Defcon competition: modifying viruses to bypass scanners
A competition at this year's Defcon security conference, to be held in Las Vegas between 8 and 10 August, has caused disquiet amongst antivirus vendors. In Race to Zero hackers will compete to modify existing viruses so that they are undetectable by anti-virus engines.
The competition rules state that the hackers must not restrict the effectiveness of the viruses, which must continue to work in exactly the same way as the original versions. The competition is designed to highlight the limitations of signature-based detection while letting the contestants "have some fun". The US media have reported that prizes for successfully modifying the samples will be awarded in a number of categories, such as "Most elegant obfuscation", "Dirtiest hack of an obfuscation", "Comedy value" and "Most deserving of beer".
Bypassing an anti-virus engine's signatures is normally a trivial task. It takes little more than changing a few bytes in the right place or inserting a noop (No Operation) instruction to increase the length of the code, so that a static, string-based signature no longer matches. It is harder to find changes that let the virus evade every anti-virus engine. To make evasion more difficult, vendors now use generic signatures that can match variants of a virus on the basis of its consistent characteristics. Nevertheless, purely signature-based engines are easily fooled.
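A toy scanner illustrating the two kinds of signature described above, added here as an example and not part of the original article: an exact byte-string signature that fails as soon as a few bytes change or NOPs are spliced in, beside a generic signature that wildcards the variable operand and tolerates NOP padding. The "code" bytes, the signatures and the variants are all constructed for the demonstration.

```python
import re

NOP = b"\x90"  # x86 single-byte no-operation instruction

# Constructed stand-in for a code body (arbitrary x86-looking bytes, not malware).
ORIGINAL = bytes.fromhex("5589e583ec10c745fc010000008b45fcc9c3")

# Static signature: a contiguous 10-byte string copied out of the sample.
EXACT_SIG = bytes.fromhex("c745fc010000008b45fc")

def compile_generic(parts):
    """Build a generic signature from `parts`: bytes are literal anchors,
    an int n stands for n wildcard bytes (e.g. an immediate operand).
    Any run of NOPs between parts is tolerated."""
    pieces = []
    for p in parts:
        pieces.append(b".{%d}" % p if isinstance(p, int) else re.escape(p))
    return re.compile(b"(?:\x90)*".join(pieces), re.DOTALL)

# Same anchors as EXACT_SIG, but the 4-byte immediate is wildcarded.
GENERIC_SIG = compile_generic([b"\xc7\x45\xfc", 4, b"\x8b\x45\xfc"])

def exact_match(data: bytes) -> bool:
    return EXACT_SIG in data

def generic_match(data: bytes) -> bool:
    return GENERIC_SIG.search(data) is not None

def insert_nops(data: bytes, offset: int, count: int) -> bytes:
    """Constructed variant: splice `count` NOPs in at an instruction boundary."""
    return data[:offset] + NOP * count + data[offset:]

def patch_bytes(data: bytes, offset: int, new: bytes) -> bytes:
    """Constructed variant: overwrite bytes in place (length unchanged)."""
    return data[:offset] + new + data[offset + len(new):]

# Variant 1: three NOPs between the two `mov` instructions.
NOP_VARIANT = insert_nops(ORIGINAL, 13, 3)
# Variant 2: the immediate operand changed from 1 to 2.
PATCH_VARIANT = patch_bytes(ORIGINAL, 9, b"\x02\x00\x00\x00")
# Unrelated bytes: neither signature should fire (false-positive check).
UNRELATED = bytes(range(0x20, 0x60))

def scan(data: bytes) -> dict:
    """Run both signatures over `data` and report which ones matched."""
    return {"exact": exact_match(data), "generic": generic_match(data)}

if __name__ == "__main__":
    for name, blob in [("original", ORIGINAL), ("nop_variant", NOP_VARIANT),
                       ("patch_variant", PATCH_VARIANT), ("unrelated", UNRELATED)]:
        print(f"{name:14s} {scan(blob)}")
```

The exact signature fires only on the unmodified sample; the generic one also catches both variants while staying silent on unrelated data, which is the trade-off a signature author has to test for in both directions.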
Antivirus vendors have expressed concern. Dave Marcus from McAfee told the US media, "Encouraging research that provides better techniques for virus writers is not a good idea. How many identities and how much data will be stolen from users as a result of the new bypassing techniques that will be developed? Security research should focus on better detection – not better circumvention." "It will do more harm than good," commented Paul Ferguson from Trend Micro. "Responsible disclosure is one thing, but now actually encouraging people to do this as a contest is a little over the top." Roger Thompson, chief research officer with antivirus vendor AVG Technologies said: "It's hard to see an upside for encouraging people to write more viruses. It's a dumb idea." "We don't need more virus samples," he added. "The antivirus manufacturers already deal with 30,000 a day."
The idea behind the competition does indeed appear rather suspect. Virtually all antivirus vendors now employ heuristic detection in addition to signature-based detection, and are increasingly turning to dynamic detection using emulation in a sandbox or real-time behavioural analysis. Signatures nevertheless remain indispensable for tasks such as scanning a system for viruses from a clean boot CD.
- Race to Zero, competition web site