The so-called ‘malware obfuscation contest’ proposed by the folks at Race to Zero is already generating contradictory discussions.
IMHO – either something is ethical or not… and I firmly hold that creating new malware to bypass security products ‘for fun’ is not!
We anti-virus researchers have always opposed the creation of new malware under any circumstances. The only excuse for creating malware in test environments that ever sounded vaguely reasonable was the old “we need to create new samples in order to study attack methods in detail”.
Let’s get real folks – we are seeing new samples by the thousands today – we have more than enough ‘live’ malware to study in order to improve our technologies. So even if this excuse was “sort-of-maybe one-time-only almost-acceptable” once upon a time, it is NOT acceptable in 2008.
The assertion that “signature-based antivirus is dead, people need to look to heuristic, statistical and behavior based techniques to identify emerging threats” is just a cheap publicity stunt. Nobody, but nobody in the AV industry depends only on signatures – we haven’t for years. In fact, it sounds as if most (read all) AV scanners will fail the ‘tests’ in the ‘contest’ because it’s easy to cheat signature-based scanners and static heuristics.
This will send a clear message to thousands of e-criminals: “do more obfuscation”. So, this ‘contest’ will only stimulate e-criminals to research and develop new obfuscation technologies. Since they are busy doing this anyway – they just will do it more and more. Thanks, but no thanks, virus labs don’t need such stimulation – we have enough work as it is.
The most positive public responses are calling the contest a form of product testing. Wrong!!
Antivirus testing, like any other product testing, must be done by trained professionals, for instance Andreas Clementi, Andreas Marx or Virus Bulletin, in a fair, ethical and scientific manner. This is how things work in a reputable industry.
The Race to Zero/DefCon ‘contest’ is:
- NOT done by professional testers – no comment
- NOT fair – no public contacts with AV vendors to date
- NOT scientific – the test bed is not delineated
- And, last, but not least, it is 100% NOT ethical! Writing malware is a crime. End of story.
Finally – what about the US Federal Computer Act?? And other legislation? Is this ‘contest’ even legal in the US? Is the agency responsible for monitoring e-crime aware of it?
So, it all boils down to… should we have public and unstructured ‘contests to test’ criminal technologies run by uncertified/unproven people? What about a ‘live robbing a bank contest’ to test bank security systems? Or maybe a ‘drugs distribution trial in a school’ – to test the narcotics police?
Anything can be taken to a ridiculous extreme – code analysis included. Let’s all take a deep breath and focus on developing protection technologies, not ‘modifying malcode for fun’.