Drawing the line

The so-called ‘malware obfuscation contest’ proposed by the folks at Race to Zero is already generating contradictory discussions.

IMHO – either something is ethical or not…and I firmly hold that creating new malware to bypass security products ‘for fun’ is not!

We anti-virus researchers have always opposed the creation of new malware under any circumstances. The only excuse for creating malware in test environments that ever sounded vaguely reasonable was the old “we need to create new samples in order to study attack methods in detail”.

Let’s get real folks – we are seeing new samples by the thousands today – we have more than enough ‘live’ malware to study in order to improve our technologies. So even if this excuse was “sort-of-maybe one-time-only almost-acceptable” once upon a time, it is NOT acceptable in 2008.

The assertion that “signature-based antivirus is dead, people need to look to heuristic, statistical and behavior based techniques to identify emerging threats” is just a cheap publicity stunt. Nobody, but nobody in the AV industry depends only on signatures – we haven’t for years. In fact, it sounds as if most (read all) AV scanners will fail the ‘tests’ in the ‘contest’ because it’s easy to cheat signature-based scanners and static heuristics.

This will send a clear message to thousands of e-criminals: “do more obfuscation”. So, this ‘contest’ will only stimulate e-criminals to research and develop new obfuscation technologies. Since they are busy doing this anyway – they will just do it more and more. Thanks, but no thanks, virus labs don’t need such stimulation – we have enough work as it is.

The most positive public responses are calling the contest a form of product testing. Wrong!!

Antivirus testing, like any other product testing, must be done by trained professionals, for instance Andreas Clementi, Andreas Marx or Virus Bulletin, in a fair, ethical and scientific manner. This is how things work in a reputable industry.

The Race to Zero/DefCon ‘contest’ is:

  • NOT done by professional testers – no comment
  • NOT fair – no public contacts with AV vendors to date
  • NOT scientific – the test bed is not delineated
  • And, last, but not least, it is 100% NOT ethical! Writing malware is a crime. End of story.

Finally – what about the US Federal Computer Act?? And other legislation? Is this ‘contest’ even legal in the US? Is the agency responsible for monitoring e-crime aware of it?

So, it all boils down to… should we have public and unstructured ‘contests to test’ criminal technologies run by uncertified/unproven people? What about a ‘live robbing a bank contest’ to test bank security systems? Or maybe a ‘drugs distribution trial in a school’ – to test the narcotics police?

Anything can be taken to a ridiculous extreme – code analysis included. Let’s all take a deep breath and focus on developing protection technologies, not ‘modifying malcode for fun’.
