The Race to Zero

The Race to Zero contest is being held during Defcon 16 at the Riviera Hotel in Las Vegas, 8-10 August 2008.

The event involves contestants being given a sample set of viruses and malcode to modify and upload through the contest portal. The portal passes the modified samples through a number of antivirus engines and determines if the sample is a known threat. The first team or individual to pass their sample past all antivirus engines undetected wins that round. Each round increases in complexity as the contest progresses.

There are a number of key ideas we want to get across by running this event:
1. Reverse engineering and code analysis is fun.

2. Not all antivirus is equal, some products are far easier to circumvent than others. Poorly performing antivirus vendors should be called out.

3. The majority of the signature-based antivirus products can be easily circumvented with a minimal amount of effort.

4. The time taken to modify a piece of known malware to circumvent a good proportion of scanners is disproportionate to the costs of antivirus protection and the losses resulting from the trust placed in it.

5. Signature-based antivirus is dead, people need to look to heuristic, statistical and behaviour based techniques to identify emerging threats

6. Antivirus is just part of the larger picture, you need to look at controlling your endpoint devcies with patching, firewalling and sound security policies to remain virus free.

We are not creating new viruses and modified samples will not be released into the wild, contrary to the belief of some media organisations

Above all we want the contestants to have fun!
------------------------------------------------

The website also has a graphic that show the contest is given a sample and then modifies it to evade detection. This is script kiddie 101.

The key ideas they claim to want to get across do not warrant creating new malware.

1) Reverse engineering and code analysis is fun.

If that's what you want to teach, then grab some samples and start reverse engineering them and analyzing them. Modification is not required to get the idea across.

2. Not all antivirus is equal, some products are far easier to circumvent than others. Poorly performing antivirus vendors should be called out.

Gee, Virus Bulletin and other organizations have been testing anti-virus products for more than a decade and proving that not all antivirus is equal. If it was everyone would buy the cheapest one. A statistically miniscule sample set is not enough to make broad conclusions about anti-virus products.

Retrospective testing can easily show which the poorly performing products are without creating any new malware.

3. The majority of the signature-based antivirus products can be easily circumvented with a minimal amount of effort.

Old news to any informed person. There are plenty of new variants out there every day to prove the point without making more.

4. The time taken to modify a piece of known malware to circumvent a good proportion of scanners is disproportionate to the costs of antivirus protection and the losses resulting from the trust placed in it.

Now there's real idiocy. The losses are caused by malware and some hackers, not by trust placed in anti-virus products. Creating new variants, which are of course, new threats, does not teach defense in depth. The person appears to be arguing against using anti-virus at all, which of course bad advice for most users. It displays a complete ignorance of the principals of defense in depth.

5. Signature-based antivirus is dead, people need to look to heuristic, statistical and behaviour based techniques to identify emerging threats

Well here's some old news for you. It doesn't take modifying malware to understand that signature based scanning was never designed as protection against emerging threats. A stupid contest won't prove what is already known.

6. Antivirus is just part of the larger picture, you need to look at controlling your endpoint devcies with patching, firewalling and sound security policies to remain virus free.

And here they contradict what they said in item 4.

Finally they add a foot note:

"We are not creating new viruses and modified samples will not be released into the wild, contrary to the belief of some media organisations

Above all we want the contestants to have fun! "

Yes modifications are new viruses. Mistakes do happen and the modified variants can get let loose into the wild. The organizers have zero control over the participants to ensure that the modifications will not be released and publically posted.

The statement "Above all we want the contestants to have fun!" truly shows the point is not about any of items one through six.

Next they have the rules of engagement...

-------------------
Rules of Engagement
The following rules apply to all contetants:

* 1. Contestants can work in teams of up to 4 people
* 2. Modified virus samples must be functionally the same as the original
You can modify mutexes, filenames, process names, IP addresses, etc as long as the code functions the same <Randy's note> Script kiddie tricks
* 3. Modified malcode samples must still exploit the vulnerability it was intended for
Samples of vulnerable software will be provided to contestants to test their exploits against
* 4. Modified samples will not be submitted to antivirus vendors unless authorised by contest participants <Randy's note> This contradicts their FAQ which I will get to
* 5. Race to Zero staff may analyse virus submissions to draw conclusions/trends, etc
* 6. Techniques used to perform mutations will not be submitted to antivirus vendors without contestants approval but may be used during our post-contest round-up presentation
* 7. Judges decision is final, no correspondence will be entered into unless beer is supplied
-------------------

Frequenty Asked Questions

Q: Won’t this simply encourage the creation of new malware?
A: No, we don't believe so. The process that will be undertaken by contestants is already happening 24 hours a day, 7 days a week worldwide and it would be naive to think otherwise. It is because of this that we want to analyse how difficult a suitably motivated attackers’ task is to circumvent widely deployed AV defences.

<Randy's note> Of course they are encouraging the creation of new malware. Creating new malware is required to win the contest. The argument that others are doing it already is like saying that because other people steal it is ok to have a theft contest. If analysis of the difficulty is desired then look at what's already been done.

Q: Will the samples generated for the contest be given to AV vendors?
A: We very much hope so, but this is down to each contestant to decide. We are optimistic that contestants will give us permission to pass on their modified samples to the AV vendors that want them, but it is not something we are able to demand of them. All samples, including those submitted to AV vendors will be securely deleted from the Race to Zero systems after the contest analysis is complete.

<Randy's note> Actually requiring samples to be submitted to AV vendors is something that could be part of the rules if the organizers had a wee little bit of spine.

Q: Is this an attempt to undermine the AV vendors?
A: Certainly not. Part of doing security research is tackling questions that may at first appear highly controversial. We feel that there are legitimate questions for us to investigate about the techniques that could be used by attackers. By researching into these areas we hope to be able to bolster the defences against malware that will be available in addition to AV. We are not saying AV has no value, or that people should turn off their AV protection.

<Randy's note> Here is a great contradiction. They claim to hope to bolster defenses, but will not require samples and techniques to be shared with people who are actually writing products to do just that.

Q. What do you mean by signature-based AV?
A. Almost all AV engines today work at a level higher than just blacklisting samples. They have a heuristic component to them which looks for routines common to a family of malware. They may be able to unpack the sample and analyse the underlying code so that if you were to repack the virus with a different packer it would still be detected. In the end though they are still looking for particular patterns or signatures.

<Randy's note> They clearly do not understand the variety of heuristic approaches in use.

Why not a contest to write a better anti-virus program? Well, they are squarely aimed at script kiddies and not at anyone with the technical skill required to write an even mediocre anti-virus program. Lacking the skills to build they encourage destruction.

A pretty lame script kiddie contest quite honestly.

Randy Abrams
Director of Technical Education
ESET LLC