Negative Values: Racing Past Zero

Well, there’s not much doubt about the SecurityFocus view of the Race to Zero event. A report by Robert Lemos is festooned with advertising that states “If you want to stop a hacker…you have to act like one.” Perhaps Symantec, who own SecurityFocus, can afford to be relaxed about the event, since their scanners weren’t represented in the test panel. All that apart, what are we actually learning as we pass zero?

Well, according to organizer Simon Howard we’ve learned that pattern-based detection isn’t working. Well, no, Simon: signatures actually work very well against known viruses. Do you really think it’s unnecessary to detect old viruses (maybe you should read our earlier blogs on Angelina and Helkern, or Kurt Wismer’s comment piece in the August issue of Virus Bulletin), or are you insisting that we should detect them heuristically? Given ESET’s expertise in heuristics, we’re not going to deny its importance, but in some contexts, signature detection can actually save a lot of processing time, depending on how it’s implemented. And who on earth told you that server-hosted anti-malware doesn’t use behavior analysis?

We’ve also learned that antivirus researchers started using “behavioral detection” in 2006. Except that some of us have been using proactive techniques for many more years than that.

Furthermore, we’ve learned that there’s a certain amount of confusion out there about what constitutes a variant, what is meant by “in the wild”, and what the differences are between an exploit, a vulnerability, and a worm. (I think I’ll tackle those issues in other blogs: this is already taking rather too much of a Sunday afternoon when I’d rather be watching the Olympics).

So, so far, we’ve learned that if you modify malware – whether it’s an old soldier like the Stoned boot sector infector or a recent troublemaker like Virut (a polymorphic virus which, even without handcrafting, still causes some products real difficulty) – you can very quickly tweak it enough to hide it from any scanner you target. (Actually, you don’t even have to modify it by hand, but we already knew that, and the chances are that you did, too.)

Still, as Simon says (you have no idea how careful I’m being not to take a cheap shot here), the whole exercise is worth it if all those Moms and Dads who avidly follow SecurityFocus (apparently) change their anti-virus settings to activate the “behavioral features”. Except, of course, that it’s rather unusual to find a mainstream anti-virus scanner that uses only signature detection, even in its least paranoid settings.

Well, that’s enough goading of the anti-AV crowd who are, no doubt, now queueing up to heap abuse upon me. Here’s a wholly serious thought.

When this contest was first publicised, I said that no mainstream anti-virus company would take part directly because of the possible damage to their reputation as an ethical organization. That seems to have been largely true, but one of the teams represented in the contest turns out to have consisted of researchers from a security firm that does operate on the fringes of the anti-malware community, though they don’t actually have their own AV product. I find it a little sad that they’ve endorsed this competition to the extent of actually participating, without at least acknowledging the legitimate concerns of the anti-malware community as a whole. Well, perhaps they did, but those comments weren’t quoted. From some other comments that were made, though, I suspect that they simply weren’t aware of them. :(

David Harley
Malware Intelligence Team