
Thursday, May 01, 2008

Race to Zero

Disclaimer: I work for a security company. This post (and all others, unless marked explicitly otherwise) represent my own opinions and do not necessarily reflect the views of my current or past employers.

As expected, the announced Race to Zero competition has raised quite some stir, similar to the test performed by ConsumerReports. Here are a few reactions (but you can find many more with your favorite search engine):

Also, you might find it interesting to read reactions to the ConsumerReports scandal.

My thoughts on the issue are:

This is a reaction to the hype created by the marketing departments who claimed outrageous things like 100% detection, "the only solution you ever need" and so on. The marketing claims have become more reasonable in the last couple of years, but marketing being marketing, they still present a pink and fluffy view. A very good proof of this is that in underground discussions between malware writers the most widely used products are usually the targets (in the sense of "I've written a piece of malware which isn't detected by product X", where X is a major vendor).

From a philosophical standpoint I can't help but notice that the capitalistic method (let them fight it out in the free market) doesn't seem to work for the same reason private police forces don't really work: the capitalistic approach encourages the quick fix methods, rather than trying to think longer-term (by investing in user-education for example). It also encourages hoarding data rather than sharing it, because companies are incentivised to think of their clients and their clients only, rather than abstract concepts like the humanity or all the Internet users. Disclaimer: I'm generalizing here and know that there are some examples for the contrary.

Another aspect of the same marketing - for-profit company - consumer relationship is that people have grown accustomed to paying X amount of money (or a subscription fee) for security rather than spending a little time to learn what to do and what not to do. Would we allow anyone to drive a car without them first passing a test? This attitude also makes it difficult to sell alternatives like clean connections provided by ISPs, where they monitor the network traffic very strictly and block anything suspicious (then again, how would the ISPs know what to block, because the only publicly available sources are those provided by enthusiasts, and security companies guard the information like Fort Knox - although they don't use it in their product) or boxes provided by an independent company who would configure them for maximum security and care for them (for a subscription fee of course).

And yet another manifestation of the problem is that people, instead of using the security features already built into the software they are using, disable them and then add more software to provide security (which is very illogical if you consider that there is a constant minimum bug rate per line of code greater than zero in all cases - meaning that all software has bugs - and yet somehow you imagine that more software equals more security). From a security point of view, less (software) generally equals more (security).

Now to specifically address some of the blog posts:

The McAfee one was the most balanced and well thought out blog post from a vendor in my opinion. The only problem with it is that it forgets to mention the bigger picture, that this is a hole the AV companies have dug for themselves with their marketing. Also, at the end I feel that the message "have defense in depth" is somehow equated with "buy more products from us". More software doesn't necessarily equate to more security, as I said above. Also, security software is many times orthogonal to principles of security design (like least privilege). Example: as a low-rights user in Windows XP I can disable the on-access scanner of some AV products (I don't know if this is the case with McAfee's products, but it's very probable). Now think about it: why should a low-rights user be able to do so? Usability? Perhaps, but does security software need to sacrifice principles of secure design in the name of usability? I'm a low privileged user, I can't write to the Windows directory, I can't load drivers, yet I can disable the components of the security product (which is supposed to be the key component of my security) at will?
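The least-privilege point above can be checked rather than guessed at: a Windows service's security descriptor, as printed by `sc.exe sdshow <service>` in SDDL form, says exactly which principals may stop, reconfigure or delete it. The following script is an added example (not from the original post and not any vendor's code) that parses such a descriptor and flags allow-ACEs granting those rights to low-privilege groups such as Builtin Users or Authenticated Users. The SDDL strings at the bottom are constructed for illustration; the rights and SID abbreviations are the documented SDDL codes for service objects.

```python
"""
Audit a Windows service's DACL (SDDL string from `sc sdshow <service>`)
for ACEs that let non-administrators stop, reconfigure or delete it.
Added example; the sample descriptors at the bottom are constructed.
"""
import re

# Service-object rights whose grant to a low-privilege principal breaks
# least privilege (two-letter SDDL codes and their generic equivalents).
DANGEROUS_RIGHTS = {
    "WP": "SERVICE_STOP",
    "DC": "SERVICE_CHANGE_CONFIG",
    "SD": "DELETE",
    "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL",
    "GW": "GENERIC_WRITE",
}

# The same rights as bit masks, for ACEs that use a hex access mask.
HEX_RIGHTS = {
    0x00000020: "WP", 0x00000002: "DC", 0x00010000: "SD",
    0x00040000: "WD", 0x00080000: "WO", 0x10000000: "GA", 0x40000000: "GW",
}

# Well-known principals a low-rights user is a member of (abbreviated and full SIDs).
LOW_PRIV_TRUSTEES = {
    "BU": "Builtin Users", "S-1-5-32-545": "Builtin Users",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "IU": "Interactive Users", "S-1-5-4": "Interactive Users",
    "AN": "Anonymous", "S-1-5-7": "Anonymous",
}

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return (ace_type, rights, trustee) for each ACE in the D: section.

    DACL control flags (e.g. 'P', 'AI') and the two GUID fields are ignored.
    """
    match = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not match:
        return []
    aces = []
    for body in ACE_RE.findall(match.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, _flags, rights, _obj_guid, _inh_guid, trustee = fields
        aces.append((ace_type, rights, trustee))
    return aces


def rights_codes(rights):
    """Split an SDDL rights field into two-letter codes, decoding hex masks."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return [code for bit, code in HEX_RIGHTS.items() if mask & bit]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def find_weak_aces(sddl):
    """List (principal, right) pairs where a low-privilege principal is allowed
    a right that lets it stop, reconfigure or take over the service."""
    findings = []
    for ace_type, rights, trustee in parse_dacl(sddl):
        if ace_type != "A":          # only access-allowed ACEs widen access
            continue
        who = LOW_PRIV_TRUSTEES.get(trustee)
        if who is None:              # SYSTEM, Administrators, service SIDs etc.
            continue
        for code in rights_codes(rights):
            if code in DANGEROUS_RIGHTS:
                findings.append((who, DANGEROUS_RIGHTS[code]))
    return findings


# Constructed descriptors: the first resembles a typical default (only SYSTEM
# and Administrators may stop/configure); the second also lets Builtin Users
# stop the service, which is the situation described in the post.
HARDENED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWRPWPDTLOCRRC;;;BU)")

if __name__ == "__main__":
    for name, sddl in (("hardened", HARDENED_SDDL), ("weak", WEAK_SDDL)):
        print(name, find_weak_aces(sddl) or "no weak ACEs")
```

On a real host the input comes from `sc.exe sdshow <ServiceName>`; a finding for `SERVICE_STOP` or `SERVICE_CHANGE_CONFIG` against Builtin Users or Authenticated Users is exactly the "low-rights user can switch off the scanner" condition discussed above, and the fix is to restrict those rights to Administrators and SYSTEM.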

As a next example we could take the one from Offensive Computing. This demonstrates the negative attitude independent people (who are studying malware) have towards the industry (mainly because of its marketing). It (or rather the comments) also contains some misunderstandings like: "If I was an AV I'd pay big money for access to this contest." The truth is that those samples are just a drop in the ocean. I really like the idea of engaging AV companies in the contest, but I seriously doubt that it will happen, if for no other reason than because PR departments are afraid of people reacting with "AV companies would write malware" and/or "AV companies are associated with malware writers". Regarding the comment that it is easy to evade AV products (and my prediction that the contest could be over in five minutes): if no variant of a given sample has been observed in the wild, do you really want your AV engine to waste resources checking for all possible and impossible variations of it? Wouldn't you rather expect it to detect that one sample as fast and efficiently as possible and be done with it? If however it has been observed that there are (many) variants out there, you can expect (good) AV products to check for modified versions. So if the organizers want to achieve a really spectacular result (like "All AV products defeated in the first five minutes"), just give the contestants some very plain malware which the AV companies don't expect to have variants. But don't expect anything spectacular from the generic detections either: they are tuned to the modifications which have been observed for the given family by the people behind it, thus when a new group of people (the contestants) try a new method, it is very probable that the products will fail to detect them.

This leads nicely into the two posts on the Kaspersky blog. They do have some valid points, but these are eclipsed (again) by the fact that they come from a for-profit company. However I must disagree strongly with the claim that this will have any significant impact. The samples will be more like a drop in the ocean rather than a major source of problems. Also, it seems that he agrees with my prediction that the contest will rapidly be over (although it is a little difficult to tell, given the language barrier):

In fact, it sounds as if most (read all) AV scanners will fail the 'tests' in the 'contest' because it's easy to cheat signature-based scanners and static heuristics.

I also have to disagree with this being a motive for criminals to do more obfuscation. They are already doing so (very heavily) and AV is (by definition) a reactive technology, meaning that the probability of the AV industry giving the criminals ideas is almost nil. The followup post gives a good description of why it is harder for the defender, but sadly they end up contributing to the image of the AV industry as a raving madman who blames everybody but himself for the problems.

Just a little detour: they are certainly not alone with this attitude. The McAfee blog post I referenced earlier with regards to the fiasco links to an open letter, the content of which is:

The more than 100 signatories of this public letter, all security professionals with years of experience in dealing with computer viruses, and who work in all sectors, wish to express their whole-hearted support of the following principle: It is not necessary and it is not useful to write computer viruses to learn how to protect against them.

Besides the text sounding a little, let's face it, dumb, it also has a healthy dose of the "because we say so" attitude and does not offer any logical reasons and/or alternative methods, an almost guaranteed recipe for negative reactions. (The flipside is of course that a more detailed document would have been harder to get signatures for.) The situation is (again, my opinion):

  • for known malware any (good) product has at least 99% detection
  • for new (unknown) malware the detection rate varies between 40% and 60%
  • for targeted attacks, all products have very low detection rates (in fact, if the product was targeted, as often happens with the big two, they will have a zero detection rate). And yes, it is always possible to write malware that evades some or all AV products.
  • detection won't be available until the company gets at least one sample of the malware, which isn't guaranteed to happen quickly (remember what I said about the lack of communication and the lack of incentive to communicate?), and by the time it happens, depending on the distribution method, it is possible that a fair number of users are infected
  • disinfection with the highly sticky malware families is near-impossible to do in-system (i.e. without using external boot media, reinstalling the OS, and so on)
  • with a carefully planned strategy (and remember, criminals are doing this for the money, so they will carefully plan it - at least some of them) it is possible to maintain the low detection rates; we have already seen proof of this with the fake security software and fake video codec families

So, while some might object to these events as being unscientific, the message that they are trying to send (that in today's world you can't have a one-click security solution by buying AV software and you must put at least some effort into trying to learn what to do and what not to do to avoid malware) is very timely and very true.

The anti-virus rants blog post is a very good one (probably much better than my own ramblings here) and very nicely summarizes the issues from an independent point of view. The only part I find too alarmist is the beginning, about the potential of viral code starting to spread. Malware which has spreading capabilities (computer viruses) is very rare these days and I really don't think that contestants will be given self-propagating samples. They will most probably receive malware which lacks the potential for self-propagation (i.e. trojans, backdoors, and so on). The other reason I don't think that they will use viruses in this contest is because file-infecting code is very fragile (it has many hardcoded values, it contains the bare minimum code to function and usually doesn't try to handle a modified environment), and it is thus very hard to modify it and keep it functional at the same time.

Finally, the blog post from Sophos has the same kind of black or white attitude as the Kaspersky one (pondering the same legal implications - although not as sharply as Eugene). To which my response is: good, let's do something that makes the AV industry look as bad as HID did when they threatened a researcher with legal action for planning to demonstrate the security problems of their wireless locking systems. And if this isn't enough, let's ask law enforcement to waste their precious little resources on something which isn't even all that malicious, rather than on real criminals. By the way, in my opinion, these days only security researchers and dumb criminals are prosecuted for illegal computer activities.

Also the post incorrectly attributes the organization of the contest to the organizers of DEFCON:

This year however the organisers of Defcon 16 are diversifying their entertainment by introducing a new game entitled 'Race To Zero'.

In fact their contribution is restricted to hosting it, the rest being done by members of the community.

That's it folks, the end of my ramblings, at least for today. Thank you for reading this, and remember: knowledge is power and you can't get something for nothing. Educate yourself and be safe!

1 comment:

  1. "Besides of the text sounding a little, lets face it, dumb, it also has a healthy dose of the because we say so attitude and does not offer any logical reasons and/or alternative methods"

    technically there is a link near the bottom of the page concerning those alternative methods... it points here ( it's not that great a resource and it's certainly not complete, but they are offering some alternatives..

    also, the document is a petition, a statement of principle, not an open letter as you called it... the open letter that spawned that petition was penned by frisk and can be found here (

    "So, while some might object to these events as being unscientific, the message that they are trying to send (that in todays world you can't have a one-click security solution by buying AV software and you must put at least some effort into trying to learn what to do and what not to do to avoid malware) is very timely and very true."

    unfortunately, the message i get from them is that av is dead, it doesn't work, it doesn't protect people so they should stop paying for it and stop using it...

    "I really don't think that contestants will be given self-propagating samples."

    i really hope you're right, but they explicitly say viruses and malcode... we can hope they didn't mean virus when they said virus, but on the off chance they weren't misusing the term then there's a problem...

    "The other reason I don't think that they will use viruses in this contest is because file-infecting code is very fragile"

    not all viruses are file infectors, and not all file infection techniques are fragile... they'd certainly have the work cut out for them if they had to maintain prepending, appending, or cavity infection capability but a companion infector or a worm would probably not be as much of a challenge...