Researchers race to zero in record time
Robert Lemos, SecurityFocus 2008-08-09
LAS VEGAS -- Three teams of security professionals made quick work of a panel of well-known viruses and attacks on Friday, turning the malicious code into benign-seeming bits that major antivirus scanners could not detect.
The controversial Race to Zero contest, run by New Zealand security researcher Simon Howard, allowed each team to try to obfuscate real computer viruses and exploit code samples. Starting with the ancient Stoned virus, contestants were tasked with camouflaging the code and sneaking it by a panel of antivirus engines. After one virus successfully evaded detection, the team got the next in the series.
"The later samples are more difficult to obfuscate," said contest organizer Howard. "And the exploit samples are much harder, because the scanners typically have really good signatures for the underlying vulnerabilities."
By the end of the first day, three teams had worked through all nine samples -- seven viruses and two exploits. The team to finish first -- consisting of three researchers from security firm iDefense -- completed the contest in a little over five hours. However, another team started later but successfully obfuscated all nine samples of malicious code in 2 hours 25 minutes. That team, and another that also completed the contest, were not available for interviews.
The speed with which the teams finished the contest speaks to the problems with current antivirus engines, Howard said.
"Pattern-based detection is not working," Howard said. "Behavioral recognition is the way forward, but it's only in some of the desktop antivirus software and not in any of the server software."
The lesson is not a new one for the antivirus industry. In 2006, antivirus researchers had already started including behavioral detection in their antivirus products to detect low-volume targeted Trojan attacks. The flip side of the problem became evident last year, as online attackers increasingly used obfuscation techniques to produce massive numbers of variants, taxing antivirus analysts. By the end of 2007, the number of virus variants detected in the wild had reached 500,000.
The Race to Zero contest showed that even old viruses can get by the latest antivirus engines if they are dressed in the right bits. The first virus, Stoned, dates back to 1988. Subsequent viruses form a Who's Who list of well-known malicious code: Netsky, Bagel, Sasser, Zlob, Welchia, and Virut. Three exploits followed: an attack on Microsoft Word, an exploit for Microsoft's animated cursor vulnerability and the Slammer worm, which exploited a flaw in Microsoft's SQL database engine.
While the contest originally included all ten samples of malicious code, Howard had to exclude the Microsoft Word exploit, because most contestants did not have a vulnerable version of Microsoft 2000 to test the exploit on.
The gauntlet of antivirus engines included those made by all the major security-software makers, with the notable exception of Symantec, the owner of SecurityFocus. Howard used the antivirus engines' command-line interfaces to script their behavior for the tests, but Symantec's product has only a GUI, and he did not have enough time to create a workaround, he said.
The modification of actual malicious code to bypass antivirus has not pleased many security-software vendors.
"Is it not enough that malefactors of the world are writing and distributing new Malware every day?" antivirus firm Sophos stated in an April blog post. "Or that identity and credit fraud are becoming more popular criminal endeavors? Now, pseudo-benevolent coders are being challenged to add to the quagmire of nasties under the guise of promoting more widespread and generic detection."
Howard argued that he addressed the main concerns of antivirus companies. The network on which the contest took place was closed and not connected to the Internet to avoid any inadvertent leak of code.
"They are scared of the samples being released in the wild," he said. "All samples will be submitted to the antivirus vendors with the name of the team who created it, so if one is released, they will know which team it came from."
The lesson for the participating teams appeared to be that creating obfuscated viruses to get by antivirus software was not too difficult -- if you can get one past all the scanners, you can get all of them past the scanners, said the team of researchers from VeriSign subsidiary iDefense that completed the contest.
"That's what the bad guys do," said Matt Richard, director of rapid response for iDefense. "They find a packer that works and then use it for everything."
Richard and his two co-workers completed the contest in a little over five hours. He argued that the contest is valuable because it teaches the researchers to appreciate the enemy.
"Sometimes you have to write stuff in order to find out how the bad guy would do it," Richard said. "They are doing the same thing we did here, but sitting at home."
For contest organizer Howard, the lesson was less for the antivirus industry and more for companies and home users. He hopes that any coverage of the contest will deliver a message to antivirus users.
"If Mom and Dad read an article and go into their antivirus settings and turn on the behavioral features, then it is all worth it," he said.
It's all about the behavioral searches, kids! Ya know, the APT (aka China) is surely developing code or, more to the point, re-engineering it to avoid the big guns. What this really says, though, is that no one... no one... is safe from a virus/malware/trojan. All you can do is keep up the updates, use a blended solution, and make sure you are auditing logs for traffic.