LAS VEGAS -- Speed is not everything.
Three consultants from security firm Mandiant finished the Race to Zero in just over six hours -- three-and-a-half hours longer than the shortest time -- but managed to sneak all ten virus and exploit samples past major antivirus scanners, taking first place. The security professionals -- Nick Harbour, Steve Davis and Pete Silberman from Mandiant -- successfully obfuscated the ancient Stoned virus, which first infected computers in 1988, solved some tricky issues with an exploit targeting Microsoft Word and elegantly snuck the Slammer worm past antivirus engines, the contest's organizer said in a presentation on Sunday.
The researchers, who dubbed their team "chicagostreetsweepers," took part in the contest to urge companies not to rely solely on antivirus solutions, said Nick Harbour, principal consultant at Mandiant.
"AV is not a magic security pill," Harbour said in an e-mail interview with SecurityFocus. "We respond to major computer security incidents for a living and AV products are always in place and usually deployed in the vendor-specified manner, yet the bad guys still are able to use slightly modified versions of popular tools ... to pull off everything from bank heists to stealing sensitive government information."
Online attackers have increasingly used obfuscation techniques to produce a massive number of variants, taxing antivirus analysts. By the end of 2007, the number of virus variants detected in the wild had reached 500,000.
Antivirus makers have already started including other technologies in their software to attempt to catch obfuscated viruses. In 2006, antivirus researchers had already started including behavioral detection in their antivirus products to detect low-volume targeted Trojan attacks. Moreover, the contest was not a completely fair measure of antivirus products' abilities, as only the virus-scanning component was used. Anti-bot software included in one vendor's product would have caught some of the obfuscated code created for the contest, according to Simon Howard, a security consultant and creator of the Race to Zero contest.
At least three of the four teams that completed the contest were made up of researchers from security firms that do not sell antivirus solutions. The gauntlet of antivirus engines included those made by all the major security-software makers, with the notable exception of Symantec, the owner of SecurityFocus. The contest's system drove the antivirus engines through their command-line interfaces, but Symantec's product offers only a graphical interface, Howard said.
On Friday, team "retem" -- made up of two researchers from network protection firm Damballa -- finished the contest in a blazing 2 hours and 25 minutes, the fastest time. The team had brought a custom packer -- a utility used by cybercriminals to turn malicious code into benign-seeming bits -- and blitzed through the first seven virus samples. That's exactly what attackers are doing, said Paul Royal, principal researcher for Damballa.
"You can take any malware sample and pack it with an original packer, go to VirusTotal and get zero of 32 detections," he said.
Royal added that he plans to give antivirus firms his packing software and not distribute it to the public. Mandiant's Harbour has not yet decided what to do with the obfuscation software he created for the contest.
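Packers of the kind Royal describes defeat signature matching by compressing or encrypting the original code, and one side effect defenders can measure is that the packed body looks close to random. The following added example (not code from the article, Mandiant or Damballa) shows the entropy check that incident responders commonly use to triage suspicious files: it computes Shannon entropy per byte, scans a buffer in fixed windows, and flags the file when most windows sit near the 8-bit ceiling. The sample inputs are constructed here: repeated English text stands in for unpacked code, and SHA-256-chained bytes stand in for a packed payload. No real packer is involved, and the 7.0-bit threshold and 50% window fraction are assumptions to tune against your own corpus.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated value, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = 512) -> list:
    """Entropy of each consecutive window; the last window may be shorter than `window`."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def is_likely_packed(data: bytes, window: int = 512,
                     threshold: float = 7.0, min_fraction: float = 0.5) -> bool:
    """Heuristic: flag the buffer when at least min_fraction of windows reach the threshold.

    Compressed or encrypted data (packed malware, but also legitimately packed installers,
    embedded images and archives) scores high, so treat a hit as a triage signal, not a verdict.
    """
    windows = windowed_entropy(data, window)
    if not windows:
        return False
    hot = sum(1 for e in windows if e >= threshold)
    return hot / len(windows) >= min_fraction


def constructed_high_entropy(n: int, seed: bytes = b"race-to-zero") -> bytes:
    """Deterministic pseudo-random bytes: a constructed stand-in for a packed/encrypted section."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed samples: plain text approximates the byte distribution of unpacked code/data;
# the hashed stream approximates a packed payload.
PLAIN_SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 64
PACKED_SAMPLE = constructed_high_entropy(4096)


def triage_report(samples: dict) -> dict:
    """Return {name: (overall entropy, max window entropy, packed verdict)} for each buffer."""
    report = {}
    for name, buf in samples.items():
        report[name] = (round(shannon_entropy(buf), 2),
                        round(max(windowed_entropy(buf)), 2),
                        is_likely_packed(buf))
    return report


if __name__ == "__main__":
    for name, (overall, peak, verdict) in triage_report(
            {"plain": PLAIN_SAMPLE, "packed-like": PACKED_SAMPLE}).items():
        print(f"{name}: overall={overall} bits/byte, peak window={peak}, likely packed={verdict}")
```

In practice this check is run per section of a PE or ELF file rather than over the whole image, because a packer typically leaves a small low-entropy stub (the decompression loop) next to one high-entropy blob; a section-level view also exposes the mismatch between a tiny import table and a large executable that characterizes many packed samples.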
Posted by: Robert Lemos