SecurityFocus, 2008-08-09
LAS VEGAS -- Three teams of security professionals made quick work of a panel of well-known viruses and attacks on Friday, turning the malicious code into benign-seeming bits that major antivirus scanners could not detect.
The controversial Race to Zero contest, run by New Zealand security researcher Simon Howard, allowed each team to try to obfuscate real computer viruses and exploit code samples. Starting with the ancient Stoned virus, contestants were tasked with camouflaging the code and sneaking it by a panel of antivirus engines. After one virus successfully evaded detection, the team got the next in the series.
"The later samples are more difficult to obfuscate," said contest organizer Howard. "And the exploit samples are much harder, because the scanners typically have really good signatures for the underlying vulnerabilities."
By the end of the first day, three teams had worked through all nine samples -- seven viruses and two exploits. The team to finish first -- consisting of three researchers from security firm iDefense -- completed the contest in a little over five hours. However, another team started later but successfully obfuscated all nine samples of malicious code in 2 hours 25 minutes. That team, and another that also completed the contest, were not available for interviews.
The speed with which the teams finished the contest speaks to the problems with current antivirus engines, Howard said.
"Pattern-based detection is not working," Howard said. "Behavioral recognition is the way forward, but it's only in some of the desktop antivirus software and not in any of the server software."
The lesson is not a new one for the antivirus industry. In 2006, antivirus researchers had already started including behavioral detection in their antivirus products to detect low-volume targeted Trojan attacks. The flip side of the problem became evident last year, as online attackers increasingly used obfuscation techniques to produce a massive number of variants, taxing antivirus analysts. By the end of 2007, the number of virus variants detected in the wild had reached 500,000.
The Race to Zero contest showed that even old viruses can get by the latest antivirus engines if they are dressed in the right bits. The first virus, Stoned, dates back to 1988. The subsequent viruses form a Who's Who of well-known malicious code: Netsky, Bagle, Sasser, Zlob, Welchia, and Virut. Three exploits followed: an attack on Microsoft Word, an exploit for Microsoft's animated cursor vulnerability, and the Slammer worm, which exploited a flaw in Microsoft's SQL database engine.
While the contest originally included all ten samples of malicious code, Howard had to exclude the Microsoft Word exploit, because most contestants did not have a vulnerable version of Microsoft Word 2000 to test the exploit on.
The gauntlet of antivirus engines included those made by all the major security-software makers, with the notable exception of Symantec, the owner of SecurityFocus. Howard used the antivirus engines' command-line interfaces to script their behavior for the tests, but Symantec's product has only a GUI, and he did not have enough time to create a workaround, he said.