Saturday, May 03, 2008

an inconvenient truth about race to zero

from noah shiffman's article av vendors race-to-zero clue:
New viruses will not be created and no modified or variant code will be publicly released.
it's amazing to me how many people don't seem to realize that when you modify something you are effectively creating something new... this has been one of the more prevalent misunderstandings i've seen from people in favour of the race to zero contest at defcon this year and one i really didn't expect...

now, i realize i haven't always had as good a definition of variant as i do now... i should be more understanding of people who may not know as much as i do on the subject of malware... but even long before my understanding of variants reached its current state i still had the logical capacity and intuition to realize that when you modify a virus, especially when you modify it to the point where anti-malware products can no longer detect it, then it is no longer the same as the original virus, it is no longer like anything anyone has seen before, it is (dare i say it) new...

the only way the race to zero won't be producing new virus variants is if cdman83 is right about them probably not using actual viruses in the first place (we can only hope they were dumb enough to misuse the terminology)...

even then, though, they will still be producing new malware... creating new threats is really all this contest will accomplish... demonstrating that known-malware scanning can't detect things that no one has ever seen before (i.e. things that aren't known) is like demonstrating a spoon can't cut through bone...
