Tuesday, August 12, 2008

Commercial antivirus software rendered useless in hours

At the Race To Zero contest at DEFCON 16 in Las Vegas last weekend, seven sample viruses and three sample exploits were reverse engineered to the point where they could bypass anti-virus software. The task took one team just over two hours.

Race to Zero is a contest where a series of malicious code samples are given that must be modified to be able to circumvent five anti-virus engines, each sample more difficult than the last.

The contest began with the 20-year-old DOS virus Stoned, then followed with Netsky, Bagel, Sasser, Zlob, Welchia, and Virut.

Exploits included three Microsoft vulnerabilities: one for Word, the Vista animated cursor vulnerability, and the SQL database 2000 engine flaw or "Slammer" Worm. The Word exploit was later discarded from play because few contestants actually had a vulnerable version of Windows 2000 to test upon.

A major motivation for holding the contest was to show just how weak signature-based anti-virus software is and how quickly it can be bypassed. Signature-based anti-virus is the original technique that blocks programs that match known malicious signatures, based on pattern matching. While non CPU-intensive, it has reached the point where many consider it obsolete.

In the security community, however, this is a well-covered point, and some -companies already have moved toward more behavior- and rule-based programs.

  • Spammers using Google Sites to bypass filters
  • FBI warns of new Storm worm variant
  • Phoenix BIOS with hypervisor to premiere Monday in NEC laptops
  • ZoneAlarm Pro misidentifies Yahoo Messenger as a Trojan…again
  • Yahoo’s SearchScan irks some Web site owners