Virus-writing contests are still a bad idea

Filed Under: Malware

There has been a right hoohah in the media and blogosphere about the "Race To Zero" contest being arranged for the next Defcon conference.  In a nutshell, the "Race To Zero" organisers think it's a good idea to encourage people to create new malware variants in order to test anti-virus products.

The idea of running a virus-writing competition isn't a new one of course.  In fact, they stretch back at least 15 years.

In 1993, Mark Ludwig, the author of "The Little Black Book of Computer Viruses" and a virus writer himself, publicised what he called the "First International Virus Writing Competition" and urged participants to send in DOS-based functional parasitic viruses.  The one which was the smallest (in other words, took up the least number of bytes on the hard disk) would win a prize of $200 and a subscription to Ludwig's virus-writing periodical, "Computer Virus Developments Quarterly."

The winner of Ludwig's competition was a malware author called "Stormbringer", a member of the Phalcon/SKISM (Smart Kids Into Sick Methods) virus-writing gang.  By the way, Stormbringer's true identity was later revealed when he attended the Virus Bulletin conference in San Francisco unsuccessfully seeking a job in the industry.  He turned out to be a young chap with a ponytail going by the name of Mike Ellison.

Phalcon/SKISM went on to unveil its own virus-writing competition in the pages of its electronic magazine, 40Hex, although details of who may have won that contest are lost in the mists of time.

The malware competitions run by Ludwig and Phalcon/SKISM were roundly condemned by the anti-virus industry, and similarly most people who work in the computer security field fail to see the benefits of the upcoming "Race To Zero" contest.

The fact is that there is enough malware already.  We don't need contests to create new variants of malicious code.  We have seen more new malware variants in the last six months than in the last 25 years put together.

The "Race To Zero" organisers claim that one of their aims is to prove that signature-based anti-virus software is dead, because it cannot keep up with malware variants.  Well, whoopee-doo!  We know that relying on signature-based anti-virus is dead.  We know because we buried it.

In the early 1990s the first polymorphic, shape-shifting viruses emerged, which changed their appearance on each infection.  Some malware came in millions of different combinations, meaning that there wasn't a simple "string" or "signature" to scan for which would be unique to the malware and absent from legitimate code.  Anti-virus companies all developed new detection techniques to counter these threats way back then, and have continued to develop their technology and defences.

So, although some vendors still try to seek media coverage by claiming that "traditional" anti-virus vendors rely on signatures for detection, it isn't true and hasn't been for about 20 years.  "Race To Zero", therefore, proves nothing in this regard.

What also galls about the "Race To Zero" competition is that they are urging people to modify self-replicating viruses.  This is the very worst kind of malware to suggest that people experiment with.  Viruses copy themselves over disks, networks, USB sticks, the internet... Is this really the kind of malicious code with which hackers should be experimenting?  It is far too easy for a mistake to happen - remember that these hackers do not have the same secure lab facilities into which the security vendors have invested huge amounts of money - and for a new piece of malware to break into the wild.

The simple fact is that writing new malware teaches you nothing about how to write a better anti-virus.  That's why anti-malware vendors don't create viruses.  If the hackers at Defcon really want to give something back to the community, and prove how clever they are, how about a competition to write a better anti-virus?  How about some of them get together to develop software which works on a multitude of operating systems, can detect hundreds of thousands of different pieces of malware in real-time without making mistakes, and can be seamlessly updated?

If they could do that better than the regular anti-virus companies, then that really would be of interest.

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.