Game Over!

Many people with even a vague interest in security will be aware of Defcon. The Las Vegas-based hacker conference is held every year, and security experts and enthusiasts alike present and attend talks addressing the various issues in modern IT security.

In addition to all-night parties, no-holds-barred gambling and other Vegas-oriented activities, the Defcon organisers aim to keep attendees entertained and occupied with a multitude of games and contests; most notably ‘Capture-the-Flag’, where a network is set up and the goal of each team is to break into the other teams’ computers while defending its own.

This year, however, the organisers of Defcon 16 are diversifying their entertainment by introducing a new game entitled ‘Race To Zero’[1]. Contestants are given malware samples that are currently detected by anti-virus software, and are rewarded for modifying the code until the resulting variant is no longer detected.

It seems odd that the focus should be on building awareness that signature-based detection is not enough by itself: that awareness already exists, and the idea that a fixed signature per sample is sufficient has been dead since the early 1990s, when the use of polymorphic engines (which re-encode the same malicious body into a different byte sequence on every generation) became widespread. Essentially, Defcon appears to be promoting the development of malicious software, the same set of nasties that infect computers, steal bank details, propagate spam e-mail and so on. Is it not enough that the malefactors of the world are writing and distributing new malware every day? Or that identity and credit-card fraud are becoming ever more popular criminal endeavours? Now pseudo-benevolent coders are being challenged to add to the quagmire of nasties under the guise of promoting more widespread and generic detection.
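To make concrete what the paragraph above means by a fixed signature not being enough, and by “generic” detection, here is an added illustration. It is not code from Sophos, Defcon or the Race to Zero contest, and it contains no malware: the “payload” is an inert marker string standing in for a malicious body. The marker byte 0xAA, the payload and signature strings, and all function names are constructed assumptions for the example. A fixed byte signature matches the original sample; a trivial single-byte XOR re-encoder (a deliberately toy polymorphic engine) produces 255 variants the signature misses; a generic detector that recognises the encoder’s structure and matches on the decoded content catches every one of them.

```python
"""Added illustration of signature-based versus generic detection.  Not code
from Sophos, Defcon or the Race to Zero contest.  PAYLOAD is an inert marker
string standing in for a malware body; nothing here is executable malware."""

# Constructed stand-in for a malware body, and the fixed byte signature an
# anti-virus engine might carry for that exact sample.
PAYLOAD = b"TOY-PAYLOAD:hello-world"
SIGNATURE = b"TOY-PAYLOAD"

# Constructed stub layout: first byte marks an XOR-encoded sample, the second
# byte is the single-byte key used to encode the rest.
STUB_MARKER = 0xAA


def signature_scan(sample: bytes) -> bool:
    """Classic static signature: flag a sample only if it contains the exact bytes."""
    return SIGNATURE in sample


def polymorphic_variant(payload: bytes, key: int) -> bytes:
    """Toy 'polymorphic engine': emit a stub (marker + key) followed by the
    payload XORed with that key.  Every key yields a different byte string
    whose decoded content is identical, which is exactly what defeats a
    fixed signature.  (Real engines also mutate the decoder stub itself.)"""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes([STUB_MARKER, key]) + bytes(b ^ key for b in payload)


def generic_scan(sample: bytes) -> bool:
    """Generic detection: match the family, not one variant's bytes.  If the
    encoder's stub is recognised, decode with the embedded key and apply the
    signature to the decoded content, so no per-variant signature is needed."""
    if signature_scan(sample):
        return True
    if len(sample) >= 2 and sample[0] == STUB_MARKER:
        key = sample[1]
        decoded = bytes(b ^ key for b in sample[2:])
        return SIGNATURE in decoded
    return False


def normalising_scan(sample: bytes) -> bool:
    """Even without knowing the stub layout, a scanner can normalise the
    encoding: try every single-byte XOR key and signature-match each result."""
    return any(SIGNATURE in bytes(b ^ k for b in sample) for k in range(256))


def count_evading_keys() -> int:
    """Number of the 256 possible keys whose variant the fixed signature misses
    (every key except 0, which leaves the payload bytes unchanged)."""
    return sum(
        1 for k in range(256)
        if not signature_scan(polymorphic_variant(PAYLOAD, k))
    )


if __name__ == "__main__":
    variant = polymorphic_variant(PAYLOAD, 0x5A)
    print("signature on original :", signature_scan(PAYLOAD))
    print("signature on variant  :", signature_scan(variant))
    print("generic on variant    :", generic_scan(variant))
    print("keys evading signature:", count_evading_keys(), "/ 256")
```

The caveat a practitioner should keep in mind is that real polymorphic and metamorphic engines change the decoder as well as the key, so a generic detector cannot rely on a fixed marker byte the way this toy does; in practice it has to emulate or otherwise reason about what the code does, which is the harder engineering work the rest of this post refers to.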

Defcon has, in the past, been the venue for many new and interesting developments in IT security, and its beneficial contribution to security cannot be disputed. I feel, however, that the introduction of this new game will not benefit the security industry in the way it is intended. There are many organisations that perform anti-virus testing on a regular basis. These groups collect the very latest ‘in the wild’ samples and compare the detection rates of each vendor. Past results show that Sophos has performed very well when taking part in these anti-virus tests, and generic identification of new samples is always kept to a high standard. SophosLabs is constantly developing new technologies to advance generic detection, and handles all submitted samples in fully contained and controlled environments so that there is no chance of an outbreak.

For those who do wish to test vendors’ proactive detection capabilities, a better method is to take an older version of the anti-virus software, with its signatures frozen at that date, and measure its ability to detect the most recent malware. Because the older product cannot possibly carry signatures for samples that did not yet exist, whatever it detects must come from its generic and heuristic detection, which is precisely the capability in question. This method does not contribute to the ever-growing body of malcode distributed in the world.

Creation of malware, in any sense, should be condemned, especially when the goal is to produce ‘live’ samples against which users are unprotected (the goal itself is malicious in nature). Personally, I’m against a game that essentially encourages the development of live and potentially destructive software, and believe that protection should be provided by anti-virus vendors that are dedicated entirely to the defence of users against this kind of threat. Unlike other hacker-related developments that occur at Defcon, viral code has the potential to escape into the wild and propagate autonomously. Even if the new variants are detected, not everybody has sufficient anti-virus software installed to protect themselves.

Do you want to be a victim of this game?