funsec mailing list archives

Re: DefCon 'Race to Zero'


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 29 Apr 2008 22:16:11 +1200

Blue Boar to Toralv Dirro:

> > Now there is a very common misconception if it comes to malware and
> > security. Viruses and Trojans don't try to exploit any vulnerabilities
> > that need to be fixed, they simply take advantage of features offered by
> > the OS (modifying files, creating files, establishing connections to
> > some C&C etc.).
> 
> They're not mutually-exclusive. You can have a
> VirusTrojanWormSpywareExploitRootkitBot if you want.

The point, as I'm sure you're more than well aware of already, is that 
_you need not_.

Therefore, a "competition" for bypassing (static, commandline scanner,
known virus detection type) antivirus is slightly more pointless than a
fishing in a barrel contest where the competitors are armed with
bazookas.

Of course it can be done.

Trivially.

Endlessly.

In my sleep.

Sheesh...

Anyone with two brain cells knows that, and moreover did back when 
digital watches were still pretty damn neat and AV software as we know 
it did not even exist.  Although the specific terminology may not have 
been common (or even existed?) then, "default allow" has always been a 
darned stupid "security" stance.

Now, if the competition organizers wanted to compare the level of 
apparent security smarts of typical extant system administrators with 
that hypothetical two-brain-celled creature, they could surely have 
come up with a much more meaningful (and more likely to succeed!) way 
of making that point.

Further flogging the long-dead "if it's new or newly obfuscated the
known virus scanner orthodoxy will miss it" horse like this seems like
an even more foolishly pointless waste of a security researcher's or
other security professional's time than reading an unexpurgated
collection of the security list postings of n3td3v and her various
alter-ego identities...


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
