Defcon, for those who don’t know, is the world’s largest and most famous hacking conference. This year an unofficial contest is being held at Defcon and it is receiving negative feedback from some of the anti-virus (AV) vendors. The goal of the Race-To-Zero contest is to take virus code that is caught by an anti-virus program and modify the code to avoid detection.

Anti-virus software detects viruses using two different methods. The first is signature-based detection: every known virus has a specific signature that the scanner matches against a database available to the anti-virus software. The second is heuristic-based detection: the anti-virus program monitors programs for suspicious behavior. Signature-based detection is faster but can only detect known viruses, while heuristic-based detection can detect unknown viruses but is typically more resource intensive.
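The difference between the two methods, as an added illustration (not code from the post or from any AV product): a toy scanner with one exact-hash signature, one byte-pattern signature and a few weighted heuristic rules, run over two constructed, harmless byte strings, a "known" sample and a variant that differs from it by a single byte. All sample bytes, rule names and weights are assumptions made up for the demo.

```python
import hashlib
import re
from typing import Optional

# Constructed, harmless byte strings standing in for a known sample and a
# variant of it with a single byte changed (not real malware).
KNOWN_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 12 +
                b"LoadLibraryA\x00VirtualAllocEx\x00WriteProcessMemory\x00"
                b"http://example.invalid/stage2\x00" + b"\xcc" * 16)
_buf = bytearray(KNOWN_SAMPLE)
_buf[-1] = 0x90                      # the only byte that differs from KNOWN_SAMPLE
VARIANT = bytes(_buf)

# Signature database: an exact full-file hash and a byte-pattern signature.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Sample.Known"}
PATTERN_SIGNATURES = {
    "Sample.Known.gen": re.compile(rb"VirtualAllocEx\x00WriteProcessMemory"),
}

# Heuristic rules: (description, byte pattern, weight); a file is flagged
# when the summed weight of matching rules reaches the threshold.
HEURISTIC_RULES = [
    ("writes into another process's memory", rb"WriteProcessMemory", 3),
    ("allocates memory in a remote process", rb"VirtualAllocEx", 2),
    ("embeds a URL", rb"https?://", 1),
]
HEURISTIC_THRESHOLD = 4

def hash_match(data: bytes) -> Optional[str]:
    """Exact-hash signature: any change to the file breaks the match."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())

def pattern_match(data: bytes) -> list:
    """Byte-pattern signature: survives edits outside the matched bytes."""
    return [name for name, pat in PATTERN_SIGNATURES.items() if pat.search(data)]

def heuristic_score(data: bytes) -> tuple:
    """Return (total weight, descriptions of the rules that fired)."""
    hits = [(desc, w) for desc, pat, w in HEURISTIC_RULES if re.search(pat, data)]
    return sum(w for _, w in hits), [desc for desc, _ in hits]

def scan(data: bytes) -> dict:
    score, reasons = heuristic_score(data)
    return {"hash": hash_match(data), "patterns": pattern_match(data),
            "heuristic_flag": score >= HEURISTIC_THRESHOLD, "reasons": reasons}

if __name__ == "__main__":
    for label, sample in (("known", KNOWN_SAMPLE), ("variant", VARIANT)):
        print(label, scan(sample))
```

The known sample hits all three checks; the one-byte variant is missed by the hash signature but still caught by the pattern signature and the heuristic rules, which is why a signature database keyed on exact hashes alone is so fragile.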

The anti-virus companies are opposed to the contest for a couple of reasons. The first is that it makes them look bad if they can’t detect a slightly modified virus that is already in their database. The other is that these altered viruses will need new signatures, which generates more work for the AV vendors.

Personally, I think the present-day implementation of anti-virus isn’t adequate and this event will only emphasize that point. The current AV solution does help but it is a bandage rather than a fix.

There are some interesting articles on the Race-To-Zero page that represent both sides of the argument regarding the contest.

Note: Please exercise caution when visiting both the Defcon and the Race-To-Zero websites. The sites are frequented by white hats (security researchers), black hats (what the mainstream media calls “hackers”) and grey hats (everything in between).