The Race to Zero

The Race to Zero
There has been a fair amount of controversy as of late surrounding The Race to Zero contest to be unofficially held at DEFCON 16 this coming August. To briefly summarize, contestants are to be given samples of computer viruses/malware and access to a contest portal. The portal will take malware samples submitted by the contestants and run them through a collection of anti-virus engines, checking to see if the samples are detected. The contestants will make modifications to the malware samples in attempts to slip modified samples past the AV engines undetected. In keeping with the mischievous hacker zeitgeist of DEFCON, awards will be given for the 'Most Elegant Obfuscation,' 'Dirtiest Hack of an Obfuscation, 'Comedy Value' and 'Most Deserving of Beer'.

AV vendors were predictably upset by the prospect of this exercise. Most objections seemed to boil down to two main assertions:

  1. The contest involves the creation of new strains of malware, which can serve no constructive purpose.
  2. The contest will only serve to help the bad guys learn new techniques in their arms race with AV vendors.

Contest organizers have stated their goal is simply to demonstrate the limitations of AV software, information that AV customers deserve to have. Their position is that the contest explores legitimate areas of security research and that investigation of AV bypass techniques is a worthwhile goal. Organizers have also pointed out that new malware is being created 24/7x365 in the wild, while at the contest's conclusion any new malware samples created will be securely deleted from the contest systems.

I believe the primary arguments against the contest are specious. In order to engineer the effective detection of computer viruses and malware, one first needs to understand how these things function. Creating your own piece of malware will certainly help someone better understand how malware works. It is not at all clear that the creation of a new virus by a security researcher in a controlled environment has no constructive purpose.

There are some valid criticisms of the contest, however. This contest is not truly representative of malware development in the real world. Today's malware is programmatically generated and engineered to bypass AV detection. Malware authors are no longer manually crafting and testing their creations. The malware ecosystem has moved on to the use of specialized tools for these purposes, written and sold by more highly skilled groups of miscreants.

Despite what the critics are saying, the bad guys are not going to learn anything new from this contest. The groups that develop malware generation kits have gone far beyond the paradigm of hand-crafted AV bypass that is being explored in the contest.

I do believe there are some positives that may come out of this contest. For one, consumers of AV software will gain valuable new insight into AV bypass resistance in a controlled evaluation, albeit a somewhat contrived one. AV software should see improvements as AV vendors that did not fare well feel customer and market demand to improve their products, or face losing business to their competitors. Last but certainly not least, the security research community will learn more about the capabilities and limitations of ubiquitous AV defenses.

My "Race to Zero" prediction? Embarrassing performance from some of the major AV vendors, especially those that haven't made smart investments in strong heuristic detection mechanisms. Expect these AV vendors to attempt a rear-guard marketing action telling us why we shouldn't give any credence to the results, followed by some real improvements in future releases of their products.
Back to all Blogs

Additional Resources


See for yourself: Request your demo to see how Taegis can reduce risk, optimize existing security investments, and fill talent gaps.