funsec mailing list archives

Re: DefCon 'Race to Zero'


From: <Toralv_Dirro () McAfee com>
Date: Mon, 28 Apr 2008 10:15:22 +0100


> Sorry, there is a lot to be learned by getting inside the
> mind of a hacker and building software to defeat AV Packages.
> If you cannot see this then you don't belong in the security
> industry.  As a security expert, you make security better by
> constantly thinking of new ways to violate it. If everything
> the enemy can think of catches you totally off guard, I think
> you need to get a new job, find a new career, either
> voluntarily or after you get fired.

Now there is a very common misconception when it comes to malware and
security. Viruses and Trojans don't try to exploit any vulnerabilities
that need to be fixed; they simply take advantage of features offered by
the OS (modifying files, creating files, establishing connections to
some C&C, etc.).

AV software is basically looking for all known malware and is trying to
detect new (i.e. unknown) malware based on behaviour or similarities to
known malware. Anything that can be learned from such a contest has
already been shown back in the early 90s.

The contest may provide some interesting insights if it were up against
behaviour-based protection and HIPS actively running on a system, but
against a bunch of commandline-AV-scanners? C'mon...


cheers,
Toralv






Registered office:     Muenchen
Court of registration:     AG Muenchen
Commercial register:   HRB 144340
Managing directors:   Eric F. Brown, Anthony E. Ruiseal
Bank details:   ABN-Amro Bank N.V. Konto 671 211 9006
VAT ID:   DE168122444
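The message above contrasts three detection layers: an exact signature for known malware, similarity to known malware, and behaviour-based rules. The following toy scanner, added here as an illustration and not code from the original post or from any vendor, shows why a contest that only patches a few bytes says little: a one-byte change defeats the hash signature but not a byte n-gram similarity check, and a rewritten sample that shares almost no bytes is still flagged by a (static, string-based) stand-in for the behaviour rules. All samples, the "signature database" and the indicator strings are constructed for this example and are not real malware.

```python
import hashlib
from collections import Counter

# --- Constructed samples (built for this example; not real malware) ---
# A fake "dropper": stub header, file-write and socket import names,
# a C&C URL and some padding.
KNOWN_DROPPER = (
    b"MZ\x90\x00"
    b"CreateFileA\x00WriteFile\x00"
    b"WSAStartup\x00connect\x00"
    b"http://c2.example.invalid/gate.php\x00"
    b"\x00" * 32
)
# "Race to Zero" style variant: identical except one patched padding byte.
VARIANT = KNOWN_DROPPER[:-16] + b"\xcc" + KNOWN_DROPPER[-15:]
# Rewritten sample: same OS features used, different layout, no URL.
REWRITTEN = (
    b"MZ\x90\x00" + b"\x90" * 40
    + b"WSAStartup\x00connect\x00CreateFileA\x00WriteFile\x00"
    + b"x" * 20
)
# Benign sample sharing only the stub header.
BENIGN = (
    b"MZ\x90\x00"
    b"This program cannot be run in DOS mode.\r\n"
    b"GetVersion\x00ExitProcess\x00"
)

# Assumed signature database: family name -> reference sample.
KNOWN = {"Trojan.Constructed.A": KNOWN_DROPPER}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


HASH_DB = {sha256(sample): name for name, sample in KNOWN.items()}


def ngrams(data: bytes, n: int = 4) -> Counter:
    """Multiset of overlapping byte n-grams."""
    return Counter(data[i:i + n] for i in range(len(data) - n + 1))


def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Multiset Jaccard similarity over byte n-grams, 0.0 .. 1.0."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    inter = sum((ga & gb).values())
    union = sum((ga | gb).values())
    return inter / union if union else 0.0


# Static stand-in for behaviour rules: which OS features the sample
# appears to use (assumed indicator strings).
INDICATORS = {
    "writes_files": (b"CreateFileA", b"WriteFile"),
    "network": (b"WSAStartup", b"connect"),
    "embedded_url": (b"http://", b"https://"),
}


def behaviour_flags(sample: bytes) -> set:
    return {flag for flag, needles in INDICATORS.items()
            if any(needle in sample for needle in needles)}


def scan(sample: bytes, threshold: float = 0.7):
    """Return (verdict, reason): exact hash, then similarity, then heuristic."""
    h = sha256(sample)
    if h in HASH_DB:
        return HASH_DB[h], "exact hash signature"
    score, name = max((similarity(sample, ref), fam) for fam, ref in KNOWN.items())
    if score >= threshold:
        return f"{name} (variant)", f"{score:.2f} n-gram similarity"
    flags = behaviour_flags(sample)
    if {"writes_files", "network"} <= flags:
        return "Suspicious.Generic", "heuristic: " + ", ".join(sorted(flags))
    return None, "clean"


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_DROPPER), ("variant", VARIANT),
                          ("rewritten", REWRITTEN), ("benign", BENIGN)]:
        print(f"{label:10s} {scan(sample)}")
```

The single patched byte changes the SHA-256 (the exact signature misses) while leaving roughly 93% of the 4-grams intact, so the similarity layer still attributes the variant to the known family; the rewritten sample drops to about 0.2 similarity and is only caught by the feature-usage heuristic, which is the layer the message says a meaningful contest would have to attack.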


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

