DMZ Global’s senior security engineer, Simon Howard, had global antivirus software vendors studying his every move at the legendary Defcon hacker conference, held in Las Vegas last week.
Howard ran a competition called the “Race to Zero” in which teams of security pros had to modify nine samples of malware and exploit code to evade anti-virus software from 10 leading vendors.
One team completed the task in just under two-and-a-half hours, but failed to win the contest because two of its modified samples did not pass muster when they were reverse-engineered for judging.
Two other teams also completed the task on the first day and the eventual winner was judged to be a team from security consultancy Mandiant.
The results will be a wake-up call to users as well as vendors.
“Pattern or signature-based anti-virus is dead,” Howard told Computerworld on his return to New Zealand last week. “While a lot of people have behavioural technology, it has not made it into the enterprise space yet.”
Howard says adoption of behavioural anti-virus technology needs to be accelerated.
For home users there is a message as well. Howard says while behavioural screening is included in some consumer anti-virus packages it often needs to be activated separately, rather than through the default boxes provided on installation.
Howard says consumers often get new technologies ahead of enterprises as this market is used as a sounding board for development before enterprise packages are released.
He says the need to manage pop-up information — to provide meaningful information and alerts to users — is a major challenge.
Another solution is whitelisting, where only known good software is allowed on a system. However, Howard says anti-virus systems should still be in use.
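The contest described above, and Howard's contrast between pattern-based and behavioural detection (and the whitelisting alternative), can be illustrated with a toy model. This is an added example, not code from the article, the contest or any vendor: the "payload" is a harmless marker string, the signature, the "PACK" container format, the XOR key and the allowlisted hash are all constructed for illustration. It shows that a trivial re-encoding of a sample defeats a static byte-pattern signature while leaving the sample's behaviour unchanged, that scanning what the sample produces at run time (the behavioural view) still catches it, and that a hash allowlist rejects both the original and the variant because neither is known-good.

```python
import hashlib

# Constructed stand-in for a malicious sample (not real malware): just a marker string.
PAYLOAD = b"RACE-TO-ZERO-SAMPLE: drop and execute staged binary"

# Constructed pattern-based "signature": a fixed byte sequence the scanner looks for.
SIGNATURES = {"Sample.A": b"drop and execute staged binary"}

# Constructed known-good file and its hash, standing in for a whitelist of approved software.
BENIGN = b"benign admin tool v1"
ALLOWED = {hashlib.sha256(BENIGN).hexdigest()}


def signature_scan(blob: bytes):
    """Model of pattern/signature-based anti-virus: return the first matching
    signature name, or None if no known byte pattern appears in the blob."""
    for name, pattern in SIGNATURES.items():
        if pattern in blob:
            return name
    return None


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def build_variant(payload: bytes, key: int) -> bytes:
    """Produce a trivially 'packed' variant of the sample.

    Hypothetical container invented for this example: a 'PACK' magic, one key byte,
    then the XOR-encoded body. This is the kind of minimal modification that changes
    every byte a static signature could match while changing nothing about what the
    sample does once it runs."""
    if not 0 < key < 256:
        raise ValueError("key must be a non-zero byte")
    return b"PACK" + bytes([key]) + xor_encode(payload, key)


def unpack(blob: bytes) -> bytes:
    """What the variant does at run time: recover and 'execute' the original payload.
    A behavioural engine observes this decoded content; a static scanner never does."""
    if not blob.startswith(b"PACK") or len(blob) < 6:
        raise ValueError("not a PACK container")
    key = blob[4]
    return xor_encode(blob[5:], key)


def behavioural_scan(blob: bytes):
    """Model of behavioural/dynamic detection: let the sample run (here, unpack
    itself) and apply the signatures to what it actually produces."""
    try:
        runtime_image = unpack(blob)
    except ValueError:
        runtime_image = blob  # not packed; nothing to decode
    return signature_scan(runtime_image)


def allowlist_check(blob: bytes, allowed_sha256=ALLOWED) -> bool:
    """Model of whitelisting: only files whose hash is on the known-good list run.
    Mutating a sample cannot help an attacker here; it only produces another unknown hash."""
    return hashlib.sha256(blob).hexdigest() in allowed_sha256


def demo(key: int = 0x5A) -> dict:
    """Run the comparison and return the outcomes as a dict for inspection."""
    variant = build_variant(PAYLOAD, key)
    return {
        "original_static_hit": signature_scan(PAYLOAD),      # 'Sample.A'
        "variant_static_hit": signature_scan(variant),       # None: signature evaded
        "variant_behaviour_unchanged": unpack(variant) == PAYLOAD,
        "variant_behavioural_hit": behavioural_scan(variant),  # 'Sample.A' again
        "original_allowlisted": allowlist_check(PAYLOAD),    # False
        "variant_allowlisted": allowlist_check(variant),     # False
        "benign_allowlisted": allowlist_check(BENIGN),       # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The asymmetry the model exposes is the point Howard is making: the attacker pays one cheap transformation per sample, the pattern-based vendor pays a new signature per variant, whereas a behavioural engine or an allowlist is indifferent to how the bytes on disk were rearranged. In practice the run-time view is obtained by emulation, sandboxing or in-process monitoring rather than by calling the unpacker directly, and whitelisting still has to cope with legitimate updates, which is why the article recommends keeping anti-virus alongside it.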
Howard wasn’t the only Kiwi attending or presenting at Defcon. He says two consultants from Security-Assessment.com also attended, as well as Ben Hawkes, who studies Windows security.
Hawkes will be presenting at the Kiwicon 2k8 conference, to be held at Victoria University’s Pipitea campus, on September 27 and 28.
According to the programme, he will explore the cutting edge of heap exploitation theory and practice on Windows Vista.
“The focus is on finding previously unknown attack vectors resulting from memory corruption on the heap. These include techniques for controlling execution flow, by attacking only the heap implementation and not the application itself, and techniques for attacking the application in conjunction with the heap. Additionally, several design changes to further improve the security of the Vista heap will be suggested,” the event programme says.
The heap is the component in charge of dynamic memory management and is used to some extent in every Windows Vista process.
DMZ Global is a security management company owned by TelstraClear.