By Liam Tung
Wednesday, April 30 2008 09:28 AM
URL: http://www.zdnetasia.com/news/security/0,39044215,62040791,00.htm
A hacking competition will attempt to prove that signature-based antivirus is dead but security vendors said, apart from signatures, antivirus is alive and well.
White could be the new black after this year's Race to Zero competition at the Defcon security conference. Hacking competitors will be encouraged to tweak known viruses in an attempt to foil signature-based blacklists of several major antivirus engines.
Some representatives of antivirus companies claimed the competition is "not a good idea" and that it would not show anything vendors do not already know.
"Security research should center around bettering detection not evasion," Dave Marcus, security research and communications manager at McAfee Avert Labs told ZDNet.com.au's sister site, CNET News.com.
But the organizers of Race To Zero said antivirus vendors have lied to consumers, and have failed to deliver what they claim their products do.
"We're just pointing out the basic flaw in signature-based antivirus," competition organizer Simon Howard told ITRadio.com.au podcast Risky Business.
"[Antivirus] is their bread and butter and I can't really believe they're still making money on this stuff. For example, you see a new AV pattern is released and then you notice it's detecting a whole lot of viruses on your machine, when in actual fact you were infected with these viruses months ago and the AV vendors have just caught up," he said.
Howard is not alone on this front. Leading security expert Bruce Schneier has called the security industry a "lemon market", similar to second-hand cars, because consumers would not know how a product performed until it was too late.
In 2006, Graham Ingram, general manager of the Australian Computer Emergency Response Team (AusCERT), revealed that the most popular antivirus applications failed to detect 80 percent of new malware.
Simon Clausen, MD of antivirus company PC Tools, said the competition would not reveal anything new--not to security vendors anyway.
"Proving signature-based technology is outdated has already been done and we're already moving to the next stage. All major AV companies have for a long time been aware that malware writers' goal is obfuscation. We don't need proof. Every day we see attacks far more malicious and cunning than what will come out of this competition," he told ZDNet.com.au.
"Every AV company worth its salt is investing in R&D to counter these attacks," he added.
Sean Richmond, technical support manager at Sophos, threw down a gauntlet to the competition organizers: "Write a detection engine that can withstand modifications to the test set in the same way as what we--AV vendors--do on a regular basis. And test whether it requires updates to the products in minutes--that would be really interesting and might come up with novel ways of dealing with malware."
Yet despite the apparent shortcomings of signature-based antivirus software, there was consensus that antivirus is essential to use.
"It is still good to have AV software on there, don't get me wrong but it's not a panacea," conceded Race to Zero's Howard.
IBRS security analyst James Turner said: "I wouldn't advise anyone not to use antivirus software--not even if you own a Mac these days."
However, there is a problem with the use of blacklists, said Turner. "When the majority of stuff you're handling is malicious, it makes more sense to use a white list because that deals with the exception--blacklists only work if 'bad' is in the minority."
PC Tools' Clausen said the security industry has been looking beyond blacklists.
"I would very much disagree that AV is dead. Really, traditional signature-based AV is going to be dead in a few years, but what every antivirus company is evolving towards, like us, is behavioral AV technology, so AV will be alive," he said.