Ethics Behind Anti-virus Evasion

Security researchers are an odd bunch – seriously! Having finished the annual pilgrimage to Las Vegas, walked the hallowed halls of Blackhat and Defcon, and navigated bars more akin to an Earth-bound Mos Eisley of Star Wars fame, it’s clear that each year’s events get weirder and more tiresome.

As expected (and what always tends to happen) various speakers try to out-hype each other with their “sky is falling” rhetoric, and then proceed to deliver a talk that is 80% background info and 20% hand-waving/good-stuff. It’s not always that way, but my tactic in recent years has been to walk in on the last 15 minutes of the talk since that’s where the red meat is. Another outcome from the combined events is the shouting about ‘ethics’.

If you ever encounter a bunch of geeks more vocal about the ethics of disclosure, yet more prone to throw out those ‘ethics’ as soon as it gets in the way of their own research, let me know. There’s certainly no shortage of opinions concerning disclosure ethics during the paired conferences.

Which leads me to an interesting cry over ethics from one of the folks over at Kaspersky labs in their blog Some Researchs Lack Basic Ethics.

The argument is over the release of an automated malware packing system called PolyPack, developed as a research project by the University of Michigan.

PolyPack is a research project at the University of Michigan aimed at understanding the impact of malware packers on modern antivirus products. PolyPack highlights the failure of signature-based antivirus against common, widely available packers, investigates the role that diversity plays in the capabilities of both the packers and antivirus engines, and demonstrates the ease and efficacy with which an attacker could deploy an online packing service for nefarious purposes in a deployment model known as crimeware-as-a-service (CaaS).

The PolyPack web service uses an array of packers and antivirus engines to evaluate the effect that each packer has on the detection capabilities of the antivirus engines. Our current implementation employs 10 of the most common packers observed in the wild and 10 popular antivirus engines. A submitted binary is packed by each of the 10 packers and then analyzed by each of the 10 antivirus engines. The details of a few example results are available to the public.

It’s an interesting suite of packing techniques designed to show how malware can be automatically obfuscated and bypass the latest generations of anti-virus technologies. Let’s be clear though, there’s nothing new going on here – this kind of “stuff” has been around for quite some time now and represents a core technology used by professional malware authors to build their deliverable infectious packages. Granted, most of the advanced packer technologies used by cyber-criminals are more often deployed in a federated production model rather than a single advanced packer package – but the output is still the same.

This has obviously incensed one of the Kaspersky researchers – “In general, there seems to be a disconnect between the ethical standards of anti-virus veterans and those of newcomers to the security industry”. Which is an interesting turn of phrase from my perspective. I’d probably be classed as a “veteran” in the security space, but I disagree about the divergence of ethics. The ethics spectrum among security professionals is pretty broad – always has been, always will be – and it’s naive to try and split things between the old-farts and the security newbies. At the very least it’s more of a question about who pays the bills and what legal system they have to adhere to.

Perhaps more telling was the comment -

Well, there’s no need to speed up malware evolution. That will only help the bad guys, not the good guys. So I really can’t see a positive outcome from this ‘project’. Next to the fact that it’s completely unethical it may also be highly illegal.

Somehow I think that the “malware evolution” will proceed at its own pace, irrespective of PolyPack. Like I said, this is merely a representation of the tool suites already in the hands of professional cyber-criminals – and are already used to perpetuate crimeware and build botnets. From what I’ve observed, there’s still a lot of education on the topic that needs to be communicated – and that’s what University of Michigan are attempting to do. I certainly don’t see this as illegal either.

The same kinds of arguments cropped up in the mid-1990s over vulnerability scanners, and again in the mid-2000s with exploit toolkits like Metasploit. I’d like to see professional consulting teams using these kinds of packing tools as a way of verifying the integrity of their customers’ defensive layers and their ability to thwart malware infections. In fact it’s already happening… pentesting with malware under control.

To argue over the merits of making tools like this available (and btw it’s not available publicly) and wrapping it in the guise of questionable ethics, appears to me to be a vendor getting red and puffy and screaming “it’s not fair!”.

Armed with the current generation of packers, builders, cryptors, and other federated malware building ensembles, it’s a near trivial task to create malware that can’t be proactively detected with anti-virus technologies. Sorry, but that’s where we’re at. You’re better off arguing over the ethics of good and evil.

– Gunter Ollmann, VP Research
