Wednesday, August 25, 2010

a malware writer's conference?

WTF? no, seriously, what the f@%k??

ever since i first read about this a day or so ago on brian krebs' blog i've been struck by the utter stupidity of this idea.

to say that such a conference would have a strong law enforcement contingent present would be stating the patently obvious.

if security companies sent representatives it would be for the same reason - not to learn from these malware writers, but to learn about them. profiling these sorts of people for the purposes of assisting law enforcement is something security researchers have been doing behind the scenes for a long time.

but even disregarding the practical complications of exposing oneself to greater scrutiny by attending, the supposed beneficial objective (and i say supposed because the site itself makes no hint at any beneficial objectives whatsoever) of helping security researchers learn about the next generation of malware is just as stupid.

anti-malware vendors do not have any difficulty figuring out malware. each of the several dozen companies out there has its own army of reverse engineers picking these things apart all the time, and they've gotten so good at it and automated so much of it that in 2006 the average piece of malware could be processed in about 5 minutes. and since it's automated by computer, moore's law should make that process even faster now.

if (and i'm speaking hypothetically here) anti-malware companies have problems, understanding malware isn't among them. keeping up with the volume of malware is perhaps a challenge, but unless the malware writers are offering to stop what they're doing, there's little they can say or do to help ameliorate that problem.

arguably, the vendors also have a problem getting 'ahead of' the threat - which is to say that they can't assist in protecting you until after they've seen the malware (except, of course, they can - you just need to be using the right tools). the reason for this is because predicting malware (necessary if you expect a known malware scanner to be able to stop things that haven't been seen yet) is a bit like predicting the weather - no one can do it reliably. i don't see malware writers being able to help in that regard, even if they are showing off so-called next-gen malware. i also don't see them agreeing to stop performing malware q/a, which would nullify any advance in malware prediction they could offer.

last but not least, the concept of an ethical malcoder is laughable at best. comparisons to ethical hackers ignore the fact that hacker was originally a benign term that was later twisted by the media to include criminals. the term ethical hacker simply tries to highlight the benign examples that have been masked by the inclusion of a malicious set. malware creation, on the other hand, has never been benign - the most one could hope to do is highlight the non-financially motivated malware writers that have been masked by the inclusion of the financially motivated set, but those non-financially motivated ones are still pretty far from benign or ethical. until they understand their responsibility to the wider population and their impact on it and stop what they're doing, it will remain that way.

this isn't like vulnerability research, where developing exploits for newly discovered vulnerabilities serves to highlight flaws that need to be fixed. malware (in the general sense) does not depend on any flaw and thus its creation does not provide the same benefits. advancing the state of the art of attack does not serve the common good; it is not a positive contribution and can by no means be considered ethical.

4 comments:

Aodrulez said...

Maybe you should just check the sites www.malcon.org & www.isac.org.in. Once you are done, you can talk as much as you want. People laugh at first, then start thinking about it & then realize that it was right.

-Anonymous.

kurt wismer said...

maybe you should read this post again - i HAVE checked the malcon site. i'm not talking out of my ass, this conference is a bad idea all around. it has no potential for benefiting the public at large except as a way to flush targets for law enforcement.

Anonymous said...

"this isn't like vulnerability research, where developing exploits for newly discovered vulnerabilities serves to highlight flaws that need to be fixed"

As long as you don't consider an exploit as a type of malware, you are being naive.

kurt wismer said...

i DO consider exploit code as a type of malware. however it is a very special case that explicitly depends on software flaws.

that means that exploits and exploits alone have a valid beneficial impact on security, and then only in certain circumstances.

malcon, however, isn't limiting itself to exploits. it's not sploitcon.