Today's assignment : Coding an undetectable malware

Today's dynamic Internet threatscape is changing so rapidly that the innovation and creativity of malware authors can quickly render an information security course's curriculum on malware outdated, or, worse, leave students with a false sense of situational awareness about the malware that is driving the entire cybercrime ecosystem. In fact, one can easily spot an outdated curriculum by the malware it discusses, and by whether the lecturer bothers to point out that antivirus software, the way it is and the way it has been for the past couple of years, only mitigates a certain percentage of the threat rather than eliminating it, instead of simply urging everyone to "keep their antivirus software up to date."

George Ledin, a professor at Sonoma State University, thinks that coding malware helps students better understand the enemy. What is Ledin trying to achieve?

"Ledin insists that his students mean no harm, and can't cause any because they work in the computer equivalent of biohazard suits: closed networks from which viruses can't escape. Rather, he's trying to teach students to think like hackers so they can devise antidotes. "Unlike biological viruses, computer viruses are written by a programmer. We want to get into the mindset: how do people learn how to do this?" says Ledin, who was born to Russian parents in Venezuela and trained as a biologist before coming to the United States and getting into computer science. "You can't really have a defense plan if you don't know what the other guy's offense is," says Lincoln Peters, a former Ledin student who now consults for a government defense agency."

Is the point of coding undetectable malware in an academic environment to demonstrate scientifically that signature-based scanning will not detect the freshly written sample, or to keep providing a false feeling of security through wrongly positioned antivirus software? That is the question Sonoma State University's George Ledin seems to be asking, and he is naturally receiving a lot of criticism from companies "making their living fighting viruses", reaching such heights as companies speculating about not hiring his students, now capable of coding malware. The companies, however, forget one thing: how easy it in fact is to "generate" an undetectable piece of malware using the hundreds of malware builders they are already aware of, builders that come in very handy for internal benchmarking purposes, for instance.

For the past couple of years antivirus software has been a purely reactive security solution: rather than taking a pro-active approach, vendors in catch-up mode with malware authors have been reacting to known threats. Two months ago Eva Chen, Trend Micro's CEO, made some very bold but pretty realistic statements about signature-based malware scanning and how the entire industry has been wrongly positioned for the past 20 years:

"In the antivirus business, we have been lying to customers for 20 years. People thought that virus protection protected them, but we can never block all viruses. Antivirus refresh used to be every 24 hours. People would usually get infected in that time and the industry would clean them up with a new pattern file. In the last 20 years, we have been misrepresenting ourselves. No-one is able to detect five and a half million viruses. Nowadays there are no mass virus outbreaks; [malware] is targeted. But, if there are no virus samples submitted, there's no way to detect them."

Precisely. What Ledin is blamed for is in fact demonstrating something that is already outdated by the very nature of how antivirus software works. The same approach of proving a known fact will be taken by the upcoming "The Race to Zero" undetectable malware coding contest to be held at this year's Defcon security conference. Moreover, in between vendors counting how much malware they detect, take a peek at publicly obtainable statistics on detection rates for malware in the wild and you will see how dynamic the "best antivirus software" position is, since it literally changes every day. And theoretically, even the "best antivirus software" would not be able to detect the malware coded by Ledin's students, or malware that someone requested to be coded for hire, a service that has been getting increasingly popular these days thanks to its customization approach.
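
The reactive loop Chen describes, as an added illustration that is not part of the original post and is not any vendor's engine: a toy byte-signature scanner, an inert constructed sample, and a "polymorphic" variant that re-encodes the same body under a fresh key. The sample text, the stub marker, the key values and every function name are assumptions made for this example.

```python
"""Added illustration (not from the article): why byte-signature scanning is
purely reactive. The "sample" is an inert constructed string, the signature is
lifted from it the way a vendor would after submission, and the "polymorphic"
variant re-encodes the same body under a fresh key. Nothing here executes."""
import math
from collections import Counter

# Constructed stand-in for a submitted malicious body.
KNOWN_SAMPLE = b"CONSTRUCTED-TEST-SAMPLE: inert marker text, not real malware. " * 3

# Reactive signature database: one distinctive byte run per sample seen so far.
SIGNATURES: dict[str, bytes] = {"Constructed.Sample.A": KNOWN_SAMPLE[:32]}

STUB = b"\x90\x90KEY"  # constructed decoder-stub marker shared by all variants


def scan_signatures(blob: bytes, db: dict[str, bytes] = SIGNATURES) -> list[str]:
    """Names of every signature whose exact byte pattern occurs in blob."""
    return [name for name, pattern in db.items() if pattern in blob]


def encode_variant(body: bytes, key: bytes) -> bytes:
    """Build a 'polymorphic' variant: stub marker, key length, key, then the
    body XORed with the repeating key. A new key gives a new byte stream for
    the same body, so a signature taken from one variant misses the next."""
    if not key or 0 in key:
        raise ValueError("key must be non-empty and contain no zero bytes")
    encoded = bytes(b ^ key[i % len(key)] for i, b in enumerate(body))
    return STUB + bytes([len(key)]) + key + encoded


def decode_variant(blob: bytes) -> bytes:
    """What the stub would do at run time: recover the original body."""
    if not blob.startswith(STUB):
        raise ValueError("not a variant produced by encode_variant")
    klen = blob[len(STUB)]
    key = blob[len(STUB) + 1:len(STUB) + 1 + klen]
    body = blob[len(STUB) + 1 + klen:]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(body))


def scan_heuristic(blob: bytes) -> list[str]:
    """Signature-free check keyed on what every variant must carry: the stub."""
    return ["Heuristic.DecoderStub"] if blob.startswith(STUB) else []


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; plain text sits well below an encoded or packed body."""
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def race_to_zero(keys: list[bytes]) -> dict:
    """Replay the vendor/author loop from the text: each variant is missed,
    a signature is lifted from it after the fact, and the next key defeats
    that signature again. The stub heuristic catches every round."""
    db = dict(SIGNATURES)
    log = []
    for i, key in enumerate(keys):
        variant = encode_variant(KNOWN_SAMPLE, key)
        log.append({
            "variant": i,
            "signature_missed": scan_signatures(variant, db) == [],
            "heuristic_hit": scan_heuristic(variant) != [],
            "body_intact": decode_variant(variant) == KNOWN_SAMPLE,
        })
        # Reactive update: add a pattern from this variant to the database.
        db[f"Constructed.Sample.V{i}"] = variant[-32:]
    return {"db_size": len(db), "log": log}


if __name__ == "__main__":
    print("known sample:", scan_signatures(KNOWN_SAMPLE))
    print("entropy plain / encoded: %.2f / %.2f" % (
        shannon_entropy(KNOWN_SAMPLE),
        shannon_entropy(encode_variant(KNOWN_SAMPLE, b"\x13\x37\x5a\xa5"))))
    for entry in race_to_zero([b"\x13\x37", b"\xde\xad\xbe\xef", b"\x42"])["log"]:
        print(entry)
```

Each round of `race_to_zero` is the "antivirus refresh" from Chen's quote: the database grows by one entry per variant, yet every new variant is still missed on first sight, while the check that keys on the decoder stub (what the variant must carry to run) fires regardless of key. Real engines use far more than byte runs, but the ordering of events, sample first and signature second, is exactly the point the post makes.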

Ironically, the IT underground is a step ahead of George Ledin, using distance-learning approaches such as video tutorials on how to use the Pinch malware kit, including practical examples of successful attacks and tips from personal experience with it. Coding an undetectable piece of malware in 2008 isn't rocket science, with do-it-yourself malware builders providing point-and-click feature integration that used to be available only to a sophisticated malware author a couple of years ago. Then again, having undetected malware doesn't mean its authors will be able to spread it successfully and infect millions of users, so from a strategic perspective it's all about the tactics, and the combination of tactics, they would use in their campaign.

Before you judge Ledin's vision, ask yourself the following - does coding malware ultimately improve the career competitiveness of his students in the long-term, or isn't what he's trying to prove a known fact already?

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • Hardly news

    The story on Ledin is hardly news. The security community has known about the inadequacies of signature-based approaches to detection of ANYTHING (all flavors of malware, intrusions, etc.) for years. Heck, I've been demonstrating to my students how trivial it is to bypass AV since 1995. And the challenge of polymorphism has been a regular topic at BlackHat, government security conferences, ...

    Newsweek ran the article like it was some kind of revelation. Maybe for Kushner it was. If so, he hasn't done his homework. It is typical of the grab for readership, invoking FUD over reality. However, it makes a great article for my students, particularly in the "we haven't been paying attention" category.
  • Good anti-malware analysts should have...

    created some pretty crafty malware themselves and I'm not talking about using Metasploit or NeoSploit or other kits, rather I am talking about languages native to the exploited platform.
    They should also know the ins and outs of how a casual application programmer codes and of course the platform architecture if the language doesn't abstract it.

    These AV/"Security" companies that threaten not to hire these students are analogous to "Stop playing with my toys or I'm going to put them all away", simply ridiculous.

    Signatures are a no brainer, but it takes pure analytical thinking to monitor the vectors of, and disassemble an exploit. Without that type of "BlackHat" analytical thinking then they have no hope at all.
  • While it is perhaps a known fact that is being proved

    additional studies aren't a bad thing.

    What I think we really get out of this are people with a skill set who know how to code like malware programmers, so there is a talent pool from which to draw on for folks who really know how to secure code against malware.
  • RE: Today's assignment : Coding an undetectable malware

    I personally feel that Mr. Ledin's way of teaching is fantastic and much needed at this hour. This is what is missing in many security-related trainings, and I feel it's the best way to create tomorrow's security visionaries & experts.

    And as for companies speculating on not hiring his students, I am surprised at their short sightedness.

    Mr.George Ledin, if you are reading this, then I just want you to know that I'm proud that people like you still exist who can impart the true culture of hacking. Keep up the good work.

    Best Regards,

    Rajshekhar Murthy
    CEO - Orchidseven Infosec.
  • Where can I get in touch

    with one of those students? I have some sort of homemade malware that has appeared in my Java application. There's no info on this and I can't find a solution.
    Maybe these students would be my best bet. I don't have a huge company and big bucks to pay for removal and I'm not sure where to start looking. I'm just a Java developer, I haven't much interest or ability for malware.
    Maybe I could afford to pay a student...