
Tuesday, May 13, 2008

Who are behind the RaceToZero contest?

The RaceToZero has captured the public's imagination (or shall I say the media's) as the latest member of the "AntiVirus is dead" movement.

As I tried to explain in my previous post, the results of the game are rather predictable (no detection after 5 minutes) unless the organizers are really mean (giving the contestants a polymorphic file-infector for example). To reiterate:

If no variation of a given sample has been observed ITW, there is no reason for the AV engine to search for variations of it (it would be a waste of resources and would just slow down the user's computer). Even if variations have been observed (or the given family is known to use a given kind of variation), generic routines are targeted at detecting samples modified that way and (probably) won't detect samples from the contestants which are modified in other ways (because such samples were not observed ITW).

This is not to say of course that AV engines don't have a couple of tricks up their sleeves, and I wanted to invite the contest organizers to make the contest a little more fair. Since it seems that they have made up their mind about submitting the resulting samples, I suggested (as a private person, not as the representative of any company, standard disclaimer applies) to submit the original samples to the companies in advance. This would be (somewhat) similar to the given companies observing that modified versions of the samples are circulating ITW. I said somewhat because under normal circumstances the company would have the modified versions also so that the method for modification can be studied.

Unfortunately, as of this date, I haven't got any answer to my e-mail. However, their mailserver leaked some interesting information. I sent the original mail to their public contact address, and after a day I got the following NDR back (email addresses obfuscated to discourage spam bots):

This is the mail system at host grindhouse.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                  The mail system

 (expanded from ): host
    smtp.hp.com[15.216.28.48] said: 450 4.7.1 Client host rejected: cannot find
    your hostname, [210.48.62.17] (in reply to RCPT TO command)
Reporting-MTA: dns; grindhouse
X-Postfix-Queue-ID: 5BD209C503
X-Postfix-Sender: rfc822; x_at_y_or_z __at__ yahoo.com
Arrival-Date: Sun,  4 May 2008 19:36:13 +1200 (NZST)

Final-Recipient: rfc822; richard.j.smith __at__ hp.com
Original-Recipient: rfc822;contest __at__ racetozero.net
Action: failed
Status: 4.7.1
Remote-MTA: dns; smtp.hp.com
Diagnostic-Code: smtp; 450 4.7.1 Client host rejected: cannot find your
    hostname, [210.48.62.17]

...original message...

Although this isn't 100% certain (email being an unauthenticated protocol which can be easily manipulated), it seems that the original contact address is set up to forward messages to an address at HP. The IP mentioned in the headers (210.48.62.17) is from the same provider that hosts the RaceToZero website, and a reverse DNS lookup resolves to mail.mince.ac.nz. My theory is that because of a misconfiguration or some temporary fluke, the HP mailserver rejected this message (BTW, I did try to send the email directly to the HP email address, but still got no response).
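The comparison made above (Original-Recipient versus Final-Recipient in the delivery-status part) can be automated by a mail administrator who wants to check whether bounces from their own forwarding host expose the address behind a public alias. This is an added example, not part of the original post; the sample DSN is constructed, its addresses, hostnames and IP are placeholders, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample modelled on the delivery-status part of the NDR above;
# addresses, hostnames and the IP are placeholders, not the page's values.
SAMPLE_DSN = """\
Reporting-MTA: dns; forwarder
Arrival-Date: Sun, 4 May 2008 19:36:13 +1200

Final-Recipient: rfc822; staff.member@corp.example
Original-Recipient: rfc822;contact@contest.example
Action: failed
Status: 4.7.1
Remote-MTA: dns; smtp.corp.example
Diagnostic-Code: smtp; 450 4.7.1 Client host rejected: cannot find your
    hostname, [192.0.2.17]
"""

def _addr(field):
    """Drop the 'rfc822;' / 'dns;' type prefix; lowercase for comparison."""
    return field.split(";", 1)[-1].strip().lower() if field else None

def forwarding_leaks(dsn_text):
    """Return one dict per recipient whose final address differs from the
    address the sender originally used (the bounce exposes a forward)."""
    leaks = []
    # RFC 3464: groups of header-style fields separated by blank lines;
    # the first group is per-message, the rest are per-recipient.
    for group in re.split(r"\n\s*\n", dsn_text.strip()):
        fields = message_from_string(group + "\n")  # unfolds continuations
        final = _addr(fields["Final-Recipient"])
        original = _addr(fields["Original-Recipient"])
        if final and original and final != original:
            diag = " ".join((fields["Diagnostic-Code"] or "").split())
            ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", diag)
            leaks.append({
                "public_address": original,
                "exposed_address": final,
                "remote_mta": _addr(fields["Remote-MTA"]),
                "relay_ip": ip.group(1) if ip else None,
            })
    return leaks

if __name__ == "__main__":
    for leak in forwarding_leaks(SAMPLE_DSN):
        print(leak)
```

An empty result means the bounce names only the address the sender already knew.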

The interesting part about this automated reply is that it implies that Richard J Smith is also involved in the organization of the contest (although I'm sure that he does this as an individual, not as a representative of the company). We know of course about another organizer, Simon Howard, who appeared on the Risky Business podcast to talk about the contest.

Searching around a bit didn't reveal much. He seems to be a security researcher at HP, who co-authored a paper about Blaster (Why HP did not get "Blastered". Warning, PDF!) and has some reversing questions.

Update: corrected curse -> course. Proof that a spell checker doesn't catch everything. Thanks.

2 comments:

  1. Is it just me or are there far too many Richard Smiths in the malware universe?

  2. That's what I thought at first too (Richard Smith sounds similar to John Doe :)), but given that it refers to an HP address, it is fairly certain that this is a real person with this name.
