The computer security community is used to vilifying the hackers and malware authors who choose to use their talents for evil, instead of good. Now a new hacking conference is trying to bring malware authors out of the shadows and wondering, in the words of Rodney King, if we “all just can’t get along.”
Malcon, a security show scheduled for December in Mumbai, India, is billed as the first of its kind: a “common platform” for the world’s most talented Virus authors, exploit writers and toolkit creators — and the security pros who spend careers trying to thwart or apprehend them.
The conference is the brainchild of Rajshekhar Murthy, a Mumbai-based IT security expert, and head of Information Security at an Indian telecommunications firm. (Murthy asked Threatpost to withold the name of his employer.)
In a phone interview with Threatpost, Murthy said the Malcon conference was in the spirit of DEFCON, the now (in)famous hacking conference that is held each year in Las Vegas. Like DEFCON, Malcon is intended to raise the level of security awareness within the IT community by fostering more direct interactions between malware authors and the security pros hired to thwart them.
“We’re having tremendous problems with malware and cyber crime,” Murthy said. “But we don’t do a good job of detecting malware. We’re too focused on reaction.”
Inviting malware authors to the table will give security professionals a better understanding of how malware works and help to engender more proactive defenses, he said. Selected presentations from Malcon will be reprised at a second conference, Club Hack 2010, in Pune India, he said.
Murthy was careful to say that the conference didn’t condone the creation of malicious programs.
“We know there’s a lot of anger – people say that ‘malcoders are bad.’ We agree with that. Those guys are bad. The point is, we can’t ignore them,” he told Threatpost. In coaxing malware authors out of the shadows and giving them a forum to contribute what they know, the white hat security community benefits, he argued.
Malcon organizers’ call for papers cast a wide net, asking for papers and proofs of concept (where applicable) in areas such as hacking tools, malware (rootkits, trojans, botnets, viruses, keyloggers), Web based attacks as well as innovations in malware infection and self defense (AV detection, antivirus exploitation and anti reversing.
Murthy said that any malicious programs or proof of concept code revealed at Malcon would be shared with the security community immediately so that signatures could be created for it.
He hp[es the conference will change attitudes in his native India, where even well-intentioned security and vulnerability research has historically been frowned upon.
“Software development counts for 80 percent of India’s revenue. But if developers in India aren’t ready for security or create loose or insecure products, its bad for our reputation.”
While Murthy isn’t sure his new show will have the pull to draw top malware authors from North America, China, Russia and Eastern Europe, he hopes it provides a venue for young, talented and curious computer scientists in India.
He wouldn’t disclose how many individuals had registered for the Malcon show so far, but said it may take a few years to establish the show. “I hope that, five years down the road, we’ve helped to create a culture of security research.”
The issue of legitimizing malicious code authoring has historically been a prickly topic in the IT industry. In 2003, the University of Calgary in Canada got into hot water after it offered a class to students in virus writing. Several anti malware vendors at the time pledged not to hire students who had taken the course.
Attitudes have softened since then, as penetration testing and ethical hacking have come to be perceived as important tools in network defense and product design. Still, within the antivirus community, there’s little tolerance for anyone who tries to blur the lines between malware authors and the researchers who analyze their creations.
“I think they’re coming from a nieve standpoint,” said Kurt Baumgartner, a senior security researcher at Kaspersky Lab. (Editor’s note: Threatpost.com is an online publication of Kaspersky Lab.) “I don’t really expect the Koobface Gang to show up and sit around singing Kumbaya and cooperating in malcode writing together,” he said. “The profit motivation is really the only motivation for (malware authors) a lot of the time.”
The computer security community already has forums for offensive security research, where “responsible” experts from security and anti malware companies share knowledge about attacks and exploits, Baumgartner said.
He also took exception with the comparisons to the DEFCON conference. “It seems like DEFCON is encouraging people to push the envelope, but not to break the law,” he said.