I was pretty bummed this year when I found out that a previous engagement would prevent me from traveling to Las Vegas for the annual back-to-back Black Hat and Defcon security conventions. But I must say I am downright cranky that I will be missing MalCon, a conference being held in Mumbai later this year that is centered around people in the “malcoder community.”
According to the conference Web site, MalCon is “the worlds [sic] first platform bringing together Malware and Information Security Researchers from across the globe to share key research insights into building the next generation malwares. Spread across the world, malcoders now have a common platform to demonstrate expertise, get a new insight and be a part of the global MALCODER community. This conference features keynotes, technical presentations, workshops as well as the EMERGING CHALLENGES of creating undetectable stealthy malware.”
The call for papers shows that this security conference is encouraging malware writers of all shapes, ages and sizes to bring and share their creations. “We are looking for new techniques, tool releases,unique research and about anything that’s breath-taking, related to Malwares. If your presentation, when given with all its valid techno-Jargon can give our moderators a head-ache, you are right up there. The papers and research work could be under any of the broad categories mentioned below. You can submit working malwares as well.”
Among the “malwares” encouraged are novel phishing kits, botnets and mobile phone-based malware, malware creation tools, cross-platform malware infection techniques, and new malware self-defense mechanisms, such as anti-virus exploitation techniques.
At first, I didn’t know what to make of this conference, which was initially brought to my attention by a clueful source in the botnet underground. My hoaxmeter went positively bonkers after I pinged both of the e-mail addresses listed on the site and each e-mail bounced.
But then I caught up with Rajshekhar Murthy, the coordinator for the conference. Murthy said MalCon will be hosted on Dec. 3 in Mumbai, and then again on Dec. 5 at the Clubhack 2010 conference in Pune, India, which has apparently attracted oft-quoted security expert Bruce Schneier as a leading speaker.
Murthy confirmed that the idea behind the conference was indeed to attract malware writers.
“You are right, the major goal of the conference is to encourage and foster the creation of malcode. But it is done for all the good reasons,” Murthy wrote in an e-mail to KrebsOnSecurity.com. “There are only a handful companies that dominate and sell Anti-malware / Anti-virus programs, compared to a huge number of malcoders who release a million new malwares every year. The approach to the problem is always ‘Reactive’ and is done if the malcode is detected in time.”
Murthy continued: “While a conference can be done by inviting the best / well known security experts who can share statistics, slides and ‘analysis’ of malwares, it is not of any benefit to the community today except that of awareness. The need of MalCon conference is bridge that ignored gap between security companies and malcoders. They have to get on a common platform and talk to each other. Just like the concept of ‘ethical hacking’ has helped organizations to see that hackers are not all that bad, it is time to accept that ‘ethical malcoding’ is required to research, identify and mitigate newer malwares in a ‘proactive’ way.”
For his part, Schneier said he does not agree with the idea that better malware is needed to fine-tune computer security tools.
“The bad guys produce more than enough malware to stimulate research,” Schneier wrote in an e-mail.
At any rate, it’s time to get working on your malwares already, people! Final papers are due Nov. 10. Oh, and if anyone decides to go and can snag me a T-shirt from the con, I’m an extra large.