August 24, 2010

I was pretty bummed this year when I found out that a previous engagement would prevent me from traveling to Las Vegas for the annual back-to-back Black Hat and Defcon security conventions. But I must say I am downright cranky that I will be missing MalCon, a conference being held in Mumbai later this year that is centered around people in the “malcoder community.”

According to the conference Web site, MalCon is “the worlds [sic] first platform bringing together Malware and Information Security Researchers from across the globe to share key research insights into building the next generation malwares. Spread across the world, malcoders now have a common platform to demonstrate expertise, get a new insight and be a part of the global MALCODER community. This conference features keynotes, technical presentations, workshops as well as the EMERGING CHALLENGES of creating undetectable stealthy malware.”

The call for papers shows that this security conference is encouraging malware writers of all shapes, ages and sizes to bring and share their creations. “We are looking for new techniques, tool releases,unique research and about anything that’s breath-taking, related to Malwares. If your presentation, when given with all its valid techno-Jargon can give our moderators a head-ache, you are right up there. The papers and research work could be under any of the broad categories mentioned below. You can submit working malwares as well.”

Among the “malwares” encouraged are novel phishing kits, botnets and mobile phone-based malware, malware creation tools, cross-platform malware infection techniques, and new malware self-defense mechanisms, such as anti-virus exploitation techniques.

At first, I didn’t know what to make of this conference, which was initially brought to my attention by a clueful source in the botnet underground. My hoaxmeter went positively bonkers after I pinged both of the e-mail addresses listed on the site and each e-mail bounced.

But then I caught up with Rajshekhar Murthy, the coordinator for the conference. Murthy said MalCon will be hosted on Dec. 3 in Mumbai, and then again on Dec. 5 at the Clubhack 2010 conference in Pune, India, which has apparently attracted oft-quoted security expert Bruce Schneier as a leading speaker.

Murthy confirmed that the idea behind the conference was indeed to attract malware writers.

“You are right, the major goal of the conference is to encourage and foster the creation of malcode. But it is done for all the good reasons,” Murthy wrote in an e-mail to KrebsOnSecurity.com. “There are only a handful companies that dominate and sell Anti-malware / Anti-virus programs, compared to a huge number of malcoders who release a million new malwares every year. The approach to the problem is always ‘Reactive’ and is done if the malcode is detected in time.”

Murthy continued: “While a conference can be done by inviting the best / well known security experts who can share statistics, slides and ‘analysis’ of malwares, it is not of any benefit to the community today except that of awareness. The need of MalCon conference is bridge that ignored gap between security companies and malcoders. They have to get on a common platform and talk to each other. Just like the concept of  ‘ethical hacking’ has helped organizations to see that hackers are not all that bad, it is time to accept that ‘ethical malcoding’ is required to research, identify and mitigate newer malwares in a ‘proactive’ way.”

For his part, Schneier said he does not agree with the idea that better malware is needed to fine-tune computer security tools.

“The bad guys produce more than enough malware to stimulate research,” Schneier wrote in an e-mail.

At any rate, it’s time to get working on your malwares already, people! Final papers are due Nov. 10. Oh, and if anyone decides to go and can snag me a T-shirt from the con, I’m an extra large.


31 thoughts on “MalCon: A Call for ‘Ethical Malcoding’

  1. Frank Bar

    I did a quick WHOIS check for malcon.org and it seems to be run by some group called “OrchidSeven”. They seem to offer a multitude of somewhat dubious hacking bootcamps and security certifications. Under their “News and Events” tab at the bottom of the page I noticed a link to labeled “India’s Youngest Hacker from Orchidseven!”. Apparently the group made the newspapers in Mumbai a few years back for offering a 12-year-old kid a research fellowship. The “whiz hacker” reportedly passed his MCSE exam at age 7. As cute as he is, this hefty heavyweight hacker can pwn your box faster than you can say Little Debbie’s Snack Cakes. I wonder if he attending the conference?

    1. Neelabh Rai

      Yes, the boy too was present there and surprisingly was also in the panel members for replying in the discussions. However, the interesting part was whenever he spoke it felt to me like another Indian Government official is saying something. By the way, his name is SHANTANU.

  2. Geo

    OrchidSeven offers security certifications and university courses (!) … have a look at the curriculum:
    – Using SMS and Chat for effectively gaining trust
    – How SMS has taken over our lives…

    I believe the target audience is l33t haxors with deep pockets. So .. I’m out.

  3. Jim

    Could be I’m missing something in my reading. I’m reading a group of malware authors is sponsored by an organization supporting malware is coming together with a gaggle of computer geeks for the common good of computer security? Pretty well supports my suspicions that malware detection vendors and malware authors are under the same umbrella. While so many malware authors are gathered, how bout haul them off to jail?

    1. Maureen

      I had that same thought…or feed them all eggs from Dutch Farms…

    2. Eric

      I appreciate malware writers & anti-malware people. Collectively they cause improved security in *nix operating systems & software. The world benefits. They also keep me from using, paying for & slaving to repair Windiz systems. Without them I would still be using Windiz.
      Thanks guys!

    3. Neelabh Rai

      Unfortunately, very few malware authors were present. The maximum attendance was of the Govt. Servants of India and few independent Cyber Security Researchers. I found that only nulcon hackers were present and were supposedly supported by the conference organizers.

  4. Bob James

    I heard it was being held in a huge tent. The MalCon tent.

  5. Jonathon

    If a bunch of drug lords decided to host a large conference where everyone could come and share their best techniques on making meth, smuggling drugs, and killing cops; would we stand by and let them do it?

    Maybe I am not comparing apples to apples, but even the activities at DefCon are bad enough for me to question whether such conferences really ought to be held.

    I guess if I’m a good enough hacker/malware developer, I can quit my day job and become a “security researcher” and just spend all day trying to find new ways to exploit the software we use every day. (I’m NOT saying there aren’t legitimate security researchers out there.)

    1. El

      Sounds like someone got caught by a hacker with kiddy porn on his box. Get fucked.

    2. KFritz

      I detest the malware enterprise. It takes some of the fun out of the internet for me, and ruins the finances of the unwary and unfortunate. But it you’ve ever seen what becomes of the ‘lives’ of hard drug users @ the end of their addiction, you’d know that aside fr/ murder, sexual predation, or large scale environmental pillage (give me my life back!) no crime compares to dealing in hard drugs

  6. T.Anne

    While I can fully understand people being upset that a gathering like this can take place – if it’s being used in a good way, what’s wrong with it? I think it falls in the “it takes one to know one” type category – how are you going to catch them or protect against them if you don’t think like them?

    Jonathon compares them to drug lords – but what if they’re the undercover cop within that whole string? Is that person just as bad as the rest since he’s trying to help end it but first has to get involved to do so?

    If these people understand security experts are going to be there too – I’d compare them more to the undercover cop than to the drug lords… I would think they’d know the combination of the two was to help security as a whole (but perhaps I give too much credit). Could it be questionable – yes, could there be some people there in hopes of bettering their malware – yes… but could there be a positve to come out of it too – yes. If we can learn to think more like them we can better prepare for future attacks. And if they’re willing to help us – why not?

    1. Joe

      I’d be interested in going to this. More because I’m interested in learning the intricacies of how different peaces of malware work and dangling with those who write it. I don’t write malware though. I don’t feel there is anything unethical with writing malware either.

      The people who are being unethical are those making anti-virus applications, advertising anti-virus applications, etc. The Internet is a KNOWN wild-west and users are responsible for all computer failings here. They may not be held responsible for intrusions there own bank account- as it wasn’t a system they control. But there own system they control is. Yes- it may be hard to secure. Anti-virus is security theater too. The question is can MS Windows be secured? I’d argue no. So the next question is who can you blame?

      There is blame. BUT you are blaming the wrong parties here. Viruses, spyware, and other malware get on users systems because of security vulnerabilities and user design flaws. It is partially end-users responsibility too- but largely it comes down to bad OS design. Microsoft Windows & Mac OS X environment are too lenient about what end-uses can willy nilly install with just a click of a button that does not go through some sort of net. Defaults should be changed so macros, scripts, and other content are non-executable by default similar to copy GNU/Linux’s approach to security and use repositories or some other white-listing. Anything else the user should have to go through a number of clicks to install- to the point that no legitimate software would use it.

  7. Neima

    Visualize yourself at Mal-con right now, if you do this intensely enough, you may very well find that something happens at the last minute that enables you to attend, sounds odd, but it works!

    By the way, you don’t look like an extra large.

  8. Maureen

    Although I shouldn’t be, I’m amazed. As someone already mentioned, it’s a sure bet that there will be law enforcement there. Even if they can’t be arrested for just talking and sharing technology and practices, isn’t just being visible there a gamble on their parts?

    1. Neelabh Rai

      You are right. In the MALCON, not only the law enforcement agencies were present but the people from Intelligence Agencies, Defence Intelligence Agencies were also present. The interesting part was that when I recognized one of them in the conference, he was in a shock and said instead that he is just an unemployed one and was here to look for an employment opportunity. Wow! What a lie…

      Instead I had observed that the people from Intelligence Agencies were monitoring those people specifically who were attending their workshops esp. the one on Exploit writing.

  9. KFritz

    Most commercial malware comes fr/ the former Soviet Bloc. I assume that the governments of these various states, esp Russia and Ukraine, tolerate the malefactors who write and ‘administer’ the malware–for various reasons.

    To hazard a guess, not many of the pros fr/ the former Soviet sphere will attend, especially if their local secret services have any input on the subject. The lower their profile the better. They MAY send talent scouts to watch the proceedings fr/ the periphery.

  10. David Chasey

    My assumption is the malcoders will be deceptive and try to lay traps. The idea from this perspective is for the conference to become a part and parcel of the deception that is the creation of malware. But there certainly would be some that “turn to the good.” Perhaps someone who knows a lot about game theory could calculate all of this and tell us whether or not he/she sees an overall plus or a minus.

  11. Bob James

    I think opening a MalCon tent is a good thing. The exchange of information is valuable. The vulnerabilities are out there discovered or not, public or not. At least some of the undiscovered vulnerabilities out there are in use by “for profit” MalContents as well as governments. Getting the discussion in public helps security folks discover what they don’t know. As for acting against the people that are at the conferences, the information gathered would be mostly intelligence for future actions against these people where specific hard evidence has been gathered. As for the educational aspects for the MalContents, I think it’s mainly a ego trip for them rather than learning the trade/hobby….no actor goes to the Emmys to learn how to act. I guess it stimulates them to some degree but I think there are plenty of methods for this exchange of information.

  12. jon

    don’t worry we only build malware to use on bad people this makes it ok

  13. Alfonzo Delpozo

    What does it take to get shut down in this country? Maybe someone in the media should do a little investigative reporting, because there seems to be a bigger problem here than a few isolated incidents. Aren’t these factory farms repeat offenders?

  14. Ugh

    Hopefully there will be a few black vans outside with the words Free Beer Inside written on the side.

  15. Maxzitr

    Well I checked orchidseven.com and apparently its quite interesting. They helped me get some things cleared out. I informed that my pockets aint deep and boy am i glad they are quite easy with that. the course is a lot cheaper in cost compared to what others are offering as per the topics.
    I hope i make it to Malcon.

  16. Neelabh Rai

    To me, attending the MalCon seems more like a marketing gimmick than a serious talks / discussions. Orchid Seven was more interested in launching their initiative called as “National Security Database (NSD)” and to showcase it, in my opinion, the conference was termed as an International. Nothing was there as such International. Only one person from France was present. Is being present from another country gives the sense and meaning of an International Conference? I don’t think so.

    Additionally, I met many independent cyber security researchers present there in the conference and surprisingly, no one was interested to be a part of NSD. NSD was supposed to create a database of those people who will be a part of crusaders’ team and will be checked by Orchid Seven. The key issue which was a major concern of the independent cyber security researchers was the clauses of NSD. One can’t submit their research papers in any conference, and the members of NSD had to work anonymously (&, as a volunteer…. no paid service!).

    I just wasted my time and money, I think so, by being a part of MalCon. Except meeting few old & new friends, I didn’t received much knowledge (which I had supposed to receive being in such conferences).

    So, in my opinion, its’ a strict No-No if someone is planning to be a part of 2nd MalCon in future, if any.

    1. maxtor

      I think for the fact that its a first kind of attempt, its obvious you wont find too many malware authors walking right into it happily. I was there at the conference too and it did not feel like they were interested to launch this NSD – it was more of a response to a query to an audience?

      At least there exists one good hacker convention in India. You seem to have more of a personal take on this.

Comments are closed.