In his keynote at Shmoocon, Peiter Zatko brought up a pretty cool example of applying game theory principles to security. The takeaway was “if you think the game is illogical, you’re probably missing something”.
In this case the game involved the new feedstock of AV companies: botnets. His observation: the botnet writers had implemented a simple XOR cipher that was pretty obvious as part of their protection scheme. This cipher had roughly a ten-day lifecycle from release to detection to AV signature release. When the ten days were up, the botnet writers would alter the cipher and the cycle would start again.
At one point, the cipher was changed to a stronger AES version. After ten days, nothing. So what happened? According to Zatko, the weaker cipher system was put back. Nuts, right?
The theory is that it takes a few minutes to change the cipher and ten days to get caught. That’s a pretty good investment, and the AV companies are happy because they get to say they’re releasing sigs all the time. If you take away the low-hanging fruit, maybe the AV companies will figure out how to block the bot in a more fundamental way, something that takes more than five minutes to fix.
So in the end it’s in both parties’ interest to keep the cycle alive. AV isn’t providing a solution, and everyone is making money prolonging the problem. And the ironic part is that the AV client is probably happier too. I mean, look at all these signatures I’ve applied this month; what a good investment.
I guess the bright side is that guys at DARPA like Mudge are digging into this, taking it seriously, and, most importantly, being given the latitude to talk about what they’re seeing.