Malware Convention -- Not a Good Idea

Anyone who was ever concerned by the concept of hacking conventions such as Black Hat -- which has evolved into a reputable venue for security defenders -- should brace themselves: An event called MalCon is on the horizon, which will provide a fine venue for malware creators to hone their craft, as well as, theoretically, an opportunity for malware fighters to bolster their arsenal to fight malware.

The organizers of MalCon, which will take place in Mumbai and Pune, India, have attempted to put a positive spin on the event, as noted by security guru Brian Krebs. According to the conference website, MalCon is "the worlds [sic] first platform bringing together Malware and Information Security Researchers from across the globe to share key research insights into building the next generation malwares."

In addition to showcasing the top whitepaper submissions from malware researchers and coders, the event will offer training workshops on topics such as coding malware, analyzing malware, and reverse engineering. Said workshops are recommended for those who "[want] to develop or code [their] own virus / malware for research" (italics are mine) and for those who "aspire to advance their professional skills in security research and malware analysis."

The whole event sounds about as wholesome, innocent, and security-minded as a nuclear-bomb building convention in Tehran. Sure, some people might attend to learn a bit more about fighting malware, but it's bound to be more of a magnet for ne'er-do-wells who are eager to put their newfound knowledge to malicious use.

I ran it by InfoWorld Security Adviser blogger Roger Grimes for a reality check, and here's what he had to say: "No good can come from the conference. It's probably being held in India because there are a lot of 'legitimate' companies there, very out in the open, that produce bad software for other people.

"There have been similar projects before: virus coding books (plenty of them), dozens of malware ezines, etc., and none add to the good side of the equation," he added.

The conference coordinator Rajshekhar Murthy attempted to put a positive spin on the conference, Krebs reported. "While a conference can be done by inviting the best / well known security experts who can share statistics, slides and 'analysis' of malwares, it is not of any benefit to the community today except that of awareness. The need of MalCon conference is [to] bridge that ignored gap between security companies and malcoders. They have to get on a common platform and talk to each other."

And the capper from Murthy: "Just like the concept of 'ethical hacking' has helped organizations to see that hackers are not all that bad, it is time to accept that 'ethical malcoding' is required to research, identify and mitigate newer malwares in a 'proactive' way."

This article, "No good can come of a malware convention," was originally published at InfoWorld.com.