July 9, 2007 10:00 AM PDT

Perspective: Is an antivirus gap looming?

I was recently out with friends from the antivirus industry. They work as analysts for a major firm, and we were talking about our respective views on malicious code. I left the conversation disappointed and frustrated at the increasingly blind host-based antivirus world.

My background is in information security (exploit code, software vulnerabilities, intrusion detection and network malware), as is the background of some of my friends. We have spent a lot of time over the past few years working on things like IDS signatures and the consequences of getting them wrong.

As such, many of my infosecurity friends look at the state of antivirus signatures and wonder why variants can't easily be detected. Especially in the first few hours of a massive malware outbreak, the failure to detect leaves many of us frustrated. When my friends in security operations are facing an outbreak, time is of the essence, and their patience for signature updates has worn thin.

These two fields have rarely had to meet in the past. Infosecurity researchers rarely applied rigorous academic studies to malware, seeing malcode as an uninteresting topic. Antivirus researchers rarely concerned themselves with vulnerabilities and exploits. Despite this history, we're beginning to see a convergence of the two, one that will probably be totally complete in the next five years.

Some of this is due to how the online world has changed this decade, and how a lot of malware has taken advantage of security flaws that can only be discovered through infosecurity research.

But some of this convergence is about filling the gap left by the antivirus companies. This gap between problems and solutions is twofold. First, it's about coverage of malcode samples and threats that they face. AV simply doesn't detect enough of the things out there on the front lines. The second gap comes from the response time. Fed up with the delays, the infosecurity community has taken action to fill the void.

While no one would openly suggest running a computer without some form of antivirus tool, most agree the protection it offers is increasingly disappointing. When I analyze malware I typically find variants of well-worn families with names like "Banker," "SDBot" and "Peacomm," yet most fresh samples aren't detected by most antivirus vendors.

Anyone tasked with helping to protect a user base from common Internet threats has seen this and is increasingly frustrated with antivirus methods. So why do we still insist on telling people to scan their computers with updated antivirus tools when we know the odds that all of the malware will be identified and removed is marginal? It's because we don't have better options, yet.

The antivirus world first developed in an era of poorly connected users, when viruses spread over floppies and file downloads. The world had fewer virus authors, and far fewer virus users, or people who modify others' virus software for their own use. In short, time was a luxury that everyone had in abundance.

This isn't the case any longer, and it hasn't been for several years. The time that the antivirus industry has to turn around signatures and distribute them to those in need has dwindled from a day to a couple of hours. Couple that with the large number of minor variants that appear for almost every family, and traditional signature-based antivirus is under duress: it simply fails to meet the needs of network security operators in the current threat landscape.

The frustration felt by many in the network and desktop security operations world is palpable. There have never before been so many users of malware analysis tools such as multi-antivirus scanners (VirusTotal and Jotti) and sandboxes (Norman, Sunbelt and now Anubis), and so many outsiders testing antivirus software. The pressure on the antivirus firms is visibly increasing, and they're going to have to do something about it.

The failure of antivirus companies to adapt to the dramatic malware appearance rates in 2007 tells us there's time for a change and there's room for a new class of tools. "AV is dead" is the battle cry of a new industry analyst report. Antivirus companies may not be going the way of the dodo, but to many customers, the concept of antivirus as the last line of defense has been thrown out the window. It's time for a better approach, one that can keep up and really defend networks.
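As an added example (not part of the article), the constructed scan below shows why whole-file hashes and fixed byte sequences miss the kind of minor variants the author describes, while a looser family rule catches them at the cost of a false positive on a constructed benign file. Every sample, signature and fragment here is made up for illustration; no real malware or vendor signatures are involved.

```python
"""Why byte-exact signatures miss minor variants: a constructed comparison.

Added example, not from the article. The 'samples' are harmless, constructed
byte strings standing in for one malware family and its variants.
"""
import hashlib
import re

# Constructed stand-in for the original sample of a family: a few strings a
# bot might carry, separated by filler bytes.
ORIGINAL = (b"\x90" * 8 + b"CONNECT irc.example.invalid:6667" + b"\x00" * 4
            + b"NICK bot-" + b"\x00" * 4 + b"JOIN #constructed" + b"\x00" * 8)

# Constructed minor variants of the kind that appear "for almost every family":
# one changes the C2 host, one the nickname, one only pads the file.
VARIANTS = {
    "host-changed": ORIGINAL.replace(b"irc.example.invalid", b"irc.example.test"),
    "nick-changed": ORIGINAL.replace(b"bot-", b"zomb"),
    "padded": b"\x90" * 64 + ORIGINAL + b"\x00" * 32,
}
ALL_SAMPLES = {"original": ORIGINAL, **VARIANTS}

# Constructed benign file (an ordinary IRC client's strings) used to show the
# trade-off: looser rules widen coverage but can also misfire.
BENIGN = b"NICK user\x00JOIN #help\x00PRIVMSG"

# The defender's "signature set", derived from the original sample only.
KNOWN_HASHES = {hashlib.sha256(ORIGINAL).hexdigest()}
BYTE_SIGNATURE = b"CONNECT irc.example.invalid:6667"
FAMILY_FRAGMENTS = [rb"CONNECT [\w.\-]+:\d+", rb"NICK ", rb"JOIN #"]


def hash_signature_hits(sample: bytes, known_hashes: set) -> bool:
    """Whole-file hash signature: matches only a byte-identical file."""
    return hashlib.sha256(sample).hexdigest() in known_hashes


def byte_signature_hits(sample: bytes, pattern: bytes) -> bool:
    """Fixed byte-sequence signature: matches only if that exact run is present."""
    return pattern in sample


def rule_hits(sample: bytes, fragments: list, threshold: int) -> bool:
    """Family rule: match when at least `threshold` short, order-independent
    fragments the family reuses are present. Tolerates small edits and padding."""
    found = sum(1 for f in fragments if re.search(f, sample) is not None)
    return found >= threshold


def evaluate(samples: dict) -> dict:
    """Return {sample name: {method: detected?}} for each signature style."""
    results = {}
    for name, data in samples.items():
        results[name] = {
            "hash": hash_signature_hits(data, KNOWN_HASHES),
            "bytes": byte_signature_hits(data, BYTE_SIGNATURE),
            "rule": rule_hits(data, FAMILY_FRAGMENTS, threshold=2),
        }
    return results


def detection_rate(results: dict, method: str) -> float:
    """Fraction of samples a given method detected."""
    return sum(1 for r in results.values() if r[method]) / len(results)


def benign_false_positives() -> dict:
    """Which methods wrongly flag the constructed benign file."""
    return evaluate({"benign": BENIGN})["benign"]


if __name__ == "__main__":
    res = evaluate(ALL_SAMPLES)
    for name, r in res.items():
        print(f"{name:13s} hash={r['hash']!s:5s} bytes={r['bytes']!s:5s} rule={r['rule']}")
    for m in ("hash", "bytes", "rule"):
        print(f"{m}: {detection_rate(res, m):.0%} of family samples detected")
    print("benign file flagged by:", benign_false_positives())
```

The hash signature survives none of the variants, the fixed byte run survives only the edits that leave it intact, and the fragment rule covers all four but also flags the benign IRC client, which is the false-positive tension the comments below raise.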

Biography
Jose Nazario is a senior security researcher with Arbor Networks.


81 comments

No more antivirus
I am a computer tech with 18 years experience. I stopped using AV software about five years ago and haven't had any problems since (outside of some minor adware). AV software is simply not effective anymore and most is so bloated it kills performance. Most of it never gets past the mail servers at my various hosting companies. Following best practices and not clicking on suspicious links, partnered with a robust backup plan, is the way to go.
Posted by roxtafari (2 comments )
Mind the Gap, please.....
I believe the points the author was making are these: (1) AV analysts are only concerned with creating signatures, while Infosecurists study ways to detect and block exploits; (2) AV products don't detect enough variations soon enough; (3) Products that perform AV scanning are increasingly ineffective.

His first point has some basis in the mass-market anti-malware products, but many smaller, more innovative companies already imbrogliate threat research, detection, and removal efforts. When a product's techniques for detecting and blocking exploits are co-developed by the threat analysts, rules rather than simple signatures are used to ID threats with polymorphic unpackers and virtual machines. This is a two-way process that advances the detection technology as new threat analysis uncovers new transmission and camouflage mechanisms.

The second point reflects the widespread lack of effective zero-day detection methods in most anti-malware products that rely primarily on conventional signatures. With the explosion of variations in camouflage and packing for even common exploits, no efficient methods exist for scanning files against databases of signatures no longer in the hundreds-of-thousands of entries, but rapidly approaching millions of entries. The handwriting was on the wall several years ago, but only a few progressive products embraced advanced detection methods to avoid this tar pit.

And finally, he is correct that just scanning with most of the market-leading antivirus products is increasingly ineffective. This can be seen in the best independent analysis of anti-malware products that I know about, namely the work at http://www.av-comparatives.org/

There you can see comparisons of the best products and the market-leading products, performed twice each year in two categories. First, the products are tested to see how well they can detect an independent set of in-the-wild malware. A few months later, the products are retested with the original set of "signatures" to see how well they detect new exploits in an (admittedly artificial) test of their zero-day abilities.

The really good products, without updating their databases, catch an amazing number of zero-day exploits that appear. The not-so-good ones show the problems you are pointing out -- namely that there is a delay from the appearance of an exploit until a signature update allows the scanning tool to detect the exploit.

A couple of other points about your perspective article. You use the term AntiVirus, although I'm sure you know that rootkits, keyloggers, etc. are not viruses; blended threats are using the important DNA of each of these types of malcode to make the term AntiVirus less useful. At some point, we need to be using terms like Anti-Malware to describe the coming generations of threats. Also, it is not necessary to wait for a new set of tools to attack the problem -- we just have to look to companies other than the big market leaders.

(Disclosure: I used to work for one of the "big" anti-spyware companies, but currently have no financial or functional association with any anti-malware company.)
Posted by atglabs (7 comments )
I just laugh at Windows users!
Ubuntu anyone?
Posted by anarchyreigns (302 comments )
Agreed
I prefer the Mac OS, but on my PCs I only run Linux.
Posted by Zatoichis Sword (29 comments )
I just laugh at users...
because no matter how secure the OS may be, stupid users can always mess it up.
Posted by webdev511 (236 comments )
Strongly disagree...
I've seen so many unpatched Unix / Linux / *BSD systems in my life it's not funny. Not just the OS but the applications which are installed.

The irony with Windows is because all of the security issues they've had, there's a strong framework of tools out there (from third parties & from Microsoft) to *manage* security.

These same tools don't exist on other environments. One of my clients has 30,000 employees... imagine running 30,000 Mac or Linux desktops, it would be completely unmanageable. Plus we'd *still* have to run Anti-Virus, etc., on each box (even on the Mac/Linux), and it would have to be rolled out "by hand."

That's why corporations all stay with Windows. It's not about security in isolation, it's about the balance of knowing your risks and being able to manage it (that is, deploy so called "mitigation controls".)

Many departments in the US Federal Government tried to convert to Linux / Macs but the end results have not shown improvements in overall security. Maybe the exception is in some parts of the intelligence community.
Posted by mbenedict (1007 comments )
Why not?
Fedora Core 7 with a side order of OSX 10.3.9 for me, please. :)
Posted by Penguinisto (5058 comments )
True,
if you want a toy at home. Just got one, it's nice. The apps at work require Windows. They don't work with other OSes. Macs either. Security isn't a problem of the software. It is a criminal problem. Hunt them down like the dogs that they are and make them serve real hard time in a federal prison. We did this for bank robbers, we can do this for malicious code writers. The nature and purpose of software is to enable the user to do something, not to un-enable. The nature of a malicious person is to do bad things and exploit weaknesses. After MS is gone, then what? Believe that Macs and Linux are impregnable? Yeh, that's gotta be true. Man's first perfect endeavor. Hunt them down like the dogs that they are. That is the only way to thwart such behavior.
Posted by suyts (824 comments )
My Ubuntu story
After reading praises of Linux by Cnet users, I actually gave Ubuntu 7 a try. To be honest, I didn't have a choice. I had installed a new drive and I couldn't find my Windows CD...

Anyways, on first look it looked pretty sleek, almost like Windows XP, I used Firefox and Openoffice :(, but soon I realized a fact I had ignored till now: there are hardly any programs available to run on this OS.

Later that day, I went to Yahoo website to download Yahoo Messenger. After digging thru their website, I actually found it. Believe it or not, these are the instructions on Yahoo website:

"Save the file to your machine.

Log in as root and type: dpkg -i ymessenger_1.0.4_1_i386.deb to install the application.

Run /usr/bin/ymessenger from X Window to launch the application."

Wow! That's almost like DOS... I guess I need to be a geek or study Computer Science in college to use it. After tinkering with it for another 4 hours, I found out how to login as root. By then I had lost all my patience and I was cursing myself for losing the Windows CD. I really wanted to go back to the "Double Click to Install" OS.

I called HP right away and paid ten bucks for a replacement CD.

Yes, there are hardly any viruses for Linux, but so are the apps. Sorry Ubuntu... maybe in my next life, I'll give you another try.
Posted by cary1 (900 comments )
I just laugh at Windows users
At last count, there are known, but not rampant (yet) virus and other attacks that can take advantage of UNIX/Linux and Mac.

As unfortunate as this fact may be, and it is, it may also be time to stop "laughing" at other users.
Posted by josephrot (11 comments )
No thanks
I have x86 and x64 copies of Ubuntu, and I'm not impressed. Poor software support (as with all Linux distros), unreasonable complications just to install a new program, locking up when opening multiple applications...and they say Linux is more stable than Windows, BAH! You guys are just playing with new toys, because you give up too quickly. And I hold to that comment.

I know security, and I've made Windows XP invincible. Watch for this info on the web...you'll be hearing about it before too long.
Posted by santuccie (1110 comments )
Monoculture
Monoculture breeds disease. We cannot afford to apply ever increasing levels of pesticide. Diversity is the solution. Get a Macintosh, load Solaris, plant a different crop. And follow standards for information exchange and reject anything that smells of monopoly. Free market, level playing field - engage the anti-trust laws!
Posted by offonoff (3 comments )
Not an accurate analogy
Sorry, computer software is not agriculture. The analogy completely ignores network effects and economies of scale. While there certainly are many great reasons to use something other than Windows, "diversity" isn't one of them. Which is easier, securing one OS or securing five OSes?
Posted by solrosenberg (123 comments )
I have to agree with you but I hope MS stays here
I try and support the people I believe are worth my support rather than buying software that makes my life easier. Ironically, I have never owned a Mac, nor have I ever used one to any extent, but I can tell you, I have been seriously considering buying a new Mac laptop with the new Leopard OSx. I'm using Xandros Professional 4.0, which is a Debian based upgrade from Xandros Business Edition 3.0, as well as XP, if and when I need it, but it gets booted up less as time moves on and I get to learn more about Linux. For anyone that is a die hard Windows user, I hope you are able to hang in there as Windows is a great OS but it's one I can no longer support due to issues with its license terms and conditions. In short, I can't agree to validate, verify and certify to Microsoft that it's their product over and over again with no end in sight via some guy in India who I can't understand due to his limited English abilities. No slant or racist remarks as I wish I could speak East Indian as well as he thought he could speak English, Lol. Nice people, I wish Microsoft much success and all those who work for them. I wish I could continue supporting MS but it's just gotten to the point I have to jump ship. Linux, Mac or whatever else turns up will work for me well enough.
Posted by intrepi (66 comments )
Sucks to be a Windows user...
Many of us have known this for quite a long time: A/V ain't gonna catch most of it, let alone all of it.

You could download and patch-in updated definitions every five minutes (with the A/V supplier supplying them at that rate), and it does exactly bupkis to protect the typical Windows user.

I won't say that other OSes are invulnerable to viruses, but with OSX having zero (so far) successful viruses in the wild, and Linux' last wild virus --anything worth worrying about, anyway-- occurring about five years ago? Couple that now with the intrinsic malware-resistant structuring inherent in Linux and OSX/BSD (or any flavor of *nix for that matter)?

Sure, as markets shift, so will the focus of malware writing, but seriously - the hardened nature of *nix coupled with a heterogeneous OS environment will make it much harder to exploit, dropping the majority of script kiddies out of contention entirely.

Now compare that to the swiss-cheese mickey-mouse security that Windows has (which honestly is not an OS designed for such).

Sure, the astroturfers and fanboys will come a'screaming about how *they* never got bit, etc etc. Problem is, the Internet is full of examples that show them to be full of something else entirely when it comes to the basic premise that 'doze is dangerous for the data you may hold precious.

In short, the smart money is on getting the hell away from Windows post-haste.

/P
Posted by Penguinisto (5058 comments )
Security through obscurity is no safety blanket
Macs are more secure only because so few people use them. Security through obscurity. If you are writing a virus and want to do the most damage, you are going after what more people use. I promise you this, if OSX had the market penetration Windows does, then the problem would be just as bad. Maybe not as bad on Linux or Unix, but still very bad.

If you get away from Windows and go to OSX, the virus writers will shift too. People want to go after what has the highest chance of success. And that means what the majority of people use.

The smart money is on not counting on obscurity to keep you safe at night.
Posted by i_am_still_wade (250 comments )
Windows does have a solid placement in our OS's
I have had to move on from Windows as well but I have to say it wasn't because of my malcontent or dislike for MS or its products. Without MS, many other OS's would be somewhat lacking in direction of where to go and what to produce in the time frame that they have produced it. Try and look at the whole PC picture, Mac, Linux, Windows, Unix and if I missed any, it wasn't intentional as I believe the more developers we have, the more OS's we have now and always, will improve PC usage as a whole. Kind of like a football team, if it had no opponents, it's unlikely they would get any better than what they are as there would be no reason to.
Posted by intrepi (66 comments )
In the computing world, we call these bugs
When a vendor (Microsoft) and (fill-in spyware/virus detection company) leave known design flaws and bugs in their system and software, we call these bugs.

Every so many lines of code will have a bug, the question is also how much damage can that bug/design flaw cause.

Microsoft has gotten better, implementing the 40 year old concept of users and administrators a few years back.

However, they are still plagued with reliability issues, like when I did an update last weekend on solid hardware. If I used Firefox the system was stable; when I used Internet Exploder... the system crashed for every patch. Fortunately, on my real computers and work computers I use Linux.
(But a Mac would be great also).

Mark
Posted by markwdalton (6 comments )
Could use image software
Software like Centurion Guard and Deep Freeze has the ability to protect your primary system image: viruses can get in and screw up the works, however power cycling takes you right back to a nice clean virus-free computer.

The technology has now been around for some time. Go in and FDISK your drive, boom, no drive; power cycle and there is your stuff just like you left it. That was about 10 years ago so I figure it is pretty solid by now.

Of course I haven't implemented it in my environment yet but it looks promising. Hey, my computer is freaking out? OK, press the power button until it turns off, now turn it back on. Done.
Posted by stlwest (70 comments )
Remember to put your data on a second hard drive. :)
You could just partition your drive, but it would be sad to find out that all of your data was erased with your boot partition.
Posted by ralfthedog (1597 comments )
Addressing the "AntiVirus Gap" with Alternative Methods
I agree with the basic premise of this article that the security gap left by anti-virus technologies in terms of un-addressed threats is increasing in size.

We have been researching alternative approaches to mitigate zero-day attacks that malware poses on Windows systems. This area has received a lot of focus from researchers in the past, specifically in terms of locking-down systems in order to protect them. However, these approaches usually adversely affect the user-experience and maintainability of end-user systems.

We have been prototyping an approach that addresses common internet threats, including zero-day attacks, while attempting to minimize the impact on system usability and maintainability.

Interested in finding out more? http://alphaworks.ibm.com/tech/axe
Posted by swelchcn (1 comment )
What's the problem, again?
I, too, find many forms of viruses that pass through antivirus software undetected. VirusTotal has been a big help in confirming that yes, these peculiar files are forms that my antivirus does not yet detect. So my vendor gets informed, and they add detection.

What I find, though, aren't new vulnerabilities. It's the same old stuff. A fully patched system isn't affected by the variants that manage to get past the antivirus software.

As it was said in the article, antivirus is the first line of defense. The new virus variants use new tricks to get through the line, to evade antivirus detection.
Posted by psource (1 comment )
Does it really matter, consumers buy into it
Personally, I have bought, used and continued using some form of antivirus, adware and registry management software. Most are more than 1 year subscriptions but I will say Windows is getting to be too restrictive, too controlling, too expensive and too difficult to agree to the terms and conditions of its licensing agreement. I have bought some commercial versions of Linux as some are not to my liking, others are. Question - Can I do or get by without Windows - definitely and I have. I can no longer support Microsoft as they have become the insensitive money mongers that I seriously dislike. The time of Bill Gates and his up and coming enterprise, worthy of support, is over. Microsoft is and has been too demanding of my time and input and has no limits on where or what it will do to continue forcing me to activate, verify and do it over and over with no end in sight; enough is more than enough. Time for Microsoft to devise an automated way of assuring themselves I own their products. If they can't find a way, then I will move on to other PC OS's like Linux or maybe the new Mac's Leopard OSx.
Posted by intrepi (66 comments )
Use OS/2 it is virus-proof!
OS/2 will work for you, and never get infected by a virus. OS/2 is a secure OS that is bullet-proof and virus-proof.

Don't listen to those Penguinistas, Linux is virus-proof because it is based on an OS/2 codebase.
Posted by Labor Rations (7 comments )
Hilarious FUD
"Don't listen to those Penguinistas, Linux is virus-proof because it is based on an OS/2 codebase."
--------------------------------------

Your point? Your point?

Nobody uses OS/2 except for the dreamlike technoid geeks living in computer labs circa 1992.

However Linux does have a user base that OS/2 will probably never have because a lot of the third-party code that's in OS/2 is still owned by Microsoft. Given Microsoft's hand in it, it is doubtful they will ever make OS/2 fully open-sourced.

Nice try, though. Feel free to correct the Wiki if I'm wrong.

http://en.wikipedia.org/wiki/OS/2
Posted by b8375629 (89 comments )
Not
OS/2 support ended on New Year's Eve, and Linux is hardly malware-proof. It might have a tougher shell than Windows, and it might have the advantage of obscurity, but that doesn't make it more secure. In fact, the lack of active exploits causes that little thing called complacency.

If the open source community ever manages to focus their work on a single distro to get it half-way ready for Prime Time, they still won't have any real security solutions set up. Their library is infinitely small, because there's no demand.

If any one distro of Linux ever saw the heat that Windows sees, there would be a retaliatory explosion of third-party security products. People still think Mac OS is secure, while researcher Dino Dai Zovi has proven otherwise. In fact, he said in an interview with Computerworld that the Mac operating system is in fact less secure than Windows Vista.

The point? Obscurity is no substitute for security. The advantage of using the OS that is the biggest target is learning where the vulnerabilities are and what to do about it. Since learning how to ace PC Security Test 2007 with Windows XP and IE6, I have discovered that all one needs to make Windows invincible is an ordinary SPI firewall, and blocked write-access to browser settings, system registry, and the kernel. You'll learn more when my new site is up...you'll be hearing about it.

By the way, if there is an operating system out there that's virus-proof, it's OpenBSD, not Linux. OpenBSD has gone four years and running without the discovery of a single vulnerability.
Posted by santuccie (1110 comments )
OS/2 virus-proof
Can you give me complete details or proof that
OS/2 is REALLY virus-proof?
Posted by rgfrancisco (1 comment )
Suggested Downloads are Different
"It's because we don't have better options, yet."
Actually we do. It's called a Mac. :)

From theregister.co.uk:

File of the Week for Mac OS X
NetNewsWire 2.0

Top Picks for Mac
QuickTime
Tiger Cache Cleaner
Firefox
HandBrake
http://downloads.theregister.co.uk/Mac/


File of the Week for Windows
CleanMyPC Registry Cleaner

Top Picks for Windows
Datacatch Librarian
Handy Recovery
Cucusoft Ultimate DVD and Video Converter Suite
Webroot Spy Sweeper
Registry Mechanic
Spyware Doctor
http://downloads.theregister.co.uk/Windows/
Posted by cyclelogicpress.com (104 comments )
How about NOD32 for an alternative AV?
Any comments on this alternative from other users or you guys doing the AV research? I've heard it works in an alternate way as it searches for malware. Not sure. Welcome your comments.
Posted by Sue Miller (1 comment )
AV Alone may be out the door...
But AV is Anti-Virus. What about Anti-Worm, Anti-Trojan, Anti-Malware, Anti-Spyware, Anti-You Name it.

They must all be combined, but even then, most of them are signature based.

There has been talk time and again and actual products which claim to offer heuristic scanning, but for the number of years that it's been supposedly offered using various methods by numerous vendors... there still seems to be no final "THIS IS THE WAY" heuristic scanning method.

Thus a new heuristic method... even after all these years has yet to truly come about. And for the ones already out, many if not most of them have false-positive problems which continue to plague each method.

Thus some NEW type of "Hybridistic" rather than "Heuristic" method needs to come out which can adapt to the constantly changing variants.

But such a "Hybridistic" method needs to look NOT AT a "Signature Base" but AT A "Source Code Base" sort of mentality to discover which code is safe and which code is malignant by looking at signatures.

However, the signatures I'm referring to are not Virus/Malware/Spyware/Trojan/Worm based signatures, but authentication signatures found in good code which would not be found in malignant code.

That will be the future wave of pre-vention rather than post-vention which current signature based anti-virus and anti-trojan/worm software currently offers.

Thus it's going to require a combined effort by Operating System manufacturers as well as application to offer validatable (non-spoofable) signature-based programs to be able to weed out the malware from the good-ware!

Walt
Posted by wbenton (519 comments )
Antivirus software
Of all the Antivirus software products that Microsoft (Windows XP is my OS) suggests using, which one has the highest likelihood to detect recent viruses, malware, etc.?
Posted by scottgator (1 comment )