July 9, 2007 10:00 AM PDT

Perspective: Is an antivirus gap looming?

I was recently out with friends from the antivirus industry. They work as analysts for a major firm, and we were talking about our respective views on malicious code. I left the conversation disappointed and frustrated at the increasingly blind host-based antivirus world.

My background is in information security (exploit code, software vulnerabilities, intrusion detection and network malware), as is the background of some of my friends. We have spent a lot of time over the past few years working on things like IDS signatures and the consequences of getting them wrong.

As such, many of my infosecurity friends look at the state of antivirus signatures and wonder why variants can't easily be detected. Especially in the first few hours of a massive malware outbreak, the failure to detect leaves many of us frustrated. When my friends in security operations are facing an outbreak, time is of the essence, and their patience for signature updates has worn thin.

These two fields have rarely had to meet in the past. Infosecurity researchers rarely applied rigorous academic studies to malware, seeing malcode as an uninteresting topic. Antivirus researchers rarely concerned themselves with vulnerabilities and exploits. Despite this history, we're beginning to see a convergence of the two, one that will probably be totally complete in the next five years.

Some of this is due to how the online world has changed this decade, and how a lot of malware has taken advantage of security flaws that can only be discovered through infosecurity research.

But some of this convergence is about filling the gap left by the antivirus companies. This gap between problems and solutions is twofold. First, it's about coverage of malcode samples and threats that they face. AV simply doesn't detect enough of the things out there on the front lines. The second gap comes from the response time. Fed up with the delays, the infosecurity community has taken action to fill the void.

While no one would openly suggest running a computer without some form of antivirus tool, most agree the protection it offers is increasingly disappointing. When I analyze malware I typically find variants of well-worn families with names like "Banker," "SDBot" and "Peacomm," yet most fresh samples aren't detected by most antivirus vendors.

Anyone tasked with helping to protect a user base from common Internet threats has seen this and is increasingly frustrated with antivirus methods. So why do we still insist on telling people to scan their computers with updated antivirus tools when we know the odds that all of the malware will be identified and removed are marginal? It's because we don't have better options, yet.

The antivirus world first developed in an era of poorly connected users, when viruses spread over floppies and file downloads. The world had fewer virus authors, and far fewer virus users, or people who modify others' virus software for their own use. In short, time was a luxury that everyone had in abundance.

This isn't the case any longer, and it hasn't been for several years. The time the antivirus industry has to turn around signatures and deliver them to those in need has dwindled from a day to a couple of hours. Couple that with the large number of minor variants that appear for almost every family, and traditional signature-based antivirus is under duress: it simply fails to meet the needs of network security operators in the current threat landscape.

The frustration felt by many in the network and desktop security operations world is palpable. There have never before been so many users of malware analysis tools, whether multi-antivirus scanners like VirusTotal and Jotti or sandboxes like Norman, Sunbelt and now Anubis, and never so many outsiders testing antivirus software. The pressure on the antivirus firms is visibly increasing, and they're going to have to do something about it.

The failure of antivirus companies to adapt to the dramatic malware appearance rates in 2007 tells us there's time for a change and there's room for a new class of tools. "AV is dead" is the battle cry of a new industry analyst report. Antivirus companies may not be going the way of the dodo, but to many customers, the concept of antivirus as the last line of defense has been thrown out the window. It's time for a better approach, one that can keep up and really defend networks.

Biography
Jose Nazario is a senior security researcher with Arbor Networks.

Comments (81 total; showing the first 20)
No more antivirus
by roxtafari July 9, 2007 12:07 PM PDT
I am a computer tech with 18 years experience. I stopped using AV software about five years ago and haven't had any problems since (outside of some minor adware). AV software is simply not effective anymore and most is so bloated it kills performance. Most of it never gets past the mail servers at my various hosting companies. Following best practices and not clicking on suspicious links, partnered with a robust backup plan, is the way to go.
Mind the Gap, please.....
by atglabs July 9, 2007 1:40 PM PDT
I believe the points the author was making are these: (1) AV analysts are only concerned with creating signatures, while Infosecurists study ways to detect and block exploits; (2) AV products don't detect enough variations soon enough; (3) Products that perform AV scanning are increasingly ineffective.

His first point has some basis in the mass-market anti-malware products, but many smaller, more innovative companies already imbrogliate threat research, detection, and removal efforts. When a product's techniques for detecting and blocking exploits are co-developed by the threat analysts, rules rather than simple signatures are used to ID threats with polymorphic unpackers and virtual machines. This is a two-way process that advances the detection technology as new threat analysis uncovers new transmission and camouflage mechanisms.

The second point reflects the widespread lack of effective zero-day detection methods in most anti-malware products that rely primarily on conventional signatures. With the explosion of variations in camouflage and packing for even common exploits, no efficient methods exist for scanning files against databases of signatures no longer in the hundreds-of-thousands of entries, but rapidly approaching millions of entries. The handwriting was on the wall several years ago, but only a few progressive products embraced advanced detection methods to avoid this tar pit.

And finally, he is correct that just scanning with most of the market-leading antivirus products is increasingly ineffective. This can be seen in the best independent analysis of anti-malware products that I know about, namely the work at http://www.av-comparatives.org/

There you can see comparisons of the best products and the market-leading products, performed twice each year in two categories. First, the products are tested to see how well they can detect an independent set of in-the-wild malware. A few months later, the products are retested with the original set of "signatures" to see how well they detect new exploits in a (admittedly artificial) test of their zero-day abilities.

The really good products, without updating their databases, catch an amazing number of zero-day exploits that appear. The not-so-good ones show the problems you are pointing out -- namely that there is a delay from the appearance of an exploit until a signature update allows the scanning tool to detect the exploit.

A couple of other points about your perspective article. You use the term AntiVirus, although I'm sure you know that rootkits, keyloggers, etc. are not viruses; blended threats are using the important DNA of each of these types of malcode to make the term AntiVirus less useful. At some point, we need to be using terms like Anti-Malware to describe the coming generations of threats. Also, it is not necessary to wait for a new set of tools to attack the problem -- we just have to look to companies other than the big market leaders.

(Disclosure: I used to work for one of the "big" anti-spyware companies, but currently have no financial or functional association with any anti-malware company.)
I just laugh at Windows users!
by anarchyreigns July 9, 2007 2:12 PM PDT
Ubuntu anyone?
Monoculture
by offonoff July 9, 2007 2:25 PM PDT
Monoculture breeds disease. We cannot afford to apply ever increasing levels of pesticide. Diversity is the solution. Get a Macintosh, load Solaris, plant a different crop. And follow standards for information exchange and reject anything that smells of monopoly. Free market, level playing field - engage the anti-trust laws!
Sucks to be a Windows user...
by Penguinisto July 9, 2007 4:58 PM PDT
Many of us have known this for quite a long time: A/V ain't gonna catch most of it, let alone all of it.

You could download and patch-in updated definitions every five minutes (with the A/V supplier supplying them at that rate), and it does exactly bupkis to protect the typical Windows user.

I won't say that other OSes are invulnerable to viruses, but with OSX having zero (so far) successful viruses in the wild, and Linux' last wild virus --anything worth worrying about, anyway-- occurring about five years ago? Couple that now with the intrinsic malware-resistant structuring inherent in Linux and OSX/BSD (or any flavor of *nix for that matter)?

Sure, as markets shift, so will the focus of malware writing, but seriously - the hardened nature of *nix coupled with a heterogeneous OS environment will make it much harder to exploit, dropping the majority of script kiddies out of contention entirely.

Now compare that to the swiss-cheese mickey-mouse security that Windows has (which honestly is not an OS designed for such).

Sure, the astroturfers and fanboys will come a'screaming about how *they* never got bit, etc etc. Problem is, the Internet is full of examples that show them to be full of something else entirely when it comes to the basic premise that 'doze is dangerous for the data you may hold precious.

In short, the smart money is on getting the hell away from Windows post-haste.

/P
In the computing world, we call these bugs
by markwdalton July 10, 2007 7:35 AM PDT
When a vendor (Microsoft) and (fill-in spyware/virus detection company) leave known design flaws and bugs in their system and software, we call these bugs.

Every so many lines of code will have a bug, the question is also how much damage can that bug/design flaw cause.

Microsoft has gotten better, implementing the 40 year old concept of users and administrator a few years back.

However, they are still plagued with reliability issues. For example, I did an update last weekend on solid hardware. If I used Firefox the system was stable; when I used Internet Exploder.. the system crashed for every patch. Fortunately, on my real computers and work computers I use Linux.
(But a Mac would be great also).

Mark
Could use image software
by stlwest July 10, 2007 11:17 AM PDT
Software like Centurion Guard and Deep Freeze has the ability to protect your primary system image. Viruses can get in and screw up the works; however, power cycling takes you right back to a nice clean virus-free computer.

The technology has now been around for some time. Go in and FDISK your drive, boom no drive, power cycle and there is your stuff just like you left it. That was about 10 years ago so I figure it is pretty solid by now.

Of course I haven't implemented it in my environment yet but it looks promising, hey my computer is freaking out, OK press the power button until it turns off, now turn it back on. Done.
Addressing the "AntiVirus Gap" with Alternative Methods
by swelchcn July 11, 2007 3:34 PM PDT
I agree with the basic premise of this article that the security gap left by anti-virus technologies in terms of un-addressed threats is increasing in size.

We have been researching alternative approaches to mitigate zero-day attacks that malware poses on Windows systems. This area has received a lot of focus from researchers in the past, specifically in terms of locking-down systems in order to protect them. However, these approaches usually adversely affect the user-experience and maintainability of end-user systems.

We have been prototyping an approach that addresses common internet threats, including zero-day attacks, while attempting to minimize the impact on system usability and maintainability.

Interested in finding out more? http://alphaworks.ibm.com/tech/axe
What's the problem, again?
by psource July 11, 2007 5:09 PM PDT
I, too, find many forms of viruses that pass through antivirus software undetected. VirusTotal has been a big help in confirming that yes, these peculiar files are forms that my antivirus does not yet detect. So my vendor gets informed, and they add detection.

What I find, though, aren't new vulnerabilities. It's the same old stuff. A fully patched system isn't affected by the variants that manage to get past the antivirus software.

As it was said in the article, antivirus is the first line of defense. The new virus variants use new tricks to get through the line, to evade antivirus detection.
Does it really matter, consumers buy into it
by intrepi July 11, 2007 6:36 PM PDT
Personally, I have bought, used and continued using some form of antivirus, adware and registry management software. Most are more than 1 year subscriptions but I will say Windows is getting to be too restrictive, too controlling, too expensive and too difficult to agree to its terms and conditions of its licensing agreement. I have bought some commercial versions of linux as some are not to my liking, others are. Question - Can I do or get by without Windows - definitely and I have. I can no longer support Microsoft as they have become the insensitive money mongers that I seriously dislike. The time of Bill Gates and his up and coming enterprise, worthy of support, is over. Microsoft is and has been too demanding of my time, input and has no limits on where or what it will do to continue forcing me to activate, verify and do it over and over with no end in sight; enough is more than enough. Time for Microsoft to devise an automated way of assuring themselves I own their products. If they can't find a way, then I will move on to other PC OS's like linux or maybe the new Mac's Leopard OS X.
Use OS/2 it is virus-proof!
by Labor Rations July 11, 2007 8:20 PM PDT
OS/2 will work for you, and never get infected by a virus. OS/2 is a secure OS that is bullet-proof and virus-proof.

Don't listen to those Penguinistas, Linux is virus-proof because it is based on an OS/2 codebase.
Suggested Downloads are Different
by cyclelogicpress.com July 11, 2007 9:49 PM PDT
"It's because we don't have better options, yet."
Actually we do. It's called a Mac. :)

From theregister.co.uk:

File of the Week for Mac OS X
NetNewsWire 2.0

Top Picks for Mac
QuickTime
Tiger Cache Cleaner
Firefox
HandBrake
http://downloads.theregister.co.uk/Mac/
File of the Week for Windows
CleanMyPC Registry Cleaner

Top Picks for Windows
Datacatch Librarian
Handy Recovery
Cucusoft Ultimate DVD and Video Converter Suite
Webroot Spy Sweeper
Registry Mechanic
Spyware Doctor
http://downloads.theregister.co.uk/Windows/
How about NOD32 for an alternative AV?
by Sue Miller July 12, 2007 3:01 AM PDT
Any comments on this alternative from other users or you guys doing the AV research? I've heard it works in an alternate way as it searches for malware. Not sure. Welcome your comments.
AV Alone may be out the door...
by wbenton July 12, 2007 6:41 AM PDT
But AV is Anti-Virus. What about Anti-Worm, Anti-Trojan, Anti-Malware, Anti-Spyware, Anti-You Name it.

They must all be combined, but even then, most of them are signature based.

There has been talk time and again and actual products which claim to offer Heuristic scanning, but for the number of years that it's been supposedly offered using various methods by numerous vendors... there still seems to be no final "THIS IS THE WAY" Heuristic scanning method.

Thus a new Heuristic method... even after all these years has yet to truly come about. And for the ones already out, many if not most of them have false-positive problems which continue to plague each method.

Thus some NEW type of "Hybridistic" rather than "Heuristic" method needs to come out which can adapt to the constantly changing variants.

But such a "Hybridistic" method needs to look NOT AT a "Signature Base" but AT A "Source Code Base" sort of mentality to discover which code is safe and which code is malignant by looking at signatures.

However, the signatures I'm referring to are not Virus/Malware/Spyware/Trojan/Worm based signatures, but authentication signatures found in good code which would not be found in malignant code.

That will be the future wave of pre-vention rather than post-vention which current signature based anti-virus and anti-trojan/worm software currently offers.

Thus it's going to require a combined effort by Operating System manufacturers as well as application to offer validatable (non-spoofable) signature-based programs to be able to weed out the malware from the good-ware!

Walt
Antivirus software
by scottgator July 22, 2007 4:21 AM PDT
Of all the Antivirus software products that Microsoft (Windows XP is my OS) suggests using, which one has the highest likelihood to detect recent viruses, malware, etc.?