Anti-virus and anti-spam: a technology update
Anti-virus software is possibly the archetypal security product. It was the first, is the most ubiquitous and certainly the best known defence against the bad guys. But with so many high-profile malware successes (such as Stuxnet and Zeus and other botnets that comprise millions of infected computers) we need to ask ourselves if it is still up to the job. Are the bad guys winning the arms race? What are the latest developments in malware, and what is the AV industry doing to combat them? These are the questions we need to examine before answering the ultimate question: is anti-virus software still relevant?
In this article we are going to use ‘virus’ and ‘malware’ interchangeably. There is a technical difference between a virus, a worm and a trojan. But for the user there is no meaningful difference: they are all malware and all bad for you. “The key thing to recognise,” says James Lyne, senior technologist at Sophos, “is that these things are now so inextricably linked together that this aged distinction between things like viruses, worms, trojans and spam actually doesn’t make a lot of sense at all – it’s all really just ‘bad stuff’”. For example, he explained, bots on compromised PCs are used to deliver spam that contains social engineering scams designed to trick users into visiting malicious websites that will infect the user with a trojan that opens a back door to allow in a rootkit containing a keylogger and spyware. Anti-virus software doesn’t just seek to protect you from viruses – it seeks to protect you from all of this bad stuff. We’ll just call it all ‘malware’.
Current developments in malware: what are the attackers doing?
Modern malware has evolved from a demonstration of personal prowess into a serious, organised, criminal business; and is driven by the same motives as any legitimate business – a desire to maximise ROI. This explains the two primary characteristics of today’s malware: it follows the market; and is increasingly sophisticated.
Follows the market
Wherever there are large concentrations of users, there will also be malware. This explains the malware campaigns on Facebook and Twitter. But it also tells us what is likely to happen next, which will start with increasing malware for the Mac (a new Mac version of KoobFace was discovered by Intego, a Mac security specialist, as I was writing this article). The criminals will follow the numbers, and as the Mac and other Apple products increase in popularity, so will the criminals start to attack them. One of the biggest computing movements today is ‘mobilization’ – the growth of mobile computing using smartphones and tablets. As these markets grow, so will they attract malware. Similarly, market growth in virtual machines will lead to attacks on the hypervisor. The AV industry is aware that there are proof-of-concept attacks on virtual machines, but nothing has yet been found in the wild. But it will happen, and it is an area that all AV companies are watching – and waiting.
It is only with a degree of tongue in cheek that Luis Corrons, technical director of PandaLabs, comments, “We’re becoming ever more interconnected. Everything is connected to everything else – and it’s all connected to the internet. I don’t know that we’re going to install anti-virus for the fridge – but who knows.” Basically, when there are enough fridges connected to the internet, there will be fridge malware.
James Lyne described one example of the increasing sophistication in malware. “Polymorphism,” he said, “has been around for about 20 years. It’s where the malware continually changes itself to avoid detection – but it has been easy for the AV vendors to defeat it. We’d get hold of a copy, extract and analyse the engine that creates the new copies and work out all the possible future versions. That would give us generic detection for that whole polymorphic family. But today the bad guys are using server-side polymorphism where the engine is not in the malware but on legitimate business websites. Every time it is refreshed, what is downloaded is different in content to the previous download – and after a couple of hundred downloads, they kill that site and move on to another. That way none of us vendors can get hold of the engine to write any form of generic protection.”
Current developments in anti-malware: what are the defenders doing?
There doesn’t appear to be a major advance in AV technology on the near horizon. “Right now,” says David Harley, ESET research fellow and director of malware intelligence, “it’s more a case of multiple/hybrid technologies (found in nearly any modern AV) advancing by improving individual components. Obviously, some products stress certain components more than others.”
Christopher Boyd, GFI senior threat researcher, suggests “virtual sandboxing, which allows threats to be intercepted and executed inside a virtual machine running a Windows-like pseudo environment, allowing for more accurate detection and safer quarantine and disposal.”
But probably the biggest single development has been the evolution of product-based reputation feedback (not to be confused with community-based reputation systems such as the Web of Trust). Rik Ferguson, Trend Micro’s senior security advisor, explains his own company’s reputation system. It is born out of the marriage, in the cloud, of three separate databases: bad emails, bad URLs and bad files. “Let’s take a hypothetical worst-case scenario,” he said. “You get an email from a bot that has only just been infected – and the email is well-crafted so that it looks OK. We can’t see anything wrong with it, so we allow it. In this case, email reputation has failed. The email contains a link to a malicious website that has only just been registered. Again, we don’t yet know it’s bad – so we allow you to click the link, and again the reputation system has failed. You click the link and visit the website which uses a zero-day exploit to infect you with a new trojan that the bad guys have already tested against all the AV products. We haven’t seen this trojan, so we allow you to download it – and you’re infected. Email, URL and file reputation systems have all failed. But,” he stresses, “the first thing that the trojan will seek to do is phone home, either to tell its owner that it has landed, or to download additional components. At this point we will almost certainly recognise this as suspicious behaviour and block it. We will also relay the URL source of the suspect file to TrendLabs who will download the page content and analyse it.” Instantly, the URL database and file database are updated with the new reputations. And, “if a new email comes in pointing to that URL that we now know to be suspicious, we can recognise the email as also suspicious and can add details to our email reputation system. And all of this is based on the behaviour of a file that we had previously thought was OK; and all of these new reputations are, thanks to the cloud, instantly available to all of our other customers.”
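The feedback loop Ferguson walks through, modelled as an added example (constructed here, not Trend Micro’s code): three linked reputation stores in which a behavioural verdict on a file taints the URL it came from, and a later email carrying that URL taints its sender. The store layout, verdict strings and sample addresses are assumptions.

```python
from dataclasses import dataclass, field

SUSPICIOUS = "suspicious"  # anything not recorded is 'unknown' and is allowed

@dataclass
class ReputationCloud:
    """Email, URL and file reputation stores linked by a feedback loop.
    Constructed model of the description in the article; the store names
    and verdict strings are assumptions, not a vendor API."""
    emails: dict = field(default_factory=dict)       # sender -> verdict
    urls: dict = field(default_factory=dict)         # url -> verdict
    files: dict = field(default_factory=dict)        # file hash -> verdict
    file_source: dict = field(default_factory=dict)  # file hash -> url it came from

    def check_email(self, sender, link):
        # Block if the sender is known bad. A known-bad link also feeds back
        # into the email store, so the sender is flagged from now on.
        if self.urls.get(link) == SUSPICIOUS:
            self.emails[sender] = SUSPICIOUS
        return "block" if self.emails.get(sender) == SUSPICIOUS else "allow"

    def check_url(self, url):
        return "block" if self.urls.get(url) == SUSPICIOUS else "allow"

    def check_download(self, file_hash, from_url):
        # Remember the source so a later behavioural verdict can taint the URL
        self.file_source[file_hash] = from_url
        return "block" if self.files.get(file_hash) == SUSPICIOUS else "allow"

    def observe(self, file_hash, behaviour):
        # Behavioural layer: a file that phones home is blocked, and its hash
        # plus its origin URL become suspicious for every other customer.
        if behaviour == "phone_home":
            self.files[file_hash] = SUSPICIOUS
            if file_hash in self.file_source:
                self.urls[self.file_source[file_hash]] = SUSPICIOUS
            return "block"
        return "allow"

def worst_case_scenario():
    """Replay the article's walk-through on constructed sample data."""
    cloud = ReputationCloud()
    bot, site, trojan = "bot1@example.invalid", "http://new-site.example/", "sha256:deadbeef"
    verdicts = [
        cloud.check_email(bot, site),                     # unknown sender and link: allow
        cloud.check_url(site),                            # unknown URL: allow
        cloud.check_download(trojan, site),               # unseen file: allow (infected)
        cloud.observe(trojan, "phone_home"),              # behaviour caught: block + feedback
        cloud.check_url(site),                            # URL now suspicious: block
        cloud.check_email("bot2@example.invalid", site),  # new email, same link: block
        cloud.check_email("bot2@example.invalid", "http://other.example/"),  # sender known bad
    ]
    return cloud, verdicts
```

Note that the first sender is not flagged retrospectively; only traffic seen after the behavioural verdict benefits, which is exactly the gap the walk-through describes.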
Future solutions for the malware problem
We have a choice. We can carry on as we are, trying to improve our anti-malware defences in a perpetual leapfrogging process with the bad guys – or we can think out of the box and be radical. One approach could be Trusteer’s Rapport product. Its purpose is not primarily to find and eliminate viruses, but specifically to protect online bank transactions from malware (such as Zeus). Rapport is anti-malware; but not as we know it. Its primary purpose is to protect the browser. It doesn’t go looking for malware on your PC. Rather, it defines a browser behavioural policy – and if the browser tries to behave differently, it knows that there is malware involved. “It’s like behavioural detection,” explains Amit Klein, Trusteer’s chief technology officer, “but it’s not behavioural in the sense that we monitor all the behaviour of a suspicious binary – rather we wait for the malware to come to us – for it to ‘attack’ the browser; and that’s where we stop it cold.”
Scott Charney’s Internet Health Certificate
A more radical approach could be the Internet Health Certificate proposal put forward by Microsoft’s Scott Charney (Collective Defense – Applying Global Health Models to the Internet). Charney’s idea is that we should take a lead from the World Health Organization: you may need to prove your health before you can do certain things or go to certain places. In other words, users may need a health certificate for their computers before they are allowed access to the internet. The AV industry is not generally impressed. Who says a computer is healthy? Who defines computer health? “I’d be pretty unhappy if it turned out that the health of my systems was being certified by someone whose knowledge of security wasn’t much higher than the average,” comments ESET’s David Harley. “Or even the sysadmin responsible for the Microsoft servers that are used to relay spam…”
Nor is the technical problem trivial. “The technical issue is the volume of edge cases,” continues Harley. “I don’t think a ‘just about good enough’ heuristic approach combines well with a utilitarian ‘greatest good for the greatest number’ approach, in this case.”
Trend Micro’s Rik Ferguson raises a practical issue. “What happens,” he asks, “in the case of false positives? If users are incorrectly quarantined, will they be able to claim something back in lost productivity, lost purchases on eBay, or whatever it may be?”
“It’s an interesting idea,” concedes Trusteer’s Klein. “But with the current infection rates where your machine can be clean one day and infected the next, I’m worried about the implications for an ISP handling millions of customers, some of whom keep getting re-infected. In practice, I’m not sure how we can really adopt this – I’m not sure how the ISP, where the rubber meets the road, will be able to handle this under current pricing structures.”
With apparently so little going for this idea, you have to wonder how it got air time. The answer might be in Scott Charney’s title: vice president of trustworthy computing. Microsoft, of course, is a leading member of the Trusted Computing Group (TCG). The TCG has developed specifications for how to control what can and cannot run on a computer – and this can already be achieved via Intel chips (Intel is another member of the TCG) installed on the majority of the world’s PCs. So if a third party (your company? Microsoft? Intel? Your ISP? The government?) defines what can run on your PC for you to be allowed access to the internet, you automatically have a health certificate because nothing else, neither malware, nor pirated software, nor illegal music, nor porn, nor any new software not sanctioned by the controlling organization, is capable of running. The problem is solved. Some might say at the cost of personal freedom.
Some of the marketing hype around anti-virus products seems to imply that AV software is all you need to be safe. It is not. You need layers of different security. In fairness to them, none of the anti-virus technologists will suggest that AV is enough. You need to complement it with data loss prevention technologies, ID theft prevention, firewalls, URL filters and more. How will the market develop? “Slowly and painfully,” says Harley. “Customers who expect 100% success will continue to be disappointed. Pure AV will become rarer: the technology will continue to be further integrated with other defensive technologies.”
New technologies such as Rapport can help in niche areas; ideas such as trusted computing could solve the problem but at the cost of personal liberty. Now I am not the biggest fan of the way in which the anti-virus industry markets itself. But of this I am certain: we cannot, and must not try to, do without it. The anti-virus industry is not merely relevant; it is still essential.