
Anti-virus and anti-spam: a technology update

December 7, 2010

Anti-virus software is possibly the archetypal security product. It was the first, is the most ubiquitous and certainly the best known defence against the bad guys. But with so many high-profile malware successes (such as Stuxnet and Zeus and other botnets that comprise millions of infected computers) we need to ask ourselves if it is still up to the job. Are the bad guys winning the arms race? What are the latest developments in malware, and what is the AV industry doing to combat them? These are the questions we need to examine before answering the ultimate question: is anti-virus software still relevant?

This article was written for, first published by, and reprinted here with the kind permission of Infosecurity Magazine.

 

In this article we are going to use ‘virus’ and ‘malware’ interchangeably. There is a technical difference between a virus, a worm and a trojan. But for the user, there is no meaningful difference: they are all malware and all bad for you. “The key thing to recognise,” says James Lyne, senior technologist at Sophos, “is that these things are now so inextricably linked together that this aged distinction between things like viruses, worms, trojans and spam actually doesn’t make a lot of sense at all – it’s all really just ‘bad stuff’”. For example, he explained, bots on compromised PCs are used to deliver spam that contains social engineering scams designed to trick users into visiting malicious websites that will infect the user with a trojan that opens a back door to allow in a rootkit containing a keylogger and spyware. Anti-virus software doesn’t just seek to protect you from viruses – it seeks to protect you from all of this bad stuff. We’ll just call it all ‘malware’.

Current developments in malware: what are the attackers doing?

Modern malware has evolved from a demonstration of personal prowess into a serious, organised, criminal business; and is driven by the same motives as any legitimate business – a desire to maximise ROI. This explains the two primary characteristics of today’s malware: it follows the market; and is increasingly sophisticated.

Follows the market

Wherever there are large concentrations of users, there will also be malware. This explains the malware campaigns on Facebook and Twitter. But it also tells us what is likely to happen next, which will start with increasing malware for the Mac (a new Mac version of KoobFace is discovered by Intego, a Mac security specialist, as I write this article). The criminals will follow the numbers, and as the Mac and other Apple products increase in popularity, so will the criminals start to attack them. One of the biggest computing movements today is ‘mobilization’ – the growth of mobile computing using smartphones and tablets. As these markets grow, so will they attract malware. Similarly, market growth in virtual machines will lead to attacks on the hypervisor. The AV industry is aware that there are proof-of-concept attacks on virtual machines, but nothing has yet been found in the wild. But it will happen; and it is an area where all AV companies are watching – and waiting.

[Photo] James Lyne, senior technologist at Sophos

It is only with a degree of tongue in cheek that Luis Corrons, technical director of PandaLabs, comments, “We’re becoming evermore interconnected. Everything is connected to everything else – and it’s all connected to the internet. I don’t know that we’re going to install anti-virus for the fridge – but who knows.” Basically, when there are enough fridges connected to the internet, there will be fridge malware.

Technical sophistication

James Lyne described one example of the increasing sophistication in malware. “Polymorphism,” he said, “has been around for about 20 years. It’s where the malware continually changes itself to avoid detection – but it has been easy for the AV vendors to defeat it. We’d get hold of a copy, extract and analyse the engine that creates the new copies and work out all the possible future versions. That would give us generic detection for that whole polymorphic family. But today the bad guys are using server-side polymorphism where the engine is not in the malware but on legitimate business websites. Every time it is refreshed, what is downloaded is different in content to the previous download – and after a couple of hundred downloads, they kill that site and move on to another. That way none of us vendors can get hold of the engine to write any form of generic protection.”
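The generic-detection step Lyne describes for classic polymorphism can be made concrete with a toy. The block below is an added example and is not Sophos code: it constructs a harmless stand-in for a polymorphic family (a fixed marker text XOR-encoded with a per-sample single-byte key behind a tiny stub that carries the key), then compares a per-sample hash blacklist against a generic detector that does what an analyst would do after recovering the engine: find the stub, extract the key, decode, and match the invariant body. The stub marker, payload text and key scheme are all constructed for the illustration. The server-side variant in the quote is precisely the case where the defender never obtains the engine, so the `generic_detects` step cannot be written; that is why the later sections turn to behaviour and reputation instead.

```python
import hashlib
from typing import Set, Tuple

# Constructed, inert stand-in for a polymorphic family's invariant body.
# Real families carry code here; this is plain text so the demo stays harmless.
PAYLOAD = b"FAMILY-X marker: invariant body shared by every variant"

# Constructed stub marker that a hypothetical engine always emits before the key.
# It is not a real instruction sequence; it just gives the detector an anchor.
STUB_MARKER = b"XORSTUB:"


def make_variant(key: int) -> bytes:
    """Emulate the output of the analysed engine: stub marker, key byte, encoded body."""
    body = bytes(b ^ key for b in PAYLOAD)
    return STUB_MARKER + bytes([key]) + body


def hash_blacklist_detects(sample: bytes, known_hashes: Set[str]) -> bool:
    """Per-sample hash matching: only catches variants seen before."""
    return hashlib.sha256(sample).hexdigest() in known_hashes


def generic_detects(sample: bytes) -> bool:
    """Generic family detection derived from understanding the engine:
    locate the stub, recover the key, decode the body, match the invariant."""
    idx = sample.find(STUB_MARKER)
    if idx < 0:
        return False
    key_pos = idx + len(STUB_MARKER)
    if key_pos >= len(sample):
        return False  # truncated sample: stub present but no key byte
    key = sample[key_pos]
    decoded = bytes(b ^ key for b in sample[key_pos + 1:])
    return b"FAMILY-X" in decoded


def compare(n_variants: int = 256) -> Tuple[int, int]:
    """Return (hash hits, generic hits) over every possible single-byte key.
    The blacklist knows exactly one variant, as a vendor would after one capture."""
    known = {hashlib.sha256(make_variant(0x41)).hexdigest()}
    hash_hits = sum(hash_blacklist_detects(make_variant(k), known) for k in range(n_variants))
    generic_hits = sum(generic_detects(make_variant(k)) for k in range(n_variants))
    return hash_hits, generic_hits


if __name__ == "__main__":
    h, g = compare()
    print(f"hash blacklist: {h}/256 variants; generic detection: {g}/256 variants")
```

The asymmetry in the counts is the whole argument: one captured engine yields coverage of the entire key space, whereas the server-side scheme in the quote forces the defender back to one hash per download, each of which is stale after the first use.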

Current developments in anti-malware: what are the defenders doing?

There doesn’t appear to be a major advance in AV technology on the near horizon. “Right now,” says David Harley, ESET research fellow and director of malware intelligence, “it’s more a case of multiple/hybrid technologies (found in nearly any modern AV) advancing by improving individual components. Obviously, some products stress certain components more than others.”

Has the AV industry shot itself in the foot?
We’ve all seen the adverts and claims: “Our product detects 99% (or even 100%) of viruses.” And yet we still get infected. And we still hear of new viruses being missed by almost all of the AV products when tested against VirusTotal. Something is clearly wrong.
When you look at the small print, you see that what appears to be “100% of viruses in the wild” is actually “100% of viruses that are included in the WildList”, and “in the wild” and “in the WildList” are two completely different things. I don’t believe it was designed to be misleading; but it is misleading, and I believe that AV companies know that it is misleading.
This might have worked ten years ago, when users were more technically naive. But today’s user can see the anomaly, and the result is a loss of trust in the AV companies that will only increase unless and until they start to be more honest in their claims. The AV marketing bods need to be more like the AV technical bods, who are far more likely to tell you how it really is.

Christopher Boyd, GFI senior threat researcher, suggests “virtual sandboxing, which allows threats to be intercepted and executed inside a virtual machine running a Windows-like pseudo environment, allowing for more accurate detection and safer quarantine and disposal.”

Reputation-based classification

But probably the biggest single development has been the evolution of product-based reputation feedback (not to be confused with community-based reputation systems such as the Web of Trust). Rik Ferguson, Trend Micro’s senior security advisor, explains his own company’s reputation system. It is born out of the marriage, in the cloud, of three separate databases: bad emails, bad URLs and bad files. “Let’s take a hypothetical worst-case scenario,” he said. “You get an email from a bot that has only just been infected – and the email is well-crafted so that it looks OK. We can’t see anything wrong with it, so we allow it. In this case, email reputation has failed. The email contains a link to a malicious website that has only just been registered. Again, we don’t yet know it’s bad – so we allow you to click the link, and again the reputation system has failed. You click the link and visit the website which uses a zero-day exploit to infect you with a new trojan that the bad guys have already tested against all the AV products. We haven’t seen this trojan, so we allow you to download it – and you’re infected. Email, URL and file reputation systems have all failed. But,” he stresses, “the first thing that the trojan will seek to do is phone home, either to tell its owner that it has landed, or to download additional components. At this point we will almost certainly recognise this as suspicious behaviour and block it. We will also relay the URL source of the suspect file to TrendLabs who will download the page content and analyse it.” Instantly, the URL database and file database are updated with the new reputations. And, “if a new email comes in pointing to that URL that we now know to be suspicious, we can recognise the email as also suspicious and can add details to our email reputation system. And all of this is based on the behaviour of a file that we had previously thought was OK; and all of these new reputations are, thanks to the cloud, instantly available to all of our other customers.”
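The mechanism in Ferguson’s scenario is a correlation problem: three databases that each failed on first sight, tied together by provenance so that one behavioural verdict can flow back through all of them. The block below is an added example, not Trend Micro’s system, that models that loop on constructed events. The sender, URL, host names and hash are placeholders; the "phone home" rule (a freshly downloaded file connecting to a host other than the one it was fetched from) is my own simplification of the behavioural engine, and propagating the verdict to the *sender* of the email, not only to the URL, is an assumption that goes slightly beyond the quote.

```python
from dataclasses import dataclass, field
from typing import Dict, Set
from urllib.parse import urlparse


@dataclass
class ReputationStore:
    """Three linked reputation databases (email sender, URL, file hash) plus the
    provenance links that let a verdict on one object propagate to the others.
    Unknown objects are allowed through, exactly as in the worst-case scenario."""
    emails: Dict[str, str] = field(default_factory=dict)      # sender -> "suspicious"
    urls: Dict[str, str] = field(default_factory=dict)        # url -> "suspicious"
    files: Dict[str, str] = field(default_factory=dict)       # sha256 -> "suspicious"
    file_source: Dict[str, str] = field(default_factory=dict) # sha256 -> url it was fetched from
    url_senders: Dict[str, Set[str]] = field(default_factory=dict)  # url -> senders who mailed it

    def on_email(self, sender: str, url: str) -> bool:
        """Email reputation check. Records who mailed which link; True means block."""
        self.url_senders.setdefault(url, set()).add(sender)
        return self.emails.get(sender) == "suspicious" or self.urls.get(url) == "suspicious"

    def on_download(self, url: str, sha256: str) -> bool:
        """URL and file reputation check at download time; True means block."""
        self.file_source[sha256] = url
        return self.urls.get(url) == "suspicious" or self.files.get(sha256) == "suspicious"

    def on_outbound_connection(self, sha256: str, dest_host: str) -> bool:
        """Behavioural trigger (constructed rule): a freshly downloaded file that
        connects to a host other than the one it came from is treated as phoning
        home. When it fires, the verdict flows back to the file, to its source URL,
        and to every sender that mailed that URL. True means block."""
        source_url = self.file_source.get(sha256)
        if source_url is None:
            return False  # not something we watched arrive; outside this demo's scope
        if dest_host == urlparse(source_url).hostname:
            return False  # talking back to the download host is not our trigger
        self.files[sha256] = "suspicious"
        self.urls[source_url] = "suspicious"
        for sender in self.url_senders.get(source_url, ()):
            self.emails[sender] = "suspicious"
        return True


def run_scenario() -> Dict[str, bool]:
    """Replay the worst-case sequence; each value is whether that step was blocked."""
    store = ReputationStore()
    bot = "bot-sender@example.invalid"                      # constructed
    url = "http://newly-registered.example.invalid/offer"   # constructed
    sha = "0" * 64                                           # constructed placeholder hash
    return {
        "first_email": store.on_email(bot, url),                       # allowed: nothing known yet
        "download": store.on_download(url, sha),                       # allowed: file and URL unknown
        "phone_home": store.on_outbound_connection(sha, "c2.example.invalid"),  # blocked
        "later_email_same_url": store.on_email("someone@example.invalid", url), # blocked via URL
        "later_email_same_sender": store.on_email(bot, "http://other.example.invalid/x"),  # blocked via sender
    }


if __name__ == "__main__":
    for step, blocked in run_scenario().items():
        print(f"{step:24s} {'BLOCKED' if blocked else 'allowed'}")
```

The first three steps reproduce the three failures Ferguson lists; the behavioural step is the only one that does not depend on having seen the object before, and the last two steps show the updated reputations doing work for the next victim.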

Future solutions for the malware problem

We have a choice. We can carry on as we are, trying to improve our anti-malware defences in a perpetual leapfrogging process with the bad guys – or we can think out of the box and be radical. One approach could be Trusteer’s Rapport product. Its purpose is not primarily to find and eliminate viruses, but specifically to protect online bank transactions from malware (such as Zeus). Rapport is anti-malware; but not as we know it. Its primary purpose is to protect the browser. It doesn’t go looking for malware on your PC. Rather it defines a browser behavioural policy – and if the browser tries to behave differently, it knows that there is malware involved. “It’s like behavioural detection,” explains Amit Klein, Trusteer’s chief technology officer, “but it’s not behavioural in the sense that we monitor all the behaviour of a suspicious binary – rather we wait for the malware to come to us – for it to ‘attack’ the browser; and that’s where we stop it cold.”

Scott Charney’s Internet Health Certificate

A more radical approach could be the Internet Health Certificate proposal put forward by Microsoft’s Scott Charney (Collective Defense – Applying Global Health Models to the Internet). Charney’s idea is that we should take a lead from the World Health Organization: you may need to prove your health before you can do certain things or go to certain places. In other words, users may need a health certificate for their computers before they are allowed access to the internet. The AV industry is not generally impressed. Who says a computer is healthy? Who defines computer health? “I’d be pretty unhappy if it turned out that the health of my systems was being certified by someone whose knowledge of security wasn’t much higher than the average,” comments ESET’s David Harley. “Or even the sysadmin responsible for the Microsoft servers that are used to relay spam…”

Nor is the technical problem trivial. “The technical issue is the volume of edge cases,” continues Harley. “I don’t think a ‘just about good enough’ heuristic approach combines well with a utilitarian ‘greatest good for the greatest number’ approach, in this case.”

[Photo] Rik Ferguson, senior security advisor, Trend Micro

Trend Micro’s Rik Ferguson raises a practical issue. “What happens,” he asks, “in the case of false positives? If users are incorrectly quarantined, will they be able to claim something back in lost productivity, lost purchases on eBay, or whatever it may be?”

“It’s an interesting idea,” concedes Trusteer’s Klein. “But with the current infection rates where your machine can be clean one day and infected the next, I’m worried about the implications for an ISP handling millions of customers, some of whom keep getting re-infected. In practice, I’m not sure how we can really adopt this – I’m not sure how the ISP, where the rubber meets the road, will be able to handle this under current pricing structures.”

With apparently so little going for this idea, you have to wonder how it got air time. The answer might be in Scott Charney’s title: vice president of trustworthy computing. Microsoft, of course, is a leading member of the Trusted Computing Group (TCG). The TCG has developed specifications for how to control what can and cannot run on a computer – and this can already be achieved via Intel chips (Intel is another member of the TCG) installed on the majority of the world’s PCs. So if a third party (your company? Microsoft? Intel? Your ISP? The Government?) defines what can run on your PC for you to be allowed access to the internet, you automatically have a health certificate because nothing else, neither malware, nor pirated software, nor illegal music, nor porn, nor any new software not sanctioned by the controlling organization, is capable of running. The problem is solved. Some might say at the cost of personal freedom.

Conclusions

Some of the marketing hype around anti-virus products seems to imply that AV software is all you need to be safe. It is not. You need layers of different security. In fairness to them, none of the anti-virus technologists will suggest that AV is enough. You need to complement it with data loss prevention technologies, ID theft prevention, firewalls, URL filters and more. How will the market develop? “Slowly and painfully,” says Harley. “Customers who expect 100% success will continue to be disappointed. Pure AV will become rarer: the technology will continue to be further integrated with other defensive technologies.”

New technologies such as Rapport can help in niche areas; ideas such as trusted computing could solve the problem but at the cost of personal liberty. Now I am not the biggest fan of the way in which the anti-virus industry markets itself. But of this I am certain: we cannot, and must not try to, do without it. The anti-virus industry is not merely relevant; it is still essential.

 

Developments in consumer anti-virus
The biggest single development in consumer anti-virus product is the growth of the free product. Many companies now provide free online scanners – Trend Micro’s HouseCall and Symantec’s Security Check are good examples. There is also a growing number of free products you download and install on your computer: AVG and Avira are the best known. More recently Panda has launched a new free version.
Petter Lautin, Panda Security’s MD for UK and Ireland, explains the rationale: “A Morgan Stanley survey in America has shown that 46% of consumers rely on free security software, and that’s expected to increase to nearer 60%. I’d be surprised if things in Europe are very different; so that’s a fact of life we can’t ignore. Secondly, believe it or not, there are many people out there who are still not using any anti-virus product at all. For them, this is a perfect way to start because it gives you the basic anti-malware protection that everyone needs to have. From there we can start to talk about what you should have rather than must have: a firewall, ID theft protection and all sorts of things on top of that.”
ESET’s David Harley has a pragmatic view. “The economics of the marketplace, though, are that the consumer market isn’t really profitable. It costs more than some companies can afford to support those customers, measured against the profit margin. That’s why some companies make single-user licences so expensive compared to their corporate deals. So for years, the deal with free AV has been a trade-off: fewer bells and whistles and often less detection/disinfection, and restricted support (forums, but not telephone support).”
There is a rider to this – there is still a dearth of free AV software for the Mac. “There is a limited number of free antivirus tools for Mac,” explains Laurent Marteau, CEO of Intego, one of the relatively few Mac AV vendors, “but they have not had a major effect on the market. With Mac antivirus software, none of the companies offering free tools have the infrastructure to find Mac malware and update their software in a timely manner.”
But expect this to change. Panda has now entered the Mac market – and I suspect it will offer a free Mac version in the future. [And since this was written, see: Sophos launches free Mac anti-virus for home users].

 

Comment from anti-virus, April 2, 2013 at 9:40 pm:

I’m pretty sure the first thing the hackers do when a new anti-virus is released is go and buy it and try and work around it. So not so sure that they will ever get one over the hackers.
