The Current State of the Malware/AntiVirus Arms Race
An anonymous reader writes "An article at Net Security explores how malware has developed self-defense techniques. This evolution is the result of the double-edged sword of the malware arms race. Anti-virus technology is ever more advanced, but as a result surviving viruses are increasingly sophisticated. What Net Security offers is a lengthy look at the current state of that arms race. 'There are many different kinds of malware self-defense techniques and these can be classified in a variety of ways. Some of these technologies are meant to bypass antivirus signature databases, while others are meant to hinder analysis of the malicious code. One malicious program may attempt to conceal itself in the system, while another will not waste valuable processor resources on this, choosing instead to search for and counter specific types of antivirus protection. These different tactics can be classified in different ways and put into various categories.'"
No mention of the effect of whitelisting? (Score:2, Insightful)
This story is all over industry security portals at the moment, and has appeared in theregister, securityfocus, and others.
Jack
Oh please... (Score:5, Insightful)
Basically, it's impossible to write the perfect AV software. It simply does not work. The perfect AV software could, of course, exist: simply disallow ANY kind of user interaction and installation of additional products. Perfect computer. Useless, but perfectly safe.
The problem is that malware does not use anything "special" that makes it easy to say "something that uses function X or accesses Y is malware". It doesn't work that way. What malware does is usually not much different from normal program activity. They access the Windows registry, create keys there, they create and alter files (not necessarily system files, which would be "suspicious" behaviour to say the least), they plug into Internet Explorer, they open ports for incoming connections, they transfer data to and from the computer.
It's not anything that is by definition "bad". How would you want to create the "perfect" AV product?
Re:No mention of the effect of whitelisting? (Score:3, Insightful)
An awful lot of modern malware doesn't comprise "viruses" in the classical sense, it comprises trojans. The only way to absolutely prevent a trojan from running is by preventing the user from running arbitrary software. This may fly in a corporate environment, but never for home use.
Basically, it comes down to either being vulnerable to malware, or not letting the computer do what the user tells it to.
(The latter, of course, being the driving force behind so-called "trusted computing"...which is pretty much exactly what you're advocating)
Re:From TFA (Score:3, Insightful)
Why is there very little "commercial" malware for Firefox? Firefox has quite a few security bugs and holes that can be exploited for phishing and identity theft, still, virtually all commercial malware relies on WinXP and IE. Why? Because of the numbers.
Writing malware for IE means that you can infect about 3/4 if not more of possible targets, while malware for FF means you will reach about 1/4 at best. So for which one do you develop if your goal is to infect as many targets as possible?
Since today most malware kits rely on user stupidity rather than system flaws, the system's own security is no deciding factor anymore. I'd rather attribute it to the number of possible targets and, of course, that the malware writers are used to the Windows architecture and can (ab)use it very creatively.
Re:Viruses will never go away (Score:2, Insightful)
a) keeping the source code in plain sight,
b) having a plethora of distributions similar enough that skills transfer, but sufficiently different that many kinds of attacks are harder,
c) not treating the users and admins like a bunch of sheep, but instead requiring they learn a bit
are three reasons you hear far less about virus attacks in the non-proprietary world.
Someone will supply the counter-argument that lack of market penetration == lack of virus penetration, and I will yawn and enjoy a relatively un-penetrated life.
Re:From TFA (Score:4, Insightful)
Let's say some nefarious guys are trying to get their malware installed on everyone's computers. So they buy some exploit code that targets IE. They say "Great, this will infect 3/4 of the computers out there!"
Now if these malware distributors are approached by some other guy who says "I can sell you exploit code that targets Firefox"... do you think the malware distributors will say "no thanks" or will they say "Great, that covers the other 1/4 of computers out there!" (Maybe they will pay less for that exploit, but they will surely use it if it's available.)
Since Firefox's market share is not insignificant (10% to 25%?), there should be a market for such exploits. Similarly, there should be a market (perhaps smaller, but still a market) for the 4% Mac users. It appears that despite this, the targeting of Mac and Firefox is very much less than Windows/IE (more than can be accounted for by market share alone).
I'm sure that part of it has to do with market share. However inherent security is also part of the equation. (And frankly I don't know why such a statement is so controversial on Slashdot... why should security be based on only one factor in the first place?)
Re: Oh Please... (Score:2, Insightful)
It seems to me that the malware authors are putting at least as much, if not more, effort into research, development, and quality assurance than the major OS and AV vendors expend on improving their products. I wonder if that is a function of the malware authors being compensated more directly as a result of their efficiency? They don't appear to be trying to bundle a "malware suite" or get additional revenue from licensing and support.
I wonder if AV vendors would be able to deliver a better product if they cut overhead and simply focused on developing and maintaining a product that worked efficiently and effectively for a decent price. I know I would prefer an AV solution that just did anti-virus very well and didn't involve a hard-press sales call every other week to evaluate their "security suite."