The Current State of the Malware/AntiVirus Arms Race

An anonymous reader writes "An article at Net Security explores how malware has developed self-defense techniques. This evolution is the result of the double-edged sword of the malware arms race. Anti-virus technology is ever more advanced, but as a result surviving viruses are increasingly sophisticated. What Net Security offers is a lengthy look at the current state of that arms race. 'There are many different kinds of malware self-defense techniques and these can be classified in a variety of ways. Some of these technologies are meant to bypass antivirus signature databases, while others are meant to hinder analysis of the malicious code. One malicious program may attempt to conceal itself in the system, while another will not waste valuable processor resources on this, choosing instead to search for and counter specific types of antivirus protection. These different tactics can be classified in different ways and put into various categories.'"
  • by Rosco P. Coltrane ( 209368 ) on Tuesday July 03, 2007 @11:54AM (#19731549)
    not because virus writers are clever, but because A/V companies are always very careful not to make too successful products, otherwise they'd kill the golden goose.
  • by doti ( 966971 ) on Tuesday July 03, 2007 @12:01PM (#19731655) Homepage
    And how will they compete with Free software anti-virus?
  • by Anonymous Coward on Tuesday July 03, 2007 @12:03PM (#19731697)
    There doesn't seem to be any mention of whitelisting in the arms race between malware and desktop management systems in this article. Companies like Trinamo are championing the approach of designating only a handful of applications as being "approved" for execution, denying viruses, trojans, malware, and other junk like toolbars a chance to run before they can do any harm. They have a bunch of free information on the subject online. http://www.trinamo-solutions.com/downloads/download.html
    This story is all over industry security portals at the moment, and has appeared in theregister, securityfocus, and others.
    Jack
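As an added illustration of the deny-by-default "approved applications" approach described in the post above (example code written for this page, not Trinamo's product or anything from the article), the policy below allows a binary to run only if its SHA-256 digest is on a known-good list; a tampered copy of an approved program and an unknown toolbar installer are both refused. The file names and contents are constructed for the demo.

```python
"""Application allowlisting: deny-by-default execution policy keyed on file hashes."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash the executable's bytes; a single patched byte yields a different digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class ExecutionPolicy:
    """Only binaries whose digest is in the approved set may run; everything else is denied."""

    def __init__(self, approved: dict):
        # approved maps sha256 digest -> human-readable label, kept for audit logging
        self.approved = approved

    def decide(self, path: Path) -> tuple:
        digest = sha256_file(path)
        label = self.approved.get(digest)
        if label is None:
            return "deny", f"{path.name}: digest {digest[:12]}... not on allowlist"
        return "allow", f"{path.name}: approved as {label}"


def demo() -> dict:
    """Constructed scenario: an approved editor, a tampered copy of it, and an unknown installer."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        editor = root / "editor.exe"
        editor.write_bytes(b"MZ\x90\x00" + b"legitimate editor code" * 100)
        tampered = root / "editor_patched.exe"
        tampered.write_bytes(editor.read_bytes()[:-1] + b"\xff")  # one byte differs
        toolbar = root / "toolbar_setup.exe"
        toolbar.write_bytes(b"MZ\x90\x00" + b"bundled toolbar" * 100)

        # The allowlist is built from the known-good editor only (hypothetical label).
        policy = ExecutionPolicy({sha256_file(editor): "TextEditor 1.0"})
        return {p.name: policy.decide(p)[0] for p in (editor, tampered, toolbar)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:5s} {name}")
```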
  • Oh please... (Score:5, Insightful)

    by Opportunist ( 166417 ) on Tuesday July 03, 2007 @12:11PM (#19731847)
    This conspiracy is about as old as the AV industry. At least you spared us this time the drivel about AV vendors first of all creating malware so they can sell their stuff.

    Basically it's impossible to write the perfect AV software. It simply does not work. The perfect AV software could, of course, exist: Simply disallowing ANY kind of user interaction and installation of additional products. Perfect computer. Useless, but perfectly safe.

    The problem is that malware does not use anything "special" that makes it easy to say "something that uses function X or accesses Y is malware". Doesn't work that way. What malware does is usually not much different from normal program activity. They access the windows registry, create keys there, they create and alter files (not necessarily system files, which would be "suspicious" behaviour to say the least), they plug into Internet Explorer, they open ports for incoming connections, they transfer data to and from the computer.

    It's not anything that is by definition "bad". How'd you want to create the "perfect" AV product?
  • by Control Group ( 105494 ) * on Tuesday July 03, 2007 @12:16PM (#19731903) Homepage
    Your idea boils down to making the computer no longer a general-purpose device. This, obviously, defeats the purpose of having a computer in the first place.

    An awful lot of modern malware doesn't comprise "viruses" in the classical sense, it comprises trojans. The only way to absolutely prevent a trojan from running is by preventing the user from running arbitrary software. This may fly in a corporate environment, but never for home use.

    Basically, it comes down to either being vulnerable to malware, or not letting the computer do what the user tells it to.

    (The latter, of course, being the driving force behind so-called "trusted computing"...which is pretty much exactly what you're advocating)
  • Re:From TFA (Score:3, Insightful)

    by Opportunist ( 166417 ) on Tuesday July 03, 2007 @12:16PM (#19731913)
    Hey, there is rather little malware for Vista! For the same reason there is virtually none for Mac or Linux: It doesn't pay.

    Why is there very little "commercial" malware for Firefox? Firefox has quite a few security bugs and holes that can be exploited for phishing and identity theft, still, virtually all commercial malware relies on WinXP and IE. Why? Because of the numbers.

    Writing malware for IE means that you can infect about 3/4 if not more of possible targets, while malware for FF means you will reach about 1/4 at best. So for which one do you develop if your goal is to infect as many targets as possible?

    Since today most malware kits rely on user stupidity rather than system flaws, the system's own security is no deciding factor anymore. I'd rather attribute it to the number of possible targets and, of course, that the malware writers are used to the Windows architecture and can (ab)use it very creatively.
  • by smittyoneeach ( 243267 ) * on Tuesday July 03, 2007 @12:29PM (#19732083) Homepage Journal
    F/OSS, itself, is the ultimate anti-virus.
    a) keeping the source code in plain sight,
    b) having a plethora of distributions similar enough that skills transfer, but sufficiently different that many kinds of attacks are harder,
    c) not treating the users and admins like a bunch of sheep, but instead requiring they learn a bit
    are three reasons you hear far less about virus attacks in the non-proprietary world.
    Someone will supply the counter-argument that lack of market penetration == lack of virus penetration, and I will yawn and enjoy a relatively un-penetrated life.
  • Re:From TFA (Score:4, Insightful)

    by kebes ( 861706 ) on Tuesday July 03, 2007 @12:42PM (#19732267) Journal
    Market share is certainly a factor, but I think it's a stretch to say that it's the only factor.

    Let's say some nefarious guys are trying to get their malware installed on everyone's computers. So they buy some exploit code that targets IE. They say "Great, this will infect 3/4 of the computers out there!"

    Now if these malware distributors are approached by some other guy who says "I can sell you exploit code that targets Firefox"... do you think the malware distributors will say "no thanks" or will they say "Great, that covers the other 1/4 of computers out there!" (Maybe they will pay less for that exploit, but they will surely use it if it's available.)

    Since Firefox's market share is not insignificant (10% to 25%?), there should be a market for such exploits. Similarly, there should be a market (perhaps smaller, but still a market) for the 4% Mac users. It appears that despite this, the targeting of Mac and Firefox is very much less than Windows/IE (more than can be accounted for by market share alone).

    I'm sure that part of it has to do with market share. However inherent security is also part of the equation. (And frankly I don't know why such a statement is so controversial on Slashdot... why should security be based on only one factor in the first place?)
  • by Sloppy ( 14984 ) on Tuesday July 03, 2007 @01:05PM (#19732577) Homepage Journal
    ..people who decide to not run them. Whenever someone emails you a virus, or offers you a virus on their webpage, if you decide to not save it, chmod +x it, and run it (whether as root or your usual level of access), then for some geeky technical reason I don't understand, its defense code fails to activate.
  • by kestasjk ( 933987 ) on Tuesday July 03, 2007 @02:06PM (#19733379) Homepage
    This XP install has been going for over a year and hasn't got malware yet, and I don't use any anti-virus or anti-spyware apps. If you don't download spyware, use some common sense, and run under a user account and not an admin you don't get malware.
  • Re: Oh Please... (Score:2, Insightful)

    by a-zarkon! ( 1030790 ) on Tuesday July 03, 2007 @02:13PM (#19733511)

    It seems to me that the malware authors are putting at least as much, if not more, effort into research, development, and quality assurance than the major OS and AV vendors expend on improving their products. I wonder if that is a function of the malware authors being compensated more directly as a result of their efficiency? They don't appear to be trying to bundle a "malware suite" or get additional revenue from licensing and support.

    I wonder if AV vendors would be able to deliver a better product if they cut overhead and simply focused on developing and maintaining a product that worked efficiently and effectively for a decent price. I know I would prefer an AV solution that just did anti-virus very well and didn't involve a hard-press sales call every other week to evaluate their "security suite."

  • by MajinBlayze ( 942250 ) on Tuesday July 03, 2007 @02:37PM (#19733833)
    This always makes me laugh:

    hasn't got malware yet
    followed by:

    I don't use any anti-virus or anti-spyware apps
    Honestly, I used to have the same view; then one day I was having some hd problems, and started watching traffic. After restarting my computer, it wouldn't boot, as something had corrupted my MBR. After that, I learned not to trust so much, and ultimately got interested in Linux. If for nothing more than the fact that there are fewer viruses/malware for the platform.
