Antivirus Software Performs Poorly Against New Threats 183
Hugh Pickens writes "Nicole Perlroth reports in the NY Times that the antivirus industry has a dirty little secret: antivirus products are not very good at stopping new viruses. Researchers collected and analyzed 82 new computer viruses and put them up against more than 40 antivirus products, made by top companies like Microsoft, Symantec, McAfee and Kaspersky Lab and found that the initial detection rate was less than 5 percent (PDF). 'The bad guys are always trying to be a step ahead,' says Matthew D. Howard, who previously set up the security strategy at Cisco Systems. 'And it doesn't take a lot to be a step ahead.' Part of the problem is that antivirus products are inherently reactive. Just as medical researchers have to study a virus before they can create a vaccine, antivirus makers must capture a computer virus, take it apart and identify its 'signature' — unique signs in its code — before they can write a program that removes it. That process can take as little as a few hours or as long as several years. In May, researchers at Kaspersky Lab discovered Flame, a complex piece of malware that had been stealing data from computers for an estimated five years. 'The traditional signature-based method of detecting malware is not keeping up,' says Phil Hochmuth. Now the thinking goes that if it is no longer possible to block everything that is bad, then the security companies of the future will be the ones whose software can spot unusual behavior and clean up systems once they have been breached. 'The bad guys are getting worse,' says Howard. 'Antivirus helps filter down the problem, but the next big security company will be the one that offers a comprehensive solution.'"
so its like the human immune system? (Score:5, Interesting)
who would have thought?
What's the impact of those new viruses? (Score:5, Interesting)
In about 15 years I've seen (and fixed) about ten infections, all on computers from friends or colleagues. All those infections were with known viruses or rootkits. You might say that new viruses go unnoticed, but even if they have infected a computer, shouldn't an antivirus scanner detect it later? Yeah I know it "should", but will it? I never see anything about them. Anyway, how often do all these new viruses actually have an impact?
Film at 11... (Score:5, Interesting)
Whitelist is old news (Score:5, Interesting)
The article mentions whitelist technology as the next step beyond conventional signature-based blacklist systems. But that's what I used three years ago, with RegRun [greatis.com]. As soon as an executable is run that it doesn't recognize, RegRun pops up an alert asking you if it's legitimate. Of course, this is useful only for the technologically savvy.
But now instead of that, I employ the ultimate in virus recovery (albeit not virus control). Using the multi-boot software BootIt Bare Metal [terabyteunlimited.com] (like a commercial version of GRUB, GParted, and other utilities rolled into one), I keep a clean OS on a separate partition that I can copy over the main partition at any time. Of course, I keep data on fileservers instead of my local hard drive.
Industry Incentives (Score:4, Interesting)
While this is a classic arms-race (i.e. each has incentive to stay one step ahead) - I would argue that there is asymmetry in the incentives in the attackers (malware writers), and defenders (anti-virus, and computer security software writers). I believe the long-term outcome of this is that the window of exposure for popular platforms will continue to grow, despite advances in: patching hosts, general user education, availability of firewalls, etc
An illustration of the basic asymmetry is this:
A lone coder in an impoverished country has a lot more to gain by writing a single virus/piece of malware than does an anti-virus company to write detection for that single virus. Think: bread for your family vs. one more item crossed off in a list of tens (if not hundreds) of thousands.
Additionally, the virus only has to be active for a short time to make the labour worth it. Write a new one every month, by the time it gets to the a/v companies, cash is in the bank.
Multiply this by the number of coders that are out of work, in countries that have other things to worry about, and the increasing availability of tools and education for the job.
It is a losing battle, long term.
Cautionary tale (Score:3, Interesting)
I like to think of myself as being pretty good when it comes to security and AV protection. I've been using computers since the C64 era and I remember when Michelangelo was making waves, long before rootkits. I even wrote a small DOS virus in assember myself (never released it, just as a study). I don't run crap downloaded from torrent sites and all my software is licensed. I keep a Windows XP inside a VM for stuff I'm not sure about.
Last month I got infected. I got sloppy and I just run something from an unknown origin (not a crack or some crapware, a legitimate installer). Some alarm bells sounded right away in my brain (the installer should have been signed and I got a warning that Windows Security has been disabled). I spent the next 5 days running AV tests on the drive. I used Live CDs from Kaspersky and MS to boot clean. I pulled out the drive and scanned it on a clean computer. I run separate AV and Rootkit finders. They all said the system is clean but I still didn't feel right. Finally, I run Malwarebytes Anti-Rootkit and it found it! No false positive, it really was a trojan svchost.exe. Needless to say I nuked everything from orbit - repartitioned and reformatted the drive, installed everything fresh and restored my files from backup. I even changed all the passwords.
Re:Cautionary tale (Score:4, Interesting)
He had an uneasy feeling and confirmed it. It's possible there was more to the infection that wasn't found. The only safe way to recover from a virus is a nuke from orbit and restore from backups.
Anti-Virus - scamming people since day 1.... (Score:4, Interesting)
IMO, this is all to be expected, and hints at the true, underlying problem. The entire concept of anti-virus software developed under false pretenses.
If you read Wired magazine's lengthy story on John McAfee, for example, you learn that the guy was little more than a scammer, ever since his college years. He started out giving away "free" magazine subscriptions that he lied and told people they won, and then convinced them to pay him a "shipping and handling" charge to receive them.
He only got the idea to form his anti-virus company after reading a few news stories about the successful spreading of the first virus programs (which were really developed as an experiment to see how far they'd replicate -- not to do any damage to systems). He thought it was really scary stuff (which he claims is largely because he was beat as a child by his dad, and the idea of a computer virus suddenly attacking a machine for no known/good reason was similar in his mind).
His company only become really financially successful after he fear-mongered to the media at every turn, trumping up relatively small virus infections as "liable to wipe out entire corporations!" and so forth. (Remember, in the beginning, McAfee actually gave his product away for free - knowing home users would start recommending and/or installing the product where they worked too, and the real money was in getting companies to pay for licensing.) Obviously, others saw the flow of money and wanted a piece of that action, so they, too, started anti-virus or "computer security" companies with similar strategies.
Don't get me wrong. I'm sure there really are people in the computer security or anti-virus business with good intentions. Some people out there really DO think they've "built a better mousetrap" and aren't just trying to sell a bill of goods for easy money. But at best, this stuff is a rapidly moving target. In fact, the traditional virus is hardly even a problem anymore, since most malicious software writers have moved on to malware as more effective for their purposes. (Why try to make complicated code that secretly attaches to valid files and replicates itself at every turn when you can just trick a clueless user into voluntarily downloading and running your destructive application instead?)
Over the years, I've watched companies spend huge money on dedicated appliances that purported to be "advanced firewalls" and "intrusion prevention systems" and the like -- only to become pretty much obsolete when a new "security" company popped up and offered up a replacement solution that was more clever and relevant to the latest variations of threats. Meanwhile, how much money was REALLY saved by having any of this? That's the beauty of the scam, of course... there's no way to quantify it. You can make up all sorts of pretend statistics!
Re:so its like the human immune system? (Score:3, Interesting)
Nope. Computer viruses are intelligent design, not evolution.
Re:Whitelist is old news (Score:2, Interesting)
I swear I saw a buffer-overrun attack (/ jailbreak) on an mp3 player using a maliciously malformed ID3 tag. Even "data" can be a vector for an attack as soon as it's read by a vulnerable application.