Sometimes a technology outlives its usefulness. A good example is the automobile carburetor. While we have known the performance gains and fuel savings of multi-port direct fuel injection for decades, some (NASCAR!) still cling to the use of the outdated, yet familiar carburetor. Much the same has occurred with the technology to fight Malware. Anti-virus has become the “carburetor” of keeping malicious code off of our systems.
What is A/V software?
Anti-virus is still primarily a signature based system. In other words, we define a code pattern that we want to detect and then search memory or the hard disk for that pattern. This is referred to as “application black listing”, because we are defining the bad applications we want to keep off of the system.
Where do A/V signatures come from?
Typically an A/V customer will become infected and report the problem to their vendor. The A/V vendor can then generate a pattern, which permits their other clients to be protected from this same strain. Its also possible for the signature to get generated if the code is found in the wild prior to release, or if another vendor generates a signature.
What about heuristics?
Heuristics looks at suspect behavior and then white lists known to be good applications. For example we may check all attempts to create a user account on the system and then check to see if the application is a known administrator tool. This technology has some really cool potential, but it also has a number of flaws. The primary problem, and the reason heuristics sees little to no use, is the fact that its prone to false positives. Try to use a 3rd party tool to manage your user accounts and the A/V heuristic engine is probably going to block it.
The business model of Malware
When anti-virus was first developed, Malware had two specific traits:
- Malware distribution was slower than signature distribution.
- Malware writers were mostly script kiddies attempting mass propagation.
Neither one of these items are applicable in today’s environments. Symantec states that in 2009 they are averaging a new Malware signature every eight seconds. For F-Secure, this frequency is closer to a new signature every four seconds. Do you update youy A/V every 4-8 seconds? Does your A/V vendor even release a new signature file every 4-8 seconds? You see the problem. Even if you diligently update A/V every night, 11,000-20,000 new signatures and pieces of Malware have ticked by.
But let’s talk a bit more about item #2; script kiddies and mass propagation. Around 2001 or so I noticed a change in the Malware world. The folks who really knew what they were doing stopped doing mass release. Think about it, most Malware writers usually start when they are very young. When you are still in school and living at home, its trivial to release your code for free. At some point however you need to get a job and start earning some income. When you personally reached that place in life, what did you do? For most of us, it involves looking at what we are good at and trying to match that up to a high paying job.
So if you are good at writing Malware, where are the high paying jobs? Some possibilities:
- Extortion – Steal info and sell it back.
- Espionage – Steal info for a competing company, government, etc.
- Steal data with value in the wild – bank logon, credit card info, etc.
- Resell botnet and Malware services – Become a gun for hire. Typically spam distribution of DDoS.
While we still have some number of script kiddies doing mass propagation (think of them as Malware writers in training), the smart attackers have turned it into a profitable business model. When it’s a business model, the code of course has monetary value. This means an attacker will not risk mass propagation of high end Malware code. They are going to sit on it and only use it when there is the potential for a high rate of financial return. So we can’t count on the truly nasty stuff being mass propagated anymore. The stuff you need to worry about most is used in a targeted fashion.
Why does my A/V fail so often?
A couple of problems should be immediately apparent with the above model. To start, because we are black listing bad applications, the assumption is everything else is OK. If we do not have a signature identifying the application as malicious, we assume it is safe to run. This means that all Malware without a signature is free to infect the system. This model also assumes some level of acceptable losses. Typically there is a lag time between when systems get infected and when we get a signature to protect ourselves. This could be hours, days or in some cases even months.
Problems under the hood
One of the biggest issues with A/V software is the signatures. Most of us would not even consider purchasing a NIDS or NIPS which does not provide access to the signatures, but that’s exactly what you get with an A/V system. This leads to little to no sanity checking of signatures within the industry, as well as limited customization capability. For example I have yet to see an A/V vendor give me the ability to let my network administrator group run a password cracking tool from known to be secure machines. If I have any customization capability at all it is a tedious process to get specific applications approved for use, and even then enforcement is limited.
So where do we go from here?
With all these problems, its no wonder that application control (sometimes called application white listing) is starting to replace A/V software as the tool of choice for controlling Malware. I’ll get into application control in part 2 of this post.