MoMusings

Thursday 3rd August, 2006

Is Anti-Virus Software ‘Past Its Sell By Date’?

Filed under: All, Malware, Stats

I decided to write this entry after watching the fall-out from a statement made by Graham Ingram [the general manager of the Australian Computer Emergency Response Team (AusCERT)] on the 19th of July 2006 at a security event hosted by MessageLabs.

To say that his statement that anti-virus products “don’t work”, and his claim that if you are running anti-virus then “eight out of 10 pieces of malicious code are going to get in”, are somewhat dramatic is an understatement.

His reasoning for this last statistic is “What is happening is that the bad guys, the criminals, are testing their malicious code against the antivirus products to make sure they are undetectable.” Part of his defence for his view is that, in his own words, “We are getting code of a quality that is probably worthy of software engineers. Not application developers but software engineers”.

So, how many of you out there are wondering: is he right and, if so, what can we do about it?

Now I’m sure that some of these quotes from Mr Ingram have been taken out of context by the various articles published since the security event, such as the following quote: “eight out of 10 pieces of malicious code are going to get in”. Does he really mean that 80 percent of malware is not being detected by anti-virus software? I hope not, and I seriously doubt it, as other more reliable sources claim that the quote relates to new [unknown] malware rather than existing malware which has been around for weeks, months or years and is already detected by anti-virus software.

However, if you look at the statistics from a number of surveys and at my own sample capture statistics, you might be forgiven for thinking that ‘Anti-Virus’ is past its sell by date and useless. That is, until you are made aware that the core reason for lots of computers being infected by malware that is already detected by anti-virus software is ‘WetWare’ failures [the human behind the keyboard]. What those users are not doing is updating their protection, sometimes for 2 or more years, or they have disabled the anti-virus to stop it slowing down their computer. I’ve blogged about this issue before.

So, is 80 percent of new malware getting past anti-virus products? To best answer this let me state the following:

  • Traditional anti-virus is a mostly reactive solution; in other words, in most cases if the anti-virus doesn’t yet know about the malware then it can’t detect it.
  • Modern anti-virus products use many techniques to augment the traditional methods, such as Heuristics, Behaviour Blocking, Hashing, Sandboxing, Emulation and so on. These help to make modern anti-virus solutions more pro-active and able to detect some new malware without an update [signature or engine].
  • Now add in anti-spyware, anti-rootkit, anti-stealth, personal firewall, buffer-overflow protection, personal IDS/IPS and anti-tamper features, and the level of pro-active protection increases further.
  • However, there is NO 100 percent solution to the malware problem, not even if you use a Mac or a *NIX based system.

OK, on to the answer; let me use a modified version of the quote often attributed to P.T. Barnum:

“You can fool some anti-virus all of the time, all anti-virus some of the time, but you can’t fool all anti-virus all of the time.”

In other words, if you use a multi-layered, multi-vendor, defence in depth approach to the problem [including practising Safe-Hex], then the window of opportunity for new malware is pretty small, not quite closed, but almost so.
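As an added illustration of the layered model in the list above and of the defence in depth point (this is my own example, not code from the post or from any anti-virus product; the sample “files”, the signature databases, the suspicious API list and the thresholds are all constructed for the demonstration), here is a toy scanner with one reactive layer (a hash signature database) and two pro-active layers (a string heuristic and a byte-entropy heuristic). A file is flagged if any layer fires. It shows the two failure modes discussed above: a known sample is missed by the signature layer when the database is stale but still caught by a heuristic, and a brand new sample with no signature anywhere is caught only by the entropy layer.

```python
import hashlib
import math

# --- Constructed sample "files" (byte strings); none of these is real malware. ---
# A known sample: a low-entropy, PE-like blob that carries strings a string
# heuristic would treat as suspicious (process-injection API names).
KNOWN_SAMPLE = (b"MZ" + b"\x00" * 62
                + b"This program cannot be run in DOS mode.\r\n"
                + b"CreateRemoteThread\0WriteProcessMemory\0VirtualAllocEx\0"
                + b"\x00" * 256)

# A "new" sample that nobody has a signature for yet: a pseudo-random body
# standing in for a packed/encrypted payload (high entropy), built deterministically.
NOVEL_SAMPLE = b"MZ" + b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

# An ordinary document: low entropy, no suspicious strings, no signature.
BENIGN_SAMPLE = b"Quarterly newsletter: the gardening club meets on Tuesday.\r\n" * 8


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Layer 1: reactive signature database (hash -> detection name). The "current"
# database knows KNOWN_SAMPLE; the "stale" one models a user who has not updated
# for a long time, so the very same file is simply unknown to it.
CURRENT_SIGNATURES = {sha256_hex(KNOWN_SAMPLE): "Constructed.Test.A"}
STALE_SIGNATURES = {}

# Layer 2: string heuristic. Two or more of these API names in one file is
# treated as suspicious (a deliberately simple stand-in for real heuristics).
SUSPICIOUS_APIS = [b"CreateRemoteThread", b"WriteProcessMemory", b"VirtualAllocEx"]
HEURISTIC_THRESHOLD = 2

# Layer 3: entropy heuristic. Plain code and text sit well below 7 bits per
# byte; packed or encrypted bodies approach 8.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def signature_hit(data: bytes, sig_db: dict) -> bool:
    """Reactive layer: only files already in the database are detected."""
    return sha256_hex(data) in sig_db


def heuristic_hit(data: bytes) -> bool:
    """Pro-active layer: enough suspicious API names present in the file."""
    found = sum(1 for api in SUSPICIOUS_APIS if api in data)
    return found >= HEURISTIC_THRESHOLD


def entropy_hit(data: bytes) -> bool:
    """Pro-active layer: body looks packed or encrypted."""
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def scan(data: bytes, sig_db: dict) -> dict:
    """Run every layer; the file is detected if ANY layer fires (defence in depth)."""
    verdict = {
        "signature": signature_hit(data, sig_db),
        "heuristic": heuristic_hit(data),
        "entropy": entropy_hit(data),
    }
    verdict["detected"] = any(verdict.values())
    return verdict


def any_engine_knows(data: bytes, engine_dbs: list) -> bool:
    """Multi-vendor view: a signature hit in at least one vendor's database."""
    return any(signature_hit(data, db) for db in engine_dbs)


if __name__ == "__main__":
    for name, sample, db in [
        ("known / current db", KNOWN_SAMPLE, CURRENT_SIGNATURES),
        ("known / stale db", KNOWN_SAMPLE, STALE_SIGNATURES),
        ("novel / current db", NOVEL_SAMPLE, CURRENT_SIGNATURES),
        ("benign / current db", BENIGN_SAMPLE, CURRENT_SIGNATURES),
    ]:
        print(f"{name:20s} entropy={shannon_entropy(sample):.2f} {scan(sample, db)}")
```

The design choice worth noting is that the layers are combined with OR, so each additional independent layer can only shrink the set of files that slip through; the cost, as with real heuristics, is that the thresholds have to be tuned against false positives on legitimate compressed or encrypted files.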

Ingram’s quote regarding the quality of malware is interesting, although hardly breaking news, as the creation of malware has moved from the hobbyist to professional programmers and is now almost solely driven by professional criminal gangs; this has been going on for at least two years.

Malware writing is now a business, not a game for the stereotypical spotty, socially awkward youths. They used to be interested in infamy, peer recognition and the intellectual challenge[1], or so they tried to convince us. In fact the vast majority were no better than the electronic equivalent of vandals, bullies and cowards hiding behind their ‘l33t’ handles and pseudonyms.

So, is the sky really falling? No, this is just the latest twist in the arms race that has gone on between malware authors and anti-malware researchers since the beginning of the problem. The difference is that the good guys, who have always been professional programmers, are now facing a foe which is no longer, to a large extent, hobbyists and wannabes with the occasional semi-professional developer thrown into the mix. They are now on a level playing field, as the new breed of malware authors are better programmers and are being paid by organised crime gangs to produce their wares. In other words, malware authorship has now come of age and found a career waiting for it with open arms and piles of cash.

As to the vast quantities of new malware, the truth is that for the first six months of 2005 we saw 25 new ones each and every day; for the same period in 2006 we saw 28 new ones. Hardly a massive growth!

And on the level of complexity of malware: yes, they are getting more complex, but it has always been easier to create malware than anti-malware; the bad guys only have to get lucky once to infect your system, whereas the anti-malware has to get lucky every time. In other words, a targeted attack is quite likely to succeed unless your protection can mitigate every possible attack vector and methodology, and this will be very expensive, at least computationally. Remember that your security is only as good as your weakest link, and unfortunately that is usually the person behind the keyboard.

Likewise, Ingram’s statement that the bad guys are testing their creations against anti-virus software to make sure they are not detected is also not breaking news. If he had been involved in this arena as long as some of us, he would know that this has been going on almost since the start of the malware problem.

This move from ‘for-fun’ to ‘for-profit’ malware authorship means that the anti-malware researchers and developers we have must work harder and longer, and think even more ‘outside-the-box’ than they do now. We also need to find and train more good guys to help in the fight before those we already have are outnumbered, surrounded and down to their last bullet! Hopefully this scenario will never come to pass.

Links:

[1] In reality malware authors come from all age groups; females also wrote malware, not just males, and some were also socially adept.


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.