The trouble with anti-virus

Sobig and Blaster epidemics expose scanner problems

Analysis Traditional techniques aimed at stemming the flood of viruses and worms are failing to keep pace with the rise in malicious code.

Users have known this for years - at least intuitively. Even vendors admit - at least privately - that there's an issue. Now, for the first time, there's research to back up this gut instinct.

The research, carried out at Hewlett-Packard's research labs in Bristol, analysed the effectiveness of the signature update approach to virus detection and elimination against a computer model designed to mimic viral spread. The model showed that the signature update approach is fundamentally flawed, simply because worms can spread faster than anti-virus signature updates can be distributed.

Even if AV vendors produce an antidote to a virus as soon as it appears, the model breaks down because of the time it takes deliver a fix to desktops. Within this "window of vulnerability" a worm can take hold, HP researcher Matthew Williamson concludes.

Williamson's research (explained in more detail in this week's New Scientist) is due to be presented at AV industry's annual showpiece conference, Virus Bulletin, in Toronto later this month.

Immunity is illusory

For real-life validation of HP's research we need look further than the rapid spread of the Sobig-F and Blaster worms last month - to say nothing of the prolific Slammer worm earlier this year.

The value in HP's research lies in showing that people can get infected with fast-spreading viruses even when they regularly update signature-based anti-virus detection tools.

In fairness to AV vendors, they do say their software is only one part of a comprehensive security policy which (these days) should include filtering email at the enterprise gateway and keeping patches up to date.

But that's only part of the answer because such an approach still leaves home users exposed to fast-spreading worms. If a substantial minority of them get infected, the Internet gets swamped with useless traffic or flooded with viral email. And this viral email is a nuisance even for people using systems (Linux, Apple, OS/2 and Unix) immune to the original viral infection.

Who cares about improving product - when the share price is soaring?
So there's a problem - but one that the mainstream AV industry has no financial incentive to solve. Quite the opposite, in fact. The worse things become the rosier the financial future looks for AV vendors, at least in the short term.

A survey by market analysts IDC out this week predicts that anti-virus software market will grow from $2.2 billion last year to $4.4 billion in 2007.

IDC believes "increasing consumer knowledge regarding attacks" (read publicity regarding the Blaster, Nachi and Sobig worms) and the rise in monthly subscription renewals for virus protection are driving growth in the market.

AV gravy train heading for derailment?
But buried in IDC's report there's a sting in the tail for AV vendors.

The analyst notes that many organisations are adopting a "layered security" approach that combines technologies such as desktop anti-virus, server and gateway anti-virus, content filtering, and proactive techniques such as behaviour analysis and heuristics to combat viruses.

"IDC believes traditional signature-based anti-virus technologies and behaviour-based analysis technologies will increasingly be used together, allowing for a greater degree of accuracy in detecting known and unknown threats," it reports.

Change control

AV vendors are very good at bashing behaviour-blocking technologies, saying they generate false positives or are hard to implement, but they should be concerned. Behaviour-blocking technologies are being repositioned as intrusion prevention systems and have been backed by major players like Cisco and a raft of smaller start-ups.

Intrusion prevention vendors have learnt the lesson from user criticism about false positives from intrusion detection systems. And, unlike AV tools, intrusion prevention technology has the potential of blocking zero-day exploits.

The AV industry is profoundly conservative, which has suited it well in the past. But if major players don't alter their posture they could find their products relegated to disinfection tools with intrusion prevention technologies and managed services that scan email for infectious content occupying the front line against malicious code.

Firms, like Avecho, looking to develop alternatives to traditional scanning technology, are highly critical of traditional AV vendors.

Nick Scales, chief executive of Avecho, says: "Current AV does not protect against new items or worm/Trojans such as SQL Slammer or Blaster. They fundamentally are not designed to do this."

The company, which also runs the managed email services, has developed a technology called GlassWall that protects against malicious code without the need for signatures updates, essentially by parsing traffic through a system that removes viruses from Internet traffic.

Avecho GlassWall is available for license but traditional AV providers are not prepared to talk to Avecho, which Scales presents as evidence that they are deliberately failing to grasp to nettle and look for a better solution to the viral problem. He contrasts this stance with the more favourable response he has received from networking suppliers about the possibility of embedding Avecho's technology in silicon.

Revolution or evolution?
Firms like Avecho, MessageLabs and Cisco (which bought behaviour blocking firm Okena earlier this year) are calling for a fundamentally different approach to how we fight malicious code. However, there are those who believe evolution rather than revolution is the best way forward.

Peter Tippett, CTO at the ICSA Labs research division of TruSecure, which validates AV products at part of its security testing programme, argues that simple steps can make existing infrastructures far more secure.

"If companies apply file filtering to block infectious attachments and change Outlook so that it points at the restricted zone we reckon the risks of getting infected can be reduced by a factor of 20. We've advised this for years," he told The Register.

According to Tippett, the Sobig virus caused less disruption to businesses then the Lovebug, and Blaster was roughly equivalent to Code Red. However, overall, virus and worm infections have grown 11 per cent a year, according to TruSecure.

Some Reg readers had urged a change in the way email works as a comprehensive means of dealing with the viral scourge. Tippett, pointing out that the IETF moves at a glacial pace, is dismissive of this idea. He is also far more cautious than others we've spoken to about the potential of behaviour-blocking technologies. However, he readily concedes our point that AV products are as useful as a chocolate teapot in dealing with fast-spreading worms.

Tippett said: "You'll never catch zero-day exploits with AV and intrusion detection products by using more rapid updates. AV products don't deal with and never will deal with first day viruses."

"Ringing the bell after the torpedo hits doesn't make you more secure," he added. ®

Related stories

Why Sobig is bad for privacy and AV vendors
AV bigwigs weigh in on Sobig debate
Blaster rewrites Windows worm rules
US warns nuke plants of worm threat
Sobig second wave attack fails to strike
Sobig-F is fastest growing virus ever - official
Why spammers lurve the 'Microsoft support' worm (Sobig-A)
Virus writers outpace traditional AV
AV vendors sell 'blunt razor blades'
Is it a worm, a virus, or a trojan?
US Reps question anti-virus companies' integrity

Other stories you might like

  • Cheers ransomware hits VMware ESXi systems
    Now we can say extortionware has jumped the shark

    Another ransomware strain is targeting VMware ESXi servers, which have been the focus of extortionists and other miscreants in recent months.

    ESXi, a bare-metal hypervisor used by a broad range of organizations throughout the world, has become the target of such ransomware families as LockBit, Hive, and RansomEXX. The ubiquitous use of the technology, and the size of some companies that use it has made it an efficient way for crooks to infect large numbers of virtualized systems and connected devices and equipment, according to researchers with Trend Micro.

    "ESXi is widely used in enterprise settings for server virtualization," Trend Micro noted in a write-up this week. "It is therefore a popular target for ransomware attacks … Compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices."

    Continue reading
  • Twitter founder Dorsey beats hasty retweet from the board
    As shareholders sue the social network amid Elon Musk's takeover scramble

    Twitter has officially entered the post-Dorsey age: its founder and two-time CEO's board term expired Wednesday, marking the first time the social media company hasn't had him around in some capacity.

    Jack Dorsey announced his resignation as Twitter chief exec in November 2021, and passed the baton to Parag Agrawal while remaining on the board. Now that board term has ended, and Dorsey has stepped down as expected. Agrawal has taken Dorsey's board seat; Salesforce co-CEO Bret Taylor has assumed the role of Twitter's board chair. 

    In his resignation announcement, Dorsey – who co-founded and is CEO of Block (formerly Square) – said having founders leading the companies they created can be severely limiting for an organization and can serve as a single point of failure. "I believe it's critical a company can stand on its own, free of its founder's influence or direction," Dorsey said. He didn't respond to a request for further comment today. 

    Continue reading
  • Snowflake stock drops as some top customers cut usage
    You might say its valuation is melting away

    IPO darling Snowflake's share price took a beating in an already bearish market for tech stocks after filing weaker than expected financial guidance amid a slowdown in orders from some of its largest customers.

    For its first quarter of fiscal 2023, ended April 30, Snowflake's revenue grew 85 percent year-on-year to $422.4 million. The company made an operating loss of $188.8 million, albeit down from $205.6 million a year ago.

    Although surpassing revenue expectations, the cloud-based data warehousing business saw its valuation tumble 16 percent in extended trading on Wednesday. Its stock price dived from $133 apiece to $117 in after-hours trading, and today is cruising back at $127. That stumble arrived amid a general tech stock sell-off some observers said was overdue.

    Continue reading
  • Amazon investors nuke proposed ethics overhaul and say yes to $212m CEO pay
    Workplace safety, labor organizing, sustainability and, um, wage 'fairness' all struck down in vote

    Amazon CEO Andy Jassy's first shareholder meeting was a rousing success for Amazon leadership and Jassy's bank account. But for activist investors intent on making Amazon more open and transparent, it was nothing short of a disaster.

    While actual voting results haven't been released yet, Amazon general counsel David Zapolsky told Reuters that stock owners voted down fifteen shareholder resolutions addressing topics including workplace safety, labor organizing, sustainability, and pay fairness. Amazon's board recommended voting no on all of the proposals.

    Jassy and the board scored additional victories in the form of shareholder approval for board appointments, executive compensation and a 20-for-1 stock split. Jassy's executive compensation package, which is tied to Amazon stock price and mostly delivered as stock awards over a multi-year period, was $212 million in 2021. 

    Continue reading
  • Confirmed: Broadcom, VMware agree to $61b merger
    Unless anyone out there can make a better offer. Oh, Elon?

    Broadcom has confirmed it intends to acquire VMware in a deal that looks set to be worth $61 billion, if it goes ahead: the agreement provides for a “go-shop” provision under which the virtualization giant may solicit alternative offers.

    Rumors of the proposed merger emerged earlier this week, amid much speculation, but neither of the companies was prepared to comment on the deal before today, when it was disclosed that the boards of directors of both organizations have unanimously approved the agreement.

    Michael Dell and Silver Lake investors, which own just over half of the outstanding shares in VMware between both, have apparently signed support agreements to vote in favor of the transaction, so long as the VMware board continues to recommend the proposed transaction with chip designer Broadcom.

    Continue reading

Biting the hand that feeds IT © 1998–2022