February 2008 Issue


The Weakness of Signature Based Detection
By John Safa

Signature-based detection has been used for many years by anti-virus companies. The technique looks for the unique signature of a known malicious file and warns the user when that signature is found.

Signature-based virus detection works by calculating a checksum of a file on disk or in memory. The signature is generated with a hash algorithm such as MD5 or SHA256, which scans through the whole file and produces a unique value for it. Here is an example of the signatures for Notepad, which ships with Microsoft Windows.

MD5: 388b8fbc36a8558587afc90fb23a3b99

SHA256: fefeac4c10bbe237cc6c861229ecaacbd2a366ac4fbd04a3862b62bd7a778093

These signatures are unique to this version of Notepad, but if just one small part of the file changes the values change dramatically. Here are the same signatures after just one byte has been changed:

MD5: bab1784383f9fafc0ce87a6af447a6f2

SHA256: 29ffe776201d1364cde84d50ad2f6427be9696d3b1fafc6cb28e2adbfe232d24

Anti-virus companies have used signatures as one of the core components of virus and Trojan detection for many years.

The early days
In the early 90's there were very few viruses, and the methods by which they could transfer from PC to PC were limited; the floppy disk was the most common method of transfer. Today the majority of PCs are connected to the internet, and this has changed a number of those conditions and made the number of viruses increase dramatically.

In this environment traditional anti-virus companies are having significant difficulty keeping up with the new threats that are coming out. The average user is now expected to download significant updates each week to make sure their machine is protected.

The weakness of traditional anti-virus can be demonstrated by encrypting a known virus with a utility that allows it to decrypt itself as it starts. The modified virus will go undetected because its signature will be different.

This technique can be used over and over again to create new variants of the same virus, which makes the anti-virus product useless at detecting the threat.
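To make the two points above concrete (a one-byte change gives a completely different hash, and a hash blocklist therefore misses any variant), here is an added example that is not part of the original article: it hashes a constructed byte buffer standing in for a program, flips a single bit, and checks both copies against a SHA256 blocklist. The buffer contents, the offset and the function names are assumptions.

```python
import hashlib

# Constructed stand-in for a binary on disk (e.g. notepad.exe); not a real file.
SAMPLE_FILE = b"MZ\x90\x00" + bytes(range(256)) * 4 + b"This program cannot be run in DOS mode.\r\n"


def signatures(data: bytes) -> dict:
    """Signature record as an AV vendor would store it: MD5 and SHA256 hex digests."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def flip_one_bit(data: bytes, offset: int) -> bytes:
    """Return a copy of data with one bit flipped at offset (a one-byte variant)."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


def digest_difference(a: str, b: str) -> float:
    """Fraction of hex characters that differ between two equal-length digests."""
    if len(a) != len(b):
        raise ValueError("digests must have equal length")
    return sum(x != y for x, y in zip(a, b)) / len(a)


def is_known_threat(data: bytes, blocklist: set) -> bool:
    """Pure signature matching: a file is flagged only if its SHA256 is on the blocklist."""
    return hashlib.sha256(data).hexdigest() in blocklist


def demo() -> dict:
    """Show why a hash blocklist misses a variant that differs by a single bit."""
    original = signatures(SAMPLE_FILE)
    variant_file = flip_one_bit(SAMPLE_FILE, 100)  # assumed offset inside the buffer
    variant = signatures(variant_file)
    blocklist = {original["sha256"]}  # the vendor's "known virus" signature list
    return {
        "md5_changed": digest_difference(original["md5"], variant["md5"]),
        "sha256_changed": digest_difference(original["sha256"], variant["sha256"]),
        "original_detected": is_known_threat(SAMPLE_FILE, blocklist),
        "variant_detected": is_known_threat(variant_file, blocklist),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Roughly 15 out of every 16 hex characters differ between the two digests, and the variant is not flagged even though 99.9% of its bytes are identical to the blocklisted file.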

Anti-virus products also use heuristic detection, which allows them to detect various patterns within memory and compare them to what a virus may look like. This causes a number of false positives and doesn't prevent a new zero-day threat.

The biggest issue with signature-based detection is the speed at which A/V companies can update their signature lists. Anti-virus companies have researchers who disassemble and study new viruses. The researchers have to see a virus in the wild and then report back to base before customers' PCs can be updated. This leaves a time period during which new zero-day threats can attack users' PCs.

Why is this happening
  1. Tutorials and material on how to write viruses are much easier to get. Websites such as www.ryan1918.com feature many code snippets for would-be malware authors to learn from or use.
  2. The internet has allowed viruses to spread much faster from PC to PC.
  3. The growth of community websites such as MySpace and Facebook has allowed millions of users to congregate in one location, making dispersal of malicious code much easier.
  4. The use of PCs in the home and workplace by much less savvy users has made the life of malware authors easier, due to the naivety of the victim.

The Future of security
A newer method of preventing attack is to allow only known-good applications access. For example, Microsoft Word can access your documents, but another application will prompt the user for permission. Threats can also be detected by their actions regardless of what they look like: a virus that performs a specific action, such as changing the security settings of a PC, can be detected and blocked.

Security technology can also leverage community-based feedback, so that real-time statistics can be collected on what other users have done.

About the Author:
John Safa is CTO of DriveSentry.

© IMPIRE Communications, LLC All Rights Reserved.  