February 2008 Issue

Inside Current Issue: Cover Story

Anti-Virus Considerations
By Paul Henry

Viruses and worms are hitting with more malicious payloads, spreading and mutating faster than ever—clearly putting a strain on many anti-virus vendors’ ability to effectively respond to new threats.

Historical Perspectives
Before we look ahead, it’s important to look back and understand how the threat landscape has changed. For example, in 2000 the infamous “I Love You” virus spread to more machines than any previous malware. Prior to 2000, according to ICSA Labs, the number of virus-related incidents per 1,000 machines was expected to double every year.

In 2001, we were overwhelmed when Code Red infected 359,000 hosts in just 12 hours, but then SirCam emerged as the year’s biggest outbreak, dominating 50% of all virus reports. Finishing out 2001, Code Red did not even appear on the top 10 lists of most anti-virus providers (despite all the hype surrounding the virus).

In 2003, the SQL Slammer doubled its reach every 8.5 seconds, taking out as many servers as Code Red in only 15 minutes. Further, in a survey using 2003 data from ICSA Labs, the rate of infections on 1,000 machines had grown to 108 infections per site per month. From a speed perspective, however, Sobig.F was the clear leader; at its peak, one in 17 emails on the Internet contained Sobig, according to several estimates.

In 2004, there was a 51 percent increase in the number of new viruses and worms. Interestingly, we were subjected to a rivalry between two virus creators—Bagle and NetSky—each creator releasing ever more dangerous variants while trying to outmaneuver the other. We ended that year with NetSky leading the pack, garnering 22 percent of all infections. And not just one version: over 30 different variants of NetSky were seen. However, looking at speed alone, MyDoom led the way and surpassed the previous year’s Sobig virus. Reportedly 1.2 million copies of MyDoom were detected in the first 24 hours after its release, with the virus-to-email ratio peaking at an estimated one in 12.

In 2005, Sober grabbed the headlines. Some reports suggested that Sober at its peak was responsible for 25 percent to 43 percent of all malicious emails reported. Using the popular malicious-code-to-email ratio, Sober held its own at one in every 13 emails containing the malicious code. Further, security experts claim October 2005 will go down in history as the month with the greatest number of different viruses reported—a whopping 1,685. Also in 2005, the CSI/FBI crime report delivered the bad news that—for the first time ever—losses associated with viruses and malicious code surpassed losses associated with the theft of intellectual property.

The year 2006 began with 19 different email virus threats, four of which were considered massive and included multi-wave attacks of seven different variants. Consumers were at greater risk in 2006 due to anti-virus vendors’ prolonged response times in providing signature updates for their software. According to a report by TamingtheBeast.net, in January 2006 the average response time for anti-virus vendors to release updates was eight hours.

The malware landscape was clearly changing in 2006. Traditional viruses and worms outpaced Trojans by a factor of four to one. Malware writers had shifted from simply doing harm to a user’s PC, as had been typical of earlier threats, to assuming remote control of the PC and incorporating the compromised machine into a botnet.

By 2007, a clear trend had taken hold—Web-borne malware—and it is now showing explosive growth. In January 2007, roughly 5,000 web pages containing downloadable malware were detected on a daily basis; by June 2007 that number had increased to nearly 30,000 malware-loading web pages detected daily.

Web-borne malware is poised to largely replace traditional email delivery methods. Email-borne malware will not go away completely, however; in fact, in the first half of 2007 more powerful variants of old malware appeared. For example, the NetSky Trojan, which first appeared in 2004, reappeared briefly in 2006, and reappeared again to reach the Number 1 position in the top 10 virus list for March, April, May and June of 2007.

Regardless of the many perspectives we may draw from this historical data, we can all agree on two things:
  1. We have gone from single instances of viruses and worms that took weeks or months to inflict measurable damage, to malware that spreads within hours or minutes and quickly evolves into hundreds of variants—each more malicious than the last. The pressure on anti-virus vendors will continue as malware becomes extremely difficult to identify and block.
  2. We are shifting from the traditional email delivery vehicle for malware to one using compromised web servers to deliver web-borne malware. The delivery methodology is further complicated through the use of encoding and obfuscation techniques that have proven effective in preventing detection by traditional anti-virus products.

Most vendors would like us to believe that staying safe is as simple as keeping our anti-virus software up-to-date. However, looking at the historical data, the time required for vendors to respond is lagging dramatically and increasingly leaves considerable “windows of opportunity” for exposure.

Response Time Performance
In February 2003, VirusTRN published a report covering 15 anti-virus products and the W32/Sober.c worm. It showed vendor response times ranging from a minimum of 10 hours and 20 minutes to a maximum of 55 hours and 35 minutes. Keep in mind that in the same time frame we were seeing other viruses whose distribution was doubling in size every 8.5 seconds, and yet other viruses that were appearing in 1 of every 17 emails. Not a comforting thought when you consider that the window of opportunity for the above event ranged from 10 hours and 20 minutes to 55 hours and 35 minutes.

Examining 2005 Bozari.B virus data from AV-Test.org, in a field of 40 vendors’ anti-virus products, we saw a welcome change: Seven vendors were able to detect the virus proactively without having to receive an update at all. However, for the balance of vendors, the story remained the same: The reported range of response times varied from a minimum of 1 hour and 6 minutes to a maximum of 40 hours and 8 minutes.

Looking at the Zotb.B virus in 2005, also from the AV-Test.org report, in a field of 37 anti-virus vendors, again seven were able to catch the malicious code without having to receive an update, and the balance of vendors had response times ranging from a minimum of 1 hour and 5 minutes to a maximum of 63 hours and 29 minutes. However, only three of these seven vendors were among the seven that had previously caught Bozari.B without requiring an update.

By 2007 one would have thought that anti-virus malware detection capability would have advanced to the point where vendor response in terms of signature updates would no longer be a necessary consideration in keeping a network secure. Unfortunately that is not the case: a May 2007 test by AV-Test.org, published by PC Magazine, showed that traditional anti-virus vendors were still failing to effectively protect their customers from malware threats. In fact, the worst offender captured only 62.12% of the malware used in testing, and the average detection rate for the 29 anti-malware products was only 86.95%. While 86.95% might sound like reasonable protection, consider that the test used a total of 606,901 malicious files; a product that catches 86.95% of them still leaves you exposed to over 79,000 pieces of malware.

Simply put, traditional anti-virus technology has clearly failed to advance and is leaving clients dangerously exposed to today’s malware threats.

Different Approaches to Anti-Virus
Signature-based anti-virus
Signature-based anti-virus is the most dated technology. It’s an exact science that produces definitive results—either the file matches a known signature or it doesn’t. One of the big advantages of signature-based anti-virus is speed: it takes fewer CPU cycles to compare code against known signatures. While this is no longer advanced technology, it has enjoyed renewed popularity as a component of all-in-one security suites because it minimizes performance impact.

Since signature-based anti-virus only offers strong protection against known threats, it is not effective—at least not immediately—against new variants and offers very low protection against the newest Web-borne threats. Signature-based anti-virus is fully dependent upon a vendor’s ability to react quickly, develop signatures for new threats, and then release them to users.

Advanced signature-based anti-virus
In order to better protect against variants of known threats, vendors have improved upon traditional signature-based anti-virus by reducing the signature of a known threat down to a smaller segment of malicious code. This methodology, however, really only provides the probability of a threat and thus is prone to false positives. Lastly, it suffers from the same problem mentioned earlier: new threats have no known signature, hence no real protection from new, unknown threats.

A clever approach for traditional and advanced signature-based anti-virus deployments is to use multiple products connected in series. This can reduce the maximum window of opportunity, as the potentially infected code is inspected by each product, one after the other. If any vendor finds a signature match, the code is flagged as malicious and appropriate action is taken. This methodology reduces the risk of, and dependency on, one vendor’s ability to handle any given threat.
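As an added illustration (not code from the article, and not a product of Secure Computing or any vendor named here), the following Python models the three deployments just described: an exact full-file signature engine, an advanced segment-signature engine, and the two connected in series. The sample files, the hash database and the code segment are constructed for the demo; what it shows beyond the text is that a series deployment inherits every engine's false positives along with their detections, and that its window of opportunity is the fastest vendor's response time.

```python
import hashlib

# Constructed samples (not real malware): a "known" worm body, a one-byte
# variant of it, and a benign tool that happens to share the short segment.
KNOWN_WORM = b"MZ\x90\x00copy-self-to-%APPDATA%;mail-all-contacts"
VARIANT = KNOWN_WORM.replace(b"mail-all", b"mail-ALL")
BENIGN = b"MZ\x90\x00backup tool: copy-self-to-%APPDATA% for portability"

# Traditional signature database: full-file hashes of known samples.
EXACT_SIGS = {hashlib.sha256(KNOWN_WORM).hexdigest()}
# "Advanced" signature: a shorter segment of code taken from the known family.
SEGMENTS = [b"copy-self-to-%APPDATA%"]


def exact_signature_engine(data):
    """Traditional signature-based AV: definitive, but only for exact matches."""
    return hashlib.sha256(data).hexdigest() in EXACT_SIGS


def segment_signature_engine(data):
    """Advanced signature-based AV: matches a segment, so it catches variants
    but only expresses a probability and can flag benign files too."""
    return any(seg in data for seg in SEGMENTS)


def series_scan(data, engines):
    """Products connected in series: flagged if ANY engine matches, so the chain
    is as fast as its fastest vendor and as noisy as its noisiest one."""
    return any(engine(data) for engine in engines)


def classify(data):
    """Run one sample through each deployment and report the verdicts."""
    engines = [exact_signature_engine, segment_signature_engine]
    return {
        "exact": exact_signature_engine(data),
        "segment": segment_signature_engine(data),
        "series": series_scan(data, engines),
    }


def series_exposure_window(vendor_response_hours):
    """Window of opportunity for a series deployment: time until the first
    vendor in the chain ships a signature, i.e. the minimum response time."""
    return min(vendor_response_hours)


if __name__ == "__main__":
    for name, sample in (("known", KNOWN_WORM), ("variant", VARIANT), ("benign", BENIGN)):
        print(name, classify(sample))
    # Constructed vendor response times in hours, in the spirit of the ranges quoted above.
    print("series window (h):", series_exposure_window([40.1, 1.1, 12.5]))
```

The benign sample is flagged by the segment engine and therefore by the whole chain, which is the false-positive cost of the series approach that the text mentions for advanced signatures.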

Sandboxing-based anti-virus
Rather than relying upon signatures, sandboxing actually provides a mechanism for running the potentially malicious code in an isolated environment (some form of virtual machine). It is more effective than signature-based anti-virus but can still be fooled by a smart malicious code programmer who does a sufficient job of hiding the code’s malicious intent. For example, they might encrypt the malicious actions of the program within the data section of the code, to be “unveiled” and applied against the host later.

However, there is a serious tradeoff between performance and protection, as software using the sandbox methodology can consume significantly more processor cycles and considerably more of a host’s physical memory than signature-based anti-virus.

Passive heuristics-based anti-virus
Passive heuristic anti-virus methodology does little more than advanced signature-based anti-virus. The vendor establishes a library of code segments that are rated “highly probable” of being malicious. It then searches code for those segments. If found, the subject is treated as malicious and appropriate action is taken.

While faster than sandboxing and perhaps more effective than traditional signature-based anti-virus, passive heuristic-based anti-virus can still be easily tricked by knowledgeable programmers. They can use encryption, run-time packers, polymorphism, or a combination of methods. Also, when passive heuristics are used as the exclusive protective mechanism, they are known to sometimes produce high false positive rates, which in itself can be a troublesome issue.

Advanced heuristics-based anti-virus
Advanced heuristic anti-virus methodologies can vary dramatically by vendor. However, they share this in common: typically they deploy a combination of methods—signature-based anti-virus, advanced signature-based anti-virus, and perhaps a modified version of traditional sandboxing. They employ “reasoning” based on past known events (in the form of signature scanning and by executing specific portions of potentially malicious code in an isolated environment or virtual machine) and also afford what is referred to as “theoretical reasoning” based upon algorithmic code analysis.

This methodology is capable of providing good protection from known and unknown (zero-day) code. It also offers a more acceptable false positive rate. And while slower than a pure signature-based approach, it provides better performance than a traditional sandbox approach. However, the advanced heuristic anti-virus methodology still requires regular updates in order to proactively defend against evolving threats.

Pre-scanning-based anti-virus
A novel approach has been used to combine methodologies. Called “pre-scanning,” the idea builds upon sandboxing with a three-way approach that verifies digital signatures. In so doing, it blocks any untrusted program code; screens and blocks any suspicious code based on its potential behavior; and filters out potentially harmful code that tries to exploit vulnerabilities on the client. It does this by:
1. Examining any ActiveX controls and Java applets for digital signatures, and verifying that the signed data has not been altered since the signature was applied and whether an untrusted authority signed them.

2. Performing a heuristic analysis that looks for certain instructions or commands within a program that are not found in typical application programs. Potential function calls are iterated regardless of the actual program flow, and known functions are classified based on a given set of rules. Further, in a process akin to fingerprint analysis, digital signatures are checked against a library of previously examined safe ActiveX controls for comparison.

3. Scanning and filtering out any remaining “suspects”: scripts that try to exploit vulnerabilities on the client. The scripts themselves may not be malicious, but they may be potential enablers for injecting or executing further malicious code. Detecting and filtering such scripts interrupts the distribution of any malicious payload to the clients.

Which anti-virus is right for you?
The answer depends on your application. Most enterprise environments today are facing both internal and external threats, so anti-virus is being applied in a multi-layer architecture. External Internet threats are mitigated at the gateway (or a server near the gateway), while internal threats are thwarted at the desktop.

As in any multi-layer approach, best practices normally dictate using disparate technologies from different vendors in order to reduce the risk of a “single point of failure” on one layer being carried over to another. Others, however, argue that since you are really talking about addressing two independent sets of threats, perhaps the best solution is to use the best available technology for the gateway and for the desktop respectively.

Where’s the market going?
The arms race between malicious code writers in the black hat community and the teams working in anti-virus vendor labs will simply continue. Occasionally, vendors will catch up and the windows of exposure will be reduced. Things will be quiet for a period of time and then BAM! …the bad guys, thinking out-of-the-box, will find new methodologies that deploy their code faster and perhaps in stealthier manners that allow them to do more damage to a wider user base in a shorter period of time. And anti-virus vendors will again scramble to catch up.

As this cycle continues, more and more anti-virus users will abandon signature-only solutions and eventually move to more current technologies such as advanced heuristics that at least somewhat limit their complete dependence on a given vendor’s ability to respond to new threats.

Organizations, however, need to take a lead from the bad guys and apply some out-of-the-box thinking to their anti-virus and malware defenses.

Using reputation technology to complement existing security defenses breaks the arms race. It enables advance blocking of IP addresses, URLs, domains, messages, images and other content based on real-time behavior. For example, if these web entities or messages are behaving differently or erratically, that behavior impacts their reputation score, and a poor score indicates that allowing them would expose the network to unnecessary risk.

Reputation-based technologies have already proven their worth by eliminating as much as 80 percent or more of spam entering a network, simply by looking at the sender’s reputation score. They are poised to offer measurable risk mitigation in the future, combating both email- and web-borne malware.

About the Author:
Paul A. Henry is Vice President of Technology Evangelism for Secure Computing Corp.

© IMPIRE Communications, LLC All Rights Reserved.