Antivirus industry struggles to keep up

A very interesting read by IHT/ NYT

www.nytimes.com/2013/01/01/technolo...ftware-to-catch-malware-more-effectively.html

"A new study by Imperva, a data security firm in Redwood City, Calif., and students from the Technion-Israel Institute of Technology is the latest confirmation of this. Amichai Shulman, Imperva’s chief technology officer, and a group of researchers collected and analyzed 82 new computer viruses and put them up against more than 40 antivirus products, made by top companies like Microsoft, Symantec, McAfee and Kaspersky Lab. They found that the initial detection rate was less than 5 percent. "

Mikko H. Hypponen, chief researcher at F-Secure, called Flame “a spectacular failure” for the antivirus industry. “We really should have been able to do better,” he wrote in an essay for Wired.com after Flame’s discovery. “But we didn’t. We were out of our league in our own game.”

and happy new year to all !

 

There is money to be made both attacking and defending. Also money to be saved, for ordinary users at least, with layered approach.

 

Flame was and is an entirely different game, to be fair to the industry. When nations create cyber weaponry to attack other nations, they're doing everything possible to avoid detection by more than just the Nortons of the world. These aren't Russian hackers sitting in WiFi cafes, these are well paid, top notch government employees with government budgets. To be detected by anything is an embarrassment of those governments, and to not be isn't necessarily a bad mark against the AV industry. As to keeping up in general, of course they can't. However, the silver lining is that most "new" malware is a rehash of old variants and techniques. There are only so many ways a system can be attacked.

 

The fact that only 5% was detected gives me pause regarding their methodology.

It seems like it's becoming trendy to perform an amateur test and write an article declaring AV software (on the whole) a failure.

 

Same old story and it shouldn't come as a surprise. See this:

80% of new malware does what to antivirus?

The author of that post is Kurt Wismer. The guy has written fairly good counter-arguments to the notion that "anti-virus is dead" or "antivirus is falling behind".

the anti-av revolt
bad really is in the minority
the myth of what anti-virus is

When it comes to the subject of AVs, apart from Kurt (who is a proponent of AV), I'd say that Marcus Ranum and Bruce Schneier have made interesting points (although they don't share the same views) on the topic...

Face-off: Is antivirus dead?

My thoughts on the subject:

AVs are just 1 part of the solution. I wouldn't go as far as calling them 'dead'. If I had to, I'd say it is 'dead' only if we're talking of it being a 1st-line defense (prevention). On the other hand, blacklisting technology remains useful for the purpose of detection and things like heuristics and behavior-blocking provides an extension to that. There will always be a need to differentiate between what's good and what's bad and AVs are a good candidate for the job.

Other technologies such as whitelisting, sandboxing, light virtualization and HIPS are nothing new and focus more on preventing persistence. As such, employing one of these is recommended. Take note though that each has it's own pros and cons too. There's no be-all and end-all solution.

 

But this is the role in which they tend to be emphasized (i.e. real-time protection).

I think the more serious issue here though is that there's no effective novice-friendly security solution, at least AFAIK. Reasonable computer security shouldn't require tons of arcane geek lore.

Of those, sandboxing is the only sensible one for end users (and not the way Sandboxie does it). Whitelisting and light virtualization are inconvenient, and at this point I would never ever recommend a HIPS to a novice - too easy to mess up, and it would just give him or her a false sense of security.

Also, too much security software can really bog a machine down...

 

To be fair, I said "if I had to"

Now, AVs can be said to be 'dead' when it comes to prevention. It's 1 of the reasons why I stopped using real-time AV. That said, I acknowledge that prevention (while ideal) isn't the only mean to protection. Detection has a role to play. I guess that somewhat differentiates me from the strictest of the "no-AV" crowd.

Technically, real-time AVs do provide real-time protection, considering that it doesn't just do signature blacklisting. Real-time AVs (or rather AMs) also uses AI (artificial intelligence) techniques.

Even with all these, it won't give you a 100% - that's an obvious limitation.
Needless to say, most will probably have 90++ % rate of detection - it sure may not be the most 'effective' but it has its merits.

I personally think that this is the closest thing you can get as far as "novice-friendly security solution" goes. Even with little knowledge, they can use the technology. Download, install and make sure the AV updates. Aside from a few possible config changes and upgrades, it's mostly a install-and-forget.

With all of that being said, I can argue the entire opposite and say why real-time AVs can be "useless".

I agree to some extent but it all boils down to user preference and comfort. Whatever rocks your boat...

 

There is a lot of value in preventing known malware from executing. A lot. Therefore, AV software is an important part of security. It's not sexy or cutting-edge to prevent the Conficker worm from executing, but there are zero legitimate reasons to NOT stop it with AV. It would just be stupid to let the blacklisted malware execute because you disabled AV.

The problem comes in with keeping ahead of the bad guys. Modern malware is written to defeat AVs, therefore the detection rates for new malware is just pathetic. IMO AV vendors need to build in far better heuristics- they need to be executing all sorts of iffy .exe files in hundreds of vms to identify new stuff ASAP. They need to move away from the blacklist approach because that has been proven to SUCK at keeping up with the bad guys. Or use the whitelists and then add a dynamic real-time program analyzer to detect malicious activity. For instance, there is no reason whatsoever for a Nessus scan to be launched from a remote address on your computer. An AV should be able to detect that and at least ask the user "hey, did you initiate a vulnerability scan on your computer? If not then we're going to shut down the process that called it because someone is trying to own you."

But I guess that HIDS and NIDS, isn't it? I guess I feel like if AV vendors are going to sell themselves as the be-all and end-all of security products for the average home user, then they need to step up their game and suck a lot less.

edit: blacklists, not whitelists. derp.

 

A better evaluation would be that blacklisting was not the proper method of preventing this attack.

There were two parts to the Flame attack.

1)

Analysis Reveals Flame Malware's Process Injection Tricks
http://threatpost.com/en_us/blogs/analysis-reveals-flame-malwares-process-injection-tricks-081312

The .ocx file is a portable executable, like .cpl, .exe, .dll, .sys, .scr, .drv.

As such, if the user's executables already installed are Whitelisted, then Flame's .ocx module cannot load. Here, I downloaded an .ocx file zipped, and then attempt to extract the file to disk, at which point it is blocked because not on my Whitelist:



2)

Flame Attackers Used Collision Attack to Forge Microsoft Certificate
https://threatpost.com/en_us/blogs/...ion-attack-forge-microsoft-certificate-060512

The reasons that this part of Flame was successful is that it targeted organizations whose security was not up to preventing the execution of the original infection vector.

I've discussed this with some system administrators, and the concensus is that preventative solutions are available, but not often convenient.

In many cases, the individual home user is better protected than some organizations!

----
rich

 

And they will be against malware like this because it isn't aimed at them. However, the problem will always lie in the fact that once malware reaches its target, it'll go where ever it gets transported to via user or network. Unlike Stuxnet, Flame didn't have a specific setup in mind, just a general area of the world.

@Brandi: I too agree that known malware is just as important, if not more important than focusing on 0-days. Nine times out of 10, every infection I've seen with a user has been something that has been around for a year or more, not some 0-day no one has heard of yet. Whitelisting? Yeah, it does suck. For one thing it can't always be counted on, for another, no regular user outside of hobbyists, the paranoid and system admins are going to want to bother with that approach.

Where I start to disagree is your example of a Nessus scan. For most users, if their AV were to pop up asking about it and whether to deny or allow, after the initial "WTF" look wears off and is replaced by an annoyed look (which, for your general user happens in less than 5 seconds), the likely result will be clicking "Allow" and moving on..and they're done for. I only wish AV and HIPS software presented the question as simply as you did. But no, here we are years later, and they're still speaking at you like you've got a network security degree. Killing the jargon would at least help users put these products to use more effectively since they might have some inkling what the hell their security is talking about.

 

True for that particular payload. But the attack vector was the same that is used every day against both organizations and individual users, consisting of two parts:

--> A vulnerability: the analysis identified MS10-061, but it could have been a Java, Flash, or PDF vulnerability -- anything just to trigger the downloading of...

--> ... the executable payload

A sans.edu diary noted last May:

Why Flame is Lame
http://isc.sans.edu/diary.html?storyid=13342

As many have pointed out, there are preventative measures available. That not everyone chooses to implement them doesn't negate the fact that there are solutions out there.


----
rich

 

Right, I'm not disagreeing on the methods of getting in. I do however think the more complex solutions could be made a little less complex (though that does mean automation, which presents its own problems). I've also come to believe that advising people to not use such and such plugin, or to not go to particular types of websites is wrong as well. If people aren't going to porn sites, hackers will infect and hijack news sites. If people drop Java and Flash, hackers will exploit whatever happens to get popular in use afterward.

 

Detection has value but it will always be behind, inherently so.

The issue with AV that I see is that there's a significant tradeoff.

On the one hand you can detect a lot of malware. On the other hand you have code running with very high privileges directly interacting with attacker controlled data, even going so far as to execute that code.

With attacks against a browser being so unlikely an attack point after recent advances (IE and Chrome make up the majority of the market by far, neither are easy to attack) and with AVs holding significant market share I am consistently surprised we don't see more attacks against them. I think diversity saves them.

Considering that AVs tend to inject themselves into so much of the system, hooking into the browser among other things, they provide many avenues of attack.

If I have an exploit for an AV all I have to do is get a user to download the file - no RCE code needed, the AV will scan it and I gain control. Beyond that, I gain privilege escalation and I bypass security in one attack.

So there's a benefit, but I don't think it's worth it. Sophail is just one example of an AV that makes the system far far far less secure, rather than more secure.

 

I don't think security software being the entry point for attacks is something that enough people think about. It sometimes makes me question the "layered approach". Are we really locking doors via the layering method, or are we pulling a VietCong maneuver and simply digging several holes and tunnels with each layer we add on? But what is the better method then? If security software can't access the deepest parts of the system, how can they protect it? Maybe we all turn to Sandboxie? How long do you think it would take for hackers to catch on to that? How much longer can Chrome hold out once attackers start getting desperate enough?

 

Referring to Flame (and the like), a very simple solution is to have a Group Policy on the network.

Last year there was an exploit involving a zero-day icon vulnerability that propagated via USB, and downloaded a trojan. I spoke with a local system administrator with a network of about 300 workstations, as to his concern about this exploit. (They have an enterprise AV at the gateway and for email, but not on the individual workstations.)

He responded that there was no concern, since the network had a set policy that no executables could run from USB media.

This type of simple implementation has been around for 11+ years:

Providing a Secure eXPerience
Windows XP Software Restriction Policies
http://msdn.microsoft.com/en-us/library/ms974604.aspx
October 8, 2001

Mark Russinovich had this admonition a few years later:

Circumventing Group Policy as a Limited User
http://blogs.technet.com/b/markruss...umventing-group-policy-as-a-limited-user.aspx

The problem as has been identified to me by some System Administrators, is that to lock down the individual workstations against these types of exploits makes for an unhappy work force, since only the System Administrator's Support section can install programs. (Translation: individual workers can't install their favorite games and use their work computer as their personal computer)


----
rich

 

It's not sexy because it's a limited, resource-intensive way of preventing unwanted stuff from running. IMO anyway.

(That said I'd love to be proven wrong, because the less mainstream security solutions for Windows are incredibly annoying when you have to compile stuff.)

 

When it comes to layered security it's a matter of cost/benefit. The cost will always be increased attack surface, potentially very dangerous attack surface, and the benefits are variable. In the case of an AV the benefits are there, they have been explained with third party testing for years, you know what you're getting and you know the limitations. I think the way AVs do this detection is dangerous - there's a lot of parsing, analysis, running code, etc. There's a lot of points of entry there.

This is contrary to something like a low integrity sandbox, which doesn't perform analysis, it's just a token structure. You don't really increase attack surface all that much - there's code involved, but not a lot, and hopefully not much that an attacker can interact with directly.

Running an AV in Sandboxie would be a poor choice, as you'd poke so many holes the sandbox would be useless.

I don't see AV going anywhere, the benefit of detection is to great, but it's in need of a serious re architecture in multiple ways.

 

@Rmus: Group policy works in such environments, but not necessarily in the home, where AV software is still "struggling to keep up". What do we do about them? Corporate environments are, to an extent, quite static. They know what should be running at all times and what shouldn't be. They have very specific jobs to perform and, often, very specific tools. But home use, for very few people is the experience ever truly static. For them, group policies and restrictions in general end up being looked at as worse than the possibility of infection.

@HungryMan: I see the AV going further so long as people don't want to/can't implement stronger security measures. And, unfortunately, it's those stronger methods that require the very things users are normally against, which is babysitting and too much trade-off. AE software, whitelisting, HIPS, heck even "simple" Sandboxie requires more than just "install and run" if you want any real amount of security from it, want to keep files and so on.

I do think if Windows had the equivalent of Linux repositories, something that was carefully vetted and had everything you needed, from regular programs down to codecs things would look brighter. Yes, Windows 8 has an "App store", but it's pathetic and we can look directly at Android to see how bad an app store can get. Hell, Google of all people, who made what has become the most secure browser available, doesn't even keep track of the crap they put in their store.

 

Yes, but the OP emphasized "Flame" which intitially targeted organizations/networks in order to set up the spoofed server, etc, etc, so I kept the discussion to that environment.

I'll just mention that when I did home consulting, I had no trouble setting up a secure environment. Every computing environment is different, with different levels of computer understanding. It requires users who will adhere to secure procedures and policies. If I sensed a reluctance to following such procedures and policies, I walked away. But it can be done with those who have the proper frame of mind.

I'm no longer involved in that, and have not kept up with the latest security products, so I can't contribute more.


----
rich

 

Any security software that requires user interaction or knowledge is going to result in a higher rate of infections than a decent AV.

All software provides additional attack vectors, but 1) it's going to provide greater security than liability, and 2) malware that exploits AV software won't result in as many compromised systems for the attacker. Targeting AV software (or other atypical entry points) is more likely in the event of a targeted attack (against an individual person or company), and in those cases the attacker will always find a way. Common (i.e., non-targeted) malware attacks are all about infecting as many machines as possible -- often to try and build the biggest bot-net possible so that access can be sold for more money. There are more machines that are unprotected than use any one solution, and those are far easier to infect than those with even the most vulnerable AV.

It's easy to think that AV scanning as "yesterday's technology" because scanning still looks the same from the user's point of view. However, the AV technology of today is almost indistinguishable from that of 10 years ago. That's good, because it provides significantly more security without adding any complexity, and there's constant innovation going on behind the scenes. With that said, scanning is only part of AV companies' strategies, and the overall product does more, such as behavioral detection and protection, cloud functionality, exploit detection and prevention, and so on.

It already has multiple times in the past 10 years -- even in the past 5! AV software is much more capable; the changes are just all behind the scenes.

That's a gross exaggeration. Yes, it had a number of vulnerabilities, but all software does and Sophos is far from the first antivirus to have those kinds of known vulnerabilities. ALL software has bugs. Spend some time reading up on the vulnerability reports and you would probably be surprised -- and those only show you the known vulnerabilities. Overall Sophos did and does provide a greater level of security than risk.

Just remember that there's no such thing as 100% security; it's all about balancing protection vs risk, and how much you can mitigate the risk. If the AV is decent and kept up-to-date, then it's going to do far more GOOD than harm, and doesn't present any more liability than other software (usually less). Sandboxes and such are great for those that know what they're doing, but they don't scale nearly as well as AVs do; they are also not invulnerable, and there have been plenty of vulnerabilities and exploits to break out. There just aren't enough Sandboxie users to make it worth the malware writers' time and effort.

Lastly, no matter what, the attackers are going to find a way around any security measures that a significant number of users employ, and security in general will trade with the attackers in getting ahead and lagging behind.

 

Yeah, I didn't intend to wander too far from the topic, but AV "failure" relates to the home environment as well. Users really are the biggest problem, the second being not so simple solutions requiring work on their part. Even after everything, the warnings about data privacy, not clicking random things and such, I still daily see a lack of concern from many. No solution can fix that, and it isn't the fault of the AV industry. Anyway, I've little left to add myself since I'm not in the AV industry

 

What policies, exactly, will prevent a typical user from encountering malware during normal, common-sense surfing? What would prevent them from landing on a perfectly harmless website about ham recipes when that website hosts malicious ads unbeknownst to the webadmin? And one of the many innocent and harmless sites that have been owned by malware authors, what policy will protect the user then? When their good friend gets their email pwned and spams all their contacts, what is going to protect our user when he views that email from his trusted friend and clicks on the link because his trusted friend said "check this out, it is too funny!"?

Are you suggesting that secue procedures and policies include inspection and analysis of every url ever visited & every email attachment received? I'm one seriously paranoid chick, and even I don't do that. No one does. No one would.

A set of secure procedures and policies would obviously include not clicking on untrusted links, not installing untrusted software, blah blah. IMO security tools should make it extremely difficult for users to get owned by making bad decisions. The internet is a tool that the majority of the population uses to get work done. People don't have time to worry about the technical side of things, they're busy with their lives & jobs. They're not stupid or lazy, they just have 1000 other things to worry about. Therefore security tools must be designed for people that don't care about security.

 

I hear that a lot, heck I say it a lot. But, like what? A run of the mill AV minus HIPS is about as simple and out of the user's way as it gets..yet it's considered "useless". The industry could go full-auto, but then you'd have tons of false positives and, those same people that hate making decisions, will start thinking the opposite: "Why does this stupid program think I'm stupid?" You only have to look at the free version of BitDefender and user concerns to see what that's going to be like. Either users make all the decisions, or they make none. One leads to users shooting themselves in the foot, the other leads to complaints of "This stupid program messed up my system!".