Kaspersky Lab's Secret Sauce Uses 'Woodpeckers'

Discussion in 'other anti-virus software' started by ronjor, Dec 20, 2006.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,730
    Location:
    Texas
    Article
     
  2. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Really good article. Thanks for posting it.

    Cheers

    Jlo
     
  3. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Interesting read,
    nothing we didn't know already though,

    but to me, the article sounded as though Kaspersky are worried, maybe they know something we don't.
     
  4. dah145

    dah145 Registered Member

    Joined:
    Jul 3, 2006
    Posts:
    262
    Location:
    n/a
    Thanks for the article :)
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    They are at the limit of their capacity. Tons of malware repacked and tweaked sent to the net each minute.
     
  6. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    True, true, but it's the same with every other company, so why sound sooo worried? Yes, it's a hard job, but it is for everyone else too.
     
  7. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    It's harder for the small companies. Symantec, for example, can make 100,000 signatures each day.
     
  8. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    They are certainly not nearer to the limit than any other vendor.
     
  9. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    I agree totally here. They know that the signature based detection is reaching its limits. The only hope is to get 'heuristics' up high enough to ease the congestion and pressure. And even the very best 'heuristics' aren't even in the ballpark yet to achieve this. And while I can't say for certain, I could have sworn 4000 or so of my AV's sigs were deleted not long ago, to make room for new ones I guess.
     
  10. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    I think it's quite common for AVs to delete old single sigs and tidy up/replace them with a smaller number of generic signatures; you would still have the same detection if this is what's happened.
     
  11. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    That's where good heuristic detection can be an aid to smaller companies without mentioning any names. ;)
     
  12. Wolfe

    Wolfe Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    160
    It's far from merely a load of extra signatures - it's the fact the bad guys are well organized and paid by now, creating perfect new sorts of malware. For that reason Jevgeny Kaspersky is more than worried that all AV/ATs will be useless within a short period of time, meaning a few years from now.

    Perfect rootkits are being developed, in use and more to come. No AV/AT (Kaspersky, NOD32, Symantec, you name them) can proactively handle those.

    The future is preventive antirootkits - at least as a needed addition. Helios and GMER as well as RKU come to mind here.
     
  13. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    If they do it properly, the highest amount is probably 100 times smaller than the amount you posted.
     
  14. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
    Nice to know somebody's speaking on our behalf. Or did I fail to detect the pluralis majestatis?

    People seem to age rather quickly in the AV industry. Here are some intriguing before/after pictures:

    http://www.avast.com/eng/interesting_pictures.html
     
  15. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I've extracted that info from here
    Of course. This was discussed in the AV-Comparatives thread. Stefan Kurtzhals said that heuristics helps to make better signatures (fewer FPs, more detection, etc.) without leaving you unprotected.
     
  16. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    I extracted the info from conversations with Symantec last summer when I did the test about signatures and release rates :p.
     
  17. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Surely you're closer to the truth than me. I can't imagine the quality of 100,000 signatures released each day.
     
  18. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    I can......:D
     
  19. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    but I guess we really don't want to go down that road... :)

    Blue
     
  20. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    If the outlook is as bad as some posters in this thread seem to think, don't you think it's time we scrapped PCs and went back to the abacus? That'd give the malware writers a real headache; I think they would be pretty immune from attack (except by hammer!)
     
  21. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    No, not at all.:)
     
  22. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    If it really was as bad as some doomsday worshippers say, then we would all already be infected with an undetectable rootkit and running an anti-virus which was knocked out by stealth malware capable of doing that................etc etc yada yada yada, every year it's the same.

    Signatures will be around for quite some time yet and, contrary to what some think, heuristics will not save us; it is just one layer in our defenses. All AVs will merge into much more "All-in-one" type programs, and I do not mean just AV/FW/AS, but "all" will have to develop other proactive defenses. The approach will be different, but if you do not move forward you die................of course I could be wrong and I'm certainly not saying next year will be easier. ;) :)
     
    Last edited: Dec 21, 2006
  23. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Those are hilarious! Especially the one of Vesselin Bontchev with his head on the guillotine. And that of Eugene Kaspersky with his yellow and red umbrella "hat" contraption...:D

    I wish the pics were labeled better as I was looking for a particular person but not knowing what he looks like...well...even when a pic said "Eset fellows", because there were several I didn't know who was who.
     
  24. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    Agreed and this trend has already been taking place for the past 3-4 years. The discussion about "end of signatures" is even older than that. Even "end of heuristics" (particular to AV) is probably fairly old (I'm not up to date on that).

    To add fuel to the flame:

    If security is not a product, then what kind of security is an "add-on after the fact patch"?

    As we well know, many a security software is PATCHING issues deep down in the operating system itself.

    It's like a theory which is being "fixed" on-the-fly ad hoc style.

    The real issues lie deeper down:

    Basic design and implementation flaws.

    Errors in fundamental software engineering and testing practices.

    And this is something that is very hard (or excruciatingly slow) to fix through patching. MS is acutely aware of this.

    This is why I don't believe we will see any magical solutions with integration of AV/malware/FW/sandbox/whatever combos, as long as they are deployed on top of Windows XP/2003/Vista. At least as long as we are talking about combos that are still usable on an average machine (resources) and with the skills of an average user.

    Once we start deploying security engineered OSes that have been designed and engineered from the ground up to be secure, we may fare much better. At least for some time.

    So I for one am seriously considering moving over to Mac OS X. Not because it's necessarily any more secure inherently, but because the absolute amount it's being targeted for security breaches is so much smaller than on Win32 platforms...

    I'm just too old (and busy) to spend hours / week in forums/bulletin sites trying to keep my main working machine fairly tight and secure. The process has just become too time consuming on Windows (for me).

    No amount of woodpeckers or Kasperskys (as much as I commend them for their efforts) is going to bring a quick fix to this situation.
     
  25. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    There's a lot of food for thought in the article and discussion.

    In days gone past, there were far more good programs than bad and the appearance rate of the bad was low as well. In that situation, the use of signatures to identify the bad is sensible. The circumstance has been somewhat turned on its head these days, and that should drive a reassessment of the approaches pursued. Based on typical user expertise, some style of signature based approach seems all but assured. However, whether it is a blacklist, whitelist, or combined approach is less clear.
    Security is not a product for the security aware; however, it is largely a product in the mass market. That product could be a security add-on or an alternate OS (which addresses only a part of the issue). Security products are not the end goal, but they do provide a working framework backed by expert advice which assists a user in implementing the process.

    For some reason, metaphors are lambasted in discussions of computer security, but metaphors are useful. Fitness isn't a product either, and you don't need to purchase any products to achieve fitness. Yet, a simple reality is that many folks profitably purchase products to assist themselves in achieving their goal of physical fitness for a variety of reasons. That is the path that works for them, but like the dusty running shoes sitting in the closet, the same approach does not work for all and all approaches seem to fail for some since they don't embrace the product/approach/framework that they've selected. The product is not entirely the end goal, but it does provide a structured framework through which the necessary process (fitness or security) can be realized. However, as long as some style of signature recognition is a part of a security product, that very aspect of it is, in fact, "security" as a product.
    This is not always a bad thing. New information, new insights, a recast theory. Patching can be due to either the fixing of newly uncovered problems or adjusting to a new operational reality.
    While these points are true, let's not forget that many security holes are the unintended consequence of functionality and convenience being built into the OS. Many of the design steps taken to render a richer and more fluid user experience have unintended consequences and open a Pandora's box of possibilities if the programmer's intentions are malicious.
    Quite true, these solutions will not be a panacea, but for many they are the best first step to take.
    Personally, I believe that will simply move the target of opportunity. Computers are now tools widely used for mass commerce. Wherever there is a source of cash or other assets, there will be people figuring out ways to grab it. The online world is no different than the physical world in this regard.
    It is in this context that it is useful to consider security as a product, or perhaps more correctly, a process significantly assisted by a product. Like many things in life, we contract with experts to perform certain services. I really don't see why computer security should be viewed as fundamentally any different. Find an expert you can trust, rely on the expertise that they have, and make a periodic check that their credentials are current and performance remains acceptable to you, and embrace the framework they provide. I realize this is only a part of the solution, but it is a very big part of it in the current climate and it really doesn't require a constant level of attention.

    Blue
     