The trouble with anti-virus

Sobig and Blaster epidemics expose scanner problems


Analysis Traditional techniques aimed at stemming the flood of viruses and worms are failing to keep pace with the rise in malicious code.

Users have known this for years - at least intuitively. Even vendors admit - at least privately - that there's an issue. Now, for the first time, there's research to back up this gut instinct.

The research, carried out at Hewlett-Packard's research labs in Bristol, analysed the effectiveness of the signature update approach to virus detection and elimination against a computer model designed to mimic viral spread. The model showed that the signature update approach is fundamentally flawed, simply because worms can spread faster than anti-virus signature updates can be distributed.

Even if AV vendors produce an antidote to a virus as soon as it appears, the model breaks down because of the time it takes to deliver a fix to desktops. Within this "window of vulnerability" a worm can take hold, HP researcher Matthew Williamson concludes.
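To make the "window of vulnerability" argument concrete, here is an added toy model (not HP's model, and no code from the article): a worm spreads through a population of hosts by mass action while a signature update, released after some delay, is rolled out to a fixed fraction of the remaining hosts each tick. All rates and the release delays are constructed values chosen for illustration.

```python
"""Toy "window of vulnerability" model: worm spread versus signature rollout.

Added illustration, not HP's research model. Every rate below is a constructed
value; the point is the shape of the result, not the numbers.
"""


def simulate_outbreak(beta, release_tick, rollout_rate, ticks, i0=1e-4):
    """Deterministic compartment model over fractions of the host population.

    s: susceptible (no signature, not infected)  i: infected  r: updated/immune
    beta         - new infections per infected host per tick while s is ~1
    release_tick - tick at which the vendor ships a signature (0 = instantly)
    rollout_rate - fraction of not-yet-updated hosts that receive it each tick
    Returns (peak infected fraction, tick of that peak, final infected fraction).
    """
    if not (0.0 <= beta <= 1.0 and 0.0 <= rollout_rate <= 1.0) or beta + rollout_rate > 1.0:
        raise ValueError("use beta, rollout_rate in [0, 1] with beta + rollout_rate <= 1")
    s, i, r = 1.0 - i0, i0, 0.0
    peak, peak_tick = i, 0
    for t in range(ticks):
        new_infections = beta * s * i            # mass-action spread
        rate = rollout_rate if t >= release_tick else 0.0
        updated_s = rate * s                     # clean hosts that get the signature
        updated_i = rate * i                     # infected hosts disinfected by it
        s = s - new_infections - updated_s       # stays >= 0 given the check above
        i = i + new_infections - updated_i
        r = r + updated_s + updated_i            # s + i + r is always 1.0
        if i > peak:
            peak, peak_tick = i, t + 1
    return peak, peak_tick, i


def window_table(beta=0.5, rollout_rate=0.2, ticks=200):
    """Peak infected fraction for a range of signature release delays (constructed)."""
    return {delay: simulate_outbreak(beta, delay, rollout_rate, ticks)[0]
            for delay in (0, 5, 10, 20, 40)}


if __name__ == "__main__":
    for delay, peak in window_table().items():
        print(f"signature released at tick {delay:3d}: peak infected {peak:6.1%}")
```

With these constructed rates the worm multiplies by 1.5 per tick while nobody has the signature, so a release a few ticks late is already outrun: the peak climbs from well under 0.1 per cent (instant release) to the whole population (release at tick 40), and rolling out faster only helps once the signature exists at all. That is the delay the article calls the window of vulnerability.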

Williamson's research (explained in more detail in this week's New Scientist) is due to be presented at the AV industry's annual showpiece conference, Virus Bulletin, in Toronto later this month.

Immunity is illusory

For real-life validation of HP's research we need look no further than the rapid spread of the Sobig-F and Blaster worms last month - to say nothing of the prolific Slammer worm earlier this year.

The value in HP's research lies in showing that people can get infected with fast-spreading viruses even when they regularly update signature-based anti-virus detection tools.

In fairness to AV vendors, they do say their software is only one part of a comprehensive security policy which (these days) should include filtering email at the enterprise gateway and keeping patches up to date.

But that's only part of the answer because such an approach still leaves home users exposed to fast-spreading worms. If a substantial minority of them get infected, the Internet gets swamped with useless traffic or flooded with viral email. And this viral email is a nuisance even for people using systems (Linux, Apple, OS/2 and Unix) immune to the original viral infection.

Who cares about improving product - when the share price is soaring?

So there's a problem - but one that the mainstream AV industry has no financial incentive to solve. Quite the opposite, in fact. The worse things become, the rosier the financial future looks for AV vendors, at least in the short term.

A survey by market analysts IDC out this week predicts that the anti-virus software market will grow from $2.2 billion last year to $4.4 billion in 2007.

IDC believes "increasing consumer knowledge regarding attacks" (read publicity regarding the Blaster, Nachi and Sobig worms) and the rise in monthly subscription renewals for virus protection are driving growth in the market.

AV gravy train heading for derailment?

But buried in IDC's report there's a sting in the tail for AV vendors.

The analyst notes that many organisations are adopting a "layered security" approach that combines technologies such as desktop anti-virus, server and gateway anti-virus, content filtering, and proactive techniques such as behaviour analysis and heuristics to combat viruses.

"IDC believes traditional signature-based anti-virus technologies and behaviour-based analysis technologies will increasingly be used together, allowing for a greater degree of accuracy in detecting known and unknown threats," it reports.

Change control

AV vendors are very good at bashing behaviour-blocking technologies, saying they generate false positives or are hard to implement, but they should be concerned. Behaviour-blocking technologies are being repositioned as intrusion prevention systems and have been backed by major players like Cisco and a raft of smaller start-ups.

Intrusion prevention vendors have learnt the lesson from user criticism about false positives from intrusion detection systems. And, unlike AV tools, intrusion prevention technology has the potential of blocking zero-day exploits.

The AV industry is profoundly conservative, which has suited it well in the past. But if major players don't alter their posture they could find their products relegated to disinfection tools with intrusion prevention technologies and managed services that scan email for infectious content occupying the front line against malicious code.

Firms like Avecho that are looking to develop alternatives to traditional scanning technology are highly critical of traditional AV vendors.

Nick Scales, chief executive of Avecho, says: "Current AV does not protect against new items or worm/Trojans such as SQL Slammer or Blaster. They fundamentally are not designed to do this."

The company, which also runs the managed email service Avecho.com, has developed a technology called GlassWall that protects against malicious code without the need for signature updates, essentially by parsing traffic through a system that removes viruses from Internet traffic.

Avecho GlassWall is available for licence, but traditional AV providers are not prepared to talk to Avecho, which Scales presents as evidence that they are deliberately failing to grasp the nettle and look for a better solution to the viral problem. He contrasts this stance with the more favourable response he has received from networking suppliers about the possibility of embedding Avecho's technology in silicon.

Revolution or evolution?

Firms like Avecho, MessageLabs and Cisco (which bought behaviour blocking firm Okena earlier this year) are calling for a fundamentally different approach to how we fight malicious code. However, there are those who believe evolution rather than revolution is the best way forward.

Peter Tippett, CTO at the ICSA Labs research division of TruSecure, which validates AV products as part of its security testing programme, argues that simple steps can make existing infrastructures far more secure.

"If companies apply file filtering to block infectious attachments and change Outlook so that it points at the restricted zone we reckon the risks of getting infected can be reduced by a factor of 20. We've advised this for years," he told The Register.
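The file filtering Tippett recommends, and the gateway email filtering the AV vendors themselves point to earlier in the piece, amount to a policy decision that is easy to enforce in code: reject a message carrying an attachment whose type Windows would execute on open, regardless of whether any scanner has a signature for it. The following is an added example written for this article, not code from TruSecure, ICSA Labs or any gateway product; the blocklist, the message headers and the attachment names are all constructed, and a real deployment would tune the list to its own environment.

```python
"""Gateway-style attachment type filter (added example, not a vendor's code)."""
import email
import email.policy
from email.message import EmailMessage

# Constructed blocklist (an assumption for this example): file types that a
# Windows desktop will execute when the user opens the attachment.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".bat", ".cmd", ".com", ".vbs", ".js"}


def is_blocked(filename: str) -> bool:
    """Judge a filename by its LAST suffix, so "invoice.pdf.exe" is an .exe.

    Path separators are stripped (a filename is never a path), case is
    ignored, and trailing dots/spaces are removed because Windows drops them.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].strip().rstrip(". ").lower()
    dot = base.rfind(".")
    if dot == -1:
        return False
    return base[dot:] in BLOCKED_EXTENSIONS


def attachment_names(raw_message: str) -> list:
    """Parse an RFC 822 message and list the filenames of its attachments."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def filter_message(raw_message: str) -> dict:
    """Return which attachments would be blocked and the resulting verdict."""
    names = attachment_names(raw_message)
    blocked = [n for n in names if is_blocked(n)]
    allowed = [n for n in names if not is_blocked(n)]
    return {"blocked": blocked, "allowed": allowed,
            "verdict": "quarantine" if blocked else "deliver"}


def build_sample(filenames) -> str:
    """Constructed test message: inert placeholder bytes under the given names."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"      # constructed addresses
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for name in filenames:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()


if __name__ == "__main__":
    sample = build_sample(["report.pdf", "photo.jpg.scr", "notes.txt"])
    print(filter_message(sample))
```

The decision rests on the attachment's declared type alone, so it costs nothing per new worm and needs no update; the price is that a legitimately mailed executable is quarantined too, which is exactly the trade Tippett is describing.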

According to Tippett, the Sobig virus caused less disruption to businesses than the Lovebug, and Blaster was roughly equivalent to Code Red. However, overall, virus and worm infections have grown 11 per cent a year, according to TruSecure.

Some Reg readers have urged a change in the way email works as a comprehensive means of dealing with the viral scourge. Tippett, pointing out that the IETF moves at a glacial pace, is dismissive of this idea. He is also far more cautious than others we've spoken to about the potential of behaviour-blocking technologies. However, he readily concedes our point that AV products are as useful as a chocolate teapot in dealing with fast-spreading worms.

Tippett said: "You'll never catch zero-day exploits with AV and intrusion detection products by using more rapid updates. AV products don't deal with and never will deal with first day viruses."

"Ringing the bell after the torpedo hits doesn't make you more secure," he added. ®

Related stories

Why Sobig is bad for privacy and AV vendors
AV bigwigs weigh in on Sobig debate
Blaster rewrites Windows worm rules
US warns nuke plants of worm threat
Sobig second wave attack fails to strike
Sobig-F is fastest growing virus ever - official
Why spammers lurve the 'Microsoft support' worm (Sobig-A)
Virus writers outpace traditional AV
AV vendors sell 'blunt razor blades'
Is it a worm, a virus, or a trojan?
US Reps question anti-virus companies' integrity
