SANS ISC: InfoSec Handlers Diary Blog

To AV or not to AV, is that the question?

Published: 2007-09-02
Last Updated: 2007-09-02 14:20:59 UTC
by Mark Hofman (Version: 1)

Over the last few years we have seen malware move from the "Oh, look at me" attempts at fame to "how much can I make" approaches. It has become a business. To succeed in this kind of business you need malware that is delivered and remains undetected, but you also have to keep costs low. Often the result is variations: the same malware over and over again, wearing a different coat, a funny hat or a false moustache. To protect against malware we use our trusty antivirus product, because it will find all those nasties, right?

Wrong. For example, earlier in the week we received a file delivered through what appears to have been a targeted spam attack. Running the file through VirusTotal showed that it was detected by two products. After identifying the site it pulled the next file from, that second file was also downloaded and submitted to VirusTotal; this time only one product flagged it as something worth a look. A little digging showed that the files were a variant of a known bot. The variant created files with the same names as the original and had essentially the same behaviour pattern. It waddled like a duck, quacked like one, two wings and two feet; it just had blue feathers instead of brown ones. So why the virtually nil detection rate?

To answer that we'll go back to the blacklist diary from a few days ago. The main component of most AV products is the signature or pattern-recognition engine. Essentially it is a blacklist: I see something I don't like and I block it. That makes the product only as strong as the capabilities of the people who write the signatures and the processes the vendor has in place to produce them. Whilst some vendors are quick off the mark, others, three days after the file was submitted, still have not produced a signature (detection of the two files mentioned above now stands at a staggering 40% of the AV engines on VirusTotal).

The main issue with this approach is that a blacklist only detects malware that is already known and in the wild, leaving plenty of opportunity for a blue or red duck to waddle past the defences. If the pattern doesn't match, the file is passed, hence the low detection rate. Does this mean we are at the stage where pattern-based AV products are a thing of the past?

Possibly not; after all, a pattern check is nice and fast, so it probably still has a place in the new order. But we will need to do something else as well. The various AV vendors are looking at solutions and many are bringing out new products this year. There are also a number of behaviour-based systems that have a reasonable track record without too many false positives. Or is something more drastic needed, such as the approach taken by the One Laptop per Child project with Bitfrost, where every process essentially runs in its own virtual machine?
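As an added illustration of the two points above (the repacked variant that slips past byte-pattern signatures, and behaviour-based rules as the alternative), here is a constructed Python toy. It is not code from this diary or from any AV product: the "bot" bytes, the signatures, the XOR "packer" and the sandbox event logs are all made up for the example. The signature scanner matches fixed byte patterns taken from the original sample; the behaviour scorer matches what the sample does when run, so the repacked variant (and one whose C2 host moved) is still caught, while a constructed benign installer is not.

```python
"""Toy: byte-pattern (blacklist) signatures vs behaviour rules.
Added example with constructed data; nothing here is real malware
or a real vendor signature."""
import re

# Constructed "original" bot sample: a fake header followed by strings an
# analyst would pull signatures from (C2 host, dropped file, persistence).
ORIGINAL = (b"MZ\x90\x00" + b"\x00" * 8 +
            b"connect bot.example.invalid:6667\x00"
            b"drop C:\\WINDOWS\\system32\\svch0st.exe\x00"
            b"run HKLM\\...\\CurrentVersion\\Run\x00")

STUB = b"MZ\x90\x00STUB"   # hypothetical packer stub marker


def repack(payload: bytes, key: int) -> bytes:
    """Simulate a trivial packer: keep a stub, XOR the body with one byte.
    Every body byte changes, so fixed patterns over the body stop matching."""
    return STUB + bytes([key]) + bytes(b ^ key for b in payload[4:])


def unpack(sample: bytes) -> bytes:
    """What an engine with an unpacker/emulator would do before scanning."""
    if not sample.startswith(STUB):
        return sample
    key = sample[len(STUB)]
    return b"MZ\x90\x00" + bytes(b ^ key for b in sample[len(STUB) + 1:])


VARIANT = repack(ORIGINAL, 0x5A)   # the "blue duck": same bot, new coat

# Blacklist-style signatures written against the ORIGINAL sample only.
SIGNATURES = {
    "Bot.Gen.A-c2": b"bot.example.invalid:6667",
    "Bot.Gen.A-drop": b"svch0st.exe",
}


def scan_signatures(sample: bytes) -> list[str]:
    """Return the names of every byte pattern found in the sample."""
    return [name for name, pat in SIGNATURES.items() if pat in sample]


# Constructed sandbox event logs (what each sample did when executed).
EVENTS_ORIGINAL = [
    "file_create C:\\WINDOWS\\system32\\svch0st.exe",
    "reg_set HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svch0st",
    "net_connect bot.example.invalid:6667",
]
EVENTS_VARIANT = [
    "file_create C:\\WINDOWS\\system32\\svch0st.exe",
    "reg_set HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svch0st",
    "net_connect 198.51.100.7:6667",          # C2 moved, same protocol/port
]
EVENTS_BENIGN = [                              # a constructed installer
    "file_create C:\\Program Files\\App\\app.exe",
    "net_connect updates.example.invalid:443",
]

# Behaviour rules: each describes an action, not a byte pattern.
BEHAVIOUR_RULES = [
    ("writes an executable into system32",
     re.compile(r"^file_create .*\\system32\\[^\\]+\.exe$", re.I)),
    ("adds Run-key persistence",
     re.compile(r"^reg_set .*\\CurrentVersion\\Run\\", re.I)),
    ("connects to an IRC port",
     re.compile(r"^net_connect \S+:6667$")),
]


def score_behaviour(events: list[str]) -> list[str]:
    """Return the description of every behaviour rule some event triggers."""
    return [desc for desc, rx in BEHAVIOUR_RULES
            if any(rx.search(e) for e in events)]


def verdict(sample: bytes, events: list[str], threshold: int = 2) -> dict:
    """Combine both approaches; a behaviour verdict needs >= threshold hits
    so a single suspicious action does not by itself convict a sample."""
    sigs = scan_signatures(sample)
    beh = score_behaviour(events)
    return {"signature_hits": sigs, "behaviour_hits": beh,
            "signature_verdict": bool(sigs),
            "behaviour_verdict": len(beh) >= threshold}


if __name__ == "__main__":
    for label, sample, events in (("original", ORIGINAL, EVENTS_ORIGINAL),
                                  ("variant", VARIANT, EVENTS_VARIANT),
                                  ("benign", ORIGINAL[:4], EVENTS_BENIGN)):
        print(label, verdict(sample, events))
    print("variant after unpacking:", scan_signatures(unpack(VARIANT)))
```

Running it shows the original tripping both signatures, the variant tripping none while both bot samples clear the behaviour threshold, and the benign log scoring nothing. The last line is the caveat: an engine that can unpack or emulate the sample gets its byte patterns back, which is exactly where vendors invest; real packers are far harder to undo than a one-byte XOR, and a behaviour rule still needs the sample to actually run (or be emulated) before it can say anything.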

One thing is certain: the malware business model works (Storm seems to be doing well), and until we change our approach to managing malware it will continue to. As many of us have learned the hard way, you can't put all your eggs in one basket. By relying on AV alone you may be exposing your machine or your network.


Cheers


Mark H - Shearwater
