Malware

Traditional antivirus software is useless against military malware

Antivirus programs are obsolete. In that case, what are we supposed to do? Learn what the security community has to say.

Do not go on the Internet unprotected. If you do, you'll regret it. Advice like that is common everyday fare. What follows is not:

"What this means is that all of us had missed detecting this malware for two years, or more. That's a spectacular failure for our company, and for the antivirus industry in general."

That's from "Why antivirus companies like mine failed to catch Flame and Stuxnet," a recent post by Mikko Hypponen, Founder and Chief Research Officer of F-Secure -- a significant player when it comes to protecting digital equipment.

Statements like that aren't normal for Mikko (see his TED talk); the well-regarded computer-security guru is typically upbeat about things digital. I contacted Mikko to ask if he had any further thoughts:

"Regular antivirus works fine for the regular malware out there. It doesn't work well against government-funded super-malware. How likely is it you may be targeted by super-malware? I guess it depends on what you're doing.

Bullet-proof vests and helmets work fine against a street robber who is out to get anyone he can find. They don't work well against a government assassin who is out to get you and only you. How likely is it that you may be targeted by a government assassin? I guess that also depends on what you're doing."

Mikko is referring to the new family of stealthy malware (military malware and super-malware are names I've found for it) that includes Stuxnet, DuQu, and Flame. While gathering facts for this article, I found this was not the first time people had questioned traditional antivirus programs.

I'd like to introduce Paul Schmehl, Senior Information Security Analyst at the University of Texas-Dallas. Paul, a fine writer, penned "Past its Prime: Is Antivirus Scanning Obsolete?" for SecurityFocus. The lead paragraph:

"The title and topic of this article is clearly controversial. It is guaranteed to get a strong reaction from the antivirus industry, which is firmly convinced it sees clear sailing ahead. So, is antivirus scanning obsolete? In a word, yes, but don't throw out your scanner."

It seems Mikko is not alone and not the first. Paul wrote that 10 years ago.

The final person I'd like to introduce is Bruce Schneier. Bruce is highly regarded when it comes to any kind of security. To see what I mean, check out Bruce's new book, Liars and Outliers. In 2009, Information Security Magazine carried "Is Antivirus Dead?", a point/counterpoint discussion between Bruce and Marcus Ranum. Bruce had this to say:

"Yes, antivirus programs have been getting less effective as new viruses are more frequent and existing viruses mutate faster. Yes, antivirus companies are forever playing catch-up, trying to create signatures for new viruses. Yes, signature-based antivirus software won't protect you when a virus is new, before the signature is added to the detection program. Antivirus is by no means a panacea."

To be fair, all three feel antivirus applications have their place, but the methodology signature-based antivirus programs subscribe to appears less than adequate.

Playing catch-up

During our phone conversation, Paul likened the problem facing traditional antivirus programs to the "Whac-A-Mole" game, where a pretend mole pops up and the contestant tries to smack the poor critter before it disappears. Paul explains the similarity:

"Anti-virus scanning is based on Newton's law; for every action there is an equal and opposite reaction. Each time a new virus, or a new viral approach is discovered, anti-virus scanners must be updated."

Paul continues:

"It isn't hard to see there is a point of diminishing returns, where updating is no longer feasible because testing takes too long. At that point, customers begin to look for other solutions to overcome malicious threats."

Any hope?

Bruce and Paul have ideas as to what can be done to improve the situation. I'll start with Paul. Back in 2002, he was excited about something called Behavioral Blocking. I'll let him explain:

"The solution is to run unproven programs in a protected, virtual environment. This will allow the program to perform all functions it normally would, both during installation and after it is running normally. Each action the program takes can be compared against a set of rules, and rated as to its likelihood of being malicious or not.

Programs that rate above a certain number or perform certain actions would be automatically deleted. Those in a lower range would be quarantined so that security administrators could examine them more closely. The rest would simply be passed back to the network intact."

Paul feels this approach has some merit. Unfortunately, behavioral blocking has not gathered momentum with other security experts, but a process called Whitelisting has. According to Bruce:

"Security would be improved if people used whitelisting programs such as Bit9 Parity and Savant Protection -- and I personally recommend Malwarebytes' Anti-Malware."

Even with their optimism, both caution that whitelisting has issues:

  • It is not user-friendly.
  • It adds administrative overhead from change requests and software additions.
  • It has no way to handle malware that attaches to data files.
  • It is not difficult to rename files.

Besides behavioral blocking and whitelisting, there are startup companies chipping away at the problem -- CrowdStrike and Shape Security, for example. Both make interesting claims and have received significant funding, but neither company will release information about its technology.

Update: I just received an email from Mikko; he felt it important to clarify the following: "One point about Whitelisting: Practically every Windows whitelisting app allows executing unknown executables if they are signed by Microsoft (otherwise Windows patching would fail). That's fine -- except Flame was signed by Microsoft."
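As an added illustration (not code from the article, nor from any product it names), the following Python models the two controls discussed above: Paul's three-tier behavioral scoring (delete, quarantine, pass) and a hash-based whitelist with the trusted-signer exception Mikko describes. Every binary, action name, weight and threshold here is constructed for the example.

```python
"""Toy policy engine for the two controls discussed in the article."""
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional

# ---- Whitelisting (with the patching exception Mikko points out) ----

@dataclass
class Binary:
    """Constructed stand-in for an executable on disk."""
    name: str
    content: bytes
    signer: Optional[str] = None  # publisher on the code-signing cert, if any

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

# Hash allowlist: only binaries the administrator has vetted (constructed).
KNOWN_GOOD = {Binary("notepad.exe", b"constructed sample").sha256}
# Publishers whose signature lets an unknown binary through so patching works.
TRUSTED_SIGNERS = {"Microsoft Corporation"}

def whitelist_verdict(binary: Binary, trust_signers: bool = True) -> str:
    """'allow' for vetted hashes; 'allow-signed' for unknown binaries carrying a
    trusted publisher signature (the gap Flame fell through); else 'block'."""
    if binary.sha256 in KNOWN_GOOD:
        return "allow"
    if trust_signers and binary.signer in TRUSTED_SIGNERS:
        return "allow-signed"
    return "block"

# ---- Behavioral blocking (Paul's 2002 proposal) ----

# Weight per action observed while the program runs in the sandbox (constructed).
ACTION_WEIGHTS = {
    "write_file:user_docs": 1,
    "registry_set:run_key": 4,
    "network_connect:unknown_host": 3,
    "inject_into:other_process": 8,
    "disable:antivirus_service": 10,
}
DELETE_AT = 12      # score at or above this: delete automatically
QUARANTINE_AT = 5   # score in [QUARANTINE_AT, DELETE_AT): hold for an analyst
# Actions that trigger deletion regardless of the total score.
AUTO_DELETE = frozenset({"disable:antivirus_service"})

def behavior_score(actions: Iterable[str]) -> int:
    """Sum the weights of observed actions; unknown actions score zero."""
    return sum(ACTION_WEIGHTS.get(a, 0) for a in actions)

def behavior_verdict(actions: Iterable[str]) -> str:
    """Paul's three tiers: delete, quarantine, or pass back to the network."""
    actions = list(actions)
    score = behavior_score(actions)
    if score >= DELETE_AT or any(a in AUTO_DELETE for a in actions):
        return "delete"
    if score >= QUARANTINE_AT:
        return "quarantine"
    return "pass"

if __name__ == "__main__":
    unknown_signed = Binary("update.exe", b"unknown bytes", signer="Microsoft Corporation")
    print(whitelist_verdict(unknown_signed))                     # allow-signed
    print(whitelist_verdict(unknown_signed, trust_signers=False))  # block
    print(behavior_verdict(["registry_set:run_key", "network_connect:unknown_host"]))  # quarantine
```

The `trust_signers=False` call shows the cost of closing the gap: without the exception, vendor patches would also be blocked until their hashes are added.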

Final thoughts

Unless I missed something, I do not see any effective technical solutions at this time. I asked Paul and he agreed. Paul added that working for a teaching institution, it was only natural for his department to focus on educating students and faculty about computer security. I asked Paul if they noticed any improvements. Paul enthusiastically replied, "Better than they had hoped."

As I hung up the phone, I remembered an article by TechRepublic writer, Chad Perrin, "Teach a man to fish."

a1computers.ie

Great article Michael...but yet if we could get more people to keep their computers secure with update good quality antivirus software that would be a very good start to making it harder for cybercrime to be profitable.

tonypmartin

Whilst MAC may not be currently built into most OSs, it surely does offer the possibility of a greater level of control over what rogue software can be allowed to do, and indication of rogue software at work. What about SELinux? (when correctly configured)

dgoodale

I was just reminded of when I used to install software on Terminal Servers. I had to install the software using "Install Mode". Maybe they could use a similar approach to make our computers more secure. When you wanted to install software, they could write the OS so you had to literally reboot, run a separate software installation OS, and then reboot and go back into protected mode. Or how about physical write protection? SD cards have write protection switches. Put the OS on a physically write protected hard drive.

Wunderbarb

Twenty years ago, IBM introduced a three-level classification of attackers: Level 1 are moderately skilled people with no specialized tools (script kiddies); Level 2 are skilled experts with access to specialized tools (garage hackers); Level 3 are funded attackers who can hire the best experts and create their own dedicated tools (government, mafia...). Each time you design a security solution, you must define against whom you defend. Clearly, antivirus is against level 1 and partly level 2. Level 3 is totally out of its scope. Now to be honest, I do not believe there are a lot of commercial solutions that would resist level 3. Perhaps a few in hardware, but probably not in software. But your discussion was more about the cat & mouse game of AV, rather than about military malware. And here also, the signature-based AV are by construction purely reactive. They can only act once the virus has been known, analyzed and fingerprinted. The race is inherent to its construction. The behavioral approach is more interesting but with a huge risk of false positives. If the rate of false positives is too high, then people will not use it, or disable it. In any case, remember law 1: Attackers will always find their way. The IBM paper is D.G. Abraham, G.M. Dolan, G.P. Double, and J.V. Stevens, "Transaction security system," IBM Syst. J., vol. 30, 1991, pp. 206–229, available at http://portal.acm.org/citation.cfm?id=103494.103495.

Greenknight_z

Antivirus isn't obsolete, but it's inadequate - and it has been for years. As I said years ago in another forum, where security is critical you should run a live CD (or DVD or thumb drive) or a virtual machine with frequent backup images. For online gaming and casual browsing in Windows, a traditional antivirus/antispyware/antimalware combo is needed. I run such an array of security apps in Windows, and browse in Firefox with NoScript, and I haven't had a malware infection in years. However, for online banking I use a Puppy Linux live CD. Other Linux distros would work, too, but Puppy is small and handy - and it can save your sessions to the CD, DVD, or Flash drive, with encryption if desired.

skp14

Surf in a non-administrator (limited) user account and you're safe as a bee in its hive!

langstonha

In today's IT environment I think we will always have viruses that will not be detected. It's just the nature of the beast. I've started thinking about sandboxing as a way to head off the next virus I get.

Alex Gerulaitis

Is there a reason thin computing is not mentioned as a panacea against military-grade viruses? If your apps reside on a server (local or cloud) and your "modify" permissions only apply to data sets (but never executables), what are the chances of a contagious infection? Sure, "pro" grade video editing and similar apps still need to be locally installed (although that is already changing) - yet what is the percentage of devices out there that need locally installed apps?

cjame0966

I would like to reply to Michael Kassner's assertion that Malwarebytes is an effective program to find malware on a computer. I had Malwarebytes and Microsoft Security Essentials installed, but that DID NOT prevent a whole slew of malware and viruses from infecting my computer and creating havoc. I discovered the extent of the infection when I downloaded and installed Advanced System Care with Antivirus 2013 and ran a full scan. There were 9,798 pieces of malware on my computer! I feel this program saved my computer from the trash heap, because I was considering buying another one because mine was so messed up. I had tried to fix it numerous times, without success. I will NEVER use Malwarebytes again.

AnsuGisalas

because the military stuff isn't randomly distributed. If *those* bad guys want to take down a system, they won't show their hand by plinking away at vast loads of unrelated systems. So just because a defense could work, it doesn't mean it will work, and if it doesn't, you only find out when it's too late.

JCitizen

I was studying. Horizons Data Systems used to use PCI cards to backup the drive protection; but they claim that is obsolete, and they have a solution that is supposed to beat Faronics Deep Freeze, and Steady State, only using a software solution. If you read their specs, they explain why. I bought one license for a client, but they were so shaken by the last attack, I can't get them to even go online again.

Michael Kassner

I think that question always comes up when write-protected is discussed.

Michael Kassner

You have a good grasp of what is required. Everyone I interviewed made sure I knew about Law 1. I am an ACM member, so I will definitely read the paper. Thanks for mentioning it.

tech

Unfortunately, it is not true. Wait maybe it is true, the bee in the hive gets smoked and honey taken on a regular basis.

Michael Kassner

It is my understanding that there is a group of malware that does not require admin rights to execute.

Michael Kassner

I tried sandboxing for a long time. That was until I realized it had holes due to needing to print or move data around and that's all it took.

JCitizen

but how about the server(cloud)? You can go high assurance, but it costs a pretty penny!

AnsuGisalas

Because otherwise MBAM is just an on-demand scanner. Also, no program is going to defend you from your own behavior, nor will any program help you if it is not updated. And of course, detecting oodles of malware is usually the mark of a fake AV scam.

JCitizen

Ahem! They (iObit) are in court for stealing source code from Malwarebytes!! You gonna trust that Chinese company with your intellectual property? Good luck! You can't have a proper defense without a blended one - no one solution is going to save you, and against the threats featured in this article, probably none will save you. Only new or different hardware, or a very severe drive lock program like Drive Vaccine will even come close.

HAL 9000

And them not using the Net is such a bad thing how? Sure, if they are a Domestic User who only does a bit of Word Processing, collecting E Mail and Browsing the Web, it makes life hard, but if they were a Business who had to protect their Data I don't necessarily see that as such a bad thing. I still remember one client who insisted that they were Secure till his Wife logged in and saw their bank Account and Account Details. He now has no Net Connection because the last time cost him way too much by his own admission, and that wasn't even an attack as such. It was much worse: his wife got to see how much money the Doctor's Surgery had and what its Routine Expenditure and Income was. He's constantly complaining that he's sorry he didn't listen to me when I suggested locking it down even a little more "which wouldn't have stopped the wife anyway", but as he says he's lost so much money on an ongoing unlimited term that it's not funny. He's constantly hoping that his wife loses her Cards again, as till they are replaced whoever got them spends less than his wife, which is an old joke but very true in that particular case. :D He goes overseas every couple of months to work in the Solomon Islands with Peace Keeping Troops and every time he returns he finds his home redecorated. That's not chump change either, I should add. He even finds it unbelievable that his wife insists that he go buy new bath tubs to use on the farm as Water Troughs for the cattle, as he shouldn't be seen buying second hand items. So instead of paying $15.00 for paint damaged tubs his wife insists that he pay over $300.00 for something for the cattle that people pay him to have on his property to drink from. It's perfectly OK to destroy the tubs by welding them closed but there is no way he's allowed to buy anything second hand to do the same job.
Before his wife got in it wasn't a problem and he used to go to the local dump and buy paint damaged items for the outside of the farm but now that's stopped, and his wife was only looking for where he was supposed to be on a certain day and stumbled into the Accounts by accident. ;) Col

HAL 9000

There are no Guarantees that the Server is secure and uninfected. The issue is that these Military/Government Malware are designed not to be detected, and if they get onto the Server they affect more than just the one terminal. Of course it also means that you are on a Hit List by whoever, which the majority of people are not, so it's simply not an issue for them. ;) Col

pgit

Steve Wozniak has more common sense in his left thumbnail than I'll ever wring from my entire being. He'd make a great "president of the internet."

Alex Gerulaitis

Seems like we are talking about different issues. Regardless of Woz' opinions and incidental hacks, what are real world security assessments of thin computing vs. a system with locally installed apps that have admin privileges? I think that's the real question. If there are any (security) benefits to thin computing, then thin computing is a viable alternative to local anti-virus protection, and should be presented as such. Sure, the cloud is not bulletproof. I never said it was. Still, do you keep your money stashed under the mattress (i.e. local admin access), or put it in the bank ($cloud)?

AnsuGisalas

if you've just handed them your entire house.

JCitizen

Just having the unpaid version already installed goes a long way. One severely hobbled machine I worked on had all kinds of functions blocked by infections. Once I booted to safe mode and ran MBAM, a rootkit and all kinds of malware came out of the woodwork. SAS flushed out even more and really set off a backdoor that blocked any startup attempt. It took a further nuking of the drive from space with Avast and Kaspersky Rescue 10 to flush the rest out. Of course you really have to wipe and reinstall after such episodes, but I like learning how to fight the bugs! After a wipe/reinstall, an Avast scan nuked what was left of the malware in the backup folder. He's been running fine since.

pgit

I advised against ASC from its inception, due to the utter lack of transparency at the company. I have no idea if they were honest and sincere in their endeavors, and that's the point. When someone is totally reshuffling the operating system I do not give them the benefit of the doubt. That they were based in China was the factor that made me comfortable with the decision to not use ASC and to recommend against it. I didn't know they were sued by Malwarebytes. The latter is a great bunch of folks who make an excellent, and to my eyes trustworthy, product.

info

I'm pretty sure CJames' post was /Sarcasm Mode: ON. ;) I was impressed by this one program. It said that 7 people were trying to hack my computer, in REAL TIME! And I wasn't even plugged into a network! *Laugh*

Michael Kassner

I have the ultimate respect for anyone that went through the effort to obtain a PhD. I had intentions at one time, but circumstances did not allow. That's an excuse though, and why I have that amount of respect.

HAL 9000

I'm what I suppose people would call a person with several PhDs. Granted I only have 3 and one of those is sort of related to IT, it's Electronic type rubbish, though I suppose the one on Physics is sort of involved with computers if you want to stretch a point. :^0 It's probably why the Doctor in question's statement of Trust me I'm a doctor doesn't work with me, because I'm a Doctor too. I do point out that I have had to get far more training so that I can be called Doctor than he had to get, so I'm more qualified. OK, on a more serious note I do understand how computers work, though I do have times when I find it difficult to understand how Windows works. Some of the things that they do seem to defy their programming and drive me crazy. About all that those 3 pieces of paper allow me to do is to make up good analogies that the customers can understand. I find it easier to give instances on what they do as to why the computers are doing what they are. Though I might have some issues with the High Sciences types as they get very specialized in what they do. ;) Col

Michael Kassner

During our talks, Paul mentioned several times how academics with multiple PhDs were distraught at not being able to understand computers. Paul would reply that he doesn't get what the Higgs Boson is, so they are even.

Michael Kassner

Was stated by all the experts as the most important deterrent.

HAL 9000

"Trust me I'm a Doctor." Doesn't work with me, but he finds it hard to understand why so many people treat him as a God. If I was to even speak to him as I do at his Home in a Hospital, the Nursing Staff would jump on me from great heights because he's a "Doctor" and as such knows all that there is to know. I'm in no way implying that he's anything but very good and knows all he needs to know about his chosen profession, but it's a perfect example of how someone who is highly intelligent knows Bugger All once they step outside their chosen field. He also finds it hard to understand how I can tell him step by step instructions off the top of my head about a problem he's having but at the same time don't know half the names of the bones in a Human Body. He's constantly asking me how I know so much and my best reply so far is I don't know, how do you know so much? Besides, "Common Sense" is subjective; after all, just how sensible is it to click on Start to shut down a Windows Computer? :^0 I do however tend to agree that there are way too many people who are otherwise sensible sane people who turn into "Massive Problems" when they get between a Keyboard and a chair. ;) Col

bboyd

weak will and convenience... evil and incompetence, same pair. In physics all particles seem to have an antiparticle to match. In the observable universe most anti-particles are very rare. I'm starting to think good sense and effort are antiparticles.

Michael Kassner

I realized the connection after I posted it. I then decided to see if anyone would call me out. Good job.

AnsuGisalas

I am pretty sure you've known him for at least a byte, now. :^0

Michael Kassner

I've known you for a bit now (digitally) and you have a lot of sense. So there.

AnsuGisalas

That's no defense at all, because gaining control over the cloud account will gain immediate control over the entire pay dirt.

AnsuGisalas

That had absolutely nothing to do with anything. What would be appropriate is to compare an armored vehicle for transporting Marines that's EITHER big enough for a squad OR big enough for a company. That last one is going to be harder to defend.

Alex Gerulaitis

SaaS, cloud, thin, they all share it: gaining admin privileges to the local device does not necessarily compromise the remote device as a whole. It's a great defense against military grade malware! It's been proven in fact when Google caught hackers that broke into some Gmail accounts (of Chinese dissidents, emigrants, etc.) and restored the security of those accounts. Could not have happened with your average Outlook user. Hey, if thin computing is not your cup of tea - no problem, don't drink it. Acknowledging at least some security benefits of thin computing against military grade malware goes a long way in a productive discussion - even if not fully related to the article's topic (anti-malware useless against it). Cheers.

Alex Gerulaitis

"Large targets are always harder to defend" Oh sure, which is why the marines are asked to spread out and sleep outside the FOB rather than inside of it.

AnsuGisalas

Large targets are always harder to defend, and easier to take out... because, if you had read the article, you'd know that there is no defense against a military onslaught; only damage control. A cloud provider must have many entry points... that's what their business is about after all. They also can't very well limit what apps their clients run, since that is also what their business is about. On your local network, the machines only have the means of linking up that you provide them with... even military malware cannot create network capability where there is none. That's the final line of defense, pull the router, and with a cloud solution you don't have that. And on a cloud solution, someone can actually take over your data without even moving it off site.

Michael Kassner

Well Alex, you must be a younger professional. Cloud computing is nothing new. Historically it appears that we are on yet another cycle like neck-tie size. Single point of failure was given as the reason to switch to the PC originally.

Michael Kassner

That was not the reason for this article. The title says what I was pointing out. And thin client computing is quite different than SaaS, you need to decide which you are referring to.

Alex Gerulaitis

> but the point about the size of the target is true

Of course it is. Yet consolidation is always a resource-saver: consolidated targets are always easier to protect unless they are disposable. (Yet where data is concerned, nothing is disposable.) Distributed data centers - do they consist of a gazillion easy-to-breach small sites, or of a smaller number of larger and harder-to-breach ones? Why do you think that is? Of course personal computing is not fully ready for thin computing - I just really don't get this resistance: "20 years ago thin computing was bullcrap" "Woz said that security-wise, cloud computing is bullcrap" "I personally think cloud computing is bullcrap" "Apple iCloud just got hacked!" Nice! Clearly a host of scientific evidence points to a pile of bullcrap... :)

Michael Kassner

To the issues I was referring to. The bad guys would prefer thin-client computing, in the same way they prefer cloud computing -- one-stop shopping.

AnsuGisalas

What's thin? The whole thing, or just the apps? Where is the data? Are we only concerned with local execution, or do we also have to consider the security of transmissions? I mean, if local execution is all we're concerned about, then obviously thin computing is GREAT... but the point about the size of the target is true. There is no guarantee that the widespread deployment of thin computing won't simply shift the malicious efforts to focus on the servers instead. And then the harm caused by a single failure will be so much greater that it might even out the increased rarity of failures.

Michael Kassner

Thin computing is something to consider, but as one with clients who used it when it was popular, I remember it having a whole different set of issues that were far worse than where we are today.

Alex Gerulaitis

This is a very substantial approach, HAL 9000, and totally unbiased. :) You may see what you want; however, only after we gather significant statistics for security breaches vs. usage, with major cloud SaaS providers and all local access, then perhaps we can talk security. Until then it's all smoke and mirrors and personal biases. My point remains: is thin computing a possibility as a security mechanism? If so, why wasn't it mentioned or assessed in the article about security?

HAL 9000

Is you have no idea who else is using that Cloud Provider, and it only needs one person who is being tracked by a Government Department to use that Cloud Service to cause it to be attacked and suffer. It would incidentally mean that everyone who uses that Cloud Provider is also being scanned. While in theory the Cloud is more secure, as it has a single point of attack and doesn't require thousands or millions of Local AV Products with Live Protection, only the one, it also means that when it is Infected it affects the Thousands or Millions and as such is a Juicier Target for the Bad Guys to attack. Personally I see the Cloud as a Security Problem that makes things worse, not better. ;) Col
