
Traditional antivirus software is useless against military malware

Antivirus programs are obsolete. In that case, what are we supposed to do? Learn what the security community has to say.

Do not go on the Internet unprotected. If you do, you'll regret it. Advice like that is common everyday fare. What follows is not:

"What this means is that all of us had missed detecting this malware for two years, or more. That's a spectacular failure for our company, and for the antivirus industry in general."

That's from "Why antivirus companies like mine failed to catch Flame and Stuxnet," a recent post by Mikko Hypponen, Founder and Chief Research Officer of F-Secure -- a significant player when it comes to protecting digital equipment.

Statements like that aren't normal for Mikko (see his TED talk); the well-regarded computer-security guru is typically upbeat about things digital. I contacted Mikko asking if he had any further thoughts:

"Regular antivirus works fine for the regular malware out there. It doesn't work well against government-funded super-malware. How likely is it you may be targeted by super-malware? I guess it depends on what you're doing.

Bullet-proof vests and helmets work fine against a street robber who is out to get anyone he can find. They don't work well against a government assassin who is out to get you and only you. How likely is it that you may be targeted by a government assassin? I guess that also depends on what you're doing."

Mikko is referring to the new family of stealthy malware (I've seen it called military malware and super-malware) that includes Stuxnet, Duqu, and Flame. In gathering facts for this article, I found this was not the first time people had questioned traditional antivirus programs.

I'd like to introduce Paul Schmehl, Senior Information Security Analyst at the University of Texas-Dallas. Paul, a fine writer, penned "Past its Prime: Is Antivirus Scanning Obsolete?" for SecurityFocus. The lead paragraph:

"The title and topic of this article is clearly controversial. It is guaranteed to get a strong reaction from the antivirus industry, which is firmly convinced it sees clear sailing ahead. So, is antivirus scanning obsolete? In a word, yes, but don't throw out your scanner."

It seems Mikko is not alone and not the first. Paul wrote that 10 years ago.

The final person I'd like to introduce is Bruce Schneier. Bruce is highly regarded when it comes to any kind of security. To see what I mean, check out Bruce's new book, Liars and Outliers. In 2009, Information Security Magazine carried "Is Antivirus Dead?", a point/counterpoint discussion between Bruce and Marcus Ranum. Bruce had this to say:

"Yes, antivirus programs have been getting less effective as new viruses are more frequent and existing viruses mutate faster. Yes, antivirus companies are forever playing catch-up, trying to create signatures for new viruses. Yes, signature-based antivirus software won't protect you when a virus is new, before the signature is added to the detection program. Antivirus is by no means a panacea."

To be fair, all three feel antivirus applications have their place, but the signature-based methodology those programs rely on appears less than adequate.

Playing catch-up

During our phone conversation, Paul likened the problem facing traditional antivirus programs to the "Whac-A-Mole" game, where a pretend mole pops up and the contestant tries to smack the poor critter before it disappears. Paul explains the similarity:

"Anti-virus scanning is based on Newton's law; for every action there is an equal and opposite reaction. Each time a new virus, or a new viral approach is discovered, anti-virus scanners must be updated."

Paul continues:

"It isn't hard to see there is a point of diminishing returns, where updating is no longer feasible because testing takes too long. At that point, customers begin to look for other solutions to overcome malicious threats."

Any hope?

Bruce and Paul have ideas as to what can be done to improve the situation. I'll start with Paul. Back in 2002, he was excited about something called Behavioral Blocking. I'll let him explain:

"The solution is to run unproven programs in a protected, virtual environment. This will allow the program to perform all functions it normally would, both during installation and after it is running normally. Each action the program takes can be compared against a set of rules, and rated as to its likelihood of being malicious or not.

Programs that rate above a certain number or perform certain actions would be automatically deleted. Those in a lower range would be quarantined so that security administrators could examine them more closely. The rest would simply be passed back to the network intact."
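As an added example (not Paul's code, nor any vendor's), here is a toy version of that three-band verdict scheme in Python: a sandbox trace of the actions an unknown program took is scored against a rule set, and the total decides delete, quarantine or pass. The action kinds, rule weights, thresholds and the three traces are all assumptions constructed for illustration.

```python
"""Toy behavioural-blocking verdict engine (added example, not from the
article or from any product). Each action observed in the sandbox is
rated against a rule set; the sum decides delete / quarantine / pass,
and a few action kinds trigger deletion outright. Rules, weights,
thresholds and traces are assumptions chosen for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    kind: str     # e.g. "file_write", "registry_set", "net_connect", "process_inject"
    target: str   # path, registry key, host:port or process name


@dataclass(frozen=True)
class Rule:
    kind: str
    pattern: str  # regex applied to the target, case-insensitive
    weight: int


# Hypothetical rule set (assumption): weights encode how suspicious each
# observed action is. A real product would ship thousands of these.
RULES = (
    Rule("file_write",     r"\\windows\\system32\\",     40),
    Rule("file_write",     r"\.exe$",                     15),
    Rule("registry_set",   r"\\currentversion\\run\\",    30),
    Rule("net_connect",    r":(80|443)$",                  5),
    Rule("net_connect",    r":(6667|4444)$",              25),
    Rule("process_inject", r".*",                         50),
)

# "Perform certain actions": these are deleted regardless of total score.
ALWAYS_DELETE = {"process_inject"}

DELETE_THRESHOLD = 70
QUARANTINE_THRESHOLD = 30


def rate_action(action: Action) -> int:
    """Highest weight of any rule that matches this action (0 if none)."""
    best = 0
    for rule in RULES:
        if rule.kind == action.kind and re.search(rule.pattern, action.target, re.IGNORECASE):
            best = max(best, rule.weight)
    return best


def score_trace(trace) -> int:
    """Total suspicion score for a sandbox trace."""
    return sum(rate_action(a) for a in trace)


def verdict(trace) -> str:
    """delete / quarantine / pass, following the three bands in the text."""
    if any(a.kind in ALWAYS_DELETE for a in trace):
        return "delete"
    score = score_trace(trace)
    if score >= DELETE_THRESHOLD:
        return "delete"
    if score >= QUARANTINE_THRESHOLD:
        return "quarantine"
    return "pass"


# Constructed sandbox traces (not real samples).
BENIGN_INSTALLER = [
    Action("file_write",   r"C:\Program Files\Notepad2\notepad2.exe"),
    Action("registry_set", r"HKLM\Software\Notepad2\InstallDir"),
    Action("net_connect",  "updates.example.invalid:443"),
]
GREY_UPDATER = [
    Action("file_write",   r"C:\Users\alice\AppData\Local\Temp\setup.exe"),
    Action("registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Action("net_connect",  "cdn.example.invalid:80"),
]
DROPPER = [
    Action("file_write",   r"C:\Windows\System32\svchosts.exe"),
    Action("registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchosts"),
    Action("net_connect",  "203.0.113.7:4444"),
]
INJECTOR = [Action("process_inject", "explorer.exe")]

if __name__ == "__main__":
    for name, trace in [("installer", BENIGN_INSTALLER), ("updater", GREY_UPDATER),
                        ("dropper", DROPPER), ("injector", INJECTOR)]:
        print(f"{name:10s} score={score_trace(trace):3d} verdict={verdict(trace)}")
```

The benign installer still scores 20 because writing an .exe is what installers do; pushing the weights up to catch more droppers raises that floor too, which is the false-positive trade-off any behavioural scheme has to tune.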

Paul feels this approach has some merit. Behavioral blocking has not gathered much momentum among other security experts, but an approach called whitelisting has. According to Bruce:

"Security would be improved if people used whitelisting programs such as Bit9 Parity and Savant Protection -- and I personally recommend Malwarebytes' Anti-Malware."

Even with their optimism, both caution that whitelisting has issues:

  • It is not user-friendly.
  • Administrative overhead from change requests and software additions.
  • No way to handle malware that attaches to data files.
  • It is not difficult to rename files, which defeats any whitelist keyed on file names.

Besides behavioral blocking and whitelisting, there are startup companies chipping away at the problem, CrowdStrike and Shape Security for example. Both make interesting claims and have received significant funding, but neither company will release information about its technology.

Update: I just received an email from Mikko; he felt it important to clarify the following: "One point about Whitelisting: Practically every Windows whitelisting app allows executing unknown executables if they are signed by Microsoft (otherwise Windows patching would fail). That's fine -- except Flame was signed by Microsoft."
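To make the renaming caveat and Mikko's signed-by-Microsoft exception concrete, here is an added example (not the article's code, nor code from Bit9, Savant Protection or Malwarebytes) of an allowlist keyed on the SHA-256 of a file's contents rather than on its name, with a trusted-publisher exception of the kind Mikko describes. Real signature verification is out of scope: the signer is passed in as metadata, an assumption made so the example runs offline, and the file bytes and publisher name are constructed.

```python
"""Hash-based application allowlist with a publisher exception (added
example; not from the article or any product). Shows that renaming a
file does not change its verdict, that a one-byte change does, and that
a blanket trusted-publisher rule admits anything carrying that signer.
Signature checking is not implemented: `signer` is caller-supplied
metadata (assumption). File contents are constructed stand-ins."""
import hashlib
import os
import tempfile
from typing import Optional


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Allowlist:
    def __init__(self, trusted_publishers=()):
        self.hashes = set()
        self.trusted_publishers = set(trusted_publishers)

    def approve(self, path: str) -> str:
        """Record a vetted binary by content hash (the change-request step)."""
        digest = sha256_file(path)
        self.hashes.add(digest)
        return digest

    def decide(self, path: str, signer: Optional[str] = None) -> str:
        """Verdict for an execution attempt: allow:hash, allow:publisher or block."""
        if sha256_file(path) in self.hashes:
            return "allow:hash"
        if signer is not None and signer in self.trusted_publishers:
            return "allow:publisher"   # the exception Mikko describes
        return "block"


def allowlist_demo() -> dict:
    """Run the four scenarios from the text and return their verdicts."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "tool.exe")
        with open(good, "wb") as f:
            f.write(b"MZ...constructed stand-in for an approved binary")
        # Hypothetical publisher name (assumption) standing in for a cert chain.
        wl = Allowlist(trusted_publishers={"Microsoft Corporation"})
        wl.approve(good)
        results["approved"] = wl.decide(good)

        # Renaming changes nothing the allowlist keys on.
        renamed = os.path.join(d, "totally_different_name.exe")
        os.rename(good, renamed)
        results["renamed"] = wl.decide(renamed)

        # A single appended byte changes the hash: blocked.
        with open(renamed, "ab") as f:
            f.write(b"\x90")
        results["modified"] = wl.decide(renamed)

        # ...unless it carries a trusted signer: the Flame gap.
        results["modified_but_trusted_signer"] = wl.decide(renamed, signer="Microsoft Corporation")
    return results


if __name__ == "__main__":
    for scenario, outcome in allowlist_demo().items():
        print(f"{scenario:28s} {outcome}")
```

Note what this gate does not cover: it only runs when something is executed, so malware carried inside a data file (the third bullet above) never reaches `decide()`, and the publisher rule is a policy decision, not a bug, which is why a stolen or mis-issued certificate walks straight through it.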

Final thoughts

Unless I missed something, I do not see any effective technical solutions at this time. I asked Paul and he agreed. Paul added that, working at a teaching institution, it was only natural for his department to focus on educating students and faculty about computer security. I asked Paul if they had noticed any improvements. Paul enthusiastically replied, "Better than they had hoped."

As I hung up the phone, I remembered an article by TechRepublic writer, Chad Perrin, "Teach a man to fish."


84 comments
a1computers.ie

Great article Michael...but yet if we could get more people to keep their computers secure with updated, good-quality antivirus software, that would be a very good start to making it harder for cybercrime to be profitable.

tonypmartin

Whilst MAC may not be currently built into most OSs, it surely does offer the possibility of a greater level of control over what rogue software can be allowed to do, and indication of rogue software at work. What about SELinux? (when correctly configured)

dgoodale

I was just reminded of when I used to install software on Terminal Servers. I had to install the software using "Install Mode". Maybe they could use a similar approach to make our computers more secure. When you wanted to install software, they could write the OS so you had to literally reboot, run a separate software installation OS, and then reboot and go back into protected mode. Or how about physical write protection? SD cards have write protection switches. Put the OS on a physically write protected hard drive.

Wunderbarb

Twenty years ago, IBM introduced a three-level classification of attackers:

  • Level 1 are moderately skilled people with no specialized tools (script kiddies).
  • Level 2 are skilled experts with access to specialized tools (garage hackers).
  • Level 3 are funded attackers who can hire the best experts and create their own dedicated tools (government, mafia...).

Each time you design a security solution, you must define against whom you defend. Clearly, antivirus is against level 1 and partly level 2. Level 3 is totally out of its scope. Now, to be honest, I do not believe there are a lot of commercial solutions that would resist level 3. Perhaps a few in hardware, but probably not in software.

But your discussion was more about the cat & mouse game of AV, rather than about military malware. And here also, signature-based AV is by construction purely reactive. It can only act once the virus has become known, analyzed and fingerprinted. The race is inherent to its construction. The behavioral approach is more interesting but comes with a huge risk of false positives. If the rate of false positives is too high, then people will not use it, or will disable it. In any case, remember law 1: Attackers will always find their way.

The IBM paper is D.G. Abraham, G.M. Dolan, G.P. Double, and J.V. Stevens, "Transaction security system," IBM Syst. J., vol. 30, 1991, pp. 206–229, available at http://portal.acm.org/citation.cfm?id=103494.103495.

Greenknight_z

Antivirus isn't obsolete, but it's inadequate - and it has been for years. As I said years ago in another forum, where security is critical you should run a live CD (or DVD or thumb drive) or a virtual machine with frequent backup images. For online gaming and casual browsing in Windows, a traditional antivirus/antispyware/antimalware combo is needed. I run such an array of security apps in Windows, and browse in Firefox with NoScript, and I haven't had a malware infection in years. However, for online banking I use a Puppy Linux live CD. Other Linux distros would work, too, but Puppy is small and handy - and it can save your sessions to the CD, DVD, or flash drive, with encryption if desired.

skp14

Surf in non-administrator--limited user account and you're safe as a bee in its hive!

langstonha

In today's IT environment I think we will always have viruses that will not be detected. It's just the nature of the beast. I've started thinking about sandboxing as a way to head off the next virus I get.

Alex Gerulaitis

Is there a reason thin computing is not mentioned as a panacea against military-grade viruses? If your apps reside on a server (local or cloud) and your "modify" permissions only apply to data sets (but never executables), what are the chances of a contagious infection? Sure, "pro" grade video editing and similar apps still need to be locally installed (although that is already changing) - yet what is the percentage of devices out there that need locally installed apps?

cjame0966

I would like to reply to Michael Kassner's assertion that Malwarebytes is an effective program to find malware on a computer. I had Malwarebytes and Microsoft Security Essentials installed, but that DID NOT prevent a whole slew of malware and viruses from infecting my computer and creating havoc. I discovered the extent of the infection when I downloaded and installed Advanced System Care with Antivirus 2013 and ran a full scan. There were 9,798 pieces of malware on my computer! I feel this program saved my computer from the trash heap, because I was considering buying another one because mine was so messed up. I had tried to fix it numerous times, without success. I will NEVER use Malwarebytes again.

kevlar700

Yet Linux has whitelisting for all packages almost anyone would likely want by default, with strong cryptographic protections. You can take a risk with the latest unsanctioned packages if you wish, though you'll need to do a little more than download and click. It's not just military; it has been well known for years and years that anyone can recompile an existing virus to avoid antivirus scanners, which is what heuristics attempt to combat. Linux/Unix has had tripwire-type systems which notify you of any baseline changes for years. Useful on more static, secure systems like OpenBSD, but does nothing for changes in memory until a reboot. Linux raises the bar for memory-invading exploits by offering fast system-wide updates too. An easy-to-look-after version of Linux may be far from infallible, but it's right to raise the security bar above **** poor.

GSG

Nope, just about as far from it as you can get, so there may already be something out there like what I'm going to describe and I just don't know it. At a corporate level, is there something that would take a baseline of a system, and periodically compare that baseline to the current state? Then if you added approved software, or installed an approved update, a new baseline is taken? Of course, that wouldn't necessarily help with Flame, since it had a Microsoft certificate; it probably came through approved channels.
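For the baseline-and-compare question in the post above (and the tripwire-type systems kevlar700 mentions two posts earlier), here is an added example, not the article's code or any product's: snapshot a directory tree by content hash, diff it against the last approved baseline to report what was added, removed or changed, and accept the current state as the new baseline after an approved install. The directory layout and file contents are constructed for the demo.

```python
"""Baseline-and-compare file integrity check, tripwire style (added
example; not from the article, Tripwire, or any product). snapshot()
hashes every file under a root; compare() reports drift against the
approved baseline; baseline_demo() walks through one constructed
scenario: clean check, approved update, re-baseline, unapproved change."""
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map each file under root (relative POSIX-style path) to its SHA-256."""
    state = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                state[rel] = hashlib.sha256(f.read()).hexdigest()
    return state


def compare(baseline: dict, current: dict) -> dict:
    """Sorted lists of paths added, removed or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def baseline_demo() -> list:
    """Return the three diff reports produced during the constructed scenario."""
    reports = []
    with tempfile.TemporaryDirectory() as root:
        def put(rel: str, data: bytes) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        # Constructed initial state, then the approved baseline.
        put("bin/app.exe", b"original app")
        put("etc/app.conf", b"verbose=0\n")
        baseline = snapshot(root)

        # 1. Periodic check with nothing changed: empty report.
        reports.append(compare(baseline, snapshot(root)))

        # 2. Approved update patches app.exe and adds a helper; the check
        #    flags it, and the administrator accepts it as the new baseline.
        put("bin/app.exe", b"patched app")
        put("bin/helper.dll", b"helper")
        reports.append(compare(baseline, snapshot(root)))
        baseline = snapshot(root)

        # 3. Unapproved drift: config edited, stray binary dropped.
        put("etc/app.conf", b"verbose=0\nallow_remote=1\n")
        put("tmp/svchosts.exe", b"dropper")
        reports.append(compare(baseline, snapshot(root)))
    return reports


if __name__ == "__main__":
    for i, report in enumerate(baseline_demo(), 1):
        print(f"check {i}: {report}")
```

Two limits follow directly from the design: it sees only what is on disk, so in-memory changes go unnoticed until something is written (kevlar700's point), and whatever arrives through an approved update is folded into the next baseline, which is exactly why a Microsoft-signed Flame would have been accepted (GSG's point). Store the baseline off-box or on read-only media; an attacker who can rewrite it can rewrite the verdict.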

TNT

Michael, great article as always. I recommend (in addition to definitions-based anti-virus) ThreatFire. It's a free behavioral analysis tool that watches what is going on with your PC. For example, if it sees the email port is in use but the email application is closed, it investigates and finds the app that is using it. I also recommend Comodo Anti-virus as it has its own sandbox you can run new programs in to test if they are infected or not. I've been a fan of F-Secure products since 2005 as well.

AnsuGisalas

Whitelisting is all well and good for corporates (or rather, it's hard enough to make work for a corporate environment), but for private people it's a no go. It defeats the very purpose of owning a computer: exploring, sampling new things. Behavioral blocking of course has the downside of being so complex that one has to simply blindly trust that it performs as required (whereas a whitelist is dirt simple). In the end, the only solution to government malware is to ban the government.

pgit

Well, I abandoned the corporate aviation business at the pinnacle of its golden age; looks like the personal computer biz has reached that turning point now that the big bucks are being thrown at the dark side of the equation. Maybe I'll give pet-sitting a try. The critters seem to like me...

Craig_B

A few thoughts: If the originator of the software/hardware is working with an entity, such as a government (especially if the software is closed source) then we don't have any real security, only a trust with the originator of the software/hardware. Assuming we can trust the originator and the process of delivering the software unchanged to the end user, it seems we need a better engineered OS so that we have layers of protection with the kernel being invulnerable to basic application malware. That is, application malware could get on a system but not take it over the core system. It can be frustrating; for everything of beauty that mankind creates, mankind also creates the destruction of it.
