
Anti-Virus, the Cloudmark way

Editorial Type: Opinion     Date: 09-2014    Views: 3335   

Is there any way to defend against malware that is undetectable once it reaches your computer? The answer is 'yes', says Andrew Conway - lead software engineer at Cloudmark, who explains exactly how.

As a computer security researcher for Cloudmark, I regularly have to investigate files that may contain malware. My first step is usually to upload the file to a website called VirusTotal. This tests the file using all the common anti-virus packages (more than fifty of them) and indicates if any of them flag the file as malicious.

When any of them does, often only one or two of the fifty detect a threat, and rarely do more than half of them agree that malware is present. This means that, even if you have an up-to-date anti-virus package installed on your PC, the chances of it detecting any given virus are less than half.

This was confirmed earlier this year by an interview that Brian Dye, Symantec's senior vice president for information security, gave to the Wall Street Journal. "Anti-virus is dead," he said, pointing out that hackers increasingly use novel bugs. He estimates that anti-virus now catches just 45% of cyberattacks.

LACK OF FAITH
In a somewhat more flamboyant fashion, last year John McAfee, founder of the anti-virus company that still bears his name, showed his lack of faith in its current product (he left the company in 1994) by publishing a somewhat NSFW ('Not Safe For Work') YouTube video giving instructions on how to uninstall it.

Though the earliest computer virus was written for the Apple II in 1982, malware did not become a serious problem until the nVIR virus started to spread on Macintosh computers in 1987. At the time, malware for MS-DOS was still rare. However, when Windows began to dominate the market, malware authors switched their attention to that platform. This was before widespread Internet use, and most malware was spread by infected floppy disks.

Symantec published some of the first commercial anti-virus software, with a product for the Mac in 1989 and one for the PC in 1991. Last year, Symantec had $6.9 billion in revenues and is one of the largest companies in the computer security field. So why is a company with vast resources and decades of experience in anti-virus software admitting that one of its flagship products is failing? And is there any way left to protect the end user against virus attacks?

Security blogger Brian Krebs explains how cyber criminals are coming up with 'novel bugs' that are undetectable by anti-virus software: "Put simply, a crypting service takes a bad guy's piece of malware and scans it against all of the available anti-virus tools on the market today - to see how many of them detect the code as malicious.

The service then runs some custom encryption routines to obfuscate the malware so that it hardly resembles the piece of code that was detected as bad by most of the tools out there. And it repeats this scanning and crypting process in an iterative fashion until the malware is found to be completely undetectable by all of the anti-virus tools on the market."

ANTI-VIRUS IN ACTION
A traditional anti-virus service relies on a process of several steps to block malware. First, the anti-virus company must obtain a copy of a new threat, and preferably several copies, as some viruses are polymorphic - that is, each copy is generated by a program that introduces slight variations that do not change the functionality but make the file difficult to fingerprint. The anti-virus company examines the new specimens in the lab and tries to come up with a signature that is common to all the versions without generating false positives when run against other executables or binary files.

The signature gets added to the company's database and is made available for automatic download by client anti-virus applications. This can happen days or sometimes weeks after the malware sample was originally discovered. No wonder anti-virus software has a hard time keeping up with malware that its authors mutate, trivially and far more frequently, to stay ahead of each new signature.
