Traditional antivirus technology becoming increasingly
by Alan Zisman (c) 2010
First published in Business in Vancouver, October 12-18, 2010 issue #1094, High Tech Office column
If you’re running a Windows PC, you’re protected by antivirus software,
aren’t you? In many cases, you’re running Symantec’s Norton Antivirus,
either on its own or in one of its corporate or security suite
Greg Leah, malware analyst with Symantec’s Hosted Services (formerly
MessageLabs), was recently in Vancouver speaking to the Virus Bulletin
conference. His message? Your antivirus solution – even Norton
Antivirus – is increasingly ineffective against today’s threats.
Traditional desktop and network antivirus products work by scanning
suspicious files for “signatures,” patterns of suspicious programming
code listed in frequently updated “virus definition” databases.
Here’s what needs to happen: users receive an email with a suspicious
attachment that isn’t flagged by their antivirus software. They forward
the attachment to their antivirus vendor, who tests it and, if it’s
found malevolent, adds its signature to the antivirus software
definitions. Lag time: anywhere from six hours to a couple of days,
with still more time lost before users download the updated definition
file. Eventually, their antivirus software will block the virus.
Other users then opened the attachment – after all, it wasn’t flagged
by their antivirus software. Their computers were infected and, as part
of the infection, sent email attachments with copies of the virus to
other users. Antivirus software was always a bit behind the viruses
that were out there, but most of the time, it kind of worked.
Leah suggests that this is no longer the case. Part of the problem:
modern viruses are often “polymorphic,” able to change their code so
that they look different to the antivirus software, even though their
underlying nasty functions remain the same.
Each new version of the virus requires addition of a new signature to
the virus definition database. The Bredolab worm accounted for more
than 20% of the malware identified by Symantec in June 2009; mutated
versions of Bredolab were still causing more than 15% of identified
infestations the following May.
One result: a rapid growth in the number of signatures contained in the
Symantec added nearly 1.7 million new virus signatures in 2008. In
2009, some 2.9 million more were created – a 71% increase.
To make matters worse, mass attacks now happen faster and may only last
for a few minutes.
By the time a virus’ signature has been identified and added to the
database, the attack is long over.
In an example studied by MessageLabs, one variant of Bredolab was
distributed for only 28 minutes; it took antivirus vendors an average
of 11 hours to add it to their signature files, too late to be
Another worrisome trend, according to Leah: targeted attacks – emails
with malicious attachments sent to only a few carefully chosen targets.
An example was the January 2010 Aurora attacks, aimed at employees of
Google, Adobe and 32 other companies. Among the targets: financial
institutions and (U.S.) defence contractors.
One solution to both sorts of attacks – what antivirus vendors refer to
as “heuristics”: identifying viruses by what they do rather than what
their code looks like. Most standard antivirus products now include
these capabilities. Leah suggests, though, that even with added
heuristic capabilities, traditional products continue to have problems
due to the lag between creating updates and getting them out to users.
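To make the contrast between signature scanning (matching byte patterns from a definition database) and heuristics (judging a program by what it does) concrete, here is an added toy example in Python. It is not code from the column, from Symantec or from MessageLabs; the two "variants", the definition database, the behaviour traces and the rule weights are all constructed for the example. Variant B has the same behaviour as variant A but different bytes, so the byte signature misses it while the behaviour rules (persistence via an autorun key, dropping an executable into the system directory, mailing to many recipients) still catch it.

```python
"""Signature scanning versus behaviour-based heuristics, as a toy.

Every sample, signature, trace and rule here is constructed for this
example; none of it comes from Symantec, MessageLabs or any real product.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# ---- 1. Signature-based detection ------------------------------------------
# A "virus definition" database: byte pattern -> detection name (constructed).
SIGNATURE_DB: Dict[bytes, str] = {
    b"MAILBOMB-7f3a\x00\x01": "Toy.Worm.A",
}


def signature_scan(sample: bytes) -> List[str]:
    """Return the name of every definition whose byte pattern occurs in sample."""
    return [name for pattern, name in SIGNATURE_DB.items() if pattern in sample]


# Two constructed "executables". Variant B behaves exactly like A, but its body
# was rewritten so the bytes the definition looks for never appear in it.
VARIANT_A = b"MZ\x90\x00" + b"\x00" * 8 + b"MAILBOMB-7f3a\x00\x01" + b"\xcc" * 8
VARIANT_B = b"MZ\x90\x00" + b"\x00" * 8 + b"\x4d\x11\x5a\x22\x19\x03\x7e" + b"\xcc" * 8


# ---- 2. Behaviour-based (heuristic) detection ------------------------------
@dataclass(frozen=True)
class Event:
    """One action observed while the sample ran (what a sandbox would log)."""
    api: str     # e.g. "WriteFile", "RegSetValue", "SendMail"
    target: str  # file path, registry key or mail recipient


def _distinct_recipients(trace: List[Event]) -> int:
    return len({e.target for e in trace if e.api == "SendMail"})


# (rule name, weight, predicate over the whole trace). Weights are constructed.
HEURISTIC_RULES: List[Tuple[str, int, Callable[[List[Event]], bool]]] = [
    ("persists-via-autorun", 4,
     lambda t: any(e.api == "RegSetValue" and "\\CurrentVersion\\Run\\" in e.target
                   for e in t)),
    ("drops-exe-in-system-dir", 3,
     lambda t: any(e.api == "WriteFile" and e.target.lower().startswith("c:\\windows\\")
                   and e.target.lower().endswith(".exe") for e in t)),
    ("mass-mails", 5, lambda t: _distinct_recipients(t) >= 20),
]

MALICIOUS_THRESHOLD = 7
SUSPICIOUS_THRESHOLD = 4


def heuristic_score(trace: List[Event]) -> Tuple[int, List[str]]:
    """Sum the weights of every rule the trace triggers; also return their names."""
    fired = [name for name, _, pred in HEURISTIC_RULES if pred(trace)]
    score = sum(w for name, w, _ in HEURISTIC_RULES if name in fired)
    return score, fired


def classify(score: int) -> str:
    if score >= MALICIOUS_THRESHOLD:
        return "malicious"
    if score >= SUSPICIOUS_THRESHOLD:
        return "suspicious"
    return "clean"


def scan(sample: bytes, trace: List[Event]) -> dict:
    """Combine both methods: a signature hit is conclusive, otherwise use behaviour."""
    hits = signature_scan(sample)
    score, fired = heuristic_score(trace)
    verdict = "malicious" if hits else classify(score)
    return {"signature_hits": hits, "score": score, "fired": fired, "verdict": verdict}


# ---- Constructed traces ----------------------------------------------------
def worm_trace(recipients: int) -> List[Event]:
    """What both variants do when run: copy self, persist, mail itself to many people."""
    return [
        Event("WriteFile", "C:\\Windows\\System32\\toyworm.exe"),
        Event("RegSetValue", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\toyworm"),
    ] + [Event("SendMail", f"user{i}@example.com") for i in range(recipients)]


BENIGN_TRACE = [  # a text editor saving a document and mailing it to one colleague
    Event("WriteFile", "C:\\Users\\alice\\Documents\\report.docx"),
    Event("SendMail", "bob@example.com"),
]

if __name__ == "__main__":
    for label, sample in (("variant A", VARIANT_A), ("variant B", VARIANT_B)):
        print(label, scan(sample, worm_trace(40)))
    print("benign", scan(b"MZ\x90\x00", BENIGN_TRACE))
```

Running it shows variant A caught by both methods, variant B caught only by the behaviour rules, and the benign trace scoring zero. The lag the column describes is the time between variant B first appearing and a second definition entry being added; the heuristic rules need no such update, which is the point Leah makes, at the cost of having to choose thresholds that do not flag legitimate mass-mailing software.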
MessageLabs’ solution: move the antivirus scanning online “to the
cloud.” When its scanner is updated, the new version goes into effect
immediately for all clients.
In examining server data, MessageLabs suggested that its online
heuristic scanner was identifying and blocking an Adobe PDF
vulnerability nearly a month before the vulnerability was announced –
and nearly two months before Adobe released a patch for it.
Leah’s conclusion: even as traditional signature-based antivirus
software becomes increasingly ineffective against modern mass email and
targeted attacks, software using heuristic techniques can fill the gap,
while moving antivirus services online can ensure that users always
have access to up-to-date protection.