
Business in Vancouver

Traditional antivirus technology becoming increasingly ineffective

by Alan Zisman (c) 2010. First published in Business in Vancouver, October 12-18, 2010 issue #1094, High Tech Office column

If you’re running a Windows PC, you’re protected by antivirus software, aren’t you? In many cases, you’re running Symantec’s Norton Antivirus, either on its own or in one of its corporate or security suite incarnations.

Greg Leah, malware analyst with Symantec’s Hosted Services (formerly MessageLabs), was recently in Vancouver speaking to the Virus Bulletin conference. His message? Your antivirus solution – even Norton Antivirus – is increasingly ineffective against today’s threats.

Traditional desktop and network antivirus products work by scanning files for “signatures”: byte patterns lifted from known malicious code and listed in frequently updated “virus definition” databases. If the pattern isn’t in the database, the scanner has nothing to match.

Here’s how that process has traditionally worked: users receive an email with a suspicious attachment that isn’t flagged by their antivirus software. They forward the attachment to their antivirus vendor, which tests it and, if it’s found malevolent, adds its signature to the antivirus definitions. Lag time: anywhere from six hours to a couple of days, with still more time lost before users download the updated definition file. Eventually, their antivirus software will block the virus.

Meanwhile, other users open the attachment – after all, it wasn’t flagged by their antivirus software. Their computers are infected and, as part of the infection, send email attachments with copies of the virus to still more users. Antivirus software was always a bit behind the viruses that were out there, but most of the time, it kind of worked.

Leah suggests that this is no longer the case. Part of the problem: modern viruses are often “polymorphic,” able to change their code so that they look different to the antivirus software, even though their underlying nasty functions remain the same.

Each new version of the virus requires the addition of a new signature to the virus definition database. The Bredolab trojan accounted for more than 20% of the malware identified by Symantec in June 2009; mutated versions of Bredolab were still causing more than 15% of identified infestations the following May.

One result: a rapid growth in the number of signatures contained in the antivirus databases.

Symantec added nearly 1.7 million new virus signatures in 2008. In 2009, some 2.9 million more were created – a 71% increase.

To make matters worse, mass attacks now happen faster and may only last for a few minutes.

By the time a virus’ signature has been identified and added to the database, the attack is long over.

In an example studied by MessageLabs, one variant of Bredolab was distributed for only 28 minutes; it took antivirus vendors an average of 11 hours to add it to their signature files, too late to be effective.

Another worrisome trend, according to Leah: targeted attacks – emails with malicious attachments sent to only a few carefully chosen targets. An example was the January 2010 Aurora attacks, aimed at employees of Google, Adobe and 32 other companies. Among the targets: financial institutions and (U.S.) defence contractors.

One solution to both sorts of attacks is what antivirus vendors refer to as “heuristics”: judging a file by how it is built and what it does when run (for instance, unpacking an encoded body and looking at the resulting behaviour) rather than by matching its exact bytes against a list. Most standard antivirus products now include these capabilities. Leah suggests, though, that even with added heuristic capabilities, traditional products continue to have problems due to the lag between creating updates and getting them out to users. MessageLabs’ solution: move the antivirus scanning online, “to the cloud,” so that email is scanned in transit on the provider’s servers. When its scanner is updated, the new version goes into effect immediately for all clients, with nothing for users to download.
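To make the distinction between signature matching and heuristics concrete, here is an added example written for this page (it is not code from the column, from Symantec or from MessageLabs). It uses a constructed toy “program” as a stand-in for malicious code, a toy definition database, a toy polymorphic encoder (XOR with a per-copy key plus a decoder stub) and a toy heuristic scanner that first emulates the stub and then judges the decoded program by the actions it performs. All names (`ORIGINAL_SAMPLE`, `DEFINITIONS`, `Toy.Dropper.A`, `Heur.DownloadAndExecute`) and the data are invented for the illustration.

```python
# Added example: why byte signatures fail against polymorphic variants and
# how emulation plus behavioural heuristics still catch them.  All samples,
# names and formats here are constructed for illustration only.
from __future__ import annotations

# Constructed stand-in for malicious code: one action per line.
ORIGINAL_SAMPLE = (b"OPEN_SOCKET evil.example:80\n"
                   b"DOWNLOAD /dropper.bin\n"
                   b"WRITE_FILE svchost32.exe\n"
                   b"EXEC svchost32.exe\n")

# A "virus definition" is a byte pattern lifted from a known sample.
DEFINITIONS = {
    "Toy.Dropper.A": b"DOWNLOAD /dropper.bin\nWRITE_FILE svchost32.exe",
}

STUB_PREFIX = b"DECODE key="          # toy decoder stub: "DECODE key=5a\n"
SUSPICIOUS_SEQUENCE = (b"DOWNLOAD", b"WRITE_FILE", b"EXEC")


def signature_scan(sample: bytes, definitions=DEFINITIONS) -> str | None:
    """Traditional detection: substring match against the definition database."""
    for name, pattern in definitions.items():
        if pattern in sample:
            return name
    return None


def make_variant(payload: bytes, key: int) -> bytes:
    """Toy polymorphism: XOR the body with a per-copy key and prepend a decoder
    stub.  Every key yields different bytes; the behaviour is unchanged."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a single non-zero byte")
    body = bytes(b ^ key for b in payload)
    return STUB_PREFIX + b"%02x\n" % key + body


def emulate(sample: bytes) -> bytes:
    """Generic decryption: if the sample starts with the decoder stub, 'run' it
    (undo the XOR) and return the decoded body; otherwise return the input."""
    if not sample.startswith(STUB_PREFIX):
        return sample
    header, _, body = sample.partition(b"\n")   # first newline ends the stub
    key = int(header[len(STUB_PREFIX):], 16)
    return bytes(b ^ key for b in body)


def heuristic_scan(sample: bytes, definitions=DEFINITIONS) -> str | None:
    """Heuristic detection: emulate first, then judge the decoded program by
    what it does (download, drop a file, execute it) rather than exact bytes."""
    decoded = emulate(sample)
    hit = signature_scan(decoded, definitions)   # decoded bytes may match
    if hit:
        return hit
    actions = [line.split(b" ", 1)[0] for line in decoded.splitlines() if line]
    pos = 0                                      # look for the sequence in order
    for act in actions:
        if act == SUSPICIOUS_SEQUENCE[pos]:
            pos += 1
            if pos == len(SUSPICIOUS_SEQUENCE):
                return "Heur.DownloadAndExecute"
    return None


def demo() -> dict:
    """Run the scanners over constructed samples and return the verdicts."""
    defs = dict(DEFINITIONS)                     # private copy of the database
    variant = make_variant(ORIGINAL_SAMPLE, key=0x5A)
    # A new family member: same behaviour, different host and file name, so
    # even the decoded bytes no longer match the definition above.
    new_member = (b"OPEN_SOCKET other.example:443\nDOWNLOAD /p.bin\n"
                  b"WRITE_FILE upd.exe\nEXEC upd.exe\n")
    benign = (b"OPEN_SOCKET updates.example:443\nDOWNLOAD /notes.txt\n"
              b"WRITE_FILE notes.txt\n")
    results = {
        "signature_on_original": signature_scan(ORIGINAL_SAMPLE, defs),
        "signature_on_variant": signature_scan(variant, defs),
        "heuristic_on_variant": heuristic_scan(variant, defs),
        "heuristic_on_new_member": heuristic_scan(make_variant(new_member, 0x13), defs),
        "heuristic_on_benign": heuristic_scan(benign, defs),
    }
    # The vendor adds a signature lifted from the 0x5A variant's encoded body.
    # It catches that copy, and only that copy: the next key evades it again.
    defs["Toy.Dropper.B"] = variant[20:60]
    results["signature_on_variant_after_update"] = signature_scan(variant, defs)
    results["signature_on_next_key"] = signature_scan(make_variant(ORIGINAL_SAMPLE, 0x5B), defs)
    return results


if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check}: {verdict}")
```

The `demo()` verdicts show the column’s argument in miniature: the definition catches the original, misses the XOR-encoded variant, and, once a signature for that variant is added, still misses the copy encoded with the next key (hence the millions of signatures). The heuristic scanner, by emulating the stub and looking at the download-write-execute sequence, flags every variant and even a new family member the database has never seen, while leaving the benign download alone. Real engines are far more elaborate, but the trade-off is the same: signatures are precise but reactive, heuristics are generic but need care to avoid false positives.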

In examining server data, MessageLabs found that its online heuristic scanner had been identifying and blocking malicious attachments exploiting an Adobe PDF vulnerability nearly a month before the vulnerability was announced – and nearly two months before Adobe released a patch for it.

Leah’s conclusion: even as traditional signature-based antivirus software becomes increasingly ineffective against modern mass email and targeted attacks, software using heuristic techniques can fill the gap, while moving antivirus services online can ensure that users always have access to up-to-date protection.
