Anti-virus: a technology update

Kevin Townsend examines the heartbeat of the anti-virus industry
Kevin Townsend examines the heartbeat of the anti-virus industry
Are Stuxnet and Zeus proof that anti-virus software is not protecting your computer well enough?
Are Stuxnet and Zeus proof that anti-virus software is not protecting your computer well enough?

Anti-virus was the first, the most ubiquitous, and is certainly the best known defence against the bad guys. Hugely damaging successful malware attacks, however, beg the question: Are the bag guys winning the arms race?

“The key thing to recognise”, says James Lyne, senior technologist at Sophos, “is that these things are now so inextricably linked that this aged distinction between things like viruses, worms, trojans and spam actually doesn’t make a lot of sense at all – it’s all just ‘bad stuff’”.

"The AV marketing bods need to be more like the AV technical bods; who are far more likely to tell you how it really is"

Bots on compromised PCs, for example, are used to deliver spam that contains social engineering scams designed to trick users into visiting malicious websites. This website will then infect the user with a trojan that opens a back door to allow in a root kit containing a keylogger and spyware. Anti-virus software doesn’t just seek to protect you from viruses, then, it seeks to protect you from all of this bad stuff. For the sake of this article, we’ll just call it all ‘malware’.

What are the attackers doing?

Modern malware has evolved from a demonstration of personal prowess into a serious, organised criminal business, driven by the same motive as any legitimate business – a desire to maximise return on investment (ROI).

Wherever there is a large concentration of users, there will also be malware. This explains the malware campaigns on Facebook and Twitter. But it also tells us what is likely to happen next – increasing malware for the Mac (a new Mac version of KoobFace was recently discovered by Intego, a Mac security specialist).

Criminals follow the people, and as the Mac and other Apple products increase in popularity, so do the criminals who attack them.

Mobilisation is one of the biggest computing movements today. As mobile computing and smart phone markets grow, they attract malware. Similarly, market growth in virtual machines will lead to attacks on the hypervisor. The AV industry is aware that there are proof-of-concept attacks on virtual machines, but nothing has yet been found in the wild. It will eventually happen; and anti-virus companies are waiting.

It is only with a degree of tongue in cheek that Luis Corrons, technical director of PandaLabs, introduces the idea of anti-virus for fridges. “Everything is connected to everything else, and it’s all connected to the internet”, he says. “I don’t know that we’re going to install anti-virus for the fridge, but who knows.” If there are enough fridges connected to the internet, fridge malware will no doubt follow suit.

Technical sophistication

Lyne describes one example of the increasing sophistication in malware. “Polymorphism”, he says, “has been around for about 20 years. It’s where the malware continually changes itself to avoid detection – but it has been easy for the AV vendors to defeat it. But today, the bad guys are using server side polymorphism where the engine is not in the malware but on legitimate business websites. Every time it is refreshed, what is downloaded is different in content to the previous download, and after a couple of hundred downloads, they kill that site and move on to another. That way, none of us vendors can get hold of the engine to write any form of generic protection.”

"Thanks to the cloud, [reputation] is instantly available to all of our other customers"
Rik Ferguson, Trend Micro

Unfortunately, there doesn’t appear to be a major advance in AV technology on the near horizon. “Right now”, says David Harley, ESET research fellow and director of malware intelligence, “it’s more a case of multiple/hybrid technologies (found in nearly any modern AV) advancing by improving individual components. Obviously, some products stress certain components more than others.”

Christopher Boyd, GFI senior threat researcher, suggests “virtual sandboxing, which allows threats to be intercepted and executed inside a virtual machine running a Windows-like pseudo environment, allowing for more accurate detection and safer quarantine and disposal”.

Your reputation precedes you

Possibly the biggest single development in the AV world has been the evolution of product-based reputation feedback (not to be confused with community-based reputation systems such as the web of trust). Rik Ferguson, Trend Micro’s senior security advisor, explains his own company’s reputation system, born out of the marriage in the cloud of three separate databases: bad emails, bad URLs and bad files.

“Let’s take a hypothetical worst-case scenario”, he says. “You get an email from a bot that has only just been infected, and the email is well-crafted so it looks OK. We can’t see anything wrong with it, so we allow it. In this case, email reputation has failed. The email contains a link to a malicious website that has only just been registered. We don’t yet know that it’s bad so we allow you to click the link, and again the reputation system has failed”, he explains. “You click the link and visit the website which uses a zero-day exploit to infect you with a new trojan that the bad guys have already tested against all the AV products. We haven’t seen this trojan, so we allow you to download it and you become infected. Email, URL and file reputation systems have all failed.”

"So for years, the deal with free AV has been a trade-off: fewer bells and whistles and often less detection/disinfection, and restricted support"
David Harley, ESET

But, he stresses, continuing on to a happy ending, “the first thing that the trojan will seek to do is phone home, either to tell its owner that it has landed, or to download additional components. At this point we will almost certainly recognise this as suspicious behaviour and block it. We will also relay the URL source of the suspect file to TrendLabs who will download the page content and analyse it.” Instantly, the URL database and file database are updated with the new reputations. “If, then, a new email comes in pointing to that URL, we can recognise the email as suspicious and add details to our email reputation system. Thanks to the cloud, [this reputation] is instantly available to all of our other customers.”

Let’s get radical

So, we have a choice. We can carry on as we are, trying to improve our anti-malware defences in a perpetual leapfrogging process with the bad guys, or we can think out of the box and be radical.

Trusteer’s Rapport product shows signs of radical thinking. Its purpose is not primarily to find and eliminate viruses, but to specifically protect online bank transactions from malware (such as Zeus). Yes, it’s an anti-malware product, but not as we know it. Its primary purpose is to protect the browser and define a browser behavioural policy.

“It’s like behavioural detection”, explains Amit Klein, Trusteer’s chief technology officer, “but it’s not behavioural in the sense that we monitor all the behaviour of a suspicious binary. Rather, we wait for the malware to come to us and try to attack the browser, and that’s where we stop it cold.”

A more radical approach could be the Internet Health Certificate (See ‘Collective Defense - Applying Global Health Models to the Internet’) proposal put forward by Microsoft’s Scott Charney. The idea is that we should take a lead from the World Health Organisation – users may need a health certificate for their computers before they are allowed access to the internet.

The AV industry is not wholly impressed with the idea. Who says a computer is healthy? Who defines computer health? “I’d be pretty unhappy if it turned out that the health of my system was being certified by someone whose knowledge of security wasn’t much higher than average”, comments ESET’s Harley. “Or even the system admin responsible for the Microsoft servers that are used to relay spam.”

The technical problem is certainly not trivial. “The technical issue is the volume of edge cases”, continues Harley. “I don’t think a ‘just about good enough’ heuristic approach combines well with a utilitarian ‘greatest good for the greatest number’ approach, in this case.”

Trend Micro’s Ferguson raises a practical issue. “What happens”, he asks, “in the case of false positives? If users are incorrectly quarantined, will they be able to claim something back in lost productivity, lost purchases on eBay, or whatever it may be?”

Trusteer’s Klein, on the other hand, declares it an “interesting idea. But with the current infection rates where your machine can be clean one day and infected the next, I’m worried about the implications for an ISP handling millions of customers, some of whom keep getting re-infected.”

With seemingly so little going for this idea, you have to wonder how it got air time. The answer might be in Scott Charney’s title: vice president of trustworthy computing. The Trustworthy Computing Group has developed specifications for how to control what can and cannot run on a computer, which can be achieved via Intel chips (Intel is another member of the TCG) installed on the majority of the world’s PCs. So if a third party (your company? Microsoft? Intel? your ISP? the Government?) defines what can run on your PC, you automatically have to have a health certificate because nothing else, neither malware, nor pirated software, nor illegal music, nor porn, nor any new software not sanctioned by the controlling organisation, is capable of running. The problem is solved. Some might say at the cost of personal freedom.


The biggest single development in consumer anti-virus offerings is the growth of the free product. Many companies now provide free online scanners – Trend Micro’s HouseCall and Symantec’s Security Check are good examples. There are also a growing number of free products you can download and install on your computer: AVG and Avira are well-known. More recently, Panda has launched a new free version.

Petter Lautin, Panda Security’s MD for UK and Ireland, explains the rationale: “A Morgan Stanley survey in America has shown that 46% of consumers rely on free security software, and that’s expected to increase to nearer 60%. I’d be surprised if things in Europe are very different; so that’s a fact of life we can’t ignore. Secondly, believe it or not, there are many people out there who are still not using any anti-virus product at all. For them, this is a perfect way to start because it gives you the basic anti-malware protection that everyone needs to have. From there we can start to talk about what you should have rather than must have: a firewall, ID theft protection and all sorts of things on top of that.”

ESET’s David Harley has a pragmatic view. “The economics of the marketplace, though, are that the consumer market isn’t really profitable. It costs more than some companies can afford to support those customers, measured against the profit margin. That’s why some companies make single-user licences so expensive compared to their corporate deals. So for years, the deal with free AV has been a trade-off: fewer bells and whistles and often less detection/disinfection, and restricted support (forums, but not telephone support).”

There is still a dearth of AV software for the Mac. “There is a limited number of anti-virus tools for Mac”, explains Laurent Marteau, CEO of Intego, one of the relatively few Mac AV vendors. “With Mac anti-virus software, none of the companies offering free tools have the infrastructure to find Mac malware and update their software in a timely manner.”

This is about to change, however, as Sophos has recently released the industry’s first free AV package for the Mac.


No silver bullet

Some of the marketing hype around anti-virus products seems to imply that AV software is all you need to be safe. It isn’t. In fact, you need layers of different security. In fairness, none of the anti-virus technologists suggest that AV is enough. They advise that it should be complemented with data loss prevention technologies, ID theft prevention, firewalls, URL filters and more.

So how will the market develop from here? “Slowly and painfully”, suggests Harley. “Customers who expect 100% success will continue to be disappointed. Pure AV will become rarer: the technology will continue to be further integrated with other defensive technologies.”

New technologies such as Rapport can help in niche areas; ideas such as trusted computing could solve the problem but at the cost of personal liberty. The way in which the anti-virus industry markets itself may be sensational and inaccurate, but this much is certain: we cannot, and must not try to, do without it. The anti-virus industry is not merely relevant; it is still essential.



We’ve all seen the adverts and claims: ‘Our product detects 99% (or even 100%) of viruses’. Yet we still get infected, and we still hear of new viruses being missed by almost all of the AV products when tested against VirusTotal. Something is clearly wrong.

When you look at the small print, you see that what appears to be ‘100% of viruses in the wild’ is actually ‘100% of viruses that are included in the WildList’. In the wild and in the WildList are two completely different things. I don’t believe it was designed to be misleading; but it is misleading and I believe that AV companies know that it is misleading.

This might have worked ten years ago, when users were more technically naive. But today’s user can see the anomaly, and the result is a loss of trust in the AV companies that will only increase until they start to be more honest in their claims. The AV marketing bods need to be more like the AV technical bods; who are far more likely to tell you how it really is.


What’s hot on Infosecurity Magazine?