AV is alive and well

2007-09-01

David Emm

Kaspersky Lab, UK
Editor: Helen Martin

Abstract

'Both the disease and the cure now differ significantly from their original forms.' David Emm, Kaspersky Lab.


I recently saw an article announcing the slow death of AV technology. It set me thinking about how 'anti-virus' solutions have evolved to deal with the changing nature of malicious code.

Threats are more complex and numerous than ever before. Much of today's malicious code is designed specifically to hijack computers and make money illegally. Today's attacks are rapid and they can be as wide-reaching or selective as cyber criminals desire. Malicious code can be embedded in email, injected into fake software packs, or placed on 'grey-zone' web pages for download by a trojan installed on an infected machine.

In any field of human activity, each generation learns from its predecessors, continues to implement proven methods, and also tries to break new ground. This is also true of virus writers; successive waves of malicious code have redefined the threat landscape. Security solutions have evolved to match new generation threats and both the disease and the cure now differ significantly from their original forms.

Initially, viruses were relatively slow-spreading. Although a significant number of outbreaks were caused by file infectors, boot sector viruses and multipartite viruses were the main threat up to 1995. The use of stealth techniques to hide infection and encrypted code to hinder analysis and detection also evolved during this period.

To start with, anti-virus programs were on-demand only. Due to the slow spread of viruses and the slow increase in the number of new viruses, scanners were used to detect and remove infected code. In many cases, companies wouldn't install anti-virus programs on individual machines (although attitudes tended to change once a company got hit by a virus). In addition to regular scanning, a stand-alone machine was often used to screen incoming floppy disks. It was only once the virus count reached 300 (which seemed a lot at the time) that real-time protection was developed and implemented. Anti-virus programs were updated just quarterly, or monthly by the 'paranoid', with updates delivered on floppy disks.

Anti-virus programs were mainly signature-based. Some employed behavioural analysis; however, the nature and scale of the malware threat did not justify mainstream deployment of these technologies.

Increased use of the Internet and of email changed things significantly. First there were macro viruses, which spread more quickly than preceding viruses by 'piggybacking' data files (primarily documents) on email. Then came email worms: they hijacked email to distribute their code proactively, further speeding up the infection process. The problem of spam also emerged.

In an effort to stem infections before they reached employees, the anti-virus function was shifted from desktops to email servers and Internet gateways. New threats spreading at 'Internet speed', a growing number of global epidemics and an increasing number of threats exploiting application vulnerabilities also forced AV vendors to respond more rapidly to new threats. Weekly and then daily (or even hourly) updates became the norm.

Growing concerns about the potential time lapse between the appearance of a new exploit and the means to block it fuelled the development of proactive technologies and their integration into Internet security solutions that exceeded the scope of traditional anti-virus programs. The use of proactive technologies (e.g. heuristic and generic detection) dates from the early to mid-1990s. However, the scope of anti-virus programs has been further extended by integration of personal firewall, intrusion prevention and behavioural analysis technologies. AV today is much more than just AV.

In the early days of viruses, no one anticipated the quantity or variety of malicious programs that exist today. Each wave of malware development brought new challenges that required a change to existing solutions, the development of new solutions or the integration of non-AV technologies. The threat landscape is radically different to that of 20 years ago, and so are today's security solutions. Early AV solutions look one-dimensional compared with the holistic solutions offered by today's security software providers. Signature scanning remains, but in the context of a wider strategy. There's no question that AV is alive and well.
