2007-09-01
Abstract
'Both the disease and the cure now differ significantly from their original forms.' David Emm, Kaspersky Lab.
Copyright © 2007 Virus Bulletin
I recently saw an article announcing the slow death of AV technology. It set me thinking about how 'anti-virus' solutions have evolved to deal with the changing nature of malicious code.
Threats are more complex and numerous than ever before. Much of today's malicious code is designed specifically to hijack computers and make money illegally. Today's attacks are rapid and they can be as wide-reaching or selective as cyber criminals desire. Malicious code can be embedded in email, injected into fake software packs, or placed on 'grey-zone' web pages for download by a trojan installed on an infected machine.
In any field of human activity, each generation learns from its predecessors, continues to implement proven methods, and also tries to break new ground. This is also true of virus writers; successive waves of malicious code have redefined the threat landscape. Security solutions have evolved to match new generation threats and both the disease and the cure now differ significantly from their original forms.
Initially, viruses were relatively slow-spreading. Although a significant number of outbreaks were caused by file infectors, boot sector viruses and multipartite viruses were the main threat up to 1995. The use of stealth techniques to hide infection and encrypted code to hinder analysis and detection also evolved during this period.
To start with, anti-virus programs were on-demand only. Due to the slow spread of viruses and the slow increase in the number of new viruses, scanners were used to detect and remove infected code. In many cases, companies wouldn't install anti-virus programs on individual machines (although attitudes tended to change once a company got hit by a virus). In addition to regular scanning, a stand-alone machine was often used to screen incoming floppy disks. It was only once the virus count reached 300 (which seemed a lot at the time) that real-time protection was developed and implemented. Anti-virus programs were updated just quarterly, or monthly by the 'paranoid', with updates delivered on floppy disks.
Anti-virus programs were mainly signature-based. Some employed behavioural analysis; however, the nature and scale of the malware threat did not justify mainstream deployment of these technologies.
Increased use of the Internet and of email changed things significantly. First there were macro viruses, which spread more quickly than preceding viruses by 'piggybacking' data files (primarily documents) on email. Then came email worms: they hijacked email to distribute their code proactively, further speeding up the infection process. The problem of spam also emerged.
In an effort to stem infections before they reached employees, the anti-virus function was shifted from desktops to email servers and Internet gateways. New threats spreading at 'Internet speed', a growing number of global epidemics and an increasing number of threats exploiting application vulnerabilities also forced AV vendors to respond more rapidly to new threats. Weekly and then daily (or even hourly) updates became the norm.
Growing concerns about the potential time lapse between the appearance of a new exploit and the means to block it fuelled the development of proactive technologies, and their integration into Internet security solutions whose scope exceeded that of traditional anti-virus programs. The use of proactive technologies (e.g. heuristic and generic detection) dates from the early to mid-1990s. Since then, the scope of anti-virus programs has been further extended by the integration of personal firewall, intrusion prevention and behavioural analysis technologies. AV today is much more than just AV.
In the early days of viruses, no one anticipated the quantity or variety of malicious programs that exist today. Each wave of malware development brought new challenges that required a change to existing solutions, the development of new solutions or the integration of non-AV technologies. The threat landscape is radically different to that of 20 years ago, and so are today's security solutions. Early AV solutions look one-dimensional compared with the holistic solutions offered by today's security software providers. Signature scanning remains, but in the context of a wider strategy. There's no question that AV is alive and well.