Wednesday, November 20, 2013

AV shouldn’t just be something on your hard drive – it should be part of a global immune system

When I first started working for an antivirus company in 1992, you’d get your software updates on floppy disks. They were sent out every three months. If you were really paranoid, you went for the monthly updates. Viruses took months to spread around the world – via floppy disk. There were 200 new viruses a month – and we thought that was pretty bad.

There was actual serious discussion over what was going to happen to antivirus programs when there were 10,000 viruses. People predicted disaster. People worried that the AV programs would be too big, they’d take up too much memory and be too slow. Now, of course, we see 100,000 new variants of malware a day. As soon as money became involved, it became industrialized – and I have to say, some of the fun went out of being a virus researcher.

Back in the old days viruses weren’t made to make money – they were just graffiti. They could cost you money – but the “point” would be the letters falling down your screen, or a graphic of an ambulance driving across. There was an artistry there – something I blogged about a while ago.

Many viruses were also unique – even if they were destructive. I remember a polymorphic infection from the early days – it completely changed its spots every time – but it stood out because the writer was so keen to make a British piece of malware. The SMEG Pathogen virus, named after a swearword used in the British TV comedy show Red Dwarf, was written by this English chap Christopher Pile. It stood for Simulated Metamorphic Encryption Generation. When it wiped your hard drive, it said, “Smoke me a kipper, I’ll be back for breakfast… but your data won’t.”

The media had been guilty of presenting malware as largely Eastern European in origin, and Pile wanted to prove them wrong.  He worked hard, on his own, to make his virus hard to detect.
With the commercialization of malware, that’s all gone. They don’t care about the quality – just the money. I saw it first with attacks targeting AOL users. They were stealthy – just stole password details and credit cards.

There wasn’t any attempt to be clever. There were enough people who didn’t update Windows that it would spread anyway. Now, it’s more than that. It’s “Let’s write computer programs to write more malware for us.” Counting malware has always been like counting butterflies – is that particular strain really new? Is it just an old one? There’s a lot of long arguments over that – and there always have been.

But now, most of what we see is not entirely new and unique, it’s based on malware we’ve seen before. Each new variant has been written by a computer – and is usually spotted by a computer.

Even if you have 100 researchers, you can’t keep up with the volume of detections. Expert systems do the detection – customers want protection very, very quickly, and you don’t want to flag up “false positives”. That just annoys people – and makes them turn off the software that’s protecting them. Humans can’t provide that level of protection. Expert systems can.

An expert system can, for instance, look inside a piece of code, and make a guess about whether it’s a banking Trojan very quickly. They’ll scan for banking URLs – or related ones. They’ll look for other markers – is there any Portuguese?  A lot of today’s banking Trojans come from Brazil – and the code’s compiled with Delphi.

So the system will look for a Delphi copyright message – but of course, the cybercriminal knows it will, so he’ll write that it was done in Microsoft C. A clever expert system will look at that, and know that here we have a piece of code that’s in Portuguese, is pretending to have been compiled in C – hiding its origin – and has banking URLs in it. Even if you’ve never seen it before, you’ve already got a good idea it’s bad.

That’s a very simplified take, of course – but this proactive defense is the future. Not in labs, but in home PCs. You have to look at the behavior of malware in real time, and when you think, “This is suspicious,” either turn it off, alert the user, or report back to base. You need to be careful about alerting the user – they don’t like too many alerts – so for everything to work, it’s all about that report back to base. Your PC has to be part of a bigger system.

Antivirus software isn’t a program in your hard drive – it’s a communication system. Done right, it works like an immune system, but a global one. Sending information isn’t always something we like to do. Those windows asking you to share information, often without any measurable benefit to you, are something we’ve seen for decades – I suppose it’s a thorny issue, and some people don’t like to feel their privacy is invaded – but it’s needed now more than ever.

Those proactive programs help to provide information that allow AV companies to react faster – feeding back data turns every PC user into part of the team, the immune system. The box which says, “Enable feedback” on AV products – but also on Windows, say, is a pretty important box to tick.

We’re all on the internet – we’re all related. It’s a family – the odd black sheep, the odd dodgy uncle – but we should look after it. If it is computer fighting computer, with us somewhere in the middle, you should at least let your computer fight. I think most of us would like to look after the community. Feedback is your way of giving something back. It’s your way of being proactive. That, I suppose, and preventing people in your real family running Windows XP when the plug gets pulled next year, and the patches stop. Buy them a Mac – it’s nearly Christmas, after all.

Graham Cluley


Graham Cluley has worked in the AV industry for two decades. He currently works as an independent analyst, and offers news and views on AV issues at his blog. This is the first in a series of guest blog posts by experts, analysts and researchers at We Live Security.

Share

Twitter Delicious Facebook Linkedin Stumbleupon Favorites More