Postcards from the anti-virus world

Summary: Some of the recent reports of anti-virus bypass tricks are interesting but I am inclined to think they do not constitute a security flaw.

Guest editorial by Michal Zalewski

"Researchers say they've devised a way to bypass protections built in to dozens of the most popular desktop anti-virus products, including those offered by McAfee, Trend Micro, AVG, and BitDefender." - The Register

Sound familiar? For the past three years or so, such headlines have appeared in the press on a fairly regular basis. This makes one wonder: is there something rotten in the anti-virus world? After all, of all things, we ought to be able to get the security tools right.

Well, the picture is more complicated than it may seem. We intuitively draw parallels between these findings and the vulnerabilities commonly found in other types of software, but the issue here is very different: all consumer-grade anti-virus software simply must be designed to be bypassable, even if only transiently so. To understand this, we need to realize that there is nothing fundamentally different between a botnet client and a legitimate chat application: both use roughly the same OS facilities in a very similar manner, and while differences are often observed in practice, they are not essential in any way. The intent behind the actions performed by these two programs is the only distinguishing factor. Yet this property can't be assessed algorithmically: not only because the task is notoriously hard to formalize, but also because automated reasoning about the behavior of computer programs is, in the general case, provably impossible (any non-trivial question about what an arbitrary program will do is undecidable).

Because of this, the anti-virus model is nothing like that of "proper" security tools. Instead of eliminating the essential mechanisms the rogue code depends on, AV software tries to stop specific, previously recorded attack patterns: known bad binaries, known suspicious sequences of system calls, and so forth. Some heuristics are employed, but in the end it always comes down to blacklisting, a canonical bad practice in the field of information security. Surprisingly, in this particular context, it actually works, for two reasons:

  1. Most users are not running up-to-date anti-virus software, so there is relatively little incentive for attackers to spend much time evading the checks. As a result, most of the malicious code you can run into will trip existing signatures or simple behavioral heuristics, and the users of anti-virus products remain at a distinct advantage.
  2. Although a percentage of new malware is created specifically to avoid detection, both possible outcomes are just as favorable to the users of anti-virus products:

    • When malware authors aim for rapid, indiscriminate propagation, the new variant is quickly captured in the wild, and the tools are updated with new signatures or scan algorithms. In this case, the majority of users are protected before they come into contact with the new payload.
    • When malware authors want to stay under the radar, and only go after select targets, the majority of users are not interesting enough to end up in the crosshairs - and therefore, the problem is highly self-limiting.

As should be evident, this model works reasonably well to protect casual users. It also tends to fall apart for any entity interesting enough to attract the specific attention of determined (but not necessarily skilled!) attackers; for these targets, anti-virus software perhaps reduces operational costs by lowering the likelihood of nuisance infections, but does relatively little to prevent more serious trouble.
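The mechanics of the blacklist model above, as an added example that is not part of the original editorial (the signature database, the sample bytes and the system-call traces are all constructed for illustration): a substring scanner for a known bad byte pattern, a behavioral rule for a known suspicious call sequence, and the two trivial transformations, re-encoding the bytes and padding the call sequence, that defeat each without changing what the program does. The chat-client trace is there to make the point about intent: once the rule is loosened enough to catch the padded bot, it also catches a file transfer that the user then opens.

```python
"""Toy model of the blacklist detection model: known bad bytes and known
suspicious call sequences, and the trivial transformations that defeat each.

Added example, not from the original editorial: the signature database,
the sample bytes and the system-call traces are all constructed.
"""
from typing import Dict, List, Sequence

# --- 1. Static signatures: known bad byte patterns --------------------------
SIGNATURES: Dict[str, bytes] = {                     # constructed
    "Bot.Generic.A": b"C2HOST=irc.c2.example",
    "Dropper.B": b"http://dl.example/payload.exe",
}

# Constructed sample "binary" carrying the first marker in plain text.
BOT_SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + b"C2HOST=irc.c2.example\x00" + b"\xcc" * 8


def scan_bytes(blob: bytes) -> List[str]:
    """Names of every signature found in blob: plain substring search,
    the simplest form of blacklisting."""
    return [name for name, pattern in SIGNATURES.items() if pattern in blob]


# A hypothetical one-byte XOR packer: the executable is stored encoded and
# decoded at load time, so the bytes on disk no longer contain the pattern
# while the program's behaviour is unchanged.
STUB = b"UNPACK1:"                                    # constructed stub marker


def pack_variant(blob: bytes, key: int) -> bytes:
    """Produce a variant with identical behaviour but different bytes."""
    return STUB + bytes([key]) + bytes(b ^ key for b in blob)


def unpack(variant: bytes) -> bytes:
    """What the stub does at load time: recover the original bytes."""
    if not variant.startswith(STUB):
        raise ValueError("not a packed variant")
    key = variant[len(STUB)]
    return bytes(b ^ key for b in variant[len(STUB) + 1:])


# --- 2. Behavioural heuristics: known suspicious call sequences -------------
# "Download and execute": a received buffer is written to disk and run.
SUSPICIOUS = ("recv", "write_file", "exec")

# Constructed traces. The bot and the chat client use the same facilities;
# the trace records what was done, never why.
BOT_TRACE = ["socket", "connect", "send", "recv", "write_file", "exec"]
BOT_TRACE_PADDED = ["socket", "connect", "send", "recv", "gettimeofday",
                    "write_file", "getpid", "exec"]
CHAT_TRACE = ["socket", "connect", "send", "recv", "write_file",   # file transfer
              "send", "recv", "exec"]                             # user opens the file


def contiguous_hit(trace: Sequence[str], pattern: Sequence[str] = SUSPICIOUS) -> bool:
    """Strict rule: the pattern appears as consecutive calls."""
    n = len(pattern)
    return any(tuple(trace[i:i + n]) == tuple(pattern)
               for i in range(len(trace) - n + 1))


def subsequence_hit(trace: Sequence[str], pattern: Sequence[str] = SUSPICIOUS) -> bool:
    """Loose rule: the pattern's calls appear in order, with anything in between."""
    it = iter(trace)
    return all(any(call == wanted for call in it) for wanted in pattern)


def verdicts() -> Dict[str, object]:
    """Every verdict the two scanners reach on the constructed samples."""
    packed = pack_variant(BOT_SAMPLE, 0x5A)
    return {
        "plain_bytes": scan_bytes(BOT_SAMPLE),                   # ['Bot.Generic.A']
        "packed_bytes": scan_bytes(packed),                      # []
        "packed_runs_same_code": unpack(packed) == BOT_SAMPLE,   # True
        "bot_strict": contiguous_hit(BOT_TRACE),                 # True
        "padded_bot_strict": contiguous_hit(BOT_TRACE_PADDED),   # False
        "padded_bot_loose": subsequence_hit(BOT_TRACE_PADDED),   # True
        "chat_strict": contiguous_hit(CHAT_TRACE),               # False
        "chat_loose": subsequence_hit(CHAT_TRACE),               # True: false positive
    }


if __name__ == "__main__":
    for name, value in verdicts().items():
        print(f"{name:24} {value}")
```

Run it directly to see the eight verdicts side by side. The packer is the general shape of what real packers and server-side polymorphism do to static signatures, and the padded trace is the general shape of what defeats sequence heuristics; tightening either rule enough to catch the variant drags the chat client in with it, which is the practical face of the point that intent is not recorded in the mechanics.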

Some of the recent reports of antivirus bypass tricks are interesting (this particular research rehashes a problem that all ptrace()-based debuggers and sandboxing tools have to deal with) - but in light of the above, I am inclined to think they do not constitute a security flaw. The attention they nevertheless receive demonstrates that we have only a vague idea of the limitations of AV applications; sadly, with poor understanding, come unrealistic expectations - a major foe of any and all security work.
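The ptrace() problem mentioned above, modelled as an added example (not code from the page or from the research it refers to). The editorial does not spell the problem out, so this assumes it is the familiar check-versus-use race on system-call arguments: a monitor running outside the kernel reads a pointer argument from the tracee's memory, approves it, and a second thread of the tracee rewrites the buffer before the kernel dereferences the same pointer. The tracee, monitor and kernel are simulated in one Python process with the interleaving forced by events so the outcome is reproducible; `simulate_open`, `TraceeMemory` and the `/tmp/sandbox/` policy are constructed for the example.

```python
"""Model of the check-versus-use race on system-call arguments.

Added example, not from the page: the tracee, monitor and kernel are
simulated in one process, and the thread interleaving is forced with
events so the outcome is reproducible rather than timing-dependent.
"""
import threading
from dataclasses import dataclass

ALLOWED_PREFIX = "/tmp/sandbox/"      # constructed sandbox policy


@dataclass
class TraceeMemory:
    """The tracee's address space. A pointer argument such as open(2)'s
    path points into it, and every thread of the tracee can write to it."""
    path_buffer: str


def policy_allows(path: str) -> bool:
    return path.startswith(ALLOWED_PREFIX)


def simulate_open(initial_path: str, swapped_path: str, kernel_side_check: bool) -> dict:
    """Run one open() past the monitor while a second tracee thread rewrites
    the path buffer after the check but before the use.

    kernel_side_check=False models a ptrace()-style monitor: it reads the
    argument out of tracee memory, decides, and the kernel then follows the
    pointer again on its own.
    kernel_side_check=True models a check that runs on the kernel's own copy
    of the argument (taken once, after it was copied from user memory), so
    check and use cannot diverge.
    """
    mem = TraceeMemory(initial_path)
    checked = threading.Event()
    swapped = threading.Event()

    def helper_thread():
        checked.wait()                  # run only after the monitor has looked
        mem.path_buffer = swapped_path  # rewrite the buffer the pointer targets
        swapped.set()

    t = threading.Thread(target=helper_thread)
    t.start()

    # Monitor: inspect the argument at syscall entry.
    arg_copy = mem.path_buffer
    verdict = policy_allows(arg_copy)
    checked.set()
    swapped.wait()                      # the window between check and use
    t.join()

    # Kernel: actually perform the call, from its own copy or from user memory.
    used = arg_copy if kernel_side_check else mem.path_buffer
    return {
        "inspected": arg_copy,
        "verdict": verdict,
        "used": used,
        "bypassed": verdict and not policy_allows(used),
    }


if __name__ == "__main__":
    for mode in (False, True):
        result = simulate_open("/tmp/sandbox/notes.txt", "/etc/shadow", mode)
        print(("kernel-side check" if mode else "ptrace-style check") + ":", result)
```

In the first mode the monitor approves `/tmp/sandbox/notes.txt` and the kernel opens `/etc/shadow`; in the second the two cannot disagree. The second mode is what an in-kernel hook that checks the argument after the kernel has copied it gets for free, and it is why seccomp-bpf filters are handed only register values and cannot dereference pointer arguments: anything read from user memory by a user-space monitor can change before the kernel reads it again. That is the sense in which the bypass is a structural limitation of this class of tool rather than a bug in one product.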

PS. It is frustrating that contemporary computers are so confusing and vulnerable that we need such a wonderfully imperfect mechanism to protect the casual user to begin with. That, however, is a wholly different tale.

* Michal Zalewski is a security researcher at Google. He has written and released many security tools, including ratproxy and skipfish, and is the author of the Browser Security Handbook. He can be found at lcamtuf's blog and on Twitter.

Talkback

10 comments
  • @Larry Dignan: Hire this Man!

    Nicely written. Regretfully though, the article stops short of providing a solution or work-around (for the reader's sake) to the current reported A-V conundrum.
    Dietrich T. Schmitz,Your Linux Advocate
    • RE: Postcards from the anti-virus world

      @Dietrich T. Schmitz,Your Linux Advocate

      This guy does write good articles... but I wonder how well his current employer (*cough* Google *cough*) followed his advice, since Google had some major breach by malware not long ago.
      Samic
      • RE: Postcards from the anti-virus world

        @Samic

        Bad cough there.
        Dietrich T. Schmitz,Your Linux Advocate
      • Ya seriously. Google obviously doesn't care about security, they used IE..

        ..and Windows. It is their fault they got hacked, since they trusted Microsoft products to be secure.
        AzuMao
  • RE: RE: Postcards from the anti-virus world

    Just an observation...
    In regards to point 1, "Most users are not running up-to-date antivirus software", no argument there. However,
    you can't then make the following in point 2, "When malware authors aim for rapid, nondiscriminate propagation, the new variant is quickly captured in the wild, and the tools are updated with new signatures or scan algorithms. In this case, a majority of users are protected before they come into contact with the new payload." Point 2 then becomes null and invalid.
    You can't have "most users" running outdated antivirus AND at the same time have a "majority of users" being protected via updated signatures and algorithms.
    Point 2 should be that users need to be taught to maintain their antivirus and system updates.
    wizard57m-cnet
  • Cloud Anti Virus can Fight!

    Yes, I completely agree with Michal on his viewpoint. And an article I read on http://www.simplify.co.in about the power of cloud anti-virus systems made me think that yes, it can be a daringly strong answer to these intrusions, especially when we have enough bandwidth.
    simplify-solutions
  • RE: Postcards from the anti-virus world

    this is a repost of one above reported as spam...darn, it's
    getting bad when the spammers on these Talkbacks report
    all the other posts as spam then plug their bogus web sites.

    Just an observation...
    In regards to point 1, "Most users are not running up-to-date antivirus software", no argument there. However,
    you can't then make the following in point 2, "When malware authors aim for rapid, nondiscriminate propagation, the new variant is quickly captured in the wild, and the tools are updated with new signatures or scan algorithms. In this case, a majority of users are protected before they come into contact with the new payload." Point 2 then becomes null and invalid.
    You can't have "most users" running outdated antivirus AND at the same time have a "majority of users" being protected via updated signatures and algorithms.
    Point 2 should be that users need to be taught to maintain their antivirus and system updates.
    wizard57m-cnet
    • Fixing the symptom, not the problem

      Maintaining antivirus updates is okay, but there are inherent flaws in the basic architecture. Anti-virus as an installable, configurable application is ALWAYS going to be vulnerable to attack. There are many malware attacks that INSTRUCT the user to disable their own protection before proceeding! And users do it! Why? Because they are told to do it on a regular basis by "legitimate" software applications. Therefore it becomes easy to use social engineering to convince a user to do the same for other purposes.
      terry flores
  • As long as anti-virus is a bolt-on afterthought ...

    Windows was originally designed with some security features, but nowhere near what was needed in a multi-user open-networked world. Microsoft has never been able to recover this situation, partly their fault and partly ours. They deliberately left "back-doors" open for their own control, and users have always preferred convenience and flexibility over security.

    When I got started in this business, my company did code reviews of commercial software before it was installed in our data centers, checking for security gaps and backdoors. Now it seems that every software vendor out there considers it their right to "phone home", do unsolicited downloads, and install hidden software without so much as a casual mention to the user. In my view, every commercial software vendor acts like a thief and a spy, and most website operators as well.

    What's going to change this? If more layers of anti-virus and firewalling don't solve the problem, then the days of stand-alone computing are going to return. The balance will tilt away from convenience back to more stable situations, like burning the core OS and security into hardware. And users will finally learn not to tolerate empty "privacy statements" and shrink-wrapped disclaimers.
    terry flores