Antivirus firms battle 'unique malware'

Latest viruses are aimed at specific businesses or individuals
Written by Munir Kotadia, Contributor

As malware is increasingly written with a specific target in mind, antivirus firms are deploying more intelligent detection tools and creating unique signatures for individual clients.

Over the past few years, malware attacks have evolved from a sawn-off shotgun approach, where a virus is released into the wild with the objective of infecting as many computers as possible, to a sniper approach, where Trojans are specifically crafted to spy on a particular company or even an individual.

Eric Ouellet, a research vice president in Gartner's security, risk and privacy group, said that targeted attacks are among the most difficult to defend against.

Speaking at the Gartner Symposium in Sydney last week, Ouellet said: "They are not indiscriminately firing a bullet and hoping it will hit somebody. They are aiming it at a computer or person.

"They will attack a large bank and create a virus or hack that is specific to them. People like Symantec or McAfee will not produce a signature for that — why would they produce it for just that one company?" he told ZDNet Australia.

Rob Forsyth, Asia-Pacific managing director of AV firm Sophos, claimed that the company's "genotype" technology is able to find unknown malicious code, which makes signature files less critical.

"If we think it looks like a bad thing and smells like a bad thing we have seen before, we don't have to taste it to know it is bad. If it has the general attributes we normally associate with malware we will protect against it," he said.

Forsyth countered Ouellet's claim about individual signatures by admitting that Sophos already has at least one customer for which it has created unique signature files.

"We have a governmental, law enforcement-type agency that have a specific requirement that file types of a nominated variety never go through their gateway. We built a specific set of signatures for them," said Forsyth.

While it doesn't use custom signatures, MessageLabs also deploys intelligent tools to deal with unknown codes, according to Tom Chan, enterprise and partner services manager in Asia-Pacific.

Chan said that MessageLabs sifts through more than a billion e-mails every week and uses signatures to quickly weed out known threats. Unknown codes are fed into a 20GB database that was built to analyse the behaviour of an application to determine its risk profile.

"We scan 1.4 billion e-mails a week and gather a very good understanding of what is good and what is bad... When we see some code for the first time we throw it against the database which will tell us if we are seeing a virus for the first time," said Chan.

Editorial standards