As Threats Evolve, Defenses Must Adapt

Swamped by a flood of malicious software and under pressure from customers who want protection from a widening spectrum of threats, anti-virus experts are scrambling for new ways to sniff out the new breed of malicious programs.

It's Monday: time to pay your monthly credit card bill. A tech-savvy consumer, you log on, open your Web browser and surf to MBNA.com, a site run by the bank that issued your card. Once there, you enter your user name and password, access your account, check your last statement, transfer funds and pay your bill.

Little do you know that a program on your computer that you agreed to install—perhaps without knowing exactly what it did—is silently monitoring your actions, taking snapshots of the pages you visit and forwarding that information to a company that sells market "intelligence" to advertisers. That's if you're lucky. Worse yet, the program may be an hours-old online banking Trojan that captures your e-banking sessions and sends the information to a compromised server in Brazil or South Korea. And then ... who knows?

The details of the attacks vary, but one thing is certain: current anti-virus technology provides only sparse protection against the kinds of threats that Internet users face today. For more than a decade, anti-virus software has been a pillar of enterprise security programs. But times are changing.

Swamped by a flood of malicious software and under pressure from customers who want protection from a widening spectrum of threats, anti-virus experts are scrambling for new ways to sniff out the new breed of malicious programs. The explosion of current online threats could unseat traditional anti-virus technology and the companies that sell it from the front lines of computer defenses as users turn to more proactive technologies, experts say.

Researchers gathered at the recent Virus Bulletin International Conference here have seen malicious-code trends come and go: from the early boot sector viruses passed along on corrupted floppy disks, through early macro viruses that hid in Microsoft Office files, to the advent of sophisticated, self-replicating Internet viruses and worms such as Melissa, Code Red, Blaster and Slammer. But even virus industry veterans admit that the pace of change has quickened. The last two years have brought profound changes to the industry and the work of anti-virus researchers.

"In the old days, you were up against a teenager without a girlfriend, working alone in his bedroom," said Nick FitzGerald, an independent anti-virus researcher based in Christchurch, New Zealand, who has attended the Virus Bulletin conference for the last eight years.

Today, professional criminals have moved in and targeted a critical weakness in many anti-virus programs: their reliance on malicious-code signatures to spot threats. "Even really obsessed [teenagers] only put out new viruses once or twice a week—and they took holidays, too, and had tests to study for," FitzGerald said. "Now you have 18 or 20 new Bagle [worm] variants in 24 hours. Twenty-four or 30 bot [remote control software] variants a day."

Many anti-virus vendors have added heuristic detection to supplement anti-virus signatures, but criminals have responded, using packer programs to spew dozens of files with different signatures but identical contents. The result is that anti-virus companies can't keep ahead of the tide, FitzGerald said.
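To make the packer problem concrete, here is an added illustration (not from the article, and not any vendor's engine): a toy zlib-based container stands in for a real runtime packer, so that one payload yields many files with distinct hashes and byte layouts, and a scanner that matches only raw bytes misses all of them while one that unpacks first catches all of them. The payload, signature string and container format are all constructed for this example.

```python
import hashlib
import zlib
from typing import List, Optional

# Constructed sample: a stand-in for an executable body. The distinctive
# string below plays the role of the byte signature a scanner would carry.
PAYLOAD = b"HEADER\x00" + b"contact c2.example.invalid; steal creds" + b"\x00" * 64
SIGNATURE = b"contact c2.example.invalid"

def pack(payload: bytes, level: int, salt: bytes) -> bytes:
    """Toy packer: 4-byte tag, 4-byte per-variant salt, then zlib-compressed body."""
    return b"PK01" + salt + zlib.compress(payload, level)

def unpack(blob: bytes) -> Optional[bytes]:
    """Recognise the toy container and recover the original body, else None."""
    if not blob.startswith(b"PK01") or len(blob) < 8:
        return None
    try:
        return zlib.decompress(blob[8:])
    except zlib.error:
        return None

def signature_match(blob: bytes) -> bool:
    """Naive scanner: look for the signature in the raw file bytes only."""
    return SIGNATURE in blob

def unpack_then_scan(blob: bytes) -> bool:
    """Scanner with generic unpacking: raw scan, then scan of the unpacked body."""
    if signature_match(blob):
        return True
    body = unpack(blob)
    return body is not None and signature_match(body)

def make_variants(n: int) -> List[bytes]:
    """Produce n distinct files from one payload, as a packer-driven campaign would."""
    return [pack(PAYLOAD, (i % 9) + 1, i.to_bytes(4, "big")) for i in range(n)]

def evaluate(variants: List[bytes]) -> dict:
    """Compare how many variants each scanning strategy detects."""
    hashes = {hashlib.sha256(v).hexdigest() for v in variants}
    return {
        "variants": len(variants),
        "unique_hashes": len(hashes),            # one hash per variant: hash lists cannot keep up
        "raw_signature_hits": sum(signature_match(v) for v in variants),
        "unpack_scan_hits": sum(unpack_then_scan(v) for v in variants),
    }

if __name__ == "__main__":
    print(evaluate(make_variants(30)))
```

Real packers are far more varied than this container, which is why engines rely on emulation or generic unpacking rather than one unpack routine per packer.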

According to research by Greg Day, a security analyst at McAfee Inc., based in Santa Clara, Calif., the share of medium- and high-risk attacks for which a signature was already in place, versus those that required a signature update, has slid dramatically in recent years. Last year, approximately 90 percent of attacks occurred before there was a signature to stop them, compared with fewer than 50 percent in 2002.

Researchers at Kaspersky Lab, a Moscow-based anti-virus company, now receive 5,000 samples of malicious code each month, double what they received one year ago, said Eugene Kaspersky, head of anti-virus research. Kaspersky Lab's database of malicious code has grown by 50 percent in the last year, to more than 150,000 records, he said.

More shocking, some 80 percent of the malicious-code samples the company receives are written by online criminals to make money through identity theft or hacking. Just 5 percent are written by immature hackers or "script kiddies," Kaspersky said.

The commercialization and criminalization of the malicious-code-writing community is only one problem facing mainstream anti-virus vendors such as Symantec Corp., McAfee, Trend Micro Inc. and Sophos plc, which are accustomed to battling viruses and worms. Stealth techniques, changing distribution methods, and the blurring lines between malicious programs, spyware and adware are all putting pressure on the anti-virus old guard.


Spurred by advancements in techniques for hiding programs, especially on Windows-based machines, an increasing number of malicious programs contain features borrowed from rootkit programs that allow them to evade detection by anti-virus scanning programs.

Kaspersky Lab charted a steady rise in such stealthy programs in the last two years. This year, for instance, 31 examples of stealth malicious software were discovered in April, compared with just eight in January.

By intercepting operating system calls or communications with an operating system kernel, such stealth software hides many of the telltale signs that anti-virus scanners look for, such as executable file names, operating system registry entries and memory processes, according to Kimmo Kasslin, an anti-virus researcher at F-Secure Corp., of Helsinki, Finland, who spoke at the Virus Bulletin conference.
