Its Monday: time to pay your monthly credit card bill. A tech-savvy consumer, you log on, open your Web browser and surf to MBNA. com, a site run by the bank that issued your card. Once there, you enter your user name and password, access your account, check your last statement, transfer funds, and pay your bill.
Little do you know that a program on your computer that you agreed to install—perhaps without knowing exactly what it did—is silently monitoring your actions, taking snapshots of the pages you visit and forwarding that information to a company that sells market “intelligence” to advertisers. Thats if youre lucky. Worse yet, the program may be an hours-old online banking Trojan that captures your e-banking sessions and sends the information to a compromised server in Brazil or South Korea. And, then … who knows?
The details of the attacks vary, but one thing is certain: current anti-virus technology provides only sparse protection against the kinds of threats that Internet users face today. For more than a decade, anti-virus software has been a pillar of enterprise security programs. But times are changing.
Swamped by a flood of malicious software and under pressure from customers who want protection from a widening spectrum of threats, anti-virus experts are scrambling for new ways to sniff out the new breed of malicious programs. The explosion of current online threats could unseat traditional anti-virus technology and the companies that sell it from the front lines of computer defenses as users turn to more proactive technologies, experts say.
Researchers gathered at the recent Virus Bulletin International Conference here have seen malicious-code trends come and go: from the early boot sector viruses passed along on corrupted floppy disks, through early macro viruses that hid in Microsoft Office files, to the advent of sophisticated, self-replicating Internet viruses and worms such as Melissa, Code Red, Blaster and Slammer. But even virus industry veterans admit that the pace of change has quickened. The last two years have brought profound changes to the industry and the work of anti-virus researchers.
“In the old days, you were up against a teenager without a girlfriend, working alone in his bedroom,” said Nick FitzGerald, an independent anti-virus researcher based in Christchurch, New Zealand, who has attended the Virus Bulletin conference for the last eight years.
Today, professional criminals have moved in and targeted a critical weakness in many anti-virus programs: their reliance on malicious-code signatures to spot threats. “Even really obsessed [teenagers] only put out new viruses once or twice a week—and they took holidays, too, and had tests to study for,” FitzGerald said. “Now you have 18 or 20 new Bagle [worm] variants in 24 hours. Twenty-four or 30 bot [remote control software] variants a day.”
Many anti-virus vendors have added heuristic detection to supplement anti-virus signatures, but criminals have responded, using packaging programs to spew dozens of files with different signatures but identical contents. The result is that anti-virus companies cant keep ahead of the tide, FitzGerald said.
According to research by Greg Day, a security analyst at McAfee Inc., based in Santa Clara, Calif., the percentage of medium- and high-risk attacks for which signatures were already in place compared with those attacks for which a signature update was needed has slid dramatically in recent years. Last year, approximately 90 percent of attacks occurred before there was a signature to stop them, compared with fewer than 50 percent in 2002.
Researchers at Kaspersky Lab, a Moscow-based anti-virus company, now receive 5,000 samples of malicious code each month, double what they received one year ago, said Eugene Kaspersky, head of anti-virus research. Kaspersky Labs database of malicious code has grown by 50 percent in the last year, to more than 150,000 records, he said.
More shocking, some 80 percent of the malicious-code samples the company receives are written by online criminals to make money through identity theft or hacking. Just 5 percent are written by immature hackers or “script kiddies,” Kaspersky said.
The commercialization and criminalization of the malicious-code-writing community is only one problem facing mainstream anti-virus vendors such as Symantec Corp., McAfee, Trend Micro Inc. and Sophos plc. that are accustomed to battling viruses and worms. Stealth techniques, changing distribution methods, and the blurring lines between malicious programs, spyware and adware are all putting pressure on the anti-virus old guard.
Spurred by advancements in techniques for hiding programs, especially on Windows-based machines, an increasing number of malicious programs contain features borrowed from rootkit programs that allow them to evade detection by anti-virus scanning programs.
Kaspersky Lab charted a steady rise in such stealthy programs in the last two years. This year, for instance, 31 examples of stealth malicious software were discovered in April, compared with just eight in January.
By intercepting operating system calls or communications with an operating system kernel, such stealth software hides many of the telltale signs that anti-virus scanners look for, such as executable file names, operating system registry entries and memory processes, according to Kimmo Kasslin, an anti-virus researcher at F-Secure Corp., of Helsinki, Finland, who spoke at the Virus Bulletin conference.
Threats come from different
Eric Chien, a researcher at Symantec, of Cupertino, Calif., said rootkit features are even creeping into legal and quasi-legal advertising software, which is often flagged by anti-virus scanners.
In a presentation titled “Techniques of Adware and Spyware,” Chien cited examples of rootkit features in advertising software such as Elitebar and CommonName.
While there is nothing illegal about the techniques used to hide these programs, the behavior is suspicious when used in combination with other controversial behaviors, such as user monitoring, Chien said.
Major global virus and worm outbreaks such as Code Red, Slammer and Sasser revealed the extent to which computer users, companies and even governments are interconnected in the shared ecosystem of the Internet. However, changes in the way malicious code is distributed have made Internet attacks and malicious-code outbreaks a local rather than global affair, said Kevin Hogan, a senior manager at Symantec.
“In the past, people would write worms and release them,” Hogan said. “Now youve got bots and Trojans that are spammed out to particular companies or IP address ranges.”
“We might have a virus thats rated Category 2, but weve got a customer who says that its a Category 3 or 4 for them,” he said.
Anti-virus companies have historically shared malicious-code samples with one another to protect the broad Internet population. With focused attacks and the explosion in threats, anti-virus companies are being pulled in different directions to protect their customers. Increasingly, companies are prioritizing the viruses and malicious software their customers report and paying less attention to viruses submitted by competitors, FitzGerald said.
Over time, the specialization of attacks could create a balkanized anti-virus community in which different tools become specialized for a certain customer population but cannot detect viruses and malicious code from other parts of the Internet, FitzGerald said.
Even more worrisome for anti-virus vendors are changes in malicious-code distribution methods that circumvent anti-virus scanning engines on e-mail servers, network gateways or users desktops.
The DNS (Domain Name System) cache poisoning attacks in March and the growing popularity of index hijacking—in which Google search results are tainted with URLs for Web pages that download malicious programs—are evidence that online criminals no longer need to push their creations out to victims but can lure them to sites where the victims unwittingly pull down viruses, Trojans, keyloggers and other programs, according to a presentation by Igor Muttik, senior architect at McAfee AVERT (Anti-Virus Emergency Response Team).
The malicious content often passes as harmless Web traffic, evading detection by gateway and desktop scanning engines, Muttik said.
Anti-virus companies also must contend with countless examples of quasi-legitimate advertising programs that purport to provide “value” to computer users in exchange for access to their desktop computers and their Web surfing and shopping habits.
The programs are created and distributed by companies such as 180Solutions Inc. and Direct Revenue LLC and are often bundled with free, “advertising-supported” software, such as Kazaa peer-to-peer clients, which users agree to install.
Advertising software frequently modifies host systems in a number of areas and creates dependencies with other software on the system, which makes it more difficult to remove from computers than viruses, Symantecs Chien said.
Bundling relationships make it difficult to determine whether the user wants—or instead is legally bound to have—adware and opens anti-virus companies to the possibility of lawsuits from adware vendors, said Chien.
Moreover, software from advertisers often gets installed in ways that are clearly illegal, anti-virus experts agree. Chien said he observed software from 180Solutions bundled with pirated content, such as movies and cracked software.
Even when the software is distributed and installed legitimately, it can be almost impossible to untangle the thicket of interconnected Web sites, distribution servers and shell Web properties that are used to distribute advertising software, said Joe Telafici, director of operations at McAfee AVERT. Telafici is one of two McAfee researchers who spent a month analyzing “the Transponder Gang,” a web of sites that distribute adware from Direct Revenue.
Telaficis team dug into a network of unique but structurally identical Web sites. The sites, such as pynix.com, mx-targeting.com and offeroptimizer.com, were linked to Direct Revenue adware. The investigative work revealed a complex infrastructure for distributing browser helper objects, plug-ins that collect information on the computer owners behavior in exchange for “services” such as Internet searching.
McAfee researchers found that the shell Web sites, which were little more than empty fronts, provided a patina of respectability to the adware, while also providing brand coverage for Direct Revenue, Telafici said.
IT has trouble keeping
It is no news to enterprise IT managers that anti-virus technologies are having trouble keeping up with the flood of new threats.
“The way I look at it, anti-virus is mainly a scanning and removal tool,” said Praneeth Machettira, online technology director at the Office of Technology Management at Suffolk University Business School, in Boston.
Suffolk uses Symantecs corporate anti-virus products, but that didnt stop a recent variant of the Sobig worm from infecting about 50 machines on the schools network after an unpatched Windows server with access to the Internet was infected.
The machines were not patched because Suffolk was doing maintenance on them and Symantecs anti-virus product didnt stop the worm, even though Suffolk had a signature that could detect the worm within 5 hours of its appearance, Machettira said. “You could blame it on bad timing, but thats life,” he said.
The new threats dont make anti-virus technology irrelevant, but they do change its role within enterprises, said Hogan of Symantec.
If anti-virus software isnt a reliable frontline defense against malicious code, it still has value, said John Pescatore, an analyst at Gartner Inc., of Stamford, Conn. “Signatures are always the most efficient way to block [threats] with the least false alarms and number of compute cycles required,” Pescatore said.
Signature-based detection is still valuable for protecting e-mail and for detection at the network perimeter, but its value on the desktop is primarily for cleanup, said Pescatore. “Its a technology thats necessary but not sufficient,” he said.
The accuracy that signature-based detection offers is also important for companies to be able to show compliance with data privacy regulations. However, anti-virus scanning technology will need to be joined with other data culled from vulnerability scans and threat analysis, said Ken Dunham, director of malicious code at iDefense Inc., of Reston, Va.
Many anti-virus companies have added or are planning to add technology to their core anti-virus software to boost detection capabilities.
Most major anti-virus vendors have long since added anti-spam detection capabilities to their products.
Anti-virus giants McAfee and Symantec have both added, or are adding, behavioral-based detection to their offerings. In August 2004, McAfee added components from its Entercept IPS (intrusion prevention system) technology that can spot buffer overflow attacks to VirusScan Enterprise Version 8.0.
Symantec recently acquired WholeSecurity Inc. and plans to use the companys behavioral detection technology to update both its Norton Internet Security desktop products and its enterprise product line, said Mark Obrecht, vice president of research at WholeSecurity, based in Austin, Texas.
Kaspersky Lab will have about 15 or 20 detection technologies bundled with the next version of its security suite early next year, Kaspersky said.
Those features include a script checker to detect malicious code running on Web pages; a behavior blocker; and integrated firewall, anti-phishing and anti-rootkit technologies.
The upgrade will be about 50 percent more complicated than the current product, Kaspersky said.
Sophos doesnt plan to add behavioral technology, which it feels is too prone to falsely detecting legitimate activity as malicious, said Graham Cluley, a senior technology consultant. However, the Abingdon, England, company is adding a client firewall to its standard desktop client within the next year to provide better defenses against malicious code that can otherwise sneak onto the desktops of mobile employees, said Cluley.
The blossoming of new features may be a sign that the desktop protection market is finally maturing, said Gartners Pescatore. “Instead of anti-virus for this, personal firewall for that, and waiting for desktop protection, you have one product that can block all the threats using different methods,” he said.
At Suffolk, IT administrators are deploying behavioral-based detection technology from Sana Security Inc. to supplement Symantecs anti-virus technology and other security systems, Machettira said.
In the end, though, even layered detection technologies cant stop users who are bound and determined to open malicious e-mail attachments, visit nefarious Web sites or click on suspicious URLs, he said.