The Zero-Day Dilemma

Anti-virus companies such as Kaspersky Labs are working around the clock to keep zero-day attacks at bay.

The recent surge in malware attacks against zero-day flaws in some of the most widely used software packages confirms an IT administrator's worst nightmare: Stand-alone, signature-based anti-virus software offers no protection from sophisticated online criminals.

During 2006, there was a wave of zero-day attacks against Microsoft Office applications—through vulnerabilities known only to the attackers—that bypassed all anti-virus protection at the network and desktop level. Because traditional anti-virus technology depends on the ability to quickly capture malware samples, reverse-engineer the code to isolate its specific characteristics, and then write and release detection signatures, the zero-day attack presents a major dilemma: until a sample is in hand, there is nothing to write a signature against.

"Signatures have been dead for a long time now," said Roger Thompson, an anti-virus pioneer who now runs the Atlanta-based Exploit Prevention Labs, in an interview with eWEEK. "[Attackers] use new packers or tweak their code so that it's different enough to bypass signatures for a short while. By the time you get a signature out, it's too late. They've already hit enough targets."

The death of stand-alone, signature-driven anti-virus software has forced incumbent security software vendors to reshape their product lineups. Industry heavyweights such as Symantec, McAfee and Trend Micro are all rolling out converged suites, offering multiple capabilities including anti-spyware, personal firewall and endpoint policy enforcement, with intrusion prevention as the foundation.

In Moscow, the state of security is not lost on Eugene Kaspersky, founder and chief technologist at Kaspersky Lab, a privately held, 700-employee outfit.

"We're already there," Kaspersky declared, when confronted with the anti-virus eulogies. "There are no stand-alone anti-virus products anymore. It's now anti-everything. You have to do things like behavior blocking and heuristic detections and add anti-spam, anti-spyware, anti-rootkit capabilities to your software," Kaspersky said in an interview with eWEEK.

Kaspersky, a former military officer who founded the company in 1997 and oversaw its expansion into the United States, Europe and Asia, said he still believes there's value in the ability to respond to malware outbreaks in real time.

"We're losing this game with computer criminals. There are just too many criminals active on the Internet underground, in China, in Latin America, right here in Russia. We have to work all day and all night just to keep up," Kaspersky said.

In a room full of flat-screen monitors, Kaspersky shows off his "woodpeckers," a youthful crew of virus hunters responsible for tracking computer threats in real time and working around the clock to write and ship signatures to millions of computer users.

This is the company's secret sauce: its highly touted ability to ship anti-virus signatures every hour on the hour, seven days a week, 365 days a year.

"We just can't depend on signatures," Kaspersky said. "You need information backup, you need parental controls, you need anti-phishing. It's a different world today. Ten years ago, we were fighting against smart kids who hacked as a hobby. Now, we're dealing with criminal gangs that control your computer to make money. Different world, different protections."

The new protection suites must also feature data leak prevention and patch and configuration management; be bundled in a single console; and, more important, be sold at heavily reduced prices.

"This has been a great party while it lasted," said Jon Oltsik, an analyst with Enterprise Strategy Group. "These guys have been making money hand over fist, but things are changing. Customers are demanding more, and the [security companies] are now living in a competitive, lower-market world."

Vista Security

Oltsik said he believes the security improvements in Windows Vista and Microsoft's aggressive approach to selling its enterprise and consumer security offerings—directly and via the channel—will definitely affect smaller players such as Kaspersky Lab, but, in a discussion with eWEEK, he stressed that the bigger incumbents will feel it even more.

"I don't think anyone should be underestimating Microsoft," Oltsik said, pointing out that the company has pushed into the markets through acquisitions of Sybari for enterprise-grade anti-virus and Giant Company Software for anti-spyware and real-time malware protection.

Sybari has undergone a major makeover and is being rebranded as Microsoft Forefront; Giant's technology is now powering Microsoft's Windows Defender software.