Symantec is now admitting that traditional anti-virus solutions are losing the war against computer malware, according to a recent article in the Wall Street Journal.
“Antivirus is dead,” says Brian Dye, Symantec’s senior vice president for information security.
. . . hackers increasingly use novel bugs. Mr. Dye estimates antivirus now catches just 45% of cyberattacks.
Brian Krebs explains how cyber criminals are coming up with ‘novel bugs’ in more detail:
Put simply, a crypting service takes a bad guy’s piece of malware and scans it against all of the available antivirus tools on the market today – to see how many of them detect the code as malicious. The service then runs some custom encryption routines to obfuscate the malware so that it hardly resembles the piece of code that was detected as bad by most of the tools out there. And it repeats this scanning and crypting process in an iterative fashion until the malware is found to be completely undetectable by all of the antivirus tools on the market.
A traditional anti-virus service relies on a process of several steps to block malware. First the anti-virus company must obtain a copy of a new threat, and preferably several copies in case it is polymorphic. They examine it in the lab, and see if they can come up with a signature that is common to all the versions but will not generate false positives when run against other executables or binary files. The signature gets added to the company’s database and is made available for automatic download by client anti-virus applications. This can happen days or sometimes weeks after the malware sample was originally discovered. No wonder anti-virus software has a hard time keeping up with malware which is trivially mutated by its authors on a much more regular basis.
While there are some watering hole attacks, where a computer can be infected just by visiting a popular web site that has been compromised, a large percentage of malware is spread via email and mobile message spam, either with directly attached malware executables, or via messages containing clever social engineering calls to action that entice a user to download the malware from a web site. For both of these propagation methods, Cloudmark has methods of filtering which are far more successful than traditional host-based anti-virus.
Firstly, Cloudmark has visibility into the method of delivery as well as the malware sample or the call to action URL. It’s actually harder and more expensive for the attacker to mutate the method of delivery than it is to mutate the malware itself. While the wording of the message can change the IP address sending it, or other attributes of the message, are often invariant. Cloudmark can use these, as well as the malware content, to generate new anti-virus signatures automatically. This happens in the first seconds of distribution of a new malware variant. For malware messages that employ social engineering techniques where the malware is accessible on a web site linked from the message, we are able to quickly create signatures based on other aspects of that message.
Secondly, not only does Cloudmark generate signatures automatically, the decision that messages contain malicious content is based on feedback from the world’s largest network of trustworthy users, as well as honeypots and other spam traps. The process of new attack reception, detection, and interception happens in seconds rather than days. After a new outbreak is seen, Cloudmark’s global threat network is automatically updated, our deployed client applications download new signatures, and end users are protected against the threat.
While no solution is perfect, Cloudmark’s blocks better than 99% of inbound malware distributed via messaging, compared with the 45% that Symantec manages. Of course, technology is only one part of the equation and user education and awareness is also important. That is why we also constantly work to help educate users and provide details of the latest threats.