At 5:07 p.m. on Dec. 21, 2004—almost a year ago to the day—the Santy worm surfaced in Moscow. It arrived at Kaspersky Lab in an E-mail message and was immediately assessed, categorized, and routed to a virus analyst.
At 5:14 p.m., after dissecting the worm with a software disassembler and various proprietary code-analysis tools, the virus analyst understood enough to generate the binary signature that Kaspersky's antivirus software would use to block the malware.
At 5:18 p.m., the signature was complete. It was submitted to a bank of some 30 computers to be tested on various operating systems and checked against a database of software and security fixes for compatibility, to make sure the cure wasn't as damaging as the disease.
A warning about the new worm appeared on the Kaspersky Web site at 5:33 p.m. At 5:40 p.m., the signature update was issued, and by 5:55 p.m., a more detailed description of how the worm worked had been posted on Kaspersky's viruslist.com site.
A year ago, having gotten all that done in less than an hour was an accomplishment for an antivirus company. Now, even that short time span may be too long. Malware—software created to cause damage or commit crimes—has proliferated in recent months as spam did before it. And the window of time between the appearance of malware and the point at which its impact becomes significant, combined with the overall increase in the amount of damaging code in circulation, has become such a challenge that anti-virus companies are having a hard time keeping up.
According to Eugene Kaspersky, head of virus research and co-founder of Kaspersky Lab, few antivirus companies are capable of maintaining a breakneck pace. The result is that customers may get protection only after their systems are infected.
"We had time before to figure out what they were doing," says Patrick Hinojosa, CTO of Panda Software USA. "Now we're up against very fast moving attacks that don't give us time to come up with a vaccine to adequately protect our client base."
"The game has definitely changed over the past few years, even in the past twelve months, about what is an acceptable speed of response to a new virus," says Richard Wang, manager of Sophos Labs U.S.
Kaspersky Virus Lab in Moscow says it receives between 200 and 300 new malware samples a day. U.K.-based Sophos reports that in 2005, the number of new threats rose by "a staggering 48%." Panda Software USA warns that more than 10,000 new bots—automated worms or Trojans that secretly infest PCs and turn them into zombies under a hacker's control—have appeared in 2005.
There's a concurrent trend that complicates matters: This year both the U.S. Computer Emergency Readiness Team and the U.S. Department of Energy Computer Incident Advisory Capability warned about a rise in targeted attacks. So while there's more malware in circulation, much of it affects fewer users because the attacks are targeted at specific groups such as customers or employees of a certain company—a strategy that generally produces better results for malware authors. This poses a particular challenge to the traditional antivirus companies, which have to see a threat to craft a defensive signature to block it.
Mastercard International in June disclosed a security breach that exposed some 40 million credit cards at CardSystems Solutions Inc., a processor of payment card data. According to Hinojosa, criminal hackers used custom code to exploit vulnerable software at the company in order to install a rogue program to help steal data. Targeted attacks of this sort are beyond the scope of what current antivirus software can protect against.
Apocalyptic news of rampant malware and abundant vulnerabilities is to be expected from an industry that profits from insecurity. But in a post of uncommon candor to his company's viruslist.com Web site in November, Eugene Kaspersky observed that the antivirus industry itself is vulnerable. He wrote, "Unfortunately, there are relatively few products available in shops or on the Internet which offer even close to 100% protection. The majority of products are unable even to guarantee 90% protection. And this is the main problem facing the antivirus industry today."
Kaspersky also cited the rising volume of malware, the speed at which it propagates, the increasingly criminal intent of malware authors, the trade-off between malware scan speed and effectiveness, and the general incompatibility of antivirus programs from different vendors, as issues facing the industry.
Further clouding the antivirus industry, the SANS Institute's recent report on the 20 most critical vulnerabilities of 2005 noted that holes in antivirus software itself had become a focus of attack, raising the possibility that the very software meant to protect companies might make them more vulnerable.
What's more, the industry as a whole suffered a black eye recently when security expert Bruce Schneier questioned why antivirus software from companies like McAfee and Symantec offered no protection against the vulnerabilities created by the XCP digital rights management software Sony BMG recently used to protect its music CDs.
Despite these problems, neither Kaspersky nor his company's competitors are willing to concede defeat. "[An] experienced attacker can develop such a malware which will be undetected by most (all) antivirus programs," he writes in an E-mail. "[An] experienced antivirus lab with [the] right knowledge and technologies is able to stand up against the attacks and develop the protection in time."
And that's as it should be—no one will pay a security vendor that doubts its defenses.
Yet there are clearly reasons for antivirus vendors to be insecure. As Kaspersky, Hinojosa, and others in the industry observe, current attack trends demand the development of proactive defenses because there's no longer enough time to muster broadly effective reactive defenses. "There're going to be those AV producers who make the switch from reactive to proactive, and there're going to be those who don't and who are no longer with us in 36 months," says Hinojosa.
The antivirus industry is working frantically to adapt. "Because viruses and Trojans use a greater variety of techniques, and a greater variety of means of delivery now, there's certainly a broadening in the capabilities of antivirus products," says Wang. That includes automated measures such as looking for suspicious behavior from software or users and blocking it and improved heuristic analysis to better recognize malware.
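The two approaches the article contrasts, the reactive cycle in the opening timeline (cut a byte signature from a sample, then check it against a corpus of clean software before release) and the heuristic scanning Wang describes, can be sketched side by side. The following is an added illustration written for this page; it is not code from the article or from Kaspersky, Panda or Sophos. The "worm" bytes, the clean corpus, the indicator patterns and the two-hit threshold are all constructed for the example.

```python
"""Toy signature extraction with a false-positive check against clean files,
next to a content heuristic that still fires when the sample is altered.
All inputs below are constructed stand-ins, not real malware."""
import re

PRINTABLE = frozenset(range(0x20, 0x7F))

# Constructed "worm": PE-style header, a double-URL-encoded web request and a
# shell command. Nothing here is taken from a real sample.
WORM = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"GET /forum/search.php?q=" + b"%2527" * 4 + b" HTTP/1.1\r\n"
    + b"cmd.exe /c copy worm.exe %windir%\\\r\n"
    + bytes(range(0x80, 0xA0))
)

# Constructed clean corpus: the "database of software" a candidate signature is
# checked against so that the cure is not as damaging as the disease.
CLEAN_CORPUS = {
    "notepad.exe": b"MZ\x90\x00" + b"\x00" * 12
                   + b"This program cannot be run in DOS mode.\r\n",
    "readme.txt": b"Fetch it with GET /index.html HTTP/1.1 and read the reply.\n",
    "access.log": b'10.0.0.7 - - "GET /forum/search.php?q=term HTTP/1.1" 200 512\n',
}


def extract_signature(sample, clean_corpus, length=12):
    """Return the first printable `length`-byte window of `sample` that occurs
    in no clean file, or None. Printable-only keeps the toy signature readable;
    real extractors also take code bytes. Windows shared with clean files are
    rejected: shipping them would quarantine legitimate software."""
    for i in range(len(sample) - length + 1):
        window = sample[i:i + length]
        if any(b not in PRINTABLE for b in window):
            continue
        if any(window in data for data in clean_corpus.values()):
            continue  # false positive against the clean corpus: reject
        return window
    return None


def scan_signature(data, signature):
    """Signature match: exact and fast, but blind to anything not seen before."""
    return signature in data


# Content heuristics. Each is weak on its own, so a verdict needs two or more.
INDICATORS = (
    ("double-URL-encoded request", re.compile(rb"GET /[^\r\n]*%25[0-9A-Fa-f]{2}")),
    ("spawns a command shell", re.compile(rb"cmd\.exe|/bin/sh")),
    ("executable carrying an HTTP request",
     re.compile(rb"\AMZ.*GET /[^\r\n]+HTTP/1\.[01]", re.S)),
)


def heuristic_hits(data):
    """Names of the indicators present in `data`, in INDICATORS order."""
    return [name for name, rx in INDICATORS if rx.search(data)]


def heuristic_verdict(data, threshold=2):
    return len(heuristic_hits(data)) >= threshold


def compare(sample, clean_corpus):
    """Run both detectors over the sample, a trivially altered variant of it,
    and the clean corpus. Returns a dict so the result can be asserted on."""
    sig = extract_signature(sample, clean_corpus)
    variant = sample.replace(b"?q=", b"?s=")  # one-byte change by the attacker
    return {
        "signature": sig,
        "sig_sample": scan_signature(sample, sig),
        "sig_variant": scan_signature(variant, sig),
        "heur_sample": heuristic_verdict(sample),
        "heur_variant": heuristic_verdict(variant),
        "sig_clean_fp": [n for n, d in clean_corpus.items() if scan_signature(d, sig)],
        "heur_clean_fp": [n for n, d in clean_corpus.items() if heuristic_verdict(d)],
    }


if __name__ == "__main__":
    for key, value in compare(WORM, CLEAN_CORPUS).items():
        print(f"{key}: {value!r}")
```

Two things in the output are worth noticing. The extractor skips every window that also appears in `access.log`, so the signature lands on `arch.php?q=%` rather than on the generic request prefix; that is the compatibility check from the timeline doing its job. And a one-byte change to the sample (`?q=` to `?s=`) defeats the signature while leaving all three heuristic indicators intact, which is the gap between reactive and proactive detection that Hinojosa and Wang describe. Real heuristics are far richer (emulation, behaviour monitoring) and carry their own false-positive cost, which is why a threshold is used here instead of a single indicator.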
As a result, virus research, which used to be an intellectual contest between security researcher and malware author, has become more automated, more rote. Mainly, that's because most malware authors today focus on releasing code quickly, as soon as an exploit becomes known, rather than trying to craft innovative attacks.
While Shane Coursen, Kaspersky Lab's senior technical consultant in the United States, maintains the work is still engaging, there's a hint of melancholy in the way he characterizes his job. "If you're a virus analyst that has been, say, doing this since the early '90s, it may not be as exciting as it used to be, but there's definitely an art in disassembling viruses," he says.
"We've had to switch to automating analysis and building tools into the software that can analyze an attack and new code before the researchers have a chance to see it," explains Hinojosa. That's necessary, he says, "because we often don't see something in the lab until it's halfway across the planet."
In effect, virus analysts face the task of training the computers that are replacing them. But don't mourn for them prematurely. Instead of making vaccines to inoculate computers after an outbreak, they're increasingly being asked to fortify the network immune system before the contagion spreads.
"A lot of the people including our guys and people like Eugene are now switching that deep knowledge of code into coming up with proactive defenses," explains Hinojosa. "It's still extremely challenging, it's just a matter of applying that knowledge in a slightly different direction. One chapter is closing, but a new one is opening."