Virus Fighters Can't Keep Up - InformationWeek




Fast-moving malware has the antivirus industry looking for a new strategy that focuses on proactive, automated tools

At 5:07 p.m. on Dec. 21 a year ago this week, the Santy worm arrived at Kaspersky Lab in Moscow via an E-mail message. It was immediately assessed, categorized, and routed to a virus analyst. By 6 p.m., the analyst had dissected the worm and generated a binary signature that the lab's antivirus software could use to block it.

But such a quick response to malware is becoming difficult, and in some cases even an hour may be too long. Fast-propagating malware has been on the increase in recent months, and companies that develop and sell software to stop new forms of damaging code admit they're having difficulty keeping up.

In a post of uncommon candor to his lab's Web site in November, Eugene Kaspersky described the scope of the problem. "Unfortunately, there are relatively few products available in shops or on the Internet which offer even close to 100% protection," he wrote. "The majority of products are unable even to guarantee 90% protection. And this is the main problem facing the antivirus industry today."

[Photo: An analyst at Kaspersky Lab points out damaging computer code. Photo by Mashkov Yuri/Itar Tass]

Kaspersky cited the rising volume of malware, the speed at which it propagates, the increasingly criminal intent of malware authors, the trade-off between malware scan speed and effectiveness, and the general incompatibility of antivirus programs from different vendors as issues facing the industry.

Panda Software USA is one of the antivirus vendors trying to cope with more-sophisticated hackers. "We had time before to figure out what they were doing," says Patrick Hinojosa, Panda Software's chief technology officer. "Now we're up against very fast-moving attacks that don't give us time to come up with a vaccine to adequately protect our client base."

Kaspersky Lab receives 200 to 300 new malware samples a day. Sophos plc, a U.K. research lab, reports that the number of new threats rose by 48% this year. Panda Software warns that more than 10,000 new bots--automated worms or Trojans that infest PCs and turn them into zombies under a hacker's control--have appeared in 2005. "The game has definitely changed over the past few years, even in the past 12 months, about what is an acceptable speed of response to a new virus," says Richard Wang, manager of Sophos labs.

The trend toward attacks aimed at a group, such as a bank's credit-card customers, also creates challenges. Antivirus companies have to see a threat to craft a defensive signature to block it--a difficult task when malware isn't widespread.

Proactive defenses are needed because there's no longer enough time for broadly effective reactive defenses. "There are going to be those [antivirus] producers who make the switch from reactive to proactive, and there are going to be those who don't and who are no longer with us in 36 months," Hinojosa says.

Adapt Or Die?

Antivirus companies are working frantically to adapt. Since viruses and Trojans are using a broader range of techniques and a greater variety of delivery methods, products need to broaden the capabilities they offer to fight back, Sophos' Wang says. That includes automated measures such as looking for suspicious behavior from software or users and blocking it, and improved heuristic analysis to better recognize malware.

Most malware authors are focused on releasing code quickly, as soon as an exploit becomes known, rather than trying to craft innovative attacks. As a result, virus research, which used to be an intellectual contest between security researcher and malware author, has become more automated. "We've had to switch to automating analysis and building tools into the software that can analyze an attack and new code before the researchers have a chance to see it," explains Hinojosa. That's necessary, he says, "because we often don't see something in the lab until it's halfway across the planet."
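The contrast the article draws between a hand-crafted binary signature (the Santy response at Kaspersky Lab) and the automated, heuristic analysis Wang and Hinojosa describe can be shown in a few lines. The following is an added illustration, not code from the article or from Kaspersky, Panda or Sophos: the "samples" are constructed byte strings standing in for executables, the indicator list and weights are a toy set chosen for the example, and the fixed-offset signature window is an assumption about how an analyst might pick a pattern. What it demonstrates is that an exact byte signature extracted from one sample stops matching after a trivial reordering of the same code, while a scorer that looks at what the sample contains (and whether its body looks packed) still flags the variant.

```python
"""Toy comparison of exact-byte signatures and heuristic scoring.

Added example; not the article's or any vendor's code. All samples are
constructed, harmless byte strings, and the indicator table is illustrative.
"""
import math
import random
from collections import Counter

HEADER_LEN = 16
HEADER = b"MZ-toyhdr" + b"\x00" * 7          # constructed 16-byte "header"

# Constructed samples. A "file" is the header followed by a string table.
BENIGN = HEADER + b"GetWindowTextA;WriteFile;hello world report generator" + b"\x00" * 32
WORM_V1 = HEADER + b"URLDownloadToFile;WriteProcessMemory;CreateRemoteThread;smtp-spray" + b"\x00" * 32
# Same imports, same behaviour, but the string table was emitted in a
# different order. Enough to defeat a byte pattern taken from WORM_V1.
WORM_V2 = HEADER + b"WriteProcessMemory;URLDownloadToFile;CreateRemoteThread;smtp-spray" + b"\x00" * 32
# A "packed" variant: the body is deterministic pseudo-random filler standing
# in for an encrypted payload, so no readable indicator strings remain.
_rng = random.Random(7)
WORM_V3 = HEADER + bytes(_rng.getrandbits(8) for _ in range(512))

# Illustrative indicator weights (assumed, not any product's real rules).
INDICATORS = {
    b"CreateRemoteThread": 3,
    b"WriteProcessMemory": 3,
    b"URLDownloadToFile": 2,
    b"smtp": 1,
}
ENTROPY_THRESHOLD = 6.5      # bits per byte; above this the body looks packed
PACKED_WEIGHT = 5
HEURISTIC_THRESHOLD = 5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; uniform random data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extract_signature(sample: bytes, offset: int = HEADER_LEN, length: int = 24) -> bytes:
    """Analyst-style signature: a fixed window of bytes after the header."""
    return sample[offset:offset + length]


def signature_match(data: bytes, signature: bytes) -> bool:
    return signature in data


def heuristic_score(data: bytes) -> int:
    """Score by which indicators are present, regardless of their order,
    plus a penalty when the body's entropy suggests packing/encryption."""
    score = sum(weight for token, weight in INDICATORS.items() if token in data)
    if shannon_entropy(data[HEADER_LEN:]) > ENTROPY_THRESHOLD:
        score += PACKED_WEIGHT
    return score


def classify(data: bytes, signatures: list) -> str:
    """Reactive tier first (exact signatures), then the heuristic tier."""
    if any(signature_match(data, sig) for sig in signatures):
        return "known-malware"
    if heuristic_score(data) >= HEURISTIC_THRESHOLD:
        return "suspicious"
    return "clean"


# The signature an analyst would have cut from the first sample seen.
SIGNATURE_V1 = extract_signature(WORM_V1)   # b"URLDownloadToFile;WriteP"


if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("worm v1", WORM_V1),
                         ("worm v2 (reordered)", WORM_V2), ("worm v3 (packed)", WORM_V3)]:
        print(f"{name:22s} signature={signature_match(sample, SIGNATURE_V1)!s:5s} "
              f"score={heuristic_score(sample):2d} -> {classify(sample, [SIGNATURE_V1])}")
```

Running it shows the signature tier catching only the exact sample it was derived from, while the heuristic tier flags both the reordered and the packed variants and leaves the benign file alone. The packed-body rule is also where the trade-off Kaspersky mentions lives: legitimate software is packed too, so a weight that is high enough to catch v3 on its own will produce false positives unless it is combined with other evidence.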

Such changes are necessary if antivirus vendors are to stand a chance of keeping up with the bad guys. "It's still extremely challenging; it's just a matter of applying that knowledge in a slightly different direction," Hinojosa says. "One chapter is closing, but a new one is opening."
