Friday, July 31, 2009

Anti-Malware-Virus-Badware FAIL

In case I haven't said it enough yet ... "Anti-Virus" is a dead technology. Period.

Whether you call it "Anti-Malware" or the traditional "Anti-Virus" name, it doesn't matter: the concept was OK back when humans could keep up with virus writers, at least reasonably, but that time is over... by about 5 years.

Have you noticed how many new pieces of malware come out in a day? There has been a plethora of reports lately (like this one from Trend Micro) which are conclusive proof that current anti-malware solutions are failing miserably... but who's listening? Let's look at some of Trend Micro's metrics...

Between October 2008 and June 2009, Trend Micro performed over 100 assessments on enterprises worldwide and discovered that:

  • 100 percent of them were infected with active malware
  • 50 percent had at least one data-stealing malware hidden in their networks
  • 45 percent had multiple data-stealing malware infections
  • 72 percent had at least 1 IRC bot
  • 50 percent had 4 or more IRC bots
  • 83 percent had at least 1 malware Web download
  • 60 percent had more than 20 malware Web downloads
  • 35 percent had at least 1 network worm

Wow. Just WOW.

How do we justify what we spend on anti-malware defenses when we are still getting compromised, having our data stolen, and rooted over, and over, and over...???

I'll tell you how - the Kool-Aid that our management is drinking has gone to their heads. The sales and marketing campaigns that anti-malware companies have put behind these failed products are absolutely epic. The amount of money spent on marketing failed products like "anti-virus", I'm willing to bet, is more than most companies spend on their entire IT budgets in a single year! What does that all add up to? The current state of ignorant vulnerability. We as IT professionals buy into this technology because... why? Because there isn't anything better? Because it's what we've always done? Why aren't there better solutions?

While doing some research into malware recently I snagged a few pieces of code that were graciously given to me by "anonymous" (yes, the same person who posts comments here) ... which were hitting a 0% detection rate days, and in some cases weeks, after being deployed in the wild and racking up hundreds to thousands of infections. Sites such as VirusTotal and some of the other ones out there were (at best) detecting at ~5%... across all the major scan engines in existence.

Stop and think about this for a minute. The PCI-DSS requires that you set up and maintain a "vulnerability management program"... which effectively (by the document's current v1.2 standards) breaks down to "Requirement 5: Use and regularly update anti-virus software or programs". With metrics like near-zero detection rates, and Trend Micro's analysis showing 100% of companies compromised in some way... how do we justify this as even raising the bar? It's NOT raising any bars, ladies and gentlemen, not at all.

The industry best-practices, and guidelines are where the rubber meets the road for IT Security... and that point happens to be failing miserably right now.

So let's put out some suggestions then, right? For the average enterprise... this should be a no-brainer checklist...
  1. Take away administrative rights from everyone except administrators*
  2. *Administrators should only log in using admin accounts to perform specific duties
  3. Always make sure you're patched... make that a #1 priority
  4. Limit your users' access to non-filtered content (I highly recommend a white-list approach)
  5. Whenever possible use a read-only virtual machine where an infection would not persist

As far as vendors and innovation go - we've got to be able to do better than signature-matching... I just don't believe there isn't a better way. I recall back in the day Okena's StormWatch product (I think that was the name) had the right idea of essentially performing behavioral analysis on a machine to detect anomalies... but then Cisco bought them and... then came CSA. Hrmm...

What needs to be done is for some vendor to work directly with the OS manufacturer to effectively baseline processes, services, binaries and expected behaviors. I realize this is a monumental undertaking, but Microsoft and Apple (since we have to include them both here... both are equally vulnerable to user-end attacks) have a duty to their customers to work to build a secure operating environment.
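To make the baseline idea concrete, here is an added illustration (my own sketch, not code from the post or any vendor product): a known-good allowlist of binary path, hash and expected parent process, with observed processes classified against it. All paths, hashes and process records are constructed sample data.

```python
import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: binary path -> expected image hash and the parent
# processes it is normally launched from. Hashes are of made-up byte strings,
# standing in for hashes of the real installed binaries.
BASELINE = {
    r"C:\Windows\explorer.exe": {"sha256": sha256(b"explorer-v1"), "parents": {"userinit.exe"}},
    r"C:\Windows\System32\svchost.exe": {"sha256": sha256(b"svchost-v1"), "parents": {"services.exe"}},
    r"C:\Program Files\Office\winword.exe": {"sha256": sha256(b"winword-v1"), "parents": {"explorer.exe"}},
}


@dataclass
class Process:
    path: str        # full path of the running image
    image_hash: str  # SHA-256 of the image file on disk
    parent: str      # image name of the parent process


def classify(proc: Process) -> str:
    """Verdict for one observed process: deviation from the baseline, not a signature match."""
    entry = BASELINE.get(proc.path)
    if entry is None:
        return "unknown-binary"       # not in the allowlist: a user add-on, or malware
    if entry["sha256"] != proc.image_hash:
        return "hash-mismatch"        # binary changed: a patch, or tampering; re-baseline or investigate
    if proc.parent not in entry["parents"]:
        return "unexpected-parent"    # known binary launched from an unusual place
    return "baseline"


def find_anomalies(procs):
    """Everything that is not 'normal and good' according to the baseline."""
    anomalies = []
    for p in procs:
        verdict = classify(p)
        if verdict != "baseline":
            anomalies.append((p.path, verdict))
    return anomalies


# Constructed snapshot of a machine's process list, with three deviations planted.
OBSERVED = [
    Process(r"C:\Windows\explorer.exe", sha256(b"explorer-v1"), "userinit.exe"),
    Process(r"C:\Windows\System32\svchost.exe", sha256(b"svchost-v1"), "winword.exe"),
    Process(r"C:\Program Files\Office\winword.exe", sha256(b"winword-v2"), "explorer.exe"),
    Process(r"C:\Users\bob\AppData\Local\Temp\update.exe", sha256(b"unknown-image"), "winword.exe"),
]
```

Note how the hash-mismatch case is the operational cost the post alludes to: every legitimate patch changes the baseline, so the vendor has to ship baseline updates in step with the OS, which is why the post argues the OS manufacturer must be involved.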

The most difficult part of this, of course, is all the add-ons that will inevitably come along... messaging clients, gadgets and widgets, games, end-user utilities and other toys that users simply can't help themselves but download and install. But there has to be an alternative to signatures.

Of course... every once in a while you read about something like this... and it just takes every security counter-measure from the OS level and up and throws it in the trash. C'est la vie.

If you'd like to read more on the topic... or simply want to read about the apathy that exists out there from these atrocious numbers, read George V. Hulme's (@GeorgeVHulme on Twitter) article "Uncomfortably Numb: Malware Counts".

ekse said...

While I agree with most of what you said, I would strongly advise against "4 Limit your user's access to non-filtered content (I highly recommend a white-list approach)", except maybe for people working in finance or dealing with confidential data, law enforcement or health services for example. I personally use the web all the time while at work and find it far more efficient to do a search on google when I have a programming-related question than to look in a book. Being limited to a white-listed set of websites would be really limiting. Also, this solution is not applicable for home users and it is as important to find a way to fix this malware problem for these users too.

Another thing that we learnt from nature is that diversification helps to mitigate infestations. While it may be tougher to manage, having a uniform environment (all Windows XP desktops for instance) is calling for a disaster, because it only takes one piece of malware to get through for the whole environment to be infected. And like you mentioned, there are viruses that pass under the radar of all the major anti-virus today.

dookie2000ca said...

I fully agree that AV "Solutions" are doing a terribly ineffective job at detecting brand-spanking-new malware out in the wild but that, in my opinion, doesn't make them completely useless. I don't think anybody really believes that signature-based matching is the way to solve the malware epidemic but we are still seeing antiques such as SillyFDC being picked up on USB devices, etc.
Assuming you're doing proper incident handling and management, you would be compiling a database of things that are being picked up by AV and using that data to push for the excellent mitigations outlined in your post.

j.prost said...

Sana Security had a solution that attempted to provide a more heuristic approach to system protection. It did baseline system usage (cpu, memory, processes, etc). The problem is that then as I'm sure is the case now, the theory is far better than the actual practice.

I personally believe, as you seem to, that the solution is not to protect by cataloging the bad, but by doing a better job of knowing normal and good. I doubt that a 3rd party will be able to maintain a product that effectively tracks with an OS's evolution, therefore the OS developers have to push it into their own code. With non-Microsoft OS's leaving just as much to be desired, I'm not left with any comfort that it will be done.

Perhaps the laws of economics have simply overtaken the issue. There is an AV/AM market, and in such a market software and OS developers either have a responsibility to it, or elect to not concern themselves with secure code. I know that my job would suffer greatly if network and data security were to phase away over the next 12 months.