It’s time for a change


James Wolfe

Independent researcher, USA
Editor: Helen Martin


James Wolfe calls for more scientific research, innovation and a change in the methodologies used in the fight against malware.

When I first became a hobbyist in anti-virus almost two decades ago, boot sector infectors were all the rage. Lately, comparisons have been drawn between the current USB-propagated infectors and boot sector infectors (see p.2) – but while there are some similarities they are mostly only superficial.

What is much more serious is the potential for system infection and data exfiltration. A big concern is the potential for data exfiltration to be perpetrated by an insider rather than via an external smash-and-grab. As an example of how easy it can be to exfiltrate a very large amount of data, it is now common to find USB sticks that can hold a full gigabyte of data, but which measure only 34mm x 12mm x 2mm – extremely easy to hide from standard physical security screening procedures. We need innovation from within the industry so that we can provide sensible protection for our customers’ data.

A few years ago I began to research the terrorism threat. I was halfway through writing a graduate-level course on the subject for a local university when it became necessary to dust off my virus research chapeau. The threat profile had changed. Whereas previously we had been up against the lone wolf, or bored troll just goofing around, we now hear reports that professional criminals working in organized groups, and even nation states, are behind the scenes trying to compromise and/or steal data. How can we battle against that? Well, we certainly can’t depend on our current models of protection.

For years we had it easy in this industry. A new sample would be detected on a couple of systems somewhere in the world, it would be submitted to the anti-virus labs where a new signature would be produced within a week. The outbreak would blow up into a worldwide event and we would ride to the rescue with the new signature. Today, with the advanced persistent threats and targeted malware, a single new sample on a single computer can cause a customer irrevocable damage. There is no longer any consideration for the number of samples seen prior to releasing an update. Once again, we must look for the sensible way to protect the data.

What’s the problem?

What can we do to combat these new threats? Are the new threats even the real problem? Certainly, there are lots of possible solutions but I think we should address some deep-seated issues within the industry first.

Many of us in this industry pride ourselves on being researchers, so why aren’t we actually researching? Why aren’t we using our massive collective intelligence to out-think the criminals? In my mind, research implies advanced modelling and a forward-looking mentality. Remember the scientific model from your school days? Within that model was a problem statement and a hypothesis. Those are the first two steps in research – I haven’t seen a lot of that lately in this industry and it should be the most important part.

Why is it that, in much of the industry, R&D (research and development) has given way to M&D (marketing and development)? I understand the need to advertise, but why are we allowing the marketing departments to have input into what is produced? The industry started with some incredibly brilliant individuals who wrote programs to prevent the viruses of the day from interrupting a computer’s operation. Those innovators took their programs to market but kept firm control over how they were maintained. These days it almost seems as if the business model is for the non-technical departments to tell the technical developers how the program should work – and as a result a lot of unnecessary garbage is included.

I think it is time to admit that the anti-virus programs that we use today are dead. We cannot use the technology and methodologies of the 1990s and continue to be effective. It doesn’t work for the customer and (with thousands of samples being seen every day) it doesn’t work for the industry. No matter how many people are hired we can’t keep up – and who would want 100 megabyte (or more) daily signature updates anyway? The situation will only get worse unless we move back to the mainframe/terminal model. If the core players in the industry don’t do it, then someone outside the industry will come up with an innovation that will change the players in the industry cataclysmically.


Today, the threat environment largely drives how we respond to new security issues. This is a poor operational model. If we are going to continue to tout ourselves as research scientists then we need to use the scientific model, and nowhere within that model will you find marketing. Change is coming, and living in the past by using outdated tools and methodologies is not only doing our customers a disservice, but is a one-way ticket to extinction.

Where does this leave the anti-virus industry as a whole? Well, that’s for us to decide. Certainly any new approach we adopt needs to focus on innovation, research, and real proactive protection. It doesn’t mean the end of our industry, just a new way to do business. For years our adversaries have changed their methodologies to avoid us. Have we ever really thought about changing ours? I think that now is the time for that change.


