It’s time for a change

2009-02-01

James Wolfe

Independent researcher, USA
Editor: Helen Martin

Abstract

James Wolfe calls for more scientific research, innovation and a change in the methodologies used in the fight against malware.


When I first became a hobbyist in anti-virus almost two decades ago, boot sector infectors were all the rage. Lately, comparisons have been drawn between the current USB-propagated infectors and boot sector infectors (see p.2) – but while there are some similarities they are mostly only superficial.

What is much more serious is the potential for system infection and data exfiltration. A big concern is the potential for data exfiltration to be perpetrated by an insider rather than via an external smash-and-grab. As an example of how easy it can be to exfiltrate a very large amount of data, it is now common to find USB sticks that can hold a full gigabyte of data, but which measure only 34mm x 12mm x 2mm – extremely easy to hide from standard physical security screening procedures. We need innovation from within the industry so that we can provide sensible protection for our customers’ data.

A few years ago I began to research the terrorism threat. I was halfway through writing a graduate-level course on the subject for a local university when it became necessary to dust off my virus research chapeau. The threat profile had changed. Whereas previously we had been up against the lone wolf, or the bored troll just goofing around, we now hear reports that professional criminals working in organized groups, and even nation states, are behind the scenes trying to compromise and/or steal data. How can we battle against that? Well, we certainly can’t depend on our current models of protection.

For years we had it easy in this industry. A new sample would be detected on a couple of systems somewhere in the world; it would be submitted to the anti-virus labs, where a new signature would be produced within a week. The outbreak would blow up into a worldwide event and we would ride to the rescue with the new signature. Today, with advanced persistent threats and targeted malware, a single new sample on a single computer can cause a customer irrevocable damage. There is no longer any consideration for the number of samples seen prior to releasing an update. Once again, we must look for the sensible way to protect the data.

What’s the problem?

What can we do to combat these new threats? Are the new threats even the real problem? Certainly, there are lots of possible solutions but I think we should address some deep-seated issues within the industry first.

Many of us in this industry pride ourselves on being researchers, so why aren’t we actually researching? Why aren’t we using our massive collective intelligence to out-think the criminals? In my mind, research implies advanced modelling and a forward-looking mentality. Remember the scientific model from your school days? Within that model was a problem statement and a hypothesis. Those are the first two steps in research – I haven’t seen a lot of that lately in this industry and it should be the most important part.

Why is it that, in much of the industry, R&D (research and development) has given way to M&D (marketing and development)? I understand the need to advertise, but why are we allowing the marketing departments to have input into what is produced? The industry started with some incredibly brilliant individuals who wrote programs to prevent the viruses of the day from interrupting a computer’s operation. Those innovators took their programs to market but kept firm control over how they were maintained. These days it almost seems as if the business model is for the non-technical departments to tell the technical developers how the program should work – and as a result a lot of unnecessary garbage is included.

I think it is time to admit that the anti-virus programs that we use today are dead. We cannot use the technology and methodologies of the 1990s and continue to be effective. It doesn’t work for the customer and (with thousands of samples being seen every day) it doesn’t work for the industry. No matter how many people are hired we can’t keep up – and who would want 100 megabyte (or more) daily signature updates anyway? The situation will only get worse unless we move back to the mainframe/terminal model. If the core players in the industry don’t do it, then someone outside the industry will come up with an innovation that will change the players in the industry cataclysmically.

Conclusion

Today, the threat environment largely drives how we respond to new security issues. This is a poor operational model. If we are going to continue to tout ourselves as research scientists then we need to use the scientific model, and nowhere within that model will you find marketing. Change is coming, and living in the past by using outdated tools and methodologies is not only doing our customers a disservice, but is a one-way ticket to extinction.

Where does this leave the anti-virus industry as a whole? Well, that’s for us to decide. Certainly any new approach we adopt needs to focus on innovation, research, and real proactive protection. It doesn’t mean the end of our industry, just a new way to do business. For years our adversaries have changed their methodologies to avoid us; have we ever really thought about changing ours? I think that now is the time for that change.

