Experts at the RSA show in San Francisco have raised doubts about the ability of today's signature-based security software to fend off new viruses and worms.
Signature-based technologies are now "crumbling under the pressure of the number of attacks from cybercriminals," said Art Coviello, president of RSA, the security division of EMC. This year alone, about 200,000 virus variants were expected to be released, he said. At the same time, antivirus companies were, on average, at least two months behind in tracking malware, while "static" intrusion-detection systems could intercept only about 70 percent of new threats.
"Today, static security products are just security table stakes," Coviello said. "Tomorrow, they'll be a complete waste of money. Static solutions are not enough for dynamic threats."
What's needed instead are multilayered defenses - and a more information-centric security model, Coviello said. "[Antivirus products] may soon be a waste of money, not because viruses and worms will go away," but because behaviour-blocking and "collective intelligence" technologies will be the best way to effectively combat viruses, he said.
Unlike the low-variant, high-volume threats of the past, next-generation malware is designed explicitly to beat signature-based defences by coming in low-volume, high-variant waves, said Amir Lev, president of Commtouch Software, an Israeli vendor whose virus-detection engines are widely used in several third-party products.
Until last year, most significant e-mail threats aimed for wide distribution of the same malicious code, Lev said. The goal in writing such code was to infect as many systems as possible before antivirus vendors could propagate a signature. Once a signature became available, such viruses were relatively easy to block.
New server-side polymorphic virus threats like the recent Storm worm, however, contain a staggering number of distinct, low-volume and short-lived variants and are impossible to stop with a single signature, Lev said. Typically, such viruses are distributed in successive waves of attacks in which each variant tries to infect as many systems as possible and stops spreading before antivirus vendors have a chance to write a signature for it.
Storm had more than 40,000 distinct variants and was distributed in short, rapid-fire bursts of activity in an effort to overwhelm signature- and behaviour-based antivirus engines, Lev said.
By the time a signature is released for one variant, it has often already stopped circulating and has been replaced by several other variants, he said.
Hackers have begun employing the same techniques with self-mutating Trojan programs, said Eugene Kaspersky, founder of security vendor Kaspersky Lab. Such Trojans are planted on malicious Web sites and can mutate with every download, making them very hard to detect. The result: Each user who visits a Web site infected with such a Trojan can be infected with a different version of the same program.
"We have to develop a special utility to extract this junk out of the malicious code, but it takes time" because each Trojan is a distinct variant, he said. So far, efforts to develop an automated tool for fighting such Trojans have proved "challenging," Kaspersky said.
An early example of a mutating Trojan was Swizzor, a Trojan download program discovered early last year that used a "packer" tool to encrypt the code and evade detection by signature-based tools. Swizzor repacked itself once per minute and recompiled itself once every hour to get past virus defenses.
Polymorphic code that mutates the malware, combined with encryption to evade detection, were only a couple of the techniques being used by malicious hackers to get past signature-based tools.
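The detection gap described by Lev and Kaspersky can be made concrete with a small, constructed model. The following Python is an added example, not code from the article or from any of the vendors named in it. It uses a harmless marker string as a stand-in for the invariant malware body and a toy "packer" (an assumed format with a `PK1` marker, a one-byte XOR key and variable junk) to produce a wave of distinct files, the way a server-side repacker or a per-download mutating Trojan would. It then compares three defender-side approaches: an exact file-hash signature for the one sample the vendor has seen, a generic signature on the packer stub, and unpacking the sample to match the invariant body, which is the simplest form of the emulation and behaviour-based checks the speakers argue for.

```python
"""Constructed model of server-side polymorphism versus three detection strategies.
Added example for illustration only; the packer format and payload are invented."""
import hashlib
import random

# Constructed stand-in for the invariant malware body; a harmless marker string.
BODY = b"CONSTRUCTED-SAMPLE-BODY: harmless placeholder standing in for the payload"
MAGIC = b"PK1"  # assumed marker of the toy packer's stub, not a real packer format


def pack_variant(body: bytes, key: int, junk: bytes) -> bytes:
    """Toy 'repacker': XOR the body with a one-byte key and prepend variable junk.
    Each call with a fresh key and junk yields a new file with a new hash."""
    assert 1 <= key <= 255, "key 0 would leave the body in the clear"
    assert len(junk) < 256, "junk length is stored in a single byte"
    return MAGIC + bytes([key, len(junk)]) + junk + bytes(b ^ key for b in body)


def unpack(sample: bytes):
    """Defender-side unpacker for the toy format; returns the invariant body or None."""
    if not sample.startswith(MAGIC) or len(sample) < len(MAGIC) + 2:
        return None
    key, junk_len = sample[3], sample[4]
    return bytes(b ^ key for b in sample[5 + junk_len:])


def make_wave(n: int, seed: int = 7):
    """Constructed 'wave' of n variants of the same body, deterministic via the seed."""
    rng = random.Random(seed)
    wave = []
    for i in range(n):
        key = 1 + i % 255
        junk = bytes(rng.randrange(256) for _ in range(rng.randrange(4, 32)))
        wave.append(pack_variant(BODY, key, junk))
    return wave


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def detect_by_file_hash(wave, known_files):
    """Classic exact signature: matches only files the vendor has already seen."""
    return sum(sha256(s) in known_files for s in wave)


def detect_by_stub(wave):
    """Generic signature on the packer stub rather than on the payload."""
    return sum(s.startswith(MAGIC) for s in wave)


def detect_by_unpacked_body(wave, known_bodies):
    """Unpack (emulate) first, then match the invariant body underneath."""
    hits = 0
    for s in wave:
        body = unpack(s)
        if body is not None and sha256(body) in known_bodies:
            hits += 1
    return hits


def compare(n: int = 40):
    """Run one wave of n variants against the three detectors and report hit counts."""
    wave = make_wave(n)
    known_files = {sha256(wave[0])}   # the single variant the vendor managed to sign
    known_bodies = {sha256(BODY)}     # the invariant body an analyst extracted once
    return {
        "variants": n,
        "file_hash_hits": detect_by_file_hash(wave, known_files),
        "stub_hits": detect_by_stub(wave),
        "unpacked_body_hits": detect_by_unpacked_body(wave, known_bodies),
    }


if __name__ == "__main__":
    print(compare())
```

Running `compare()` shows the per-file signature catching one variant out of forty while the stub match and the unpack-then-match check catch all of them. The second and third strategies are what "static" signatures lack: they key on what the attacker cannot cheaply change (the unpacking routine and the payload it reveals) rather than on the bytes that change with every download. In real engines the unpacker is a generic emulator or sandbox and the stub match is a heuristic or machine-learned classifier, but the reason they scale where per-variant signatures do not is the same.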