The latest Defcon-hosted Race to Zero malware contest turned out to be a headline-grabbing exercise that told us little we didn’t already know about the limitations of anti-malware scanners.
Perhaps that’s being harsh, but does the hardened security-watcher need reminding that signature-based anti-malware scanning has its problems?
The concept is provocative and slightly unfair. Take a number of virus samples (Netsky, Bagle, Sasser, Zlob, Welchia, and Virut, and the archaeological DOS virus Stoned), and modify them as quickly as possible, one at a time, to circumvent five leading AV engines, minus Symantec for some unknown reason. Three well-known Windows exploits were also thrown into the mix for good measure.
One team reportedly managed the feat in only five hours, from altering the signature of the malware to actually sneaking it past the AVs. The point is well made: even old malware can get onto a contemporary PC if it has not been profiled.
Full details of the AV scanners used are a matter of conjecture, but most respectable AV programmes have behavioural elements to their makeup, so it’s not clear whether, having sneaked on to a PC, the contest’s modified malware samples could then do much. But we do know that a real zero day and a bit of rootkit thrown in would give a malware writer a clear run. Point made.
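The contrast drawn above, between a signature match that a one-byte edit defeats and a behavioural check that does not care about bytes, is easy to see in code. The following is an added illustration, not code from the column or from any AV vendor: the signature database, the two sample byte strings, the run-time event trace and the thresholds are all constructed for the example, and the behavioural rule (persistence via the Startup folder plus outbound SMTP fan-out) is a simplified heuristic rather than any product’s actual logic.

```python
"""Toy contrast between exact byte-signature scanning and a behavioural
heuristic. Added example; every sample, signature and event is constructed."""
from typing import Optional

# Constructed signature database: exact byte strings a scanner looks for.
# Nothing here corresponds to a real AV signature.
SIGNATURES = {
    "Toy.Worm.A": b"MASS-MAIL-ROUTINE-v1",
}

# Constructed stand-in for a worm body (inert bytes, not executable code).
ORIGINAL_SAMPLE = b"MZ\x90\x00...stub...MASS-MAIL-ROUTINE-v1...body..."
# The same bytes with one character changed inside the signature region,
# the kind of trivial edit the contest rewarded.
VARIANT_SAMPLE = ORIGINAL_SAMPLE.replace(b"v1", b"v2")

# Constructed behaviour trace: what a run-time monitor would record.
# Both samples do the same things, so the trace is identical for each.
RUNTIME_EVENTS = [
    {"op": "file_write",
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows"
             r"\Start Menu\Programs\Startup\svc.exe"},
    {"op": "net_connect", "dst_port": 25, "dst": "mx1.example.net"},
    {"op": "net_connect", "dst_port": 25, "dst": "mx2.example.net"},
    {"op": "net_connect", "dst_port": 25, "dst": "mx3.example.net"},
    {"op": "net_connect", "dst_port": 25, "dst": "mx4.example.net"},
    {"op": "net_connect", "dst_port": 25, "dst": "mx5.example.net"},
    {"op": "net_connect", "dst_port": 25, "dst": "mx6.example.net"},
]


def signature_scan(data: bytes) -> Optional[str]:
    """Exact-match scan: return the matching signature name, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def behaviour_scan(events: list, smtp_threshold: int = 5) -> Optional[str]:
    """Heuristic: a write into the Startup folder (persistence) combined
    with outbound SMTP connections to many distinct hosts is flagged as
    mass-mailer behaviour. The threshold is constructed for the example."""
    persisted = any(
        e["op"] == "file_write" and "\\startup\\" in e["path"].lower()
        for e in events
    )
    smtp_hosts = {e["dst"] for e in events
                  if e["op"] == "net_connect" and e["dst_port"] == 25}
    if persisted and len(smtp_hosts) >= smtp_threshold:
        return "Heuristic.MassMailer"
    return None


def assess(data: bytes, events: list) -> dict:
    """Combine both layers the way a layered product would: either hit
    is enough for a malicious verdict."""
    sig = signature_scan(data)
    beh = behaviour_scan(events)
    return {"signature": sig, "behaviour": beh,
            "verdict": "malicious" if (sig or beh) else "clean"}


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL_SAMPLE),
                          ("variant", VARIANT_SAMPLE)):
        print(label, assess(sample, RUNTIME_EVENTS))
```

Run stand-alone, the original sample trips both layers while the variant trips only the behavioural one; the verdict is the same for both, which is the whole argument for having behavioural elements in the product and for not reading a missed signature as a clean bill of health.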
That anti-malware scanning is fraught with limitations is only part of the problem. End users could also point out the considerable performance hit their PCs take from regular programme updates, security fixes and signature and rule overhauls. And that’s before factoring in the time wasted scanning systems and trying to understand the confusing barrage of messages thrown up by security programs when they encounter something that might be malicious. And for all of this, they get a surprisingly large bill at the end of each month on their plastic.
Whitelisting anyone? Now try using a browser with that model. The world is as ingenious, sometimes nastily, as it is imperfect, and that’s how it will always be.