Anti-virus software

Entire classes of software, with literally hundreds (ok, maybe not hundreds, but a lot) of companies producing products, have sprung up over the last few years, and the market is now beginning to consolidate into several large companies providing complete product lines to cover everything you could want, plus dozens of medium to small sized companies with sometimes just one main product. Of these, the anti-virus software vendors were one of the original groups to start writing add-on software to enhance the security (which was non-existent on Microsoft platforms at the time) available for ensuring that the software you used was not malicious. This has led to an “arms race” (apologies for using this, but it is a decent analogy) between virus writers and anti-virus vendors. Most anti-virus packages started out as simple programs that checked files against a known list of “bad” ones (i.e. via checksum and so forth), which led to polymorphic viruses (that is, the virus would modify itself a little bit each time it spread, thus defeating this detection technique). The anti-virus vendors then started scanning the actual binary code for the various pieces of code present in viruses, and added heuristic packages that supposedly figure out what the software will do and, based on that, block it if it is considered malicious (if this worked properly, though, we wouldn’t be needing any more virus signature updates now, would we?). Additionally, things have gotten more complicated with the integration of anti-virus software into services such as email, www and ftp. A small list of “new” problems with anti-virus software that have come out in the last few months:

  • compression of the virus with a little used compression algorithm successfully fooled most anti-virus packages (this was fixed in most of them)
  • compression of the virus with some XOR’ing of the data, successfully fooled most anti-virus packages
  • storing the virus in directories not scanned by the anti-virus software, such as the “Recycle Bin” in Windows (the user can usually configure the software to scan that directory)
  • exploitation of various buffer overflows in software packages like Outlook so that the virus is run without the user actually being asked if they want to save or run the attachment (fixed)
  • usage of system calls and software in Windows, such as having Outlook email everyone in your address book a copy of the virus
  • addition of some characters to the attached file successfully fooled email anti-virus packages
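To make the detection techniques above concrete, here is an added example (not code from the original post) that compares the three generations of checks the text describes, whole-file checksum, raw byte-signature scan, and a scan that first peels off known wrapper layers, against a constructed, harmless stand-in sample and three of the listed variants (trailing characters appended, XOR’d, compressed). The sample bytes, the signature fragment and the XOR key are all constructed for the demonstration.

```python
import hashlib
import zlib

# Constructed stand-in for a known malicious file: a harmless byte string.
# The "signature" is a fragment a scanner would look for inside the file.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"constructed-demo-payload-" + b"\x00" * 16
SIGNATURE = b"constructed-demo-payload"

# Generation 1: checksum of the whole file against a list of known bad hashes.
KNOWN_HASHES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

def hash_match(data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() in KNOWN_HASHES

# Generation 2: scan the raw bytes for the signature fragment.
def signature_match(data: bytes) -> bool:
    return SIGNATURE in data

# Generation 3: normalise first. Try the raw bytes, a zlib-decompressed view,
# and every single-byte XOR key, then scan each view for the signature.
def _candidate_views(data: bytes):
    yield data
    try:
        yield zlib.decompress(data)
    except zlib.error:
        pass
    for key in range(1, 256):
        yield bytes(b ^ key for b in data)

def normalised_match(data: bytes) -> bool:
    return any(SIGNATURE in view for view in _candidate_views(data))

# Constructed variants mirroring the evasions in the list above.
APPENDED = KNOWN_SAMPLE + b"\n"                 # extra trailing characters
XORED = bytes(b ^ 0x5A for b in KNOWN_SAMPLE)   # XOR'd copy (constructed key)
PACKED = zlib.compress(KNOWN_SAMPLE)            # compressed copy

def compare() -> dict:
    """Map each variant to (hash_match, signature_match, normalised_match)."""
    variants = {"original": KNOWN_SAMPLE, "appended": APPENDED,
                "xored": XORED, "packed": PACKED}
    return {name: (hash_match(v), signature_match(v), normalised_match(v))
            for name, v in variants.items()}

if __name__ == "__main__":
    for name, flags in compare().items():
        print(f"{name:9s} hash={flags[0]!s:5s} sig={flags[1]!s:5s} norm={flags[2]}")
```

The appended variant already defeats the checksum check while the byte signature still fires; the XOR’d and packed variants slip past both until the scanner strips the wrapper, which is why a scanner that does not unpack the containers it encounters is blind to exactly the cases listed.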

That’s all I could find from the last month or two of Bugtraq. Obviously the anti-virus vendors have a ways to go before their products can even be called remotely reliable. The last dozen or so viruses that spread via email have all left the anti-virus vendor community flat-footed; the Melissa virus (which was relatively harmless) resulted in several large sites (Microsoft, Intel, etc.) shutting down their mail servers (and in some cases it overwhelmed mail servers, causing them to be effectively shut down).

It is obvious that anti-virus vendors will always be playing catch-up with the virus writers, which wouldn’t be such a problem if anti-virus software updates were released quickly and people installed them. This is, however, impossible. The life cycle of a virus looks something like:

  1. virus is written, tested, possibly deployed on a test network (computers are cheap now) and otherwise honed
  2. virus is released, possibly on a selected target (university campus, corporate network, etc.)
  3. virus (if “successful” in a biological sense) spreads like wildfire, possibly causing severe damage (such as wiping motherboard BIOS chips)
  4. someone notices the strange activity, takes whatever data is left over, and sends it to an anti-virus vendor – this is the first point at which people start taking corrective steps, the virus has already had time to spread
  5. the virus is analyzed, decompiled, and otherwise ripped apart, a signature is created
  6. typically the anti-virus vendor will share data with other competitors, they may or may not do this promptly
  7. the anti-virus vendors issue bulletins, make the update (if one exists yet) available
  8. some customers with support contracts and so on will be notified, some will have automated distribution systems for the update, resulting in a rapid deployment of the fix, most will not
  9. network and system administrators, home users, and so on possibly read the advisory or hear about the virus on CNN, they get the update (which can be near impossible during peak times) and install it

During steps 2, 3, 4, 5 and up until step 6, the virus spreads unchecked. Once an update is created and distributed, the virus will only spread to systems without protection (a good-sized percentage). The amount of effort it takes to install software on millions of computers is horrendous, even when heavily automated, compared to the amount of effort a virus author spends, so the ROI (return on investment) for the author can be significant.
