The anti-virus age is over.

As far as I’m concerned, anti-virus systems are as good as dead. Or, if they aren’t just yet, they’re certainly headed that way.

Signature-based analysis, both static (e.g. a SHA1 hash) and heuristic (e.g. pattern matching), is useless against polymorphic malware, which is becoming a big concern when you consider how easy it is to write code generators these days. By the time an identifying pattern is found in a particular morphing engine, the bad guys have already written a new one. When you consider that even most browser scripting languages are Turing complete, it becomes evident that the same malware behaviour is almost infinitely re-writeable, with little effort on the developer’s part. Behavioural analysis might provide a low-success-rate detection method, but it’s a weak indicator of malicious intent at best.

We’ve also seen a huge surge in attacks that fit the Advanced Persistent Threat (APT) model in the last few years. These threats have a specific target and goal, rather than randomly attacking targets to grab the low-hanging fruit. Attacks under the APT model can involve social engineering, custom malware, custom exploits and payloads, and undisclosed 0-day vulnerabilities – exactly the threats that anti-malware solutions have difficulty handling.

The next problem is memory-resident malware. It’s very difficult (i.e. computationally expensive) for AV software to monitor the contents of program memory, let alone provide accurate detection of in-memory exploits on a live system. If malware never touches the disk, most AV software will never catch it. In his “HTML5 – A Whole New Attack Vector” talk at BSidesLondon, Robert McArdle talked about botnets and other malware, written in HTML5, that reside within a browser tab. Now, assuming the browser doesn’t cache this on disk (you can usually mandate this with HTTP headers), you’ve got a memory-resident malware threat that doesn’t need browser exploits, is easy to obfuscate, and has full networking capabilities. On the other side of things, arbitrary code execution exploits within browsers might be leveraged to load executable modules into process memory. It would be relatively simple to write malware that remains resident in the browser process, or infects other long-running processes on the system. It’s also usually possible to prevent swapping on memory pages, so you can guarantee that the malware never touches the disk. It’s a nightmare for AV software, and a nightmare for forensic analysts.

Whilst the technical aspects of these attacks are a daunting opponent to anti-virus systems, the economic aspect is the nail in the coffin. According to PayScale, an average software developer in India gets about 320,000 INR per year, which equates to roughly 5700 USD. Compare that to the salary of a malware analyst or systems security analyst, which is 60,000 USD before insurance, pension and other benefit costs are tacked on. That means that for every analyst that an AV company hires, the bad guys can hire 10 developers. That’s easily enough to work on 3 or 4 malware projects in parallel. There’s no competition here – the bad guys have more people working for them, for less money, and they don’t need to adhere to employment standards or ethical working practices. They can produce and update malware significantly more quickly (and cost-effectively) than the AV guys can analyse and defend against it.

Now don’t get me wrong, AV still has its place in the security world – without it, sysadmins would have to deal with a deluge of common malware used by script kiddies. However, it’s no longer much more than a filter for the most basic attacks.


15 thoughts on “The anti-virus age is over.”

  1. I don’t know. I found the whole hyperbolic tone of the article to be funny. Bad guys are sending 10 Indians to fight every AV good guy. I think the winning solution would be to fire the AV developers and, for each developer they get rid of, hire ten Indians.

    1. The 320000 INR programmers cannot even understand malware exploiting a 0-day vulnerability. They are at most good for writing .NET programs or PHP pages (with their own vulnerabilities).

  2. I reached the same conclusion almost a decade ago while cleaning up root kits and Blaster. AV is mostly after-the-fact. If a system is compromised, there’s little hope of proving that it can be perfectly “disinfected.” Reimaging is another temporary band-aid that doesn’t address the source of compromises. The permanent cure requires defense-in-depth guarding the abilities of write and execute. The joke is that commercial AV vendors’ business model depends on malware’s existence. This would make a nice subject for investigative journalism. Also:

  3. “The anti-virus age is over” ends up with “AV still has its place in the security world”. So…nothing has actually changed. BTW: Application whitelisting FTW. You don’t have to block if your users are that sensitive, but you can always report on any application signature running that you haven’t seen before so the machine can get immediate attention. Remember: Prevent, Detect, Respond, in that order. If you can’t prevent (often the case with application whitelisting) then do the other two. And log log log everything.
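The report-only allowlisting this comment describes, run over constructed process-start log lines, as an added example that is not part of the original post or its comments: a hash signature (the AV model from the post) only catches the build it already knows, while an allowlist flags both builds as something never seen before. The log format, the sample byte strings and their hashes are all constructed for this example.

```python
import re
from hashlib import sha1

# Constructed stand-ins for executables (not real binaries); the hashes in the
# log lines below are derived from them so the example is self-consistent.
NOTEPAD = b"constructed bytes standing in for notepad.exe"
WINWORD = b"constructed bytes standing in for winword.exe"
DROPPER_V1 = b"constructed bytes standing in for a dropper, build 1"
DROPPER_V2 = b"constructed bytes standing in for a dropper, build 2"  # same behaviour, regenerated


def digest(blob: bytes) -> str:
    """SHA1 of an executable's bytes, the 'static signature' from the post."""
    return sha1(blob).hexdigest()


# Signature model: the AV vendor has analysed exactly one build of the dropper.
SIGNATURES = {digest(DROPPER_V1)}
# Allowlist model: every executable the organisation has approved so far.
APPROVED = {digest(NOTEPAD), digest(WINWORD)}

# Constructed process-start log lines, one per execution (hypothetical format).
LOG_LINES = [
    "ts=2013-05-01T09:00:01Z host=ws01 user=alice image=C:\\Windows\\notepad.exe sha1=" + digest(NOTEPAD),
    "ts=2013-05-01T09:04:17Z host=ws01 user=alice image=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe sha1=" + digest(DROPPER_V1),
    "ts=2013-05-01T09:05:02Z host=ws02 user=bob image=C:\\Program Files\\Office\\winword.exe sha1=" + digest(WINWORD),
    "ts=2013-05-01T09:09:40Z host=ws02 user=bob image=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe sha1=" + digest(DROPPER_V2),
]

# Non-greedy image match so paths containing spaces still parse.
LINE_RE = re.compile(r"host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+?) sha1=(?P<sha1>[0-9a-f]{40})$")


def parse(line: str) -> dict:
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("unparseable log line: " + line)
    return m.groupdict()


def signature_hits(lines) -> list:
    """Blocklist view: only executions whose hash matches a known signature."""
    return [e["image"] for e in map(parse, lines) if e["sha1"] in SIGNATURES]


def unseen_executions(lines, approved=APPROVED) -> list:
    """Report-only allowlist view: every execution whose hash was never approved."""
    return [(e["host"], e["image"]) for e in map(parse, lines) if e["sha1"] not in approved]
```

Running both views over the same four lines shows the gap: the signature catches build 1 only, whereas the allowlist reports both update.exe executions (and nothing else) for attention.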

  4. So I guess the question really gets back to how to compete against arbitrage, and of course defunding paid virus writers? I think maybe this is not endemic to the virus writing market – where I would imagine the arbitrage point is not some low-pay Indian worker, but rather some free/very low cost killer software (as you mentioned polymorphic Turing complete virus-writing kits).

    Secondly, while writing basic front-end software and website work is clearly possible, because there are generous overseas pockets, how lucrative is the virus-writing business actually? Is it enough to employ 10 or 15 people for a relatively long term – at any payscale?
