The anti-virus age is over.

As far as I’m concerned, anti-virus systems are as good as dead. Or, if they aren’t just yet, they’re certainly headed that way.

Signature-based analysis, both static (e.g. SHA1 hash) and heuristic (e.g. pattern matching) is useless against polymorphic malware, which is becoming a big concern when you consider how easy it is to write code generators these days. By the time an identifying pattern is found in a particular morphing engine, the bad guys have already written a new one. When you consider that even most browser scripting languages are Turing complete, it becomes evident that the same malware behaviour is almost infinitely re-writeable, with little effort on the developer’s part. Behavioural analysis might provide a low-success-rate detection method, but it’s a weak indicator of malintent at best.

We’ve also seen a huge surge in attacks that fit the Advanced Persistent Threat (APT) model in the last few years. These threats have a specific target and goal, rather than randomly attacking targets to grab the low-hanging fruit. Attacks under the APT model can involve social engineering, custom malware, custom exploits / payloads and undisclosed 0-day vulnerabilities – exactly the threats that anti-malware solutions have difficulty handling.

The next problem is memory-resident malware. It’s very difficult (i.e. computationally expensive) for AV software to monitor the contents of program memory, let alone provide accurate detection of in-memory exploits on a live system. If malware never touches the disk, most AV software will never catch it. In his  “HTML5 – A Whole New Attack Vector” talk at BSidesLondon, Robert McArdle talked about botnets and other malware, written in HTML5, that reside within a browser tab. Now, assuming the browser doesn’t cache this on disk (you can usually mandate this with HTTP headers) you’ve got a memory-resident malware threat that doesn’t need browser exploits, is easy to obfuscate, and has full networking capabilities. On the other side of things, arbitrary code execution exploits within browsers might be leveraged to load executable modules into process memory. It would be relatively simple to write malware that remains resident in the browser process, or infects other long-running processes on the system. It’s also usually possible to prevent swapping on memory pages, so you can guarantee that the malware never touches the disk. It’s a nightmare for AV software, and a nightmare for forensic analysts.

Whilst the technical aspects of these attacks are a daunting opponent to anti-virus systems, the economic aspect is the nail in the coffin. According to PayScale, an average software developer in India gets about 320,000 INR per year, which equates to roughly 5700 USD. Compare that to the price of a malware analyst or systems security analyst, which is 60,000 USD before insurance, pension and other benefit costs are tacked on. That means that for every analyst that an AV company hires, the bad guys can hire 10 developers. That’s easily enough to work on 3 or 4 malware projects in parallel. There’s no competition here – the bad guys have more people working for them, for less money, and they don’t need to adhere to employment standards or ethical working practices. They can produce and update malware significantly more quickly (and cost-effectively) than the AV guys can analyse and defend against it.

Now don’t get me wrong, AV still has its place in the security world – without it, sysadmins would have to deal with a deluge of common malware used by script kiddies. However, it’s no longer much more than a filter for the most basic attacks.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s