- Apr 25, 2013
If you rely only on traditional, signature-based antivirus, you are going to get infected—and probably a lot! Antivirus was, and still is, a valuable addition to your layered security strategy, but only if you understand its limitations, which have become more and more prominent over time.
What’s wrong with signature-based AV?
You probably know signature-based antimalware solutions work by recognizing patterns in known files. If a human or automated system identifies a particular file as malicious, it’s relatively easy to find some pattern that uniquely identifies that specific file, whether it be a file checksum (hash), a binary pattern, or even a more complex algorithm that looks for multiple “signs” or patterns. However, this detection methodology suffers from two issues (which even its inventors realized years ago).
1. Signatures only help after you know something’s malware – Signatures are reactive. They’re great at the prevention part, but worthless for initial detection; you can’t write them until after you’ve discovered something bad. This means unless the signature writer (AV company) identifies malware before anyone else, some initial victims will get infected.
2. Bad guys can obfuscate executables almost endlessly – Some might think a particular executable program always looks the same on a binary level (barring its creator changing something and recompiling). However, the truth is you can repack and obfuscate the same executable using many different techniques. In the underground world, black hats refer to this as packing and crypting. Without going into technical specifics, they essentially jumble up an executable on a binary level, so it looks different and even has a different checksum, but still runs. The malware does the exact same thing, but its old signature no longer catches it.
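To make the two limitations above concrete from the scanner's side, here is a small added illustration (constructed for this page, not code from the original article or from any AV vendor). The "executable" is a fabricated byte string, the signatures are a whole-file hash and a byte pattern chosen from that file, and the XOR step is a stand-in for what the article calls packing: it changes the bytes stored on disk without changing what runs. The example shows that a trivial change such as appending data already breaks the hash signature, that a packed copy defeats both static signatures on disk, and that both signatures match again once the scanner looks at the recovered content instead of the stored bytes.

```python
"""Why hash and byte-pattern signatures are brittle on disk, and why scanning
recovered (unpacked) content restores detection. Constructed example; the
'known-bad file' is a fake byte string, not a real program."""
import hashlib

# Constructed stand-in for a file an analyst has already identified as bad:
# a fake 'MZ' header followed by a distinctive marker string.
KNOWN_BAD = b"MZ\x90\x00" + b"\x00" * 12 + b"sample-marker-string" + b"\x00" * 8

# Signature 1: whole-file hash (the 'checksum' signature the article mentions).
HASH_SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}

# Signature 2: a byte pattern taken from the analysed file.
PATTERN_SIGNATURES = [b"sample-marker-string"]


def hash_signature_matches(data: bytes) -> bool:
    """True when the SHA-256 of the bytes is in the hash signature set."""
    return hashlib.sha256(data).hexdigest() in HASH_SIGNATURES


def pattern_signature_matches(data: bytes) -> bool:
    """True when any known byte pattern occurs anywhere in the bytes."""
    return any(p in data for p in PATTERN_SIGNATURES)


def xor_transform(data: bytes, key: int) -> bytes:
    """Toy stand-in for a packer: every byte is XORed with a constant, so the
    bytes on disk (and therefore the hash) change while the content remains
    recoverable. Applying it twice restores the original, which is what a
    scanner sees after unpacking or emulation."""
    return bytes(b ^ key for b in data)


def scan(data: bytes, unpack=None) -> dict:
    """Run both signatures against the bytes as stored and, when an unpack
    function is supplied, against the content it recovers from them."""
    result = {
        "hash_on_disk": hash_signature_matches(data),
        "pattern_on_disk": pattern_signature_matches(data),
    }
    if unpack is not None:
        recovered = unpack(data)
        result["hash_after_unpack"] = hash_signature_matches(recovered)
        result["pattern_after_unpack"] = pattern_signature_matches(recovered)
    return result


# Case A: the same file with four bytes appended. The hash signature fails
# although the content is unchanged; the pattern signature still holds.
APPENDED = KNOWN_BAD + b"\x00\x00\x00\x00"

# Case B: the same file stored in 'packed' form. Neither static signature
# matches the bytes on disk; both match again once the content is recovered.
PACK_KEY = 0x5A  # constructed constant for the toy transform
PACKED = xor_transform(KNOWN_BAD, PACK_KEY)


def unpack(data: bytes) -> bytes:
    """What an unpacker or memory scan would hand back for Case B."""
    return xor_transform(data, PACK_KEY)


if __name__ == "__main__":
    print("original:", scan(KNOWN_BAD))
    print("appended:", scan(APPENDED))
    print("packed:  ", scan(PACKED, unpack=unpack))
```

The defender's takeaway is the last case: a signature written against the file as it was analysed only helps when the scanner can compare it with the content that actually executes, which is why emulation, unpacking and memory scanning exist alongside plain file signatures.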
These problems are not new. Researchers and antivirus experts have known about them for decades. However, these weaknesses have become much more prevalent over time. Here’s why.
What’s AV's dirty little secret?
First, threat actors, and their motives and methods, have changed over time. When AV was born, you could basically categorize black hats into two profiles—script kiddies and unorganized cyber criminals. For the most part, these types of attackers didn’t customize malware or target attacks. They were indiscriminate in their victims, spamming as many folks as they could or designing malware that would mass scan the Internet and infect any victim opportunistically. This was good news for legacy AV since the malware associated with these attacks quickly hit the threshold necessary for AV companies to notice it and write a signature.
However, now that organized criminals have entered the fray and customize malware for specific targets (such as Point-of-Sale malware), today’s threats do not spread wildly and touch as many victims as quickly. This means it takes much longer for new malware to hit the threshold where AV companies might notice and analyze it. In short, signature-based AV has always had a vulnerability window—a period of time before protection gets implemented—but that window is getting wider and wider as attackers get smarter about limiting the spread of their malware.
Second, and more importantly, today’s malware has become much more evasive. Packing and crypting, and other AV evasion techniques, have existed for quite a while. In fact, I think security researchers discovered many of the techniques before the bad guys did. However, these techniques are technically hard. You have to understand a lot about programming, executable formats, and assembly in order to obfuscate an executable program without actually “breaking” it. Years ago, this relegated these tricks to the most sophisticated attackers.
Full Article