THE BIRTH OF THE ANTIVIRUS INDUSTRY
A long, long time ago, in the mid-90s world of the “Hackers” movie, malware protection wasn’t standard practice, and virus code had little to nothing to do with bypassing security mitigations. Then the antivirus industry emerged. The industry had an easy job of identifying unique patterns in malware, and thanks to the small size of the internet, any subscriber to an anti-malware solution was more likely to receive the signatures before encountering the actual malware.
KEEPING UP WITH THE THREATS
However, all of this changed when the black hats attacked. Suddenly, there were way more viruses out in the wild, and the white hats couldn’t keep up. The internet had also grown exponentially, and people encountered new malware pieces before security products had a chance to release signatures. This led to the birth of heuristics-based anti-malware packages. These didn’t require unique code patterns; instead, they flagged potentially malicious software by the file structure itself and the data present in the different sections of an executable file.
This wasn’t enough to deter the bad guys, since even heuristics-based malware detection was outclassed by the presence of strong encryption, resulting in malware files containing heavily randomized data. Black hats have full access to the same anti-malware software in popular use, and they can reliably write encryption software rendering the current generation of viruses completely undetectable by antivirus software. These crypters are so large in number that it is virtually impossible for an antivirus suite to keep up with them in terms of releasing signatures every time a virus pops up featuring a new encryption.
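The flip side of the “heavily randomized data” point above is that randomness is itself measurable: a heuristic scanner can compute the Shannon entropy of each executable section and flag the ones that look encrypted or packed. The following is an added illustration, not code from the original article; the section names, the 7.0 bits-per-byte cut-off and the sample byte blobs are all constructed for the example.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Assumed cut-off: near-uniform bytes (close to 8.0 bits/byte) are what
# encrypted or packed payloads look like. Legitimate compressed resources
# also score high, so this is a triage signal, not a verdict.
HIGH_ENTROPY_THRESHOLD = 7.0


def flag_suspicious_sections(sections: dict, threshold: float = HIGH_ENTROPY_THRESHOLD) -> dict:
    """Return {section_name: entropy} for every section at or above the threshold."""
    scored = {name: round(shannon_entropy(blob), 3) for name, blob in sections.items()}
    return {name: h for name, h in scored.items() if h >= threshold}


# Constructed sample "sections" (not taken from any real file).
_rng = random.Random(1)
SAMPLE_SECTIONS = {
    ".text": b"\x55\x8b\xec\x83\xec\x10" * 200 + b"\x90" * 64,  # repetitive prologue-like bytes
    ".data": b"Hello, world! " * 100,                         # plain ASCII strings
    ".rsrc": bytes(_rng.getrandbits(8) for _ in range(4096)),  # uniform random, crypter-like payload
}

if __name__ == "__main__":
    for name, blob in SAMPLE_SECTIONS.items():
        print(f"{name:6} {shannon_entropy(blob):.3f} bits/byte")
    print("flagged:", flag_suspicious_sections(SAMPLE_SECTIONS))
```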
The next generation of malware protection software relies on data mining and machine learning to create an intelligent detection engine. These engines are, however, still in their infancy, and their detection performance in real-world or targeted tests remains to be proven.
THE CURRENT STATE OF ANTIVIRUS
Antivirus software is not enough in itself to protect the casual user, and certainly not even close to enough to protect corporate entities. The biggest weakness in security is lack of awareness. When it comes to secure environments, people should trust nothing and employ a healthy dose of paranoia—assume any executable is bad, all web pages host exploits, and all links are an attempted phish.
Endpoint security has evolved to prevent the execution of any code not explicitly run by the user, but this doesn’t mean that antivirus is useless. It’s still an amazingly useful tool for detecting and stopping known malware. It is, however, wholly unable to keep up with the latest and greatest malware. This is why proper endpoint protection almost always includes behavior-based detection; it can detect the results of malware execution, such as rootkits on the system, suspicious background services, suspicious registry values, or even connections to known malicious hosts in the case of malware that relies on a CnC server.
The best security practice would be to use reputable antivirus software (pick one from the AV-Comparatives test reports), block all JavaScript and browser plugins, and use a password manager with strong password database encryption.
This article was originally published in the 2015 Winter Issue of Zero Day Magazine.