RSA '07: New threats could hamper traditional antivirus tools

An emerging breed of sophisticated malware is raising doubts about the ability of traditional signature-based security software to fend off new viruses and worms, according to experts at this week's RSA Security Conference in San Francisco.
Signature-based technologies are now "crumbling under the pressure of the number of attacks from cybercriminals," said Art Coviello, president of RSA, the security division of EMC. This year alone, about 200,000 virus variants are expected to be released, he said. At the same time, antivirus companies are, on average, at least two months behind in tracking malware. And "static" intrusion-detection systems can intercept only about 70 percent of new threats.
Read the latest WhitePaper - Frost & Sullivan Report - Competitive Advantage Today, Competitive Requirement Tomorrow

RSA '07 HQ: Click here for complete coverage

"Today, static security products are just security table stakes," Coviello said. "Tomorrow, they'll be a complete waste of money. Static solutions are not enough for dynamic threats."

What's needed instead are multilayered defenses -- and a more information-centric security model, Coviello said. "[Antivirus products] may soon be a waste of money, not because viruses and worms will go away," but because behavior-blocking and "collective intelligence" technologies will be the best way to effectively combat viruses, he said.

Unlike the low-variant, high-volume threats of the past, next-generation malware is designed explicitly to beat signature-based defenses by coming in low-volume, high-variant waves, said Amir Lev, president of Commtouch Software, an Israeli vendor whose virus-detection engines are widely used in several third-party products.

Until last year, most significant e-mail threats aimed for wide distribution of the same malicious code, Lev said. The goal in writing such code was to infect as many systems as possible before antivirus vendors could propagate a signature. Once a signature became available, such viruses were relatively easy to block.

New server-side polymorphic viruses threats like the recent Storm worm, however, contain a staggering number of distinct, low-volume and short-lived variants and are impossible to stop with a single signature, Lev said. Typically, such viruses are distributed in successive waves of attacks in which each variant tries to infect as many systems as possible and stops spreading before antivirus vendors have a chance to write a signature for it.
Storm had more than 40,000 distinct variants and was distributed in short, rapid-fire bursts of activity in an effort to overwhelm signature- and behavior-based antivirus engines, Lev said.
One example of such malware is WinTools, which has been around since 2004 and installs a toolbar, along with three separate components, on infected systems. Attempts to remove any part of the malware cause the other parts to simply replace the deleted files and restart them. The fragmented nature of such code makes it harder to write removal scripts and to know whether all malicious code has actually been cleaned off a computer.