AV Vendors embarrassed yet again
By: Robin Bloor
Published: 12th April 2007
Copyright © 2007

Polymorphic viruses are not new. The first polymorphic virus was written in 1990 by Mark Washburn. You'd think that AV vendors with 16 years to prepare would have been able to do something effective to counter them, and you'd think wrong. A polymorphic computer virus is one that changes itself when it reproduces. If you are an expert in the evolution of viruses you'll also know that there are metamorphic viruses, which rewrite themselves completely (rather than just making a small change) when they reproduce, but we're not concerned with them here. No need to go metamorphic when polymorphic is so effective.

As you will know if you read these blog postings regularly, AV technology is a crock. It doesn't protect its users against new viruses—the so-called "zero day threats". I'm not sure who invented the term "Zero Day Threat", but I'm moved to smile every time I see it written. "Zero day" means "you're screwed". Now if you happen to be a polymorphic virus then every day is a new "zero day"—at least it is if the AV software you are up against only uses signatures.

But, truth to tell, some AV products use "statistical pattern analysis" of the virus body to try to recognize a polymorph. Does it work? Well, it won't work against a metamorph anyway, and it will only work against a polymorph if the polymorph doesn't make too many radical changes. That's why the AV vendors went into blind panic early this year when the Storm Worm (named after Halle Berry's X-Men character, I was hoping, but not so) emerged.

When the Storm Worm (by the way, it was misnamed, because it wasn't a worm) was originally spotted on January 18th this year, it had 350 variants. Four days later, the number of slightly different versions jumped to more than 7,300. By the end of January there were more than 54,000 varieties. Worse than that, most of the variants didn't last more than 3 hours, so if you (as an AV vendor) produced a signature, it was irrelevant to further infections before it was ever deployed. Are you getting the picture?

Last year somewhere between 80,000 and 100,000 new viruses appeared, and here's one little polymorph that creates 54,000 new viruses in the space of thirteen days. If your AV product is signatures-only then all I've got to say to you is "zero day". And in fact some of its variants seem to have got past all the AV products.

The Storm Worm was actually a Trojan specifically designed for harnessing hundreds of computers into a zombie network (or botnet). By February, reports were circulating that it had (probably) created a zombie network of between 20,000 and 100,000 PCs, which was merrily disgorging spam across the globe. If it never got your PC, it's quite possible that you at least got some spam courtesy of Storm, and if it did get your PC you may even have sent spam to yourself.

Now if you had a whitelisting product installed from SecureWave, Savant Protection, AppSense, Bit9 or CA, the Storm Worm will have been less than a storm in a teacup. These products stop malware stone dead. (And I'll not stop saying this until the world comes to its senses and starts replacing useless AV products with products that actually do protect you.)
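To make the argument above concrete, here is an added toy model (not code from the original post or from any AV product): a constructed, harmless stand-in for a virus body is re-encoded under a different key in every copy, the way a polymorph varies its bytes, and three defences are run over all the copies: a signature-only scanner, a scanner that has analysed the decoder stub and undoes the encoding before matching, and a hash allowlist that knows nothing about the malware at all. The `DECODE[...]` stub format, the function names and the single allowlist entry are assumptions of the example.

```python
import hashlib
import re

# Constructed, harmless stand-in for the invariant body of a virus: the part
# whose behaviour is the same in every copy. Not real malware.
BODY = b"PAYLOAD: replicate; send spam; contact controller"
SIGNATURE = b"send spam"   # classic byte-string signature taken from the body

def make_variant(key: int) -> bytes:
    """Toy model of a polymorphic copy (assumed format): a fixed decoder stub
    'DECODE[<key>]' followed by the body XOR-encoded under a per-copy key, so
    the stored body bytes differ in every copy while the behaviour does not."""
    stub = b"DECODE[" + bytes([key]) + b"]"
    return stub + bytes(b ^ key for b in BODY)

def signature_scan(sample: bytes) -> bool:
    """Signature-only scanner: looks for the fixed byte string as stored."""
    return SIGNATURE in sample

def emulating_scan(sample: bytes) -> bool:
    """Scanner that has analysed the mutation engine: it reads the key out of
    the stub, undoes the encoding, and only then applies the signature."""
    m = re.match(rb"DECODE\[(.)\]", sample, re.DOTALL)
    if not m:
        return False
    key = m.group(1)[0]
    decoded = bytes(b ^ key for b in sample[m.end():])
    return SIGNATURE in decoded

# Assumed allowlist of one known-good program, identified by its SHA-256.
ALLOWLIST = {hashlib.sha256(b"trusted-program-v1").hexdigest()}

def whitelist_allows(sample: bytes) -> bool:
    """Whitelisting: anything not on the known-good list is refused, so no
    knowledge of the malware is needed (this governs what may execute; it
    does not inspect data files opened by allowed programs)."""
    return hashlib.sha256(sample).hexdigest() in ALLOWLIST

def compare() -> dict:
    """Generate one copy per non-zero key and count what each defence does."""
    variants = [make_variant(k) for k in range(1, 256)]
    return {
        "distinct_copies": len(set(variants)),
        "signature_caught": sum(signature_scan(v) for v in variants),
        "emulation_caught": sum(emulating_scan(v) for v in variants),
        "whitelist_blocked": sum(not whitelist_allows(v) for v in variants),
    }

if __name__ == "__main__":
    print(compare())
```

The signature catches none of the 255 distinct copies, the stub-aware scanner catches all of them, and the allowlist blocks all of them while still admitting the one trusted program.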

Reader Comments


12th April 2007: 'Simon W.' said:

You are happy to call AV technology a crock but you qualify your statements by using statistics from the AV community!
Cake and eating it springs to mind.
Don't get me wrong, AV is not the be all and end all. But if you're going to dismiss it don't do it by using its own statistics because... well I've already made the point.
To quote a commentator "what a crock".


12th April 2007: 'Robin Bloor' said:

Is there some point to this comment, Simon W.? One cannot use stats from the AV community because, er, why? Are the stats unreliable? Are you suggesting that they are being economical with the truth? Are you suggesting that you should only quote the stats if you think AV technology is wonderful?


18th April 2007: 'Simon.W' said:

Mr Bloor. You dismiss the AV industry by saying "AV technology is a crock.". Then you validate this claim by un-dismissing AV technology just so you can use the stats from the industry, which is so "a crock" according to your previous statement, to further support your subsequent statements.
Where do you stand? Which side of the fence?
"AV technology is a crock." side, or AV technology works and is a reliable enough tool so that you can quote its stats.
Stats from tools are only valid if the tool is valid, but you made the statement that the tool is not valid; QED the stats cannot be valid, except when you need them to support a proposition that the tool is a crock.
I'm staggered I've had to point this logical flaw in your argument out in such simple terms.
I hope my response to your article is that much clearer for you now.


19th April 2007: 'Robin Bloor' said:

Dear Simon W

The stats on the polymorphic growth are an estimate based on observation of its behaviour. Because an AV vendor can observe virus behaviour after the fact does not mean that their technology can stop viruses. I have little doubt that AV vendors can accurately observe virus behaviour. Your line of reasoning implies that if someone cannot do one thing well they cannot do anything well. It's absurd.


27th June 2007: 'Dr. Vesselin Bontchev' said:

Mr. Bloor, you're an incompetent crackpot who has no clue how anti-virus programs work.

1) Anti-virus programs stopped relying exclusively on "statistical pattern analysis" (a.k.a. "scan strings") a couple of decades ago. How else do you think they detect polymorphic and metamorphic viruses?

2) Storm is not polymorphic. A polymorphic program is a program that modifies *itself*. Such a program can be analyzed, it can be determined how exactly the modification is performed, and detection of all possible variants can be implemented. But Storm doesn't do that. Instead, Storm is modified by a program residing on a server. This program is not available to us. It keeps creating new variants (*not* different morphisms of the same thing). The anti-virus people don't have it. They cannot analyze it and they cannot determine how exactly it generates the modifications - ergo, they cannot implement detection of all possible variants that it can create.

3) Whitelisting can never replace known-malware scanning (although it can be a valuable addition to it, if implemented and used correctly). The guys from Bit9 admit that the known good software is many orders of magnitude more numerous than the known malware. New good software is created many orders of magnitude faster than new malware, too. The idea that someone can stop malware by scanning for known good software instead of for known malware is plain ridiculous. In addition, malware can exist in data objects (such as GIF, JPG or WMF images, ANI cursors, Office documents and so on) that you can never hope to block by policy.

You really should start writing about subjects you know at least a little bit about. Anti-virus is clearly not "it".


Published by: IT Analysis Communications Ltd.