[AI] The battle against Internet viruses

V. Balakrishnan vataran77 at verizon.net
Sat Mar 22 12:09:34 EDT 2008

Dear list members,

This article shows the extent of the problem that we all, as computer users, face.
Can you imagine, over 5 million malicious software programs were unleashed last year!
This emphasises the importance of not relying only on the anti-virus
programme and of exercising caution regarding attachments, clicking on
unknown links, downloading from dubious web sites, etc.
Wishing you all safe surfing.

V. Balakrishnan

     Anti-Virus Firms Scrambling to Keep Up
     Sophistication of Viruses and Other Threats Poses Big Challenges for
     Companies, Consumers

     By Brian Krebs
     washingtonpost.com Staff Writer

     The sheer volume and complexity of computer viruses being released on
     the Internet today has the anti-virus industry on the defensive,
     experts say, underscoring the need for consumers to avoid relying on
     anti-virus software alone to keep their home computers safe and

     Approximately 5.5 million malicious software programs were unleashed
     on the Web last year, according to AV Test Labs, a German company
     that measures how quickly and accurately anti-virus products detect
     the latest malicious software, also known as "malware." That volume,
     AV said, forced anti-virus firms to analyze between 15,000 and 20,000
     new specimens each day -- more than four times the daily average they
     found in 2006, and at least 15 times as many the company recorded in
     2005. In the first two months of 2008 alone, AV Test found more than
     one million samples of malware spreading online.

     "Back in 1990 we were seeing a handful of new viruses each week," said
     David Perry, global director of education for Trend Micro, an
     anti-virus company headquartered in Japan. "Now, we're having to
     analyze between 2,000 and 3,000 new viruses per hour."

     This glut of malware is the result of a long-running digital arms race
     between security companies and criminals intent on stealing personal
     financial data from vulnerable computers and using networks of
     commandeered PCs for all manner of lucrative criminal enterprises --
     from sending spam to hosting scam Web sites.

     The rapid increase of viruses and other malware has forced the
     anti-virus industry to overhaul its traditional approach to writing its
     software, with the result that security products on the market today
     are far more powerful and sophisticated. But many observers say that
     despite all its new bells and whistles, the anti-virus industry as a
     whole continues to fall behind in identifying the very latest
     malicious software.

     The challenge, security experts say, is that criminal groups
     responsible for manufacturing most of the malicious software in
     circulation today are reinvesting their illicit profits in research
     and recruiting talented computer programmers. A special emphasis is
     placed on creating malware that coexists peacefully with an infected
     computer system, doing its work quietly in the background.

     "A lot of these [malware] shops are now hiring professionals and doing
     quality assurance work, things that generally make the job of the
     anti-virus researcher that much harder," said Randy Abrams, director
     of technical education at ESET, an anti-virus company based in
     Bratislava, Slovakia.

     Nightmarish Arms Race

     Spurred by enormous profits, organized criminals largely based outside
     of the United States and Western Europe are automating the creation
     and modification of new viruses, making it possible to churn out
     thousands of variations of the same viruses every few hours in a bid
     to stay a step ahead of the anti-virus firms.

     Malware writers increasingly are taking steps to ensure that computers
     infected with their creations stay infected, according to security
     researchers. In years past, no matter how quickly an anti-virus
     product shipped updates to detect the most recent malware, most
     anti-virus software would eventually sound the alarm if a virus
     managed to slip past its initial defenses.

     But more of today's cyber criminals are continuously updating the
     malware they have managed to install on victims' computers, replacing
     older malicious files with new ones in a bid to keep them hidden.

     This strategy has had a profound impact on the daily operations of
     anti-virus companies. The industry has traditionally fought malware by
     maintaining large libraries of digital genes known as "signatures,"
     tiny snippets of computer code pulled from known viruses and worms.
     Under this tried-and-true method, if the anti-virus software spots a
     match between a virus signature in its database and a segment of code in
     the user's downloaded file or e-mail, the security software will alert
     the user that the program is malicious and attempt to block it from
     gaining a foothold on the system.

     But the large volume of malware that anti-virus firms are processing
     each day has made it virtually impossible for those companies to
     create individual signatures for each new specimen. Instead, the
     anti-virus firms have been forced to invest heavily in methods and
     technologies for automating new malware analysis.

     For its part, Sunbelt Software, a security software company based
     in Clearwater, Fla., recently added more than 50 new servers to its
     malware analysis center to lighten the load of a lab already straining
     under the daily deluge of new virus samples.

     "We've had to bring in a great deal more hardware and come up with
     tons of different new detection methods just to deal with the incoming
     malware load in the past year," Sunbelt President Alex Eckelberry

     Much of that automation involves creating more generic signatures
     capable of detecting a broader range of malicious files. That approach
     relies less on recognizing any one telltale code fragment than on
     identifying a suspicious type of behavior or an overall resemblance to a
     well-known family of malicious software.

     This labor- and time-saving method has its shortcomings, however. For
     one thing, employing more generic detection methods can lead to a
     greater number of false alarms, wherein innocent files are mistaken
     for viruses. These kinds of errors can be extremely disruptive for
     customers, and they've become more common as anti-virus makers have
     increased their reliance on generic detection methods, said Andreas
     Marx, managing director for AV Test.

     Marx said that while all anti-virus companies maintain comprehensive
     lists of known "good" files with which to test their daily anti-virus
     updates and avoid false alarms, many times those tests are never

     "It looks like more and more that for time reasons these scans are not
     even performed, but the update is released 'as is,' putting the users
     at a high risk to destroy their running, non-infected systems," Marx

     A handful of these so-called false positives have had a fairly broad
     impact on customers. In December, Russian anti-virus maker
     Kaspersky erroneously flagged Windows Explorer -- the visual
     interface for Windows itself -- as a Trojan horse program. Earlier in
     the year, a faulty update to certain versions of Symantec's Norton
     Antivirus program detected two essential Windows components as
     malicious, crippling millions of Windows PCs.

     Headache for Consumers

     Malicious software is becoming harder to remove because more virus
     writers are including components that bury the malicious files deeper
     within the operating system. For many users, some of today's most
     tenacious intruders cannot easily be removed without re-installing the
     operating system. Re-installing isn't such a huge hassle for businesses,
     which tend to keep user-generated data files in separate digital
     storage bins from the underlying operating system. Indeed, for some
     businesses, a virus infection is grounds to rebuild the infected
     machine with a known safe copy of Windows and any other needed

     But home users often will try almost anything before re-installing
     Windows, mainly because they typically do not have those same data and
     system backup plans in place, said Don Jackson, a senior security
     researcher for Atlanta-based SecureWorks.

     "Comprehensive remediation of infections is badly hurt by generic
     detection, and unfortunately a lot of today's infections are extremely
     difficult for the average user to remove completely," Jackson said.
     "You can see the evidence of that by the number of people desperately
     posting to various security self-help sites."

     An increasing reliance on generic detection also has made it more
     difficult for consumers to find instructions online for removing an
     infection that can't be completely eradicated by anti-virus software.
     Instead of pinpointing a malicious intruder with a specific filename
     (e.g. "MyTob Worm.AB"), generic signatures often will assign plain
     vanilla names to malware files, such as "Generic Trojan Dropper," or
     "Backdoor.generic." Such vague names entered into a search engine
     produce so many results that people with machines victimized by such
     malware often are at a loss as to how to proceed, said David Harley,
     an anti-virus consultant and administrator of the Anti-Virus
     Information Exchange Network (AVIEN), a group made up of corporate IT
     security administrators who share trends and data on the latest
     malware threats.

     "What happens now is some stuff can be removed generically, and that
     does happen, but a lot of the time [the victim's anti-virus product]
     says I think you have a problem here, but I'm afraid you're going to
     have to sort it out yourself," Harley said. "That puts the user who
     just wants this stuff off his machine in a terribly awkward position."

     Experts say PC users shouldn't depend on anti-virus software to save
     them from risky online behaviors, such as clicking on Web links
     included in unsolicited e-mail and instant messages. Rather, they say,
     anti-virus should be part of a layered security approach that includes
     using a firewall to keep out unwanted Internet traffic and applying
     software updates for both Microsoft Windows and third-party software
     -- particularly popular programs used to display documents or play
     audio and video files.

     "The problem is that we have this ongoing, unrealistic expectation
     that somehow we are going to detect 100 percent of the malware out
     there, when in fact what we have today is slightly less detection than
     we did, say, in the mid-1990s, when we were actually catching 70 to 80
     percent of the new threats," said AVIEN's Harley.

     For security researchers on the bleeding edge of defending information
     networks, even those less-than-stellar numbers may seem a bit
     inflated. Jerry Dixon, director of analysis for Team Cymru, a
     security research firm in Burr Ridge, Ill., said his team recently
     submitted more than 1,000 samples of brand new malware for scanning by
     32 different commercial anti-virus products from around the globe. The
     result: Only 37 percent of the programs were detected as malicious by
     any of the products.

     "The real challenge here is for people to get it through their heads
     that anti-virus is not a panacea, and that it's always going to fall
     short of identifying threats in real-time," said Trend's Perry. "The
     challenge for us as an industry is to try to change that perception,
     while at the same time integrating new threat mitigation features into
     our products."
