Traditional Anti-Virus - PowerPoint PPT Presentation

1
  • Traditional Anti-Virus A Busted Flush!
  • by Kerry Davies
  • Commercial Director, Abatis (UK) Ltd.
  • 10-09-11

2
Background
  • Computer Science degree in early 80s
  • Security field since 1986
  • Security Evaluator, Consultant, Manager, Company
    Founder, Director, Big 4 Business Partner
  • MSc in Information Security at Royal Holloway
    2007-8 (Graduate 2009)
  • Why is traditional A/V a Busted Flush?
  • What is malware?
  • How does malware work?
  • How does traditional A/V work?
  • An alternative approach (that works!)

3
WHAT IS MALWARE ?
  • Virus, Worm, Trojan Horse, Key-Logger, Root-Kit,
    Logic Bomb, etc.
  • Malware is a value judgement
  • Malware is BIG BUSINESS for cyber criminals,
    cyber terrorists and hostile state actors - APTs
  • Traditional anti-virus (A/V) is reactive, not
    proactive: infections have to occur in order for
    the A/V vendors to collect samples to generate
    A/V signatures and the antidote
  • Symantec's 2010 report announced that they had
    found 286 million pieces of new malware that year;
    traditional A/V vendors can't keep up with this
    volume and the user community can't keep taking
    the megabytes of signature updates that the
    vendors push out daily

4
How does Malware work?
Elements of a worm (as an example)
  • Payload: implementation of specific actions such
    as opening backdoors, botnet, spyware,
    keylogger, rootkit
  • Scanning Engine: scanning across the network
  • Target Selection Algorithm: looking for potential
    new victims to attack
  • Warhead: gains access to the victim's machine
  • Propagation Engine: transfers the body to the
    victim
From Malware: Fighting Malicious Code, p. 79,
Ed Skoudis, Prentice Hall 2004
5
Assessing the Threatscape
  • Malware is everywhere and easily spread: nothing
    is safe any more
  • As smart-phone use rockets and social networking
    explodes, we struggle to balance the need for
    security versus the need to share information
  • Connection between the Hoover Dam and the Natanz
    nuclear facility in Iran?
  • Consumerisation of IT - the blurring between
    professional and personal use of technology,
    mobile platforms and social networking pose
    serious threats
  • Email spam, phishing, pharming and spear-phishing
    on the increase
  • So far in 2011, McAfee has identified 150,000
    malware samples every day: one unique file almost
    every half second, and a 60% increase over 2010
  • 19,000 new malicious URLs each day in the first
    half of this year, and 80% of those URLs are
    legitimate websites that were hacked or
    compromised

6
Consensus in the A/V Industry
  • "Back in the 80s, computer experts were quick to
    dismiss PC viruses as harmless. We need to learn
    from this mistake and start taking the mobile
    malware threat seriously. Only by taking
    pre-emptive measures can we equip ourselves
    against this pernicious and escalating menace."
    Davey Winder, Security Journalist and Consultant
  • Symantec recorded that in 2010 it saw 286 million
    pieces of new malware.
  • "Anti-virus technology can't stop targeted
    attacks.... Anti-virus is dead because it is
    unable to detect attacks properly and is
    incapable of working on mobile devices."
    Nir Zuk, founder and CTO of Palo Alto Networks,
    to SC Magazine, September 9th 2011
  • "The security industry has done a miserable job
    of protecting customers and industry. More than
    half of malware is not blocked by anti-virus, as
    vendors can only deal with known
    malware........ the approach taken by most
    anti-virus vendors is not good enough, as most
    claim to block 99 per cent of known malware, but
    most cyber criminals use unknown variants."
    M86 Security CEO John Vigouroux, speaking to SC
    Magazine
  • "In 2007 .... there were about 200 malware threats
    for mobile phones and more than 250,000 viruses
    for Windows." Graham Cluley, senior technology
    consultant at Sophos
  • "... With mobile menaces steadily on the rise, we
    can only anticipate how virulently worms can
    multiply, especially with the explosion of
    Bluetooth and the increase in workforce mobility
    in organisations like the NHS." Leslie Forbes,
    Technical Manager, F-Secure
  • According to Ken Silva, CTO of Verisign:
    "Criminals will go where the money is," Silva
    told CNET News. "If you start doing things of
    financial interest with your mobile phone, they
    will find a way to get your money."
7
Effectiveness of Anti-malware solutions
"Popular AV signature-based solutions detect on
average less than 19% of malware threats. That
detection rate increases to only 61.7% after 30
days." Malware Detection Rates for Leading AV
Solutions: A Cyveillance Analysis, 04/08/10
  • Recent malware infection tactics:
  • Drive-by download infection
  • Fake security tool and free scanning services
  • Social engineering: social networks, e.g.
    Facebook
  • Embed malicious link in email: phishing,
    pharming and spear-phishing type attacks
  • Cracked PDF and document files: embedded
    link/payload

8
OTHER METHODS OF PROTECTION
  • Isolation
  • Avoid questionable sites, download software only
    from reputable sites, run an anti-virus scan on
    any downloaded material
  • Signature Based: as the last table showed, on
    average 19% effective on day 1, max 60%, reactive
  • Heuristic: reactive, signature-based fuzzy
    pattern matching, false positives (achieves 19%)
  • Reputation Based: incomplete coverage, limited,
    vendor specific, error prone, can be defeated
  • Hashing: used as part of the reputation-based
    approach (hashes can be defeated)
  • Blacklisting: seriously?
  • Whitelisting: attractive in principle but a huge
    maintenance nightmare, as hashes have to be
    recalculated and redistributed to every machine
    for every change
  • Combination: what the better A/V is doing
    now.
  • Kernel-level Control over I/O: use the fundamental
    nature of malware as executable code and the
    ring-based integrity mechanisms of the O/S to
    block storage of executable program files on the
    hard disk, producing a fast, reliable,
    non-signature-based, proactive anti-malware
    solution
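An added example (not from the presentation or from Abatis) showing, on constructed in-memory samples, the two hash problems named in the list above: a hash blacklist only matches the exact sample a vendor has already captured, and a hash whitelist blocks every legitimate file as soon as it changes, until the hashes are recalculated and redistributed. The class names, sample contents and the `repack` helper are the example's own.

```python
"""Added example: hash blacklist vs. hash whitelist on constructed samples.
Not Abatis code. Nothing here reads or writes a real disk."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "files" (not real binaries). KNOWN_BAD stands in for a
# malware sample a vendor has already fingerprinted; TRUSTED_APP for an
# application the organisation has approved.
KNOWN_BAD = b"MZ" + b"\x00" * 62 + b"constructed-sample-keylogger-v1"
TRUSTED_APP = b"MZ" + b"\x00" * 62 + b"constructed-sample-payroll-app-1.0"


class HashBlacklist:
    """Signature-style control: block only files whose hash is already known bad."""

    def __init__(self, bad_files):
        self.bad = {sha256(f) for f in bad_files}

    def allows(self, data: bytes) -> bool:
        return sha256(data) not in self.bad


class HashWhitelist:
    """Allow only files whose hash has been approved; block everything else."""

    def __init__(self, good_files):
        self.good = {sha256(f) for f in good_files}

    def allows(self, data: bytes) -> bool:
        return sha256(data) in self.good

    def rebuild(self, good_files):
        # The maintenance cost the slide describes: every legitimate change
        # means regenerating the approved hashes and pushing them to every host.
        self.good = {sha256(f) for f in good_files}


def repack(sample: bytes) -> bytes:
    """Model an 'unknown variant': one appended byte leaves behaviour alone
    but produces an entirely different hash."""
    return sample + b"\x00"


def demo() -> dict:
    """Return the allow/block decisions for each case as a dict of booleans."""
    blacklist = HashBlacklist([KNOWN_BAD])
    whitelist = HashWhitelist([TRUSTED_APP])
    variant = repack(KNOWN_BAD)                          # unseen variant of known sample
    updated_app = TRUSTED_APP.replace(b"1.0", b"1.1")    # routine vendor update

    results = {
        "blacklist_blocks_known": not blacklist.allows(KNOWN_BAD),
        "blacklist_blocks_variant": not blacklist.allows(variant),
        "whitelist_blocks_variant": not whitelist.allows(variant),
        "whitelist_allows_trusted": whitelist.allows(TRUSTED_APP),
        "whitelist_allows_updated_app": whitelist.allows(updated_app),
    }
    # Only after the whitelist is rebuilt and redistributed does the update run.
    whitelist.rebuild([updated_app])
    results["whitelist_allows_updated_after_rebuild"] = whitelist.allows(updated_app)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The blacklist misses the one-byte variant, which is the "unknown variants" point from the quotes on slide 6; the whitelist catches it, but also blocks the legitimate 1.1 update until `rebuild` runs on every machine.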

9
HDF - IMPLEMENTATION
Diagram: an application, e.g. WinWord (User Mode /
Ring 3), issues two write requests to the operating
system, e.g. Windows (Kernel Mode / Ring 0):
  (a) save keylog.exe
  (b) save business.doc
Without HDF protection, both requests reach the
disk. With HDF protection, the HDF filter sits in
the kernel between the application and the disk
and blocks storage of the executable (a) while
passing the document (b).
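To make the diagram concrete, here is an added user-mode model of the decision the HDF filter makes on each write. It is example code, not Abatis's driver: the real filter runs as a kernel-mode (ring 0) file-system filter, whereas this script keeps a dict as its "disk". It classifies what is being stored by its content (PE, ELF and interpreter-line magic), not by file name, and contrasts that with a name-only check. The file contents, paths and the `HdfFilterModel` class are constructed for the example.

```python
"""Added example: a user-mode model of the Hard Disk Firewall (HDF) decision.
Not Abatis code; the real filter lives in kernel mode beneath the file system.
Here the 'disk' is a dict and each write is a method call."""
import os

# Leading bytes that identify executable program formats. The check is made
# on content, not on the file name, so a renamed executable is still caught.
EXECUTABLE_MAGIC = (
    (b"MZ", "Windows PE (MZ) executable"),
    (b"\x7fELF", "ELF executable"),
    (b"#!", "script with interpreter line"),
)


def executable_kind(content: bytes):
    """Return a description if the content is an executable format, else None."""
    for magic, kind in EXECUTABLE_MAGIC:
        if content.startswith(magic):
            return kind
    return None


def blocked_by_name(path: str) -> bool:
    """The weak alternative: decide from the extension alone."""
    return os.path.splitext(path)[1].lower() in {".exe", ".dll", ".sys", ".sh"}


class HdfFilterModel:
    """Sits between the application (ring 3) and the disk: blocks storage of
    executable program files and passes everything else through unchanged."""

    def __init__(self):
        self.disk = {}   # path -> bytes actually stored
        self.log = []    # one entry per write request, for later review

    def write(self, path: str, content: bytes) -> bool:
        kind = executable_kind(content)
        if kind is not None:
            self.log.append(f"BLOCKED {path}: {kind}")
            return False
        self.disk[path] = content
        self.log.append(f"allowed {path}: {len(content)} bytes")
        return True


# Constructed sample contents (not real files): an OLE2 compound-document
# header as used by legacy .doc files, a minimal PE-style stub, and a script.
BUSINESS_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"Quarterly figures ..."
KEYLOG_EXE = b"MZ\x90\x00" + b"\x00" * 60 + b"constructed PE stub"
RUN_SH = b"#!/bin/sh\necho hello\n"


def demo():
    """Replay the slide's two writes plus two cases the diagram does not show."""
    hdf = HdfFilterModel()
    decisions = {
        "business.doc": hdf.write(r"C:\Users\kd\business.doc", BUSINESS_DOC),
        "keylog.exe": hdf.write(r"C:\Users\kd\keylog.exe", KEYLOG_EXE),
        # Same executable content under a document-looking name.
        "keylog_renamed": hdf.write(r"C:\Users\kd\quarterly.doc", KEYLOG_EXE),
        "run.sh": hdf.write(r"C:\Users\kd\run.sh", RUN_SH),
    }
    # What a name-only check would have decided for the renamed file.
    decisions["renamed_caught_by_name_check"] = blocked_by_name(r"C:\Users\kd\quarterly.doc")
    return decisions, hdf


if __name__ == "__main__":
    d, model = demo()
    print(d)
    print("\n".join(model.log))
```

Running `demo()` shows business.doc reaching the disk while keylog.exe is blocked whether or not it is renamed, which is exactly the property the name-only check lacks. The model draws the same boundary the slide does, executable program files; content that runs inside an interpreter already present on the machine, such as macros inside the .doc, sits on the allowed side of that boundary and has to be covered by other controls.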
10
PRODUCTS AND BENEFITS
  • HDF Workstation
  • HDF Server
  • All versions of Windows from NT to latest 64 bit
  • Red Hat Linux
  • Mobile Platforms (future), Real Time, SCADA
  • Enforce system integrity
  • Stop zero-day attacks and targeted attacks
  • Block all unwanted software execution
  • No signature updates required: fit and forget,
    low TCO
  • No performance impact: potential improvement

11
HARD DISK FIREWALL (HDF)
12
Questions
Kerry Davies, Abatis (UK) Ltd, Royal Holloway
Enterprise Centre, Royal Holloway University of
London, Egham, Surrey TW20 0EX. Tel +44 (0) 7767
240799, kerry_at_abatis-hdf.com