Antivirus: Dead, Dying, or Here to Stay?

01/06/2012 | Dave Shackleford

Happy New Year! One of the big stories in the infosec community right now is the leak of Symantec’s antivirus source code. Symantec confirmed that the source code for both Symantec Endpoint Protection 11 and Symantec AntiVirus 10.2 had been exposed after a partner’s network was breached. So what does this mean, really? It makes for good drama in the security community, and goodness knows this is a group that LOVES its drama. In my opinion, though, the impact will be negligible. Why? Because antivirus is essentially extinct anyway. There are so many ways for savvy malware authors and attackers to evade detection by antivirus that it’s not even funny. No, really, it’s not funny.

Most people in the security community have known this for a long time, but I think our eyes were fully opened at DEF CON in 2008 during the “Race to Zero” contest. At this event, teams of researchers spent one day (some teams finished in just a few hours) modifying known malware and exploits until the AV engines no longer detected them. Metasploit ships with encoders that obfuscate and modify a payload so that its signature no longer matches, and many newer and more advanced techniques have been devised to further alter code and avoid detection, including this one. Yet many organizations still cling to AV. Several compliance mandates require it (PCI DSS, for one), and for many organizations both reasons apply at once. Given that AV is rapidly losing its efficacy, why do so many still rely on it? Based on my conversations with many in the industry, the answer seems to be “It’s better than nothing.” For some, this may be the case. For others, the hassle of maintaining signatures, deploying agents, fighting the resource-consumption battle on older systems, and getting AV to work on specialized or legacy systems may in fact make it WORSE than nothing.

But let’s not go there just yet. I have nothing against vendors in this space; they are providing a product that, for many years, was pretty useful and worked well enough. But the times, they have changed, my friends. Even attackers with a low level of skill can defeat standard “blacklist” antivirus, which can only flag code it already holds a signature for. Keeping up with the sheer number of new malware variants alone makes this type of product untenable, really. So what to do? Where do we go? Whitelisting? Behavior analysis and heuristics? File integrity monitoring? Yes, yes, yes. Honestly, we’ve got to change course. I know some of the major products are building these capabilities into their endpoint agents now. But what I think we need is a complete mindset shift. We have to get out of the “good enough” mentality and start trying to get ahead of the problems, or we’re just putting a Band-Aid on the issue and pretending it will go away. It won’t. The attackers are getting better faster than we are innovating with security products and operational tactics to fight them off. That is disconcerting, to say the least. I go to the RSA conference every year with the sincere hope we’ll see some innovation around malware prevention and detection, but as it stands right now, I’m not holding my breath.
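To make the two points above concrete (signature-based blacklisting is defeated by trivial re-encoding; whitelisting and file integrity monitoring judge a file by its identity instead), here is a small added example. It is editorial illustration code, not code from the original post, from Symantec, or from any AV vendor. The "malware" sample, the signature database, the approved binary and the directory contents are all constructed byte strings, and the XOR "packer" with its placeholder decoder stub stands in for the encoders a tool like Metasploit applies to a payload.

```python
import hashlib
from typing import Dict, Optional, Set

# --- Constructed sample data (not real malware, not from the original post) ---
# Stand-in "malicious" file: an MZ header followed by a recognisable marker string.
MALWARE_SAMPLE = b"MZ\x90\x00" + b"EVIL-PAYLOAD-v1" + b"\x00" + b"do-bad-things"
# Stand-in legitimate binary that the organisation has explicitly approved.
GOOD_BINARY = b"MZ\x90\x00" + b"notepad-like-tool" + b"\x00" + b"do-good-things"

# Blacklist signature database: the byte pattern a vendor extracted from the known sample.
SIGNATURES: Dict[str, bytes] = {"EvilPayload.A": b"EVIL-PAYLOAD-v1"}


def signature_scan(blob: bytes) -> Optional[str]:
    """Classic blacklist AV: return the family name if any known byte pattern appears."""
    for family, pattern in SIGNATURES.items():
        if pattern in blob:
            return family
    return None


def xor_encode(blob: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest transform a payload encoder applies (self-inverse)."""
    return bytes(b ^ key for b in blob)


def build_evasive_sample(key: int = 0x5A) -> bytes:
    """The same payload, trivially re-encoded. The prepended decoder stub is a
    placeholder string (not executable code) so the sample models 'stub + encoded body'."""
    stub = b"STUB:xor-key=" + bytes([key]) + b";"
    return stub + xor_encode(MALWARE_SAMPLE, key)


# --- Whitelisting: judge the identity of the whole file, not patterns inside it ---
def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


ALLOWLIST: Set[str] = {sha256_hex(GOOD_BINARY)}


def allowlist_check(blob: bytes) -> bool:
    """Only files whose hash was explicitly approved may run. A re-encoded payload
    gets a brand-new hash, which is simply 'unknown' and therefore denied."""
    return sha256_hex(blob) in ALLOWLIST


# --- File integrity monitoring over an in-memory 'directory' (path -> contents) ---
def fim_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record the hash of every file at a known-good point in time."""
    return {path: sha256_hex(data) for path, data in files.items()}


def fim_changes(baseline: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, str]:
    """Report files added, removed or modified since the baseline was taken."""
    now = fim_baseline(current)
    report: Dict[str, str] = {}
    for path in set(baseline) | set(now):
        if path not in baseline:
            report[path] = "added"
        elif path not in now:
            report[path] = "removed"
        elif baseline[path] != now[path]:
            report[path] = "modified"
    return report


if __name__ == "__main__":
    evasive = build_evasive_sample()
    print("signature scan, original  :", signature_scan(MALWARE_SAMPLE))
    print("signature scan, re-encoded:", signature_scan(evasive))
    print("allowlist, approved binary:", allowlist_check(GOOD_BINARY))
    print("allowlist, re-encoded     :", allowlist_check(evasive))
    before = {"/bin/tool": GOOD_BINARY}
    after = {"/bin/tool": GOOD_BINARY, "/tmp/dropper": evasive}
    print("FIM report:", fim_changes(fim_baseline(before), after))
```

The signature scanner catches the original sample and misses the re-encoded one, exactly the Race to Zero result in miniature. The allowlist and the integrity baseline never needed to know what the dropper was; they only needed to know what was approved before it showed up. That is the trade: whitelisting and FIM push the work from "recognise every bad thing" to "enumerate every good thing and notice change", which is harder to deploy but does not get weaker every time an attacker recompiles.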

Some other interesting security topics in the last week or so:

• The text-sharing site Pastebin.com experienced multiple DDoS attacks in the last week. This site, as most know by now, is the preferred location for posting pilfered documents and other data by the likes of Anonymous and LulzSec.
• It turns out that many SOHO wireless routers running Wi-Fi Protected Setup (WPS) are vulnerable to brute-force PIN guessing attacks. The eight-digit PIN is verified in two halves, and the access point tells a registrar whether each half was correct, so an attacker needs on the order of 11,000 guesses rather than millions. Multiple researchers found this issue and wrote PoC tools to perform the attacks. Ouch.
• Japan decided to create some “good” malware to fight off those wily and evil hackers. This brings me back to the days of 2001-2003 when the security community debated the “good worm” concept, decided it was WAY too risky, and abandoned it. Maybe Japan didn’t get the memo?
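Since the WPS item above only says “brute-force PIN guessing”, here is an added example showing why the guessing is cheap. This is editorial illustration code, not any researcher’s PoC tool and not from the original post. The checksum routine follows the WPS PIN definition (weight 3 on alternating digits, pad to a multiple of ten). The access-point class is a constructed model that keeps only the behaviour the attack depends on: the AP answers the registrar’s M4 with a NACK when the first four digits are wrong, and answers M6 with a NACK when the last four are wrong. No radio, EAP framing or timing is modelled.

```python
def wps_pin_checksum(first_seven: int) -> int:
    """Checksum digit for the 7-digit body of a WPS PIN: digits are weighted 3,1,3,1,...
    from the right and the result is padded up to a multiple of 10."""
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)
        first_seven //= 10
        accum += first_seven % 10
        first_seven //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and wps_pin_checksum(int(pin[:7])) == int(pin[7])


class ApModel:
    """Constructed model of a WPS access point's external-registrar exchange.
    Only the information leak is kept: the verdict on the first half of the PIN
    (M4 NACK) arrives separately from the verdict on the second half (M6 NACK)."""

    def __init__(self, pin: str) -> None:
        if not is_valid_wps_pin(pin):
            raise ValueError("PIN fails its own checksum")
        self._pin = pin
        self.attempts = 0  # how many PIN exchanges the attacker has run

    def try_pin(self, guess: str) -> str:
        self.attempts += 1
        if guess[:4] != self._pin[:4]:
            return "NACK after M4"   # first half wrong, AP aborts early
        if guess[4:] != self._pin[4:]:
            return "NACK after M6"   # first half right, second half wrong
        return "M7"                  # both halves accepted, AP would now hand over the WPA key


def brute_force_pin(ap: ApModel) -> str:
    """Attack each half independently: at most 10**4 + 10**3 exchanges, instead of the
    10**7 a monolithic 7-digit-plus-checksum PIN would imply. Guesses are sent with a
    valid checksum, as the public tools do."""
    first_half = None
    for n in range(10_000):
        candidate = f"{n:04d}"
        body = candidate + "000"
        reply = ap.try_pin(body + str(wps_pin_checksum(int(body))))
        if reply == "M7":
            return body + str(wps_pin_checksum(int(body)))
        if reply == "NACK after M6":
            first_half = candidate   # the AP just confirmed digits 1-4
            break
    if first_half is None:
        raise RuntimeError("AP never confirmed a first half; model misbehaved")
    for n in range(1_000):
        body = first_half + f"{n:03d}"
        pin = body + str(wps_pin_checksum(int(body)))
        if ap.try_pin(pin) == "M7":
            return pin
    raise RuntimeError("second half not found")


if __name__ == "__main__":
    ap = ApModel("12345670")   # constructed target PIN (checksum-valid)
    recovered = brute_force_pin(ap)
    print(f"recovered PIN {recovered} after {ap.attempts} exchanges (worst case 11000)")
```

The model is deliberately honest about what it leaves out: real access points add lockouts, rate limiting and timing noise, and the PoC tools spend most of their effort on those. The design flaw itself is the split verdict, and the code shows its consequence directly: the final checksum digit is derived, not secret, and confirming the halves separately turns one search of ten million into two searches of ten thousand and one thousand.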