Saturday, September 26, 2009

Ants attacking malicious code (or the slow death of antivirus tools II)

Three researchers are working on a new method of detecting malicious code. The approach is basically based on mimicking ant behavior. So far it is in a development stage but has already identified a worm that was purposely introduced into a network of computers. The so called digital ants depend on agents so called "sentinels" installed on each machine, which in report back to so called "sergeants" on the network that are monitored by humans.

According to an article on the system only works in large networks where computers have the same build. Which means: If an "ant" sees a deviation from the standard build it will alert others to inspect what it could be. Just that it does not happen in real-time. Most infections require to act fast (i.e. a keyboard logger are sending your credit card data across as you type). Also the number of ants is concerning...the researches already planning on having 3,000 different type of ants. Is this another signature based approach?

Again a technology that only works in large networks/clouds. What about the typical corporation that has a sales force with laptops that randomly connects to check just email?

Here is the article - Ants vs worms: New computer security mimics nature

1SSA - Security Consulting, Training and Products

Tuesday, September 22, 2009

The slow death of antivirus tools

I think by now everyone using a computer that is somehow connected to the Internet is using an antivirus/Internet security/Spyware/etc. solution. No matter which one you choose they all are based on signatures to recognize malicious code entering your system. Those signatures need to be updated on a regular basis, to keep up with the known malware out there. You wonder why "known"? An antivirus company needs to have a sample of the malicious code to produce a signature. Which means Zero-day malicious code cannot be recognized by the program. Also if you do not update the signatures, the antivirus tool might not catch the latest known malicious code (e.g a virus or a worm) since you are lacking the signature. Let's summarize this and take a closer look:

First of all the malicious code needs to be already known and identified as such before your software can do anything about it. Most vendors incorporate so called heuristic analysis routines into their programs but they are usually so sensitive that most users turn them off (some vendors even have them turned off by default!) or do not react at all. Fact is that the industry has failed to provide a reliable heuristic scan solution so far.

Second those programs do not reliably identify all the viruses they "know". There is not one program out there that has recognized 100% of all the malicious code that is out there in the wild, even having all signatures installed. This is quite disturbing but a reality.

I am sure everyone has complaint about his/her computer being slow or flaky. Ever thought that this might be because of the antivirus program you are running? Reality is that those programs have hooks into all kinds of system calls and are constantly checking memory and files for malicious code. All this costs performance and your time. Unfortunately the signature based checks can only work that way.

Which brings me to the third point, the number of signatures has increased so much that each year the antivirus vendors set a new record in pushing out new signatures.

So what is the point? The point is that all these malicious code programs are dieing a slow death, the death of too many signatures to check in the time available.

Some of the vendors have realized that and are already turning to solutions that utilize the "cloud" (see cloud posting in this blog) and that way recognize infected files that way. But what happens to the people that are offline for an extended time? I guess they might be out of luck.

Here is some further reading:
Antivirus tools compared August 2009

1SSA - Security Consulting, Training and Products

Tuesday, September 15, 2009

Erasing HD: One time is enough?

For decades I have heard about HDs needing to be overwritten several times before being discarded. All to avoid someone from being able to retrieve information from that HD. It seems that we have been a little too paranoid. At least that is what Craig Wright, Dave Kleiman, and Shyaam Sundhar three forensic experts say in a White Paper they published.

According to the White Paper the chance of getting a Bit back the correct way is only 56% (which is close to flipping a coin). As a result the chance to reconstruct a Byte correctly is only 0.97%! You can imagine how this looks like for even a file in the Kilobyte range.

1SSA - Security Consulting, Training and Products