
When Antivirus Fails, All Is Not Lost

Following Flame, Stuxnet, and Duqu, even the antivirus industry is questioning its ability to stop targeted attacks. Yet other technologies exist to catch malware in the corporate network

Starting in late 2011, unknown attackers attempted to install malicious code on a computer belonging to a client of security firm Bit9. The attack, which occurred around 6 a.m. each day, failed because the company's whitelisting technology did not recognize the program as an approved application and so blocked its installation.

Only recently was the attack given another name: Flame.

Although Bit9 and its client, which the company would not name but says is based in the Middle East, did not investigate the routine security incidents last year, recent events convinced Bit9 to search through its database of hashes to identify past executables that its technology had blocked. When it found a match, the company -- with permission -- performed forensics using the client's local database of security events. Bit9 found that a dropper had attempted to install at least two different files on the targeted system.

"Somebody had remotely targeted that system and compromised it enough to try to remotely drop executables on the computer, and we flagged them as unauthorized," says Harry Sverdlove, chief technology officer with Bit9. "It attempted to run. We said no, and that was the end of it."

Following Flame, the most recent targeted attack to hit the headlines, antivirus companies are facing a great deal of criticism for missing signs of the attack for more than four years. Even one of the industry's own, Mikko Hypponen of F-Secure, issued a mea culpa in Wired, saying that the company and its competitors could do better.

"All of us had missed detecting this malware for two years, or more," F-Secure's chief research officer wrote. "That's a spectacular failure for our company, and for the antivirus industry in general."

[ Microsoft issued an emergency patch for all versions of Windows after it discovered the attackers had abused one of its digital certificates to help spread the Flame infection from one machine to others within the targeted organization. See Flame Burns Microsoft With Digital Certificate Hack. ]

Historically, however, antivirus software's strength has been in detecting viruses, worms, and other mass attacks. More recent improvements, such as threat communities and cloud analysis, continue to shorten the delay between detection and the distribution of specific protections. Yet antivirus and anti-malware programs continue to be ill-suited to detect the low-volume threats like targeted attacks.

It's not just nation-state attacks, such as Stuxnet and Duqu, both of which spread for at least 12 months before detection. Cybercriminals routinely run their own targeted attacks against antivirus firms' software to make sure they are not detected. In more than 300 investigations performed by security firm Trustwave in 2011, all involved malware and none were detected by the antivirus software installed on the clients' systems, the company stated in its Global Security Report earlier this year.

"The clients would say, 'We were running antivirus on this system, and we know we updated all of our signatures -- why wasn't this caught?'" says Nick Percoco, senior vice president and head of Trustwave's SpiderLabs. "The vast majority of people don't understand that the bad guys can test target an environment and write a piece of malware to evade detection."

To detect targeted threats, companies must first be more aware of what is going on in their networks, Percoco says. By watching for events -- and not just suspicious activity -- a company can detect the existence of an infection. Known as indicators of compromise, or IOCs, these events can tip a company off that something unwanted is inside the firewall.

"We have found that a chain of three or four positive events -- such as a successful login followed by Web activity and an uptick in disk utilization -- can equal something negative, a compromise," he says.
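An added illustration, not code from the article or from Trustwave, of the event-chain idea Percoco describes: three individually benign events (a successful login, then web activity, then a jump in disk utilization) on one host inside a short window are correlated into a single compromise indicator. The log format, hostnames, thresholds and window are constructed for this example.

```python
# Added example: chaining benign events into an indicator of compromise.
# Log format, hosts, window and disk-jump threshold are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp host event key=value ..."
SAMPLE_LOG = """\
2012-05-01T06:00:05 ws-17 login user=jsmith result=success
2012-05-01T06:00:41 ws-17 http dst=203.0.113.9 bytes=1200
2012-05-01T06:02:10 ws-17 disk util=42
2012-05-01T06:05:30 ws-17 disk util=91
2012-05-01T09:15:00 ws-22 login user=agarcia result=success
2012-05-01T09:16:12 ws-22 http dst=198.51.100.4 bytes=800
2012-05-01T09:20:00 ws-22 disk util=38
2012-05-01T09:25:00 ws-22 disk util=40
2012-05-01T11:00:00 ws-31 disk util=95
"""

def parse(log_text):
    """Yield (timestamp, host, event, {key: value}) for each log line."""
    for line in log_text.splitlines():
        ts, host, event, *fields = line.split()
        yield datetime.fromisoformat(ts), host, event, dict(f.split("=", 1) for f in fields)

def find_compromise_chains(log_text, window=timedelta(minutes=10), disk_jump=30):
    """Return {host: (login_time, user, utilization_rise)} for hosts where a
    successful login is followed, within `window`, by web activity and then a
    disk-utilization rise of at least `disk_jump` points. Order matters: each
    stage must occur after the previous one, so an isolated spike is ignored."""
    by_host = defaultdict(list)
    for ts, host, event, kv in parse(log_text):
        by_host[host].append((ts, event, kv))
    flagged = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e[0])
        for i, (t0, ev, kv) in enumerate(events):
            if ev != "login" or kv.get("result") != "success":
                continue
            seen_web, base_util = False, None
            for t1, ev1, kv1 in events[i + 1:]:
                if t1 - t0 > window:
                    break
                if ev1 == "http":
                    seen_web = True
                elif ev1 == "disk" and seen_web:
                    util = int(kv1["util"])
                    if base_util is None:
                        base_util = util            # first reading after web activity
                    elif util - base_util >= disk_jump:
                        flagged[host] = (t0, kv["user"], util - base_util)
                        break
            if host in flagged:
                break
    return flagged
```

Only ws-17 is flagged: ws-22 shows the same sequence but no meaningful disk rise, and ws-31 has a spike with no preceding login or web activity.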

What works at the network level can also work at the systems level. Because there are so many attack vectors today, it is hard to watch every one; instead, companies can monitor systems and memory for the telltale evidence that something bad is happening, says Pascal Longpre, chief technology officer for anti-malware firm Silicium Security. The company's software analyzes events in the system memory to detect anomalies that may indicate an infection.

"Our approach looks at the behavior of the system," he says. "And then we send that to a central server, where a security expert can make the call."

Finally, companies can take the "deny all" approach to applications, just like the recommended practice for firewall rules. Known as whitelisting, the defensive technology allows only known good programs to run on systems. With millions of variants of malware being generated every year, focusing on the 10,000 to 25,000 programs running on a typical system makes more sense, Bit9's Sverdlove says.

"Just trying to keep up with the bad stuff and trying to identify more and more malware is not an effective solution," he says.

Sverdlove stresses that whitelisting has grown up. Once known for the difficulty of maintaining lists of trusted applications, whitelisting now focuses on broadly accepted policies rather than per-program lists.
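An added example, not Bit9's product or code, of the two mechanisms the article combines: a deny-by-default allowlist keyed on the SHA-256 of the program image, which blocks anything unrecognized regardless of its filename and records each block in a local event database, and the retrospective lookup Bit9 performed, where previously blocked hashes are re-checked against indicators published later. The program images, names, dates and IOC set are constructed.

```python
# Added example: hash-based deny-by-default allowlisting with a local
# block-event database that can be searched against later-published IOCs.
# All binaries, names, hashes and dates here are constructed.
import hashlib
from datetime import datetime

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for approved program images (hash -> friendly name)
APPROVED = {sha256_hex(b"MZ...approved-mail-client..."): "mailclient.exe",
            sha256_hex(b"MZ...approved-office-suite..."): "office.exe"}

class Allowlist:
    def __init__(self, approved):
        self.approved = dict(approved)
        self.blocked_events = []   # the client's local security-event database

    def check_execution(self, image: bytes, claimed_name: str, when: datetime) -> bool:
        """Allow only images whose hash is approved; the claimed filename is
        never consulted, so a renamed dropper is still blocked. Every block is
        recorded with its hash for later forensics."""
        digest = sha256_hex(image)
        if digest in self.approved:
            return True
        self.blocked_events.append({"time": when, "name": claimed_name, "sha256": digest})
        return False

    def retro_match(self, published_iocs: dict) -> list:
        """Return past block events whose hash appears in a newly published
        IOC set (hash -> label), the search Bit9 ran after Flame was named."""
        return [dict(ev, label=published_iocs[ev["sha256"]])
                for ev in self.blocked_events if ev["sha256"] in published_iocs]

def demo():
    wl = Allowlist(APPROVED)
    dropper = b"MZ...constructed-unknown-dropper..."
    results = []
    for day in (1, 2, 3):                      # the same drop attempted each morning
        results.append(wl.check_execution(dropper, "update.exe", datetime(2011, 11, day, 6, 0)))
    results.append(wl.check_execution(b"MZ...approved-mail-client...", "mailclient.exe",
                                      datetime(2011, 11, 1, 8, 0)))
    # Months later a published IOC set names the dropper's hash (constructed label)
    iocs = {sha256_hex(dropper): "constructed-dropper-family"}
    return results, wl.retro_match(iocs)
```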

In the end, it's not so much that antivirus is not working, but that people are expecting software created to detect commoditized attacks to work against made-to-order targeted attacks. Companies need to use the right defenses for the job, Silicium's Longpre says.

"If you want to protect your office, you put a lock on the door, but there is only so much a lock can do," he says. "Instead, you start adding other defenses, such as video cameras and motion sensors. That's the approach we need to take."

6/6/2012 | 3:55:18 AM
re: When Antivirus Fails, All Is Not Lost
As you've said, application whitelisting is not a foolproof method for ensuring corporate data is protected. The fact remains that Flame breached the network perimeter and was able to compromise the targeted systems even though Bit9 blocked the Flame .exe drop. Because APTs like this one tend to fly low and slow under the radar, it's unlikely most enterprises will be able to keep them at bay. Companies can't simply lock the door, they need to classify their most valuable data, then apply access controls, data leak monitoring, and encryption.
@Cryptodd @Vormetric