
When Antivirus Fails, All Is Not Lost

Following Flame, Stuxnet, and Duqu, even the antivirus industry is questioning its ability to stop targeted attacks. Yet other technologies exist to catch malware in the corporate network

Starting in late 2011, unknown attackers attempted to install malicious code on a computer belonging to a client of security firm Bit9. The attack, which occurred around 6 a.m. each day, failed because the company's whitelisting technology did not recognize the program as an approved application and so blocked its installation.

Only recently was the attack given another name: Flame.

Although Bit9 and its client, which the company would not name but says is based in the Middle East, did not investigate the routine security incidents last year, recent events convinced Bit9 to search through its database of hashes to identify past executables that its technology had blocked. When it found a match, the company -- with permission -- performed forensics using the client's local database of security events. Bit9 found that a dropper had attempted to install at least two different files on the targeted system.

"Somebody had remotely targeted that system and compromised it enough to try to remotely drop executables on the computer, and we flagged them as unauthorized," says Harry Sverdlove, chief technology officer with Bit9. "It attempted to run. We said no, and that was the end of it."

Following Flame, the most recent targeted attack to hit the headlines, antivirus companies are facing a great deal of criticism for missing signs of the attack for more than four years. Even one of the industry's own, Mikko Hypponen of F-Secure, issued a mea culpa in Wired, saying that the company and its competitors could do better.

"All of us had missed detecting this malware for two years, or more," F-Secure's chief research officer wrote. "That's a spectacular failure for our company, and for the antivirus industry in general."

[ Microsoft issued an emergency patch for all versions of Windows after it discovered the attackers had abused one of its digital certificates to help spread the Flame infection from one machine to others within the targeted organization. See Flame Burns Microsoft With Digital Certificate Hack. ]

Historically, however, antivirus software's strength has been in detecting viruses, worms, and other mass attacks. More recent improvements, such as threat communities and cloud analysis, continue to shorten the delay between detection and the distribution of specific protections. Yet antivirus and anti-malware programs remain ill-suited to detecting low-volume threats such as targeted attacks.

It's not just nation-state attacks, such as Stuxnet and Duqu, both of which spread for at least 12 months before detection. Cybercriminals routinely run their own targeted attacks against antivirus firms' software to make sure they are not detected. In more than 300 investigations performed by security firm Trustwave in 2011, all involved malware and none were detected by the antivirus software installed on the clients' systems, the company stated in its Global Security Report earlier this year.

"The clients would say, 'We were running antivirus on this system, and we know we updated all of our signatures -- why wasn't this caught?'" says Nick Percoco, senior vice president and head of Trustwave's SpiderLabs. "The vast majority of people don't understand that the bad guys can test target an environment and write a piece of malware to evade detection."

To detect targeted threats, companies must first be more aware of what is going on in their networks, Percoco says. By watching for events -- and not just suspicious activity -- a company can detect the existence of an infection. Known as indicators of compromise, or IOCs, these events can tip a company off that something unwanted is inside the firewall.

"We have found that a chain of three or four positive events -- such as a successful login followed by Web activity and an uptick in disk utilization -- can equal something negative, a compromise," he says.

What works at the network level can also work at the systems level. Because there are so many attack vectors today, it is hard to watch every one; instead, companies can monitor systems and memory for the telltale evidence that something bad is happening, says Pascal Longpre, chief technology officer for anti-malware firm Silicium Security. The company's software analyzes events in the system memory to detect anomalies that may indicate an infection.

"Our approach looks at the behavior of the system," he says. "And then we send that to a central server, where a security expert can make the call."

Finally, companies can take the "deny all" approach to applications, just like the recommended practice for firewall rules. Known as whitelisting, the defensive technology allows only known good programs to run on systems. With millions of variants of malware being generated every year, focusing on the 10,000 to 25,000 programs running on a typical system makes more sense, Bit9's Sverdlove says.

"Just trying to keep up with the bad stuff and trying to identify more and more malware is not an effective solution," he says.

Sverdlove stresses that whitelisting has grown up. Once notorious for the difficulty of maintaining its lists of trusted applications, whitelisting now focuses on accepted general policies.
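Two things the article describes about whitelisting, the deny-by-default execution decision and Bit9's later search of its database of blocked executables for hashes that turned out to be Flame, fit naturally into one small model. The code below is an added illustration, not Bit9's product or code from the article; the policy structure, the byte strings standing in for executables, the publisher name and the retroactive-hunt API are all constructed assumptions. In particular, a real whitelisting agent verifies the code signature itself; here the caller is assumed to have already done that and passes only the verified publisher name.

```python
import hashlib
from datetime import datetime, timezone


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of an executable's bytes, the identity a hash-based allowlist keys on."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample "executables": byte strings standing in for real PE files.
APPROVED_BIN = b"MZ\x90\x00approved-office-suite-v1"
UNKNOWN_BIN = b"MZ\x90\x00unrecognized-dropper-sample"

# Constructed policy: explicit hashes plus a general publisher rule, the kind of
# policy-based allowlisting the article says has replaced hand-maintained lists.
POLICY = {
    "approved_hashes": {sha256_of(APPROVED_BIN)},
    "trusted_publishers": {"Example Corp Code Signing"},  # placeholder publisher name
}


class Allowlist:
    """Deny-by-default execution control with a local database of blocked events."""

    def __init__(self, policy):
        self.policy = policy
        self.blocked_events = []  # the "local database of security events" kept per client

    def decide(self, host, path, data, verified_publisher=None, when=None):
        """Return ("allow" | "block", sha256). Anything not matched by policy is blocked
        and recorded, so it can be re-examined later."""
        h = sha256_of(data)
        if h in self.policy["approved_hashes"]:
            return "allow", h
        # Assumption: verified_publisher is the subject of a signature the caller has
        # already validated; this model does no cryptographic checking itself.
        if verified_publisher is not None and verified_publisher in self.policy["trusted_publishers"]:
            return "allow", h
        self.blocked_events.append({
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "host": host,
            "path": path,
            "sha256": h,
        })
        return "block", h

    def retro_hunt(self, known_bad_hashes):
        """Match hashes published later (e.g. for a newly named malware family) against
        executions that were blocked at the time without anyone investigating them."""
        return [e for e in self.blocked_events if e["sha256"] in known_bad_hashes]


if __name__ == "__main__":
    al = Allowlist(POLICY)
    print(al.decide("ws17", r"C:\Program Files\Suite\suite.exe", APPROVED_BIN))
    print(al.decide("ws17", r"C:\Windows\Temp\~tmp1.exe", UNKNOWN_BIN))
    # Months later a hash list for the newly identified family arrives:
    print(al.retro_hunt({sha256_of(UNKNOWN_BIN)}))
```

The point of keeping the blocked-event records is the second half of the article's story: a block that looked like routine noise when it happened becomes evidence once a hash list for a named family exists, and the retroactive query is what turns "we denied an unknown executable at 6 a.m." into "this client was targeted by Flame."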

In the end, it's not so much that antivirus is not working, but that people are expecting software created to detect commoditized attacks to work against made-to-order targeted attacks. Companies need to use the right defenses for the job, Silicium's Longpre says.

"If you want to protect your office, you put a lock on the door, but there is only so much a lock can do," he says. "Instead, you start adding other defenses, such as video cameras and motion sensors. That's the approach we need to take."

User Rank: Moderator
6/6/2012 | 3:55:18 AM
re: When Antivirus Fails, All Is Not Lost
As you've said, application whitelisting is not a foolproof method for ensuring corporate data is protected. The fact remains that Flame breached the network perimeter and was able to compromise the targeted systems even though Bit9 blocked the Flame .exe drop. Because APTs like this one tend to fly low and slow under the radar, it's unlikely most enterprises will be able to keep them at bay. Companies can't simply lock the door, they need to classify their most valuable data, then apply access controls, data leak monitoring, and encryption.
@Cryptodd @Vormetric