For the last 20 years, hackers and antivirus software programmers have played a cat-and-mouse game over computer security. Whenever one side would innovate, the other would catch up. And for most of that time, the conflict remained a benign contest between tech savvy vandals looking for street cred and the professional programmers trained to counter them.
But around late 2005/early 2006, malware production transformed from a hobby of malevolent computer geeks into a major source of money for organized crime. Funded by mobsters to steal credit card information or propagate Internet scams, virus writers began churning out malware at a rate, and of a complexity, orders of magnitude larger than antivirus software could deal with.
Recently, antivirus software companies have responded with new technologies to counter the enhanced threat, but some experts believe even that may be too little, too late. [See graphic "Current Computer Virus Threat Types."]
“The viruses are winning because the defenses don’t work very well,” said Golden Richard III, a professor of computer science at the University of New Orleans. “It’s much harder to be on defense. And the offensive guys are really smart, they’ve got a lot of resources. It’s a bleak situation.”
Out of the open and into the shadows
Malware encompases any kind of malicious program, from computer viruses that crash computers to Trojans that steal credit card information. Until a couple of years ago, hackers wrote malware to gain respect in their community, with programs designed to perform some task that other computer programmers would easily notice. After all, a hacker would hardly gain any notoriety if no one noticed the virus they made, Richard said.
This deliberate obviousness also made it easy for antivirus software (AV) to find and eliminate the infections. However, once the goal switched from infamy to criminal profit, malware writers began adding stealth features to their programs. That way, the malware could continue its illegal activity as long as possible without triggering an antivirus response.
Modern malware uses a variety of methods to conceal itself. As a result, even the most advanced antivirus software only detects between 40 and 70 percent of infections, said Danny Quist, a malware specialist and founder of Offensive Computing, LLC.
Some malware packs itself into innocuous looking code that an antivirus program will only recognize as malicious after it starts running, and by then, it’s too late. Other malware will shuffle its own code, destroying the markers that antivirus software searches for. Some malware will even contain no dangerous code at all, but automatically downloads the dangerous software from a website once it has passed an antivirus check. Many types of malware do all those things and more, Quist said.
“There was this contest at Defcon [a computer security conference], where the contestants were given old malware code, and asked to make it undetectable to AV, but still run. The contest went on for about four hours, and they got all the files. Some AV fell in minutes,” Quist said. “It’s trivially easy to modify a file so it does not get detected by AV.”
Not only has the malware gotten stealthier, it has multiplied in variety and number at an unmanageable rate, said Sean-Paul Correll, a threat researcher at Panda Security, an antivirus software company.
“In 2006, we started noticing this growth in malware samples,” Correll said. “Samples were doubling year after year. In 2009, we received 25 million new strains of malware. That was bigger than the past 20 years combined. Through July 2010, we had 46.6 million malware samples in our database. We have almost 100 percent growth since 2009, with 5 months to go.”
AV companies strike back
To combat the immense number of stealth malware programs poised to attack commercial and private computers, antivirus software companies have turned to powerful server networks to analyze and block new malware. Whereas old antivirus programs simply used the resources of a single computer to analyze itself, this pooled approach, called cloud computing, allows AV companies to go beyond just checking malware code against a library of previously observed programs, said Toralv Dirro, a security strategist for antivirus software maker McAfee.
The first advantage of cloud computing involves increased memory. The server clouds can hold vast lists of previously identified programs. If a user downloads a program that doesn’t appear on that list, a unique program that hasn’t been reported from anyone else in the world, the server cloud flags it as malware that has probably scrambled its coding to avoid detection, Dirro said.
For the malware that camouflages itself in innocuous packing, the cloud can download and run the program in a safe, self-contained, environment. If after unpacking and running, the program begins to behave maliciously, the cloud can flag the program as malware, said Sean Sullivan, a security advisor at F-Secure Labs, an antivirus software company.
“Nowadays we have 40-50,000 samples that come in every day. So we’ve had to build a lot of automation,” Sullivan said. “Whereas 5 years ago, we have dozens of cases, these days we have to rely on our servers and automation to do the work. Now, the guy who was doing the research is designing the computers that do the research.”
However, not everyone is convinced that cloud computing is strong enough to combat the threat of modern malware. No independent study has ever shown that cloud computing increases the efficacy of antivirus software, said Paul Royal, a research scientist at the Georgia Tech Information Security Center.
Even the AV companies admit that to a degree, they are outgunned.
“I would compare [AV] to a lock on the door,” F-Secure Lab's Sullivan said. “Everyone has a lock on the door to prevent home invasion. But just by itself, against a dedicated, penetrated attack, it probably doesn’t help.”
Browse responsibly
At this point, computer security cannot go back to a pre-2006 time when simply running AV software would protect the computer against most threats. To truly protect a computer against malware, the user must work as hard as the antivirus software by practicing safe Internet browsing.
“Antivirus software isn’t good enough on its own. You need to combine it with common sense as a human being,” McAfee's Dirro said. “You’ve got airbags in your car, but you still don’t drive into a concrete wall at full speed. If you think any email is dodgy, don’t open it.”
Responsible browsing means staying away from websites that traffic in pirated material, avoiding adult websites without the proper level of security and, yes, installing the most up to date AV software, since, after all, even 40 percent protection is better than nothing, Correll said.
However, even safe browsing habits are often not enough.
Last year, hackers inserted malicious code into an advertisement that appeared on the USA Today website, Royal said. The malware infected computers regardless of whether or not the user clicked on the ad; simply reading an article with the advertisement on the same page lead to infection. And since the ads rotated, anyone simply looking for news became at risk, Royal said.
“Things may suck right now, but they’re not going to get any worse,” Quist said, “because it’s the worst case scenario right now.”
