Wednesday, 19 May 2010

Return postage for Mr Zalewski

All due respect to Michal Zalewski. He is, after all, a very smart man. Much smarter than me, I'd wager. That being said, I disagree with some of his recent Zero Day Threat Post blog, Postcards from the anti-virus world. Go ahead and read it, if you haven't already. Go ahead, I'll wait for you... okay, done? The most glaring problem is the logic failure around the first bullet points. He says that most users are not keeping their anti-virus up to date. He then claims this is to the average AV user's advantage because malware writers don't bother to write AV evasion. First of all, this seems a bit specious to me, but let's continue on to the real problem here. In the first sub-point of the second item, he says that malware authors push their malware out so fast and so widely that there will be signature updates for it quickly, and this is good.

So excuse me, Mr Zalewski, but people don't update their AV with the latest signatures, but it's okay because the vendors push out new signatures really fast? These two points of logic can in fact work together, as strange as it seems. The problem is that, in this scenario, the user base for which this all works out has been marginalized to a fraction of the total user base. So what is really being said here is not that AV blacklisting methodology works really well, but rather that the fundamental failure of this approach for the majority constitutes a success for a minority of the users. So if you are a home user who keeps his antivirus up to date, you are better off than a home user who doesn't, or a corporation that does or does not.

Now let's talk about the second failure of this thinking. Mr Zalewski is thinking in the immediate. Even if the current trend continues on for N iterative cycles, the AV users do not win. The reason for this is simple: blacklist methodology is not sustainable once N has grown large enough in relation to the resource capacity of the machine running it. Antivirus has always been a resource hog, and has only gotten worse with time. The reason for this is the escalation factor. The 'bad guys' keep coming up with new malware, new techniques, new exploits, etc. So the AV firms come out with new signatures, new heuristics, and new scan engines. With every cycle, the product becomes less manageable from a resource perspective. I have had consultants tell me that 'most major companies' do not run AV products on production servers, because it is too resource intensive.

There is also the manageability of the program itself. Remember that AV is code just like any other program, and not some magical box. It's prone to bugs big and small, like any other code. The more you mess with the code, the greater the chance of introducing NEW bugs into it. As the complexity increases, so do the odds of deviation from expected behaviour. I'm sure that smarter people than me have expressed this mathematically, but I don't know where such a formula resides. So as the N described above continues to increase, so do the odds that we will see something like the McAfee DAT 5958 bug. This factor alone takes a bite out of the security of an AV solution, because security will constantly be fighting operational needs for resources, and every time we have a bug like DAT 5958 or the Symantec Y2K10 bug, the rest of IT hates AV more.

Now let's get back to the bit about most malware authors not using AV evasion. Now, I am not Dancho Danchev or any other malware researcher. Remember, I'm just some schmuck penetration tester. That being said, I find it hard to believe this statement is entirely true. What I would be more inclined to believe is that there are now an abundance of skiddies out there using malware 'kits' to assemble tons of variant malware and distributing it. These people, of course, have no idea how to create evasion techniques and so they don't bother. They just cherry-pick. I would hazard a guess that a lot of the people really spending time on writing their malicious code spend the time on at least some basic AV evasion.

Whether that's true or not, evasion is somewhat unnecessary. Mr. Zalewski hints at this as well in his article. He says that they don't bother because people don't update their anti-virus, so they don't worry about signature updates. This is just a demonstration of the utter failing of blacklist methodology. The malware authors don't need to write evasion techniques, because if a signature doesn't exist, and the heuristics won't catch it, what's the point? They can release their code into the wild now, then create a new variant when the AV companies get a sig out. They can play this game for quite a while. Tools like VirusTotal even give them a running scorecard of how they are doing against all the major players. Relying on signatures leaves holes you could drive trucks through. Those trucks, by the way, happen to be hauling your private data away to China and Russia.

Now please don't get me wrong here. I am not trying to call foul on the AV companies. At least not in any particular fashion. The thing of it is, if you are an MNC that got hit by a worm that exfiltrated trade secrets, and then F-Secure releases a signature a little later, that doesn't help much. It's rather like someone breaking into your house and stealing all of your stuff. The cops catch the crook, but may not get your stuff back. You don't blame the cop, but you do wish they had caught the guy while he was trying to break in, not after the fact.

As always, discussion and opinions are welcome here.


  1. My post actually wasn't meant to be a defense of the antivirus industry; in fact, I see many problems with how the model currently operates, and the parts you highlight were specifically an attempt to highlight this. It just seemed pointless to turn it into a fully-fledged rant.

    That said, specifically because I do not consider AV to be a proper security mechanism, I find it disappointing that we get worked up about antivirus bypass "vulnerabilities" - as if these products offered any strong security assurances to begin with, and weren't essentially inherently designed to be bypassable. This probably leads to people making misinformed decisions on the extent of trust they should put with AV software. This is the arguably more important point I hoped to make.

  2. Ah. Well I guess I missed some of the point of your article while turning around and trying to make it myself. I would have to agree that AV is a failure as a 'security mechanism'. There is no silver bullet for security unfortunately, but if I had to lay money down on the most effective use of resources it would be outside of the technical arena anyways.

    I would say the most important use of the security industry's time would be to continue working on building and fostering more mature processes. Development processes need to be moved along the lines of an SDL for all developers. It also needs to mean more than a buzz-word. The SDL concept itself needs to continue to grow and mature. Operational processes need to be grown and matured in the same way. All of IT needs to feel security is an integral part of their job. Whether it's network config, server builds, software installs, etc., everything needs to be done with an eye on the security implications of each decision.

    Finally, security processes need to be grown and matured. We need to step back and evaluate the way we approach security. As you said, we often place too much trust in AV. I'd say that we rely too heavily on products in general, though. Many times we set up our firewalls, our NIPS, maybe some HIPS, some AV, and some web proxies. Then we step back, dust our hands and say "okay, now we're secure". This bare minimum is laughable now. There is so much more that has to happen, from the obvious vulnerability and permissions auditing, to correlation of events from all of our various tools, to training our people to make the right decisions and beyond. It isn't the technology that will save us. It will be people making the right decisions.

    Well, sorry that rant went on a lot longer than I expected. Thank you, Mr Zalewski, for taking the time to respond to my post and clarifying your position.