In Depth

Antivirus: Great Business, Lost Cause

Signature-based scanning software ultimately can't keep up with the high-speed proliferation of viruses and worms

By Simson Garfinkel

Page 2

CIH/Chernobyl is no match for today's signature-based antivirus systems. The typical virus scanner has a database of signatures (unique byte strings) for roughly 50,000 viruses. On a properly protected computer, executables infected with a familiar signature such as Chernobyl's simply can't run. Signature-based antivirus software is also slowly making its way from the desktop to the network, adding another layer of security.
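To make the mechanism concrete, here is a toy signature scanner in Python. It is an added example, not code from the article or from any antivirus product: the signature database, the byte patterns and the sample "files" are all constructed placeholders. It shows exact byte-string matching catching a known sample, blocking it from running, and then missing a variant that differs in a single byte until an analyst pushes a database update.

```python
"""Toy signature-based scanner (added example; every byte pattern below
is a constructed placeholder, not a real malware signature).

A signature database maps a name to a byte string assumed to occur only
in infected files. Scanning is plain substring search, so a file is
detected only if it contains a pattern the database already holds.
"""

# Constructed signature database: name -> "unique" byte string.
SIGNATURES = {
    "EXAMPLE.A": b"\xeb\x10\x90\x90EXAMPLE-A-PAYLOAD",
    "EXAMPLE.B": b"\xe8\x00\x00\x00\x00EXAMPLE-B-PAYLOAD",
}


def scan(data: bytes, signatures: dict = SIGNATURES) -> list:
    """Return the sorted names of every signature present in `data`."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def may_execute(data: bytes, signatures: dict = SIGNATURES) -> bool:
    """On-access policy: an executable runs only if no signature matches."""
    return not scan(data, signatures)


def add_signature(signatures: dict, name: str, pattern: bytes) -> dict:
    """Return an updated copy of the database (the 'daily update' step)."""
    if len(pattern) < 16:
        # Short patterns are likely to occur in clean files too.
        raise ValueError("pattern too short to be unique; would cause false positives")
    updated = dict(signatures)
    updated[name] = pattern
    return updated


# Constructed sample "files": a clean program, a known infected one, and a
# new variant that is identical except for one byte inside the signature.
CLEAN = b"MZ\x90\x00" + b"\x00" * 28 + b"legitimate program code"
KNOWN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 12 + SIGNATURES["EXAMPLE.A"] + b"\x00" * 8
VARIANT = KNOWN_SAMPLE.replace(b"A-PAYLOAD", b"A-PAYLOAE")


def demo() -> dict:
    """Scan all three samples before and after a database update."""
    before = {
        "clean": scan(CLEAN),
        "known": scan(KNOWN_SAMPLE),
        "variant": scan(VARIANT),  # empty: not in the database yet
    }
    # Analysts extract a signature from the variant and ship an update.
    updated = add_signature(
        SIGNATURES, "EXAMPLE.A.VAR1", b"\xeb\x10\x90\x90EXAMPLE-A-PAYLOAE"
    )
    after = {
        "known": scan(KNOWN_SAMPLE, updated),
        "variant": scan(VARIANT, updated),
    }
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, results in demo().items():
        for sample, hits in results.items():
            print(f"{phase:6} {sample:8} -> {hits or 'no match'}")
```

Real scanners use far faster multi-pattern matching and normalise packed or encrypted files first, but the dependency is the same: the database has to contain the pattern before the scan happens, which is exactly the window a fast-spreading worm exploits.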

But there is a serious failing with signature-based systems that few people in the antivirus community admit. Antivirus scanners do nothing to protect against the most serious virus threat today: new viruses. By definition, a new virus won't be in any existing database of viral signatures. Back when the Melissa and I Love You worms hit, the only way that businesses could protect themselves was to update their antivirus systems. At times this meant updating every day, or even every hour, as new variants of these viruses hit the network.

The Monoculture Problem

Unfortunately, even this won't be good enough in the near future. A paper that was presented at this year's Usenix Security Symposium convincingly showed several strategies for infecting between 1 million and 10 million Internet hosts in 15 minutes or less. The paper is titled "How to Own the Internet in Your Spare Time," by Stuart Staniford at Silicon Defense, Vern Paxson at ICSI Center for Internet Research and Nicholas Weaver at UC Berkeley. The authors' findings are based on results they discovered with an Internet simulator that they created for this purpose. (The full text of the paper can be found at www.cs.berkeley.edu/~nweaver/cdc.web.)

There are several workable infection strategies, it turns out. One is to scan in advance for vulnerable machines that are connected to high-bandwidth networks. Another approach is to divide up the Internet's address space in an intelligent manner so that each copy of the worm has the maximum chance of infecting a virgin machine. Staniford and company call such worms Warhol and Flash. It is impossible to protect against those worms with signature-based antivirus systems: Before a worm could be analyzed and a signature distributed, the damage would already be done.

If someone creates a worm that combines the infection strategy outlined in the Staniford paper with a Chernobyl-style payload, we are looking at a lot more damage than a few days of lost productivity. MSN, HotMail, eBay and tens of thousands of small and midsize businesses would all be shut down, and bringing those companies back up might require getting new hardware, restoring systems from backup tapes (assuming that backups exist) and finally, patching the security flaws. Such repairs could take weeks; many companies would fail.
