In Depth

Antivirus: Great Business, Lost Cause

Signature-based scanning software ultimately can't keep up with the high-speed proliferation of viruses and worms

By Simson Garfinkel

Page 3

Nevertheless, it's important to realize that a Warhol or Flash worm would almost necessarily be selective: such a worm would probably exploit just one or two vulnerabilities known to the authors, vulnerabilities that were not widely known, or at least not widely patched. The biggest bang for the worm author, obviously, is going to come from targeting the single largest platform: Microsoft Windows systems running on Intel-based architectures.

I'm not arguing that Windows is a fundamentally less secure OS than Unix; that's beside the point. All systems have had significant security problems. Even OpenBSD, which boasts just a single remote vulnerability in the past six years, was susceptible to a flaw discovered this fall in the OpenSSL library package. But because of architectural differences, every Unix computer with the OpenSSL library would have had a slightly different exploit. Windows systems, on the other hand, frequently have common exploits. Those computers can rightly be thought of as a monoculture crop, with all the strengths and weaknesses that a monoculture implies.

Much of American agribusiness has adopted monoculture farming in recent years: crops that are genetically identical, have less variation, simplified growing procedures and, as a result, generally increased profits, even though the seeds usually cost more. American business and government, likewise, are standardizing on the Microsoft monoculture to decrease training and deployment costs, even though the software itself costs more. But just as a single virus or fungus can wipe out an entire field of genetically identical organisms, so too can a single computer virus wipe out a network of identically configured Windows servers.

Palladium: Nice Try

Microsoft's Palladium initiative might be an approach to solving the monoculture problem: In theory, if computers are gimmicked so that they will run only cryptographically signed programs, then viruses won't run because they won't be signed. I personally don't believe that computer users will put up with such a system, but even if they did, Palladium will not put an end to viruses unless every signed program is itself bug-free. Otherwise, a clever hacker will always be able to booby-trap the signed code with a data-driven attack. This isn't just theory. There have already been several examples of bugs in digitally signed ActiveX applets that could be used to propagate viruses and other nasty programs.

Other researchers are trying to build an "immune system" to protect modern operating systems against viruses: such a system would monitor a computer's health and attack any program that seems to be acting in a suspicious manner. But just as our own immune system is susceptible to viruses such as AIDS, a monoculture immune system would necessarily have its own Achilles' heel. Hackers would find it and exploit it.
