TMCnet - The World's Largest Communications and Technology Community
[December 10, 2005]

Antivirus Vendors Struggle To Keep Up With Attacks

(TechwebNews.com) At 5:07 p.m. on Dec. 21, 2004, almost a year ago to the day, the Santy worm surfaced in Moscow. It arrived at Kaspersky Lab in an E-mail message and was immediately assessed, categorized, and routed to a virus analyst.

At 5:14 p.m., after dissecting the worm with a software disassembler and various proprietary code-analysis tools, the virus analyst understood enough to generate the binary signature that Kaspersky's antivirus software would use to block the malware.

At 5:18 p.m., the signature was complete. It was submitted to a bank of some 30 computers to be tested on various operating systems and checked against a database of software and security fixes for compatibility, to make sure the cure wasn't as damaging as the disease.

A warning about the new worm appeared on the Kaspersky Web site at 5:33 p.m. At 5:40 p.m., the signature update was issued, and by 5:55 p.m., a more detailed description of how the worm worked had been posted on Kaspersky's viruslist.com site.

A year ago, having gotten all that done in less than an hour was an accomplishment for an antivirus company. Now, even that short time span may be too long. Malware, software created to cause damage or commit crimes, has proliferated in recent months as spam did before it. And the window of time between the appearance of malware and the point at which its impact becomes significant, combined with the overall increase in the amount of damaging code in circulation, has become such a challenge that antivirus companies are having a hard time keeping up.

According to Eugene Kaspersky, head of virus research and co-founder of Kaspersky Lab, few antivirus companies are capable of maintaining a break-neck pace. The result is that customers may get protection only after their systems are infected.

"We had time before to figure out what they were doing," says Patrick Hinojosa, CTO of Panda Software USA. "Now we're up against very fast moving attacks that don't give us time to come up with a vaccine to adequately protect our client base."

"The game has definitely changed over the past few years, even in the past twelve months, about what is an acceptable speed of response to a new virus," says Richard Wang, manager of Sophos Labs U.S.

Kaspersky Virus Lab in Moscow says it receives between 200 and 300 new malware samples a day. U.K.-based Sophos reports that in 2005, the number of new threats rose by "a staggering 48%." Panda Software USA warns that more than 10,000 new bots (automated worms or Trojans that secretly infest PCs and turn them into zombies under a hacker's control) have appeared in 2005.

There's a concurrent trend that complicates matters: This year both the U.S. Computer Emergency Readiness Team and the U.S. Department of Energy Computer Incident Advisory Capability warned about a rise in targeted attacks. So while there's more malware in circulation, much of it affects fewer users because the attacks are targeted at specific groups such as customers or employees of a certain company, a strategy that generally produces better results for malware authors. This poses a particular challenge to the traditional antivirus companies, which have to see a threat to craft a defensive signature to block it.

Mastercard International in June disclosed a security breach that exposed some 40 million credit cards at CardSystems Solutions Inc., a processor of payment card data. According to Hinojosa, criminal hackers used custom code to exploit vulnerable software at the company in order to install a rogue program to help steal data. Targeted attacks of this sort are beyond the scope of what current antivirus software can protect against.

Apocalyptic news of rampant malware and abundant vulnerabilities is to be expected from an industry that profits from insecurity. But in a post of uncommon candor to his company's viruslist.com Web site in November, Eugene Kaspersky observed that the antivirus industry itself is vulnerable. He wrote, "Unfortunately, there are relatively few products available in shops or on the Internet which offer even close to 100% protection. The majority of products are unable even to guarantee 90% protection. And this is the main problem facing the antivirus industry today."

Kaspersky also cited the rising volume of malware, the speed at which it propagates, the increasingly criminal intent of malware authors, the trade-off between malware scan speed and effectiveness, and the general incompatibility of antivirus programs from different vendors, as issues facing the industry.

Further clouding the antivirus industry, the SANS Institute's recent report on the 20 most critical vulnerabilities of 2005 noted that holes in antivirus software itself had become a focus of attack, raising the possibility that the very software meant to protect companies might make them more vulnerable.

What's more, the industry as a whole suffered a black eye recently when security expert Bruce Schneier questioned why antivirus software from companies like McAfee and Symantec offered no protection against the vulnerabilities created by the XCP digital rights management software Sony BMG recently used to protect its music CDs.

Despite these problems, neither Kaspersky nor his company's competitors are willing to concede defeat. "[An] experienced attacker can develop such a malware which will be undetected by most (all) antivirus programs," he writes in an E-mail. "[An] experienced antivirus lab with [the] right knowledge and technologies is able to stand up against the attacks and develop the protection in time."

And that's as it should be: no one will pay a security vendor that doubts its defenses.

Yet there are clearly reasons for antivirus vendors to be insecure. As Kaspersky, Hinojosa, and others in the industry observe, current attack trends demand the development of proactive defenses because there's no longer enough time to muster broadly effective reactive defenses. "There're going to be those AV producers who make the switch from reactive to proactive, and there're going to be those who don't and who are no longer with us in 36 months," says Hinojosa.

The antivirus industry is working frantically to adapt. "Because viruses and Trojans use a greater variety of techniques, and a greater variety of means of delivery now, there's certainly a broadening in the capabilities of antivirus products," says Wang. That includes automated measures such as looking for suspicious behavior from software or users and blocking it and improved heuristic analysis to better recognize malware.

As a result, virus research, which used to be an intellectual contest between security researcher and malware author, has become more automated, more rote. Mainly, that's because most malware authors today focus on releasing code quickly, as soon as an exploit becomes known, rather than trying to craft innovative attacks.

While Shane Coursen, Kaspersky Lab's senior technical consultant in the United States, maintains the work is still engaging, there's a hint of melancholy in the way he characterizes his job. "If you're a virus analyst that has been, say, doing this since the early '90s, it may not be as exciting as it used to be, but there's definitely an art in disassembling viruses," he says.

"We've had to switch to automating analysis and building tools into the software that can analyze an attack and new code before the researchers have a chance to see it," explains Hinojosa. That's necessary, he says, "because we often don't see something in the lab until it's halfway across the planet."

In effect, virus analysts face the task of training the computers that are replacing them. But don't mourn for them prematurely. Instead of making vaccines to inoculate computers after an outbreak, they're increasingly being asked to fortify the network immune system before the contagion spreads.

"A lot of the people including our guys and people like Eugene are now switching that deep knowledge of code into coming up with proactive defenses," explains Hinojosa. "It's still extremely challenging, it's just a matter of applying that knowledge in a slightly different direction. One chapter is closing, but a new one is opening."
