why your antivirus app can’t always save you

June 5, 2012

Contrary to the gripes of many security types, your antivirus software is not useless. Were you to turn it off, many routine infections from contaminated websites, which nowadays are more likely to ask you to give to the poor than to pay for a live nude webcam show, would quickly turn your computer into a gold mine for a lazy identity thief armed with simple viruses. Really advanced and powerful malware using zero day exploits, however, will always elude it because that’s the nature of the arms race between virus writers and antivirus makers. Those with the means and motive attack systems and applications; the companies and researchers who discover a security breach either patch the vulnerability if possible, or add a new algorithm to look for the threat signature in the future, such as self-modifying files or local services suddenly trying to open an internet connection. And a piece of malware that slips by the antivirus and doesn’t get reported can work in silence for years, just like the widely reported cyberweapons Stuxnet and Flame did. To explain how these worms went unnoticed, both Ars Technica and Wired published a self-defensive missive by an antivirus company executive which basically boils down to an admission of defeat when it comes to proactively recognizing sophisticated malware.

Slightly longer version? Some of the most advanced cyberweapons work a lot like typical software and use a lot of the same tools, or use legitimate frameworks and packages included in most legitimate software as a launching pad for deploying hidden code designed to act in the sort of malicious ways antivirus would flag as an attack, but executed in a way that circumvents the channels through which it would scan. So when Flame is installed, the antivirus checks its components, probably saying to itself "all right, we got what looks like a valid certificate, SQL, SSH, some files encrypted using a standard hashing algorithm… yeah, it all checks out, that’s probably a network monitoring tool of some sort." And herein lies the problem. Start blocking all these tools or preventing their installation and you’re going to cripple perfectly valid applications or make them very difficult to install because every bit of them will have to be approved by the user. How does the user know which piece of software or what DLL is legitimate and which one is not? For the antivirus to help there, it would need to read the decompiled code and make judgments about which behaviors are safe to execute on your machine.

But having an antivirus suite decompile and check the code of every application you run for possible threats is not much of a solution because the decisions it makes are only as good as the judgment of the programmers who wrote it, and because a lot of perfectly legitimate applications have potentially exploitable code in them; a rather unfortunate but very real fact of life. Remember when your antivirus asked you if a program you installed just a couple of minutes ago could access the internet or modify a registry key? Just imagine being faced with a dialog asking you to decide whether some potentially exploitable function call in one of your programs should be allowed to run or not, with only the following disassembly snippet to help you make a decision…

00000010 89 45 E4              mov    dword ptr [ebp-1Ch],eax
00000013 83 3D A4 14 9D 03 00  cmp    dword ptr ds:[039D14A4h],0
0000001a 74 05                 je     00000021
0000001c E8 5E 40 3D 76        call   763D407F

Certainly you can see why an antivirus suite that tries to predict malicious behavior, rather than simply watch if something suspicious starts happening on your system, simply wouldn’t be practical. No user, no matter how advanced, wants to view computer-generated flowcharts and disassembly dumps before being able to run a piece of software, and nontechnical users confronted with something like the scary mess above may just turn their computers off and sob quietly as they imagine their machines crawling with viruses, worms, back doors for identity thieves looking for their banking information, and other nightmarish scenarios. Conspiracy theorist after conspiracy theorist would start posting such disassembly dumps to Prison Planet, Rense, and ATS, and portray them as proof that the Illuminati are spying on them through their computers. Unless we want to parse every function call and variable assignment, look into every nook and cranny of every bit of software we’ve ever installed, or write our own operating systems, browsers, and applications, never use the web, and shut off and physically disconnect all our modems, we’ll just have to accept that there will always be malware or spyware, and the best we can do is keep our systems patched and basic defenses running.
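
As an added illustration that is not part of the original post, the sketch below decodes the four instructions from the dump above by hand and works out where the branch and the call go. It handles only those four encodings, and the names `SNIPPET`, `decode` and `summarize` belong to this example alone.

```python
import struct

# The four instructions from the article's dump: (offset, raw bytes).
SNIPPET = [
    (0x10, bytes.fromhex("8945E4")),
    (0x13, bytes.fromhex("833DA4149D0300")),
    (0x1A, bytes.fromhex("7405")),
    (0x1C, bytes.fromhex("E85E403D76")),
]

def decode(offset, raw):
    """Decode one instruction; supports only the four encodings in SNIPPET."""
    end = offset + len(raw)  # relative branches are measured from the next instruction
    op = raw[0]
    if op == 0x89 and raw[1] == 0x45:  # mov [ebp+disp8], eax
        disp = struct.unpack("<b", raw[2:3])[0]
        return {"kind": "store", "text": f"mov [ebp{disp:+#x}], eax"}
    if op == 0x83 and raw[1] == 0x3D:  # cmp dword [disp32], imm8
        addr = struct.unpack("<I", raw[2:6])[0]
        imm = struct.unpack("<b", raw[6:7])[0]
        return {"kind": "test", "addr": addr,
                "text": f"cmp dword [{addr:#010x}], {imm}"}
    if op == 0x74:  # je rel8
        target = end + struct.unpack("<b", raw[1:2])[0]
        return {"kind": "branch", "target": target, "text": f"je {target:#x}"}
    if op == 0xE8:  # call rel32
        target = (end + struct.unpack("<i", raw[1:5])[0]) & 0xFFFFFFFF
        return {"kind": "call", "target": target, "text": f"call {target:#x}"}
    raise ValueError(f"unsupported opcode {op:#04x}")

def summarize(snippet=SNIPPET):
    """Return the decoded listing plus the facts a reviewer can actually extract."""
    insns = [decode(off, raw) for off, raw in snippet]
    call = next(i for i in insns if i["kind"] == "call")
    branch = next(i for i in insns if i["kind"] == "branch")
    test = next(i for i in insns if i["kind"] == "test")
    span_end = snippet[-1][0] + len(snippet[-1][1])
    return {
        "listing": [i["text"] for i in insns],
        "flag_address": test["addr"],
        "call_target": call["target"],
        "call_skipped_when_flag_zero": branch["target"] == span_end,
        "call_target_inside_snippet": snippet[0][0] <= call["target"] < span_end,
    }

if __name__ == "__main__":
    for key, value in summarize().items():
        print(key, value)
```

Even fully decoded, the snippet says only "save eax to a local, and if a global flag is non-zero, call a function that lives outside the dump", which is not enough on its own to judge whether the call is benign.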

  • Brett

    I wonder if a trend towards “network” PCs (like the Google Chrome Laptop) and central server “cloud services” would make it possible for that type of anti-virus software, though, particularly with increasingly useful artificial intelligence. They could probably afford the infrastructure for it, at least.

  • Mehrdad

    The solution is so simple… using Linux instead of Windows.
    Around a year ago I said goodbye to Microsoft and viruses and I’m happy that there is NO virus or badware here.

  • Greg Fish

    Fun fact Mehrdad, Mac and Linux are just as susceptible to viruses as Windows as shown again and again at many security conferences. It’s just that nobody bothers to write viruses for them. Security by obscurity is not a great long term security strategy.

    I wonder if a trend towards “network” PCs and “cloud services” would make it possible for that type of anti-virus software…

    Oh it’s already possible to make this sort of antivirus suite but my point is that no one will want to use it because it would be too in depth and too difficult to configure for any complex legitimate apps you’ll need to run.

  • Paul451

    I used to run Win XP, updates turned off, no anti-virus (Okay, I had Clam AV, but you might as well have nothing**). And when I switched over to Win7, I ran every virus scanner I could find, free trial software from all the majors. Nothing. No viruses, no spyware, no adware. Not one damn alert. Not even a false-alarm.

    I surf porn sites. I download software. So what am I doing wrong?

    I heard the scare stories about unprotected PCs, especially WinXP boxes back then, infected within so many seconds of connecting to the Internet. Why didn’t the viruses like me?

    (** I did occasionally run a free-subscription version from a major a/v company, I wasn’t completely reckless. But I never left anything running, just scan and uninstall.)