Mikko Hypponen of F-Secure, an antivirus company, has a revealing post on the limits of antivirus software. He notes that Flame, Stuxnet, and Duqu were all reported to antivirus firms months or years before they were flagged as malware. He blames the failure of his company and other antivirus firms on the sophistication of Western intelligence agencies:
"As far as we can tell, before releasing their malicious codes to attack victims, the attackers tested them against all of the relevant antivirus products on the market to make sure that the malware wouldn’t be detected. They have unlimited time to perfect their attacks. It’s not a fair war between the attackers and the defenders when the attackers have access to our weapons.
We really should have been able to do better. But we didn’t. We were out of our league, in our own game."
I think he's kidding himself. And we're kidding ourselves if we think that only sophisticated Western intelligence agencies can beat antivirus software.
Criminals, too, have been testing new malware for years before launching it. Quite successfully too. They just test, tweak, and retest even aging malware until it evades antivirus programs. As a result, the whole business model for antivirus software is in slow-motion collapse, or should be.
Could the problem be solved? Maybe.
We know that the earliest users of updated AV software are likely to be either sophisticated defenders or sophisticated attackers. If we can identify those early users reliably, then we have a relatively small pool that includes the bad guys. Which should give us a head start on catching them. To do that, though, AV companies would probably have to control their new releases more carefully, moving from the current radically decentralized "install and update everywhere" model to one in which the AV company keeps its updated versions on secure servers and insists that users authenticate themselves before running code past the AV screen.
Is that workable? I defer to those with more expertise, and invite comment, but I doubt it can be a bigger failure than the current model.
Photo credit: Clue Online