Stuxnet, Aurora: Why AVs Fail and Why We Need Them

Tuesday, October 05, 2010

Pascal Longpre


Operation Aurora, which attacked Google and other Fortune 1000 companies last year, and the more recent Stuxnet worm targeting SCADA systems (nuclear and energy power plants) are here to remind us of the failure of traditional antivirus software to protect corporate systems against targeted, high-level attacks.

In the case of Stuxnet, tens of thousands of computers had been infected before antivirus company VirusBlokAda identified it and made it public last June.

Numerous articles have been written describing the new methods and the numerous zero-day exploits Stuxnet uses to propagate and bypass traditional security systems.

Very few articles have been written explaining why AV companies failed to detect it. This is true of Stuxnet, but the same applies to Operation Aurora or to the many variants of the Zeus bot, TDSS, TDL3 and numerous others.

Why do AVs fail?

AVs fail simply because they are signature-based. Everybody agrees on that. AV companies need to have a sample of the malware to analyze it, create an identification signature and have it distributed across their customer base. This process requires time and highly skilled manpower.

The number of new virus samples now averages 300,000 each day and that makes it practically impossible for AV companies to process them all.

Virus writers are aware of this weakness and they prepare new versions of their malware in advance and release them as soon as AV companies have created a signature detecting the previous version.
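A toy version of the signature model described above, added here as an illustration and not code from the post. Every "file" is a constructed byte string and nothing in it is real malware. It shows the two sides of the argument: an exact-hash signature is as good as certain when it matches but is defeated by a single changed byte, a wildcard byte pattern (in the style of YARA or AV rules) survives a minor edit, and a rewritten variant is missed by both until a lab analyzes the new sample and ships a new signature.

```python
"""Toy signature scanner: exact-hash signatures next to wildcard byte patterns.
Added illustration, not code from the post; every "file" below is a constructed
byte string and nothing here is real malware."""
import hashlib
import re

# Constructed sample that an AV lab has already analyzed.
KNOWN_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
                + b"dropper-v1 payload: beacon to c2.example.invalid")

# Two ways the lab might express the result of that analysis.
# (a) Exact SHA-256: a match is as good as certain, but any change defeats it.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Dropper.A (hash)"}
# (b) A byte pattern with a wildcard, in the style of YARA/AV rules:
#     "dropper-v? payload", where ?? matches any single byte.
PATTERN_SIGNATURES = {
    "Dropper.A (pattern)": "64 72 6f 70 70 65 72 2d 76 ?? 20 70 61 79 6c 6f 61 64",
}


def compile_pattern(hex_pattern):
    """Turn "41 ?? 43" into a compiled bytes regex; ?? becomes a one-byte wildcard."""
    parts = hex_pattern.split()
    regex = b"".join(b"." if p == "??" else re.escape(bytes([int(p, 16)]))
                     for p in parts)
    return re.compile(regex, re.DOTALL)


def scan(data):
    """Return the names of every signature that matches data (empty list = clean)."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for name, pattern in PATTERN_SIGNATURES.items():
        if compile_pattern(pattern).search(data):
            hits.append(name)
    return hits


# Constructed inputs standing in for what arrives after the signature ships.
VARIANT_V2 = KNOWN_SAMPLE.replace(b"dropper-v1", b"dropper-v2")  # one byte changed
REWRITTEN = KNOWN_SAMPLE.replace(b"dropper-v1 payload", b"dr0pper-v3 pay1oad")  # string rewritten
BENIGN = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"hello, world"


def demo():
    """Scan each constructed input and report which signatures fire."""
    return {
        "known sample": scan(KNOWN_SAMPLE),
        "one-byte variant": scan(VARIANT_V2),
        "rewritten variant": scan(REWRITTEN),
        "benign file": scan(BENIGN),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:18s} -> {hits or ['clean']}")
```

The benign file shows the low false-positive side of the model: neither signature fires on it. The rewritten variant shows the lag the post describes: until a sample reaches a lab, no signature of either kind exists for it.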

Another weakness of AVs is their predictability. Most of them can be downloaded from the Internet for free for 30 days and cost less than $40 a year to purchase. They can be analyzed, tested and reverse engineered at will, at no cost to the attacker.

In most cases, it is trivial to disable their signature update system or to simply uninstall them from the infected host.

This fight is unfair and the advantage goes to the malware authors. Unfortunately, there is not much AV companies can do about it.

Nevertheless, this business model continues to thrive. McAfee and Symantec are worth billions of dollars and businesses and individuals still continue to rely on them for their protection.

So Why Do We Still Need Them?

Signature-based detection is great because its false positive rate is very low. If the AV tells you that virus ABC is on your system, you can trust it (with rare exceptions) and, as a bonus, since the virus has been previously analyzed, the AV can usually safely remove it from the infected system.

For new viruses, this model works for the same reason flu shots work: because we accept the fact that some individuals will be sacrificed for the good of the community.

When a new computer virus is released, thousands of systems will be infected before the AV vendors have time to analyze it and create a working signature. But once this is done, hundreds of millions of systems are immunized and will be effectively protected from infection.

In the end, it all boils down to probabilities and luck.

This is acceptable for most individuals or corporations that have little or nothing to lose to malware. Is this enough for high value targets like governments, military, critical infrastructure management, high stakes R&D companies, banks and numerous others? Of course not!

Is it normal that we rely on publicly available $5 software (the average price of an AV for large accounts) to secure a $2000 system holding hundreds of thousands of dollars' worth of data?

I think the question is the answer.

Cross posted from Silicium Security

Jamie Adams: Excellent information. Thank you for posting. The shortcomings of traditional, signature-based AV are one of the reasons my company was part of the R&D of anomalous-based intrusion detection systems--and now the commercialization of it. (http://www.trustedcs.com/CounterStorm/)

But it has its shortcomings, too, when it comes to deployment scenarios and those viruses. What are your thoughts on anomalous-based detection systems?
Anthonie Ruighaver: It is a long time since I looked at AV research, but my understanding is that the AV industry stayed with the signature-based approach as that approach generates a steady income stream. There were a number of very interesting research papers over ten years ago on more generic approaches that worked just as well as (if not better than) a signature-based approach.
Pascal Longpre: Thanks for sharing Anup, very interesting article.
I also suggest you take a look at the approach we use in our software, ECAT (http://www.siliciumsecurity.com). Although this is not as "pure" as performing an out-of-band integrity check, we are able to detect Stuxnet-type attacks by performing integrity checks with low-level kernel access. This has the advantage of combining live memory analysis and physical low-level disk access in order to find discrepancies between a program's image in memory and its original version on disk, among others. Using the same technique, we can also detect floating code like the injected libraries of Stuxnet or Meterpreter.

Stuxnet generates lots of buzz, and let's hope this serves as a wake-up call for many, but we must also be as concerned by less technically advanced threats that can also be very damaging, as described in http://bit.ly/8XwWiS.
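The memory-versus-disk comparison the comment above describes, as an added example that is not the ECAT product's code. Constructed byte strings stand in for a program's code section as stored on disk and as mapped in a running process, and a constructed region list stands in for what a memory walker reports. The script reports every run of bytes where the two images differ (a five-byte near jump written over a function prologue is the shape of an inline hook) and lists executable regions with no file behind them, which is where injected "floating" code lives. A real tool has to relocate the disk copy to the actual load address and exclude import-table slots before comparing, otherwise every legitimate absolute address shows up as a false positive; that step is assumed done here.

```python
"""Memory-vs-disk integrity check (added example, not the ECAT product's code).

Two checks on constructed inputs:
  1. compare a code section as stored on disk with the copy mapped in process
     memory and report every run of differing bytes;
  2. flag executable memory regions that are not backed by any file on disk
     ("floating" code such as a reflectively injected DLL).
Assumption: the on-disk copy has already been relocated to the load address
and import-table slots removed, so any remaining difference is a modification.
"""

# Constructed on-disk .text section: three small x86 functions
# (push ebp; mov ebp,esp; sub esp,0x10; ten nops; ret). Not from any real binary.
FUNC = b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 10 + b"\xc3"
DISK_TEXT = FUNC * 3

# Constructed in-memory copy of the same section with two tamperings:
# a 5-byte near jump over the first function's prologue, and a single 0xCC
# (int3) byte over the third function's first instruction.
MEM_TEXT = bytearray(DISK_TEXT)
MEM_TEXT[0:5] = b"\xe9\x2c\x00\x00\x00"
MEM_TEXT[2 * len(FUNC)] = 0xCC
MEM_TEXT = bytes(MEM_TEXT)

# Constructed region map, as a memory walker would report it:
# (base, size, executable?, backing file or None).
REGIONS = [
    (0x00400000, 0x1000, False, r"C:\app\app.exe"),
    (0x00401000, 0x4000, True, r"C:\app\app.exe"),
    (0x10000000, 0x2000, True, r"C:\Windows\System32\kernel32.dll"),
    (0x02A00000, 0x3000, True, None),   # executable, nothing on disk behind it
    (0x02B00000, 0x1000, False, None),  # plain heap, not executable
]


def find_divergent_ranges(disk_bytes, mem_bytes):
    """Return (offset, length, disk_slice, mem_slice) for each run of bytes
    where the in-memory image differs from the on-disk image."""
    if len(disk_bytes) != len(mem_bytes):
        raise ValueError("sections differ in size; compare the same mapped size")
    ranges, start = [], None
    for i, (d, m) in enumerate(zip(disk_bytes, mem_bytes)):
        if d != m and start is None:
            start = i
        elif d == m and start is not None:
            ranges.append((start, i - start, disk_bytes[start:i], mem_bytes[start:i]))
            start = None
    if start is not None:
        ranges.append((start, len(disk_bytes) - start,
                       disk_bytes[start:], mem_bytes[start:]))
    return ranges


def check_integrity(disk_bytes, mem_bytes):
    """Describe each divergence. A run of at least 5 bytes beginning with 0xE9
    (jmp rel32) has the shape of an inline hook; anything else is reported as
    a generic patch for an analyst to look at."""
    findings = []
    for offset, length, disk_slice, mem_slice in find_divergent_ranges(disk_bytes, mem_bytes):
        kind = "inline-jump" if length >= 5 and mem_slice[0] == 0xE9 else "patched-bytes"
        findings.append({"offset": offset, "length": length, "kind": kind,
                         "disk": disk_slice.hex(), "memory": mem_slice.hex()})
    return findings


def find_unbacked_executable_regions(regions):
    """Executable regions with no file behind them are where injected or
    reflectively loaded code lives; return their (base, size) pairs."""
    return [(base, size) for base, size, executable, backing in regions
            if executable and backing is None]


if __name__ == "__main__":
    for finding in check_integrity(DISK_TEXT, MEM_TEXT):
        print(finding)
    for base, size in find_unbacked_executable_regions(REGIONS):
        print(f"floating executable region at {base:#010x} ({size:#x} bytes)")
```

On a clean process both functions return empty lists, which is the property that makes this kind of check useful as a triage signal: a finding is a concrete byte range or region an analyst can inspect rather than a statistical score.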
Anthonie Ruighaver: Thanks Anup. That's an excellent reference that I had not seen before. Current software-only security solutions are simply not able to cope with the escalating security problem.
Shalom Cohen: For critical networks and highly secured networks a white-list is probably practical. But most organizations are based on non-strict security policies, which makes white-listing impossible.
Pascal Longpre: Jamie, I think we both agree that signature-based AV is not enough. Our company develops a host-based detection system using live memory analysis and forensics. I deeply believe in our approach since it gives security personnel the complete picture of what is happening in memory within the systems.
I don't know enough about anomalous-based intrusion detection systems to comment at this stage. I did some work in that field a few years ago and found it useful to detect obvious exfiltration channels with statistical analysis of in/out bytes, for example. The main drawback I found (as with many network IDS) was being unable to dig deeper into the potentially infected systems to get rid of false positives. Like I said, this was a while ago. I guess a lot of progress has been made on that front since.
Can you share information about how the solution you work on would have detected Stuxnet before it was made public, for example?