

May 02, 2005

Oh those spelling errors

Last week F-Secure reported on a nasty web site - gookle.com - that exploits a typing error to infest unsuspecting visitors with at least a dozen pieces of malware.

I would recommend you don't go anywhere near gookle.com, but of course, I didn't take my own advice and had to visit the site to see how well Sana's latest Active Malware Defense Technology (MDT) would work. I was extremely excited to see that it detected and stopped everything! By contrast, when I used several other popular commercial offerings of AV and anti-spyware software, with fully up-to-date signatures (at the time of testing), the best any of those signature-based systems could do was detect half of the malware.

In general, the purpose of this blog is certainly not to push my company's products, since this blog is totally independent from Sana, and intended to be a way of getting my random thoughts and comments out. However, this time around I felt this deserved a mention, because it illustrates something very important about the changing nature of malware and the security arms race.

Sana's Active MDT uses heuristics that look at what a running program actually does to decide whether it is malicious. It therefore uses no signatures and needs to know nothing in particular about a given piece of malware, as long as that malware does nasty things. Hence it was straightforward to detect all of the malware at gookle with Active MDT. Signatures, by contrast, are not good at catching new varieties of malware, a fact clearly illustrated by the low detection rates of traditional technologies on the gookle malware.

And these limitations in signature-based defenses are only going to become more extreme. In a previous posting I talked about how mutating and changing malware was avoiding signature-based defenses. The gookle attack is a good example of how new malware can avoid signatures. If attackers are going to go to the trouble of putting up such a website, there is no reason why they wouldn't use a tool such as Morphine to ensure that none of the malware on their site is detectable by signatures. Clearly they didn't do that for all the malware on gookle, but I suspect that in future attackers like them will.
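To make the signature-versus-behaviour argument concrete, here is a small Python model of the two approaches. It is an added illustration, not code from Sana, F-Secure or the author of this post, and it does not reproduce any real product: the signature bytes, the runtime event strings, the rule weights, the threshold and the sample names are all constructed for the example. The XOR "packer" stands in for a tool such as Morphine only in one respect that matters here: it changes the bytes on disk without changing what the program does when it runs.

```python
"""Signature matching vs. behaviour heuristics on constructed samples.

Added example; every signature, event string, weight and file image below is
made up for illustration and describes no real malware family or product.
"""
from dataclasses import dataclass


@dataclass
class Sample:
    name: str
    body: bytes        # file image on disk: what a signature scanner sees
    events: list[str]  # runtime actions ("verb:target"): what a behaviour monitor sees


# --- Signature engine -------------------------------------------------------
# Constructed signature database: one fixed byte pattern per known sample.
SIGNATURES = {
    "Dropper.A": b"CreateRemoteThread\x00RegSetValueEx",
}


def signature_scan(body: bytes) -> list[str]:
    """Names of every signature whose byte pattern occurs in the file image."""
    return [name for name, pattern in SIGNATURES.items() if pattern in body]


def pack(body: bytes, key: int = 0x5A) -> bytes:
    """Toy stand-in for a packer such as Morphine: XOR the image with a key.

    A real packer prepends a stub that undoes the transformation at load time,
    so the program behaves exactly as before; only the bytes on disk change.
    Applying pack() twice with the same key restores the original.
    """
    return bytes(b ^ key for b in body)


# --- Behaviour engine -------------------------------------------------------
# (rule name, weight, predicate over one runtime event). The weights and the
# threshold are arbitrary choices for this example.
RULES = [
    ("autorun persistence", 3,
     lambda e: e.startswith("registry_write:") and "\\CurrentVersion\\Run\\" in e),
    ("code injection into another process", 4,
     lambda e: e.startswith("process_inject:")),
    ("kills another process", 4,
     lambda e: e.startswith("process_kill:")),
    ("drops a file into the system directory", 2,
     lambda e: e.startswith("file_write:%SYSTEM%\\")),
    ("outbound network connection", 1,
     lambda e: e.startswith("network_connect:")),
]
THRESHOLD = 5


def behaviour_score(events: list[str]) -> tuple[int, list[str]]:
    """Total weight of the rules that matched, plus the names of those rules."""
    score, fired = 0, []
    for event in events:
        for name, weight, matches in RULES:
            if matches(event):
                score += weight
                fired.append(name)
    return score, fired


def behaviour_verdict(events: list[str]) -> bool:
    """True when the observed behaviour reaches the threshold."""
    return behaviour_score(events)[0] >= THRESHOLD


# --- Constructed samples ----------------------------------------------------
DROPPER_BODY = b"MZ\x90\x00" + b"\x00" * 8 + b"CreateRemoteThread\x00RegSetValueEx\x00"
DROPPER_EVENTS = [
    "file_write:%SYSTEM%\\svchosts.exe",
    "registry_write:HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchosts",
    "process_inject:explorer.exe",
    "network_connect:198.51.100.7:8080",
]
# A benign installer also registers an autorun entry and phones home, which is
# why the rules are weighted instead of any single action being damning.
INSTALLER_BODY = b"MZ\x90\x00" + b"\x00" * 8 + b"SetupInstallFromInfSection\x00"
INSTALLER_EVENTS = [
    "file_write:%PROGRAMFILES%\\Example\\example.exe",
    "registry_write:HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Example",
    "network_connect:203.0.113.10:443",
]

SAMPLES = [
    Sample("known dropper", DROPPER_BODY, DROPPER_EVENTS),
    Sample("packed dropper", pack(DROPPER_BODY), DROPPER_EVENTS),  # same behaviour, new bytes
    Sample("benign installer", INSTALLER_BODY, INSTALLER_EVENTS),
]


def compare(samples: list[Sample]) -> dict[str, tuple[list[str], bool]]:
    """Run both engines over each sample: name -> (signature hits, behaviour flagged)."""
    return {s.name: (signature_scan(s.body), behaviour_verdict(s.events)) for s in samples}


if __name__ == "__main__":
    for sample in SAMPLES:
        sigs = ", ".join(signature_scan(sample.body)) or "none"
        score, fired = behaviour_score(sample.events)
        verdict = "FLAGGED" if score >= THRESHOLD else "clean"
        print(f"{sample.name:18} signature: {sigs:<10} behaviour: {verdict} "
              f"(score {score}: {', '.join(fired)})")
```

The packed copy of the dropper is the case the post is about: the signature engine has nothing to match once the bytes change, while the behaviour engine sees the same four actions and flags it just as it flagged the original. The benign installer shows the cost of the heuristic approach: it writes an autorun key and makes a network connection too, so the weights and threshold have to be tuned to keep it below the line, and in a real product that tuning, not the absence of signatures, is where the false-positive rate comes from.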

Another point about the gookle site: we became aware of it when it was discovered by F-Secure, but gookle.com was first registered on the 30th December, 2000. So the site could have been up for a long time before it was discovered by F-Secure, and could have been infecting people all that time, and their signature-based AV defenses would have been largely useless. Signature-based technologies are playing catch-up, but I'm afraid they're falling further and further behind in the race. It's time for a change.

Posted by sana on May 2, 2005 01:50 PM
