W32/Flamer detection failure: The real lesson
Does the fact that Flame(r) stayed below the radar for so long – exactly how long is not altogether clear – really prove that signature detection is dead? In reality, it proves the opposite, though in a very limited sense. Once samples of the malware were available, adding detection to anti-virus products wasn't really a big deal. In fact, mainstream products added detection quite quickly.
The May StratBlog post cited in an SCMagazineUK.com article doesn't press the “AV is dead” button you might have expected. It simply observes, quite correctly, that “Detection-wise, simplistic signature-based detection is obsolete these days,” and goes on to note the importance of emulation in the detection of hidden malicious code, as well as proposing some reasons as to why Flame might have stayed hidden for so long. In other words, signature detection, as most people understand it, is of limited use at best, but it ceased to be AV's primary weapon many years ago.
What it does prove, unfortunately, is that if anyone still thinks that anti-virus could ever detect all unknown malware, they are in urgent need of a reality check. If there is a 100 percent solution (and I don't think there is), AV isn't it, though it does have a place as part of a defensive strategy. In particular, it's been proved time and time again that targeted malware is particularly difficult to detect proactively (i.e., using heuristics, sandboxing, and so on).
Certainly this is the case when copious – maybe government-subsidized – resources are poured into developing a targeted attack. This is a different ballgame to the workmanlike development model used by common or garden crimeware, where ROI is a major factor and just enough effort is expended to make a binary difficult to detect for a while.
In a blog post, Kurt Wismer suggests that AV could evolve in ways better suited to the safety of its customers, but that it won't, because it would mean the end of its present business model. I don't think it's about industry manipulation of the customer's expectations, though. Rather, it's about the safe option of giving the customer a partially effective version of what they want: 100 percent detection and no false positives or inconvenient generic controls.
The integrity checker model didn't die because the AV industry killed it, but because customers didn't want to have to make decisions on detection themselves. In fact, it isn't really dead: apart from the variations on the theme that are commonly promoted as the 100 percent solution that will replace AV (if only!), it has actually morphed into whitelisting and allied technologies that are – to some extent – incorporated into today's mainstream AV.
“...if anyone still thinks that anti-virus could ever detect all unknown malware, they are in urgent need of a reality check...”
– David Harley, ESET senior research fellow
Is it the industry's job to persuade people to look after themselves better, rather than rely entirely on automated software? I don't know, but as someone whose role is at least as much educational as technical, I do think it's (at least part of) my job, and it seems to me that quite a few vendor-aligned bloggers and evangelists have a similar orientation. But a great deal of AV marketing continues to take the “buy our product and we'll take care of everything” line, because that's what people want to believe.
Making the customer think about their own share of responsibility for enlightened/more knowledgeable self-protection might work better in the real world than the present product-dependency model. But if AV – or security in general – is to evolve along those lines, the initial impetus to change will have to come from the customer. Most companies are focused on giving customers what they want, not what they should want.