Viruses have won, antivirus is no longer much protection

When look at customers’ computers and find malware, I am constantly asked “Why is there malware when I have antivirus on the computer?”

It is used to be because the user’s antivirus had expired or wasn’t updated. In the last couple of years, however, I have found dozens of infected machines with up to date antivirus.

The truth is, the nature of malware has changed. They used to be in the form of executable files, which had signatures that antivirus could pick up. Now, in the typical mode of infection, malware usually runs scripts on websites that find vulnerabilities in legitimate programmes, causing those programmes to be weakened or malfunction. Java is one of those programmes, and is a legitimate programme, so antivirus is happy with it. However, Java is a programme that has full system access on a pc, although in theory this is restricted. The exploits remove this restriction. This allows network connections to be opened internally to contact malicious sites, which bypasses most firewalls, because “outbound” connections are allowed. The exploits can also modify Windows (and Macs) settings, further weakening, just like the wooden horse of Troy, when the soldiers smuggled inside opened the gates of the city. This can also disable antivirus or prevent antivirus from loading on start up. Because this is done via a legitimate programme, the antivirus is none the wiser. Opening network connections to malicious sites also allows the malware to update itself, similar to Windows Update.

By turning off antivirus and auto-updating, less subtle malware can be downloaded which can have free reign. All that is needed is a single vulnerability. Many of these vulnerabilities are discovered long before patches are released to fix them.

My conclusion is that antivirus is not an effective protection against malware. The most effective protection is users being educated in safe behaviour. The status quo is like a flock of lambs wandering into a wilderness occupied by starving wolves.


Chrome Safest Browser?

In a recent annual hacking competition,held on March 24th 2010, a total prize fund of $100,000 was awarded to hackers (sorry..cough…security experts) who successfully break into various types of software. The big four web browsers were among these targets. These browsers are fully up to date with all security patches, so the hackers have to discover unknown vulnerabilities (they have all year to prepare!) and they just hope that the vulnerabilities aren’t discovered and fixed days before the event!

Anyway, the first browser to fall (in a few seconds to Charlie Miller) was Safari on the Mac OS X. So much for the Mac being secure! A case of security through obscurity…

Another guy “Nils” successfully cracked Firefox, I.E and Safari.This was on Windows 7 on the first day. On the second two days, the task of cracking IE7 on Vista and XP was trivial as the 64 bit version of Windows 7 is microsoft’s most secure desktop product, combining kernel patch protection with User Account Control UAC

After three days, no-one had hacked Google Chrome. This was stated to be because of the “sandbox” feature of Chrome that helps to isolate it from the operating system.

There were also prizes offered for cracking mobile phone software. The iPhone fell during the first session.

Further reading from the pwn2own organizers