VICUG-L Archives

Visually Impaired Computer Users' Group List

VICUG-L@LISTSERV.ICORS.ORG

Subject:
From: "Senk, Mark J." <[log in to unmask]>
Reply To: Senk, Mark J.
Date: Fri, 5 Sep 2003 14:55:20 -0400
Content-Type: text/plain

From NewScientist.com

Computer antivirus strategies in crisis

19:00 03 September 03

Special Report from New Scientist Print Edition.

The speed with which US law enforcers last week tracked down Jeffrey Lee
Parson, one of the alleged culprits behind the destructive computer virus
MSBlaster, was heralded as a great victory in the battle against computer
crime. But an investigation into antivirus software shows that there is no
cause for celebration. Antivirus specialists are fighting a losing battle
against malicious code like viruses and worms, it concludes.

The research, undertaken at Hewlett-Packard's labs in Bristol, UK, is the
first to evaluate the effectiveness of antiviral software. It shows that the
way we fight viruses is fundamentally flawed, because viruses spread faster
than antivirus patches can be distributed. By the time the antivirus
software catches up, the damage has already been done, says Hewlett-Packard
researcher Matthew Williamson.

Most antivirus software works by identifying unique characteristics or
patterns in the computer code that makes up a virus. Once identified, this
"signature" is distributed to everyone who has bought antivirus software,
allowing the software to block or eradicate the malicious code. But this
strategy means you have to know what the virus looks like before you can do
anything about it, Williamson points out.

Williamson's research, due to be presented at a conference in Toronto later
in September, is the first time anyone has analysed how effective this
antivirus software is. One way of doing this would be to compare how a
company network protected by antivirus software fares, compared with an
unprotected network.

But there is an obvious problem with this approach. "Few companies would be
willing to turn off their antivirus software to be part of a control group,"
Williamson observes.

Biological spread

Instead, he designed a computer model to mimic the way in which viruses
spread, based on a model that tracks the spread of biological viruses. He
then introduced parameters to represent the way the antivirus software
responds to this spread.

He found that even if a signature is available from the moment a virus is
released, it cannot stop the virus spreading if it propagates fast enough.
"These fast viruses are what we are getting at the moment," Williamson says,
adding that they are getting better at being quicker.

What emerged clearly from Williamson's model is that code to combat these
viruses cannot be distributed fast enough. Antivirus software checks for
updates no more than once an hour, and this is too slow.

The problem is that too many checks may be perceived as an attack. When the
Slammer worm struck in January 2003, 78,000 machines were infected in half
an hour. "That's before anyone's pager went off," Williamson says.

Ultimately, the antiviral software gains the upper hand and the virus stops
spreading. "It will run out of machines that it can infect," says
Williamson. But by this stage the damage has already been done.

Suspect code

An additional problem with using a signature-based approach is that it clogs
up the system. Every email has to be scanned for every virus that has ever
existed, and with tens of thousands of viruses this has become more and more
cumbersome and less sustainable. Signatures cannot be thrown away, in case
that particular virus returns from a non-inoculated source, so the list just
keeps getting longer.

Signature-based approaches should not be abandoned, says Williamson, as they
are useful for cleaning up infected computers. But to stop the spread of a
fast-propagating virus, the antiviral mechanisms have to step in before
signatures become available.

McAfee Avert in Amsterdam, the Netherlands, is developing a strategy
designed to do this. It uses "heuristics" - essentially a set of loose rules
and probabilities - to spot suspect code, and this approach does a good job
of catching new viruses. But there is a catch: it also tends to sound the
alarm over code that turns out to be harmless.

"Customers don't want any false positives," says Marius van Oers, an
antivirus research engineer at McAfee Avert. "It can cause panic."

As software becomes ever more complex the number of weak points for viruses
to exploit inevitably increases, says Myles Jordan, an analyst with Computer
Associates, an antivirus company based in Australia.

And virus writers do not have to be particularly adept programmers. It
appears that Parson was caught because he made the mistake of renaming the
virus file after his internet pseudonym. The next culprit may not give
himself away so easily.

Duncan Graham-Rowe

Posted by Mark Senk | 412-386-6513 | [log in to unmask]
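
The article describes Williamson's approach in words only: a biological-epidemic model of worm spread with parameters for when a signature appears and how often hosts poll for it. The block below is an added example written for this archive page, not code from the article, from New Scientist or from the Hewlett-Packard paper it reports on. It is a toy SIR-style model: hosts are susceptible, infected, or protected (they have fetched the signature, which immunises a clean host and cleans an infected one). The signature becomes available after a chosen delay, and each host polls once per check interval, so fetch times are spread uniformly over the interval that follows. The worm doubling times (1 minute for the "fast" worm, 60 minutes for the "slow" one), the 1-in-10,000 initial seeding, the 48-hour horizon and the uniform-polling assumption are my own choices for illustration, not figures taken from the article.

```python
import math


def infection_rate(doubling_minutes):
    """Contact rate beta (per hour) for a worm whose infected population
    doubles every `doubling_minutes` while nearly every host is still
    susceptible (di/dt = beta*s*i with s ~ 1 gives exponential growth)."""
    return math.log(2) / (doubling_minutes / 60.0)


def simulate(doubling_minutes, signature_delay_h, check_interval_h,
             horizon_h=48.0, dt=0.001, initial_infected=1e-4):
    """Deterministic epidemic model of one worm versus signature distribution.

    Population fractions:
      s - susceptible, has no signature yet
      i - infected, has no signature yet
      r - protected: fetched the signature (immune, and cleaned if infected)

    The signature exists from t = signature_delay_h. Hosts poll once per
    check_interval_h, so the hosts still without it fetch it at hazard
    1 / (time left in the polling window); this makes fetch times uniform
    over [signature_delay_h, signature_delay_h + check_interval_h].
    All parameter values are assumptions for the example (see the lead-in).
    """
    beta = infection_rate(doubling_minutes)
    s, i, r = 1.0 - initial_infected, initial_infected, 0.0
    ever_infected = initial_infected
    peak_infected = i
    for step in range(int(horizon_h / dt)):
        t = step * dt
        # Worm propagation: mass-action contact between infected and susceptible.
        new_infections = beta * s * i * dt
        s -= new_infections
        i += new_infections
        ever_infected += new_infections
        # Signature distribution, applied to whoever is still unprotected.
        if t >= signature_delay_h:
            window_left = signature_delay_h + check_interval_h - t
            fetch = 1.0 if window_left <= dt else dt / window_left
            patched, cleaned = fetch * s, fetch * i
            s -= patched
            i -= cleaned
            r += patched + cleaned
        peak_infected = max(peak_infected, i)
    return {"peak_infected": peak_infected,
            "ever_infected": ever_infected,
            "protected": r}


def compare_scenarios():
    """The three cases discussed in the article's terms: a fast worm with a
    signature available from the start and hourly polling, a slow worm under
    the same defence, and the fast worm with much more frequent polling."""
    return {
        "fast worm, signature at t=0, hourly checks":
            simulate(doubling_minutes=1, signature_delay_h=0.0, check_interval_h=1.0),
        "slow worm, signature at t=0, hourly checks":
            simulate(doubling_minutes=60, signature_delay_h=0.0, check_interval_h=1.0),
        "fast worm, signature at t=0, checks every 6 min":
            simulate(doubling_minutes=1, signature_delay_h=0.0, check_interval_h=0.1),
    }


if __name__ == "__main__":
    for name, result in compare_scenarios().items():
        print(f"{name}: peak infected {result['peak_infected']:.3f}, "
              f"ever infected {result['ever_infected']:.4f}")
```

In this toy model the fast worm infects roughly three quarters of the hosts even though the signature is available the moment the worm is released and every host polls hourly, because most hosts are infected before their next poll; the slow worm under the same defence never gets beyond a fraction of a percent, and shortening the polling interval to six minutes contains the fast worm as well. That is the shape of the argument the article attributes to Williamson, reproduced under assumed parameters; the model ignores network topology, scanning rate limits and the load that frequent polling puts on update servers, which the article notes "may be perceived as an attack".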


VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask]  In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
 VICUG-L is archived on the World Wide Web at
http://maelstrom.stjohns.edu/archives/vicug-l.html