Antivirus Software: How far we’ve come
There are a few interesting articles which talk about antivirus applications getting weaker over time, which I believe is true and will continue to be true. Modern day virus writers have many more techniques up their sleeves than they used to.
I find it quite interesting to see the techniques used to get around things such as firewalls, antivirus programs and the like. I’m not going to say I’ve seen it all, but I’ve seen a lot of it, and a lot of what is going on today was only in its beginning stages back in the late ’90s and early 2000s.
I refer to this period because during this time I had a contact who had access to the underground scene’s 0-day code and techniques which were used, and who would pass on this information to me so that I could get a better understanding and eventually try to help thwart it. (While on that note, that same contact that I had then is now working for the US government in trying to protect your freedom. I wish him the best of luck in his future endeavors.) I think it’s important that I mention that the underground group that my contact was involved with may have been indirectly a part of a similar group which was responsible for the attack on the root DNS servers and the demise of one of the largest IRC networks, DALnet, though I can’t confirm any of that.
Antivirus companies have gotten a lot smarter, though they’re still not smart enough, and the security of the OS and software has been getting better in general as well. This is a game of cat and mouse, or a game of chess. The antivirus corporations make a move and the virus writers make a move to counter it. I believe that ultimately, this is a game that cannot be won. Resistance is futile. (If you get that joke, congrats.)
When I speak of the antivirus companies getting smarter, I’m talking about things such as scanning with heuristics along with putting code into a sandbox to be tested and identified, which they were not able to do before. There’s a good article over at Secureworks about the Pushdo trojan, which has some techniques that I’ve never seen before, and I actually applaud them for using them - hard drive serial numbers, which can also be used to identify whether the host is running on a virtual drive or server. Having hosts run their own HTTP server is nothing new; in fact I’ve even seen code for viruses that run off of peer-to-peer networks such as Kazaa, along with IRC. The thing with running a virus off of port 80 is that it’s legitimate traffic - it’s traffic that you use for everyday website browsing, so you can’t just close the port off. You’re going to have to either detect the virus file on your machine, or detect and filter out the port 80 packets. I think the former is easier to do than the latter.
Another new thing that is being done is hacking a person’s DNS. An article over at Dark Reading talks about this. While I personally use OpenDNS, the hacking and filtering of a person’s DNS is something that I’ve never heard of before this. I find that this is an extremely innovative and effective move and attack, and I also applaud whoever first thought of this. This is really going to give antivirus companies something to mull over, because now they’re also going to have to add in some sort of DNS detection into their software.
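As an added illustration of the DNS-side check the post says antivirus software will need (example code written for this page, not from the original post or any product): it parses resolv.conf-style text and flags configured resolvers that are neither on an expected list nor on a local/private range. The expected addresses are assumed to be OpenDNS’s public resolvers, and the sample resolv.conf with its rogue entry is constructed.

```python
import ipaddress
from typing import Dict, List

# Resolvers this host is expected to use (assumption: OpenDNS, which the post's
# author says he uses; substitute your own organisation's resolvers).
EXPECTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Ranges where a resolver is plausibly a home router or local forwarder
# rather than a hijack (loopback and RFC 1918 for IPv4, loopback and ULA for IPv6).
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7",
)]


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolvers(servers: List[str], expected=EXPECTED_RESOLVERS) -> Dict[str, str]:
    """Label each resolver: 'expected', 'local', 'unexpected' (a public
    address nobody configured) or 'invalid' (not an IP address at all)."""
    result: Dict[str, str] = {}
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            result[s] = "invalid"
            continue
        if s in expected:
            result[s] = "expected"
        elif any(addr in net for net in LOCAL_RANGES):
            result[s] = "local"
        else:
            result[s] = "unexpected"
    return result


def hijack_suspected(text: str, expected=EXPECTED_RESOLVERS) -> List[str]:
    """Return the resolvers that warrant an alert: unexpected public or invalid."""
    labels = classify_resolvers(parse_resolv_conf(text), expected)
    return [s for s, label in labels.items() if label in ("unexpected", "invalid")]


# Constructed sample: one expected OpenDNS entry, a rogue public resolver
# (192.0.2.53, from the TEST-NET-1 documentation range) and a local forwarder.
SAMPLE_RESOLV_CONF = """# constructed for this example
nameserver 208.67.222.222
nameserver 192.0.2.53   # not configured by the machine's owner
nameserver 127.0.0.1
"""

if __name__ == "__main__":
    print(hijack_suspected(SAMPLE_RESOLV_CONF))  # ['192.0.2.53']
```

On a real host you would feed it the contents of /etc/resolv.conf (or the equivalent from the platform’s network configuration) on a schedule and alert on any change in the returned list.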
I could go on for hours about the things I’ve seen, and at one point in the past I tried to help out and battle against such trojans, and I successfully uncovered and closed down several IRC botnets. However, there’s only so much that one person can do, and this is a game of chess that can never truly be won. Although I don’t have any contacts in the underground scene anymore, and I’m glad I don’t since the scene has changed from being done for personal achievement to working for financial gain, I attempt to keep track of what is going on through some of the websites I mentioned above.
In conclusion, I’d like to recommend an antivirus software which I’ve found to be very effective and likely to detect viruses and malware: Kaspersky antivirus. While common sense is the most effective protection, Kaspersky works well alongside that. With a large deployment of virtual software and OSes, along with the federal mandate that many things be compliant with IPv6, I think the next few years will prove just as interesting, if not more so. I see down the road that things will get much tougher for antivirus companies, and I truly hope that they’re able to keep up with these ever-changing threats.