Virus Fighters Can't Keep Up

Fast-moving malware has the antivirus industry looking for a new strategy that focuses on proactive, automated tools

Thomas Claburn, Editor at Large, Enterprise Mobility

December 16, 2005

4 Min Read

At 5:07 p.m. on Dec. 21 a year ago this week, the Santy worm arrived at Kaspersky Lab in Moscow via an E-mail message. It was immediately assessed, categorized, and routed to a virus analyst. By 6 p.m., the analyst had dissected the worm and generated a binary signature that the lab's antivirus software could use to block it.

But such a quick response to malware is becoming difficult, and in some cases even an hour may be too long. Fast-propagating malware has been on the increase in recent months, and companies that develop and sell software to stop new forms of damaging code admit they're having difficulty keeping up.

In a post of uncommon candor to his lab's Viruslist.com Web site in November, Eugene Kaspersky described the scope of the problem. "Unfortunately, there are relatively few products available in shops or on the Internet which offer even close to 100% protection," he wrote. "The majority of products are unable even to guarantee 90% protection. And this is the main problem facing the antivirus industry today."

An analyst at Kaspersky Lab points out damaging computer code. Photo by Mashkov Yuri/Itar Tass

Kaspersky cited the rising volume of malware, the speed at which it propagates, the increasingly criminal intent of malware authors, the trade-off between malware scan speed and effectiveness, and the general incompatibility of antivirus programs from different vendors as issues facing the industry.

Panda Software USA is one of the antivirus vendors trying to cope with more-sophisticated hackers. "We had time before to figure out what they were doing," says Patrick Hinojosa, Panda Software's chief technology officer. "Now we're up against very fast-moving attacks that don't give us time to come up with a vaccine to adequately protect our client base."

Kaspersky Lab receives 200 to 300 new malware samples a day. Sophos plc, a U.K. research lab, reports that the number of new threats rose by 48% this year. Panda Software warns that more than 10,000 new bots--automated worms or Trojans that infest PCs and turn them into zombies under a hacker's control--have appeared in 2005. "The game has definitely changed over the past few years, even in the past 12 months, about what is an acceptable speed of response to a new virus," says Richard Wang, manager of Sophos labs.

The trend toward attacks aimed at a group, such as a bank's credit-card customers, also creates challenges. Antivirus companies have to see a threat to craft a defensive signature to block it--a difficult task when malware isn't widespread.

Proactive defenses are needed because there's no longer enough time for broadly effective reactive defenses. "There are going to be those [antivirus] producers who make the switch from reactive to proactive, and there are going to be those who don't and who are no longer with us in 36 months," Hinojosa says.

Adapt Or Die?

Antivirus companies are working frantically to adapt. Since viruses and Trojans are using a broader range of techniques and a greater variety of delivery methods, products need to broaden the capabilities they offer to fight back, Sophos' Wang says. That includes automated measures such as looking for suspicious behavior from software or users and blocking it, and improved heuristic analysis to better recognize malware.
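To make the reactive-versus-proactive contrast concrete, here is an added illustration (not code from the article or from any vendor it quotes): a byte-signature check that only knows the first sample, beside a behavior rule that scores what a process does. The samples, byte patterns and event traces are constructed for the example.

```python
import re

# Constructed byte blobs standing in for two variants of one worm and a clean file.
ORIGINAL = b"\x4d\x5a" + b"PAD" * 4 + b"WORM-v1" + b"\x00" * 4
VARIANT = b"\x4d\x5a" + b"PAD" * 4 + b"WORM-v2" + b"\x00" * 4  # one byte changed
CLEAN = b"\x4d\x5a" + b"hello world" + b"\x00" * 4

# The binary signature an analyst extracted from the first sample seen in the lab.
SIGNATURE = b"WORM-v1"


def signature_match(sample: bytes) -> bool:
    """Reactive check: exact byte pattern taken from an already-analysed sample."""
    return SIGNATURE in sample


# Constructed per-process event traces, as a behavior monitor might record them.
TRACES = {
    "original": ["write:HKLM\\Run", "connect:tcp/25", "connect:tcp/25", "connect:tcp/25"],
    "variant": ["write:C:\\autoexec.bat", "connect:tcp/25", "connect:tcp/25", "connect:tcp/25"],
    "clean": ["write:C:\\docs\\report.txt", "connect:tcp/443"],
}

# Hypothetical persistence locations used only for this illustration.
PERSISTENCE = re.compile(r"^write:(HKLM\\Run|C:\\autoexec\.bat)$")


def behaviour_score(events: list[str]) -> int:
    """Proactive check: score suspicious actions without knowing the code in advance."""
    score = 0
    if any(PERSISTENCE.match(e) for e in events):
        score += 2  # establishes persistence
    if sum(e == "connect:tcp/25" for e in events) >= 3:
        score += 2  # repeated outbound SMTP, a mass-mailing pattern
    return score


def behaviour_flag(events: list[str], threshold: int = 3) -> bool:
    """Block when the accumulated score crosses the threshold."""
    return behaviour_score(events) >= threshold
```

The signature catches only the sample it was cut from, while the behavior rule flags both variants and leaves the clean trace alone.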

Most malware authors are focused on releasing code quickly, as soon as an exploit becomes known, rather than trying to craft innovative attacks. As a result, virus research, which used to be an intellectual contest between security researcher and malware author, has become more automated. "We've had to switch to automating analysis and building tools into the software that can analyze an attack and new code before the researchers have a chance to see it," explains Hinojosa. That's necessary, he says, "because we often don't see something in the lab until it's halfway across the planet."

Such changes are necessary if antivirus vendors stand a chance of keeping up with the bad guys. "It's still extremely challenging; it's just a matter of applying that knowledge in a slightly different direction," Hinojosa says. "One chapter is closing, but a new one is opening."


About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, information, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.
