The Zero-Day Dilemma
By Ryan Naraine | Posted 2007-01-24
Anti-virus companies such as Kaspersky Labs are working around the clock to keep zero-day attacks at bay.
The recent surge in malware attacks against zero-day flaws in some of the most widely used software packages is confirmation of an IT administrator's worst nightmare: Stand-alone, signature-based anti-virus software offers no protection from sophisticated online criminals.
During 2006, there was a wave of zero-day attacks against Microsoft Office applications, through vulnerabilities known only to the attackers, that bypassed all anti-virus protection at the network and desktop level. Because traditional anti-virus technology depends on the ability to quickly capture malware samples, reverse the code for the specific characteristics, and then write and release detection signatures, the zero-day attack presents a major dilemma.
"Signatures have been dead for a long time now," said Roger Thompson, an anti-virus pioneer who now runs the Atlanta-based Exploit Prevention Labs, in an interview with eWEEK. "[Attackers] use new packers or tweak their code so that it's different enough to bypass signatures for a short while. By the time you get a signature out, it's too late. They've already hit enough targets."
The death of stand-alone, signature-driven anti-virus software has forced incumbent security software vendors to reshape their product lineups. Industry heavyweights such as Symantec, McAfee and Trend Micro are all rolling out converged suites, offering multiple capabilities including anti-spyware, personal firewall and endpoint policy enforcement, with intrusion prevention as the foundation.
In Moscow, the state of security is not lost on Eugene Kaspersky, founder and chief technologist at Kaspersky Lab, a privately held, 700-employee outfit.
"We're already there," Kaspersky declared, when confronted with the anti-virus eulogies. "There are no stand-alone anti-virus products anymore. It's now anti-everything. You have to do things like behavior blocking and heuristic detections and add anti-spam, anti-spyware, anti-rootkit capabilities to your software," Kaspersky said in an interview with eWEEK.
Kaspersky, a former military officer who founded the company in 1997 and oversaw its expansion into the United States, Europe and Asia, said he still believes there's value in the ability to respond to malware outbreaks in real time.
"We're losing this game with computer criminals. There are just too many criminals active on the Internet underground, in China, in Latin America, right here in Russia. We have to work all day and all night just to keep up," Kaspersky said.
In a room full of flat-screen monitors, Kaspersky shows off his "woodpeckers," a youthful crew of virus hunters responsible for tracking computer threats in real time and working around the clock to write and ship signatures to millions of computer users.
This is the company's secret sauce: its highly touted ability to ship anti-virus signatures every hour on the hour, seven days a week, 365 days a year.
"We just can't depend on signatures," Kaspersky said. "You need information backup, you need parental controls, you need anti-phishing. It's a different world today. Ten years ago, we were fighting against smart kids who hacked as a hobby. Now, we're dealing with criminal gangs that control your computer to make money. Different world, different protections."
The new protection suites must also feature data leak prevention and patch and configuration management; be bundled in a single console; and, more important, be sold at heavily reduced prices.
"This has been a great party while it lasted," said Jon Oltsik, an analyst with Enterprise Strategy Group. "These guys have been making money hand over fist, but things are changing. Customers are demanding more, and the [security companies] are now living in a competitive, lower-market world."
Oltsik said he believes the security improvements in Windows Vista and Microsoft's aggressive approach to selling its enterprise and consumer security offerings, directly and via the channel, will definitely affect smaller players such as Kaspersky Lab, but, in a discussion with eWEEK, he stressed that the bigger incumbents will feel it even more.
"I don't think anyone should be underestimating Microsoft," Oltsik said, pointing out that the company has pushed into the markets through acquisitions of Sybari for enterprise-grade anti-virus and Giant Company Software for anti-spyware and real-time malware protection.
Sybari has undergone a major makeover and is being rebranded as Microsoft Forefront; Giant's technology is now powering Microsoft's Windows Defender software.
In an interesting twist, Microsoft resells Kaspersky Lab's anti-virus scanner to enterprise customers as part of Forefront's multiscanner strategy. The Kaspersky Lab anti-virus kernel also is integrated in products sold by a range of IT vendors, including Aladdin Knowledge Systems, F-Secure, G Data Software, Deerfield, Alt-N Technologies, Microworld and Borderware.
This puts Kaspersky Lab in the unique position of competing against its OEM partners. As a differentiator, Kaspersky said the company is shipping the new Version 6.0 engine in its own product suite and is licensing the 5.0 version to partners.
"I think you'll see Microsoft being very aggressive on pricing. It will push prices down throughout the sector," Oltsik said.
According to data from research company Gartner, the global market for computer security protection could top $10 billion in 2007, making it a lucrative target even for Microsoft.
On the consumer side, Microsoft's OneCare security suite is struggling to gain a foothold, despite the company's heavy investments in virus research. In a research note released in January 2006, Piper Jaffray analyst Gene Munster used NPD Group retail sales data to show Microsoft's security suite has less than 1 percent market share.
"While OneCare's exact market share is debatable, it's safe to conclude that OneCare's market share is fractional at best," Munster said.
This comes as a big surprise to John Pescatore, a Gartner analyst. "Microsoft spent three years building this product, investing heavily in the technology, but it doesn't appear they are spending any money to market the product. I've seen television ads for the Zune, but I can't recall seeing an ad for OneCare," Pescatore said in an interview with eWEEK.
Natalya Kaspersky, who keeps a close watch on the company's day-to-day operations in the United States, United Kingdom, France, Germany, the Netherlands, Poland, Japan and China, shrugged aside suggestions that Microsoft will use its marketing might to roll over rivals and painted a picture of a company on the rise, building out new technologies and pushing into new markets.
One such rollout is InfoWatch, a Kaspersky Lab subsidiary headed by Andrey Nikishin that offers a multilayered approach to data leak detection and prevention. Founded in 2003 and launched primarily in the Russian market, InfoWatch provides monitoring software for e-mail, Internet and Web usage, mail storage, and mobile devices.
The company is positioning InfoWatch as technology to help businesses manage compliance requirements and track internal data theft, even from mobile devices.
Nikolai Grebennikov, deputy director in Kaspersky Lab's department of innovative technologies, said Kaspersky Lab's new Internet Security 6.0 software will hold its own against the competition. "We have the best virus detection rates and the fastest response time to new threats. We do hourly updates and support more than 1,200 formats of archives and compressed files," said Grebennikov.
Grebennikov said the company has worked hard on improving scan speeds and system loads by scanning new and modified files only, caching data from previous scans, and suspending scanning in case of increased user activity.
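The incremental-scan scheme Grebennikov describes, as an added example in Python that is not Kaspersky Lab's code: a cache keyed by path metadata and content hash so that unchanged and duplicate files are never rescanned, plus a scan loop that suspends when the user is busy. The scan engine, the sample files and the `MALWARE` marker are constructed stand-ins, not any real product's detection logic.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

def demo_engine(data: bytes) -> str:  # stand-in for a real engine (assumption)
    return "infected" if b"MALWARE" in data else "clean"

@dataclass
class ScanCache:
    engine: Callable[[bytes], str] = demo_engine
    # path -> (mtime_ns, size, sha256): files whose metadata is unchanged are skipped
    # without being read. Caveat: a same-size edit inside the filesystem's mtime
    # granularity defeats this key, so real products also re-check on open/execute.
    by_path: Dict[str, Tuple[int, int, str]] = field(default_factory=dict)
    by_hash: Dict[str, str] = field(default_factory=dict)  # sha256 -> cached verdict
    engine_calls: int = 0

    def scan_file(self, path: str) -> str:
        st = os.stat(path)
        hit = self.by_path.get(path)
        if hit and hit[:2] == (st.st_mtime_ns, st.st_size):
            return self.by_hash[hit[2]]               # unchanged since last scan
        with open(path, "rb") as f:
            data = f.read()
        digest = hashlib.sha256(data).hexdigest()
        if digest not in self.by_hash:                # identical content is scanned once
            self.by_hash[digest] = self.engine(data)
            self.engine_calls += 1
        self.by_path[path] = (st.st_mtime_ns, st.st_size, digest)
        return self.by_hash[digest]

    def scan_tree(self, root: str, user_busy: Callable[[], bool] = lambda: False):
        """Scan every file under root; return (results, done) with done=False if suspended."""
        results: Dict[str, str] = {}
        for dirpath, _, names in os.walk(root):
            for name in sorted(names):
                if user_busy():                       # yield to the user, resume later
                    return results, False
                p = os.path.join(dirpath, name)
                results[p] = self.scan_file(p)
        return results, True

def build_sample_tree() -> Dict[str, str]:  # constructed: two identical clean files, one flagged
    root = tempfile.mkdtemp()
    files = {"a": b"hello", "b": b"hello", "c": b"xx MALWARE xx"}
    paths = {"root": root}
    for name, data in files.items():
        paths[name] = os.path.join(root, name + ".txt")
        with open(paths[name], "wb") as f:
            f.write(data)
    return paths
```

A second pass over the same tree costs no engine calls at all, and only the rewritten file is rescanned afterwards.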
The new security suite also has been fitted with a new system for anti-virus scanning of compound objects, optimizing system performance.
This helps to address a long-standing complaint that anti-virus software with multiple executables eating away at system resources is an impediment to proper computer usage.
Another big addition, Grebennikov said, is the addition to the software of rootkit detection and removal. He said new proactive detection technology will block hidden objects (stealth rootkits), keystroke loggers, buffer overflow attacks, data execution attacks and backdoors that turn infected machines into zombies in botnets.
"These integrated threats are the scariest," Grebennikov added. "Anytime you find malware that's using rootkit techniques to hide, you have to get really nervous. Some of these threats are very, very sophisticated."