funsec mailing list archives

RE: Kaspersky strikes again


From: Peter Kosinar <goober () nuf ksp sk>
Date: Sat, 22 Dec 2007 04:12:09 +0100 (CET)

Sorry to be a nitpicker, but...

> If you update your sigs hourly, then you have less than an hour to do all
> the testing.

Strictly speaking, this implication is false (assuming the common interpretation of "update your sigs hourly"). Think of pipelining: You start by making an update and dropping it onto your QA conveyor belt. After an hour, you create another one, and drop it on the same belt, which has moved a little in the meantime. Repeat this 24*30=720 times. By then, the -first- update will have reached the end of the testing and will be ready to be sent out. Since then, you'll be able to release one update per hour (assuming that they pass QA). Hourly updates along with month-long QA period, woohoo!

Unfortunately, the above scenario is only fictional; the actual times between receiving a sample and releasing an update that detects it are (and need to be) considerably shorter. Stay tuned for more...

> A month would probably be enough. A day would probably not be enough.

Making a wild guess based on imprecise observation of a very small subset of the actual threats, a piece of malware that is more than a few days old has reached the end of its lifetime -- it infected all the machines it could get to and allowed its author to do whatever he wanted with them. Then, it's time to replace it with something fresh and not known. It'll very likely remain on computers of those who are not using any kind of active (read: working and up-to-date) anti-malware protection, but those won't be affected by your update at all.

If you want to be a janitor, who only cleans up stuff that has been long forgotten, you can take your time. If you want to help at least some fraction of those who are yet to be infected, you need to be faster than the turnabout cycle of the malware-writers. As usual, the shorter the time, the bigger this fraction can be. [*] Oh, and that "few days" guess is an overestimation :-)

> That's one of the big reasons why it isn't possible to write a
> signature-based antivirus these days. You're caught in the nutcracker of
> 1) need to update frequently and 2) need to test adequately.

Almost all antiviruses are signature-based. Unless you're going to base your decisions on a (not necessarily fair) coin-toss, the antivirus is going to consist of a bunch of rules of the form:

"If this, that and somethingelse, report IT IS somename VIRUS"
"If at least three of these five are true, report IT IS CLEAN"

Each of these rules -is- a signature per se. Their premises can range from the very simple ones ("contains these seven bytes: 0x73, 0x55, 0x4d, 0x73, 0x44, 0x6f, 0x73 somewhere inside the file"), through statically analysed ones ("it starts with 100 instructions, neither of which accesses memory indirectly") or behavioral ones ("it tries to open a file '%windir%\system32\lassa.exe', regardless of the particular method"), etc. This covers all the "heuristic", "behavioral", "proactive" methods.

Depending on how your signatures work, you have more or less control over what will and what won't be detected by them. If your signatures were just MD5-hashes of the whole file, you'd have an exceptionally small chance of detecting an unintended file [**]. The problem has just been reduced to the human factor who decides whether the file should or should not be detected in the first place when creating the signature.

Again, most of the signatures used by current AVs do not work this way -- precisely because such signatures are way too narrow and way too easy to evade (not that the others are not). Thus, one signature usually covers many different files and this is where the role of cleanset-testing becomes vital. Unfortunately, there is a very thin line between "good" and "bad" software nowadays and it gets thinner every day (sometimes its width seems to be negative :-) ).

Uh oh, this rant ended up longer than I hoped :-) Thanks for the attention (or lack thereof).

Peter

[*] And yes, I'm well aware of Slammer and other quick guys ;-)
[**] And if you really found a "real-life" file with the same MD5, you
     would at least be able to write a nice paper about it :-)

--
[Name] Peter Kosinar   [Quote] 2B | ~2B = exp(i*PI)   [ICQ] 134813278
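The three rule shapes Peter describes (an exact whole-file hash, a "contains these seven bytes" pattern, and a multi-premise "if this, that and somethingelse" rule) and the cleanset test that keeps broad rules honest, as an added worked example that is not part of the original post or of any real AV product. The sample "files", the clean set and the signature names are constructed for illustration; the seven marker bytes are the ones quoted in the post.

```python
"""Toy signature engine: hash rules, byte-pattern rules and multi-premise rules,
plus a cleanset check. Added illustration, not code from the original post."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# The seven bytes quoted in the post serve as the pattern for the broad rule.
MARKER = bytes([0x73, 0x55, 0x4d, 0x73, 0x44, 0x6f, 0x73])
MZ = b"MZ\x90\x00"  # DOS header stub, used as one premise of the refined rule

# Constructed sample "files" (byte strings); none of these is real malware.
SAMPLES: Dict[str, bytes] = {
    "sample_a.exe": MZ + b"\x00" * 8 + MARKER + b"\x00" * 4 + b"payload-v1",
    "sample_b.exe": MZ + b"\x00" * 3 + MARKER + b"payload-v2",        # a variant of sample_a
    "clean_tool.exe": MZ + b"print 'sUMsDos compatibility shim'",   # benign, contains the same string
    "notepad.exe": MZ + b"hello world",
}
CLEANSET: Set[str] = {"clean_tool.exe", "notepad.exe"}  # files QA knows to be clean


@dataclass
class Signature:
    name: str
    premise: Callable[[bytes], bool]  # "if this, that and somethingelse ..."

    def verdict(self) -> str:
        return f"IT IS {self.name} VIRUS"


def hash_signature(name: str, sample: bytes) -> Signature:
    """Narrowest rule: exact MD5 of one file. Hard to false-positive, trivial to evade."""
    digest = hashlib.md5(sample).hexdigest()
    return Signature(name, lambda data: hashlib.md5(data).hexdigest() == digest)


def pattern_signature(name: str, pattern: bytes) -> Signature:
    """Broad rule: the marker bytes appear anywhere in the file."""
    return Signature(name, lambda data: pattern in data)


def refined_signature(name: str, pattern: bytes) -> Signature:
    """Multi-premise rule: MZ header, marker present, and a NUL byte right before it."""
    def premise(data: bytes) -> bool:
        idx = data.find(pattern)
        return data.startswith(MZ) and idx > 0 and data[idx - 1] == 0
    return Signature(name, premise)


def scan(data: bytes, sigs: List[Signature]) -> str:
    """First matching rule wins; otherwise report clean."""
    for sig in sigs:
        if sig.premise(data):
            return sig.verdict()
    return "IT IS CLEAN"


def cleanset_test(sigs: List[Signature], files: Dict[str, bytes],
                  cleanset: Set[str]) -> List[Tuple[str, str]]:
    """QA step: every hit on a known-clean file is a false positive to fix before release."""
    return [(fname, sig.name) for fname in sorted(cleanset)
            for sig in sigs if sig.premise(files[fname])]


def coverage(sigs: List[Signature], files: Dict[str, bytes], cleanset: Set[str]) -> Set[str]:
    """Which of the non-clean samples the rule set detects (the other side of the trade-off)."""
    return {f for f, data in files.items()
            if f not in cleanset and scan(data, sigs) != "IT IS CLEAN"}


if __name__ == "__main__":
    candidates = {
        "md5 of sample_a": [hash_signature("SampleA", SAMPLES["sample_a.exe"])],
        "marker anywhere": [pattern_signature("SampleA", MARKER)],
        "marker + MZ + NUL": [refined_signature("SampleA", MARKER)],
    }
    for label, sigs in candidates.items():
        print(f"{label:18s} detects={sorted(coverage(sigs, SAMPLES, CLEANSET))} "
              f"false_positives={cleanset_test(sigs, SAMPLES, CLEANSET)}")
```

Running it shows the trade-off in miniature: the hash rule detects only sample_a and misses the variant, the bare marker rule catches both variants but trips on clean_tool.exe (which the cleanset test reports), and the three-premise rule covers both variants with no cleanset hits. The refinement here (a NUL byte before the marker) is an assumed, constructed property of the toy samples, chosen only to illustrate how extra premises narrow a rule.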


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

