
The anti-virus industry does itself no favours

Posted by on July 11, 2015.

For years there have been suspicions that the anti-virus industry is maybe not so clean from NSA taint as it should be. I have been one of those doubters:

AV and the NSA: is the anti-virus industry in bed with the NSA – why do CIPAV, FinFisher and DaVinci still defeat AV? 
FBI, CIPAV spyware, and the anti-virus companies

More recently, news from the Snowden-leaks that the spy agencies have spent considerable effort in trying to break into anti-virus companies seems to suggest that they are not co-operating — otherwise why need to subvert the code? See Still speculating about anti-virus after all these years?

And yet those doubts still linger. One of my own concerns goes back to Stuxnet, one of the earliest known examples of government malware. At the beginning of 2012, Mikko Hypponen published a mea culpa: Why Antivirus Companies Like Mine Failed to Catch Flame and Stuxnet:

Researchers at other antivirus firms have found evidence that they received samples of the malware [Flame] even earlier than this, indicating that the malware was older than 2010.

What this means is that all of us had missed detecting this malware for two years, or more. That’s a spectacular failure for our company, and for the antivirus industry in general.

It wasn’t the first time this has happened, either. Stuxnet went undetected for more than a year after it was unleashed in the wild…

Let me say that I have the very highest regard for Mikko and F-Secure. And yet…

Hacking Team, producer and purveyor of government spyware, has itself been hacked. Pardon me if I’m not bothered — poetic justice and all that. From the leaked material we find that HT had a number of Adobe 0-day exploits. We didn’t know about these earlier than the leak — but lo and behold, as soon as the leak happened, the AV industry discovered at least one being used in the wild.

More than that, Trend Micro announced that it actually discovered this zero-day being used before Hacking Team’s hack was released:

However, feedback provided by the Smart Protection Network also indicates that this exploit was also used in limited attacks in Korea and Japan. Most significantly, these took place before the Hacking Team leak took place; we first found this activity on July 1.
Hacking Team Flash Zero-Day Tied To Attacks In Korea and Japan… on July 1

Now, although we’re only talking about a few days, this 0-day exploit known to Trend was still a 0-day exploit a week later. Trend doesn’t seem to have reported it to Adobe. Indeed, the Adobe patch released 7 July makes no mention of Trend:

Adobe would like to thank Google Project Zero and Morgan Marquis-Boire for reporting CVE-2015-5119 and for working with Adobe to help protect our customers.
Adobe Security Bulletin: APSA15-03

(Let’s simply gloss over the phenomenal speed with which Adobe patched this exploit…)

I asked Trend, “If you knew about the exploit then, how come it was still a 0-day 7 days later?” Rik Ferguson, vice president security research, told me, “We identified the use of the exploit on July 1st through a retrospective investigation of data collected by the Smart Protection Network, it was unknown at the [time?], but looking back armed with new knowledge we can recognise it.”

In other words, just as with Flame and Stuxnet (but probably for a much shorter time) the AV industry was aware of the issue but either didn’t recognise the problem or didn’t do anything about it. Either:

AV turns a blind eye to certain problems (and hence the lingering doubts), or
AV is simply not as good as it pretends.

Once again, let me stress that I have a high regard for Trend Micro and a very high regard for Rik Ferguson. If there is any collusion between AV and governments, it is at a higher level than the foot soldier researchers who all, every one, deny it.

But what about the other option: AV isn’t as good as it claims? Here I really do have a problem. The industry continually publishes test results proving that it stops 99.9% (or more) of all malware. And yet we still get breached.

Well, if you ask an AV researcher he or she will always tell you, ‘I never suggest that AV is all you need — it should be part of a layered defence.’ Every security professional I have ever met knows this. It is very, very easy for a professional hacker to get through anti-virus defences by modding the malware. It doesn’t work for long; but then he just does it again.

And yet the AV industry persists with its claims of 100% effectiveness against malware. The problem here is that while professionals are not taken in, the home user often is. The person who most needs help is instead given a false sense of security — believing that his AV will protect him, why should he bother doing anything else?

Much of the great work undertaken by the researchers is undone by the marketers — and that is part of a much bigger problem across the whole of the industry: FUD marketing: a stick generated by the industry and wielded by governments. This is one area in which the security industry at large really does collude with government.


Submitted in: Expert Views, Kevin Townsend's opinions