The Zero-Day Dilemma


Bolt_Gundam510


By Ryan Naraine

January 24, 2007

The recent surge in malware attacks against zero-day flaws in some of the most widely used software packages is confirmation of an IT administrator's worst nightmare: Stand-alone, signature-based anti-virus software offers no protection from sophisticated online criminals.

During 2006, there was a wave of zero-day attacks against Microsoft Office applications—through vulnerabilities known only to the attackers—that bypassed all anti-virus protection at the network and desktop level. Because traditional anti-virus technology depends on the ability to quickly capture malware samples, reverse the code for the specific characteristics, and then write and release detection signatures, the zero-day attack presents a major dilemma.

"Signatures have been dead for a long time now," said Roger Thompson, an anti-virus pioneer who now runs the Atlanta-based Exploit Prevention Labs, in an interview with eWEEK. "[Attackers] use new packers or tweak their code so that it's different enough to bypass signatures for a short while. By the time you get a signature out, it's too late. They've already hit enough targets."

The death of stand-alone, signature-driven anti-virus software has forced incumbent security software vendors to reshape their product lineups. Industry heavyweights such as Symantec, McAfee and Trend Micro are all rolling out converged suites, offering multiple capabilities including anti-spyware, personal firewall and endpoint policy enforcement, with intrusion prevention as the foundation.

In Moscow, the state of security is not lost on Eugene Kaspersky, founder and chief technologist at Kaspersky Lab, a privately held, 700-employee outfit.

"We're already there," Kaspersky declared, when confronted with the anti-virus eulogies. "There are no stand-alone anti-virus products anymore. It's now anti-everything. You have to do things like behavior blocking and heuristic detections and add anti-spam, anti-spyware, anti-rootkit capabilities to your software," Kaspersky said in an interview with eWEEK.

Kaspersky, a former military officer who founded the company in 1997 and oversaw its expansion into the United States, Europe and Asia, said he still believes there's value in the ability to respond to malware outbreaks in real time.

"We're losing this game with computer criminals. There are just too many criminals active on the Internet underground, in China, in Latin America, right here in Russia. We have to work all day and all night just to keep up," Kaspersky said.

View: Original Article
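The article's point that a byte signature only catches the exact sample it was written from, and that a repacked copy slips past until a new signature ships, is easy to show in code. The block below is an added example, not from the eWEEK article or from the forum post above: the "malware" body, the signature, the toy XOR packer and its `PK!` stub marker are all constructed for illustration. It scans a sample with a static signature, repacks the same sample, shows the signature miss, and then adds the kind of generic-unpacking heuristic that vendors layered on top of plain signatures.

```python
"""Static byte signature vs. a trivially repacked variant (constructed demo).

Nothing here is real malware: SAMPLE is a marker string plus filler, and the
packer is a one-byte XOR behind a hypothetical stub marker.
"""

# Constructed "malware" body: a recognizable marker plus filler bytes.
SAMPLE = b"\x55\x8b\xec\x83\xec\x40" + b"DROPPER-CORE-v1" + bytes(range(0x20, 0x60))

# A vendor-style static signature: a 12-byte string lifted from the captured sample.
SIGNATURES = {"Trojan.Dropper.Constructed": b"DROPPER-CORE"}

# Hypothetical marker that the toy packer's decoder stub leaves at offset 0.
STUB_MAGIC = b"PK!"


def signature_scan(data, signatures=SIGNATURES):
    """Plain signature engine: return the name of the first pattern found, else None."""
    for name, pattern in signatures.items():
        if pattern in data:
            return name
    return None


def pack(payload, key):
    """Toy packer: prepend the stub marker and XOR the body with a one-byte key.

    A real packer would also embed a decoder loop; the key is deliberately not
    stored in the file, mimicking a stub that derives it at run time.
    """
    body = bytes(b ^ key for b in payload)
    return STUB_MAGIC + body


def unpack(blob, key):
    """Reverse pack() for a known key."""
    if not blob.startswith(STUB_MAGIC):
        raise ValueError("not a packed blob")
    return bytes(b ^ key for b in blob[len(STUB_MAGIC):])


def generic_unpack_scan(data, signatures=SIGNATURES):
    """Heuristic layer: recognise the stub, brute-force the one-byte key space,
    and re-run the signature engine on every candidate plaintext.

    This is the cheap, static analogue of the emulation/generic-unpacking
    layers that converged AV suites added on top of signatures.
    """
    if not data.startswith(STUB_MAGIC):
        return signature_scan(data, signatures)
    for key in range(256):
        hit = signature_scan(unpack(data, key), signatures)
        if hit:
            return hit
    return None


if __name__ == "__main__":
    packed = pack(SAMPLE, 0x5A)
    print("original  -> signature:", signature_scan(SAMPLE))
    print("repacked  -> signature:", signature_scan(packed))
    print("repacked  -> signature + generic unpack:", generic_unpack_scan(packed))
```

The repacked file carries the same payload but no longer contains the 12 signature bytes, so the signature engine returns `None`; only the layer that understands the packer and looks past it recovers the detection. A new packer, a different stub, or a multi-byte key defeats this particular unpacker again, which is the cat-and-mouse cycle Thompson describes.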
