Traditional Anti-Virus – A Busted Flush! by Kerry Davies Commercial Director, Abatis (UK) Ltd.

1. Traditional Anti-Virus – A Busted Flush! by Kerry Davies Commercial Director, Abatis (UK) Ltd. 10-09-11

2. Background • Computer Science degree in early ‘80s • Security field since 1986 • Security Evaluator – Consultant – Manager – Company Founder – Director in Big 4 – Business Partner • MSc in Information Security at Royal Holloway 2007-8 (Graduate 2009) • Why is traditional A/V a “Busted Flush”? • What is malware? • How does malware work? • How does traditional A/V work? • An alternative approach (that works!)

3. WHAT IS MALWARE ? • Virus, Worm, Trojan Horse, Key-Logger, Root-Kit, Logic Bomb, etc. • Malware is a value judgement • Malware is BIG BUSINESS for cyber criminals, cyber terrorists and hostile state actors - APTs • Traditional anti-virus (A/V) is reactive not proactive – infections have to occur in order for the A/V vendors to collect samples to generate A/V signatures and the antidote • Symantec’s 2010 report announced that they had found 286 million pieces of new malware that year – traditional A/V vendors can’t keep up with this volume and the user community can’t keep taking the megabytes of signature updates that the vendors push out daily

4. How does Malware work? Elements of a worm (as an example) Payload: implementation of specific actions such as opening backdoors, Botnet, spyware, keylogger, rootkit … Scanning Engine: scanning across the network Target Selection Algorithm: looking for potential new victims to attack Warhead: gains access to the victim’s machine Propagation Engine: transfers the body to the victim From: “Malware – Fighting Malicious Code“, p. 79; Ed Skoudis, Prentice Hall 2004

5. Assessing the Threatscape • Malware is everywhere and easily spread – nothing is safe any more • As smart-phone use rockets and social networking explodes, we struggle to balance the need for security versus the need to share information • Connection between the Hoover Dam and Natanz Nuclear facility in Iran? • Consumerisation of IT - the blurring between professional and personal use of technology, mobile platforms and social networking pose serious threats • Email spam, phishing, pharming and spear-phishing on increase • So far in 2011, McAfee has identified 150,000 malware samples every day. One unique file almost every half second, and a 60% increase over 2010 • 19,000 new malicious URLs each day in the first half of this year. And, 80% of those URLs are legitimate websites that were hacked or compromised

6. Consensus in the A/V Industry “Back in the 80s, computer experts were quick to dismiss PC viruses as harmless. We need to learn from this mistake and start taking the mobile malware threat seriously. Only by taking pre-emptive measures can we equip ourselves against this pernicious and escalating menace…” Davey Winder: Security Journalist and Consultant Symantec recorded that in 2010 it saw 286 Million pieces of new malware “anti-virus technology can't stop targeted attacks....Anti-virus is dead because it is unable to detect attacks properly and is incapable of working on mobile devices” Nir Zuk, founder and CTO of Palo Alto Networks to SC Magazine, September 9th 2011 “The security industry has ‘done a miserable job of protecting customers and industry. More than half of malware is not blocked by anti-virus, as vendors can only deal with known malware........the approach taken by most anti-virus vendors is not good enough, as most claim to block 99 per cent of known malware, but most cyber criminals use unknown variants.M86 Security CEO John Vigouroux Speaking to SC Magazine In 2007 ‘....there were about 200 malware threats for mobile phones and more than 250,000 viruses for Windows. Graham Cluley, senior technology consultant at Sophos ‘….With mobile menaces steadily on the rise, we can only anticipate how virulently worms can multiply, especially with the explosion of Bluetooth and the increase in workforce mobility in organisations like the NHS’ Leslie Forbes, Technical Manager, F-Secure: According to Ken Silva, CTO of Verisign: ‘….Criminals will go where the money is," Silva told CNET News. "If you start doing things of financial interest with your mobile phone, they will find a way to get your money."

7. Effectiveness of Anti-malware solutions Popular AV signature-based solutions detect on average less than 19% of malware threats. That detection rate increases to only 61.7% after 30 days Malware Detection Rates for Leading AV Solutions: A Cyveillance Analysis 04/08/10 • Recent malware infection tactics: • Drive-by download infection • Fake security tool and free scanning services • Social engineering – social networks, e.g. Facebook • Embed malicious link in email – phishing, pharming and spear phishing type attacks • Cracked PDF and document files – embedded link/payload

8. OTHER METHODS OF PROTECTION • Isolation • Avoid questionable sites, download software only from reputable sites, run an anti-virus scan on any downloaded material • Signature Based – as last table showed, average 19% effective on day 1, max 60%, reactive • Heuristic – reactive, signature based fuzzy pattern matching, false positives (achieves 19%) • Reputation Based – incomplete coverage, limited, vendor specific, error prone, can be defeated • Hashing – used as part of reputation based approach (hashes can be defeated) • Blacklisting – seriously? • Whitelisting – attractive in principle but a huge maintenance nightmare as hashes have to be recalculated and redistributed to every machine for every change • Combination – what the better A/V is doing now…………. • Kernel-level Control over I/O – use fundamental nature of malware as executable code and ring-based integrity mechanisms of the O/S to block storage of executable program files on the hard disk to produce a fast, reliable, non signature-based, proactive anti-malware solution

9. Operating system Input and output control (IO Manager) Block keylog.exe Business.doc is not blocked Interface to hardware (NTFS, FAT etc) Interface to hardware (NTFS, FAT etc) NTFS drive, C:\ NTFS drive, C:\ HDF - IMPLEMENTATION Applications e.g. WinWord (User Mode / Ring 3) (b) save business.doc (a) save keylog.exe Operating system e.g. Windows (Kernel mode / Ring 0) Without HDF protection With HDF protection HDF filter

10. PRODUCTS AND BENEFITS • HDF Workstation • HDF Server • All versions of Windows from NT to latest 64 bit • Red Hat Linux • Mobile Platforms (future), Real Time, SCADA • Enforce system integrity • Stop zero day attacks and targeted attacks • Block all unwanted software execution • No signature updates required; fit & forget – low TCO • No performance impact – potential improvement

11. Keylogger Protection incl USB Mobile worker Laptops eg. Sales people Drive-by Download protection Windows NT Windows 2000 Windows XP Windows VISTA CLAMPDOWN SECURE REAL TIME SYSTEMS PERFROMANCE IMPROVEMENT Android Windows 7 Mobile Linux Tablet Devices HDF Battery Life Enhancement Research Stop website defacement & secure hosted environments Security effectiveness Improvement if used with traditional A/V CRITICAL SYSTEMS PROTECTION PROTECTION OF LEGACY EQUIPMENT SECURE MOBILE PLATFORMS Mission Critical Systems including Virtualised environments Faster if used w/o A/V or on-demand only scanning Safety Critical Systems CNI & SCADA Embedded Systems HARD DISK FIREWALL (HDF)

12. Questions Kerry Davies Abatis (UK) Ltd Royal Holloway Enterprise Centre Royal Holloway University of London Egham Surrey TW20 0EX Tel: +44 (0) 7767 240799 kerry@abatis-hdf.com