Stuxnet, Aurora: Why AVs Fail and Why We Need Them

Tuesday, October 05, 2010

Pascal Longpre


Operation Aurora, which attacked Google and other Fortune 1000 companies last year, and the more recent Stuxnet worm targeting SCADA systems (nuclear and energy power plants) are here to remind us of the failure of traditional antivirus products to protect corporate systems against targeted, high-level attacks.

In the case of Stuxnet, tens of thousands of computers had been infected before the antivirus company VirusBlokAda identified it and made it public last June.

Numerous articles have been written describing the new methods and the numerous zero-day exploits Stuxnet uses to propagate and bypass traditional security systems.

Very few articles have been written explaining why AV companies failed to detect it. This is true of Stuxnet, but the same applies to Operation Aurora and to the many variants of the Zeus bot, TDSS, TDL3 and numerous others.

Why do AVs fail?

AVs fail simply because they are signature-based. Everybody agrees on that. AV companies need a sample of the malware to analyze it, create an identification signature and distribute it across their customer base. This process requires time and highly skilled manpower.

The number of new virus samples now averages 300,000 each day, which makes it practically impossible for AV companies to process them all.

Virus writers are aware of this weakness: they prepare new versions of their malware in advance and release them as soon as AV companies have created a signature for the previous version.
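The workflow just described (the vendor obtains one sample, derives a signature from it, customers scan with that signature) and the effect of the author shipping the next build, as an added example that is not code from the original post. All samples are constructed byte strings standing in for executables; the file layout, the "family" name and the choice of which bytes an analyst treats as build-specific are assumptions made for the example.

```python
"""Signature-based detection reduced to its essentials.

Added example, not code from the original post. It models the workflow the
post describes (the vendor receives one sample, derives a signature from it,
customers scan with that signature) over constructed byte strings, so the
effect of the author shipping the next build is visible directly.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    family: str
    kind: str            # "hash" matches one exact file; "pattern" matches a byte layout
    value: object        # hex digest for "hash", compiled bytes regex for "pattern"


# --- constructed samples (stand-ins for executables, not real malware) ---
HEADER = b"MZ\x90\x00"                      # constructed file header
PROLOGUE = bytes.fromhex("558bec83ec10")    # constructed code bytes shared by every build
EPILOGUE = bytes.fromhex("e800000000c3")    # constructed code bytes shared by every build
CONFIG_OFFSET = len(HEADER) + len(PROLOGUE)  # where the 4-byte build-specific constant sits


def build(config: bytes) -> bytes:
    """Assemble a sample: the code is identical across builds, only `config` changes."""
    assert len(config) == 4
    return HEADER + PROLOGUE + config + EPILOGUE


ORIGINAL = build(b"\x00\x00\x1f\x90")   # the sample the vendor obtained and analyzed
VARIANT = build(b"\x00\x00\x01\xbb")    # prepared in advance, released once the signature ships
REPACKED = HEADER + bytes.fromhex("31c0405fc3") + b"\x00" * 6  # constructed stand-in for a fully rebuilt binary
BENIGN = HEADER + PROLOGUE + b"\xb8\x01\x00\x00" + b"\xc3"     # constructed clean file sharing the prologue


def derive_signatures(family: str, sample: bytes, variable: tuple[int, int]) -> list[Signature]:
    """What the analyst produces from one sample.

    `variable` is the (offset, length) of the bytes the analyst judged to be
    build-specific; the pattern signature wildcards exactly that span and
    requires every other byte to match, which keeps false positives low."""
    off, length = variable
    digest = hashlib.sha256(sample).hexdigest()
    pattern = re.escape(sample[:off]) + b".{%d}" % length + re.escape(sample[off + length:])
    return [
        Signature(family, "hash", digest),
        Signature(family, "pattern", re.compile(pattern, re.DOTALL)),
    ]


def scan(sample: bytes, signatures: list[Signature]) -> set[str]:
    """Return the kinds of signature that fire on `sample` ('hash', 'pattern')."""
    hits = set()
    digest = hashlib.sha256(sample).hexdigest()
    for sig in signatures:
        if sig.kind == "hash" and sig.value == digest:
            hits.add("hash")
        elif sig.kind == "pattern" and sig.value.search(sample):
            hits.add("pattern")
    return hits


SIGNATURES = derive_signatures("example-family", ORIGINAL, (CONFIG_OFFSET, 4))

if __name__ == "__main__":
    for label, sample in [("original", ORIGINAL), ("variant", VARIANT),
                          ("repacked", REPACKED), ("benign", BENIGN)]:
        print(f"{label:9s} -> {sorted(scan(sample, SIGNATURES)) or 'no detection'}")
```

Run as a script, it shows the asymmetry the post is about: the analyzed sample is caught by both signatures, the pre-prepared variant survives the hash signature and is only caught because the analyst spent the effort to wildcard the build-specific bytes, the rebuilt binary is missed entirely until someone captures and analyzes it, and the benign file that shares a code fragment is left alone, which is the low false-positive rate the post credits signatures with.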

Another weakness of AVs is their predictability. Most of them can be downloaded from the Internet for free for 30 days and cost less than $40 a year to purchase. They can be analyzed, tested and reverse engineered at will, at no cost to the attacker.

In most cases, it is trivial to disable their signature update system or to simply uninstall them from the infected host.

This fight is unfair and the advantage lies with the malware authors. Unfortunately, there is not much AV companies can do about it.

Nevertheless, this business model continues to thrive. McAfee and Symantec are worth billions of dollars, and businesses and individuals continue to rely on them for their protection.

So Why Do We Still Need Them?

Signature-based detection is great because its false positive rate is very low. If the AV tells you that virus ABC is on your system, you can trust it (with rare exceptions) and, as a bonus, since the virus has already been analyzed, the AV can usually remove it safely from the infected system.

For new viruses, this model works for the same reason flu shots work: we accept that some individuals will be sacrificed for the good of the community.

When a new computer virus is released, thousands of systems will be infected before the AV vendors have time to analyze it and create a working signature. But once this is done, hundreds of millions of systems are immunized and will be effectively protected from infection.

In the end, it all boils down to probabilities and luck.

This is acceptable for most individuals or corporations that have little or nothing to lose to malware. Is it enough for high-value targets like governments, the military, critical infrastructure management, high-stakes R&D companies, banks and numerous others? Of course not!

Is it normal that we rely on publicly available $5 software (the average price of an AV license for large accounts) to secure a $2000 system holding hundreds of thousands of dollars' worth of data?

I think the question is the answer.

Cross-posted from Silicium Security


Jamie Adams Excellent information. Thank you for posting. The shortcomings of traditional, signature-based AV are one of the reasons my company was part of the R&D of anomalous-based intrusion detection systems, and now the commercialization of it.

But it has its shortcomings, too, when it comes to deployment scenarios and those viruses. What are your thoughts on anomalous-based detection systems?
Anthonie Ruighaver It is a long time since I looked at AV research, but my understanding is that the AV industry stayed with the signature-based approach as that approach generates a steady income stream. There were a number of very interesting research papers over ten years ago on more generic approaches that worked just as well (if not better) as a signature based approach.
Pascal Longpre Thanks for sharing, Anup, very interesting article.
I also suggest you take a look at the approach we use in our software, ECAT. Although this is not as "pure" as performing an out-of-band integrity check, we are able to detect Stuxnet-type attacks by performing integrity checks with low-level kernel access. This has the advantage of combining live memory analysis and physical low-level disk access in order to find discrepancies between a program's image in memory and its original version on disk, among others. Using the same technique, we can also detect floating code like the injected libraries of Stuxnet or Meterpreter.

Stuxnet generates lots of buzz and let's hope this serves as a wake-up call for many, but we must also be as concerned by less technically advanced threats that can also be very damaging, as described in
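The memory-versus-disk comparison and the "floating code" check that the comment above describes, sketched as an added example that is not ECAT's code and not part of the original thread. Process memory regions and on-disk section bytes are constructed inline; the region labels, file names and the relocation handling are assumptions made for the example. It also handles the two benign sources of mismatch a real check has to tolerate, loader relocations and non-executable data regions, which the comment does not spell out.

```python
"""Memory-versus-disk integrity checking, as sketched in the comment above.

Added example, not ECAT's code and not from the original thread. Process
memory regions and on-disk section bytes are constructed inline; the
region/file names and the relocation handling are assumptions made for the
example. Two findings are modelled: file-backed executable code whose bytes
differ from the copy on disk, and executable memory backed by no file at all
("floating code").
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Region:
    name: str                  # label the memory map gives the region (assumed format)
    executable: bool
    backing_file: Optional[str]  # None for allocations not mapped from any file
    content: bytes             # bytes as read from live memory
    relocations: frozenset = frozenset()  # offsets of 4-byte slots the loader legitimately rewrites


def differing_ranges(disk: bytes, memory: bytes, ignore: frozenset) -> list[tuple[int, int]]:
    """(offset, length) runs where `memory` differs from `disk`, skipping relocated slots."""
    skipped = {off + i for off in ignore for i in range(4)}
    ranges: list[tuple[int, int]] = []
    start = None
    for i, (d, m) in enumerate(zip(disk, memory)):
        if d != m and i not in skipped:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, len(disk) - start))
    return ranges


def check_process(regions: list[Region], disk_images: dict[str, bytes]) -> list[dict]:
    """Compare every executable region against its on-disk image and report discrepancies."""
    findings = []
    for region in regions:
        if not region.executable:
            continue                      # data regions are expected to change at runtime
        if region.backing_file is None:
            findings.append({"region": region.name, "kind": "floating_code",
                             "length": len(region.content)})
            continue
        disk = disk_images.get(region.backing_file)
        if disk is None:
            findings.append({"region": region.name, "kind": "no_disk_image"})
        elif len(disk) != len(region.content):
            findings.append({"region": region.name, "kind": "size_mismatch"})
        else:
            for offset, length in differing_ranges(disk, region.content, region.relocations):
                findings.append({"region": region.name, "kind": "patched_code",
                                 "offset": offset, "length": length})
    return findings


# --- constructed data: stand-ins for code sections on disk and in memory ---
CLEAN_TEXT = bytes(range(0x40, 0x60))
DISK_TEXT = bytes(range(0x20, 0x40))
_mem = bytearray(DISK_TEXT)
_mem[8:12] = b"\x00\x10\x40\x00"          # a pointer slot rewritten by the loader (legitimate)
_mem[16:21] = b"\xe9\x10\x00\x00\x00"     # five bytes overwritten at a function entry (not legitimate)
PATCHED_TEXT = bytes(_mem)

DISK_IMAGES = {"clean.dll": CLEAN_TEXT, "example.dll": DISK_TEXT}   # constructed file names
REGIONS = [
    Region("clean.dll!.text", True, "clean.dll", CLEAN_TEXT),
    Region("example.dll!.text", True, "example.dll", PATCHED_TEXT, frozenset({8})),
    Region("example.dll!.data", False, "example.dll", b"\x00" * 32),   # writable data, skipped
    Region("<anonymous>", True, None, b"\x90" * 16),                   # executable, file-less
]

if __name__ == "__main__":
    for finding in check_process(REGIONS, DISK_IMAGES):
        print(finding)
```

The relocation set is what keeps this from drowning in false positives on real systems: the loader rewrites absolute pointers when an image is not loaded at its preferred base, so a checker has to parse the image's relocation table (here replaced by a constructed set of offsets) and ignore exactly those slots, and nothing else.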
Anthonie Ruighaver Thanks Anup. That's an excellent reference that I had not seen before. Current software-only security solutions are simply not able to cope with the escalating security problem.
Shalom Cohen For critical networks and highly secured networks, a whitelist is probably practical. But most organizations are based on non-strict security policies, which makes whitelisting impossible.
Pascal Longpre Jamie, I think we both agree that signature-based AV is not enough. Our company develops a host-based detection system using live memory analysis and forensics. I deeply believe in our approach since it gives security personnel the complete picture of what is happening in memory within the systems.
I don't know enough about anomalous-based intrusion detection systems to comment at this stage. I did some work in that field a few years ago and found it useful to detect obvious exfiltration channels with statistical analysis of in/out bytes, for example. The main drawback I found (as with many network IDS) was being unable to dig deeper into the potentially infected systems to get rid of false positives. Like I said, this was a while ago. I guess a lot of progress has been made on that front since.
Can you share information about how the solution you work on would have detected Stuxnet before it was made public for example?