Antivirus: great business, lost cause

Here’s a paradox: the business of antivirus software has never been better. And yet the long-term prognosis in the antivirus battle has never been more bleak.

This fall, the “National Strategy to Secure Cyberspace” stated that all home and business users need to install antivirus software on their computers and update their systems on a regular basis. Most CSOs and CIOs – dare we say all of them? – by now realize that it is irresponsible to deploy computers without antivirus protection. Nevertheless, the war against computer viruses and their authors is stumbling. Tens of thousands of computer viruses are in circulation.

Academics who follow viruses say that the threat is being understated. “Currently we are seeing new computer viruses and worms, targeted at [Microsoft Corp. Windows], reported approximately once every 75 to 90 minutes, on average,” wrote Gene Spafford, computer science professor and director of Purdue University’s Education and Research in Information Assurance and Security, in the 2003 AAAS Science and Technology Yearbook. There’s a key bit of information in Spafford’s line – the bit about Windows. All operating systems have displayed vulnerabilities over the years.

But the reliance throughout corporate North America on a single OS means all of our eggs are in one basket. There’s a solid argument to make that in the long run, all the antivirus add-ons in the world won’t stem the tide of viruses and worms. Diversity is going to be a necessary element of successful antivirus defense.

In North America, the worms that have been the most successful at propagating have inflicted comparatively little damage on the hosts they infected. The Melissa, I Love You, Nimda and Code Red worms infected tens of millions of machines in a day and cost corporate America more than a billion dollars in “lost productivity.” Aside from sending out a lot of e-mail and clogging servers, though, those worms didn’t fundamentally damage the computers that were infected.

Compare that with what happened to Korea on April 26, 1999, when more than 1 million computers had their hard drives wiped and their system BIOS erased by the CIH/Chernobyl virus. In many cases, damaged systems required new BIOS chips or motherboards. Total losses were pegged at US$250 million in hard dollars.

CIH/Chernobyl is no match for today’s signature-based antivirus systems. The typical virus scanner has a database of signatures – unique byte strings – for roughly 50,000 viruses. On a properly protected computer, executables infected with a familiar signature such as Chernobyl’s simply can’t run.

But there is a serious failing with signature-based systems that few people in the antivirus community admit. Antivirus scanners do nothing to protect against the most serious virus threat today: new viruses. By definition, a new virus won’t be in any existing database of viral signatures.
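To make that limitation concrete, here is an added illustration (not from the original article) of a minimal byte-string signature scanner in Python over a constructed signature database; every name, byte string and sample in it is made up. It also shows the chunk-overlap detail a file scanner needs so a signature split across two reads is still matched, and that a previously unseen sample is caught only once its signature has been extracted and added.

```python
import io

# Constructed signature database (virus name -> unique byte string).
# These are made-up names and bytes, not real malware signatures.
SIGNATURES = {
    "Demo.CIH-like": b"\x55\x8b\xec\x83\xc4\xf0DEMO-CIH-PAYLOAD",
    "Demo.MailWorm": b"BEGIN-DEMO-WORM-BODY",
}

# Constructed stand-ins for executables: an "MZ" header, padding, then a body.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + SIGNATURES["Demo.CIH-like"] + b"\x00" * 8
NEW_SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + b"\x55\x8b\xecNEW-VARIANT-CODE" + b"\x00" * 8


def scan_bytes(data: bytes, signatures: dict) -> list:
    """Return the names of all signatures whose byte string occurs in data."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def scan_stream(fileobj, signatures: dict, chunk_size: int = 65536) -> list:
    """Scan a file-like object chunk by chunk. An overlap of (longest signature - 1)
    bytes is carried over so a signature straddling two chunks is still matched."""
    overlap = max(len(s) for s in signatures.values()) - 1
    hits, tail = set(), b""
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        hits.update(scan_bytes(window, signatures))
        tail = window[-overlap:] if overlap > 0 else b""
    return sorted(hits)


def scan_bytes_chunked(data: bytes, signatures: dict, chunk_size: int) -> list:
    """Convenience wrapper: push an in-memory sample through scan_stream."""
    return scan_stream(io.BytesIO(data), signatures, chunk_size)


def demo() -> tuple:
    """Known sample is caught; an unseen sample is missed until its signature ships."""
    db = dict(SIGNATURES)                        # work on a copy of the database
    before_known = scan_bytes(KNOWN_SAMPLE, db)  # ['Demo.CIH-like']
    before_new = scan_bytes(NEW_SAMPLE, db)      # [] : no signature exists yet
    # Simulated vendor update: a unique byte string extracted from the captured
    # sample is pushed out. Only after this does the scanner detect it.
    db["Demo.NewVariant"] = b"NEW-VARIANT-CODE"
    after_new = scan_bytes(NEW_SAMPLE, db)       # ['Demo.NewVariant']
    return before_known, before_new, after_new


if __name__ == "__main__":
    print(demo())
```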

The potential is there

Unfortunately, even this won’t be good enough in the near future. A paper that was presented at this year’s Usenix Security Symposium convincingly showed several strategies for infecting between 1 million and 10 million Internet hosts in 15 minutes or less. The paper is titled “How to Own the Internet in Your Spare Time,” by Stuart Staniford at Silicon Defense, Vern Paxson at ICSI Center for Internet Research and Nicholas Weaver at UC Berkeley.

The authors’ findings are based on results they discovered with an Internet simulator that they created for this purpose. (The full text of the paper can be found at

There are several workable infection strategies, it turns out. One is to scan in advance for vulnerable machines that are connected to high-bandwidth networks. Another approach is to divide up the Internet’s address space in an intelligent manner so that each copy of the worm has the maximum chance of infecting a virgin machine. Staniford and company call such worms Warhol and Flash. It is impossible to protect against those worms with signature-based antivirus systems: Before a worm could be analyzed and a signature distributed, the damage would already be done.

If someone creates a worm that combines the infection strategy outlined in the Staniford paper with a Chernobyl-style payload, we are looking at a lot more damage than a few days of lost productivity. MSN, Hotmail, eBay and tens of thousands of small and midsize businesses would all be shut down, and bringing those companies back up might require getting new hardware, restoring systems from backup and finally, patching the security flaws. Such repairs could take weeks; many companies would fail.

Nevertheless, it’s important to realize that a Warhol or Flash worm would almost necessarily be selective: such a worm would probably exploit just one or two vulnerabilities known to the authors – vulnerabilities that were not widely known, or at least not widely patched. The biggest bang for the worm author, obviously, is going to come from targeting the single largest platform: Microsoft Windows systems running on Intel Corp.-based architectures.

All systems have had significant security problems. Even OpenBSD, which boasts just a single remote vulnerability in the past six years, was susceptible to a flaw discovered this fall in the OpenSSL library package. But because of architectural differences, every Unix computer with the OpenSSL library would have had a slightly different exploit. Windows systems, on the other hand, frequently have common exploits. Those computers can rightly be thought of as a monoculture crop – with all the strengths and weaknesses that a monoculture implies.