As reports from companies like McAfee and F-Secure reveal soaring numbers of malware variants appearing in their databases, Tier-3, the behavioural analysis IT security firm, says that behavioural analysis software is now the best way of protecting company IT resources against unknown, as well as known, security threats.
According to some end-of-year reports, McAfee and F-Secure's malware databases, which stretch back to 1986, when the first viruses started to appear, doubled in size during 2007, said Geoff Sweeney, CTO of Tier-3.
Accessing these databases within active memory to tackle malware in real time is still feasible, but there will eventually come a day when IT security vendors have to resort to different approaches to ensure their software fully protects the host computer, he added.
“We have already seen from Didier Stevens, a Belgian IT security expert with more than a quarter of a century’s experience in the industry, that malware authors have stumbled on the fact that many of today’s 32- and 64-bit IT security software products still limit their signature analyses to the first 256 or 512 bytes of a script. If a script is padded out with a lengthy string of zero-byte entries, then it follows that a modern script can pass unnoticed and wreak havoc on a Windows-driven computer system,” he added.
“Questions need to be asked as to why some AV products and internet browsers are still susceptible to this type of obfuscation technique. Some initial thoughts have centred around the fact that it may be to do with catering for the lowest common denominator in terms of client hardware, or an indication of performance issues more generally. The performance-degrading relationship between higher bandwidth speeds and larger signature databases is a well-known problem to the industry,” he explained.
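As an added illustration of the 256/512-byte limit Sweeney describes (example code written for this page, not Tier-3's or any vendor's software; the signature string, file layout and NUL padding length are all constructed): a prefix-limited scanner misses a marker pushed past its window by leading zero bytes, whereas a whole-file scan, or simply measuring the leading NUL run, still flags the file.

```python
# Added example, not from the article: contrasts a naive signature scanner that
# only examines the first N bytes of a file with one that scans the whole file.
# The "signature" is a harmless constructed marker string, not real malware.
from typing import Optional

SIGNATURES = {
    "demo-marker": b"DEMO-SIGNATURE-MARKER",  # constructed stand-in pattern
}


def scan_prefix(data: bytes, limit: int = 512) -> Optional[str]:
    """Naive scanner: looks for signatures only in the first `limit` bytes,
    which is the weakness the article describes."""
    head = data[:limit]
    for name, pattern in SIGNATURES.items():
        if pattern in head:
            return name
    return None


def scan_full(data: bytes, chunk: int = 4096) -> Optional[str]:
    """Scans the entire buffer in chunks, overlapping each window by
    len(pattern)-1 bytes so a match straddling a boundary is still found."""
    overlap = max(len(p) for p in SIGNATURES.values()) - 1
    pos = 0
    while pos < len(data):
        window = data[max(0, pos - overlap):pos + chunk]
        for name, pattern in SIGNATURES.items():
            if pattern in window:
                return name
        pos += chunk
    return None


def leading_nul_run(data: bytes) -> int:
    """Length of the NUL run at the start of the buffer. A long run at the
    head of a text script is itself an anomaly worth flagging."""
    return len(data) - len(data.lstrip(b"\x00"))


def build_padded_sample(padding: int) -> bytes:
    """Constructed input: `padding` NUL bytes, then a benign script body
    carrying the demo marker."""
    body = b"# demo script\n" + SIGNATURES["demo-marker"] + b"\n"
    return b"\x00" * padding + body


if __name__ == "__main__":
    padded = build_padded_sample(1024)
    print("prefix scan :", scan_prefix(padded))        # None (missed)
    print("full scan   :", scan_full(padded))          # demo-marker
    print("leading NULs:", leading_nul_run(padded))    # 1024
```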
Against this backdrop, Sweeney says that behavioural analysis software technology is the logical next step forward, mainly because it protects against unknown (i.e. new) threats as well as known ones, without impacting memory performance.
It protects a system against known and unknown threat vectors and, as such, is far more efficient than a signature- or hash-database-driven approach, which can often require relatively high memory resources, he said, adding that loading ever larger databases into active memory is a problem that can only get worse for conventional anti-malware vendors in the future.
AV Firms Databases Will Fail To Halt Trojan Crimeware Onslaught

As AV Firms Database Sizes Soar, Tier-3 Says Behavioural Analysis Is Now The Logical Best Choice For IT Security Protection