We have all been taught (and intuitively felt) that traditional antivirus signatures are, for the most part, a waste of time. I think I have myself argued something similar repeatedly. One could say that “byte signatures don’t work” is accepted conventional wisdom in the security industry. Especially in the light of the recent (and much-publicized) Aurora-attacks, this conventional wisdom appears to ring truer than ever.
One thing though that I have personally always liked about the security industry was the positive attitude towards challenging conventional wisdom — re-examining the assumptions underlying this wisdom. In this post (and the upcoming sequel), I will do just that: I will examine the reasons why everyone is convinced that traditional byte signatures do not work and ask questions about the assumptions that lead us to this conclusion.
So. Why do we think that traditional antivirus signatures are a waste of time?
Let’s first recapitulate what the usual cycle in a targeted attack consists of:
- The attacker writes or obtains a backdoor component
- The attacker writes or obtains an exploit
- The attacker tests both exploit and backdoor against available AV tools, making sure that neither is detected
- The attacker compromises the victim and starts exfiltrating data
- The defender notices the attack, passes the backdoor to the AV company, and cleans up his network
- The AV company generates a signature and provides it to both the attacker and defender
- Goto (2)
This entire cycle can be clarified with a few pictures:
Let’s look at this diagram again. What properties of “byte signatures” does the attacker exploit in immunizing his software? Well, none, really, except the fact that he fully knows about them before launching his attack. There is no information asymmetry: the attacker has almost exactly the same information that the defender has. Through this, he is provided with a virtually limitless number of trial runs of his attack, and he can adapt his attack arbitrarily, over long time periods, until he is reasonably certain that it will be both successful and undetected.
The implication of this is that the underlying problem is not a feature of byte signatures, but rather a generic problem inherent in all security systems that provide identical data to both attackers and defenders and that have no information asymmetry at all.
In the next post, I will examine two approaches to how this problem could be addressed in order to give the defender an advantage.