The failure of the antivirus industry

By Juha Saarinen

[Blog post] Insights from AVAR 2014.

The interesting thing about nostalgia is things were seldom better in the past.

However, you can't really fault the attendees at the recent Association of Anti-Virus Researchers conference in Sydney for longing for better times, because the present malware situation is nightmarish.

At AVAR 2014 there were some serious deep-dives into low-level malware analysis, and it was useful to be reminded of how the malware scene has evolved over a relatively short period of time.

Not that long ago, the main motivation of virus writers was to cock a snook at users with silly messages and colourful screens. It was fun as both sides tried to outwit one another.

Source: Juraj Malcho, ESET

That changed pretty rapidly with more destructive viruses trying to either destroy user data or lock it away - in some cases, the malware even targeted hardware vulnerabilities.

The number of new malware discovered has increased from 300 a month a decade ago to 350,000 a month this year.

What that tells us is that the antivirus industry has failed in what it set out to do.

Don't get me wrong: we're better off with an antivirus/security industry than without it, and it employs some brilliant people who do fantastic work keeping our IT systems safe.

The researchers, however, face formidable forces that are motivated and skilled - and increasingly well-resourced.

ESET chief technology officer Pavel Luka estimated that there's at least a US$5 billion business out there for the bad guys - the security industry turns over US$6 billion.

Some digital miscreants do it for the money but then there are intelligence agencies and private companies joining in to exploit vulnerabilities for purported national security purposes.

This is in an environment where vendors churn out ever more networked equipment that is seldom tested for security and vulnerabilities.

That's before we consider users themselves doing dangerous and dodgy things.

With so much against it, it's amazing the antivirus industry has managed to provide any level of protection, but the industry won't solve the problem with the current thinking.

F-Secure chief research officer Mikko Hyppönen touched upon how his industry had failed its users massively by not detecting the Stuxnet state-sponsored malware two years ago. 

This week, we've been told about another state-sponsored malware, Regin, that may have been kicked off in 2003, and hit the antivirus industry radar five to eight years later. 

If that's the case, does Regin count as another antivirus industry failure?

At the time, Hyppönen suggested that antivirus alone was insufficient, and a defence-in-depth approach with multiple elements such as intrusion detection systems was required.

To some extent that's true, but all the technology deployed in the past has done very little to decrease the threats faced by organisations and individuals.

What's more, the technology deployed by antivirus vendors is usually good but it can't cover every case, not even with generics and behaviour blockers that aim to catch new and unknown bits of evil (in-joke for the AV oldies: hope Zvi Netiv doesn't read this).

It would have been apparent to the antivirus companies that malware and exploiting vulnerabilities would become not just a massive business but also an infowar weapon.

What the industry needs is binding international agreements that outlaw state-developed malware and cut off the money flows to cyber crims, while having technology safety certification schemes in place.

Greater transparency would also help - meaning that any entity that discovers malware should name the creators.

Instead, what the industry faces is secrecy and a threat landscape that's growing bigger by the day - and that is the real failure.

Unfortunately, it may be too late for the industry to address that oversight, as it's unlikely governments and criminals will want to give up their cyber weapons arsenals.

A few years on from now there won't be much nostalgic fun to be had.

Juha Saarinen
Juha Saarinen has been covering the technology sector since the mid-1990s for publications around the world. He has been writing for iTnews since 2010 and also contributes to the New Zealand Herald, the Guardian and Wired's Threat Level section. He is based in Auckland, New Zealand.