This page contains a single entry from the blog posted on October 27, 2006 8:18 AM.

A great read - "anti-virus is ineffective"

eWeek released yesterday a story, "Rutkowska: Anti-Virus Software Is Ineffective", which I strongly recommend. The article interviews Joanna Rutkowska, who recently gained a lot of press for demonstrating a way to load unsigned code into the Windows Vista x64 kernel, bypassing its driver-signing check. More importantly, she also introduced "Blue Pill".

Blue Pill is a small program that uses the CPU's hardware virtualization extensions (AMD's SVM, in her demonstration) to create a virtual machine and then migrates the running operating system into it on the fly, while Blue Pill itself becomes the "hypervisor" underneath. The hypervisor then has full control of the operating system without the system administrators knowing that anything has changed.

Rutkowska says she thinks it will be two to three years before operating system and hardware vendors create defense mechanisms. She also points out that this kind of attack will usually arrive as a targeted attack rather than as a broad-scale worm.

Her assessment of anti-virus software is harsh. She says of existing anti-virus products: "They all concentrate on finding 'the bad' instead of verifying that system is in a 'good' shape." She goes on: "Similarly, we see that most of the rootkit scanners implement various hacks to detect hidden objects, like hidden processes, forgetting that it's possible to create a powerful stealth malware without even creating a process. There's no need to hide anything. I actually demonstrated a 'stealth-by-design' malware almost a year ago."

Joanna then describes what she thinks the future holds for anti-virus software. Type II malware ("malware which doesn't modify any code sections in memory, just data sections (thus it's so difficult to detect)") should be detected by checking the integrity of all system components.

She points out that even a perfect integrity check of all of the system components will not detect Type III malware, of which Blue Pill is an example: "The whole point about Blue Pill is that it does not introduce even a single byte modification into kernel, or other processes' memory. So, no matter how sophisticated (complete) our integrity checker is, we would never detect it. We can only count on detecting some side effects, like network communication or trying to detect the presence of a hypervisor using a timing analysis."
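The timing side effect she mentions is worth seeing in code. The probe below is an added example, not code from the original post or from Rutkowska: on both Intel VT-x and AMD SVM the CPUID instruction unconditionally causes a VM exit, so its round trip under a hypervisor costs thousands of cycles instead of the tens or low hundreds it costs on bare metal. The 500-cycle threshold and all function names are the example's own assumptions; calibrate the threshold on hardware you know is native.

```c
/*
 * Added example (not from the original post): a crude timing probe for a
 * hidden hypervisor, built on the fact that CPUID always traps to the
 * hypervisor under VT-x and SVM. All names and the threshold are assumed
 * for illustration. Compile with: cc -O2 probe.c -o probe
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>      /* __cpuid() macro (GCC/Clang) */
#include <x86intrin.h>  /* __rdtsc() */
#define HAVE_X86_PROBE 1
#else
#define HAVE_X86_PROBE 0
#endif

/* Cycles consumed by one CPUID, bracketed by RDTSC. CPUID is serializing,
 * so the sample is not skewed by earlier in-flight instructions.
 * Returns 0 on architectures where the probe does not apply. */
static uint64_t one_cpuid_cycles(void)
{
#if HAVE_X86_PROBE
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    (void)a; (void)b; (void)c; (void)d;
    return t1 - t0;
#else
    return 0;
#endif
}

static int cmp_u64(const void *x, const void *y)
{
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of n samples (sorts v in place). The median is used rather than
 * the mean because interrupts and cache misses produce large outliers. */
uint64_t median_u64(uint64_t *v, size_t n)
{
    qsort(v, n, sizeof *v, cmp_u64);
    return v[n / 2];
}

/* Median CPUID cost over up to 256 samples; 0 where no probe is available. */
uint64_t measure_cpuid_median(size_t n)
{
    uint64_t buf[256];
    if (n == 0 || n > sizeof buf / sizeof buf[0])
        n = sizeof buf / sizeof buf[0];
    for (size_t i = 0; i < n; i++)
        buf[i] = one_cpuid_cycles();
    return median_u64(buf, n);
}

/* Decision rule. The threshold is a calibration input, assumed here,
 * not a constant known to be right for every CPU. */
int hypervisor_suspected(uint64_t median_cycles, uint64_t threshold)
{
    return median_cycles > threshold;
}

/* Cooperative check, for contrast: CPUID.1:ECX bit 31 is set by hypervisors
 * that want to be seen (VMware, KVM, Hyper-V, Xen). A stealth hypervisor
 * like Blue Pill leaves it clear, which is why the timing channel matters. */
int hypervisor_bit_set(void)
{
#if HAVE_X86_PROBE
    unsigned a, b, c, d;
    __cpuid(1, a, b, c, d);
    return (int)((c >> 31) & 1u);
#else
    return 0;
#endif
}

int main(void)
{
    const uint64_t threshold = 500; /* assumed; calibrate on known-native hardware */
    uint64_t med = measure_cpuid_median(128);
    printf("median CPUID cost: %llu cycles\n", (unsigned long long)med);
    printf("CPUID hypervisor-present bit: %d\n", hypervisor_bit_set());
    printf("timing verdict: %s\n",
           hypervisor_suspected(med, threshold) ? "hypervisor suspected"
                                                : "looks native");
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, any legitimate hypervisor (a cloud instance, a developer VM) trips this probe just as a malicious one would, so it answers "is there a hypervisor?" rather than "is there a rootkit?". Second, both VT-x and SVM let the hypervisor offset the TSC, and RDTSC can itself be intercepted, so a hypervisor that cares to can shrink the measured gap; comparing against a clock the hypervisor does not control (another machine over the network) is the harder variant to fool.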

All in all, I can't imagine a stronger case for a multi-layered enterprise defense strategy. Enterprises must accept that their existing firewalls and anti-virus software will not stop every attack over the next one to three years, and so they need to add stronger layers of defence around their higher-risk networks, applications and information.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
