The Antivirus Era Is Over - UNM 2020

6/12/12 The Antivirus Era Is Over ‑ Technology Review 

Published by MIT 

English en Español auf Deutsch in Italiano Ì 5 em Português 

HOME COMPUTING WEB COMMUNICATIONS ENERGY BIOMEDICINE BUSINESS VIEWS VIDEO EVENTS MAGAZINE 

C O M P U T I N G 

The Antivirus Era Is Over 

Conventional security software is powerless against sophisticated attacks like 

Flame, but alternative approaches are only just getting started. 

MONDAY, JUNE 11, 2012 BY TOM SIMONITE 

Audio » 

Veer | PixelEmbargo 

READ MORE » 

Two weeks ago today, computer security labs in Iran, Russia, and Hungary announced the 

discovery of Flame, "the most complex malware ever found," according to Hungary's CrySyS 

Lab. 

For at least two years, Flame has been copying documents and recording audio, keystrokes, 

network traffic, and Skype calls, and taking screenshots from infected computers. That 

information was passed along to one of several commandandcontrol servers operated by its 

creators. In all that time, no security software raised the alarm. 

Flame is just the latest in a series of incidents that suggest that conventional antivirus software 

is an outmoded way of protecting computers against malware. "Flame was a failure for the 

antivirus industry," Mikko Hypponen, the founder and chief research officer of antivirus firm F 

Secure, wrote last week. "We really should have been able to do better. But we didn't. We were 

out of our league, in our own game." 

The programs that are the lynchpin of computer security for businesses, governments, and 

consumers alike operate like the antivirus software on consumer PCs. Threats are detected by 

comparing the code of software programs and their activity against a database of "signatures" 

for known malware. Security companies such as FSecure and McAfee constantly research 

reports of new malware and update their lists of signatures accordingly. The result is supposed 

to be an impenetrable wall that keeps the bad guys out. 

www.technologyreview.com/news/428166/the‑antivirus‑era‑is‑over/ 

MORE IN COMPUTING 

Stay Connected 

Twitter 

YouTube 

Facebook 

StumbleUpon 

Newsletters Mobile Apps RSS Feeds 

Want Technology Review magazine delivered to 

your doorstep, desktop, or tablet? 

Order now » 

Technology Review Lists 

Use Their App, Keep Your Data 

Technologies Innovators Companies 

TR10 

Read more » 

search 

Our list of the 10 most innovative 

technologies of 2012. See list » 

UltraEfficient Solar 

Under the right 

circumstances, solar cells 

from Semprius could 

produce power more 

cheaply than fossil fuels. 

Explore our TR10 List: previous next 

Sponsored Content 

TECHNOLOGIES FROM NATIONAL 

INSTRUMENTS 

Welcome back, cirra 

1/5


However, in recent years, highprofile attacks on not just the Iranian government but also the 

U.S. government have taken place using 

software that, like Flame, was able to waltz 

straight past signaturebased software. Many 

technically sophisticated U.S. companies— 

including Google and the computer security 

firm RSA—have been targeted in similar 

ways, albeit with less expensive malware, for 

their corporate secrets. Smaller companies 

are also routinely compromised, experts say. 

Some experts and companies now say it's 

time to demote antivirusstyle protection. "It's 

still an integral part [of malware defense], but 

it's not going to be the only thing," says 

Nicolas Christin, a researcher at Carnegie Mellon University. "We need to move away from 

trying to build Maginot lines that look bulletproof but are actually easy to get around." 

Both Christin and several leading security startups are working on new defense strategies to 

make attacks more difficult, and even enable those who are targeted to fight back. 

"The industry has been wrong to focus on the tools of the attackers, the exploits, which are 

very changeable," says Dmitri Alperovitch, chief technology officer and cofounder of 

CrowdStrike, a startup in California founded by veterans of the antivirus industry that has 

received $26 million in investment funding. "We need to focus on the shooter, not the gun—the 

tactics, the human parts of the operation, are the least scalable." 

CrowdStrike isn't ready to go public with details of its technology, but Alperovitch says the 

company plans to offer a kind of intelligent warning system that can spot even completely novel 

attacks and trace their origins. 

This type of approach is possible, says Alperovitch, because, although an attacker could easily 

tweak the code of a virus like Flame to evade antivirus scanners once more, he or she would 

still have the same goal: to access and extract valuable data. The company says its 

technology will rest on "big data," possibly meaning it will analyze large amounts of data related 

to many traces of activity on a customer's system to figure out which could be from an 

infiltrator. 

Christin, of Carnegie Mellon, who has recently been investigating the economic motivations and 

business models of cyber attackers, says that makes sense. "The human costs of these 

sophisticated attacks are the one of the largest," he says. Foiling an attack is no longer a 

matter of neutralizing a chunk of code from a lone genius, but of defeating skilled groups of 

people. "You need experts in their field that can also collaborate with others, and they are rare," 

says Christin. Defense software that can close off the most common tactics makes it even 

harder for attackers, he says. 

Other companies have begun talking in similar terms. "It goes back to that '80s law 

enforcement slogan: 'Crime doesn't pay,' " says Sumit Agarwal, a cofounder of Shape Security, 

another startup in California that recently came out of stealth mode. The company has $6 

million in funding from exGoogle CEO Eric Schmidt, among others. Agarwal's company is also 

keeping quiet about its technology, but it aims to raise the cost of a cyber assault relative to the 

economic payoff, thus making it not worth the trouble to carry out. 

A company with a similar approach is Mykonos Software, which developed technology that 

helps protect websites by wasting hackers' time to skew the economics of an attack. Mykonos 

was bought by networking company Juniper earlier this year. 

Antivirus companies have been quick to point out that Flame was no ordinary computer virus. It 

came from the wellresourced world of international espionage. But such cyberweapons cause 

collateral damage (the Stuxnet worm targeted at the Iranian nuclear program actually infected 

an estimated 100,000 computers), and features of their designs are being adopted by criminals 

and lessresourced groups. 

"Never have so many billions of dollars of defense technology flowed into the public domain," 

says Agarwal of Shape Security. While the U.S. military goes to extreme lengths to prevent 


Triggering 

Learn how to configure a start trigger on a 

USB data acquisition device 

> Click here for more National Instruments Videos < 

Whitepaper 

How To Measure Voltage 

Voltage is the difference of electrical potential 

between two points of an electrical or electronic 

circuit, expressed in volts. It measures the 

potential energy of an electric field to cause an 

electric current in an electrical conductor. 

Most measurement devices can measure 

voltage. Two common voltage measurements 

are direct current (DC) and alternating current 

(AC). 

Learn the fundamentals of creating an AC or 

DC voltage measurement system. See how to 

properly connect the signals to your data 

acquisition system for accurate acquisition. 

This document is part of the HowTo Guide for 

Most Common Measurements centralized 

resource portal. 

View full PDF > Listen to story > 

Find us on 

2/5


aircraft or submarines from falling into the hands of others, military malware such as Flame or 

Stuxnet is out there for anyone to inspect, he says. 

Agarwal and Alperovitch of CrowdStrike both say the result is a new class of malware being 

used against U.S. companies of all sizes. Alperovitch claims to know of relatively small law 

firms being attacked by larger competitors, and green technology companies with less than 100 

employees having secrets targeted. 

Alperovitch says his company will enable victims to fight back, within the bounds of the law, by 

also identifying the source of attacks. "Hacking back would be illegal, but there are measures 

you can take against people benefiting from your data that raise the business costs of the 

attackers," he says. Those include asking the government to raise a case with the World Trade 

Organization, or going public with what happened to shame perpetrators of industrial 

espionage, he says. 

Research by Christin and other academics has shown that chokepoints do exist that could 

allow relatively simple legal action to neutralize cybercrime operations. Christin and colleagues 

looked into scams that manipulate search results to promote illicit pharmacies and concluded 

that most could be stopped by clamping down on just a handful of services that redirect visitors 

from one Web page to another. And researchers at the University of California, San Diego, 

showed last year that income from most of the world's spam passes through just three banks. 

"The most effective intervention against spam would be to shut down those banks, or introduce 

new regulation," says Christin. "These complex systems often have concentrated points on 

which you can focus and make it very expensive to carry out these attacks." 

But Agarwal warns that even retribution within the law can be illjudged: "Imagine you're a large 

company and accidentally swim into the path of the Russian mafia. You can stir up a larger 

problem than you intended." 

RELATED ARTICLES 

Apple Charts a New 

Course on Mobile 

Maps 

At its annual conference, 

Apple announced it will 

move away from Google 

with its own mapping 

app, along with new Mac 

and mobile software. 

Send 135 people 

recommend 

Use Their App, Keep 

Your Data 

A modified version of 

Android feeds datasnooping 

apps fake 

bookmarks and empty 

contact lists. 

TAGS ANTIVIRUS SOFTWARE COMPUTER SECURITY GOOGLE 

4 comments 186 people listening 

cirra 


Translation Tools 

Could Save Less 

Used Languages 

Languages that aren't 

used online risk being left 

behind. New translation 

technology from Google 

and Microsoft could help 

them catch up. 

3/5


Privacy 

Terms of Use 

Sitemap 

+ Follow conversation 

Sort: Newest | Oldest 

About Technology Review 

Advertise with Us 

Work for Us 

Events 

Contact Us 

Post to 


Get the Magazine 

Manage Subscriptions 

Reprints and Permissions 

Customer Service 

Feedback 

Post comment 

vnedovic 

Great article until the very last paragraph. These people are smart enough not to use such 

stupid stereotypes. At the level of complexity discussed, every party is dangerous, regardless 

of its roots. The four legstwo legs reasoning in such cases sounds rather like propaganda than 

an argument. 

6 HOURS AGO 

Like 

Reply 

wctopp 

wonder how the stolen info makes it from the target computer back to the server collecting the 

info w/o someone spotting a permanently open i.p. link (direct or otherwise) between the two. 

even if it's intermittent and randomly so, over time it's persistently there. over a day my 

computer connects with thousands or tens of thousands of i.p. addresses but day to day only 

a few are always there and they're predictable (my preferred DNS, google, reuters etc.) 

9 HOURS AGO 

Like 

R Sweeney 

How sweet, Obama destroys the entire world of the internet for a chance to delay Iran and 

pretend he isn't doing it. 

17 HOURS AGO 

Like 

Reply 

Reply 

jonfingas 

R Sweeney The Stuxnet program (and quite possibly Flame, based on code 

age) was started under Bush Jr., not the current president. Obama's decision was, 

once he was told it had 'escaped,' to either close up shop or double down (the option 

he picked). If you have to blame him for something, blame him for that, although he 

was worried that Israel would get antsy and launch a realworld attack if it didn't think 

malware was keeping Iran at bay (remember, they struck Iraq's Osirak reactor in the 

1980s). It's hard to say if he was being overly servile to Israel or heading off 

disaster. Goodness knows there's a lot of Republicans that would gleefully start a 

military invasion first and question the wisdom of it later. 

8 HOURS AGO 

Like 

Reply 

Stay Connected 

Twitter YouTubeFacebook StumbleUpon 

Newsletters 

Mobile Apps 

RSS Feeds 

Take a 2 or 5 Day Executive 

Development Program or 

earn a professional 

certificate 

VISIT EXECUTIVE.MIT.EDU 

4/5



5/5

The Antivirus Era Is Over - UNM 2020

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?