February 1, 2013 | By Paul Mah
Hackers based in China have allegedly broken into the networks of the New York Times and, separately, the Wall Street Journal. In the case of the former, security experts hired to investigate the break-ins found clues that point to the attack being the work of a state-sponsored hit team. According to investigators, these hackers were trying to find the names of those who provided information for a report that placed China’s prime minister in a negative light. You can read more about the story here.
What caught my attention, though, was how 45 different pieces of malware code were apparently used to help the hackers worm their way further into the network. This happened despite the presence of Symantec anti-virus defenses, which were able to identify and quarantine just one of the deployed pieces of malware.
So why did the anti-virus software from one of the top security vendors in the world fail to detect the threats?
Symantec declined to comment in the original Times report, citing company policy regarding its customers. So, it is left to us to take a stab at the answer. Fortunately, the conclusion in this instance is as simple as it is obvious: the definition-based security software installed did not have signatures for the malware that was used.
And it’s no wonder, since the malware consisted of customized pieces of code designed specifically for online intrusions. Because they were never spotted “in the wild” previously, security vendors never had the opportunity to study, catalogue and include them in virus definition files.
To be clear, this problem pertains to definition-based security software everywhere, not just Symantec’s. While security vendors would like us to think that their products are perfectly adequate against new and unknown threats, this particular incident proves that they don’t work that well. The sobering truth is that good malware writers will first test their latest creation against the latest security software.
It’s not that alternative methods don’t exist. Whitelisting, for example, works fairly well by only allowing known (and trusted) files to run. Unfortunately, the technology has not enjoyed the kind of mainstream acceptance that definition-based security software has.
Without going into the complexity and challenges that arise from a pure whitelisting solution deployment, I believe that a viable solution based on both definition and whitelisting can be put together by the top security vendors today, if they put their heads together. Ultimately, the onus is on them to re-engineer their products to combat the clear and present dangers of custom malware.
– Paul Mah (Twitter @paulmah)
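The gap described above, as an added example that is not from the original article or from any vendor's product: a definition-only scanner is default-allow, so a never-catalogued sample runs, while a policy combining definitions with whitelisting blocks it. Exact SHA-256 matches stand in for real signatures, and every name and sample file below is constructed for illustration.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    QUARANTINE = "quarantine"
    BLOCK_UNKNOWN = "block-unknown"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed samples: byte strings stand in for executable files.
KNOWN_MALWARE = b"constructed: malware already catalogued by the vendor"
CUSTOM_MALWARE = b"constructed: custom tool never seen in the wild"
TRUSTED_APP = b"constructed: approved application v1"
UPDATED_APP = b"constructed: approved application v2, not yet re-approved"

# Simplification (assumption): a "definition" here is an exact file hash.
DEFINITIONS = {sha256(KNOWN_MALWARE)}
# Allowlist of files the organisation has approved to run.
ALLOWLIST = {sha256(TRUSTED_APP)}


def definition_only(data: bytes) -> Verdict:
    """Default-allow: whatever has no matching definition is left to run."""
    return Verdict.QUARANTINE if sha256(data) in DEFINITIONS else Verdict.ALLOW


def hybrid(data: bytes) -> Verdict:
    """Definitions first, then default-deny for anything not allowlisted."""
    digest = sha256(data)
    if digest in DEFINITIONS:
        return Verdict.QUARANTINE
    if digest in ALLOWLIST:
        return Verdict.ALLOW
    return Verdict.BLOCK_UNKNOWN


if __name__ == "__main__":
    samples = {"known malware": KNOWN_MALWARE, "custom malware": CUSTOM_MALWARE,
               "trusted app": TRUSTED_APP, "updated app": UPDATED_APP}
    for name, data in samples.items():
        print(f"{name:15} definition-only={definition_only(data).value:11}"
              f" hybrid={hybrid(data).value}")
```

The updated-app case shows one deployment cost of whitelisting: a legitimate file whose hash has changed stays blocked until it is approved again.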