Cloud Services is now a must
In avast! 7.3, gone is the prompt asking to run in the sandbox. The addition of the Cloud Services adds a highly mature white listing / black listing database with tens of millions of files. This database is too large to be housed on the PC, and requires the Reputation Services to be enabled. The AutoSandbox learns from every user, everyday! With 180 million users, this database is the most extensive of its type in the world. Removing known code from white/black listing, unknown code is then analyzed for other variables, including file prevalence/reputation, origin, source URL, signature, and static analysis. Streaming Updates allow avast! to always stay up-to-date against the latest threats.
Polymorphic code is the real problem
There are three types of files; Known, New, and Rare. Known files are easily identified using existing DAT technology and Cloud Services. Most Rare files are Polymorphic, which is impossible to detect using DAT technology. Injection of random characters and code scramblers guarantee that each sample is significantly unique (Microsoft uses code scramblers on Service Packs to prevent reverse engineering). With Polymorphism, the programmer, and the program, does not need to know the payload in advance. The exact behavior is only determined at execution. Final stage of assembly includes encryption into a self expanding executable. The packer information is embedded at the end of the file. Before the packer algorithm is understood, all initial scans see no decipherable code. So far, our antivirus has really had nothing to go. When the packer is known, the AutoSandbox will now decrypt the file using an appropriate decompression algorithm. If the file is not deemed safe, or it uses an unknown packer, then the file must be executed in the sandbox. As this code executes, it is interrupted at different levels for structural checks, undergoing analysis for viral characteristics and behavior. Did “start, run” open; was the registry modified?). If at any time the code is confirmed as malicious, it is moved directly to the virus chest. Under full analysis, the user will see “This code is being analyzed” for a maximum of 15 seconds. If at any time the code is deemed safe, it is allowed to fully execute. This type of code analysis will change antivirus software as we know it!
DAT detection, as we have known it, is basically dead, and here’s why. The Polymorphic infection engine guarantees that every sample will have a different DAT. They prevent analysis by halting multiple downloads to the same location. Some samples, such as the “Storm” worm, have a “self-defense” module. It will attack any Internet address that trips this module, and cause a denial-of-service towards any investigation. This intelligent “anti-analysis” technology hinders antivirus vendors, as they can only obtain just a few samples at best.
Every organized crime syndicate and terrorist organization has a cyber division. It is their number one monetary source of income to fund their organization. A single virus writer, with a single Polymorphic engine, can produce over 30,000 unique samples per day. Multiply this times: how many Polymorphic engines can he do, and how many servers he controls, times how many of his peers have this job, times how many organizations, and this number of unique infections is growing exponentially every day.
The sheer effort required for data entry to obtain and insert all these new definitions becomes theoretically impossible. The only real advantage to “brute Force” definitions is higher rankings in antivirus tests. The more definitions you have, the more samples you catch, the higher your ratings. The problem is that current antivirus testing does not mimic real life occurrences. How can you test, what you haven’t seen. How can you test what doesn’t exist yet. This is why, DAT detection, as we have known it, is dead!
How can we protect ourselves against Polymorphism?
1) Unplug the Ethernet cable and go offline – This defeats the whole idea of Internet, cloud applications, and email. Can’t we find a happy medium?
2) Virtualize your browser – This technology was slow to be adopted. Some functions / websites wouldn’t operate properly. The browsing experience was slowed, and you couldn’t save / install the way you normally did. This step offered no protection for email (my Outlook would not run in the sandbox).
3) AutoSandbox 7.3 is the only logical conclusion that I can see. Even adding a superior antispyware application, like Malwarebytes, or SuperAntiSpyware, does not completely prevent the possibility of infection.