X

New antivirus software looks at behaviors, not signatures

In the war with online scammers, security vendors like AVG and Damballa are increasingly turning to software that monitors behavior of code rather than its signature.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read

It could be argued that security vendors are losing the battle with online scammers whose programs sneak onto computers and drop malicious programs, opening the computers up to remote attacks and turning them into zombies in botnet armies.

AVG

The problem is that most computers today rely on antivirus software that blocks malware by checking the code in a file against a database of signatures of known viruses. With thousands of new viruses arriving each day, many of them encrypted in part or otherwise disguised with modification, the signature lists require frequent updates and many new viruses slip through undetected.

As a result, security providers are turning their attention to behavior-based approaches for identifying new viruses, with software that focuses on watching for suspicious behavior, such as a program trying to write data to an executable program. Two security companies are set to make announcements on Monday that follow this trend.

Antivirus provider AVG is introducing AVG Identity Protection, software that analyzes the behavior and characteristics of programs running on a computer and shuts down activity that looks suspicious. The software is based on technology the firm acquired when it bought identity theft specialist Sana Security in January.

"The antivirus companies are flooded with malware to add to signature databases," with 20,000 to 30,000 new unique samples coming out every day, said Roger Thompson, chief research officer at AVG. "It's time to do something different."

Damballa

Meanwhile, Damballa is releasing its Failsafe 3.0 appliance that is designed to discover botnet malware on computers by listening for communications between compromised systems and command-and-control nodes controlled by attackers on the Internet.

As much as 5 percent of computers in a corporation are compromised with targeted attack type of bot malware, even with up-to-date antivirus and intrusion detection software in use, said Bill Guerry, vice president of product management and marketing at Damballa.

Of a sample of more than 200,000 malware samples scanned by a leading antivirus tool over six months, the average gap between the release of the virus and its detection was 54 days, with almost half going undetected on the day received and 15 percent still undetected after 180 days, according to a Damballa study.

Another company, Triumfant, announced behavior-based software last week that protects companies against zero-day attacks that arise from exploits of security vulnerabilities in software that has not yet been patched.

Triumfant Resolution Manager looks for changes in attributes of the computer, such as registry keys, security and port settings, and performance statistics, and removes code that is suspicious.