Besides the traditional method of searching for virus signatures, such as matching a file against a virus 'mask' (a fixed fragment of known malicious code), there is a range of detection technologies aimed at recognizing new, as yet unknown, malicious programs. The quality of these technologies helps to raise the overall level of protection provided by each product. Such proactive protection methods include heuristic analysis of code and behavior blockers.
Now and again, antivirus vendors try to invent some innovative technology that would solve all of the problems discussed so far in one stroke: a panacea that could protect every computer from every type of attack, once and for all. They try to 'proactively' protect the user by detecting and removing viruses and other emerging malware before it has even been written and released.
Unfortunately, this well-intentioned quest remains unfulfilled. Universal solutions can only be applied to well-defined problems, and computer viruses do not play by fixed rules. They are not the product of some documented process; they originate in the often sophisticated mind of the attacker, and their techniques change constantly in line with the aims and interests of the people writing them.
Let's look at how a behavior blocker differs in detection methodology from a traditional signature-based antivirus. The two use very different approaches to reach the same goal. Signature detection compares a program's code with fragments of known malicious code, looking for an exact match. A behavior blocker monitors the launch and operation of programs, checks that their actions conform to a set of rules, and stops them if they do something suspicious or obviously malicious. Both methods have their own advantages and disadvantages.
On the plus side, a signature scanner is guaranteed to trap any 'beast' it recognizes. The minus is that it will miss anything it has not seen before. Another minus is that signature databases grow very large, and scanning against them can consume considerable system resources. Behavior blockers have the advantage of being able to detect malicious programs they have never seen. However, they can easily miss even well-known malware, because the behavior of modern viruses and Trojans is so varied that no single set of rules can cover everything. A further downside of behavior blockers is that they occasionally produce false positives, since legitimate programs sometimes behave in unexpected ways. So from time to time a behavior blocker will let a malicious program through and block a legitimate one.
A behavior blocker has one more inherent drawback: it cannot stay ahead of attackers who adapt to it. Let's take as an example Company X, which has developed a behavior-blocking program called AVX capable of trapping 100% of all current viruses. How would virus writers react? They would invent an altogether different way of infecting the system, one that AVX's rules do not describe. AVX would then need new behavior recognition rules, so Company X issues an update. Then more updates, and more again, as the virus writers keep finding ways around each one. In the end we are back to a signature scanner, where the signatures take the form of 'behaviors' instead of 'fragments of code'.
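The following toy implementation, added here as an illustration and not taken from any product or sample described on this page, puts the two approaches side by side: a signature scanner that looks for stored byte fragments, and a behavior blocker that applies rules to a recorded trace of a program's actions. The byte 'masks', event traces, rule names and file paths are all constructed. It shows the four cases discussed above: a known worm caught by both methods, a repacked copy that only the behavior rule catches, a legitimate updater that the behavior rule wrongly blocks, and a dropper that sidesteps the rule by persisting through a scheduled task instead of the Run key, which then has to be 'patched' by widening the rule, in effect adding a new behavior signature.

```python
"""Added example: a toy signature scanner next to a toy behavior blocker.

Everything here is constructed for illustration: the byte 'masks', the
event traces, rule names and paths are not from any real product or sample.
"""
from dataclasses import dataclass

# An event is (kind, target): the action the monitor observed and the
# file path, registry key, host or task it acted on.
Event = tuple[str, str]


@dataclass
class Sample:
    name: str
    code: bytes          # constructed stand-in for the executable image
    trace: list[Event]   # constructed record of what it did when run


# Signature database: fragments of known malicious code (constructed).
SIGNATURES = {
    "Worm.Toy.A": b"\x90\x90\xeb\x0f\x5e\x31\xc9\x80\x36\x41",
    "Trojan.Toy.B": b"SPAWN_SHELL_AND_DIAL_HOME",
}


def signature_scan(sample: Sample) -> list[str]:
    """Return the names of every known fragment found in the sample's code."""
    return [name for name, mask in SIGNATURES.items() if mask in sample.code]


def rule_drop_persist_launch(trace: list[Event],
                             persistence=("reg_set_run",)) -> bool:
    """Fire when a program writes an .exe, registers it to start automatically
    and then launches it. 'persistence' lists the event kinds the rule treats
    as autostart registration; this is the part an attacker can route around."""
    written, registered = set(), set()
    for kind, target in trace:
        if kind == "write" and target.lower().endswith(".exe"):
            written.add(target)
        elif kind in persistence and target in written:
            registered.add(target)
        elif kind == "exec" and target in registered:
            return True
    return False


def rule_mass_mail(trace: list[Event], threshold: int = 20) -> bool:
    """Fire when a program opens SMTP connections to many distinct hosts."""
    hosts = {target for kind, target in trace if kind == "smtp_connect"}
    return len(hosts) >= threshold


RULES = {
    "Behavior.DropPersistLaunch": rule_drop_persist_launch,
    "Behavior.MassMail": rule_mass_mail,
}


def behavior_block(sample: Sample, rules=RULES) -> list[str]:
    """Return the names of every behavior rule the sample's trace triggers."""
    return [name for name, rule in rules.items() if rule(sample.trace)]


# ---- constructed samples ---------------------------------------------------
def _mailer_trace(n: int) -> list[Event]:
    return [("smtp_connect", f"mx{i}.example.net") for i in range(n)]


KNOWN_WORM = Sample("known_worm",
                    b"\x55\x89\xe5" + SIGNATURES["Worm.Toy.A"] + b"\xc3",
                    _mailer_trace(40))
# Same behavior, but repacked so no stored fragment appears in the code.
REPACKED_WORM = Sample("repacked_worm", b"UPX!" + bytes(range(48)),
                       _mailer_trace(40))
# A legitimate updater: drops a new binary, registers it, runs it.
UPDATER = Sample("vendor_updater", b"MZ... updater ...", [
    ("write", "C:\\Program Files\\Vendor\\update.exe"),
    ("reg_set_run", "C:\\Program Files\\Vendor\\update.exe"),
    ("exec", "C:\\Program Files\\Vendor\\update.exe"),
])
# Dropper that sidesteps the rule: persists via a scheduled task, not Run.
EVASIVE_DROPPER = Sample("evasive_dropper", b"MZ... dropper ...", [
    ("write", "C:\\Users\\Public\\svc.exe"),
    ("schtask_create", "C:\\Users\\Public\\svc.exe"),
    ("exec", "C:\\Users\\Public\\svc.exe"),
])

# The vendor's 'update' once the evasion is seen: the rule is widened, which
# is exactly the behavior-as-signature treadmill the text describes.
RULES_V2 = dict(RULES)
RULES_V2["Behavior.DropPersistLaunch"] = lambda t: rule_drop_persist_launch(
    t, persistence=("reg_set_run", "schtask_create"))

if __name__ == "__main__":
    for s in (KNOWN_WORM, REPACKED_WORM, UPDATER, EVASIVE_DROPPER):
        print(f"{s.name:16} sig={signature_scan(s)} "
              f"beh_v1={behavior_block(s)} beh_v2={behavior_block(s, RULES_V2)}")
```

Running it shows the trade-off in one table: the repacked worm is invisible to the signature scanner but not to the mass-mail rule, the vendor updater trips the drop-persist-launch rule even though it is benign, and the evasive dropper passes version 1 of the rules and is only caught after the rule is widened. Note that widening the rule also keeps the false positive on the updater; the rule update does not fix the precision problem, it only closes one gap.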
The same scenario applies to the heuristic analyzer, another proactive method that looks for suspicious features in a program's code or in its behavior at launch and during operation, and stops it if it appears malicious. As soon as such technologies start to seriously hinder attackers, a new set of malware techniques emerges that is designed to evade them. As soon as a product with advanced heuristics and behavior blocking becomes popular, it attracts the attackers' attention and its rules lose their effectiveness.
Thus newly-invented proactive technologies tend to have a very limited shelf-life. Whilst amateur virus writers may take weeks or months to bypass a new proactive technology, the more experienced among them may find a way around it in hours or even minutes. However effective it is, a behavior blocker or heuristic analyzer requires constant improvement and updating. It should be remembered that adding a new signature to an antivirus database takes just minutes, whereas developing and testing a change to proactive protection logic is far more time-consuming. In practice, virus signatures can be added to databases and released as updates considerably faster than corresponding updates to proactive technologies can be issued. This has proven to be the case in many email and network worm epidemics, as well as with spyware and other criminal software.
None of this means, of course, that proactive protection methods are useless. They do their job and are capable of blocking a great deal of unsophisticated malware written by relatively unskilled authors. They are therefore a worthwhile addition to traditional signature scanners, but should not be relied upon in isolation.