
Lies, big lies and antiviruses. Part Five: "And the king is naked!"

What rules this world? The press? Television? Giant corporations? No: the economy. It is the economy that controls people who want money, and people who want money make up the overwhelming majority of all those who are willing and able to act at all.

Where does the economy of malicious software come from? From the margin: the resources stolen from an ordinary user minus the cost of getting past the protection. Simple and logical, isn't it?

What does it cost to bypass modern anti-virus tools? Given that epidemics occur regularly, while most users still run an antivirus with regularly updated signature databases, the conclusion is disappointing: the cost of bypassing a modern antivirus is low enough that the economics of malicious software work out.

This happens because all antiviruses implement a "blacklist" approach to security: "I know this module (or this program behaviour) is bad, so I block it." It is enough to disguise the module, breaking the signature match and pretending to be "well-behaved", and the whole defence is broken. While the information crawls to the vendor, and while they react there, you can act without fear of anyone or anything. And so that the antivirus does not get in the way any further, you simply switch it off. There is nothing complicated about it: few expenses, and then only profit, profit and nothing but profit. The king is naked!

Only fundamentally different approaches can raise the cost of circumventing a protection tool so far that a business built on malicious software becomes unprofitable altogether. Why? Let's look at the economics of breaking these newer kinds of protection.

If you take the non-blacklist approaches, there are only two of them:

1. Based on whitelists: we forbid launching everything that we do not positively know to be good and harmless.

2. Based on the sandbox model: potentially dangerous processes are isolated from all other processes and from the operating system.

Pure whitelist solutions are not applicable in a mass product, because they are very hard for the user to live with. A program of this type will "swear" whenever the software in use is updated, for example, until the new files land in the central database that stores the checksums of "good" modules. In addition, almost all such solutions have an inherent weakness in handling files that contain scripts: a script is just a set of text lines, and entirely legitimate (often system) executables interpret those lines as commands to act on. So either bypassing them is fairly trivial, or it is practically impossible, but then working with them is practically very difficult as well.
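The script weakness above is easy to see in code. The following is an added illustration, not code from the original article or from any real whitelisting product: a checksum allowlist that only hashes the executable image, beside one that also insists on hashing every script file handed to a known interpreter and refuses inline code it cannot hash. The interpreter names, file names and file contents are constructed for the example; nothing is executed, files are only hashed.

```python
import hashlib
import os
import shutil
import tempfile

# Hypothetical set of executables known to be script interpreters. Such a
# file passes its own hash check and then runs whatever text it is given.
INTERPRETER_NAMES = {"python3", "sh", "bash", "wscript.exe", "powershell.exe"}


def sha256_of(path):
    """Return the hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def image_only_decision(argv, allowed_hashes):
    """Naive whitelist: allow the launch if the executable image itself is
    on the list. Arguments, including any script file, are ignored."""
    return sha256_of(argv[0]) in allowed_hashes


def script_aware_decision(argv, allowed_hashes, interpreter_names):
    """Whitelist that treats a trusted interpreter as only half a decision:
    every script file it is handed must be on the list too, and inline code
    (e.g. "-c ...") that cannot be hashed is refused."""
    exe = argv[0]
    if sha256_of(exe) not in allowed_hashes:
        return False
    if os.path.basename(exe) not in interpreter_names:
        return True
    script_args = [a for a in argv[1:] if os.path.isfile(a)]
    if not script_args:
        return False
    return all(sha256_of(s) in allowed_hashes for s in script_args)


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed scenario in a temp dir and return both decisions
    for three launches, keyed by launch name."""
    workdir = tempfile.mkdtemp()
    try:
        interp = os.path.join(workdir, "python3")         # stands in for an interpreter binary
        reviewed = os.path.join(workdir, "deploy.py")     # a script the admin has approved
        unreviewed = os.path.join(workdir, "dropper.py")  # a script nobody has looked at
        _write(interp, b"placeholder bytes standing in for an interpreter binary\n")
        _write(reviewed, b"print('approved maintenance task')\n")
        _write(unreviewed, b"print('never reviewed')\n")

        # The allowlist knows the interpreter and the reviewed script only.
        allowed = {sha256_of(interp), sha256_of(reviewed)}

        launches = {
            "interp+reviewed": [interp, reviewed],
            "interp+unreviewed": [interp, unreviewed],
            "interp+inline": [interp, "-c", "print('inline code')"],
        }
        return {
            name: (image_only_decision(argv, allowed),
                   script_aware_decision(argv, allowed, INTERPRETER_NAMES))
            for name, argv in launches.items()
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for name, (naive, aware) in demo().items():
        print(f"{name:20} image-only={naive!s:6} script-aware={aware}")
```

The image-only check says "allow" for all three launches, because the interpreter's hash is on the list and that is all it looks at. The script-aware check allows only the reviewed script; it rejects the unreviewed file and the inline code. That second rule is also where the usability cost the text describes comes from: every legitimate script, and every update to one, has to be hashed and added to the list before it will run.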

As for sandboxes, finding holes in those that have been on the market for some time is a far from trivial task, one feasible only for a professional hacker, whose time is quite expensive. Bypassing a good sandbox can cost a customer thousands of dollars and a rather long wait. Closing the same hole on the sandbox developer's side costs a few tens of dollars and half an hour of time (well, with testing, a couple of hours at most). Moreover, once the old hole is closed, bypassing the protection requires finding a new one, which again takes a lot of money and time. And since the obvious vulnerabilities are usually picked off first, the cost and time of finding new ones only grow.

It turns out that with either whitelist solutions or sandboxes, the business built on malicious software becomes less and less profitable: with each iteration the protection gets stronger and bypassing it gets more expensive. One day the "point of no return" is passed, when this way of earning money becomes plainly unprofitable. And what is that, if not 100% protection against viruses and other malicious applications?

PS This is the last article of the series.

Source: https://habr.com/ru/post/105094/
