Stuxnet, Aurora: Why AVs Fail? And Why We Still Need Them!

Operation Aurora, which attacked Google and other Fortune 1000’s last year, and the more recent Stuxnet worm targeting SCADA systems (nuclear and energy power plants), are here to remind us of the failure of traditional antiviruses to protect corporate systems against targeted and high level attacks.

In the case of Stuxnet, tens of thousands computers have been infected before antivirus company VirusBlokAda identified it and made it public last June. Numerous articles have been written describing the new methods and numerous zero-day Stuxnet exploits to propagate and bypass traditional security systems. Very few articles have been written explaining why AV companies failed to detect it. This is true about Stuxnet, but the same applies to Operation Aurora or to the many variants of the Zeus bot, TDSS, TDL3 and numerous others.

Why do AVs fail?
AVs fail simply because they are signature-based. Everybody agrees on that. AV companies need to have a sample of the malware to analyze it, create an identification signature and have it distributed across their customer base. This process requires time and highly skilled manpower. The number of new virus samples now averages 300,000 each day and that makes it practically impossible for AV companies to process them all. Virus writers are aware of this weakness and they prepare new versions of their malware in advance and release them as soon as AV companies have created a signature detecting the previous version.
Another weakness of AVs is their predictability. Most of them can be downloaded from the Internet for free for 30 days and cost less than 40$ a year to purchase. They can be analyzed, tested and reverse engineered at will at no cost for the attacker. In most cases, it is trivial to disable their signature update system or to simply uninstall them from the infected host.
This fight is unfair and the advantage is to the malware authors. Unfortunately, there is not much AV companies can do about it.
Nevertheless, this business model continues to thrive. McAfee and Symantec are worth billions of dollars and businesses and individuals still continue to rely on them for their protection.

So Why Do We Still Need Them?
Signature-based detection is great because its false positive rate is very low. If the AV tells you that virus ABC is on your system, you can trust it (except for some rare exceptions) and as a bonus, since the virus has been previously analyzed, the AV can usually safely remove it from the infected system.
For new viruses, this model works for the same reason flu shots work: because we accept the fact that some individuals will be sacrificed for the good of the community. When a new computer virus is released, thousands of systems will be infected before the AV vendors have time to analyze it and create a working signature. But once this is done, hundreds of million systems are immunized and will be effectively protected from infection.

In the end, it all boils down to probabilities and luck.

This is acceptable for most individuals or corporations that have little or nothing to lose to malware. Is this enough for high value targets like governments, military, critical infrastructure management, high stakes R&D companies, banks and numerous others? Of course not!
Is it normal that we rely on a publicly available 5$ software (average price of an AV for large accounts) to secure a 2000$ system holding hundreds of thousand dollars of data?

I think the question is the answer.