Tuesday 3 November 2015

Is anti-virus dead? Part 1

A recent article in Techworld asserted that antivirus is not dead, and cited the fact that the antivirus industry "still goes from strength to strength" as evidence.

Yes and no.

I won't deny that AV companies are flourishing. I won't deny that ESET (the company cited in that article) has 1100 employees, Kaspersky even more.

Viruses are no longer the issue; the article I'm quoting agrees with that. 20 years ago, viruses were the problem; self-replicating programs, programs that copy themselves and thereby spread. And viruses were interesting to analyse and kill - I spent years doing that, and it was never dull. And even then, I felt that it was right for an antivirus to deal with all forms of malicious software (malware). I was at a conference once where a corporate user put it rather well, "I don't care whether you call it a virus or a trojan, I don't want it on my systems".

ESET's Pavel Luka says “Of course anti-virus is dead. We found out 20 years ago”. I'd disagree with that, but only on the time-scale. In 1995, AV was very much alive, because 20 years ago, viruses were the main threat. But I won't quibble about exactly when that changed; the change would have been gradual. What's important is what's happening today (and in the future).

Today, I see three kinds of threat, and I see them several times per day. One kind is phishing, the second kind is scams, the third kind is emailed malware.

Phishing is like this:

From: PayPal Service <>
Subject: You just need to confirm your billing address.

Dear member,

You just need to confirm your billing address.

If you did not confirm it until 5th of November 2015, Your account will be deactivated.

The link leads to; it redirects to another URL, which redirects to another URL, which asks me for my username and password. I didn't fill in their form. This is called phishing, because clever hackers like to make up new words, and calling it "fishing" would be too easy.

But if I had filled in that form, then I would have just given away the key to my PayPal account, to someone who probably isn't going to do anything good with it.

The second type of email is a scam.

The commonest type tells you that some huge sum of money is waiting for you. Later on in the process, you are told that you need to send some small amount, perhaps $50, to release it. But then there's another issue, that requires another $79. And so on. 400 years ago, this scam was called "Spanish prisoner", today it's called "Advance fee fraud".

And the third type is malware sent via email.

Some samples, that arrived today:


Attached is a pdf file containing items that have shipped
Please contact us if there are any questions or further assistance we can provide

Actually, it's a doc file. The doc file includes a macro, and that's the malware.

We are sorry, We have noticed an error activity on your wellsfargo online banking services. We advice you to verify your Wellsfargo account(s) now using the Wellsfargo Account Verification Page. To verify your Account Please Download Attachment and open in a browser to Continue. We value your privacy and your preferences. Failure to abide by these instructions may subject you to wellsfargo online restrictions or inactivity.

           Investment Products: Not FDIC Insured - No Bank Guarantee - May Lose Value

I don't have a Wells Fargo account. The "online verification tool" is an obfuscated JavaScript file, and that's the malware.

It's time to renew your 1SYNC subscription!
Click here to view your invoice.

Please click here to view comments from retailers supporting data synchronization.

(Note: The Adobe Reader is required to view this invoice. Click here for a free download of The Adobe Reader if you don't already have it installed on your computer.)

If you are having trouble reading the attached PDF document, please download the latest version of Adobe Reader at

It isn't a pdf, it's a zip file containing an exe file, and that's the malware.

Subject: Your eBay Invoice is Ready

PLEASE DO NOT RESPOND - Emails to this address are not monitored or responded to.
Dear Customer,

Please open the attached file to view invoice.

Important: Please open the attached file using your temporary password. Your temporary password is: 491EVA527OIC

If the attachment is in PDF format you may need Adobe Acrobat Reader to read or download this attachment. If you require Adobe Acrobat Reader this is available at no cost from the Adobe Website

This one really is nice. The attachment is a zip file, and the zip file really is encrypted. That means that a scanner won't be able to scan inside the zip! But the user will be able to unzip it, using the supplied password.

Inside the zip, there's an exe file, and that's the malware.
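As an added illustration (not code from the original post), here is a small Python check that encodes the attachment patterns in the samples above: a file whose extension does not match its real content, an archive that carries an executable, and an encrypted archive whose password is handed over in the message body. The file names, signatures and sample bytes are constructed for the demonstration.

```python
import io
import zipfile

# Leading-byte signatures for the container types that turn up in the samples.
MAGIC = {
    b"%PDF-": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "doc",   # OLE2 compound file: legacy Office, macro-capable
    b"PK\x03\x04": "zip",
    b"MZ": "exe",                                 # Windows PE executable
}
SCRIPT_OR_EXE = (".exe", ".scr", ".js", ".vbs")

def sniff(data: bytes) -> str:
    """Identify the real file type from its leading bytes, ignoring the filename."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def assess_attachment(filename: str, data: bytes, body: str) -> list:
    """Return the reasons an attachment looks like emailed malware (empty list = nothing found)."""
    reasons = []
    claimed = filename.rsplit(".", 1)[-1].lower()
    actual = sniff(data)
    if actual not in ("unknown", claimed):
        reasons.append(f"extension .{claimed} but content is {actual}")
    if actual == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [i.filename for i in zf.infolist()]
            # Bit 0 of the general-purpose flags marks an encrypted entry.
            encrypted = any(i.flag_bits & 0x1 for i in zf.infolist())
        for name in names:
            if name.lower().endswith(SCRIPT_OR_EXE):
                reasons.append(f"archive contains executable {name}")
        if encrypted:
            reasons.append("archive is encrypted, so a scanner cannot look inside")
            if "password" in body.lower():
                reasons.append("password for the archive is given in the message body")
    return reasons

# Constructed sample data, not a real capture: build a stored zip and optionally set the
# 'encrypted' flag bit in both headers (the payload stays in the clear; enough for the check).
def make_zip(entry_name: str, payload: bytes, encrypted: bool = False) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, payload)
    b = bytearray(buf.getvalue())
    if encrypted:
        b[6] |= 0x01                            # local file header: flags at offset 6
        b[b.find(b"PK\x01\x02") + 8] |= 0x01    # central directory header: flags at offset 8
    return bytes(b)
```

For the "eBay invoice" sample, `assess_attachment("invoice.zip", make_zip("invoice.exe", b"MZ\x90\x00", True), "Your temporary password is: ...")` reports the executable, the encryption and the password in the body.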

In part 2 of this post, I'll talk about countermeasures.
