Virus Stoppers

When a Signature Isn't Enough

At the beginning of the year, as hurricane-force winds roared across Europe, a storm of an entirely different kind battered computers around the globe. On January 18, the so-called Storm worm began arriving in the form of attachments to e-mail messages with subject lines such as '230 dead as storm batters europe'.

More than 42,000 distinct variants of the new malware spread over a 12-day period, according to security company Commtouch. The attackers intended for the onslaught to evade traditional signature-based virus detection, which must know about a specific piece of malware before it can catch it.

The Storm worm serves as a prominent example of how virus writers try to stay one step ahead of antivirus protection programs by churning out new variants of successful malware strains. The crooks also try to stay under the radar (and out of the signature database) by launching targeted attacks that send a small batch of malware to a single company or organization. Such attacks typically involve more social engineering than the average attack; for example, they may employ faked 'From:' addresses of actual company employees to send virus-laden e-mail.

In response, security companies are using proactive protection that doesn't need a full virus signature to be effective. Such protection is "a necessity," says Natalie Lambert, a senior security analyst with Forrester Research. "It's all about the unknown and targeted threats," Lambert says.

One proactive approach uses a method called heuristics to examine a virus's programming for suspect commands or segments of code. Often this method can catch a new variant of some existing malware--one of the many Storm worms, for example--by recognizing commonalities with previously analyzed variants.

The heuristics approach looks inside a potential piece of malware, but behavioral analysis, another proactive-protection technique, looks at it from the outside to see how it runs. If a file behaves suspiciously, such as by executing from a temp directory, antivirus programs may flag it as potential malware.

Some newer, advanced types of behavioral methods create what's called a sandbox, in which part or all of a suspect program can be analyzed in a protected virtual environment. The top two performers in our proactive tests, which subject PCs protected by month-old signatures to new malware to simulate future unknown threats, rely on the sandbox approach. Eset's NOD32 program intercepted 79 percent of malware, and BitDefender Antivirus 10 stopped 61 percent. On the other hand, Grisoft AVG finished last, at 34 percent, despite using a sandbox.

These numbers demonstrate that though proactive protections are important supplements, they are not yet ready to replace traditional signatures altogether. To see how effectively our tested programs handled proactive scanning, consult the "Proactive detection" line in our roundup's ranked chart.