Some may call it obvious but just having antivirus software installed isn’t going to help you much if hit by zero-day attacks. The New York Times had antivirus from Symantec (Norton) installed on the devices connected to their network, but that didn’t stop Chinese hackers from retrieving usernames and passwords of their reporters, among other things.
How did this happen? The Chinese hackers built a custom malware and The New York Times’ antivirus software missed 44 of the 45 pieces of malware installed by the attackers. Because the malware was basically brand-new (‘zero-day’), it wasn’t on Symantec’s list of forbidden software, which is why it managed to evade detection.
Interestingly enough, the reason why NYT was able to detect this attack is because they were already expecting it because of their investigations into Chinese Prime Minister Wen Jiabao’s family finances. It asked AT&T to monitor its networks, and AT&T was able to detect suspicious activity immediately.
Symantec has responded to the whole incident with this statement:
“Advanced attacks like the ones the New York Times described underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions. Antivirus software alone is not enough.”
The key thing to note in Symantec’s response is they offer more advanced solutions than those deployed by the Times. While it is impossible to know exactly what Symantec means, I am going to venture out and say they are talking about security solutions like Intrusion Detection Systems and other behavior-analysis software. These type of security software are specifically designed to protect against zero-day attacks whereas regular antivirus typically only protect against known malware. (Note: Some antivirus programs have built-in behavior analysis. It isn’t entirely clear if the Norton product NYT had installed had behavior-analysis or not.)
Rohit Sethi, who is head of security firm SD Elements, says that it’s not difficult for attackers to learn how to evade detection due to the fact these commercially available solutions are available to anyone. The solution according to experts, says CNN, is to keep a close eye on what’s going on in your network. If you can’t stop them from entering your network, you can at least find out what they’re doing.
So, does this mean you should uninstall your antivirus? I’ll let Jindrich Kubec of Avast answer that for you:
Seatbelts and airbags are wonderful protection and improve the safety of millions, but they will not stop a bullet fired — say by a hired killer. Does it mean you will stop using airbags and seatbelts?
In other words, there is a major distinction between the malware consumers are faced with everyday and the targeted attack that the NYT suffered. So don’t think your antivirus is useless. It isn’t. It just isn’t effective in stopping particular attacks.