Elks and signature-based malware detection

Since the early days of computer viruses, signature based detection of malicious software has been a key component of many anti-malware solutions.
What do elks have to do with all of this? I’ll explain at the end.
Signature based malware detection identifies executables based on small numeric sequences generated by an arithmetic compression of the executable’s contents. These numeric sequences are termed hashes or message digests. Standard hashing algorithms used by anti-malware companies include MD5, and more recently SHA1 or SHA256. Even a single byte change to that executable, even though the new executable may perform exactly the same task, will result in a whole new and very different hash value; that’s how hashes are supposed to work.
Now let’s use an analogy to explore why hashes might be a deficient way to identify malware threats.
I am a shop owner and for years I have been plagued by occasional thieves.
So I’m sold an anti-thief detection system. The system takes a photo of each customer entering my shop and compares their face against a blacklist or rogue’s gallery of known thieves.
The gallery is supplied by the anti-thief detection company; they send me photos every month of any newly identified thieves, so I always have the latest protection.
If there’s an exact match against a known thief then I simply evict that customer; job done.
To begin with it all works pretty well, as there aren’t too many thieves in my part of London.
But after a few months criminality catches on; the same thieves come back into my shop but this time wearing false beards, hats and wigs. Unfortunately the anti-thief detection system now fails to recognise the same thieves, remember it’s looking for exact matches only.
I start losing a lot of stock so I complain to the company. They have a think and decide to update my rogue’s gallery more regularly and with a lot more photos; once a week and then just about every night. The rogue’s gallery quickly becomes huge as it includes every permutations of beard, moustache, hat, glasses and wigs that each thief has ever been seen wearing. Now there’s a huge number of different of outfits the average thief can wear, so the rogue’s gallery can only keep on growing. I can’t even cull old photos as they may reappear in an old outfit.
That in a nutshell is why signature-based malware detection is flawed.
A malware writer can change a single byte in an executable, perhaps hundreds of times a day and dynamically on an infected machine. Signature-based detection system will fail to detect the first, or zero-day appearance, of that malware.
As the NSA succinctly explain,
“Defending against these threats by blocking all known malware and unauthorized applications arriving via all possible means, a technique known as blacklisting, is a reactive technique that does not scale well and does not protect against unknown malware.”
Anti-malware companies also employ other techniques, such as behavioral based detection of the evasive activities employed by malware. A bit like seeing someone behave
suspiciously in my shop. But suspicion can be a bit subjective and I would argue, this approach isn’t easy to implement or anti-malware companies would have cracked it long ago.
So enterprises are increasingly considering application whitelisting to compliment traditional security software. With offerings such as Windows AppLocker from Microsoft allowing administrators to define limited bundles of software that their users are able to run within a corporate environment.
Finally what have elks to do with all this?
Well the very first computer virus that “made it into the wild”, is attributed to Rich Skrenta, who created Elk Cloner in Pennsylvania in 1982 at the age of 15; a boot sector virus that replicated itself on the Apple II PC. It was fairly harmless, printing out a short poem every fiftieth time the PC booted. But it high-lighted opportunities to exploit operating system vulnerabilities; an issue that has remained with us for over thirty years.