by Igglyboo 3743 days ago
And then you change the code a tiny bit and the signature doesn't catch it anymore.
2 comments

> change the code a tiny bit

How? That's the principle that everyone's missing! Sure, you can change the code a bit, but the millions of copies of your worm out there already can't magically change themselves after AV vendors update their blacklist. Sure, you can make a polymorphic worm, but even after mutation, your worm still probably has common patterns that blacklist makers can catch.

I'm a fan of proactive, not reactive security --- but let's not pretend that what AV vendors are doing is completely bogus.

You also have to keep in mind that blacklists and behavior heuristics are more suited to a bygone age --- one of low-bandwidth, sporadic connections and floppy disks that could be infected with trojans. Nowadays, we're more worried about drive-by 0day flash exploits from ad networks than about infected, self-propagating executables.

I've always found it fascinating that the human immune system has both proactive and reactive security, just like our computers should. The innate immune system [1] is analogous to mandatory access control, OS file permissions, buffer hardening, and other non-specific security mechanisms. The adaptive immune system, on the other hand, works like a blacklist updated throughout your life (and propagated from mother to child!).

Both systems catch threats the other does not. There's still a lot to learn from biology.

[1] https://en.wikipedia.org/wiki/Innate_immune_system
[2] https://en.wikipedia.org/wiki/Adaptive_immune_system

And then you make it metamorphic.