Bicycle Tube Patch (image by morten_liebach)

Few things beat patching, yet on industrial control systems patching is often delayed, and delayed again, until some event forces the owner’s hand. Antivirus is often used as a stop-gap measure to justify delaying patching. That is rarely a good approach.

Recently we made the news when someone attempted to spear-phish us (and no, they did not succeed). What was quite interesting about the malware was that initially only 7 of the 42 antivirus products on VirusTotal recognized the attachment sent to us as malicious. More antivirus vendors have since added detection, but still only 62% detect it. The file that the email attachment downloads is still recognized by only 3 of 42. Notably, Symantec and McAfee still do not recognize it as malicious.

Antivirus is incredibly easy to circumvent. Most products still lean heavily on signatures, that is, on matching specific byte patterns or file hashes, so any change to the bytes that leaves the behaviour intact defeats the match. Plenty of automated tools exist to change a program’s signature just enough to get past antivirus.

Access to source code shows just how easy it is. I often use the tool netcat in network assessments. Netcat is flagged as malicious by most antivirus software and is quickly quarantined if I need to use it on a system, for example during a penetration test. I compiled my own copy with nothing more than different optimization flags passed to the compiler. That rebuilt netcat binary for Windows is recognized by 0 of 42 vendors, and lets me maintain access during the pen test.
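To make the two paragraphs above concrete, here is an added example (not code from the original post, and not anything Digital Bond ships) of how a signature scanner works and why a recompile slips past it. The two byte strings are constructed stand-ins for an unoptimized and an optimized build of the same source, not real netcat bytes; the signature names are hypothetical; the signature syntax is the ClamAV-style hex notation in which `??` matches any single byte.

```python
import hashlib
import re
from typing import Dict, List

# Constructed stand-ins for two builds of the same C source: one with no
# optimization and one with optimization turned on. These are NOT bytes from
# any real netcat; the short x86 fragments are hand-written so that the
# unoptimized build carries a classic frame-pointer prologue and the
# optimized build does not, while both embed the same usage banner string.
BUILD_O0 = (
    b"\x55\x89\xe5\x83\xec\x18"   # push ebp; mov ebp,esp; sub esp,0x18
    b"\x8b\x45\x08\x50"           # mov eax,[ebp+8]; push eax
    b"\xe8\x00\x00\x00\x00"       # call rel32 (unresolved)
    b"\x83\xc4\x04\xc9\xc3"       # add esp,4; leave; ret
    b"connect to somewhere: nc [-options] hostname port[s]\x00"
)
BUILD_O2 = (
    b"\x8b\x44\x24\x04\x50"       # mov eax,[esp+4]; push eax (no frame setup)
    b"\xe8\x00\x00\x00\x00"       # call rel32 (unresolved)
    b"\x5a\xc3"                   # pop edx; ret
    b"connect to somewhere: nc [-options] hostname port[s]\x00"
)

# Hypothetical signatures in ClamAV-style hex notation, where "??" matches
# any single byte. The names are made up for this example.
SIGNATURES: Dict[str, str] = {
    # Byte-exact match on the unoptimized prologue (with a wildcard for the
    # stack-reserve size). This is the kind of signature a recompile breaks.
    "Netcat.CodeBytes": "5589e583ec??8b4508",
    # Match on the usage banner, which the compiler copies into the binary
    # unchanged regardless of optimization level.
    "Netcat.UsageString": b"nc [-options] hostname port[s]".hex(),
}


def hex_sig_to_regex(sig: str) -> "re.Pattern[bytes]":
    """Translate a hex signature with '??' wildcards into a compiled bytes regex."""
    if len(sig) % 2:
        raise ValueError("hex signature must have an even number of nibbles")
    parts = []
    for i in range(0, len(sig), 2):
        pair = sig[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(blob: bytes, signatures: Dict[str, str]) -> List[str]:
    """Return the names of all signatures that match somewhere in blob."""
    return [name for name, sig in signatures.items()
            if hex_sig_to_regex(sig).search(blob)]


def sha256(blob: bytes) -> str:
    """File-hash 'signature': the weakest form, broken by any single-byte change."""
    return hashlib.sha256(blob).hexdigest()


if __name__ == "__main__":
    for label, blob in (("-O0 build", BUILD_O0), ("-O2 build", BUILD_O2)):
        print(f"{label}: sha256={sha256(blob)[:16]}... hits={scan(blob, SIGNATURES)}")
```

Run it and the unoptimized build trips both signatures while the optimized build trips only the string one, and the two hashes differ. The caveat for defenders is the same in both directions: a signature pinned to code bytes or a hash is defeated by a rebuild, a signature on strings survives a rebuild but not a determined attacker who also rewrites the strings, and neither tells you anything about the vulnerability the malware is exploiting. That is why antivirus cannot stand in for the patch.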

So don’t forget to patch.  It may just save your control system network.