The anti-virus age is over (codeinsecurity.wordpress.com)
118 points by ColinWright on July 21, 2013 | hide | past | favorite | 86 comments



I work for Malwarebytes, although what I'm about to say is my own opinion. I have a few thoughts on this post-

* When people mention signature based detection as a reason why antivirus or malware is dying I always get a bit confused. It's like saying that the transportation industry is going to die because horses are an inefficient way to transport goods. This is something everyone knows already, followed by a conclusion that to me skips the obvious answer everyone else has come to- use different types of detection.

* The rise in APTs is interesting, and it's talked about quite a bit. However, the rise in a new type of threat doesn't mean the decline of the old. The targeted threats need to be protected against, and security software needs to evolve to do that, but that does not mean the millions of home computers out there aren't a pretty target too.

* HTML5 is really interesting. The example there would be somewhat limited- without exploit it can't escape its little sandbox, meaning it would be great for things like DDoS but not for stealing private information.

* Focusing on what's going on in memory is not the only way to do this. The network traffic tells all sorts of fun information, and it's possible to hook into programs like the browsers themselves to look for suspicious activity.

* Comparing programming salaries is a joke at best. While it's certainly not easy to find and hire great antimalware people, it's not easy hiring great developers either. Malware authors simply do not use bottom of the barrel labor- building malware is just as skillful as detecting it as you need to know how to detect it to evade detection.

This field of technology is just like any other, in that it's constantly evolving. Old methods will get replaced by new, which will get replaced again soon after.


What do you think of Mikko's statement "Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn't. We were out of our league, in our own game."?


It might not have been possible for an antivirus to detect Flame, because the people behind Flame likely tested it against all antivirus software before deploying it. They were very, very careful. It's how they escaped detection for so many years.


Most malware writers test their malware components against AV software before deploying or selling it.


There are even websites dedicated to testing against multiple engines at once for you, automatically.

Of course, those are collection sites as well...


> HTML5 is really interesting. The example there would be somewhat limited- without exploit it can't escape its little sandbox, meaning it would be great for things like DDoS but not for stealing private information.

May I suggest you take a look at http://www.beefproject.com/ and see what can be done without escaping its little sandbox. Also if the goal is compromising a host, there will generally be an exploit as part of the toolkit, not necessarily an easily detectable one. At CanSecWest earlier this year there was an interesting Chrome-based pwn2own from the guys at MWR.


beefproject / msf is all about escaping the little sandbox, not doing things in it.


> When people mention signature based detection as a reason why antivirus or malware is dying I always get a bit confused. It's like saying that the transportation industry is going to die because horses are an inefficient way to transport goods. This is something everyone knows already, followed by a conclusion that to me skips the obvious answer everyone else has come to- use different types of detection.

This is true, but I've spent a fair bit of time digging into how various AV engines work internally (including yours, if I remember correctly!) and have found a very high percentage of them to use little more than a flat hash for most signatures. I think in one case there was a 95% majority. Yes, there are many other detection methods, but you need to spend the time to actually come up with proper and functional signatures. I just haven't seen it happen yet - not that I've looked much in the year since I wrote the article.

> The rise in APTs is interesting, and it's talked about quite a bit. However, the rise in a new type of threat doesn't mean the decline of the old. The targeted threats need to be protected against, and security software needs to evolve to do that, but that does not mean the millions of home computers out there aren't a pretty target too.

Again, true, but it doesn't stop it from being a "new type" of attack model that is largely impossible to protect from, especially by automated mechanisms like AV. IDS / IPS helps, if you actually bother to review the damn logs, but most people (in my experience) don't.

> HTML5 is really interesting. The example there would be somewhat limited- without exploit it can't escape its little sandbox, meaning it would be great for things like DDoS but not for stealing private information.

Yup. Doesn't make the AVs any better at detecting it, though!

> Focusing on what's going on in memory is not the only way to do this. The network traffic tells all sorts of fun information, and it's possible to hook into programs like the browsers themselves to look for suspicious activity.

Unless it's HTTPS, or obfuscated. And since when can you tell the difference between a malicious obfuscated JavaScript payload, and a non-malicious one like minified jQuery?

> Comparing programming salaries is a joke at best. While it's certainly not easy to find and hire great antimalware people, it's not easy hiring great developers either. Malware authors simply do not use bottom of the barrel labor- building malware is just as skillful as detecting it as you need to know how to detect it to evade detection.

Yet we see piles upon piles of malware written in VB6 or Delphi 7, most of which are crappy trojans and keyloggers. Are they the number one super massive threat? No. Are they something to be worried about? Yes. A crappy keylogger can still steal user credentials. A crappy trojan can still steal files and alter data. Rejecting the salary comparison because high-end malware writers wouldn't use 3rd world outsourcing is like rejecting normal gearboxes because all Lamborghinis use those flappy-paddle ones.


Just because current detection schemes are outdated, and the monopolies are perhaps resting on their laurels, it does not mean the anti-virus age is over. I think it's a technological battle which will always be fought. There will always be attackers and defenders. There are already people experimenting with detection through artificial intelligence and the like. Imagine if that technology finally makes it (at this rate it is guaranteed); what would the next step be? Wouldn't it be "nearly impossible" for attackers then? Yet nobody will write that the age of the Virus is over.


Off topic, but do you have any books, websites or other recommendations you would suggest for getting into antivirus/malware part of programming?


Nobody wants AV to die faster than I do, but these complaints could just as easily have been written in 1995 as in 2013. Polymorphic malware, for instance, is older than many HN readers.

The forces that keep AV chugging along have more to do with how the market for AV software works than with anything fundamental about how effective AV is.


The anti-virus _never_ was anything but a high-pass filter (any illusion to the contrary is propagated by AV stakeholders): who needs to exploit machine-executable code when you can get the users to do it for you? Just promise them dancing hamsters, and voila.

There is no silver bullet, especially not when people are involved.


Well, they've certainly been trying to make it more than an HPF. Which is understandable- I bet there are big bucks to be made if one of the vendors starts reliably blocking even sophisticated exploits.


Certainly so; the effort put into making an actual smart AV is admirable. Alas, it doesn't seem likely to succeed.


Anti-virus protection is a mediocre "solution", or a "decent component in a larger security system" at best. It's marketed as being a silver bullet; "all you need to stay 100% safe." Understandable--it makes it a much easier sell to people who aren't tech-savvy. It also makes it completely understandable that the AV industry is almost universally reviled among people who are.


The anti-virus industry has always been a bit of a con. It is probably hard for people who habitually use Windows to understand since their AV software has probably saved them a lot of times but it is actually a really hit and miss way to filter things and it gives a false sense of security with a big performance hit. In the Windows world it has been necessary but not sufficient for a very long time and people get confused about what you mean when you say this and push back. Proper security practices involve minimising your installed software, only installing from trusted sources, using signed software where supported or checksumming it otherwise, running apps in sandboxes, isolating machines you need to protect, monitoring your systems behaviour and a lot more.


AV already existed before Windows was even conceived.

Anyone old enough here, remembers using AV for Atari, Amiga, MS-DOS and many other home systems.

Lets also not forget the first worms were designed for UNIX systems.


I've been running Windows without AV for over 10 years, so it's not even really necessary if you know what you're doing.

The only anti-virus measure that I take is to upload unknown executables to http://www.virustotal.com/


As far as you know. Even the dumb malware writers don't write stuff that pops up floating skulls and "OwNEd by CyBeRKiLLeR" messages anymore. It's all about staying on the machine, and staying silent.

I hate this "I've been running without AV for ages, and I never saw any viruses" argument. Of course you didn't. Making you aware hasn't been the motive for a long, long time.

It's virtually impossible to run a Windows (or Linux, or Mac) installation with the usual suspects--Java, Flash, Adobe Reader, etc.--without being exposed to good old, non-targeted malware. Take into account that most of it is distributed from "good" sites, and "if I don't see it, it must mean there's nothing there" and "I never go to any risky sites" prove pretty silly.

I'm not saying that AV is the best solution, or even a good one--indeed it can even be what contains the vulnerabilities used to take over a machine--but there is a reason it exists. Let's not pretend that AV solves all one's problems, but let's also not pretend that it's completely ineffective. It's only ineffective if there really is no other (probable) way for things it detects to get through--which there is on most desktop operating systems unless you (manually) go to great lengths to isolate the different things you do. There are ways to make AV moot, but it rarely comes built-in or without user overhead/experience requirements. (Ironically, in Windows 8 anti-virus comes built-in.)


> It's virtually impossible to run a Windows (or Linux, or Mac) installation with the usual suspects--Java, Flash, Adobe Reader, etc.--without being exposed to good old, non-targeted malware. Take into account that most of it is distributed from "good" sites, and "if I don't see it, it must mean there's nothing there" and "I never go to any risky sites" prove pretty silly.

Do you have more information about this? I wasn't aware that malware was just "floating" out in the ether. I have been staunchly in the camp of, "If you know what you're doing you can remain safe." but you seem convinced otherwise. Why?


https://www.google.com/transparencyreport/safebrowsing/malwa...

See "Compromised sites" at the bottom.

In my experience, compromised sites and insecure ad networks are by far the most common means of distributing malware through legitimate sites.

Even if you know what you are doing, you are very likely to come across sites running e.g. Wordpress, Drupal, etc. with shitty addons, e.g. timthumb, that have been compromised and are serving exploits through hidden iframes, redirecting you to bad pages, etc.


What percentage of those exploits are 0day? Part of "knowing what you're doing" involves keeping your software up to date, after all. Commodity malware isn't a large threat if it can't run.

Very cool link though, thanks.


I don't know (presumably few to none if Google is detecting them), but yes, I agree. You can be exposed but not be vulnerable.


for your 3rd paragraph: I'm not sure I'm following you - are you saying that virtually every machine is infected? How come?

btw I have been running without AVG for ages on all kinds of systems. Once in a while I'm checking if my habits are still ok and run a bunch of standalone scans. They never find a single thing. Does that mean they all suck hard and that my machines are infected by newer and more invisible things than they can find? (note this is an honest question. I have no clue.)


As I understand this, virtually every machine gets exposed to the garden-variety malware; whether it's vulnerable to the given exploit is a different matter (look at the obsolete Java and Flash plugins eeeverywhere). Moreover, it is also important whether the exploit has an appropriate payload for the given system (I have yet to see e.g. a browser-vector transmitted payload which would run on Linux - which says something about its marketshare, not necessarily about its security).

And of course "absence of evidence is not evidence of absence," so either the scans suck hard, or you're clean; but barring a more specific (and probably not fully-automated) inspection, there's no way to tell.


You hit the nail on the head.


In my Windows 7 partition I don't have Java or Adobe Reader. I only have the Chrome Flash plugin and my Steam games.

Tell me how the virus manages to stay out of Sysinternals Autoruns, and I will panic with you.

Otherwise, no antivirus is really necessary.


> Tell me how the virus manages to stay out of Sysinternals Autoruns, and I will panic with you.

There's a whole category of malware that does just that: https://en.wikipedia.org/wiki/Rootkit

The most common (and basic) way is to run as a child process inside svchost.exe.

> Otherwise, no antivirus is really necessary.

You don't care what happens in all the time that elapses from when you're infected with something until you realize you are, if you realize it?


The Sysinternals Autoruns utility shows a full set of things that run at startup, it is not just the start menu and some 'run' reg keys.

It shows all services with their signature, all device drivers with their signature, etc. It validates the signatures too.

I'm sure I only run signed services and drivers.

Also, there's a rootkit detector Sysinternals utility. The page you linked describes how Mark Russinovich, one of the writers of the Sysinternals utilities, discovered the Sony Rootkit.

> You don't care what happens in all the time that elapses from when you're infected with something until you realize you are, if you realize it?

Of course I do, that's why I have the Sysinternals utilities at hand.
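The Autoruns discussion above comes down to a triage question: of everything that starts at boot, which entries lack a verified signature or live somewhere a user-level process can write? The script below is an added example (not Sysinternals code, and not from the original thread) that reads a constructed, Autoruns-style CSV export and flags entries by three rules: signer not verified, image in a user-writable location, and a service whose image sits outside the Windows directory (the svchost-hosted DLL case mentioned above). The column set and the "(Verified) Publisher" / "(Not verified) Publisher" wording in the Signer column are assumptions about the export format; real exports carry more columns, and the rows themselves are constructed.

```python
import csv
import io

# Constructed Autoruns-style export. Column names and the "(Verified)" /
# "(Not verified)" signer prefix are assumed, not taken from the page.
SAMPLE_EXPORT = r"""Entry Location,Entry,Signer,Image Path
HKLM\SYSTEM\CurrentControlSet\Services,Dhcp,(Verified) Microsoft Windows,c:\windows\system32\dhcpcore.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,(Verified) Microsoft Corporation,c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe
HKLM\SYSTEM\CurrentControlSet\Services,SysUpdateSvc,(Not verified) Sys Update Inc,c:\programdata\sysupdate\svcdll.dll
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,,c:\users\alice\appdata\roaming\updater.exe
HKLM\SYSTEM\CurrentControlSet\Services\Drivers,kbdclass,(Verified) Microsoft Windows,c:\windows\system32\drivers\kbdclass.sys
"""

# Path fragments that an unprivileged user can normally write to.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


def parse_export(text: str) -> list:
    """Parse the CSV export into one dict per autostart entry."""
    return list(csv.DictReader(io.StringIO(text)))


def triage_entry(row: dict) -> list:
    """Return the list of reasons this entry deserves a closer look (empty if none)."""
    reasons = []
    signer = row["Signer"].strip()
    path = row["Image Path"].strip().lower()
    location = row["Entry Location"].lower()

    # Rule 1: Autoruns validates Authenticode signatures; anything not verified
    # (or with no signer at all) is the first thing to examine.
    if not signer.startswith("(Verified)"):
        reasons.append("signature not verified" if signer else "no signer")

    # Rule 2: legitimate software can live under AppData, but an autostart
    # image in a user-writable directory is where commodity persistence goes.
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append("image in user-writable location")

    # Rule 3: a service (or driver) whose image is outside the Windows
    # directory is unusual; for svchost-hosted services this is the DLL path.
    if "\\services" in location and not path.startswith("c:\\windows\\"):
        reasons.append("service image outside the Windows directory")

    return reasons


def triage(text: str) -> dict:
    """Map each flagged entry name to its list of reasons."""
    findings = {}
    for row in parse_export(text):
        reasons = triage_entry(row)
        if reasons:
            findings[row["Entry"]] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_EXPORT).items():
        print(f"{entry}: {', '.join(reasons)}")
```

On the constructed rows, the two Microsoft-signed system entries pass cleanly, the signed OneDrive entry is noted only for its AppData location, and the unverified service and the signer-less Run key are each flagged on two or three rules. The rules are deliberately simple; the point is that signature verification plus a location check turns a long Autoruns listing into a handful of entries worth opening, and it says nothing about code that is already running in memory, which is the gap the reply below raises.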


I think you're missing my point. You don't care what happens from the point you get affected until you find it in whatever utility--be it 5 seconds, 10 minutes, or 3 days? No matter how vigilantly you stare at procexp, you're not going to stop it from running.


And I hate the "I can't imagine how to do this, so it's not possible" argument.

We have syslogs going back 7 years. You want to come audit our network? I'll bet you all of the money in my bank account that you find nothing.

> with the usual suspects--Java, Flash, Adobe Reader, etc...

Nobody in my house runs those.

> It's all about staying on the machine, and staying silent.

They have to communicate over the network at some point though. Otherwise, it'd be useless.

So yeah - as far as I know - and that's pretty damn far.


> And I hate the "I can't imagine how to do this, so it's not possible" argument.

I can imagine how to do it. But I also know that 99.9% of people don't.

> > with the usual suspects--Java, Flash, Adobe Reader, etc...

> Nobody in my house runs those.

That's very unusual, and you'll have to agree.

Let's assume that you are really doing so much that AV is completely moot. You're still being reckless by giving people the impression that they can just uninstall it and continue doing what they were doing (i.e. using Java, Flash, Adobe Reader, etc.), and everything will be exactly the same.


No. I am not. Read my original post again where I said:

...if you know what you're doing.

Where did I imply anything remotely close to what you just said?


Well, if you don't define what "if you know what you're doing" means, it could be anything from "running Chrome" to "using curl on an OpenBSD box and parsing the source manually." But I was referring to that and the general sentiment that "AV is shit and you can just uninstall it."

Literally anything could be possible "if you know what you're doing" if you leave it that ambiguous.


That's right. I was not specific. How then could you have possibly derived that very specific accusation from my own non-specific offering?


Earliest defense for making sure windows doesn't get infected - NAT, don't leave a windows machine on a public IP...

I actually miss the old versions of McAfee vscan and equivalents. Light weight, checked things over (yes, it wasn't active, might miss corrupting programs, etc...), but if you know what you are doing, like above mentions, you can be pretty safe on windows.

That said, I'm mostly a mac/'nix house hold these days.


> Earliest defense for making sure windows doesn't get infected - NAT, don't leave a windows machine on a public IP...

Yes, but a basic one. You'd prevent something running on port X from being exploited directly. Doesn't do anything against other methods, like getting you to open a shady PDF or SWF file.

> That said, I'm mostly a mac/'nix house hold these days.

If you're running a window manager, there's virtually no difference between them and recent versions of Windows. If anything, Windows has the upper hand on the non-headless side.

It's nice to be able to say "At least I'm not on Windows anymore", but it is no reason whatsoever to not be as vigilant.

The primary reason why you're not targeted as much on OS X or Linux is not that they have a much smaller attack surface than Windows (anymore.) It's that it doesn't make economic sense for an attacker to target Linux users if they are less than 2% of the desktop computer market share, and they generally consist of tech-savvy (e.g. more likely to use NoScript, or spot shady processes than normals).


I suppose your AV free windows theory takes into account popular web sites infected with drive by exploit kits?


An up-to-date Firefox plus NoScript gives me peace-of-mind on that front.


Headline: "the anti-virus age is over"

Final line of article: "Now don’t get me wrong, AV still has its place in the security world ... However, it’s no longer much more than a filter for the most basic attacks."

So... not really over at all. In fact, escalated.


The anti-virus age was the era when AV companies battled it out to innovate and keep ahead of the competition. That era is, in my opinion, over.


Is the age of seatbelts also over? People die in car accidents by the thousands despite using seatbelts, so they must be useless.

The article almost could've been written in the nineties before the commercial malware arrived, but when polymorphic malware became the standard.

The age of AV is unfortunately anything but over as long as people wish to run software they want to, e.g. unlike the iOS. AV is a good filter for most of the malware that you might accidentally bump into, but that's it. You're silly if you don't have one, and you're silly if you think that you're totally safe with it.


I'm silly, then. :-) I'm on Windows 7 (and XP before that), I've never used anti-virus software, but I'm careful about what I download and run. Many of my friends, who do use anti-virus software, are constantly complaining of malware and the like. I realize this is just an anecdote and I could be caught out one day, but my approach is "don't install junk".


Sounds all well and good.

Back in the win98 and win2k years, we had a nice wired/wireless network. I had a shared server that served as a repository of all the movies, music, and games I collected.

I also taught my sister about piracy, emulation, and other things. She also had her own good machine, with unrestricted net access at 9 yrs old. The first game she had loaded on was duke nukem 3d. (yes, my dad was 'interesting')

Her big games were pokemon. And she owned the cartridges, but wanted to play with rom hacking and the like... So she looked for Pokemon yellow, and found one. Pokemon_yellow.zip. Inside was the rom and an exe. When she ran it, the virus hopped over to every executable that was on the shared server.

I'm pretty sure I could have fixed them, because it only seemed more of a bacteria than something nefarious. It just annoyed the hell out of me, because I had my games directory mounted via samba from this server.

If your computer is a bastion of alone-ness, you need not fear. But the second you include a trust net, you can be done in.

Now, I'm a killall wineserver away from refusing an 'infection'.


Now there's an interesting question. How many viruses run on Wine?

(sidenote: do I submit them to the AppDB?)


Good approach, but how do you know you're not infected?


if you run antivirus software, how do you know you're not infected? many malwares now will partially paralyze your antivirus so that it seems all is well, but your computer is operated by someone else. TDSS would do this as long ago as 2008...


You can use services like VirusTotal to do a quick file check if you suspect anything. You can also check what services/program starts on boot (msconfig and services.msc). With that you can already have a good confidence level of not being infected without have an AV draining your computer performance.


Author here.

This was written a year ago. Keep in mind that I'm not saying AV isn't useful - it is in some situations. However, I'm of the opinion that the "AV age", where AV companies battle it out to innovate and beat the competition, is pretty much over. It's not useful against any determined attacker, and it's ridiculously easy to bypass AV simply by changing a few bytes here or there, or by running it through whatever random packer you found on some forum.

Yes, general purpose computing does necessitate some form of filtering, but there are much better solutions than AV in most cases. Mobile platforms like iOS / Android can be locked down quite well - install what you want and then lock installations. Desktop OSes like Windows, Linux and OS X are harder to deal with, but there are still protective measures that can be taken, such as whitelisting, that are more effective than any AV.
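The two claims above, that most engines rely on a flat file hash for the bulk of their signatures and that changing a few bytes defeats them, can be shown side by side with a small detection experiment. The following is an added example, not code from the article or from any AV vendor: it builds a constructed stand-in for a malicious executable (a DOS stub, an API name and a placeholder URL; no real malware), a variant with one padding byte changed, and a benign file sharing only the stub, then runs three signature styles over them. The whole-file hash, the piecewise (chunked) hash and the feature rule are all written here for illustration; the threshold and chunk size are arbitrary choices.

```python
import hashlib

# Constructed stand-in for a malicious executable: a DOS stub plus two
# distinctive features a rule author would pick (an API name and a URL).
# This is not real malware and the URL is a placeholder.
ORIGINAL = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n"
    + b"URLDownloadToFileA\x00"
    + b"http://placeholder.invalid/drop.exe\x00"
    + b"\x00" * 200
)

# The same sample with a single byte changed in the trailing padding.
VARIANT = ORIGINAL[:-1] + b"A"

# A benign file sharing only the generic DOS stub.
BENIGN = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n"
    + b"hello world\x00"
    + b"\x00" * 100
)


def flat_hash(data: bytes) -> str:
    """Whole-file SHA-256: the 'flat hash' signature style."""
    return hashlib.sha256(data).hexdigest()


def chunk_hashes(data: bytes, size: int = 64) -> set:
    """Hashes of fixed-size pieces, skipping pieces that are pure padding
    (one repeated byte) so zero-filled regions cannot inflate a match."""
    hashes = set()
    for i in range(0, len(data), size):
        piece = data[i:i + size]
        if len(set(piece)) == 1:
            continue
        hashes.add(hashlib.sha256(piece).hexdigest())
    return hashes


def chunk_match(data: bytes, known: set, threshold: float = 0.75) -> bool:
    """True if at least `threshold` of the known sample's chunks reappear."""
    return len(chunk_hashes(data) & known) / len(known) >= threshold


# Invariant features an analyst would pick after reading the sample.
FEATURES = [b"URLDownloadToFileA", b"placeholder.invalid"]


def feature_match(data: bytes, features=FEATURES) -> bool:
    """True only if every invariant feature is present."""
    return all(f in data for f in features)


def evaluate(sample: bytes) -> dict:
    """Run all three signature styles against one sample."""
    known_hash = flat_hash(ORIGINAL)
    known_chunks = chunk_hashes(ORIGINAL)
    return {
        "flat_hash": flat_hash(sample) == known_hash,
        "chunked": chunk_match(sample, known_chunks),
        "features": feature_match(sample),
    }


if __name__ == "__main__":
    for name, sample in [("original", ORIGINAL), ("variant", VARIANT), ("benign", BENIGN)]:
        print(name, evaluate(sample))
```

The one-byte variant is missed by the flat hash but still caught by both the chunked hash and the feature rule, while the benign file is rejected by all three. That is the trade-off the replies above describe: a flat hash is free to generate and trivially defeated; the other two need an analyst to decide which pieces are invariant. None of the three sees through a packed or encrypted payload, which is why the article argues for looking at what is in memory rather than on disk.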


I've never used Anti Virus software. Turns out there is a really simple solution.

Don't install viruses.


Windows is full of exploits that are enabled by default. Plugging a usb stick into your computer could automatically install a virus. Or a bug in flash or java could expose your computer.


> Plugging a usb stick into your computer could automatically install a virus.

Actually, AutoRun was turned off for external media as of Windows 7. CDs and DVDs will still do it, but only for read-only disks, not read-write ones.


True. I've never used A/V software because I've never used Windows.


And probably too young to have used Atari, Amiga, Acorn, CP/M, MS-DOS,...


No, actually.


Then either you only bought boxed software, or had lots of luck.

I don't know a single person that did not have an AV on those days. Of course in Portugal you could only buy "backups".


I started with an Apple II, then spent a bunch of time on Sun and IBM RT machines; then got to university and a Macintosh and a Next station; then Linux; then back to Macintosh where I've been for the last 15 years.


So mainly UNIX systems.

Apple II does not count, as I don't remember viruses for 8 bit systems.

Mac OS < X did have quite a nice list of viruses, but it depended on the software source, as I mentioned on my previous post.

EDIT: Just to add my own experience.

Timex 2068 and ZX Spectrum 48+ at home, followed by all Microsoft OSs starting with MS-DOS version 3.3. Also used DR-DOS 5.0.

Friends had ZX-Spectrum +2(A)/+3, Amiga 500 and Atari ST systems, which we used together in computing parties.

Novell NetWare, AS/400 and Xenix at the technical school before going to the university.

My first Linux version used the kernel 1.0.9.

The university had Macs LC II available.

But for the 16bit systems used at home, everybody I knew had an AV to check floppy contents before running anything.


How do you avoid exploits? You don't use any exploitable browsers like Chrome, Firefox or Opera, or do you run them inside an virtual OS?


It's funny how you mention polymorphism in malware. Just recently I came across a modified version of a stock exploit kit which was serving Zeus with each signature being unique. I didn't look into it too much but it seems like there were several thousand precompiled versions of the executable on the server and each unique copy was only being loaded for a few hosts to evade anti-virus detection.

There is even open source software that helps evade Antiviruses. If anybody's interested in further reading, I would definitely recommend:

[1]https://www.veil-evasion.com/tutorial-veil-payload-developme...

[2]http://blog.webroot.com/2013/02/22/diy-malware-cryptor-as-a-...

[3]https://www.christophertruncer.com/veil-a-payload-generator-...

[4]https://www.net-security.org/secworld.php?id=15173


Why can't security specialists also come from India?


A high percentage of security jobs in the U.S. are government positions. If you can't get a clearance, you can't get a job. It is far more difficult for a foreign national (especially from a place like India) to get a security clearance of any sort, let alone the Top Secret clearance that most security roles would demand.

That's not to say that it's impossible though.

Also, unless I'm mistaken, securitytube.net is owned by Indians. It's a great site and the instructors for their courses are indeed experts.


So are all computing security jobs tied to the U.S.? I can think of Avast in the Czech Republic and Kaspersky Lab in Russia off the top of my head, there's probably a lot more out there.


Obviously not all of them, but these companies you mention have no real interest in dealing with this kind of advanced malware. What they do is build a software product aimed at home/small business consumers. AV products can't do anything to prevent sophisticated malware from being injected in the system through 0-day vulnerabilities. As I understand it the only interest in analyzing this kind of malware is merely for research purposes, maybe trying to find a way to detect similar patterns from various infections so as to try and develop some product for governmental organizations and high-stakes businesses.


Obviously not, but the article was written from the perspective of the western world, and so I answered the question in that context. There are security experts and security companies in most civilized nations.


Note that I wrote this article a year ago, when the lowest-possible-price outsourcing market was rampant in India. These days it's more common in China and Sri Lanka. Yes, security specialists can come from India, China, Sri Lanka, or any country for that matter, and I wouldn't suggest otherwise.

My point was that programmer salaries in India were significantly low enough at the time to make it at least ten-fold cheaper to hire developers over there. These days it's a different country (or set of countries) but the point still stands.


Even 3 years back, competent programmers, fresh out of college, capable of doing work half as good as that required to develop exploits and attacks, got paid at least 5-8 times as much. While I understand the point you are trying to make, your exaggeration makes me doubt the validity of your other points.


It's unsurprising that the kinds of threats that are most common nowadays are the ones that get around automated security, which is essentially what AV software is. That doesn't mean that automated security has no future. It just means that, barring some sort of strong AI, automated security needs to go hand-in-hand with manual security efforts.


Recently I reinstalled Windows 7 on my gaming PC. It was only a week or 2 into my usage when I realised I forgot to install antivirus software. I don't even think I need it anymore.

I use Sandboxie for any potentially dodgy programs. I use Adblock (Chrome) so the chances of being infected by a rogue ad provider is reduced. I keep tabs on my incoming and outgoing network traffic using SMSniff (for curiosity) and I use Malwarebytes for the occasional scan to see if anything slipped by. I used to hear people facetiously saying "Common Sense" was the best antivirus, but I think they were right. As long as you stay away from dodgy files and sites (such as cracks and keygens from P2P groups) and sandbox any programs you don't trust much, you should be fine.


I highly recommend installing Microsoft Security Essentials (which was rolled into Windows Defender as a built-in component in Windows 8, but IIRC for Windows 7 is something you have to download).

It gives you basically the same amount of protection as commercial AV tools but is drastically smarter about resource usage and not getting in your way all the time. Unlike other AV tools that are constantly trying to upsell you (and thus have to appear to be 'doing something'), the only point of MSE/Windows Defender is to make Windows suck less.


What makes you think it is drastically smarter about resource usage? I've noticed it slows down a lot of things considerably. It also has a history of causing DPC latency problems on some hardware/drivers. I wouldn't say it is miles worse than anything else but not noticeably better than the other good ones.


I used to run MSE ever since it was released. It really was lightweight and had great detection rates and was generally well liked by me and people at AV Comparatives. However, I saw a new report a few months back which basically showed MSE with the most False Positives and worst detection (or thereabouts).

I switched back to Avira (I swap between MSE, Avira, Avast and Kaspersky, when I have a license) and that was that. I have a pretty crappy laptop that's showing its age (lagging on most new websites, reaching 90C on Youtube etc) and even MSE runs at inexplicable times even though I changed the scan time from the options.


So you're saying I will be infected with a virus through an ad? How is that possible?


Privilege escalation through bugs in Flash and/or browser and/or Java and/or other plugins (approximately in that descending order).


Is anyone aware of any documented reports of well-known "reputable" antivirus/antimalware companies being involved in the development or spread of viruses, etc.? I've heard in the past reports (that make sense) about these companies making business for themselves by ensuring a threat exists to fight, but it is tough to believe that this could happen without it eventually coming to light.

Could John McAfee have known about this or even have been involved, and this is one of the reasons for some of his strange behavior (related guilt, involvement with criminals and criminal organizations)? Or is there no basis to any of that?


This has been an argument since viruses became well known; they've been Turing complete since the beginning:

"Much like an infection, a well-intended but badly designed program to stop viruses can run amok, knocking out thousands of computers or destroying vast amounts of data. Indeed, one program intended to defeat a known virus has destroyed data on personal computers used by businesses and the Government in the United States."

http://www.nytimes.com/1989/10/07/business/computer-virus-cu...


Now if we could only tackle the certificate authorities...


This is a salient point but somewhat moot. Consider that as nation states deem they want to break into your computer, then you are as likely to be able to prevent that as you would if they chose to occupy your home by force. Not many people can fend off a military attack on their residence.

But this does make clear that the future of secure computing will come from the crooks, not from software companies. They are after all just as likely to be penetrated as the next guy and so they will endeavor to build systems that can resist the sorts of threats that they themselves exploit against others.


A physical presence is far more difficult to conceal than a digital one, and furthermore the concealment of digital presences can be re-used across vast swaths of the world, whereas physical presences require a great deal of manpower to duplicate. This is a key distinction that makes comparing physical security and digital security a specious and pointless comparison.

Also, the realm of digital security is quite different in that vast swaths of the world have effectively no digital security.


I think it's interesting how this event coincides with the majority of consumer computer systems now running *nix based operating systems.


I always wondered why there aren't more botnets just using JavaScript with browsers. Many people leave tabs open forever.


Maybe, even with that, they wouldn't be persistent enough or would be too easily traceable to a source, or blockable? Or maybe js doesn't allow the level of access that flash or java might, so the ROI isn't worth it.

Although the case might be different for browser plugins (I don't know), it might be more effective to poison one of those than, say, run something directly in a browser.


The anti-virus age may be over, but if the supporting evidence is that host based signature products don't provide an effective defense against a variety of common security threats, then the anti-virus age was over a long, long time ago. Like back to when things propagated for months or years autonomously without any modifications to the main component - the stuff that actually matched the term "virus" that we now use as a synonym for malware.

The last time that such items were anything but an unusual novelty was something like 2003. The last time they were the most substantial threat was sometime in the 1990s. And while it typically wasn't viral, a variety of naive threats produced by amateurs continued to be a good portion of the threat landscape until around the middle of the last decade.

That isn't to say database driven signature systems never stop any attacks. They just provide such a small amount of defense, and are so consistently unable to identify well publicized threats months after their public use in the wild, that there is little to any statistical difference in compromise between a well configured and patched system with an AV engine and the same system without an AV engine.

But while their product is ineffective, they are far from alone in the security industry. IDS systems are wildly ineffective in any configuration that isn't custom tuned for defending an extremely limited network that exclusively transports a few specific protocols in very predictable ways - mostly backend networks in datacenters. Typical edge firewalls defend against a threat that primarily exists because they enable it - clients are so vulnerable on local networks that they couldn't survive that way on open networks. But without them we'd have just reduced the attack surface like we've done with public facing servers. As nearly every compromise includes a service that's intentionally exposed or intentionally allowed through the edge, they are at best a limited crutch to avoid having to ensure each computer is as minimally exposed to start with. If your firewall allows you to be an extra soft target once an attacker has established a foothold inside, it's arguable that you'd have been better off totally exposed, so that you limit the number of additional systems that exist in radically insecure postures.

The only automated system that comes to mind that I've seen provide any real amount of value are the expensive and exclusive block list subscriptions that contain databases of actively operating C&C servers and similar active APT sources. But these would become worthless if any of them ever enjoyed widespread adoption, as they'd simply stop being lazy and using the same servers all the time.

ASLR, DEP and even managed code to a certain extent all are similarly ineffective in that while making exploits more complicated they've had no impact on the rate of compromise.

The simple fact is that offensive security has won for the foreseeable future and defensive security has lost entirely, with no real hope of change without dramatic practice shifts.

For client security the only things that have provided clear and practical benefits have been a) reducing the attack surface by mass removal of services and features and b) building the system with the expectation of regular compromise, and including an easy and reliable way to wipe and restore. Oh, and forced automatic patching.

The ChromeOS team gets it. The Windows RT team gets it. iOS gets it. Anyone producing a client OS that is feature rich, highly configurable, and strives for easy out of the box use should be considered systemically insecure at this point. Any motivated attacker will succeed against it 99%+ of the time.

But since there are really no other options for so many people and tasks, it's very uncomfortable to explain to someone that they are able to do little to nothing about it that won't involve draconian systems users would refuse to use, and that compromise is at some point essentially inevitable.

So you tell them to run anti-virus. It's like children hiding under their desks in the event of nuclear war. It helps avoid some amount of existential crisis.

That's why the anti-virus age won't be over for a long, long time. Because if you don't have a replacement that's actually good, and no one even has a clue what that would look like, you still need to tell people to use their AV. Just like you need to tell people there is heaven.


> an average software developer in India gets about 320,000 INR per year, which equates to roughly 5700 USD. Compare that to the price of a malware analyst or systems security analyst, which is 60,000 USD before insurance, pension and other benefit costs are tacked on. That means that for every analyst that an AV company hires, the bad guys can hire 10 developers.

I doubt an average developer from India is capable of writing a polymorphic virus. Or not from India.

Most developers I know only know a few technologies and stay within that bubble, and rarely do any side projects, or code for fun.


The bit about Indian developers is simply bizarre. Firstly, Indian developers are more expensive than they've ever been, so that notion made more sense a decade ago. Secondly, has anyone ever heard of outsourced shops developing exploits using low-paid talent? I don't recall that ever being the case, and instead it's a small number of very skilled but unfortunately motivated developers.

Those inexpensive offshore developers can barely sling some Visual Basic together. They aren't developing clever NX circumvention exploits.


Hi there, I'm the author of this article.

I wrote this about a year ago, when the average salary of an Indian developer was significantly less, and there was a huge market in low-quality low-cost development houses out there. These days you can replace "India" with Sri Lanka, China, or any of the other countries with a significant poor minority and an up-and-coming tech market.

My primary point was that there are people with a price-point way below that of your average US or UK worker, so the cost of production is much lower.

