In "The anti-virus age is over," Graham Sutherland argues that the targeted, hard-to-stop attacks used by government-level hackers and other "advanced persistent threats" are now so automatable that they have become the domain of everyday script-kiddie creeps. Normally, the advanced techniques are only used against specific, high-value targets -- they're so labor-intensive that it's not worth trying them on millions of people in order to get a few more machines for a spam-sending botnet, or to extract a few credit-card numbers and passwords with a key-logger.
But all attacks tend to migrate from the realm of hand-made, labor-intensive and high-skill techniques to automated techniques that can be deployed with little technical expertise against millions of random targets.
Signature-based analysis, both static (e.g. SHA1 hash) and heuristic (e.g. pattern matching) is useless against polymorphic malware, which is becoming a big concern when you consider how easy it is to write code generators these days. By the time an identifying pattern is found in a particular morphing engine, the bad guys have already written a new one. When you consider that even most browser scripting languages are Turing complete, it becomes evident that the same malware behaviour is almost infinitely re-writeable, with little effort on the developer’s part. Behavioural analysis might provide a low-success-rate detection method, but it’s a weak indicator of malintent at best.
We’ve also seen a huge surge in attacks that fit the Advanced Persistent Threat (APT) model in the last few years. These threats have a specific target and goal, rather than randomly attacking targets to grab the low-hanging fruit. Attacks under the APT model can involve social engineering, custom malware, custom exploits / payloads and undisclosed 0-day vulnerabilities – exactly the threats that anti-malware solutions have difficulty handling.