Malware Evolving Too Fast for Antivirus Apps
Bad guys use sophisticated testing to create malware that can evade even the best security programs.
Erik Larkin, PC World
Monday, December 31, 2007 08:00 AM PST
If you think that the latest security suites afford complete protection against malware attacks, think again. Today’s for-profit malware pushers use dedicated test labs and other increasingly professional techniques to improve their chances of infecting your computer. And the techniques they employ to outpace security software makers appear to be working.
Make no mistake–a good security program can go a long way toward keeping you in control of your system. But PC World’s recent tests of security suites found that new malware easily evaded the applications. In our tests of how well security software blocks unknown malicious programs, the best performer detected only one in four new malware samples. In contrast, February 2007 results from similar heuristics testing showed that the best utilities caught about half of new samples.
Window of Opportunity Open
“In this industry, unlike others, we have an antagonist we have to deal with, someone we’re constantly battling back and forth with,” says Hiep Dang, director of antimalware research with McAfee’s Avert Labs. “The bad guys have the element of surprise.”
Even just a 12-hour head start can translate into thousands of infected PCs, and malware authors have long tested their programs against antivirus applications to make sure they get that critical jump on the opposition. VirusTotal.com and similar Web sites, which allow security researchers and consumers to submit a questionable file and have it scanned by more than 30 different antivirus engines, have unfortunately made the testing easier for malware writers: Crooks can continue to tweak their new malware projects until VirusTotal or one of the other new multilanguage sites shows that the rogue application can slip past the majority of antivirus programs.
Good vs. Evil?
Bad guys’ use of sites such as VirusTotal can have a hidden benefit. After online thugs submit a sample, VirusTotal can sometimes share it with security companies, which can then update their programs to block the new malware. But the site permits users to opt out of having their samples submitted to antivirus vendors. VirusTotal says it offers the option so that people can scan sensitive files at the site without having them broadcast to companies.
Some well-organized criminal groups go a step farther and “maintain their own antivirus setups, almost like their own VirusTotal,” according to Don Jackson, senior security researcher with the security services firm SecureWorks.
Keep Your Guard Up
Jackson says the opportunities for prerelease testing make for harder-to-catch malware–and underscore why smart PC users should never assume that their machines are immune to attack. For example, almost every day, SecureWorks sees new variants of the PRG Trojan horse made with a particular kit. And when the new versions first appear, usually only 25 percent of antivirus scanners detect them, he says.
As bad as all of that might seem, don’t throw in the towel and resign yourself to the inevitability of infection. For one thing, antivirus programs can do very well once their creators learn about a new sample. When fully updated and pitted against PC World partner AV-Test’s “zoo” of 675,000 Trojan horses, keyloggers, and other malware, the best-performing security suites detected 98 percent of them.
And security companies are aware of the challenge they face in keeping pace with nimble online thieves. McAfee and Symantec are focusing on additional layers of security, including firewalls and behavioral scanners, which detect malicious software based on its behavior rather than on a signature match.
Join the Good Fight
Click to view full-size image.
Malware authors can exploit sites like VirusTotal to get a jump on antivirus vendors.
Multilayered security is important, but you are the most important component by far. AV-Test’s results (and other security analyses) show that no program can provide complete protection. Some malicious and creative entrepreneur will always discover a way around any particular security program.
Getting around you can be much harder for malware creators, however, if you follow basic precautions. Crooks are quick to pounce on fresh program vulnerabilities, so be sure to keep all of your applications–not just your Web browser and Windows–up-to-date to seal off entire avenues of attack. Also, the best social-engineering tactics often accompany the newest and hardest-to-detect malware. If you assume that every unexpected e-mail attachment is an attack, and ask for confirmation from the sender before opening any attachment, you’ll block another huge chunk of potential infections.
Malware authors may obtain a temporary lead over antivirus programs, but if you take sensible precautions in addition to running security tools, they won’t get a leg up on you.
Leave a comment
No comments yet.