Is it Malware? - You make the call.
New malware are a dime a dozen these days. With between 8,000 and 12,000 new unique detections every day, we are on a trajectory where the total number of malware pieces will eclipse the number of valid applications in use.
Malware tools like Mpack and Asprox make it easy for a malicious user to compromise systems. Mpack, for example, is a tool a script-kiddie can purchase to inject malicious code (like IFRAME attack) into a series of websites. Computers that access these web pages then become compromised and can be used as bots to attack other systems, send SPAM, or simply log end user key strokes and send that data to the attacker.
Here’s the kicker -- Mpack is available for $500-$1000, has a management console, a premium charge of $50-$100 for including new exploits in its monthly updates, and even offers technical support for this tool! This is truly an example of the underground economy at work. Perhaps they also have Sales, Marketing, and Product Management divisions.
Attackers spend a lot of time ensuring that the tools and malware look and behave like regular applications, which makes detection difficult. If you analyze the behavior of a program you may become suspicious if you saw a program that was connecting to a remote server. If you noticed the program downloading files, you would become very suspicious. If that program was uploading user information to the remote server, you would feel certain that the program was malware.
But it could also be iTunes. iTunes employs exactly the same behavior. What? You say that no serious security vendor should ever mistake iTunes for malware? You're right.
Yet, look what AVG recently did … news article
Furthermore, some malware use unique file packaging technology that causes the file fingerprint to change periodically, making malware detection a cat and mouse game between security vendors and malware writers. All of this brings us back to why we see thousands of unique malware samples every day. Vendors are finding it increasingly difficult to cope with the exponential increase in malware which results in the degradation of the quality of detection and an increase in false positives.
Symantec is known to have excellent detection technologies, but an important aspect that isn't discussed enough is the low false positive rates. A false positive occurs when a security solution wrongly detects a legitimate application as a virus and deletes/quarantines it. Vendors with inadequate resources or infrastructure end up with high number of false positives which can have a devastating impact on their customers with things like BOSD (Blue screen of deaths), systems failing to boot, etc.
Mcafee was recently plagued with a similar issue here
Symantec spends significant time and effort limiting false positives. This is evident from independent 3rd party tests. Since 2007 Symantec has ranked #1 67% of the time in independent 3rd party reviews for lowest false positives and #2 13% of the time. This is primarily due to Symantec’s investment in the Symantec Global Intelligence Network, with over 10,000 security professionals monitoring threats and security events from over 200 countries and 2+ million probes accounts around the globe.
Furthermore, Symantec maintains a massive database of clean and commonly used files to reduce false positives prior to releasing our definitions. So, sell with confidence and be sure to talk to your customers about how Symantec’s Global Intelligence Network provides unparalleled detection capabilities and low false positives.
By Nimesh Vakharia