The Confident SMB

Is it Malware? - You make the call.

Created: 18 Jan 2010 • Updated: 26 Jan 2010 • 3 comments

New malware is a dime a dozen these days. With between 8,000 and 12,000 new unique detections every day, we are on a trajectory where the total number of malware samples will eclipse the number of legitimate applications in use.

Malware kits like Mpack and Asprox make it easy for a malicious user to compromise systems. Mpack, for example, is a tool a script kiddie can purchase to inject malicious code (such as an IFRAME injection) into a series of websites. Computers that visit these web pages then become compromised and can be used as bots to attack other systems, send spam, or simply log end users' keystrokes and send that data to the attacker.

Here's the kicker: Mpack sells for $500-$1000, has a management console, charges a premium of $50-$100 for including new exploits in its monthly updates, and even offers technical support for the tool! This is truly an example of the underground economy at work. Perhaps they also have Sales, Marketing, and Product Management divisions.

Attackers spend a lot of time ensuring that their tools and malware look and behave like regular applications, which makes detection difficult. If you analyzed the behavior of a program, you might become suspicious on seeing it connect to a remote server. If you noticed it downloading files, you would become very suspicious. If it then uploaded user information to that remote server, you would feel certain the program was malware.

But it could also be iTunes. iTunes employs exactly the same behavior. What? You say that no serious security vendor should ever mistake iTunes for malware? You're right.

Yet, look what AVG recently did … news article   

Furthermore, some malware uses packing technology that causes the file's fingerprint to change periodically, making malware detection a cat-and-mouse game between security vendors and malware writers. All of this brings us back to why we see thousands of unique malware samples every day. Vendors are finding it increasingly difficult to cope with the exponential increase in malware, which results in degraded detection quality and an increase in false positives.

Symantec is known for excellent detection technologies, but an important aspect that isn't discussed enough is its low false positive rate. A false positive occurs when a security solution wrongly detects a legitimate application as a virus and deletes or quarantines it. Vendors with inadequate resources or infrastructure end up with a high number of false positives, which can have a devastating impact on their customers: BSODs (blue screens of death), systems failing to boot, and so on.

McAfee was recently plagued with a similar issue here

Symantec spends significant time and effort limiting false positives, as is evident from independent third-party tests. Since 2007 Symantec has ranked #1 67% of the time in independent third-party reviews for lowest false positives, and #2 13% of the time. This is primarily due to Symantec's investment in the Symantec Global Intelligence Network, with over 10,000 security professionals monitoring threats and security events from over 200 countries and 2+ million probe accounts around the globe.

Furthermore, Symantec maintains a massive database of clean, commonly used files and checks new definitions against it before release, to reduce false positives. So, sell with confidence, and be sure to talk to your customers about how Symantec's Global Intelligence Network provides unparalleled detection capabilities and low false positives.
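As an added illustration (not code from this post or from Symantec), here is a small Python model of the three mechanisms the post describes: a hash-based signature database, a behaviour-based heuristic, and a database of known-good files consulted before a verdict is issued. The sample file bytes, the behaviour weights and the threshold are all constructed for the example. The point it shows is the one made above: the media-player-like program and the bot exhibit identical behaviour (connect, download, upload), so behaviour alone scores both as suspicious, and only the known-good lookup prevents the false positive; meanwhile a repacked copy of a known sample no longer matches its hash signature and is caught only by its behaviour.

```python
import hashlib

# Behaviours a sandbox or host agent might report for a process, with
# illustrative weights (assumed values for this example, not a vendor's).
BEHAVIOUR_WEIGHTS = {
    "connects_to_remote_server": 1,
    "downloads_files": 2,
    "uploads_user_data": 4,
}
SUSPICION_THRESHOLD = 5  # assumed cut-off for the behaviour heuristic


def file_hash(data: bytes) -> str:
    """SHA-256 fingerprint of a file; this is what a signature database keys on."""
    return hashlib.sha256(data).hexdigest()


def behaviour_score(behaviours) -> int:
    """Sum the weights of the observed behaviours (unknown names score 0)."""
    return sum(BEHAVIOUR_WEIGHTS.get(b, 0) for b in behaviours)


def classify(data: bytes, behaviours, known_good: set, known_bad: set) -> str:
    """Verdict order: signature hit, then known-good allowlist, then behaviour.

    Checking the clean-file database before the behaviour heuristic is what
    keeps a legitimate program with malware-like behaviour from being flagged.
    """
    h = file_hash(data)
    if h in known_bad:
        return "malware (signature match)"
    if h in known_good:
        return "clean (known-good file)"
    if behaviour_score(behaviours) >= SUSPICION_THRESHOLD:
        return "suspicious (behaviour only)"
    return "clean (no evidence)"


# Constructed stand-ins for real executables (not real file contents).
MEDIA_PLAYER = b"constructed stand-in for a media player executable"
BOT_V1 = b"constructed stand-in for a bot sample"
BOT_V2 = BOT_V1 + b" (repacked: same behaviour, different bytes)"

# Both programs do exactly the same three things on the network.
OBSERVED_BEHAVIOURS = ("connects_to_remote_server", "downloads_files", "uploads_user_data")

KNOWN_BAD = {file_hash(BOT_V1)}        # signature database knows only the first packing
KNOWN_GOOD = {file_hash(MEDIA_PLAYER)}  # clean-file database built before definitions ship


def report() -> dict:
    """Run the four cases the post discusses and return their verdicts."""
    return {
        "media player, with clean-file database": classify(MEDIA_PLAYER, OBSERVED_BEHAVIOURS, KNOWN_GOOD, KNOWN_BAD),
        "media player, without clean-file database": classify(MEDIA_PLAYER, OBSERVED_BEHAVIOURS, set(), KNOWN_BAD),
        "bot, original packing": classify(BOT_V1, OBSERVED_BEHAVIOURS, KNOWN_GOOD, KNOWN_BAD),
        "bot, repacked": classify(BOT_V2, OBSERVED_BEHAVIOURS, KNOWN_GOOD, KNOWN_BAD),
    }


if __name__ == "__main__":
    for case, verdict in report().items():
        print(f"{case}: {verdict}")
```

The ordering inside `classify` is the design choice worth noticing: a signature hit is the strongest evidence and wins, the known-good database is consulted next so that a whitelisted file is never judged on behaviour alone, and the heuristic is the last resort for files nobody has seen before, which is exactly where the repacked sample ends up.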

By Nimesh Vakharia

Comments (3)

There's no doubt that malware detection is extremely difficult and this is one of the most honest articulations of a fact becoming more and more apparent: the AV companies are losing. I'm not going to offer sympathy or try to articulate a solution in a comment on a blog. However, I will state that as a security professional I find it infuriating when I submit analyzed malware to major AV vendors. The submission is processed by automated systems or junior and foreign workers and often not understood. None of the previous work is leveraged, and often the AV database isn't updated for weeks. I believe signatures are a losing battle, but ultimately you need to enable better information sharing between independent researchers and AV companies.

Wikipedia has Symantec at 17,500 employees and McAfee at 5,600, and most large companies have at least one engineer dedicated to IDS/malware detection. You don't think those masses of people could be better leveraged? I'm not talking tight integration, just that if someone delivers an analyzed malware sample it's used and put into your product.

UmDaMan

Any way to raise a red flag if an application decides to attempt to change your IE proxy settings? Many of these fake AV programs decide to put in fake proxy settings, which then disables your IE from getting onto the internet.

Just a thought.

noucktourno
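The question above asks for exactly the kind of check a host agent can do, so here is an added Python example (not code from the post, from Symantec or from the commenter) that runs detection logic over a few constructed registry-write log lines. The registry location and value names are the ones Internet Explorer and WinINET actually use for proxy configuration; the log line format, the process paths and the allowlist of processes expected to touch those values are assumptions made for the example.

```python
import re

# Where IE/WinINET keeps the per-user proxy configuration, and the values
# that matter: ProxyEnable (0/1), ProxyServer (host:port) and AutoConfigURL (PAC).
PROXY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
PROXY_VALUES = {"ProxyEnable", "ProxyServer", "AutoConfigURL"}

# Processes expected to write proxy settings on this host (assumed allowlist).
EXPECTED_WRITERS = {
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\rundll32.exe",  # Internet Options control panel applet
}

# Constructed log line format: one registry-write event per line, space-separated
# fields; image paths are assumed to contain no spaces for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) op=(?P<op>\w+) "
    r"key=(?P<key>.+?) value=(?P<value>.*)$"
)

# Constructed sample events (not captured from a real machine).
SAMPLE_LOG = r"""
2010-01-20T10:01:02Z pid=1844 image=C:\Windows\explorer.exe op=RegSetValue key=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable value=0
2010-01-20T10:03:11Z pid=4120 image=C:\Users\bob\AppData\Local\Temp\av_setup.exe op=RegSetValue key=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer value=127.0.0.1:8080
2010-01-20T10:03:11Z pid=4120 image=C:\Users\bob\AppData\Local\Temp\av_setup.exe op=RegSetValue key=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable value=1
2010-01-20T10:03:12Z pid=4120 image=C:\Users\bob\AppData\Local\Temp\av_setup.exe op=RegSetValue key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater value=C:\Users\bob\up.exe
2010-01-20T10:05:40Z pid=2210 image=C:\Windows\System32\rundll32.exe op=RegSetValue key=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL value=http://proxy.corp.example/wpad.dat
""".strip().splitlines()


def parse_event(line: str):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_proxy_change(event: dict) -> bool:
    """True when the event writes one of the proxy values under the IE settings key."""
    if event["op"] != "RegSetValue":
        return False
    parent, _, value_name = event["key"].rpartition("\\")
    return parent.lower() == PROXY_KEY.lower() and value_name in PROXY_VALUES


def check_event(event: dict):
    """Return an alert dict for a proxy change made by an unexpected process, else None."""
    if not is_proxy_change(event):
        return None
    if event["image"].lower() in {p.lower() for p in EXPECTED_WRITERS}:
        return None
    return {
        "time": event["ts"],
        "pid": int(event["pid"]),
        "image": event["image"],
        "value_name": event["key"].rpartition("\\")[2],
        "new_value": event["value"],
        "reason": "IE proxy setting changed by a process outside the allowlist",
    }


def scan(lines):
    """Run every line through the parser and the check; collect the alerts."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        alert = check_event(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['time']} {alert['image']} set {alert['value_name']}={alert['new_value']}: {alert['reason']}")
```

Two of the five constructed events trigger an alert: the writes from the temporary-folder executable that point the browser at a local proxy and then enable it. The write to the Run key is ignored because the check is deliberately narrow, and the two writes by explorer.exe and rundll32.exe are suppressed by the allowlist, which is the part that keeps this rule from firing every time a user opens Internet Options.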

Well worth the read. Thank you very much for taking the time to share with those who are starting on the subject. Greetings.
