Archive for February, 2008

29A Labs has left the building

February 27th, 2008 2 comments

One of the most famous international VX groups, 29A Labs, announced yesterday they are closing shop. Following is a note that VirusBuster, the last standing member of the now defunct 29A, posted on the group's website yesterday:

I tried to contact ValleZ for some time in order to take a decission together about the future of 29A with no luck therefore I decided to take the decission alone. And my decission is that 29A goes officially retired. I feel this is fair because I am kinda the alpha and the omega of the group. 29A was born in Dark Node,
my BBS, and I am the last active member of the group. My last words as
29A member are for all the people that worked hard to make of this
group the best one: Thank you very much! Regards, VirusBuster/29A.

Creators of infamous viruses (such as W32/Marburg, W32/HPS and WinCE/Dust, the first virus for PocketPC and Smartphones), this spanish born group has been known for researching leading edge techniques, such as per-process residency, metamorphism, entry-point obscuring, and protected-mode viruses.

Goodbye to you all, wherever you may roam!

Categories: News Tags:

2007 WildList Proactive Detection

February 18th, 2008 5 comments

Andreas Marx from AV-Test has just finished WildList Proactive Detection and Response Time Testing for Q4 2007. You might remember I published the Q3 2007 results, where we achieved a 94% detection rate of the new malware included in the WildList proactively (meaning that Panda customers were protected from the moment the malware appeared for the first time). I'm happy to report that our proactive detection rate of WildList malware has improved to 98% during Q4-2007, which means that we detected 60 out of 61 new additions to the WildList proactively, without requiring any signature updates.

So if we take the WildList Proactive Detection Rates from April to December 2007 this is what the results look like:

Some disclaimers about the data:

  • The testbed consists of new additions to the WildList, which is a collection of "in-the-wild" self-replicating viruses, worms and some trojans. The WildList does not include non-replicating malware such as spyware, adware, trojans, rootkits, etc. but that's another discussion we'll have someday.
  • As you can see there's a difference in the proactive detections of our BETA signatures and our REGULAR signatures. All our commercial products automatically download and use BETA signatures transparently between regular daily update intervals, so the protection rate shown as BETA is the one that actually applies to all our customers alike. EDIT: this applies only to certain products and BETA signatures.
  • The table does not show other AV vendors' BETA signatures as per request from AV-Test.
  • I've also separated results from endpoint engines and gateway engines as these are not comparable.

A couple of very important clarifications from AV-Test on how to read this data:
"Please note that term "proactive" doesn't necessarily indicate a heuristic or generic detection, but it will just say that a malware was detected *before* it was reported to the WildList of the specific month."

"A WildList malware could already be spreading in April 2007, for example, but when it was first added to the June 2007 WildList, we just checked for the proactive detections on June 1, 2007. So the values doesn't show the proactive detections from the time the malware first appeared "in the wild", but from the time the malware first appeared on the WildList. That's a big difference."

Categories: Heuristics, Stats Tags: