From HDMoore, too good to pass out:
One of the problems with automation of antivirus signature creation is that if a few AV vendors start detecting something as malicious, even with heuristics, "automagically" soon afterwards other AV vendors start doing the same without even checking if the file in question is in fact malicious or not, even going as far as creating specific signatures for it via automated systems.
An example of such a False Positive (FP) problem with automatic AV signature creation is the case of Fenomen Games (aka Gamecentersolution), by Legacy Interactive. Fenomen is a company that creates and distributes games. They do so via a bunch of "Game Downloaders" which basically allow users to choose and download different games on-the-fly. The problem is that these "Game Downloaders" have very similar characteristics to known "Trojan Downloaders", such as the runtime-packing and their behaviour (connecting to the Internet, downloading something, executing it and then exiting), so they naturally set off heuristic alarms like a christmas tree.
After manual analysis the only thing I found truly suspicious about it is the fact that we have over 200.000 different unique "Game Downloaders" from Fenomen Games in our Collective Intelligence database. The ones I checked are not malicious in any way nor do they do anything different than what they advertise (if you have evidence of the contrary please let me know). Fenomen seems pretty active from a partner/affiliate perspective and this could be the reason for the multitude of unique MD5's.
The problem with these detections are not the "heuristic" detections but the signature detections. Normally (traditionally that is) a signature detection signifies a "100% known malicious" program. However in today's world where signatures are created automatically based on other criteria, False Positives are amplified and rolled-over to other engines freely.
Some statistics of detections per engine based on the 200.000 Fenomen Games Download samples we have (names have been omitted to protect the "innocent"):
Scanner A 137.465 detections
Scanner B 101.061 detections
Scanner C 96.472 detections
Scanner D 68.264 detections
Scanner E 45.602 detections
Scanner F 38.027 detections
Scanner G 31.603 detections
Scanner H 28.152 detections
And so on…
These include both heuristic and signature detections. All of the latter are false positives by very well known AV engines!
The other problem created by these "FPs generated by automated signature systems" is that, once considered malicious, samples of these FPs are included in regular "collection sharing packages" amongst different AV labs and, more importantly, independent research and testing organizations. These type of organizations, which rely on multi-scanners to classify their testbeds, should take good care of not falling into the same mistake. So the next time you see detection rates based on AV signatures published in a magazine or website, you should be asking yourselves "what" is truly being tested.
All in all, automation at the lab is an absolute must for any AV vendor that wants to keep up with the large volume of new incoming malware. However it is critical that these systems are well supervised, finetuned and backed by engineers who oversee the signatures generated automatically to avoid creating "fenomenal" false positive problems.
DarkReading issued a note a few days ago titled "New Tests Show Rootkits Still Evade AV". These tests, originally performed by AV-Test.org, are becoming more important every day as malware is making use of advanced rootkit and hiding techniques to evade detection by security solutions. This, of course, is not news to anyone.
What is news is the effectiveness of rootkit-based malware. It really doesn't make much of a difference if solution XYZ detects the most amount of malware using traditional AV signatures if it can't even "see" the malware which is hidden by a rootkit. Modern security solutions need not only count with advanced heuristics and behavioral analysis and blocking but must also be able to dig deeper into the Operating System or else fail to protect users correctly.
The results of the test are very satisfactory for Panda products, thanks mostly to the technology incorporated into our products which has been tested thoroughly by Panda Anti-Rootkit, specially by regular readers of this blog.
In the online-scanner portion of the anti-rootkit test we did pretty well, with the highest scores in both detection and removal of malware hidden by rootkits:
In the Windows Vista test we did pretty good as well:
Three AV tools had perfect scores, catching all active and
inactive rootkits as well as removing all of them: Norton Antivirus
2008 126.96.36.199; Panda Security Antivirus 2008 3.00.00; and F-Secure
Anti-Virus 2008 6.80.2610.0.
The test is available here for those who want to take a deeper look (look for "Anti-Stealth Fighters: Testing for Rootkit Detection and Removal", Virus Bulletin 04/2008). Again many thanks to the people who've helped us test and improve our anti-rootkit technology.
EDIT: Updated link to Papers section of AV-Test Website and F-Secure detection and removal rations (26/23 vs. 23/26).
Even though we get thousands of new malware samples in the lab every day, only a fraction of these make it in-the-wild actively infecting users. These are the most interesting samples for us as they're the ones we need to concentrate on the most. The vast majority of the times we catch these either by generic signatures, heuristics or TruPrevent behavioral analysis and blocking and through a variety of sensors such as our own products installed at users' PCs, online scanners or through correlation by our Collective Intelligence.
During the month of April we've seen a total of 6.809 unique samples actively circulating and infecting users. Out of the total malware seen in-the-wild, approximately 10% of the samples are completely new and not seen in previous months. Of this new malware 81% are non-replicating Trojans while the rest are self-replicating viral/worm code.
Following below is an overview of the prevalence statistics and family details broken down by type (non-replicating and self-replicating) and use of runtime packer or obfuscator.
New Non-Replicating Trojans
Let's take a look first at the new Trojans sighted this month. As usual adware/spyware leads the list with the largest number of variants being distributed. It's obvious that the return on investment is greatest with this type of malware as there are plenty of "marketing companies" out there that offer pay-per-install affiliate programs of their malware.
An interesting trends we're seeing lately is the increase in Banking Trojan activity. These are mostly distributed via Web Exploitation Kits and Trj/Downloaders. They are best represented this month by the Banker and Sinowal families.
The following table details the new non-replicating Trojans found in-the-wild with an indication of their prevalence, from * (seen on at least two unique computers) to ***** (massive distribution).
** Malicious Packer
* Generic Malware
New Self-Replicating Virus & Worms
Even though some security experts out there maintain that 'viruses are a thing of the past', the fact is that almost 20% of the new malware we see every month are self-replicating viruses and worms. This figure is not as high as it used to be years ago but it comes to prove that viruses are definitely not dead.
As with previous months, worms spreading through Instant Messaging such as the W32/MSN.worm and W32/MSNWorm lead the list by propagating via vulnerabilities and sending links to copies of itself to all IM contacts.
The prevalence, especially in corporate networks, of the particularly nasty W32/Virutas, is probably due to its effectiveness as a cavity, polymorphic, entry point obscuring and memory resident infector virus.
The remainder of the list is mostly made up by spam-spewing bots and game password stealers for World of Warcraft and Lineage.
As above, the following table details the new self-replicating viruses and worms found in-the-wild with an indication of their prevalence (* for low and ***** for massive distribution).
By Runtime Packers & Obfuscators
I've blogged quite a bit in previous occasions about the use of packers and obfuscators, especially in money-driven Trojans, in order to avoid detection by AV signature and emulator-driven heuristics.
One of the latest key trends to watch out for is the rapidly increasing use of 'private' purpose-made packers and multi-layered packers. Also especially worrying is the ever-increasing use of "virtualization obfuscators" such as EXECryptor and Themida. Our colleague from Sophos Boris Lau gave a very good speech last week at the CARO Workshop about promising strategies for dealing with these.
MEW 11 SE 7
PE Crypt 3