Sunday, April 01, 2007

Answer to My Antivirus Mystery Question and a "Fun" Story

Remember my blog post about testing the captured malware binaries via VirusTotal? What I asked there was this:

"So, let's suppose somebody who is involved with incident response at a typical US public University has collected a few recent malware samples from the compromised machines and then submitted all the samples to VirusTotal for scanning with pretty much ALL current anti-virus and anti-virus-like products.

What do you think the average detection rate (i.e. a malware sample was identified as "something bad") was?"

I wanted to hold off for a bit more but something happened.

First, let me give you the answer: it is 33%. In other words, an average detection rate of malware from these "solutions" was 33% with maximum at 50% and minimum at 2% (!). Keep this number in mind, that shiny anti-virus product you just bought might be protecting you from just 2% of currently active and common malware (not some esoteric and custom uber-haxor stuff)!

So, I have to conclude what many security "punditoids" were blabbing about for years: "mainstream" anti-virus is finally DEAD. Running it can be considered a weak excuse for defense-in-depth, but in about the same sense as wearing an extra shirt provides "another security layer" in a gun fight...

Second, what prompted my post at this time was that I had an ugly and very personal encounter with one of such owned boxes. Here is my account of the story, with some details changed to protect the innocent, who was smart enough to call me for help.

What we have here is a fully patched Windows XP SP2 system (with automatic updates set to daily)

a) freshly updated and functioning Symantec Anti-Virus Corporate Edition version 10.X, configured with all protections, including spyware/adware

b) freshly updated Windows Defender version 1.X (set for daily updates and scans), also configured with all protections, and

c) ZoneAlarm free edition version 6.X with a well-tuned outbound rules and, obviously, nothing allowed inbound.

The system was also hardened by removing a lot of the Microsoft protocols such as NetBIOS (just in case), killing many of the running services and configuring Internet Explorer (which was, I suspect, the weakest link still) to limit most of the "risky" stuff such as ActiveX, etc.

One sad day the user of the above system noticed a series of outbound connection attempts reported by ZoneAlarm. Being somewhat paranoid, the user tried to click "Deny" on a ZoneAlarm pop-up, but this button was grayed out (uh-oh...)The next thing this IT-savvy user did was to Google the name of the executable that tried to connect  ("uvcx.exe") and discovered this (another uh-oh!), at which point he wanked the eth cable right out of the box - whack! :-) - and then shut down the system.

When I arrived to the incident site, the system was still turned off so I booted it to investigate ...

To be continued.

Technorati tags: , , ,

Dr Anton Chuvakin