Sunday, April 01, 2007

Answer to My Antivirus Mystery Question and a "Fun" Story

Remember my blog post about testing the captured malware binaries via VirusTotal? What I asked there was this:

"So, let's suppose somebody who is involved with incident response at a typical US public University has collected a few recent malware samples from the compromised machines and then submitted all the samples to VirusTotal for scanning with pretty much ALL current anti-virus and anti-virus-like products.

What do you think the average detection rate (i.e. a malware sample was identified as "something bad") was?"

I wanted to hold off for a bit more but something happened.

First, let me give you the answer: it is 33%. In other words, the average detection rate of these "solutions" against the collected malware was 33%, with a maximum of 50% and a minimum of 2% (!). Keep this number in mind: that shiny anti-virus product you just bought might be protecting you from just 2% of currently active and common malware (not some esoteric, custom uber-haxor stuff)!
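As an added illustration of how such figures are derived from a multi-engine scan (example code written for this edit, not from the original post or the private study it cites; the scan matrix, engine names and sample names below are constructed placeholders, not the study's data):

```python
"""Detection-rate arithmetic over a VirusTotal-style result matrix.

Added example, not from the original post or the AV study it cites. The
scan results are constructed. It computes the per-product view (what
fraction of the samples each engine flagged, the view behind "average,
maximum, minimum"), the per-sample view (what fraction of the engines
flagged each file), the list of samples nobody caught, and the union view
(what fraction of samples at least one engine caught).
"""
from statistics import mean

# Constructed scan matrix: sample -> {engine: detection label, or None if the
# engine reported the file clean}. In practice the sample key would be the
# file's SHA-256, not its name: renaming "uvcx.exe" costs the attacker nothing,
# while the hash identifies exactly what was scanned.
RESULTS = {
    "sample-1": {"EngineA": "Trojan.Gen", "EngineB": "W32/Agent",
                 "EngineC": None, "EngineD": None, "EngineE": None},
    "sample-2": {"EngineA": "Trojan.Gen", "EngineB": None,
                 "EngineC": "Backdoor.Bot", "EngineD": None, "EngineE": None},
    "sample-3": {"EngineA": None, "EngineB": None,
                 "EngineC": None, "EngineD": None, "EngineE": None},
    "sample-4": {"EngineA": None, "EngineB": "W32/Agent",
                 "EngineC": None, "EngineD": "Heur.Suspicious", "EngineE": None},
}


def per_engine_rates(results):
    """Fraction of samples each engine flagged (the per-product view)."""
    engines = sorted({e for verdicts in results.values() for e in verdicts})
    return {
        e: sum(1 for verdicts in results.values() if verdicts.get(e)) / len(results)
        for e in engines
    }


def per_sample_rates(results):
    """Fraction of engines that flagged each sample."""
    return {
        s: sum(1 for label in verdicts.values() if label) / len(verdicts)
        for s, verdicts in results.items()
    }


def summarize(rates):
    """(mean, max, min) of a rate dict, rounded to 3 places."""
    values = list(rates.values())
    return round(mean(values), 3), round(max(values), 3), round(min(values), 3)


def undetected_samples(results):
    """Samples no engine flagged: the ones that stay on the victim's disk."""
    return sorted(s for s, verdicts in results.items() if not any(verdicts.values()))


def union_rate(results, engines=None):
    """Fraction of samples flagged by at least one of the given engines
    (all engines if None): the best case for stacking several products."""
    hit = 0
    for verdicts in results.values():
        chosen = verdicts if engines is None else {e: verdicts.get(e) for e in engines}
        if any(chosen.values()):
            hit += 1
    return hit / len(results)


if __name__ == "__main__":
    print("per engine:", per_engine_rates(RESULTS), summarize(per_engine_rates(RESULTS)))
    print("per sample:", per_sample_rates(RESULTS), summarize(per_sample_rates(RESULTS)))
    print("undetected:", undetected_samples(RESULTS))
    print("union of all engines:", union_rate(RESULTS))
```

The means of the two views always coincide (both equal total detections divided by samples times engines), so the figures that actually discriminate are the extremes, the undetected list, and the union: in the constructed matrix even the union of all five engines still misses one of four samples.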

So I have to conclude what many security "punditoids" have been blabbing about for years: "mainstream" anti-virus is finally DEAD. Running it can be considered a weak excuse for defense-in-depth, but in about the same sense that wearing an extra shirt provides "another security layer" in a gun fight...

Second, what prompted my post at this time was that I had an ugly and very personal encounter with one such owned box. Here is my account of the story, with some details changed to protect the innocent, who was smart enough to call me for help.

What we have here is a fully patched Windows XP SP2 system (with automatic updates set to daily) running:

a) freshly updated and functioning Symantec Anti-Virus Corporate Edition version 10.X, configured with all protections, including spyware/adware

b) freshly updated Windows Defender version 1.X (set for daily updates and scans), also configured with all protections, and

c) ZoneAlarm free edition version 6.X with well-tuned outbound rules and, obviously, nothing allowed inbound.

The system was also hardened by removing a lot of the Microsoft protocols such as NetBIOS (just in case), killing many of the running services and configuring Internet Explorer (which was, I suspect, the weakest link still) to limit most of the "risky" stuff such as ActiveX, etc.

One sad day the user of the above system noticed a series of outbound connection attempts reported by ZoneAlarm. Being somewhat paranoid, the user tried to click "Deny" on the ZoneAlarm pop-up, but this button was grayed out (uh-oh...). The next thing this IT-savvy user did was to Google the name of the executable that tried to connect ("uvcx.exe") and discovered this (another uh-oh!), at which point he yanked the eth cable right out of the box - whack! :-) - and then shut down the system.

When I arrived at the incident site, the system was still turned off, so I booted it to investigate ...

To be continued.


10 comments:

Rick Shaw said...

Nice...

You need to publish your findings in a paper.

Have you found any viable alternatives to AV? We've been fairly successful with somewhat draconian filename filters on email attachments coupled with removing admin privileges for Joe User.

Anton Chuvakin said...

>You need to publish your findings in a paper.

I will certainly do so (in regard to my own experience with a compromised system)


I cannot publish the original AV study as it was privately shared with me.

Anonymous said...

Obvious results. There is Oleg Zaytsev's research that demonstrates the same results. So, I don't use anti-virus - HIPS only!

bw said...

I noticed that only one of the links that Google returned was for an antivirus company (Sophos). But that entry was dated March 28th. Does this mean that other vendors STILL don't detect this? Scary.

Anton Chuvakin said...

Now they do; when I sent the file to a bunch of AV tools, most detected this (about a month after). Look at the whole paper linked from here somewhere...

Anonymous said...

And you really need to make a VNC movie from the moment you let the pristine machine into the wild. Inevitably, the user is doing something which compounds the problem.

Anton Chuvakin said...

Indeed, but this user's action was simply web browsing....

Unknown said...

Where is the continuation of this story??

Anton Chuvakin said...

Basically, in these places:

http://chuvakin.blogspot.com/2007/04/more-on-anti-virus-and-anti-malware.html

http://chuvakin.blogspot.com/2007/04/original-anti-virus-test-paper-is-here.html

http://chuvakin.blogspot.com/2007/04/protected-but-owned-my-little.html

http://chuvakin.blogspot.com/2007/05/closure-kind-of-to-anti-virus.html

Anonymous said...

I had no idea that a free Antivirus Software program would be so good. I’ve downloaded many free anti-virus programs in the past and none of them were really that great. They all seemed to be missing something. I started using the one above though from eEye and to my surprise it does everything it’s supposed to do and then some.

Since I started using it I haven’t had any problems with malware and viruses on my computer have been a thing of the past. Pretty nice I must say. I keep a lot of my business information on my computer so the last thing I want to worry about is data file theft. I don’t worry about it though since I have Blink running in the background. If you want a solid program that does what its supposed to do check out this free one!

Dr Anton Chuvakin