Monday, April 07, 2008

What? You Are Releasing Untested Malware?

... What are you, some kind of amateur? :-)

Dancho Danchev reminds people how modern malware is tested here. A quote: "And when a popular piece of malware known as Shark introduced a built-in VirusTotal submission to verify the low detecting rate of the newly generated server, something really had to change - like it did."

So, imagine a malicious "clone" of VirusTotal launched by an enterprising criminal to provide "a valuable service" of malware testing to the cybercrime community. :-) "A small fee for testing, please. What, you are releasing untested malware? Phooo... What are you, some kind of amateur? :-)"

Dancho then predicts: "One thing's for sure - malware will start getting benchmarked against each and every antivirus solution and firewall before the campaign gets launched, in a much more efficient and Q&A structured approach than it is for the time being."

Please tell me: if this happens, won't it be the final nail in the "legacy"/"blacklist-only" AV coffin?

1 comment:

kurt wismer said...

it won't be the final nail in the coffin of traditional blacklists... if anything it will be a nail in the coffin of heuristics because the only part of a scanner that would have detected malware that new in the first place is the heuristic engine...

maybe it will help us kick the heuristic habit, but it won't be the end of blacklists... malware in that stage of its lifecycle has always been and will always be a problem for blacklists - that's why blacklists need to be complemented with more malware-generic techniques... no technique is a panacea, perfect unto itself...

Dr Anton Chuvakin