AV-Test.org and Sunbelt Software are painting a troubling picture of antivirus software. It also appears that the bad folks are increasingly working together.
First, AV-Test tested what Dark Reading says are the latest versions of 30 AV products. Then, Sunbelt Software -- apparently independently -- assigned letter grades to the results. Suffice it to say, kids coming home with report cards such as these would have their Nintendo Wiis taken away.
The testing covered "on-demand" detection of malware, adware and spyware (which can be surprisingly beautiful, though creepy); false positives per 100,000 files; detection speed; proactive detection of unknown and new malware; "response time to new and widespread malware"; detection of rootkits; and remediation. The writer provides an overview of the results. The high-level conclusion is that while different products did well in some categories, none did well across the board. Sophos, Norton Antivirus and McAfee generally fared well.
The poor results from the AV-Test.org test may make the news that NovaShield has won a $500,000 grant from the National Science Foundation seem particularly welcome. The technology uses an advanced form of behavior-based monitoring. Part of the grant money will be used to commercialize the product, which is being developed by researchers at the University of Wisconsin.
The basic approach involves identifying botnets, Trojans, keyloggers and other Internet flotsam and jetsam not by what a program looks like on disk but by carefully watching how it interacts with the operating system while it runs. Watching behavior rather than signatures isn't new, but NovaShield apparently takes the concept a bit further.
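To make the idea concrete, here is a toy behavior-based monitor, added here as an example; it is not NovaShield's or the University of Wisconsin researchers' code. It scores each process by ordered combinations of its calls into the operating system rather than by any single call. The event format, the API names, the rules, their weights and the threshold are all assumptions of this sketch, and the event log is constructed.

```python
"""Toy behavior-based monitor: score a process by ordered API-call patterns.

Added illustration, not NovaShield's design. Event tuples, rules, weights and
the threshold are assumptions; EVENTS is a constructed sample log.
"""
from collections import defaultdict

# Constructed sample event stream: (pid, api, detail).
EVENTS = [
    # pid 100: an ordinary editor saving a file
    (100, "CreateFile", r"C:\Users\alice\notes.txt"),
    (100, "WriteFile", r"C:\Users\alice\notes.txt"),
    # pid 200: keyboard hook -> log file -> autostart entry -> network
    (200, "SetWindowsHookEx", "WH_KEYBOARD_LL"),
    (200, "CreateFile", r"C:\Users\alice\AppData\Local\Temp\log.dat"),
    (200, "WriteFile", r"C:\Users\alice\AppData\Local\Temp\log.dat"),
    (200, "RegSetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    (200, "connect", "203.0.113.7:8080"),
    (200, "send", "203.0.113.7:8080"),
    # pid 300: a browser-like process that only talks to the network
    (300, "connect", "198.51.100.20:443"),
    (300, "send", "198.51.100.20:443"),
    (300, "CreateFile", r"C:\Users\alice\Downloads\page.html"),
    # pid 400: a macro recorder: hook and file, but never any network activity
    (400, "SetWindowsHookEx", "WH_KEYBOARD_LL"),
    (400, "CreateFile", r"C:\Users\alice\macros\rec.bin"),
    (400, "WriteFile", r"C:\Users\alice\macros\rec.bin"),
]

# Each rule is (name, weight, ordered step predicates). A rule fires only if
# its steps all match, in order, somewhere in the process's event history.
RULES = [
    ("keyboard hook feeding a file and then the network", 60, [
        lambda api, d: api == "SetWindowsHookEx" and d == "WH_KEYBOARD_LL",
        lambda api, d: api == "WriteFile",
        lambda api, d: api in ("connect", "send"),
    ]),
    ("autostart persistence via a Run key", 30, [
        lambda api, d: api == "RegSetValue" and "\\CurrentVersion\\Run\\" in d,
    ]),
    ("outbound connection with data sent", 10, [
        lambda api, d: api == "connect",
        lambda api, d: api == "send",
    ]),
]
THRESHOLD = 50  # assumed cut-off; a lone network rule (10) never reaches it


def matches_in_order(events, steps):
    """True if every step predicate matches some event, in order (subsequence)."""
    i = 0
    for api, detail in events:
        if i < len(steps) and steps[i](api, detail):
            i += 1
    return i == len(steps)


def score_process(events):
    """Sum the weights of all rules whose ordered pattern appears in events."""
    score, hits = 0, []
    for name, weight, steps in RULES:
        if matches_in_order(events, steps):
            score += weight
            hits.append(name)
    return score, hits


def analyse(event_stream):
    """Group events by pid and score each process: {pid: (score, [rule names])}."""
    per_pid = defaultdict(list)
    for pid, api, detail in event_stream:
        per_pid[pid].append((api, detail))
    return {pid: score_process(evs) for pid, evs in per_pid.items()}


def flagged(event_stream):
    """Pids whose behavior score reaches the threshold."""
    return sorted(pid for pid, (score, _) in analyse(event_stream).items()
                  if score >= THRESHOLD)


if __name__ == "__main__":
    for pid, (score, hits) in sorted(analyse(EVENTS).items()):
        print(pid, score, hits)
    print("flagged:", flagged(EVENTS))
```

Only pid 200 is flagged: the browser (pid 300) and the macro recorder (pid 400) each exhibit one piece of the keylogger pattern but never the whole ordered combination, which is the point of scoring interactions rather than single calls.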
There may be a bit of bad news in this vnunet.com report, though the writer fails to provide the commentary necessary for a non-expert to decide. BitDefender is reported to have estimated that about 37 percent of the malware it detected last month used the same packing method. The writer explains that packing is the way in which viruses are prepared for delivery: the executable is compressed and/or encrypted and wrapped in a small unpacking stub, which shrinks the file and forces anyone analyzing it to unpack it first. What the writer doesn't say is whether the fact that more than a third of the samples used the same method means that the bad guys are working more closely together or, conversely, simply that a few widely available packers are commonly used by malware writers who don't know each other.
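Two simple checks an analyst runs against the packing question, as an added example that is not BitDefender's or any vendor's code: an entropy heuristic that spots compressed or encrypted bodies, and a stub signature that says which packer was used, which is the kind of count behind a "37 percent used the same packer" statistic. The two toy packers (a zlib compressor and a single-byte XOR crypter), their header markers, the fake program payload and the sample corpus are all constructed here for illustration.

```python
"""Packing heuristics: entropy check and packer identification by stub.

Added illustration, not BitDefender's or any vendor's code. The packers,
their stub markers, fake_program() and SAMPLES are constructed for the example.
"""
import math
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Two constructed "packers", each leaving a recognizable stub marker up front.
ZLIB_MAGIC = b"TOYPK\x01"   # hypothetical marker: compressing packer
XOR_MAGIC = b"XORK\x01"     # hypothetical marker: single-byte XOR crypter


def pack_zlib(payload: bytes) -> bytes:
    """Compress the payload; the body becomes near-random bytes."""
    return ZLIB_MAGIC + len(payload).to_bytes(4, "little") + zlib.compress(payload, 9)


def pack_xor(payload: bytes, key: int) -> bytes:
    """XOR every byte with one key; hides strings but keeps the byte histogram."""
    return XOR_MAGIC + bytes([key]) + bytes(b ^ key for b in payload)


def unpack(blob: bytes) -> bytes:
    """Recover the original payload; the analyst must know each stub to do this."""
    if blob.startswith(ZLIB_MAGIC):
        start = len(ZLIB_MAGIC)
        n = int.from_bytes(blob[start:start + 4], "little")
        out = zlib.decompress(blob[start + 4:])
        if len(out) != n:
            raise ValueError("length mismatch in packed header")
        return out
    if blob.startswith(XOR_MAGIC):
        key = blob[len(XOR_MAGIC)]
        return bytes(b ^ key for b in blob[len(XOR_MAGIC) + 1:])
    raise ValueError("unknown stub")


def identify_packer(blob: bytes):
    """Cheap static check: does the file start with a known unpacking stub?"""
    for name, magic in (("TOYPK", ZLIB_MAGIC), ("XORK", XOR_MAGIC)):
        if blob.startswith(magic):
            return name
    return None


def looks_packed(blob: bytes, threshold: float = 7.0) -> bool:
    """Entropy heuristic: compressed or encrypted bodies approach 8 bits/byte."""
    return shannon_entropy(blob) >= threshold


def fake_program(seed: int) -> bytes:
    """Constructed stand-in for an unpacked binary: strings plus skewed 'code'."""
    text = (b"Error: could not open %s\r\n" * 60) + (b"Software\\Example\\Run" * 30)
    x = seed
    code = bytearray()
    for _ in range(2048):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF   # small LCG, deterministic
        code.append((x >> 16) & 0x3F)              # only 64 values, like real code
    return text + bytes(code)


def packer_census(samples):
    """Share of samples per packer, the kind of figure a vendor report quotes."""
    counts = Counter(identify_packer(s) for s in samples)
    return {name: round(c / len(samples), 2) for name, c in counts.items()}


# Constructed corpus: 4 zlib-packed, 2 XOR-crypted, 2 unpacked samples.
SAMPLES = (
    [pack_zlib(fake_program(s)) for s in range(4)]
    + [pack_xor(fake_program(s), key=0x5A) for s in range(4, 6)]
    + [fake_program(s) for s in range(6, 8)]
)

if __name__ == "__main__":
    for i, s in enumerate(SAMPLES):
        print(i, identify_packer(s), round(shannon_entropy(s), 2), looks_packed(s))
    print(packer_census(SAMPLES))
```

The census reports half the corpus using the same packer without saying anything about who wrote the samples, which is exactly the ambiguity the vnunet piece leaves open. Note also the caveat the XOR samples show: a single-byte XOR crypter leaves the byte histogram, and hence the entropy, unchanged, so the entropy heuristic misses it while the stub signature still catches it.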
The sobering idea that malware distributors are working more closely together is reinforced by two other stories. Security Park outlines some steps that users should take as the threat landscape changes. The piece says that teamwork may be emerging as the cracker community has moved from one dominated by lone wolves -- people out to show that they can do it or to prove a political point, for instance -- to the realm of organized crime. Dollar-driven crooks are smart, and far more likely to band together.
The other story relates PandaLabs' assessment that hackers are working en masse to develop tools that replicate the scans of the major antivirus vendors, so that new malware can be tested against them before release and tuned until it goes undetected. Sharing tools like that only pays off if the malware community has accepted the idea of working closely together.