AV Vendors' Grades Sink as Malware Writers Band Together

Carl Weinschenk

AV-Test.org and Sunbelt Software are painting a troubling picture of antivirus software. It also is apparent that the bad folks are increasingly working together.


First, AV-Test tested what Dark Reading says are the latest versions of 30 AV products. Then, Sunbelt Software -- apparently independently -- assigned letter grades to the results. Suffice it to say, kids coming home with report cards such as these would have their Nintendo Wiis taken away.


The testing covered "on-demand" detection of malware, adware and spyware (which can be surprisingly beautiful, though creepy); false positives per 100,000 files; detection speed; proactive detection of unknown and new malware; "response time to new and widespread malware"; detection of rootkits and remediation. The writer provides an overview of the results. The high-level conclusion is that while different products did well in some categories, none did well across the board. Sophos, Norton Antivirus and McAfee generally fared well.


The poor results from the AV-Test.org test may make the news that NovaShield has won a $500,000 grant from the National Science Foundation seem particularly welcome. The technology uses an advanced form of behavior-based monitoring. Part of the grant money will be used to commercialize the product, which is being developed by researchers at the University of Wisconsin.


The basic approach involves identifying botnets, Trojans, keyloggers and other Internet flotsam and jetsam by carefully watching interactions between the application and the operating system. This isn't new, but NovaShield's version apparently takes the concept a bit further.


There may be a bit of bad news in this vnunet.com report, though the writer fails to provide the commentary necessary for a non-expert to decide. BitDefender is reported to have estimated that about 37 percent of the malware it detected last month used the same packing method. The writer explains that packing is the way in which viruses are prepared for delivery: distributors use it to shrink the virus and to raise the cost of analyzing it. What the writer doesn't say is whether the fact that one-third of viruses used the same method means that the bad guys are working more closely together or, conversely, that general approaches exist that are commonly used by malware writers who don't know each other.
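As an added illustration, not taken from the vnunet.com report, BitDefender or this blog: the reason packing raises the cost of analysis is that compressed or encrypted code looks like random noise, and one routine defender-side check for that is to measure the byte entropy of each section of an executable. The Python below does exactly that over constructed sample sections (no real binary is read); the 7.0 bits-per-byte cut-off is an assumption, a commonly used heuristic threshold rather than anything the article states, and the SHA-256 chain merely stands in for what real packed output looks like statistically.

```python
import hashlib
import math
from collections import Counter

# Assumption for this example: 7.0 bits/byte is a commonly used cut-off for
# "probably compressed or encrypted"; it is not a value from the article.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data,
    approaching 8.0 for uniformly random (or well-compressed) bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = PACKED_ENTROPY_THRESHOLD) -> bool:
    """Heuristic: high entropy suggests the bytes were compressed or encrypted,
    which is what a packer produces. Legitimate compressed resources trigger
    it too, so a hit is a prompt for closer analysis, not a verdict."""
    return shannon_entropy(data) >= threshold


def classify_sections(sections: dict) -> dict:
    """Score each named section (e.g. PE sections) and flag the high-entropy ones."""
    return {
        name: {
            "bytes": len(blob),
            "entropy": round(shannon_entropy(blob), 2),
            "packed": looks_packed(blob),
        }
        for name, blob in sections.items()
    }


def pseudo_packed_bytes(length: int, seed: bytes = b"constructed-sample") -> bytes:
    """Constructed stand-in for a packed section: a deterministic SHA-256 chain,
    which is statistically close to uniform bytes, like real compressed output."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed sample sections, not data from any real binary.
SAMPLE_SECTIONS = {
    ".text": b"mov eax, [ebp+8]; call printf; ret; " * 128,          # code-like text
    ".rdata": b"Copyright (c) constructed sample. All rights reserved.\0" * 64,
    ".bss": bytes(4096),                                             # zero-filled
    ".pack0": pseudo_packed_bytes(4096),                             # packed-looking
}


if __name__ == "__main__":
    for name, info in classify_sections(SAMPLE_SECTIONS).items():
        flag = "PACKED?" if info["packed"] else "ok"
        print(f"{name:8} {info['bytes']:6d} bytes  entropy={info['entropy']:.2f}  {flag}")
```

Run it and only `.pack0` is flagged; the code-like and string sections sit around 4 bits/byte and the zero-filled section at 0. In practice the same scoring is applied to the real section table of a sample, and a high-entropy code section is one of the cheapest signals that an unpacking step is needed before signatures or static analysis will tell you anything.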


The sobering idea that malware distributors are working more closely together is reinforced by two other stories. Security Park outlines some steps that users should take as the threat landscape changes. The piece says that teamwork may be emerging as the cracker community has moved from one dominated by lone wolves -- people out to show that they can do it or to prove a political point, for instance -- to the realm of organized crime. Dollar-driven crooks are smart, and far more likely to band together.


The other story relates PandaLabs' assessment that hackers are working en masse to develop tools to replicate the scans of major antivirus vendors. The idea -- that such tools will make malware less likely to be detected once it is released -- clearly rests on the premise that the malware community has accepted working closely together.



Mar 15, 2008 6:26 PM Doug Woodall says:
Sadly, educating the online user does not seem to be making a dent in the number of infections. Are there that many new users getting online that add up to the increasing number of attacks?
Mar 17, 2008 5:33 PM Tom says:
I have recently blocked huge blocks of the Internet (both outbound and inbound) using a "xenophobic" stance against known hotbeds for malware such as Asia, Africa, and parts of Europe such as Russia. This prevents anyone in my home from visiting a webpage hosted in those regions as well as "dial home" connections from connecting to those regions. I am presently in the process of gleaning IP ranges for websites we actually visit and will, within a month, replace my blacklisting policy, which has approximately 53 outbound and 3 inbound rules, with an explicit whitelisting policy which among other things will block port 80 to any website that has SSL capability. This isn't a complete solution, but it certainly bites the wild part of the internet in the leg. Linux with FF running noscript, showip, and adblock is also helpful for preventing malware infections. My most difficult project will be convincing my wife to coasterize XP and migrate to Linux, but it's a work in progress.
