Slashdot Mirror


Anti-Virus Effectiveness Down from Last Year

juct sends us Heise Security's summary of an article detailing the abilities of 17 current anti-virus solutions. German computer magazine c't has found that, compared to last year, the virus scanners are having a more difficult time recognizing malware. Quoting Heise: "For real protection, however, in view of the flood of new malware, the way these programs cope with new and completely unfamiliar attacks is more important. And that's where almost all of the products performed significantly worse than just a year ago. The typical recognition rates of their heuristics fell from approximately 40-50 per cent in the last test - at the beginning of 2007 - to a pitiful 20-30 per cent."

6 of 201 comments

  1. smitFraud by Freaky+Spook · · Score: 4, Interesting


    I've had a lot of people bring me PCs infected with smitFraud that the big AVs have not even recognised or been able to properly remove; they have been pretty angry that the $90 or so they paid for a complete Internet Security product was not able to protect them.

    It causes Windows to pretty much choke and die, as it just consumes so many resources and provides so much irritation, but major products like Trend or Symantec have not been able to successfully protect against or remove it; I have had to use custom-written tools that you get off the net for free. They really dropped the ball with that one.

    1. Re:smitFraud by Barny · · Score: 3, Interesting

      Been getting this one a lot; the fix is usually fine for older variants, but new versions and revisions spring up that it just seems to miss. The system seems clean at first, but usually about a month later it is all back.

      I usually tell customers this, and tell them they have two choices:
      1. We can try the smitFraud fix and, who knows, it might be lucky, but if they have to bring it back in a month we will charge them again.
      2. We can back up all their data, format, reinstall, and remove any executable files from their backup.

      The second always works; I have never had a re-infection with it (well, I have, but that is usually thanks to someone surfing porn regularly, proven to the customer by showing them the browse history).

      Best protection for it: Firefox + NoScript, which I tell the customer about and offer to install for no extra cost, of course :)

      Only problem is, my boss kinda hates me: we don't get the same people bringing their machines in every 2 months anymore needing a software clean done :P

      --
      ...
      /me sighs
  2. Just don't do it... by Dishevel · · Score: 4, Interesting

    Just don't have AVs installed at all. Not having AV installed on my system keeps me from even thinking of trying anything stupid. Every month or so I download a free trial of a non-Norton / non-McAfee AV program, update it, and run a full scan. Then I do the same with a different one. Then I repeat with spyware/malware programs. All that has ever been found is a few cookies. Safety through not doing stupid shit.

    --
    Why is it so hard to only have politicians for a few years, then have them go away?
  3. Re:yeah, but.. by allcar · · Score: 4, Interesting

    You make an excellent point.
    Pro-Linux as I am, I still do not feel that we can afford to be complacent about the malware issue. The reason that Linux is largely unaffected is that it is not very widely used, especially by the sort of numpties that get tempted by exciting new screensavers bearing trojans.
    If/when we succeed in bringing Linux to the masses, this layer of protection will be torn away. I hope and believe that Linux is more secure by design, and the same is probably true of many of the apps that are popular in Linux distros - you won't find ActiveX cheerfully opening the door to anyone. However, nobody should be ignoring malware with the excuse that Linux is immune.

  4. Why the drugs don't work anymore by Opportunist · · Score: 3, Interesting

    It was prone to happen. Actually I'm amazed it's considered news.

    The malware-antimalware war ain't a static one. Both sides are engaging in a quite impressive arms race. They start creating morphing trojans, we create ways to detect them, they create global trojan floods, we employ detection networks to catch them, they switch from mail distribution to infected webpages, we start sending out spiders, they start using targeted spam, we create fake personalities to be "interesting" for them, they ...

    It's just the same with the detection and elimination routines. They use certain API calls, we start listening to those calls carefully, they switch the calls, we follow, they start using executable packers, we develop exec unpackers, we discover that malware PE headers have a certain format, they change the format and create "filler" sections to look normal...

    It's just a chapter in that arms race. Give us 2 months and we're back on par.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Re:where are all the Linux server exploits .. by GreggBz · · Score: 4, Interesting

    A user compromise on a Linux system would provide suitable functionality for today's typical malware.

    On my default, fully security-patched Mandriva workstation:

    - I have full read/write/execute permission to my home directory.
    - I can run wget to download anything, and put it as an executable anywhere in my home directory.
    - I can use perl, awk, whois, grep, sed, whatever, to craft some pretty nasty scripts.
    - I can use telnet, and I could write an expect script to send spam with telnet.
    - Or, I could just download a pre-crafted ELF binary to run as a mini mail server in my home directory.
    - It's not too hard to imagine that I could pop something in /tmp or elsewhere that would persist on the system even after the user had been deleted.
    - I could fire off a fork bomb that will crash the system instantly.

    It does not take too much imagination to figure out some suitably bad stuff that you could do as any old user.

    Of course, hiding yourself on the system and ensuring your survival could be difficult. It would be easy to find all the nasty services running as said user, since top, ps, etc. would not have been compromised.