  Wednesday, January 7, 2009  
Botnets Can Trample Most Anti-Virus Programs

PC World

2008-11-30

A new analysis of botnets has come up with a possible reason for their prodigious ability to infect PCs -- many anti-virus programs are near to useless in blocking the binaries used to spread them.

According to FireEye chief scientist Stuart Staniford, detection rates are so poor that, on average, only around 40 percent of security software can detect binaries during the period of greatest infectivity and danger, namely the first few days after a particular variant starts being used by botnet builders.

In a detailed blog post, he describes how he uploaded a sample of 217 binaries, culled from FireEye appliances on customer premises between September and November, to the independent VirusTotal test website. VirusTotal runs 36 anti-virus programs -- a representative sample of the security programs used by businesses and individuals -- and gives researchers statistics on how many malware binaries have already been uploaded to the site by other researchers, when they were uploaded, and how many were detected by each program.

Roughly half of the binaries picked up by FireEye were unknown to VirusTotal, a result indicative of the core problem of detecting botnet malware -- speed.

Because malware often uses 'polymorphism' -- programs are constantly changed very slightly to evade binary pattern detection -- the problem of detecting and blocking malware quickly is huge. According to Staniford, this makes it important that anti-virus programs can spot malware in the first week of its use.

"The sample is likely to get discarded by the bad guys pretty soon after that," he notes.

During the first three days after initial detection by FireEye, only four in ten anti-virus programs could spot the offending code, which suggests that many bots would evade security software during attacks on real PCs if those attacks happened during this same period.

"The conclusion is that AV works better and better on old stuff -- by the time something has been out for a couple of months, and is still in use, it's likely that 70-80 percent of products will detect it," says Staniford.
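As an added illustration of the kind of analysis Staniford describes (this is not FireEye's or the article's code), the script below groups constructed scan records by how old each sample was when it was scanned and reports the mean detection ratio per age bucket, plus the share of samples never seen by the scanning site. The record format, bucket boundaries and sample values are assumptions; the figure of 36 engines mirrors the article's VirusTotal count.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean

# Age buckets (days since the appliance first saw the binary): assumed boundaries.
AGE_BUCKETS = [(0, 3, "0-3 days"), (4, 14, "4-14 days"),
               (15, 60, "15-60 days"), (61, 10**9, "60+ days")]

@dataclass(frozen=True)
class ScanRecord:
    sample: str       # constructed label, not a real hash
    first_seen: date  # date the appliance first flagged the binary
    scanned: date     # date the multi-engine scan result was recorded
    detected: int     # engines that flagged it
    engines: int      # engines that scanned it; 0 = never uploaded (unknown)

def age_bucket(rec: ScanRecord) -> str:
    age = (rec.scanned - rec.first_seen).days
    if age < 0:
        raise ValueError(f"{rec.sample}: scan predates first sighting")
    for lo, hi, label in AGE_BUCKETS:
        if lo <= age <= hi:
            return label
    raise AssertionError("bucket table does not cover this age")

def unknown_fraction(records) -> float:
    """Share of samples with no scan on record (the 'unknown to VirusTotal' case)."""
    return round(sum(r.engines == 0 for r in records) / len(records), 2)

def detection_rate_by_age(records) -> dict:
    """Mean per-sample detection ratio, grouped by sample age at scan time."""
    ratios = {}
    for rec in records:
        if rec.engines == 0:
            continue  # unknown samples have no detection ratio to average
        ratios.setdefault(age_bucket(rec), []).append(rec.detected / rec.engines)
    return {label: round(mean(v), 2) for label, v in ratios.items()}

# Constructed records: young samples caught by few engines, old ones by most.
SAMPLE_RECORDS = [
    ScanRecord("bot-a", date(2008, 9, 1), date(2008, 9, 2), 14, 36),
    ScanRecord("bot-b", date(2008, 9, 10), date(2008, 9, 12), 15, 36),
    ScanRecord("bot-c", date(2008, 10, 1), date(2008, 10, 10), 20, 36),
    ScanRecord("bot-d", date(2008, 9, 1), date(2008, 11, 5), 28, 36),
    ScanRecord("bot-e", date(2008, 9, 5), date(2008, 11, 20), 27, 36),
    ScanRecord("bot-f", date(2008, 11, 1), date(2008, 11, 1), 0, 0),
]

if __name__ == "__main__":
    print("unknown:", unknown_fraction(SAMPLE_RECORDS))
    print(detection_rate_by_age(SAMPLE_RECORDS))
```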

FireEye's appliances can be seen as an 'early warning' system because of the way they use behavioural analysis to spot malware in real time, in some cases days or weeks before a program has been formally identified and documented by security companies. By the time it has been spotted and a signature rolled out to anti-virus databases, however, it might already be too late.

Equally, many prominent security vendors will use similar techniques to spot malware as quickly as possible, making it surprising that so many anti-virus programs failed to spot FireEye's sample binaries. The reason might simply be the vast number of samples that appear in any given period.

What nobody doubts is the importance of botnets to the spread of malware and spam, as evidenced by the recent takedown of the US hosting company McColo, which had been accused of hosting botnet controllers. In the hours after the hoster's demise, spam levels were reported to have plummeted dramatically.
