Enterprise Signatureless Malware Detection

What AV misses … and ECAT finds – Video

This is my inaugural blog post as part of the Silicium team. Coming from the AV industry, upon arriving here I naturally wanted to defend the honour of AV vendors (in general) and my previous employer (in particular) against any insinuation that we, as an industry, and AV as a technology, just weren’t up to snuff. There has been plenty written already about the ‘death of AV’ and how we are in a post-AV world. Terms like ‘AV++’ and ‘signature-less AV’ have been bandied about, but the issue is more nuanced than that. As Pascal referenced in an earlier blog post (Stuxnet, Aurora, Why AVs fail and why we still need them), AV is not going away. But, by its nature, and by the nature of APT and other new threats, AV alone falls short in some critical areas.

In particular, there is a ‘golden hour’ (really several hours, or even a couple of days) for threats, whether new or variants of existing ones: if the malware authors can get their wares widely distributed during that window, they have a very good chance of evading detection by most AV vendors. Conversely, if the author is targeting just one specific organisation, they can stay under the radar and stand a good chance that their malware will not get reported to VirusTotal or directly to the AV vendor. Despite all the progress AV vendors have made on detection, without the sample there is still a good chance, even with behavioural signatures, that a well-crafted piece of malware will install and operate without causing so much as a flutter from the AV.

To see an example of this with Symantec (sorry Symantec, you’re not alone in missing this, we had to pick someone), check out this video:

Here we pull down from abuse.ch a recent Zeus binary. Zeus is a very common piece of malware, a banking trojan that has been in the wild in one form or another for several years. In general, AV vendors have very high detection rates for older flavours, but our hardworking colleagues on the dark side continually issue upgrades. Abuse.ch does an excellent job of tracking these latest variants, so we used one for this test. Note that while the file download prompts a generic Windows warning that the file is not signed/verified, there is no warning from the AV. We then open up the ECAT console, where we can see from a scan of the machine prior to the download that the machine is clean: the Suspect Level as determined by ECAT is 0. Re-scanning after the download, the Suspect Level shoots up to 73 (really not good). Oops! ECAT has now told us this machine is seriously infected. So we run a full scan with Symantec (SEP) again, which happily declares that 24,416 files have been scanned and we’re all good to go, no problem! Well, except for one annoying tracking cookie…

The moral of this video? If there is one, it’s that sometimes what you don’t know can hurt you…

- Chad Loeven