Dailydave mailing list archives
Re: The Anti-Virus/IDS fantasy world
From: "val smith" <valsmith () offensivecomputing net>
Date: Sun, 17 Jun 2007 10:30:20 -0600
What I find interesting is the lack of insight into what AV companies actually do behind the scenes. Peter Szor's book was a great look into some things, but AVs don't really publish what they actually do very often. How do they analyze samples? How do they deal with packers? I can make some educated guesses, but I'm still very curious. We pretty much publish our techniques, but we're not an AV company, so maybe that doesn't count.

We've got many tens of thousands of samples, both old and new, that we've been through both automagically and manually. The common thing that I've seen is that malware sucks. It's not sophisticated, it uses dirt simple, often ancient techniques, and it's slow to adopt new things. For example, Joanna, us, and others have released numerous techniques for VM detection. These techniques are multiple years old and not too difficult. What do I see most often in my collection for VM detection? Putting the output of "net start" into a text file and searching for "vmware". Where are all the awesome anti-analysis/anti-vmware samples out there?

Why does malware suck? Because it still works. AV sucks at detecting it, users suck at avoiding it, so why bother making it sophisticated?

However, I would say don't underestimate malware authors just because the bulk of what's out there isn't very good. It has moved from the kid or "researcher" screwing around to a professional business. Occasionally we see "commercially" developed malware that IS very sophisticated. Rustock is a good example of this. Lots of the spyware out there is actually pretty good too. I would venture to say it takes some skill to release a "software product" to millions of users and have it work consistently. A lot of malware achieves this one simple goal that occasionally even professional software vendors fail at.

V.

On 6/15/07, Paul Melson <pmelson () gmail com> wrote:
> > I would suggest you are talking about different people.
> > The malware analysts at any AV company probably dig through more malware samples than you do on a
> > regular basis.
>
> I would hope so, seeing as it's at the top of their job description. But you know who's probably not elbow-deep in malware these days? Mark Harris.
>
> > Underestimating your opponents is a fatal mistake either way. The best malware analysts I know are well
> > aware of the skills of the authors. Likewise so are the authors I know aware of the skills of the
> > analysts.
>
> In fairness to Mark Harris, the malware submission that sparked his post 1) didn't run and 2) contained furry pr0n. Maybe he's not underestimating in this one case.
>
> PaulM
--
******************************************
* Val Smith
* CTO Offensive Computing, LLC
* http://www.offensivecomputing.net
*******************************************
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
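The post contrasts the crude VM check it sees most often (dump "net start" to a file, grep for "vmware") with the published instruction-level techniques (Red Pill's sidt, the VMware I/O backdoor) that almost never show up in the collection. The following is an added example, not code from the post or from Offensive Computing, of a static triage script an analyst could run over a sample set to measure exactly that: it scans raw bytes for the string artefacts of the crude approach and for the opcode/magic-value fingerprints of the instruction-level approach, and buckets each sample by the highest tier found. The sample byte strings, the tier names and the pattern list are constructed for illustration; the opcode encodings (0F 01 /0 and /1 for sgdt/sidt, 0x564D5868 "VMXh" as the VMware backdoor magic in EAX, port 0x5658) are the documented ones.

```python
"""Static triage of anti-VM indicators in raw samples.

Added example for the thread; not the post's own tooling. It bins each
sample by the most sophisticated VM-detection artefact it contains.
"""
import re
from dataclasses import dataclass, field

# Tier 0: the crude artefacts the post describes ("net start" piped to a
# file and grepped for "vmware"). Each literal is matched case-insensitively
# both as ASCII and as UTF-16LE, since Windows binaries carry wide strings.
CRUDE_STRINGS = [b"net start", b"vmware", b"vbox", b"virtualbox", b"qemu"]

# Tier 1: instruction-level checks from the published VM-detection papers.
#   sgdt/sidt encode as 0F 01 /0 and 0F 01 /1 with a *memory* ModRM
#   (mod != 11), i.e. a ModRM byte in 00-0F, 40-4F or 80-8F.
#   The VMware backdoor loads magic 0x564D5868 ("VMXh") into EAX; as an
#   immediate it is stored little-endian, e.g. B8 68 58 4D 56.
INSTRUCTION_PATTERNS = {
    "sgdt/sidt (Red Pill style)": re.compile(rb"\x0f\x01[\x00-\x0f\x40-\x4f\x80-\x8f]"),
    "VMware backdoor magic 0x564D5868": re.compile(rb"\x68\x58\x4d\x56|VMXh"),
}


def _string_patterns():
    """Build (label, ascii_regex, utf16le_regex) triples for the crude strings."""
    pats = []
    for s in CRUDE_STRINGS:
        ascii_re = re.compile(re.escape(s), re.IGNORECASE)
        wide_re = re.compile(re.escape(s.decode().encode("utf-16-le")), re.IGNORECASE)
        pats.append((s.decode(), ascii_re, wide_re))
    return pats


STRING_PATTERNS = _string_patterns()


@dataclass
class Report:
    crude: list = field(default_factory=list)
    instruction: list = field(default_factory=list)

    @property
    def tier(self) -> str:
        """Highest tier of evidence found: instruction-level beats crude beats none."""
        if self.instruction:
            return "instruction-level"
        if self.crude:
            return "crude"
        return "none"


def scan(sample: bytes) -> Report:
    """Scan one sample's raw bytes for both tiers of anti-VM indicator."""
    rep = Report()
    for label, ascii_re, wide_re in STRING_PATTERNS:
        if ascii_re.search(sample) or wide_re.search(sample):
            rep.crude.append(label)
    for label, pat in INSTRUCTION_PATTERNS.items():
        if pat.search(sample):
            rep.instruction.append(label)
    return rep


def summarize(corpus: dict) -> dict:
    """Count samples per tier: the question the post asks of its collection."""
    counts = {"none": 0, "crude": 0, "instruction-level": 0}
    for data in corpus.values():
        counts[scan(data).tier] += 1
    return counts


# Constructed samples (not real malware), just enough bytes to exercise each tier.
SAMPLE_CRUDE = (b"MZ\x90\x00" + b"cmd.exe /c net start > %TEMP%\\svc.txt\x00"
                + "findstr /i VMware".encode("utf-16-le") + b"\x00" * 16)
SAMPLE_REDPILL = (b"MZ\x90\x00"
                  + b"\x0f\x01\x0c\x24"          # sidt [esp]
                  + b"\xb8\x68\x58\x4d\x56"      # mov eax, 0x564D5868 ("VMXh")
                  + b"\x66\xba\x58\x56\xed"      # mov dx, 0x5658 ; in eax, dx
                  + b"\x00" * 16)
SAMPLE_CLEAN = b"MZ\x90\x00" + b"Hello, world\x00" + b"\x00" * 32

CORPUS = {"a.exe": SAMPLE_CRUDE, "b.exe": SAMPLE_REDPILL, "c.exe": SAMPLE_CLEAN}

if __name__ == "__main__":
    for name, data in CORPUS.items():
        r = scan(data)
        print(f"{name}: {r.tier} crude={r.crude} instruction={r.instruction}")
    print(summarize(CORPUS))
```

Two caveats for real use. Matching the two-byte 0F 01 prefix across a whole file is noisy in data and resource sections, so restrict the opcode patterns to executable sections (or disassemble) before trusting a hit; and a packed sample hides all of this until it is unpacked, which is the same reason the post's "how do they deal with packers?" question matters for the AV side.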
Current thread:
- The Anti-Virus/IDS fantasy world Dave Aitel (Jun 09)
- Re: The Anti-Virus/IDS fantasy world Kradorex Xeron (Jun 15)
- Re: The Anti-Virus/IDS fantasy world toby (Jun 15)
- Re: The Anti-Virus/IDS fantasy world Nathan Landon (Jun 16)
- Re: The Anti-Virus/IDS fantasy world Paul Melson (Jun 16)
- Re: The Anti-Virus/IDS fantasy world val smith (Jun 19)
- <Possible follow-ups>
- The Anti-Virus/IDS fantasy world No Body (Jun 15)
- Re: The Anti-Virus/IDS fantasy world El Nahual (Jun 16)