Dailydave mailing list archives

Re: The Anti-Virus/IDS fantasy world


From: "val smith" <valsmith () offensivecomputing net>
Date: Sun, 17 Jun 2007 10:30:20 -0600

What I find interesting is the lack of insight into what AV companies
actually do behind the scenes. Peter Szor's book was a great look into some
things, but AVs don't really publish what they actually do very often. How
do they analyze samples? How do they deal with packers? I can make some
educated guesses, but I'm still very curious. We pretty much publish our
techniques, but we're not an AV company, so maybe that doesn't count.

We've got many tens of thousands of samples, both old and new, that we've been
through both automagically and manually. The common thing that I've seen is
that malware sucks. It's not sophisticated, it uses dirt simple, often
ancient techniques, and it's slow to adopt new things. For example, Joanna,
us, and others have released numerous techniques for VM detection. These
techniques are multiple years old and not too difficult. What do I see most
often in my collection for VM detection? Putting the output of "net start"
into a text file and searching for "vmware". Where are all the awesome
anti-analysis/anti-vmware samples out there?

Why does malware suck? Because it still works. AV sucks at detecting it,
users suck at avoiding it, so why bother making it sophisticated? However, I
would say don't underestimate malware authors just because the bulk of what's
out there isn't very good. It has moved from the kid or "researcher"
screwing around to a professional business. Occasionally we see
"commercially" developed malware that IS very sophisticated. Rustock is a
good example of this. Lots of the spyware out there is actually pretty good
too.

I would venture to say it takes some skill to release a "software product"
to millions of users and have it work consistently. A lot of malware
achieves this one simple goal that occasionally even professional software
vendors fail at.

V.

On 6/15/07, Paul Melson <pmelson () gmail com> wrote:

> I would suggest you are talking about different people. The malware
> analysts at any AV company probably dig through more malware samples than
> you do on a regular basis.

I would hope so, seeing as it's at the top of their job description.  But
you know who's probably not elbow-deep in malware these days?  Mark
Harris.


> Underestimating your opponents is a fatal mistake either way. The best
> malware analysts I know are well aware of the skills of the authors.
> Likewise so are the authors I know aware of the skills of the analysts.

In fairness to Mark Harris, the malware submission that sparked his post
1) didn't run and 2) contained furry pr0n.  Maybe he's not underestimating in
this one case.

PaulM


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
--
******************************************
* Val Smith
* CTO Offensive Computing, LLC
* http://www.offensivecomputing.net
*******************************************
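As an added triage check (not code from this thread or from Offensive Computing), the following flags the crude VM check Val describes: dumping "net start" output and grepping it for "vmware". It extracts ASCII and UTF-16LE strings from a sample's bytes and reports a hit only when both indicator strings are present; the sample bytes are constructed for the example.

```python
import re

# Constructed stand-in for a sample's bytes: an ASCII "net start" command line
# and a UTF-16LE "vmware" literal, surrounded by filler. Not a real binary.
SAMPLE = (b"MZ\x90\x00filler\x00cmd /c net start > svc.txt\x00\x00"
          + "vmware".encode("utf-16-le") + b"\x00\x00more\x00")

# Both strings together are the signature of the crude VM check described in
# the post: dump the service list with "net start", then look for "vmware".
INDICATORS = ("net start", "vmware")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return printable ASCII and UTF-16LE strings of at least min_len chars.

    Windows malware frequently stores literals as wide strings, so a scan that
    only looks at ASCII would miss the "vmware" half of the indicator.
    """
    ascii_re = rb"[\x20-\x7e]{%d,}" % min_len
    wide_re = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    found = [m.group().decode("ascii") for m in re.finditer(ascii_re, data)]
    found += [m.group().decode("utf-16-le") for m in re.finditer(wide_re, data)]
    return found


def flags_crude_vm_check(data: bytes) -> bool:
    """True when every indicator appears in some extracted string (case-insensitive).

    Requiring both strings keeps benign software that merely mentions VMware
    (guest tools, installers) from being flagged.
    """
    strings = [s.lower() for s in extract_strings(data)]
    return all(any(ind in s for s in strings) for ind in INDICATORS)


if __name__ == "__main__":
    for name, blob in (("constructed sample", SAMPLE),
                       ("benign mention", b"VMware Tools installer")):
        print(f"{name}: crude VM check = {flags_crude_vm_check(blob)}")
```

Running the file against a real sample is a matter of passing `open(path, "rb").read()` to `flags_crude_vm_check`; the co-occurrence rule is deliberately narrow, so treat a hit as a triage hint rather than a verdict.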