Full Disclosure mailing list archives

Re: Show me the Virii! (Pyrrhic heuristic)


From: Feher Tamas <etomcat () freemail hu>
Date: Mon, 5 Jan 2004 11:55:35 +0100 (CET)

Hello,

Does anyone have reliable reports of an antivirus system
firing off on a heuristic?

I'm not aware of ever having seen one; always seems
to be a signature.

As part of my job I regularly evaluate antivirus products.
I have seen plenty of heuristic detections; all the engines
have different heuristic capabilities, so some detect more
new malware than others, and of course some also have
more false positives than others.

Anti-Virus heuristics' job is not to catch unknown viruses, but to 
measure the amount of lazy factor in virus authors' blood.

The fully functional trial versions (usually 30-day limited) of all anti-virus 
packages by all vendors are available on the Web. You just download it, 
no hassle, anonymously. Obviously, AV companies need to sell their 
products and free trial versions are an effective way of convincing the 
would-be customers of the software's merits.

But there is a side effect: virus writers can also test their new creations 
in-house, for free. When they are finished coding, they test their 
executables against all those virus scanners and when one of them 
detects it using heuristics, they further tweak the malware code to 
avoid detection. When none of the major scanners can detect it any 
more with heuristics, they release their evil creature in the wild.

(Or send it to the AV companies' sample address together with a small 
mail meant to boost their own ego. This is clearly better for the sake of 
the Internet.)

To summarize: heuristic detection rate in diverse AV products 
represents three things:

-Diligence (or lack thereof) by virus writers to go through the above 
described testing & tweaking treadmill, which can be a time-
consuming task, considering there are a good dozen or so significant 
AV packages.

-The market share of a given AV product. If you are a big brand name in 
the AV market, your scanner's heuristics are more likely to be tested 
against by virus writers before they release their malware.

It is not cost-efficient for virus writers to test an AV suite that protects 
a mere two or three hundred thousand Netizens overall. Antivirus 
software titles with tens of millions of people in their installed user base are 
interesting enough.

-The willingness of the particular AV vendor to make its customers take 
the risks of false positives. Your AV product can alert on more entirely 
new viruses if you define heuristics with looser conditions, obviously.

But it means more innocent files will get trapped, too. False positives 
can be almost as devastating as viruses. It is a fact of life that false 
positives do occur, but the frequency varies from vendor to vendor. I 
would hate to crucify a particular vendor here, because this can happen to 
any one of us; but one major AV package did alert on the InstallShield 
core executable in mid-2003 and millions of computers lost important 
software as a result. The cause of this was a faulty signature update.

I think heuristics have a limited future in the AV field. The AV companies 
are trying to release more exact detection updates instead. For 
example, Kaspersky Labs has just announced its intent to publish new 
AV signatures every 3 hours on every workday (there was some 
media publicity about it).

BTW, antivirus firms never give samples to outsiders. They go so far 
that one of them even warns on its corporate webpage that if you send 
them a CD-ROM disk with a suspected new virus on it and they actually 
find it infected, they will not be able to give it back.

BTW, the plural for virus should be virii (with single R). But I'd say let's 
call it viruses, because it's simpler and it's IT, not Biology.

Sincerely: Tamas Feher.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html