Full Disclosure mailing list archives
Re: Show me the Virii! (Pyrrhic heuristic)
From: Feher Tamas <etomcat () freemail hu>
Date: Mon, 5 Jan 2004 11:55:35 +0100 (CET)
Hello,
Does anyone have reliable reports of an antivirus system firing off on a heuristic? I'm not aware of ever having seen one; always seems to be a signature.

As part of my job I regularly evaluate antivirus products. I have seen plenty of heuristic detections; all the engines have different heuristic capabilities, so some detect more new malware than others, and of course some also have more false positives than others.
Anti-Virus heuristics' job is not to catch unknown viruses, but to measure the amount of lazy factor in virus authors' blood. The fully functional trial versions (usually 30-day limited) of all anti-virus packages by all vendors are available on the Web. You just download it, no hassle, anonymously. Obviously, AV companies need to sell their products and free trial versions are an effective way of convincing the would-be customers of the software's merits. But there is a side effect: virus writers can also test their new creations in-house, for free. When they are finished coding, they test their executables against all those virus scanners and when one of them detects it using heuristics, they further tweak the malware code to avoid detection. When none of the major scanners can detect it any more with heuristics, they release their evil creature in the wild. (Or send it to the AV companies' sample address together with a small mail meant to boost their own ego. This is clearly better for the sake of the Internet.)

To summarize: heuristic detection rate in diverse AV products represents three things:

- Diligence (or lack of) by virus writers to go through the above described testing & tweaking treadmill, which can be a time-consuming task, considering there are a good dozen or so significant AV packages.

- The market share of a given AV product. If you are a big brand name in the AV market, your scanner's heuristics are more likely to be tested against by virus writers before they release their malware. It is not cost-efficient for virus writers to test an AV suite that protects a mere two or three hundred thousand Netizens overall. Antivirus software titles with tens of millions of people in installed user base are interesting enough.

- The willingness of the particular AV vendor to make its customers take the risks of false positives. Your AV product can alert on more entirely new viruses, if you define heuristics with looser conditions, obviously.
But it means more innocent files will get trapped, too. False positives can be almost as devastating as viruses. It is a fact of life that false positives do occur, but the frequency varies from vendor to vendor. I would hate to crucify a particular vendor here, because this can happen to any one of us; but one major AV package did alert on the Installshield core executable in mid-2003 and millions of computers lost important software as a result. The cause of this was a faulty signature update.

I think heuristics has a limited future in the AV field. The AV companies are trying to release more exact detection updates instead. For example, Kaspersky Labs has just announced its intent to publish new AV signatures every 3 hours on every workday (there was some media publicity about it).

BTW, antivirus firms never give samples to outsiders. They go so far that one of them even warns on its corporate webpage that if you send them a CD-ROM disk with a suspected new virus on it and they actually find it infected, they will not be able to give it back.

BTW, the plural for virus should be virii (with single R). But I'd say let's call it viruses, because it's simpler and it's IT, not Biology.

Sincerely: Tamas Feher.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
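The third point above, that a looser heuristic catches more unknown samples at the price of more false positives, can be made concrete with a toy scoring engine. The following is an added illustration, not code from the post or from any AV vendor: the trait names, their weights and the seven sample "files" are all constructed for the example, and the ground-truth labels exist only so the trade-off can be measured.

```python
"""Toy illustration of the heuristic-strictness / false-positive trade-off.

A weighted-trait scorer with a threshold stands in for an AV heuristic.
Lowering the threshold is the "looser conditions" case the post describes:
more malicious samples are flagged, but benign files start to be flagged too.
"""
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Sample:
    name: str
    traits: frozenset      # suspicious traits observed in the file (constructed)
    malicious: bool        # ground truth, known only for this constructed set


# Hypothetical trait weights; a real engine has far more and far subtler rules.
TRAIT_WEIGHTS = {
    "packed": 2,
    "writes_autorun": 3,
    "self_copy": 3,
    "no_version_info": 1,
    "unsigned": 1,
    "network_send": 2,
}

# Constructed corpus: three malicious and four benign samples.
SAMPLES = [
    Sample("worm_a", frozenset({"packed", "self_copy", "network_send", "unsigned"}), True),      # score 8
    Sample("worm_b", frozenset({"writes_autorun", "self_copy", "unsigned"}), True),              # score 7
    Sample("trojan_c", frozenset({"packed", "no_version_info", "unsigned"}), True),              # score 4
    Sample("installer", frozenset({"packed", "unsigned", "no_version_info"}), False),            # score 4
    Sample("backup_tool", frozenset({"self_copy", "unsigned"}), False),                          # score 4
    Sample("mail_client", frozenset({"network_send"}), False),                                   # score 2
    Sample("notepad_clone", frozenset(), False),                                                 # score 0
]


def score(sample: Sample) -> int:
    """Sum the weights of every suspicious trait present in the sample."""
    return sum(TRAIT_WEIGHTS[t] for t in sample.traits)


def evaluate(samples, threshold: int):
    """Return (detection_rate, false_positive_rate) when flagging score >= threshold.

    Rates are exact Fractions so the trade-off can be compared without float noise.
    """
    malicious = [s for s in samples if s.malicious]
    benign = [s for s in samples if not s.malicious]
    detected = sum(1 for s in malicious if score(s) >= threshold)
    false_pos = sum(1 for s in benign if score(s) >= threshold)
    return Fraction(detected, len(malicious)), Fraction(false_pos, len(benign))


def sweep(samples, thresholds=range(1, 10)):
    """Tabulate detection and false-positive rates across thresholds."""
    return [(t, *evaluate(samples, t)) for t in thresholds]


if __name__ == "__main__":
    for t, det, fp in sweep(SAMPLES):
        print(f"threshold={t}: detection={float(det):.2f} false_positive={float(fp):.2f}")
```

At threshold 5 the scorer catches two of the three malicious samples with no false positives; dropping to threshold 4 catches all three but also flags the packed installer and the self-copying backup tool, which is exactly the vendor choice the post describes. The same sweep is how a test lab would quantify that choice before shipping a rule set.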