Low VirusTotal detection rates for new malware, do they matter?

Posted by   Virus Bulletin on   Feb 3, 2015

It is not as important as is often suggested — and doesn't mean the malware is allowed to execute.

It is fairly common these days for security researchers to write about new malware attacks and point to low anti-virus detection rates when the affected sample is uploaded to VirusTotal's multi-AV scanning service.

But do these low detection rates really say anything about the effectiveness of today's anti-virus products?

VirusTotal makes it pretty clear that its services should not be used to compare the performance of anti-virus products. Amongst other things, the company points out that the engines that it uses are command line versions, not the desktop versions that most people tend to use.

However, the command line version is also what is typically used when a product is integrated into a spam filter or a web security product. It would therefore be a very good thing for these command line versions to detect malware when it is used in a spam campaign or a drive-by download campaign, either because they have seen it before or because they detect its malicious nature heuristically.

Still, it should be noted that this is not the full picture. Not at all.

  VirusTotal detection of the EICAR test file

First, products scanning for malware at the gateway (such as spam filters or web security products) don't do this in a void. They take the context into consideration, such as the reputation of the site that serves the malware or the email that sends it. In the majority of cases, this is what results in the malware being blocked, even if the anti-virus scanner doesn't recognise the malware as such.

Secondly, what is served to command line anti-virus scanners is rarely the malicious content itself. Rather, it tends to be obfuscated by packers and hidden amongst garbage code.

A good example is the Vawtrak banking trojan (which we published an analysis of last month). Vawtrak's malicious payload is contained in a DLL file, which is dropped onto the machine where it maintains persistence.

However, this DLL is wrapped in no fewer than three executable layers, each of which contains plenty of anti-debugging code to frustrate the automatic analysis of the malware. It would be easy for malware authors to modify these layers to defeat heuristic anti-virus signatures.

  Vawtrak's layers have been compared with matryoshka dolls. Source: Wikimedia Commons (CC BY-SA 3.0)

The same point was made by researcher Emeric Nasi in his paper 'Bypass Antivirus Dynamic Analysis' (pdf), which was published in August last year.

But that doesn't mean, as Emeric seems to suggest, that anti-virus is trivial to bypass. What ultimately matters is whether the malicious payload (the DLL in Vawtrak's case) is either blocked or prevented from performing its malicious activity.

It is easy for anti-virus to give users a false sense of security. Anti-virus doesn't provide 100% protection (in fact, no security product does, no matter how hard marketing people try to convince you that their product is the exception), and treating it as if it does can be rather dangerous.

It is also important to be critical of anti-virus products should they fail to live up to standards - whether that's because they fail to protect users, they block legitimate files, or there are vulnerabilities in the product itself.

However, the suggestion that anti-virus products block very few of the threats that are attempting to infect millions of users every day are not only wrong, they also give a false sense of insecurity. In the worst case, they may even encourage people not to bother installing such a product. For all but a handful of very experienced users, that would be a very bad choice.

Posted on 03 February 2015 by Martijn Grooten

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VBSpam tests to be executed under the AMTSO framework

VB is excited to announce that, starting from the Q3 test, all VBSpam tests of email security products will be executed under the AMTSO framework.

In memoriam: Prof. Ross Anderson

We were very sorry to learn of the passing of Professor Ross Anderson a few days ago.

In memoriam: Dr Alan Solomon

We were very sorry to learn of the passing of industry pioneer Dr Alan Solomon earlier this week.

New paper: Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

In a new paper, researchers Aditya K Sood and Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited in order to gather threat intelligence, and present a model of mobile AppInjects.

New paper: Collector-stealer: a Russian origin credential and information extractor

In a new paper, F5 researchers Aditya K Sood and Rohit Chaturvedi present a 360 analysis of Collector-stealer, a Russian-origin credential and information extractor.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.