Sunday, November 23, 2008

What your antivirus isn't telling you

Ever look at your antivirus logs or the antivirus logs of a compromised computer and found something like SillyFDC or Trojan.horse? These happen to be generic definitions provided by Symantec, but other vendors have generic detection signatures too. Generic detection is a common method of dealing with malware. While generic detection is generally fantastic, it's a big double edge sword.

Let me explain about the two types of malware above.

SillyFDC is a generic signature for removable media malware.

Trojan.horse has the following caption: Symantec antivirus programs use Trojan horse as a generic detection when detecting many individual but varied Trojan horse programs for which specific definitions have not been created.

So, using these signatures, we call things we don't have signatures for but exhibits trojan like properties a "trojan horse" and something that uses removable media as a spreading mechanism "SillyFDC". Ok, no problem right?

It is in fact a problem.

Antivirus now being the 40% solution against bots, it's likely to miss a recent variant of malware. Additionally, when your clients or users discovered a variant of these types of malware, how are they to know what to do? It's been detected generically. Symantec says that the malware is a low risk. Is it really? Again, how is an organization to know? What about how long it takes for an infection to be detected?

In a real world scenario, I first discovered a variant of removable media malware some 30 days before a definition was made available by Symantec. This malware, not only spread by removable media, but was a key stroke logger as well. Once Symantec generated a definition for it, it was labeled as trojan.horse.

Now, let's look at this from a sysadmin perspective. You run a managed antivirus environment and one day, after your server and clients grab the latest set of definitions, you get an alert for malware called trojan.horse. Great! you say to yourself. My antivirus has done its job. You move on about your day as if nothing happened, afterall your AV product detected and removed the threat. You never bother to look at the file, or the timestamps of the file, and you certainly don't bother to investigate. This is an all too common problem and scenario.

What's my point?

When an antivirus product fires an alert for a generic detection, it always bears investigation. It stands to reason that when something is generically detected, it's much more serious than it appears. Using Trojan.horse as the example, when no existing definition exists, it gets classified as trojan.horse so it can be detected and removed. That's fine, but you have no idea what that malware is actually capable of. An immediate threat assessment should take place, even if you simply submit the malware to an automated sandboxing web site.

What should you look at:
  • How long has the malware been on the system?
  • What capabilities does it have?
  • Has data been exfiltrated as a result of it?

Generic detection, while a good thing for the vendor, is a bad thing for the rest of us. It's misleading and provides no information whatsoever. Trojan.horse is a low threat level according to Symantec. I can think of no small amount of people that would consider a key logger a huge threat, especially one that was present on a system for 30 days before a definition was available.

*note I'm not picking on Symantec. This is an issue with all antivirus products*

5 comments:

Aa'ed Alqarta said...

I've been managing a big setup of SEP (Symantec Endpoint Protection) for around one year. I have to admit that many times I faced false-positive detection labeled as "Trojan Horse", Which appear later on that it's a false alarm. I've tested a lot of detected files by uploading them to VirusTotal, and got 0/36 !!!

My Advice, don't give 100% trust to generic signatures. Because there is a window for mistakes. Also, try to make the "Delete" Action as the second or third. Because you don't know when is the next support call will ring, due to the AV deleting an innocent system file by mistake.

http://extremesecurity.blogspot.com

Bernard Lim said...

Many companies are cutting down on resources and we just can't cope with malware assessment for every generic detection.

hogfly said...

Bernard,
You don't have to. You can submit the malware to one of many sites that do the analysis for you. It's better to spend the companies time and money doing that than it is putting them through a PCI audit, or security incident because IT "doesn't have enough resources", yet I find World of Warcraft on many IT computers, and IT workers can recite verbatim what's happening on FARK, Failblog, XKCD and many other entertainment websites.

Gary T. said...

Good stuff Hogfly. Where did you get the 40% detection rate figure? Is that just a ballpark based on your experience?

hogfly said...

Gary,
I built that stat from analyzing asprox related malware for a period of a few weeks. Fireeye also came up with that statistic in their blog recently.