Tuesday, August 12, 2008

Anti-Virus Products Still Fail on Fresh Viruses

Today was our monthly meeting of the Birmingham InfraGard. At the meeting we talked about our new InfraGard-wide initiative to investigate malware together. If you're an InfraGard member and want more details, please let me know.

Why is it worth focusing on new malware again? Because the truth is the criminals are innovating faster than the Anti-Virus vendors can keep up with. Its true that some of the AV companies have really fast signature cycles, but its also true that their methodology is to write new signatures for viruses that are encountered in the wild.

The problem with that, of course, is that once the virus is in the wild, their customers may encounter it before they do. Face it. Someone has to report that the thing exists!

Here's a few examples from today's spam at the UAB Spam Data Mine.

Example One: Colonial Bank Certificate Spam



The spam message comes in saying:


Colonial Bank Tech Support issued important security update for business accounts. Updated certificate packages that fix various security problems are now available in our Update Center>>

All Colonial Bank users should upgrade to this updated package, which contains ssl multi-protection.

Sincerely,
Colonial Bank Customer Service Department


The website, eg3x.com, hosted in the Ukraine, on IP address 83.170.242.174, which looks like this:



drops an .exe file to visitors, named "certificate_230943772836234.exe"

The malware has an MD5 value of 99c074f671f8e8af5c85ca908d106605 and is 30,208 bytes in size.

As of this timestamp, only FIVE OF THIRTY-SIX Anti-virus products provide protection from this virus. So, a user with current AV protection will be told "no virus found" if they check to see whether this malware is a virus before deciding if they should run it.



VirusTotal detection (5/36)

AVG = Win32/Heur
CAT-QuickHeal - DNAScan
eSafe = Suspicious File
Microsoft = VirTool:Win32/Obfuscator.BO
Webwasher-Gateway = Virus.Win32.FileInfector.gen (suspicious)

All others = No Virus Found

Example Two: UPS Tracking Malware



We've received several copies of this malware today, and several queries from fellow InfraGard members, who reported that their Anti-Virus product had not detected it. This malware arrives as an email attachment. It claims to be From: United Parcel Service, and it has a subject line intended to be a Tracking Number, such as "Tracking N_8513200376" or "Tracking N_ 0294544032".

The body of the email is:


Unfortunately we were not able to deliver postal package you sent on July the 21st in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office

Your UPS


We've seen two attachment names so far:

WW_671282.zip ==> contains WW_671282.exe
and
WW2_ASH182.zip ==> contains WW2_ASH182.exe

While the former file was already detected by 22 of the 36 anti-virus engines at VirusTotal, the latter file was only detected by 7 of 36 when we first uploaded it, although at this timestamp the detection is now 8 of 36:



Example Three: CNN Alerts: Breaking News





Despite the fact that these spam messages have been going on for several days now, each day the malware which is being CURRENTLY SPAMMED is largely undetectable by most anti-virus products. And we're still seeing A LOT OF THIS SPAM. Look at the timestamps here:



In this case, we take as an example, the spammed URL:

http://us-spine.com/update.html

and let it give us a malware executable: adobe_flash.exe

The currently spammed version of this malware is undetectable by 22 anti-virus products including F-Prot, F-Secure, McAfee, Panda, Symantec, and Trend.



Bottom line: If you are in charge of anti-virus for your corporate environment, it is time to learn the Study of Malware and stop trusting anti-virus products. They are important. You should have them. You should update them regularly (at LEAST daily!) But you should not rely on them to tell you if an executable is "safe".

No comments:

Post a Comment

Turning comments back on. I will censor, so please be polite! If you would like to share information privately, please leave a "Contact Me" post and I will reach out. Thank you!