Security Software Suites No Match for Custom Attacks - Security Fix
Security Software Suites No Match for Custom Attacks
The all-in-one security software suites from the major anti-virus vendors fail spectacularly at detecting custom-made malware that exploits the latest software vulnerabilities, according to testing done by security analysis firm Secunia.
Secunia tested how well nearly a dozen security suites fared against malicious files and direct attacks that leveraged more than 150 known software flaws. All of the vulnerabilities used in the test are publicly documented -- details of them can be found in the Common Vulnerabilities and Exposures (CVE) database -- and most of the vulnerabilities can be fixed by applying a software update currently available from the program's maker.
Secunia says that out of the 300 test cases, 126 are particularly important because they affect very popular products and have either been discovered as zero-day threats or Secunia has developed working exploits. Secunia CTO Thomas Kristensen said all of the vulnerabilities used in the test merit a moderate security rating or higher, meaning they can be used to remotely install software on the victim's PC, with little or no help from the user aside from opening or viewing the malicious file.
The company found that nearly all of the security suites -- including those from McAfee, F-Secure, Microsoft and TrendMicro -- detected between just 1 percent and 3 percent of the attacks. Symantec's Norton Internet Security 2009 dramatically outperformed the rest, detecting more than 20 percent of all threats and more than 30 percent of the most dangerous threats, according to the results.
Still, that means in at least 7 out of 10 cases, the bad guys using a targeted exploit will slip past Norton's defenses. That also suggests that the other products detect roughly 3 percent of targeted attacks.
At any rate, readers can find a detailed breakdown of Secunia's test results and interesting methodology here (PDF).
I emphasize the word "targeted" because most anti-virus products are still reactive, in that they focus on protecting customers by figuring out what people are getting attacked by and then creating custom "signatures" to detect that specific threat going forward. While most anti-virus companies claim to have incorporated technology capable of detecting programs that exhibit suspicious behavior or that attack specific software vulnerabilities, it appears that Symantec is alone in making significant strides in this respect, at least as it relates to the latest, known vulnerabilities in widely-used software.
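To make the reactive-versus-proactive distinction concrete, here is a small added illustration (not code from the post or from Secunia) that scores two toy detectors against constructed samples. The signature detector matches exact SHA-256 hashes of files it has seen before; the behaviour detector looks at what the file does when opened (a constructed sandbox trace). A "custom" variant that differs from the known sample by a few bytes slips past the hash signature but not the behaviour rule, which is the gap the Secunia results point at. All sample contents, action names and the `EXPLOIT_CHAIN` rule are invented for the demonstration.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


# Constructed sample: a "file" is a byte string plus the actions a sandbox
# would observe when a viewer opens it. Both are invented for illustration.
@dataclass(frozen=True)
class Sample:
    name: str
    content: bytes
    actions: Tuple[str, ...]
    malicious: bool  # ground truth, used only to score the detectors


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# One sample the vendor has already seen and written a hash signature for.
KNOWN_BAD = b"%CONSTRUCTED-DOC% exploit-v1 payload=dropper"
SIGNATURE_DB = {sha256_hex(KNOWN_BAD)}


def signature_detect(sample: Sample) -> bool:
    """Reactive detection: exact match against hashes of previously seen files."""
    return sha256_hex(sample.content) in SIGNATURE_DB


# Behaviour rule (constructed): a document viewer that spawns a process, drops a
# file and then opens a network connection is treated as exploited, whatever the bytes.
EXPLOIT_CHAIN = ("spawn_process", "write_file", "network_connect")


def behaviour_detect(sample: Sample) -> bool:
    """Proactive detection: match what the file does, not what it hashes to."""
    return all(step in sample.actions for step in EXPLOIT_CHAIN)


SAMPLES: List[Sample] = [
    Sample("known", KNOWN_BAD, EXPLOIT_CHAIN, True),
    # Same behaviour, a few bytes changed: the hash no longer matches the signature DB.
    Sample("custom", KNOWN_BAD + b" v2", EXPLOIT_CHAIN, True),
    Sample("benign", b"%CONSTRUCTED-DOC% quarterly report", ("render",), False),
    # Writes a file but never spawns anything or phones home: must not be flagged.
    Sample("macro", b"%CONSTRUCTED-DOC% macro saves a copy", ("render", "write_file"), False),
]


def score(detector: Callable[[Sample], bool], samples: List[Sample]) -> Dict[str, float]:
    """Detection rate over malicious samples and false-positive rate over benign ones."""
    bad = [s for s in samples if s.malicious]
    good = [s for s in samples if not s.malicious]
    return {
        "detection_rate": sum(detector(s) for s in bad) / len(bad),
        "false_positive_rate": sum(detector(s) for s in good) / len(good),
    }


if __name__ == "__main__":
    for label, detector in (("signature", signature_detect), ("behaviour", behaviour_detect)):
        print(label, score(detector, SAMPLES))
```

Run as a script it prints a 50 percent detection rate for the hash signatures and 100 percent for the behaviour rule, with no false positives for either; the point is not the numbers but that the signature database needs a new entry for every variant, while the behaviour rule covers the variant before anyone has seen it.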
Secunia's study is useful, but it ignores the unfortunate reality of today's threats, which rely not on software vulnerabilities but mainly on tricking people into installing software. Interestingly, Symantec itself documents this fact in its Internet Security Threat Report, which found that in the second half of 2007, only 10 percent of the new malicious code threats affecting consumers used software flaws.
At the very least, Secunia's study is a stark reminder that having security software installed is no substitute for keeping the rest of the software you use up-to-date with the latest security patches. On this front, I've recommended Secunia's vulnerability scanners, which work either through the company's Web site or as a free, installable program. Some readers have said they refuse to use Secunia's scanners because they require users to have Java installed, a program that needs frequent security updates itself and clutters the user's system with old, outdated versions of itself. My take on it is that 90 percent of the planet already has Java installed. What's more, anything that raises the average user's awareness on the need for regular patching is overall a good thing, Sun's clumsiness with its Java software notwithstanding.
Incidentally, if you're looking to see how well the products named in this study detect the latest threats that are actually in circulation, check out the stats released in September by AV-test.org (Microsoft Excel file). The group's battery of tests also examined how the software suites fared in terms of system memory usage, proactive malware detection, false positive rates and on-demand scanner performance.
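The core of a patch-status scanner of the kind described above is just an inventory compared against an advisory feed, but the version comparison has to be numeric. The following is an added example, not Secunia's scanner or any part of its feed: the advisory entries, product names, ids of the form `ADV-EXAMPLE-nnn` and the installed-version inventory are all constructed. It handles two cases that trip up naive string comparison: update numbers such as `1.6.0_7` versus `1.6.0_10`, and versions of unequal length such as `10` versus `10.0`. It also reports each stale side-by-side install separately, which is the leftover-Java situation the post mentions.

```python
import re
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.6.0_10' into (1, 6, 0, 10) so versions compare numerically.

    Plain string comparison gets this wrong: '1.6.0_7' > '1.6.0_10' as text,
    but update 10 is the newer build.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_older(installed: str, fixed_in: str) -> bool:
    """True when `installed` is strictly older than the version carrying the fix."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    # Pad with zeros so '8.1' and '8.1.0' compare as equal, not shorter-is-older.
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# Constructed advisory feed: product, first fixed version, severity, placeholder id.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADV-EXAMPLE-001", "product": "ExampleReader", "fixed_in": "8.1.3", "severity": "high"},
    {"id": "ADV-EXAMPLE-002", "product": "ExampleBrowser", "fixed_in": "3.0.4", "severity": "moderate"},
    {"id": "ADV-EXAMPLE-003", "product": "ExampleRuntime", "fixed_in": "1.6.0_10", "severity": "high"},
    {"id": "ADV-EXAMPLE-004", "product": "ExamplePlayer", "fixed_in": "10.0", "severity": "low"},
]

# Constructed inventory as a scanner might collect it. A product can have several
# copies installed side by side; every stale copy is still an exposure.
INSTALLED: Dict[str, List[str]] = {
    "ExampleReader": ["8.1.2"],
    "ExampleBrowser": ["3.0.4"],
    "ExampleRuntime": ["1.6.0_7", "1.6.0_10"],
    "ExamplePlayer": ["10"],
}


def scan(installed: Dict[str, List[str]], advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Report every installed copy that is older than its advisory's fix version."""
    findings = []
    for adv in advisories:
        for version in installed.get(adv["product"], []):
            if is_older(version, adv["fixed_in"]):
                findings.append({
                    "id": adv["id"],
                    "product": adv["product"],
                    "installed": version,
                    "fixed_in": adv["fixed_in"],
                    "severity": adv["severity"],
                })
    return findings


if __name__ == "__main__":
    for finding in scan(INSTALLED, ADVISORIES):
        print("{severity:8} {product} {installed} (fixed in {fixed_in}) {id}".format(**finding))
```

On the constructed inventory the scan reports two exposures: the reader at 8.1.2 and the leftover runtime build 1.6.0_7; the browser, the current runtime build and the player (where `10` equals `10.0`) are clean. A real scanner would collect the inventory from the system and pull the advisory feed from the vendor, but the comparison logic is the part that has to be right.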
By Brian Krebs | October 13, 2008; 4:44 PM ET | Latest Warnings, Misc., New Patches, Safety Tips
Comments
What's the most common method for targeted malware to be put into individual computers? Spam? Drive by from infected websites? Dedicated deceptive websites? Others?
Posted by: Kfritz | October 13, 2008 9:00 PM
Are we to therefore conclude that both BitDefender and Kaspersky did well in these tests, i.e., did better than Norton Internet Security 2009?
Posted by: brucerealtor | October 13, 2008 9:15 PM
This points out the need for a multi-layered defense (defense in depth). Relying on just one layer such as security software is foolish. When that one layer is compromised, game over.
Instead, in a multi-layered defense, a system compromise may be averted by another layer.
Typical layers of defense:
1. Hardware firewall - protects the system(s) from external intrusion should the software firewall need to be turned off or is inactive for any reason. It is also much more difficult to hack past than a software firewall alone.
2. Software firewall - protects the system when used outside the confines of the hardware firewall and provides outbound filtering and possible indication of malicious system activity.
3. Non-admin account - prevents system wide changes or software installation whether intentional or not (including malicious code should it get past other defenses).
4. Patch all software - prevents system compromise via bugs (especially important for Internet facing software such as browsers, e-mail clients and media players).
5. Limit amount of software installed on a system - lowers system attack surface and reduces patching.
6. Backup data on a regular basis - protects data in the event of system compromise resulting in data loss.
7. Blocking hosts file - blocks access to known malicious websites.
And finally,
8. The human layer (computer user) as they can override all the other layers.
Posted by: TJ | October 13, 2008 10:03 PM
TJ
Thank you for that very useful list.
For those of us who do not leave our systems on 24/7 [like that 'standby' option on XP, which I presume Vista also has] what is the advantage of a hardware firewall?
Some years back a friend of mine explained a hardware firewall by using the analogy to an incoming phone call, where the 'firewall' in effect 'takes a message' and then calls the supposed originating number back before allowing a call to connect, whereby IF the incoming call says it's coming from number 202-123-4567, but when that number is called back it is 'not at a working 202 exchange', the bogus communication from a phoney incoming number is prevented. We will ignore, for the purpose of this example, the ability to manipulate the number appearing on a caller ID device.
Posted by: BRUCEREALTOR | October 14, 2008 1:36 AM
I skimmed the 6-page PDF, and it seems that the "malware" that most of the suites failed to detect is actually in-house Proof-of-Concept malware code provided by Secunia, not actual "in the wild" malware. Testing anti-malware software against academic code isn't a real-world test IMHO.
Posted by: Angus S-F | October 14, 2008 1:46 AM
"what is the advantage of a hardware firewall?"
Think of it as a fence around a fort protecting every building. Whereas a software firewall would protect only a single building assuming it's turned on (doors and windows locked). Even if you have only one building, it still provides another layer of protection, in particular if for some reason the doors or windows are left unlocked as would happen when you're either installing a fresh copy of your operating system or troubleshooting a problem that requires disabling your software firewall. At least then, the hardware firewall would still protect your system from the outside world.
This provides more info:
http://www.webopedia.com/DidYouKnow/Hardware_Software/2004/firewall_types.asp
Posted by: TJ | October 14, 2008 12:30 PM
TJ
Thanks
I guess my question is that if my machine is for whatever reason not online, that seems certainly as effective as a hardware firewall, right?
I clicked on your link and thought I had hit gold under 'online' firewall testing services.
Alas, the definition of 'online' appeared. LOL
Posted by: brucerealtor | October 15, 2008 4:07 AM
kfritz - the most common medium for malware attacks is "botnets". Botnets are hoards of zombie computers (computers already at the mercy of malware) that push out all forms of spam, including phishing and other tactics. Another common one now is embedding malicious code within legitimate ads on otherwise legitimate websites. Can't trust anything these days can ya?
Posted by: Jay | October 15, 2008 10:49 AM
TJ, let's not forget Network Intrusion Prevention Systems (NIPS) and Host Intrusion Prevention Systems (HIPS) in our layered defense model.
Posted by: Intrusion Prevention | October 15, 2008 11:27 AM