The ineffectiveness of AV

Over at ZDnet Ed Bott has a report on the ineffectiveness of anti-vrus tools against current malware where he notes that many AV vendors only detect it a day or two after it has been distributed and that by then a new variant that they don't detect has also been sent out. In the IT security space, this is not exactly new news. In fact here at ThreatSTOP, we've been using similar statistics in our sales pitch for about a year now and in fact the AV vendors themselves admit they have a problem. If you ask them in private that is.

The key thing to note is that most malware (his specimen is a good example) 'calls home' to a server owned (or PWN3d) by the crooks who distributed it in order to either download some more effective trojans or to inform the crooks of the juicy private data etc. it has found. It has to call home because without the call home it almost certainly can't make money for the people who set it up because they need the data or the CPU power to do whatever it is they want.

"Call Homes' are very rarely blocked because they generally look like regular web traffic. Sometimes it is unencrypted HTTP or IRC which a web-proxy or DPI device may be able to detect (though even that can be problematic - how do you tell the difference between a genuine sessionid in the GET url* (or cookie or AJAX like POST) and one that is encrypted personal data?) but these days it is quite likely to be encrypted HTTPS which they can't. As far as the DPI device goes one HTTPS session looks very like another except for one teeny little detail. That critical detail, however, is the end-point. If the end point has a bad IP reputation then it makes sense to simply block all the traffic to it.

The key thing that we do at ThreatSTOP is distill gigabytes of threat data from multiple sources into a list of bad stuff that is easy to deploy on a firewall, web filter or other security device. All these devices have the ability to block thousands of IP addresses and networks (even a low end home firewall can typically block at least 1000), they just need that list delivered to them in a form they can easily user and which is regularly updated. That's our trick and it works well everywhere it has been tried.

*Is a get for /story/SB10001424052702304563104576355623894502788-lMyQjAxMTAxMDMwMTEzNDEyWj.html?id=d1b07e586e12143b3a3f1d1a47e7d45a&ref=0971880107&nodeID=283155 genuine or your name, address and credit card details? What about an AJAX post?

Share this: