The recent massive attacks on web sites, dubbed and show that one of the primary weaknesses (if not the primary weakness) of information systems is the endpoint. Attackers have been using malware to steal the FTP credentials of web site maintainers and uploading malicious code that redirects site visitors to servers that attempt infect their machines. Leaving aside the fact that a small minority of people may have systems running no or outdated anti-malware software, how do these types of attacks continue to be so successful?
For one reason, most anti-virus software does a very poor job of detecting new, in the wild malware. This is the dirty little secret of the anti-virus industry. Most anti-virus companies tout 99% or greater detection rates and many independent organizations back this up in their testing. However, these tests are based on samples of known malware for which vendors have signatures. These tests often show numbers such as those found in this news article.
However, tests that focus on new malware, programs that are actively circulating on the Internet show a much different result. In this case, most vendors are lucky if they can detect 50% of the samples. SRI’s conducts daily tests of the major AV vendors’ products against active, in the wild malware and the average detection rate is typically below 60%. Thus, until a new malware is discovered by the AV vendors and a signature developed, it can infect large numbers of systems. Plus, most virus authors test their code against the major AV products to ensure it will spread unimpeded.
Anti-virus vendors have added additional technologies to try to improve their ability to detect malware that they do not have signatures for. One popular mechanism is to use cloud-based detection techniques. Essentially, this involves comparing a file or its fingerprint to a database of recently discovered malware, even before a signature has been created. McAfee is one such product that uses this type of technology. Vendors are also using more behavioral techniques to detect malware based on the way the application acts when running. And finally, whitelisting is growing in popularity. This involves specifying only those applications that are allowed to run. All others will be blocked.