Low VirusTotal detection rates for new malware, do they matter?

Posted by Virus Bulletin on Feb 3, 2015

It is not as important as is often suggested — and doesn't mean the malware is allowed to execute.

It is fairly common these days for security researchers to write about new malware attacks and point to low anti-virus detection rates when the affected sample is uploaded to VirusTotal's multi-AV scanning service.

But do these low detection rates really say anything about the effectiveness of today's anti-virus products?

VirusTotal makes it pretty clear that its services should not be used to compare the performance of anti-virus products. Amongst other things, the company points out that the engines that it uses are command line versions, not the desktop versions that most people tend to use.

However, the command line version is also what is typically used when a product is integrated into a spam filter or a web security product. It would therefore be a very good thing for these command line versions to detect malware when it is used in a spam campaign or a drive-by download campaign, either because they have seen it before or because they detect its malicious nature heuristically.

Still, it should be noted that this is not the full picture. Not at all.

  VirusTotal detection of the EICAR test file

First, products scanning for malware at the gateway (such as spam filters or web security products) don't do this in a void. They take the context into consideration, such as the reputation of the site that serves the malware or the email that sends it. In the majority of cases, this is what results in the malware being blocked, even if the anti-virus scanner doesn't recognise the malware as such.

Secondly, what is served to command line anti-virus scanners is rarely the malicious content itself. Rather, it tends to be obfuscated by packers and hidden amongst garbage code.

A good example is the Vawtrak banking trojan (which we published an analysis of last month). Vawtrak's malicious payload is contained in a DLL file, which is dropped onto the machine where it maintains persistence.

However, this DLL is wrapped in no fewer than three executable layers, each of which contains plenty of anti-debugging code to frustrate the automatic analysis of the malware. It would be easy for malware authors to modify these layers to defeat heuristic anti-virus signatures.

  Vawtrak's layers have been compared with matryoshka dolls. Source: Wikimedia Commons (CC BY-SA 3.0)

The same point was made by researcher Emeric Nasi in his paper 'Bypass Antivirus Dynamic Analysis' (pdf), which was published in August last year.

But that doesn't mean, as Emeric seems to suggest, that anti-virus is trivial to bypass. What ultimately matters is whether the malicious payload (the DLL in Vawtrak's case) is either blocked or prevented from performing its malicious activity.

It is easy for anti-virus to give users a false sense of security. Anti-virus doesn't provide 100% protection (in fact, no security product does, no matter how hard marketing people try to convince you that their product is the exception), and treating it as if it does can be rather dangerous.

It is also important to be critical of anti-virus products should they fail to live up to standards - whether that's because they fail to protect users, they block legitimate files, or there are vulnerabilities in the product itself.

However, suggestions that anti-virus products block very few of the threats that are attempting to infect millions of users every day are not only wrong, they also give a false sense of insecurity. In the worst case, they may even encourage people not to bother installing such a product. For all but a handful of very experienced users, that would be a very bad choice.

Posted on 03 February 2015 by Martijn Grooten
