Low VirusTotal detection rates for new malware, do they matter?

Posted by   Virus Bulletin on   Feb 3, 2015

It is not as important as is often suggested — and doesn't mean the malware is allowed to execute.

It is fairly common these days for security researchers to write about new malware attacks and point to low anti-virus detection rates when the affected sample is uploaded to VirusTotal's multi-AV scanning service.

But do these low detection rates really say anything about the effectiveness of today's anti-virus products?

VirusTotal makes it pretty clear that its services should not be used to compare the performance of anti-virus products. Amongst other things, the company points out that the engines that it uses are command line versions, not the desktop versions that most people tend to use.

However, the command line version is also what is typically used when a product is integrated into a spam filter or a web security product. It would therefore be a very good thing for these command line versions to detect malware when it is used in a spam campaign or a drive-by download campaign, either because they have seen it before or because they detect its malicious nature heuristically.

Still, it should be noted that this is not the full picture. Not at all.

  VirusTotal detection of the EICAR test file

First, products scanning for malware at the gateway (such as spam filters or web security products) don't do this in a void. They take the context into consideration, such as the reputation of the site that serves the malware or the email that sends it. In the majority of cases, this is what results in the malware being blocked, even if the anti-virus scanner doesn't recognise the malware as such.

Secondly, what is served to command line anti-virus scanners is rarely the malicious content itself. Rather, it tends to be obfuscated by packers and hidden amongst garbage code.

A good example is the Vawtrak banking trojan (which we published an analysis of last month). Vawtrak's malicious payload is contained in a DLL file, which is dropped onto the machine where it maintains persistence.

However, this DLL is wrapped in no fewer than three executable layers, each of which contains plenty of anti-debugging code to frustrate the automatic analysis of the malware. It would be easy for malware authors to modify these layers to defeat heuristic anti-virus signatures.

  Vawtrak's layers have been compared with matryoshka dolls. Source: Wikimedia Commons (CC BY-SA 3.0)

The same point was made by researcher Emeric Nasi in his paper 'Bypass Antivirus Dynamic Analysis' (pdf), which was published in August last year.

But that doesn't mean, as Emeric seems to suggest, that anti-virus is trivial to bypass. What ultimately matters is whether the malicious payload (the DLL in Vawtrak's case) is either blocked or prevented from performing its malicious activity.

It is easy for anti-virus to give users a false sense of security. Anti-virus doesn't provide 100% protection (in fact, no security product does, no matter how hard marketing people try to convince you that their product is the exception), and treating it as if it does can be rather dangerous.

It is also important to be critical of anti-virus products should they fail to live up to standards - whether that's because they fail to protect users, they block legitimate files, or there are vulnerabilities in the product itself.

However, the suggestion that anti-virus products block very few of the threats that are attempting to infect millions of users every day are not only wrong, they also give a false sense of insecurity. In the worst case, they may even encourage people not to bother installing such a product. For all but a handful of very experienced users, that would be a very bad choice.

Posted on 03 February 2015 by Martijn Grooten

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest posts:

VB2018 preview: Unpacking the packed unpacker: reversing an Android anti-analysis library

At VB2018, Google researcher Maddie Stone will present an analysis of the multi-layered 'WeddingCake' anti-analysis library used by many Android malware families.

VB2018 preview: From drive-by download to drive-by mining

At VB2018, Malwarebytes researcher Jérôme Segura will discuss the rise of drive-by cryptocurrency mining, explaining how it works and putting it in the broader context of changes in the cybercrime landscape.

Red Eyes threat group targets North Korean defectors

A research paper by AhnLab researcher Minseok Cha looks at the activities of the Red Eyes threat group (also known as Group 123 and APT 37), whose targets include North Korean defectors, as well as journalists and human rights defenders focused on…

VB announces Threat Intelligence Summit to take place during VB2018

We are very excited to announce a special summit, as part of VB2018, that will be dedicated to all aspects of threat intelligence.

VB2018 Small Talk: An industry approach for unwanted software criteria and clean requirements

An industry approach for defining and detecting unwanted software to be presented and discussed at the Virus Bulletin conference.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.