Low VirusTotal detection rates for new malware, do they matter?

Posted by   Virus Bulletin on   Feb 3, 2015

It is not as important as is often suggested — and doesn't mean the malware is allowed to execute.

It is fairly common these days for security researchers to write about new malware attacks and point to low anti-virus detection rates when the affected sample is uploaded to VirusTotal's multi-AV scanning service.

But do these low detection rates really say anything about the effectiveness of today's anti-virus products?

VirusTotal makes it pretty clear that its services should not be used to compare the performance of anti-virus products. Amongst other things, the company points out that the engines that it uses are command line versions, not the desktop versions that most people tend to use.

However, the command line version is also what is typically used when a product is integrated into a spam filter or a web security product. It would therefore be a very good thing for these command line versions to detect malware when it is used in a spam campaign or a drive-by download campaign, either because they have seen it before or because they detect its malicious nature heuristically.

Still, it should be noted that this is not the full picture. Not at all.

  VirusTotal detection of the EICAR test file

First, products scanning for malware at the gateway (such as spam filters or web security products) don't do this in a void. They take the context into consideration, such as the reputation of the site that serves the malware or the email that sends it. In the majority of cases, this is what results in the malware being blocked, even if the anti-virus scanner doesn't recognise the malware as such.

Secondly, what is served to command line anti-virus scanners is rarely the malicious content itself. Rather, it tends to be obfuscated by packers and hidden amongst garbage code.

A good example is the Vawtrak banking trojan (which we published an analysis of last month). Vawtrak's malicious payload is contained in a DLL file, which is dropped onto the machine where it maintains persistence.

However, this DLL is wrapped in no fewer than three executable layers, each of which contains plenty of anti-debugging code to frustrate the automatic analysis of the malware. It would be easy for malware authors to modify these layers to defeat heuristic anti-virus signatures.

  Vawtrak's layers have been compared with matryoshka dolls. Source: Wikimedia Commons (CC BY-SA 3.0)

The same point was made by researcher Emeric Nasi in his paper 'Bypass Antivirus Dynamic Analysis' (pdf), which was published in August last year.

But that doesn't mean, as Emeric seems to suggest, that anti-virus is trivial to bypass. What ultimately matters is whether the malicious payload (the DLL in Vawtrak's case) is either blocked or prevented from performing its malicious activity.

It is easy for anti-virus to give users a false sense of security. Anti-virus doesn't provide 100% protection (in fact, no security product does, no matter how hard marketing people try to convince you that their product is the exception), and treating it as if it does can be rather dangerous.

It is also important to be critical of anti-virus products should they fail to live up to standards - whether that's because they fail to protect users, they block legitimate files, or there are vulnerabilities in the product itself.

However, the suggestion that anti-virus products block very few of the threats that are attempting to infect millions of users every day are not only wrong, they also give a false sense of insecurity. In the worst case, they may even encourage people not to bother installing such a product. For all but a handful of very experienced users, that would be a very bad choice.

Posted on 03 February 2015 by Martijn Grooten



Latest posts:

What kind of people attend Virus Bulletin conferences?

If you are considering submitting a proposal for a talk to VB2018 and you're not familiar with the event, you may find it useful to know what kind of people attend the conference.

Olympic Games target of malware, again

An unattributed malware attack has disrupted some computer systems of the 2018 Winter Olympics. In 1994, a computer virus also targeted the Winter Olympics.

There are lessons to be learned from government websites serving cryptocurrency miners

Thousands of websites, including many sites of government organisations in the UK, the US and Sweden, were recently found to have been serving a cryptocurrency miner. More interesting than the incident itself, though, are the lessons that can be…

We need to continue the debate on the ethics and perils of publishing security research

An article by security researcher Collin Anderson reopens the debate on whether publishing threat analyses is always in the public interest.

WordPress users urged to manually update to fix bug that prevents automatic updating

Users of the popular WordPress content management system are urged to manually update their installation to version 4.9.4, as a bug in the previous version broke the ability to automatically install updates.