Low VirusTotal detection rates for new malware, do they matter?

Posted by   Virus Bulletin on   Feb 3, 2015

It is not as important as is often suggested — and doesn't mean the malware is allowed to execute.

It is fairly common these days for security researchers to write about new malware attacks and point to low anti-virus detection rates when the affected sample is uploaded to VirusTotal's multi-AV scanning service.

But do these low detection rates really say anything about the effectiveness of today's anti-virus products?

VirusTotal makes it pretty clear that its services should not be used to compare the performance of anti-virus products. Amongst other things, the company points out that the engines that it uses are command line versions, not the desktop versions that most people tend to use.

However, the command line version is also what is typically used when a product is integrated into a spam filter or a web security product. It would therefore be a very good thing for these command line versions to detect malware when it is used in a spam campaign or a drive-by download campaign, either because they have seen it before or because they detect its malicious nature heuristically.

Still, it should be noted that this is not the full picture. Not at all.

  VirusTotal detection of the EICAR test file

First, products scanning for malware at the gateway (such as spam filters or web security products) don't do this in a void. They take the context into consideration, such as the reputation of the site that serves the malware or the email that sends it. In the majority of cases, this is what results in the malware being blocked, even if the anti-virus scanner doesn't recognise the malware as such.

Secondly, what is served to command line anti-virus scanners is rarely the malicious content itself. Rather, it tends to be obfuscated by packers and hidden amongst garbage code.

A good example is the Vawtrak banking trojan (which we published an analysis of last month). Vawtrak's malicious payload is contained in a DLL file, which is dropped onto the machine where it maintains persistence.

However, this DLL is wrapped in no fewer than three executable layers, each of which contains plenty of anti-debugging code to frustrate the automatic analysis of the malware. It would be easy for malware authors to modify these layers to defeat heuristic anti-virus signatures.

  Vawtrak's layers have been compared with matryoshka dolls. Source: Wikimedia Commons (CC BY-SA 3.0)

The same point was made by researcher Emeric Nasi in his paper 'Bypass Antivirus Dynamic Analysis' (pdf), which was published in August last year.

But that doesn't mean, as Emeric seems to suggest, that anti-virus is trivial to bypass. What ultimately matters is whether the malicious payload (the DLL in Vawtrak's case) is either blocked or prevented from performing its malicious activity.

It is easy for anti-virus to give users a false sense of security. Anti-virus doesn't provide 100% protection (in fact, no security product does, no matter how hard marketing people try to convince you that their product is the exception), and treating it as if it does can be rather dangerous.

It is also important to be critical of anti-virus products should they fail to live up to standards - whether that's because they fail to protect users, they block legitimate files, or there are vulnerabilities in the product itself.

However, the suggestion that anti-virus products block very few of the threats that are attempting to infect millions of users every day are not only wrong, they also give a false sense of insecurity. In the worst case, they may even encourage people not to bother installing such a product. For all but a handful of very experienced users, that would be a very bad choice.

Posted on 03 February 2015 by Martijn Grooten

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2021 localhost videos available on YouTube

VB has made all VB2021 localhost presentations available on the VB YouTube channel, so you can now watch - and share - any part of the conference freely and without registration.

VB2021 localhost is over, but the content is still available to view!

VB2021 localhost - VB's second virtual conference - took place last week, but you can still watch all the presentations.

VB2021 localhost call for last-minute papers

The call for last-minute papers for VB2021 localhost is now open. Submit before 20 August to have your paper considered for one of the slots reserved for 'hot' research!

New article: Run your malicious VBA macros anywhere!

Kurt Natvig explains how he recompiled malicious VBA macro code to valid harmless Python 3.x code.

New article: Dissecting the design and vulnerabilities in AZORult C&C panels

In a new article, Aditya K Sood looks at the command-and-control (C&C) design of the AZORult malware, discussing his team's findings related to the C&C design and some security issues they identified.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.