Boris Lau, Sophos
DEFCON 2008 proposes to challenge AV vendors by modifying malware samples to avoid detection by anti-virus scanners (http://www.racetozero.net/). However, we have already been observing this activity in the wild: malware authors systematically test their samples against various online scanners, which run existing AV engines, and modify them until detection breaks.
Observing malware authors using their tricks gives us a unique opportunity to understand their working processes. Analysing this information allows the AV industry to stay ahead in the fight against malware.
At SophosLabs we have a database of samples submitted to the labs, which provides statistics that enable us to correlate samples from various sources and establish a picture of the workflow of malware authors. In this presentation I will use recent case studies, based on data taken from our database, to show the efforts malware authors put into evading detection.