Waves of New Trojans Overwhelming AV
The recent torrent of more sophisticated Trojan threats is producing a large volume of attacks that cannot be detected by traditional AV systems, security researchers contend. According to a new paper published by message and Web filtering specialist Commtouch, millions of Trojans easily evaded signature-based AV technologies during Q2 2009 alone. Recent Trojan outbreaks sent malware volumes soaring in general with higher levels of attacks circumventing defensive controls than seen by the company over the previous six quarters. AV systems have improved their capabilities are doing a better job in general, but the proliferation of new Trojan variants immune to generic signature detection has proven problematic, Commtouch CTO Amir Lev said in a report summary. The vendor's trend report is based on its analysis of billions of email messages and Internet transactions channeled through its Web-based detection centers. The mere outbreak of several extremely "aggressive" variants of existing Trojans, notably those tied to the Waledac botnet, that utilize newer signature evasion techniques led to the takeoff in attacks, Commtouch reports. The use of generic signatures became popular among AV providers as a foil to trends such as server side polymorphism, through which millions of variants of the same attack are distributed, versus larger batches of the same threats which are easier for AV firms to fingerprint and block. "As demonstrated by this massive growth, the generic signatures have not proven to work against the recent variants," the report said. The most popular Trojan attacks defeating AV systems between May and June included Mal/WaledPak-A, Mal/FakeVirPk-A andTroj/Agent-KBE. Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com. |
Comments (1)
This is one of the reasons that security vendors have adopted more of a layered approach to system and information defence, and why it is increasingly difficult for the traditional 'AV-only' firms to keep up.
A lot of testers (people like Commtouch) will use systems like VirusTotal, etc - to determine effective detection. So-called 'generic' detection is a big improvement over single variant identities, but this doesn't represent the capabilities of most Security solutions.
Examples include:
Secure web gateways - block known bad URLs, do real time scanning for malicious content, catch iFrame and Javascript redirection attacks before it has a chance to reach the endpoint
Browser security - stop many common web delivered attacks
HIPS - host based intrusion prevention security will prevent many forms of polymorphic attack without the need for a specific or even generic identity
Buffer Overflow protection - prevents exploit code from overflowing the browser, Microsoft services, plug-ins, etc.
Client firewall technology - in addition to stopping inbound attacks, can also stop malware that has made it onto the machine from calling home and leaking your confidential information.
So while traditional AV continues to be an important component of security, it is only a small part of the arsenal that modern security vendors bring to bear against these threats.
Michael
Posted by Michael Argast | July 17, 2009 7:20 AM