The crime ring behind the latest Storm Worm-related malware attack (Techmeme discussion) is using new tactics to slip malicious executables past anti-virus defenses, serving up another black eye to an industry that already uses questionable tactics to find new customers.
Arbor Networks researcher Jose Nazario flagged the poor anti-virus detections of the Storm Worm Trojan in a blog entry that noted the use of password-protected ZIP files to hide .EXE attachments.
Anti-virus software will stop .EXE attachments and, in some configurations, will even strip ZIP files from incoming e-mails. In this case, however, the .EXEs were spammed out inside password-protected ZIP files, and fully updated anti-virus software failed to catch the malicious files because it could not inspect the encrypted contents.
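The gap described above is that a scanner cannot look inside an encrypted ZIP member, so a mail gateway has to decide on archive metadata alone. The following added example (not code from the original post or from Arbor Networks) reads only the ZIP headers, flags members whose names carry an executable extension, and holds archives whose members are marked encrypted. The sample attachments are constructed in the script by setting the ZIP encryption flag bit on an ordinary archive; the member bytes are a stand-in, not real malware.

```python
import io
import os
import struct
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

def set_encrypted_flag(data: bytes) -> bytes:
    """Set general-purpose bit 0 (traditional PKWARE encryption) on every
    local file header and central directory record. Used here only to
    construct a sample that is *marked* password-protected; the member
    data is not really encrypted, which is enough for a metadata check."""
    buf = bytearray(data)
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            flags = struct.unpack_from("<H", buf, pos + flag_off)[0] | 0x0001
            struct.pack_into("<H", buf, pos + flag_off, flags)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)

def build_sample_attachment(member_name: str, password_protected: bool) -> bytes:
    """Constructed ZIP attachment with one member (stand-in bytes, not a real PE)."""
    mem = io.BytesIO()
    with zipfile.ZipFile(mem, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, b"MZ" + b"\x00" * 62)
    data = mem.getvalue()
    return set_encrypted_flag(data) if password_protected else data

def triage_zip_attachment(data: bytes) -> dict:
    """Inspect ZIP metadata without extracting anything. An encrypted member
    cannot be content-scanned, so the verdict rests on member names and the
    encryption flag rather than on what a signature engine would see."""
    executable, encrypted = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if os.path.splitext(info.filename)[1].lower() in EXECUTABLE_EXTS:
                executable.append(info.filename)
            if info.flag_bits & 0x0001:
                encrypted.append(info.filename)
    if executable:
        action = "quarantine"          # executable inside an e-mail archive
    elif encrypted:
        action = "hold_for_review"     # unscannable content, no executable name
    else:
        action = "allow"
    return {"action": action, "executable": executable, "encrypted": encrypted}
```

The policy thresholds (quarantine versus hold) are an assumption for illustration; the point is that an encrypted archive is treated as unscanned rather than as clean.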
At the height of the spam run, several new payloads and tactics were being used, further exposing the inability of anti-virus software to react swiftly to emerging threats.
Standalone, signature-based anti-virus protection is dead, replaced by an anti-everything approach that includes heuristics, behavior-blocking and herd intelligence. Yet during every malware outbreak, the thing that always stands out is the poor detection rate, even from the big boys (Symantec, McAfee and Trend Micro).
I spent the last month on a project that looked at detection rates and response times of several big-name consumer anti-virus programs and was blown away by the ridiculously poor performance around heuristic detections. The best performing product captured less than 80 percent of unknown malware samples. At best, they were missing one-fifth of the most virulent virus variants.
Desktop software protection is a necessity, especially for consumers with poor computer usage habits. But, despite glowing press releases boasting about new zero-day protection technologies, anti-virus software still can't keep pace with variants of old malware samples.
Storm Worm is just another example of this.