Why malware networks are beating antivirus software

Summary: This week I'm watching a gang of malware distributors preying on Windows users. How are traditional antivirus programs doing against this particular threat? The case study shows why signatures and scans offer imperfect protection.


The most consistent thing about the malware business is that it’s constantly changing. The field is dominated by gangs that use hit-and-run tactics. A new report by Blue Coat Systems, a security company that specializes in cloud-based services, provides some interesting (and rare) details about how the malware business ebbs and flows.

Between February and May 2011, for example, Blue Coat had 395 unique malware networks under observation. On any given day, their data show, "the number of unique malware networks … ranged from just under 100 ... to fewer than 25 in operation.” The report specifically noted “a drop-off in mid-May as networks relocated and consolidated.”

Back in May, I observed the Mac Defender gang carefully. Lately, I’ve been watching a new round of attacks from a different network. Their product is a Trojan, aimed at Windows users. It arrives via e-mail, as a file attachment called RefundForm, in Zip format. It appears to be from a hotel. The subject line indicates it’s about a “wrong transaction,” and the message body says the hotel overcharged the recipient’s credit card and that they need to fill out the attached claim form to get the money back.

Now, this is terrible social engineering. The message is poorly written, and probably won’t fool a native English speaker. But it might be good enough to fool an unsophisticated Windows user whose English is less than perfect. Because the attached file is inside a Zip file, it can get past mail gateways that block executable files as attachments. The compressed attachment contains a Windows executable file, of course, not an Excel form, as the file icon tries to fool the recipient into thinking:
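The check that defeats that disguise is to look at what is inside the archive rather than at the member's extension or icon. This is an added example, not code from the original post: it opens a Zip attachment offline, reads each member's first bytes, and flags any member that carries a DOS "MZ" stub pointing at a "PE\0\0" header, which is what a Windows executable looks like regardless of what it is called. The sample attachment and its member names are constructed here.

```python
"""Inspect a Zip e-mail attachment for Windows executables by content, not by name."""
import io
import struct
import zipfile


def is_pe_executable(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_executables_in_zip(zip_bytes: bytes, max_member_size: int = 50_000_000) -> list:
    """Return the names of archive members that are PE executables, whatever their extension."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > max_member_size:
                continue  # skip directories and members too large to be worth inflating
            with zf.open(info) as member:
                head = member.read(4096)  # both headers sit in the first few KB
            if is_pe_executable(head):
                hits.append(info.filename)
    return hits


def _fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: MZ stub, e_lfanew=0x80, then the PE signature."""
    stub = bytearray(b"MZ" + b"\0" * 0x7E)
    struct.pack_into("<I", stub, 0x3C, 0x80)
    return bytes(stub) + b"PE\0\0" + b"\0" * 64


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the RefundForm Zip: a disguised executable plus a harmless file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("RefundForm.xls.exe", _fake_pe())  # hypothetical member name
        zf.writestr("claim_form.xls", b"constructed sample; not a real spreadsheet")
    return buf.getvalue()


if __name__ == "__main__":
    print("executables found:", find_executables_in_zip(build_sample_attachment()))
```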

I first noticed this attack last week, on July 27, when several of these messages showed up in the Junk folder of an account I use for monitoring spam. (It’s from a domain I own but is redirected to a Hotmail server.) I saw multiple copies over the course of several days, including (in a remarkable coincidence) one that included the name of a resort I had actually visited earlier this year.

The copy shown in the screen above arrived Tuesday morning at 11:02AM. I copied the file attachment to my local hard drive and did some basic analysis.

First step: I uploaded a copy of the suspicious file to VirusTotal, which reported that I wasn't the first to submit this variant; 6 of 30 antivirus engines had detected it as malware when it was first submitted two hours earlier. When I asked for a reanalysis, it showed that the detection rate had gone up to 13 of 43 engines, presumably based on signatures that had been updated during that brief interval. (After 24 hours, 25 out of 43 engines said it was malware, although they couldn't agree at all on what it is.)

Second step: I went to ThreatExpert and uploaded a copy of the suspicious file. It wasn’t able to identify the sample as a known threat, but a detailed report that arrived via e-mail a few minutes later contained suspicious details:

  • File system modifications: Running the file created a new executable, Dxdiag.exe, in the Startup folder. This is the same name as a Windows system tool and is a major red flag.
  • Memory modifications: Svchost.exe, a Windows system file that hosts system services, was modified, with new memory pages created in its address space. This is not something a legitimate program does.
  • Network access: The program attempted to make a connection to a remote host over port 80 and tried to run a pair of scripts from a server in Russia. It is most likely that these were attempts to download and install additional software, this time in the background.

These are all telltale signs of particularly aggressive malware. Indeed, Microsoft's security team identified it as TrojanDownloader:Win32/Dofoil.G. Trust me, you do not want this thing running on any PC you own.
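The first of those indicators, a copy of Dxdiag.exe dropped into the Startup folder, is something a defender can check for directly. This is an added example, not code from the original post or from ThreatExpert: it flags any Startup-folder entry whose file name matches a Windows system tool but whose path lies outside the Windows directory. The list of tool names and the sample entries are constructed; the Startup folder locations are the standard per-user and all-users paths.

```python
"""Flag Startup-folder entries that borrow the name of a Windows system tool."""
import os
from pathlib import PureWindowsPath

# Constructed list of binaries that legitimately live under %SystemRoot%; a file with one
# of these names sitting in a Startup folder is the red flag the sandbox report describes.
SYSTEM_TOOL_NAMES = {"dxdiag.exe", "svchost.exe", "taskmgr.exe", "regedit.exe", "csrss.exe"}


def flag_startup_lookalikes(entries, system_root=r"C:\Windows"):
    """Return entries named like a system tool but located outside system_root."""
    root = PureWindowsPath(system_root)  # PureWindowsPath compares case-insensitively
    flagged = []
    for entry in entries:
        path = PureWindowsPath(entry)
        if path.name.lower() in SYSTEM_TOOL_NAMES and root not in path.parents:
            flagged.append(str(path))
    return flagged


def startup_entries():
    """Enumerate the per-user and all-users Startup folders on a live Windows host."""
    folders = [
        os.path.join(os.environ.get("APPDATA", ""), r"Microsoft\Windows\Start Menu\Programs\Startup"),
        os.path.join(os.environ.get("PROGRAMDATA", ""), r"Microsoft\Windows\Start Menu\Programs\StartUp"),
    ]
    found = []
    for folder in folders:
        if os.path.isdir(folder):
            found.extend(os.path.join(folder, name) for name in os.listdir(folder))
    return found


# Constructed sample modelled on the report: Dxdiag.exe dropped into a user's Startup folder,
# a harmless shortcut beside it, and the genuine tool in its proper place under C:\Windows.
SAMPLE_ENTRIES = [
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dxdiag.exe",
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote.lnk",
    r"C:\Windows\System32\dxdiag.exe",
]

if __name__ == "__main__":
    live = startup_entries() if os.name == "nt" else SAMPLE_ENTRIES
    print("suspicious Startup entries:", flag_startup_lookalikes(live))
```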

As a test, I kept the file attachment in a local folder and began checking it every few hours using the on-demand scanning tools in two current, high-end consumer antivirus programs running on Windows 7 desktop systems in my office. Before each check, I downloaded and installed the latest updates for each program. What happened?

Trend Micro Titanium Maximum Security gave the malicious file a clean bill of health for nearly 24 hours. After I installed a definition file that was time-stamped at 9:18AM Wednesday, this file was detected and removed.

Norton Internet Security 2011 offered at least a half-dozen updates in the 24 hours after this message arrived, including one that required a restart. Still, a full day after I downloaded this file, it wasn’t recognized as dangerous. Norton gave it this green-is-good checkmark.

And here’s the even worse news. Wednesday morning at 3:39AM, another copy of this particular Trojan arrived. It’s at least the eighth distinct variant I’ve seen personally. (Researchers at the University of Alabama Birmingham have confirmed that there are many variants of this threat.) ThreatExpert confirms that it is functionally identical to the previous versions I saw.

Roughly 10 hours after it appeared here, it was recognized as malware by only 7 of 41 engines on VirusTotal. The Trend Micro online service, House Call, flags it as hostile, but my local Trend Micro software waved it through, as did Norton Internet Security.

On my system, at least, the good news is that Tuesday's threat was blocked by a separate security layer. Hotmail’s filters moved the message to the Junk folder, where a recipient is likely to be much more suspicious and where downloads of file attachments are not allowed without extra steps. All formatting is stripped away, making logos and other social engineering tricks ineffective. Within four hours after that variant arrived, Hotmail had blocked the file attachment from even being downloaded, much less opened. Although the message was still in my Inbox, trying to download it resulted in this message:

The fact that I am using a cloud-based service rather than downloading all my mail locally turns out to be a useful security measure, in that these hostile attachments are much less likely to end up on my PC.

On a separate system, accessing the same account using Microsoft Outlook, every copy of the suspicious file was blocked from opening upon arrival.

The point of all this is to establish a simple fact: In the war between malware distributors and conventional signature-based security software, the bad guys have the upper hand. They can morph their software very quickly and basically give themselves a free head start of hours or even days against even aggressively updated security programs.

Don’t get me wrong: scanning is useful. It can block some threats, and it’s effective at cleaning up some malicious downloads. But it’s not a panacea and it shouldn’t be considered the primary layer of protection.

Despite Norton’s slow response in this example, it’s my current favorite overall, precisely because it does more than just scan. In particular, its reputation-based analyses are exemplary. In a follow-up post, I’ll have more on what Symantec is doing and why other AV vendors should follow their lead.

  • RE: Why malware networks are beating antivirus software

    These products prioritise updates that destroy active malware. You cannot judge the effectiveness of a security program by how it deals with benign, unexecuted files.
    • Benign?


      This was not a "benign" file. If you read the ThreatExpert analysis you would see that it was exactly the opposite. In fact, I suspect one of the first programs it downloaded would have attempted to disable any running AV software.
      Ed Bott

    • RE: Why malware networks are beating antivirus software

      What? I'd much rather have a product that prevents the malware becoming active rather than tell the user it is "green is good". So yes, you can judge a program's effectiveness by how it deals with unexecuted files.
      • All AV software is reactive, none of it is proactive...


        Freezing a PC (via something like Faronics Deep Freeze) or white listing are the only proactive protections you can get with a Windows PC. With all AV SW you are at their mercy for reactive updates and protection (generally a few days late).

        The problem with white listing and freezing is that they require more work and planning (But are well worth it). Security and productivity have always resided on opposite ends of a balance, one goes up and the other goes down.

        Malware writers are paid on commission, they have financial motivation to work and they have small windows of opportunity to get that work done. In other words, they are highly motivated and no one is going to beat them with silly reactive protections.

        Nothing from the AV world is going to prevent a current exploit from becoming active. White listing will, but that also requires an intelligent user.

        Malware networks will always beat antivirus software, they win every time. The epitome of stupidity is thinking that somehow, a reactive protection will someday win... That is never gonna happen and offers no security.
      • Re: All AV software is reactive...blah, blah

        Guess you have never heard of heuristics? Also, better AV packages at least are able to add definitions for newly discovered malware within 24 hours. Ed Bott's experience with Symantec should sound warning bells in his office... I gave up on Symantec, as well as McAfee, a number of years ago. Avira, AVG, F-Prot, heck even MSE score higher than Norton or McAfee in recent tests. Why, I remember the old Dr Solomon's antivirus that would inoculate your executables to prevent changes...that's
      • RE: Why malware networks are beating antivirus software

        @wizard57m@... Some products use sandbox technology or heuristics (Comodo, Eset) to identify unknown threats.
    • RE: Why malware networks are beating antivirus software

      @ShanOw That's kind of silly. Why would you let a spy into your base in the first place? :v
      Years ago (Windows 98), I downloaded a .zip file containing an EXE (it was a no-CD crack for my copy of FF7-PC), and my AV software at the time screamed at me for the suspected threat before I ever unzipped or ran the EXE. While it was safe and from a trusted source, the point is my AV checked the file for me before I even had a chance to mess with it.
    • What? Their goal is to prevent them becoming active

      The signature model is wrong, impossible to keep up fast enough and for targeted attacks.

      Good article Ed. Very informative.
      Richard Flude
    • RE: Why malware networks are beating antivirus software

      You shouldn't consider something that attempts disguising itself as an important system file a benign file :|
    • RE: Why malware networks are beating antivirus software

      @ShanOw a Trojan exe is still a Trojan.
  • RE: Why malware networks are beating antivirus software

    Good article Ed ... maybe now some of the folks that get cavalier about their behaviour because "they use XYZ anti-virus" will get the message.
    • RE: Why malware networks are beating antivirus software

      @BrentRBrian Maybe some folks will stop crying "You're a shill for Microsoft!" because he mentions Apple malware.
      • RE: Why malware networks are beating antivirus software

        LOL :D
      • RE: Why malware networks are beating antivirus software

        @jgm@... Although what makes me cringe was his insistence that Mac users were clueless because they didn't run AntiVirus (which, as he notes here, is utterly ineffective!)
    • RE: Why malware networks are beating antivirus software

      @BrentRBrian: Anyone fool enough to think just having an AV makes them secure is not one to catch on quickly. Few of them are likely to read this, anyway.

      No decent AV relies just on signatures anymore, but even the best heuristics catch only about 60% of unknown malware; most catch less than 50%.

      I use AV, anti-spyware, and HIPS; and I use NoScript in Firefox for browsing (all free programs, and together they don't come close to using the resources Norton does). I think I'm pretty well protected, but I still use a great deal of caution (the most important component in security).

      My AV is Avast, by the way; AVG is a pig, and less effective. Avira is better yet, but its updates are huge and I don't have a fast connection.
  • AV Software

    We switched from Symantec to Sophos this year at work and it has made a world of difference! Also, based on our experience I was not surprised to see Sophos as one of the first couple that detected this.
  • RE: Why malware networks are beating antivirus software

    As long as the misconception continues that users ONLY need anti-virus, malware will be prevalent. I have worked in IT for over 20 years and have studied a lot of malware myself. Most anti-virus products do not detect a few of the following steps.

    The most common malware attacks are browser related, exploiting a hole in the browser, most commonly IE. The hole allows a dropper file to be injected into the filesystem that is not detected by nearly any anti-virus. The dropper file does not contain any viral code, hence it evades anti-virus. The next step is usually several attacks from the dropper's payload: often disabling anti-virus, inserting keys into the registry, hiding component files in /users/<yourname>/application data/local or /roaming. Some even go as far as locking out features of Windows like Task Manager, regedit and even blocking executable names for cleaners like Malwarebytes Anti-Malware (which happens to be the best from a tech's point of view). It's very easy to bypass some of the locks placed on the machine after a severe malware infection and most of the time you can defeat them by just changing the name of the installer for your cleaner to something like 001.exe or 001.com, allowing you to defeat the malware and clean it out.

    I must tell you though, Vundo is nasty and is not detected by a lot of antivirus or antimalware apps, and the TDL rootkits are undetectable by all antivirus and nearly all anti-malware (except ComboFix and the TDL scanners). Machines infected with the TDL rootkits will run like garbage and have several types of rogue anti-virus installed along with garbage registry cleaners, optimizers and other junk that's useless. Removal and reboot starts immediate reinfection due to the TDL rootkit.

    The community writes these while testing them on all commercial anti-virus to ensure detection evasion.

    My final note: if any of you think AVG is adequate, think again. If you have AVG installed you might as well have nothing at all installed, it's about the same difference. Humor me: if you have AVG installed then remove it and try Avira. I can pretty much guarantee that it will find numerous things AVG didn't even see.
    • RE: Why malware networks are beating antivirus software

      @Nate_K I have to laugh at these people who use AVG. They all swear that it works great for them. You can't convince them otherwise. Then they ask you why their computer is running slow and sending out strange emails all by itself.

      I had one "friend" who actually threw out her computer because she swore it was broken. (I use quotes because I only hear from her when something is acting up.) Her hardware was fine. She was just infected with a ton of malware. Since she wouldn't pay for anything, I installed MS Security Essentials. As soon as she got the machine back, she took it out and reinstalled AVG.

      Yup, the free AV sure saved her a lot of money.

      You can't argue with those people. I have given up on them.
  • This is why I don't bother with A/V software.

    It's ineffective.

    "But it's not a panacea and it shouldn't be considered the primary layer of protection."

    Yet this is exactly what security "experts" do.

    "Despite Norton's slow response in this example, it's my current favorite overall, precisely because it does more than just scan."

    Precisely why it should be avoided.