'Storm Worm' surge exposes AV deficiencies


The crime ring behind the latest Storm Worm-related malware attack (Techmeme discussion) is using new tactics to slip malicious executables past anti-virus defenses, serving up another black eye to an industry that already uses questionable tactics to find new customers.

Arbor Networks researcher Jose Nazario flagged the poor anti-virus detections of the Storm Worm Trojan in a blog entry that noted the use of password-protected ZIP files to hide .EXE attachments.

Anti-virus software will block .EXE attachments and, in some scenarios, will even strip ZIP files from incoming e-mails. However, in this case, when the .EXEs were being spammed inside password-protected ZIP files, fully updated anti-virus software failed to catch the malicious files: a scanner cannot open the encrypted archive to inspect what it contains.
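The tactic described above works because content scanning stops at the encrypted archive boundary, but the ZIP container itself still advertises that its entries are encrypted and what they are called. The following is an added example, not code from the original post or from any vendor mentioned in it: a gateway-style check that inspects a ZIP attachment's central directory without extracting anything and flags archives that are encrypted or that carry executable entry names. The `build_stored_zip` helper and its sample payloads are constructed here purely to produce test input; the policy in `assess_zip_attachment` is an assumption of the example, not a description of any product's behaviour.

```python
import io
import struct
import zipfile
import zlib

# Extensions a mail gateway would treat as directly executable (assumed policy list).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def build_stored_zip(name: str, payload: bytes, encrypted_flag: bool) -> bytes:
    """Construct a minimal single-entry ZIP archive (method 0, 'stored').

    When encrypted_flag is True only general-purpose flag bit 0 is set, the way a
    password-protected archive would set it; the payload bytes are left as-is,
    which is enough for a header-level check that never reads entry data.
    """
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    flags = 0x0001 if encrypted_flag else 0x0000
    fname = name.encode("utf-8")
    # Local file header: sig, version needed, flags, method, time, date, crc, csize, usize, name len, extra len
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                        crc, len(payload), len(payload), len(fname), 0) + fname
    data = local + payload
    # Central directory header: adds version made by, comment len, disk start, attributes, local header offset
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0,
                          crc, len(payload), len(payload), len(fname), 0, 0, 0, 0, 0, 0) + fname
    # End of central directory: sig, disk, cd disk, entries here, entries total, cd size, cd offset, comment len
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(data), 0)
    return data + central + eocd


def assess_zip_attachment(data: bytes) -> dict:
    """Inspect a ZIP attachment by reading only its central directory.

    Returns the findings a gateway could act on: whether any entry is flagged
    as encrypted, which entry names carry an executable extension, and the
    resulting quarantine decision under the example's conservative policy.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # An attachment that claims to be a ZIP but cannot be parsed is held rather than passed.
        return {"valid_zip": False, "encrypted": False, "executables": [], "quarantine": True,
                "reason": "unparsable archive"}
    infos = archive.infolist()
    # Bit 0 of the general-purpose flag marks an entry as encrypted (ZIP appnote section 4.4.4).
    encrypted = any(info.flag_bits & 0x1 for info in infos)
    executables = [info.filename for info in infos
                   if info.filename.lower().endswith(EXECUTABLE_EXTENSIONS)]
    if encrypted:
        reason = "encrypted archive cannot be content-scanned"
    elif executables:
        reason = "archive contains executable entries"
    else:
        reason = "no finding"
    return {"valid_zip": True, "encrypted": encrypted, "executables": executables,
            "quarantine": encrypted or bool(executables), "reason": reason}


if __name__ == "__main__":
    # Constructed samples: the 'MZ' prefix only mimics a PE header for the name-based check.
    for label, sample in [
        ("encrypted zip with .exe", build_stored_zip("invoice.exe", b"MZ-constructed", True)),
        ("plain zip with .exe", build_stored_zip("invoice.exe", b"MZ-constructed", False)),
        ("plain zip with .txt", build_stored_zip("notes.txt", b"hello", False)),
        ("not a zip", b"this is not an archive"),
    ]:
        print(label, "->", assess_zip_attachment(sample))
```

The decision rule is deliberately blunt: an archive the scanner cannot open is treated as unscannable and held, whatever the password-protected contents turn out to be, and an executable name inside an unencrypted archive is held without relying on a signature match. Real gateways layer this with sender reputation and user-facing release workflows; the point here is that the encryption flag and the entry names remain visible even when the payload is not.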

At the height of the spam run, several new payloads and tactics were being used, further exposing the inability of anti-virus software to react swiftly to emerging threats.

Standalone, signature-based anti-virus protection is dead, replaced by an anti-everything approach that includes heuristics, behavior-blocking and herd intelligence. But during every malware outbreak, the thing that always stands out is the poor detection rates, even from the big boys (Symantec, McAfee and Trend Micro).

I spent the last month on a project that looked at detection rates and response times of several big-name consumer anti-virus programs and was blown away by the ridiculously poor performance around heuristic detections.  The best performing product captured less than 80 percent of unknown malware samples.  At best, they were missing one-fifth of the most virulent virus variants.

Desktop software protection is a necessity, especially for consumers with poor computer usage habits.  But, despite glowing press releases boasting about new zero-day protection technologies, anti-virus software still can't keep pace with variants of old malware samples.

Storm Worm is just another example of this.


Talkback

8 comments
  • My AVG caught it and

    quarantined it immediately. You are obviously using the wrong and an inferior AV program.
    bjbrock
  • How come...

    Windows?
    This never happens with Linux. ;)
    D T Schmitz
    • (nt) Because no one uses Linux

      ;)
      toadlife
    • Exactly. Viruses are WINDOWS viruses

      Instead of saying "Viruses", could ALL the ZDNet bloggers please start describing them as "Windows Viruses" - a more accurate description.

      If you want to use Windows, that's great. Seriously. But NEVER, EVER let it go online. Surf on Linux. You might hate Linux because you feel Linux users are too religious. But you will admit (simply because it's true) that the safest surfing is on Linux as a user. Even for a novice, Linux surfing is bullet-proof - as long as you don't answer a phishing e-mail. But that's not the fault of the OS.
      Don Collins
      • As nice as that would be..

        ..I don't know many people who care enough to do that. Plus how do you intend for them to use Linux, dual boot? Emulate their copy of Windows? The general public don't care. The mention of anything computer related is always followed by the "Aw man", but they're good at complaining once they get a virus.

        I am not sure how this Storm Worm works, I really hope it doesn't require user interaction (to where they actually have to unzip and enter the password), if that's the case then lord they deserve it. But back to the point. People are lazy, they don't like work when they're off work (go figure). So it's hard to spread the movement, but I am proud to say I am on the wave. I love Linux.
        Brandon Dixon
  • it all goes back to its operator, dummy

    An OS, any OS, is only as secure as the person operating it. I love how people whine and cry and say "Windows is crap, I got a virus.."

    But you ask them.... Do you have your anti-virus definitions up to date? No... When was the last time Windows was updated? I don't know, I turned off auto updates because my friend said it would mess up my computer....

    What kind of websites do you go to? I like going to free software sites or porn sites or crack sites...

    When you get emails and they have an attachment, do you open it or download it and then open it? Sometimes.

    And then I say, there ya go, it's not Windows, it's the moron running it.
    SO.CAL Guy
    • Hey So. Cal guy.....

      Glad to hear about ZA! I commented last week on the difference between a moron and an idiot? A moron is someone who is born with a problem and can't help him/herself. Whereas an idiot is someone who does the same thing over and over and expects a different outcome! I like to call 'em: ID10Terrors!
      fredfarkwater@...
  • ZoneAlarm Internet Security Suite caught it. NT

    NT
    SO.CAL Guy