
Detecting New Threats? Time Is Important!



In this connected world, time is of the essence. The bad guys are counting on releasing their malicious programs and infecting machines before security companies have time to analyze those samples and provide detection signatures to block the threat.

Although antivirus companies have evolved their technologies and can now provide proactive heuristic detections (essentially this means being able to detect new malware without having seen it before), cyber criminals thwart these by first testing their creations against each major security vendor to make sure they aren’t detected. If they are, they simply alter their code enough to bypass detection, at least temporarily. So much for all these fancy algorithmic engines…

This is an arms race and the bad guys always have the head start. If they can infect a few thousand computers in a couple of hours before getting detected, they have achieved their goal. And even in the case of the antivirus software later detecting the threat, it is already too late as many pieces of malware disable the security products installed on a machine, therefore rendering them useless.


Case in point, checking your email is something people do quite regularly. Chances are you will open an email within a few hours of it being received. This is exactly what the bad guys are counting on.

Here is an example of a recent phishing scam for UPS:


This is a classic case of printing an invoice or checking documents you have scanned. The file attached is compressed as a ZIP file (almost no email program out there ever lets you attach executable files directly anymore). As you can see, this email has made it to my inbox without being blocked at all by regular anti-spam filters.

The second layer of security is an actual scan of the attachment by one of the leading antivirus products on the market, which by the way I am not picking on at all (as you will later see):


This scan was performed a few hours after the email was received and unfortunately the attachment was not detected as malicious. I wish there were still some sort of notice letting the user know that even though the file appeared to be clean, you should still apply caution before opening it.

As said above, this is not about pointing the finger at one AV product in particular. In fact, right at the same time, most vendors were totally blind to this threat.

One may wonder why security vendors fail so miserably at detecting new threats in a timely fashion. Well, as stated above, despite smart detection engines capable of detecting never-before-seen threats, the bad guys still test their malware and tweak it until it evades detection. This battle has been fought for years and always lost.

So if technology is not the answer, then what is? It is the ability to counter a threat within minutes of its release. Sure the bad guys can bypass your engine detection but they can’t do anything about you being extremely reactive and agile. The idea is simple:

Sample is released in the wild -> Sample is caught, analyzed and blocked within minutes -> end user wakes up to check their email -> sample is blocked.

Although this sounds simple in principle, it actually is hard to implement, especially for larger security companies. For starters, AV companies are flooded with new malware samples every day. How do you know which ones to prioritize? Or are they all equally as important? Secondly, companies have to go through so many processes before they can release an update to their customer base. This includes various testing cycles that at the end of the day delay the time sensitive release of a new malware definition.

Although those Quality Assurance tests are important, they need to be streamlined. Some large AV companies are conservative (and for good reason!) before they release an update. And yet, it has not prevented ‘accidents’ such as major false positives which always make big headlines and ridicule your company. In large part, such incidents happen because everything is so automated and people learn to trust these automated processes to be flawless (or at least less error prone than humans). While this is true, the human factor should not be taken out of the equation. In almost all cases of a major false positive (such as an AV engine detecting itself) it would have been spotted easily by a human tester.

Article by: Jerome Segura - Malwarebytes Company News

My comment: I use the free version of Malwarebytes (no real-time protection or automatic updates with the free version) as an additional on-demand scanning engine/malware remover. That said, even if you use the free version of Immunet, not only are you getting active heuristic detection (ETHOS) that can thwart as yet unseen malware, but you also have the protection of the "Immunet Cloud" on your side. That means once a genuine threat is recognized you will not have to wait hours or even days to be protected from this new threat as with traditional signature-based antivirus programs. Rather, the threat is neutralized in almost real time! If the ClamAV module is enabled you get the benefit of off-line scanning capabilities and an additional detection engine using the ClamAV team's vast signature-based malware definition database. Also, with Immunet Plus you get the benefit of complex root-kit detection (TETRA) and email attachment scanning. Plus or Free, this makes Immunet a great real-time detection tool to have in your antimalware arsenal!

I'm also currently beta testing a brand new app called ExploitShield Browser Edition 0.7 beta by ZeroVulnerabilityLabs http://www.zerovulne...rowser-edition/ which, according to the creators and as the name implies, will protect you from Zero Day Vulnerabilities. http://en.wikipedia....Zero_day_attack Something even the best antivirus products have difficulty in detecting & reacting to. It's still in beta so some minor bugs have already been reported and need to be ironed out as of this writing. I would not urge any inexperienced computer user to download and try any beta software as unexpected behavior or complications can occur.

Regards, Ritchie...


Hi ritchie58,


I read what you told us and I agree with you, that's completely true.

I am "spywar" from Comodo's forum and part of the Malware Research Group.

If I reply here, this is because I have been using Comodo Internet Security since it started with an AV component (2008/9...) and I really like how they work to keep their users safe (since v4, and improved a lot in v5 because of the cloud).

Default Deny System ... Really simple, do not allow what is not trusted by Comodo ;)

Every unknown app is sandboxed and analyzed online by CAMAS to have a quick response and block "zero-day" threats, and they are then submitted to Comodo AV analysts ... If they are found safe after analysis they add the SHA-1 of the submitted file to the global whitelist which is cloud based, and vice versa if it is found to be malware. Imagine one day Comodo's servers are down and users are not up to date against the latest threats .. This is not a problem: D+ with its components comes into action to continue and keep them safe.

I have followed Immunet since it started; it is on the right track IMO, it differs from others ... I do not know what their plans are for V4 as we are not very far from it, but it would be very great to have a sandbox! Simple: Immunet detects a "suspicious" app, it launches it inside the sandbox and the cloud does its job ... If found to be malware then all users are protected. Maybe they have other plans but anyway I continue my support for this software as it is very powerful. Personally, I don't use it (CIS is enough) but I know many French people using it alongside their own AV. A really good combination would be (Comodo Firewall V6 + Immunet).


Best wishes,
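The default-deny flow spywar describes above (hash the file, ask the cloud, treat anything unknown as untrusted, and keep protecting when the servers are down), as an added Python example that is not part of this thread and not any vendor's code; the ReputationCloud class is a constructed stand-in, not a real API.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"      # hash is on the cloud whitelist
    BLOCK = "block"      # hash is on the cloud malware list
    SANDBOX = "sandbox"  # unknown, or cloud unreachable: run restricted


class CloudUnreachable(Exception):
    """Raised by the stand-in service when the servers are down."""


class ReputationCloud:
    """Constructed stand-in for a cloud hash-reputation service (not a real API)."""

    def __init__(self, whitelist, blacklist, online=True):
        self.whitelist, self.blacklist, self.online = set(whitelist), set(blacklist), online

    def lookup(self, digest):
        if not self.online:
            raise CloudUnreachable()
        if digest in self.blacklist:
            return Verdict.BLOCK
        return Verdict.ALLOW if digest in self.whitelist else Verdict.SANDBOX


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


class DefaultDenyGate:
    """Decides what happens to a file before it runs: BLOCK beats everything,
    a cached verdict covers the offline case, and anything still unknown is
    sandboxed rather than allowed (fail closed)."""

    def __init__(self, cloud):
        self.cloud = cloud
        self.cache = {}  # digest -> last definitive verdict the cloud gave

    def decide(self, data: bytes) -> Verdict:
        digest = sha1_hex(data)
        try:
            verdict = self.cloud.lookup(digest)
        except CloudUnreachable:
            # Offline: honour what we already know, never promote unknown to ALLOW.
            return self.cache.get(digest, Verdict.SANDBOX)
        if verdict is not Verdict.SANDBOX:
            self.cache[digest] = verdict  # remember definitive verdicts only
        return verdict
```

The point of the cache is the offline case: a file the cloud has already called malware stays blocked with the servers down, while a never-seen file is sandboxed, never silently allowed.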



Hi spywar, I do use Comodo Internet Security (Firewall & Defense+ only). I too like the H.I.P.S.-like features of Defense+ as an added layer of protection. Generally it works quite well at analyzing unseen apps and blocking or sandboxing them if Comodo research hasn't yet approved them as safe. There are false positives sometimes of course which can make installing new software difficult at times.

For instance, I run Immunet Free alongside Panda Cloud Pro (been using Panda Cloud since the first public beta was introduced) and there seems to be a serious conflict with Panda's bootstrapper installers. I found out the hard way that in order to update Panda to a new version I first must completely disable not only Defense+ but the firewall as well. The conflict occurs when Defense+ starts sandboxing the RarSFX installer files and the firewall continuously throws up allow popups which also interferes with the install process. I also have run into problems updating Adobe Flash Player with Comodo. These conflicts are "rare" however and I wouldn't think of permanently disabling the D+ feature because of that. I have contacted Comodo Support about these installer issues.

As far as Immunet adding a sandboxing feature as well? That is an interesting idea as that would give Immunet users an additional layer of protection against zero day threats! As long as it didn't decrease system performance to any unwelcome degree that would be ok with me. The ExploitShield Browser Edition app looks quite promising as well! The browser edition will be freeware and there will be a paid business edition with more features too once it's out of beta testing.

Regards, Ritchie...
