There’s been some media interest in an alert from WebSense about something they call Nine Ball (he, said, trying to keep his sense of humour in check). It has some pretty interesting characteristics. I’d like to pick up, though, one point that the reports I’ve seen have rather overstated.
This industry is divided on whether detection purely on packer signature is a good idea. Some vendors flag almost all packed malware as malicious, packed or suspicious: this is because malware distributors use packers, obfuscators and protectors to make it more difficult for security software to recognize code that would otherwise be identified as known malicious code.
The problem is that a fair number of developers use the same tools (in some cases tools specifically developed for malicious purposes) to protect legitimate applications from disassembly and so on, as a Digital Rights Management (DRM) strategy. Well, that’s what they tell us. For this reason, some vendors don’t automatically detect packed apps as malicious, for the benefit of those to whom avoiding false positives may be as important as high detection rates. (Strangely enough, some organizations find FPs a very signific;ant problem. Of course, all companies do if an innocent and widely used file such as a Windows system file is misidentified as malicious.)
Note, however, that high detection rates and low false positive rates aren’t mutually incompatible. Products that don’t generally detect packers as automatically malicious (we don’t, with some exceptions) may well detect packed code anyway, using custom unpackers and other techniques such as emulation. So where’s the problem with VirusTotal? Well actually, the problem isn’t with VirusTotal (or rather with Hispasec, who provide the free VirusTotal service), but with the way that it’s used.