Blog for hpHosts, and whatever else I feel like writing about ....

Thursday, 18 June 2009

Nine Ball: Juggling with VirusTotal

There’s been some media interest in an alert from WebSense about something they call Nine Ball (he said, trying to keep his sense of humour in check). It has some pretty interesting characteristics. I’d like to pick up, though, one point that the reports I’ve seen have rather overstated.

WebSense mentioned that vendor detection is low on a Trojan Loader and a malicious PDF. This is true, or was at one point in time, in the sense that a PDF sample submitted to VirusTotal resulted in a report indicating that only three vendors identified it as malicious. Well, actually, even that isn’t quite accurate: two of those hits seem to be generic packer/JavaScript detections rather than identification of the file as malicious in its own right. (Similarly, most of the Trojan Downloader detections are generic, and one simply says "suspicious".)

This industry is divided on whether detection purely on packer signature is a good idea. Some vendors flag almost all packed files as malicious, packed or suspicious: this is because malware distributors use packers, obfuscators and protectors to make it more difficult for security software to recognize code that would otherwise be identified as known malicious code.

The problem is that a fair number of developers use the same tools (in some cases tools specifically developed for malicious purposes) to protect legitimate applications from disassembly and so on, as a Digital Rights Management (DRM) strategy. Well, that’s what they tell us. For this reason, some vendors don’t automatically detect packed apps as malicious, for the benefit of those to whom avoiding false positives may be as important as high detection rates. (Strangely enough, some organizations find FPs a very significant problem. Of course, all companies do if an innocent and widely used file such as a Windows system file is misidentified as malicious.)

Note, however, that high detection rates and low false positive rates aren’t mutually incompatible. Products that don’t generally detect packers as automatically malicious (we don’t, with some exceptions) may well detect packed code anyway, using custom unpackers and other techniques such as emulation. So where’s the problem with VirusTotal? Well, actually, the problem isn’t with VirusTotal (or rather with Hispasec, who provide the free VirusTotal service), but with the way that it’s used.
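To make the counting point concrete, here is an added example of my own (not code from the post, from WebSense or from VirusTotal): it takes a constructed VirusTotal-style result table, with invented engine names and labels, and separates packer/heuristic verdicts from detections that name a specific threat before reporting a "detection count".

```python
import re

# Constructed VirusTotal-style report: engine name -> detection label (None = no detection).
# Engine names and labels are invented for illustration; they are not the Nine Ball results.
SAMPLE_REPORT = {
    "EngineA": "Packed.Generic",          # packer signature only
    "EngineB": "JS/Obfuscated.gen",       # generic obfuscated-JavaScript verdict
    "EngineC": "PDF/Exploit.SomeFamily",  # names a specific threat
    "EngineD": None,
    "EngineE": None,
    "EngineF": None,
}

# Label fragments that indicate a packer, obfuscation or heuristic verdict
# rather than identification of the file as a specific known threat.
GENERIC_MARKERS = re.compile(r"packed|obfuscat|generic|heur|\.gen\b|suspicious", re.IGNORECASE)


def classify(label):
    """Bucket one engine's verdict as 'clean', 'generic' (packer/heuristic) or 'specific'."""
    if not label:
        return "clean"
    if GENERIC_MARKERS.search(label):
        return "generic"
    return "specific"


def summarise(report):
    """Return the raw hit count alongside a breakdown, so that 'N engines flagged it'
    is not read as 'N vendors identified the file as malicious in its own right'."""
    buckets = {"clean": [], "generic": [], "specific": []}
    for engine, label in report.items():
        buckets[classify(label)].append(engine)
    return {
        "engines": len(report),
        "raw_hits": len(buckets["generic"]) + len(buckets["specific"]),
        "generic_hits": len(buckets["generic"]),
        "specific_hits": len(buckets["specific"]),
        "generic_engines": sorted(buckets["generic"]),
        "specific_engines": sorted(buckets["specific"]),
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_REPORT)
    print(f"{s['raw_hits']}/{s['engines']} engines flagged the sample, "
          f"but only {s['specific_hits']} named a specific threat")
```

The marker list is a heuristic over label text; it is only as good as the naming conventions of the engines in the report.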

Additional references:
