Network News

X My Profile
View More Activity

Security Software Suites No Match for Custom Attacks

The all-in-one security software suites from the major anti-virus vendors fail spectacularly at detecting custom-made malware that exploits the latest software vulnerabilities, according to testing done by security analysis firm Secunia.

Secunia tested how well nearly a dozen security suites fared against malicious files and direct attacks that leveraged more than 150 known software flaws. All of the vulnerabilities used in the test are publicly documented -- details of them can be found in the Common Vulnerabilities and Exposures (CVE) database -- and most of the vulnerabilities can be fixed by applying a software update currently available from the program's maker.

Secunia says that out of the 300 test cases, 126 are particularly important because they affect very popular products and have either been discovered as zero-day threats or Secunia has developed working exploits. Secunia CTO Thomas Kristensen said all of the vulnerabilities used in the test merit a moderate security rating or higher, meaning they can be used to remotely install software on the victim's PC, with little or no help from the user aside from opening or viewing the malicious file.

The company found that nearly all of the security suites -- including those from McAfee, F-Secure, Microsoft and TrendMicro -- detected between just 1 percent and 3 percent of the attacks. Symantec's Norton Internet Security 2009, dramatically outperformed the rest, detecting more than 20 percent of all threats and more than 30 percent of the most dangerous threats, according to the results.

Still, that means in at least 7 out of 10 cases, the bad guys using a targeted exploit will slip past Norton's defenses. That also suggests that the other products detect roughly 3 percent of targeted attacks.

At any rate, readers can find a detailed breakdown of Secunia's test results and interesting methodology here (PDF).

I emphasize the word "targeted" because most anti-virus products are still reactive, in that they focus on protecting customers by figuring out what people are getting attacked by and then creating custom "signatures" to detect that specific threat going forward. While most anti-virus companies claim to have incorporated technology capable of detecting programs that exhibit suspicious behavior or that attack specific software vulnerabilities, it appears that Symantec is alone in making significant strides in this respect, at least as it relates to the latest, known vulnerabilities in widely-used software.

Secunia's study is useful, but it ignores the unfortunate reality of today's threats, which rely not on software vulnerabilities but mainly on tricking people into installing software. Interestingly, Symantec itself documents this fact in its Internet Security Threat Report, which found that in the second half of 2007, only 10 percent of the new malicious code threats affecting consumers used software flaws.

At the very least, Secunia's study is a stark reminder that having security software installed is no substitute for keeping the rest of the software you use up-to-date with the latest security patches. On this front, I've recommended Secunia's vulnerability scanners, which work either through the company's Web site or a free, installable program. Some readers have said they refuse to use Secunia's scanners because they require users to have Java installed, a program that needs frequent security updates itself and clutters the user's system with old, outdated versions of itself. My take on it is that 90 percent of the planet already has Java installed. What's more, anything that raises the average user's awareness on the need for regular patching is overall a good thing, Sun's clumsiness with its Java software notwithstanding.

Incidentally, if you're looking to see how well the products named in this study detect the latest threats that are actually in circulation, check out the stats released in September by AV-test.org(Microsoft Excel file). The group's battery of tests also examined how the software suites fared in terms of system memory usage, proactive malware detection, false positive rates and on-demand scanner performance.

By Brian Krebs  |  October 13, 2008; 4:44 PM ET
Categories:  Latest Warnings , New Patches , Safety Tips  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Microsoft Stock Price Routinely Dinged by Security Patches
Next: Microsoft's Patch Tuesday Includes New Rating Index

Comments

What's the most common method for targeted malware to be put into individual computers? Spam? Drive by from infected websites? Dedicated deceptive websites? Others?

Posted by: Kfritz | October 13, 2008 9:00 PM | Report abuse

Are we to therefore conclude that both BitDefender and Kaspersky did well in these test, i.e., did better than Norton Internet Security 2009?

Posted by: brucerealtor | October 13, 2008 9:15 PM | Report abuse

This points out the need for a multi-layered defense (defense in depth). Relying on just one layer such as security software is foolish. When that one layer is compromised, game over.

Instead, in a multi-layered defense, a system compromise may be averted by another layer.

Typical layers of defense:
1. Hardware firewall - protects the system(s) from external intrusion should the software firewall need to be turned off or is inactive for any reason. Also, is much more difficult to hack past than a software firewall alone.
2. Software firewall - protects the system when used outside the confines of the hardware firewall and provides outbound filtering and possible indication of malicious system activity.
3. Non-admin account - prevents system wide changes or software installation whether intentional or not (including malicious code should it get past other defenses).
4. Patch all software - prevents system compromise via bugs (especially important for Internet facing software such as browsers, e-mail clients and media players).
5. Limit amount of software installed on a system - lowers system attack surface and reduces patching.
6. Backup data on a regular basis - protects data in the event of system compromise resulting in data loss.
7. Blocking hosts file - blocks access to known malicious websites.

And finally,

8. The human layer (computer user) as they can override all the other layers.

Posted by: TJ | October 13, 2008 10:03 PM | Report abuse

TJ

Thank you for that very useful list.

For those of us who do not leave our systems on 24/7 [like that 'standby' option on XP, which I presume Vista also has] what is the advantage of a hardware firewall?

Some years back a friend of mine explained a hardware firewall by using the analogy to an incoming phone call, where the 'firewall' in effect 'takes a message' and then calls the supposed originating number back before allowing a call to connect, whereby IF the incoming call says its coming from number 202-123-4567, but when that number is called back and 'not at a working 202 exchange, the bogus communication from a phoney incoming number is prevented. We will ignore, for the purpose of this example, the ability to manipulate the number appearing on a caller ID device.

Posted by: BRUCEREALTOR | October 14, 2008 1:36 AM | Report abuse

I skimmed the 6-page PDF, and it seems that the "malware" that most of the suites failed to detect is actually in-house Proof-of-Concept malware code provided by Secunia, not actual "in the wild" malware. Testing anti-malware software against academic code isn't a real-world test IMHO.

Posted by: Angus S-F | October 14, 2008 1:46 AM | Report abuse

"what is the advantage of a hardware firewall?"

Think of it as a fence around a fort protecting every building. Whereas a software firewall would protect only a single building assuming it's turned on (doors and windows locked). Even if you have only one building, it still provides another layer of protection, in particular if for some reason the doors or windows are left unlocked as would happen when you’re either installing a fresh copy of your operating system or troubleshooting a problem that requires disabling your software firewall. At least then, the hardware firewall would still protect your system from the outside world.

This provides more info:
http://www.webopedia.com/DidYouKnow/Hardware_Software/2004/firewall_types.asp

Posted by: TJ | October 14, 2008 12:30 PM | Report abuse

TJ

Thanks

I guess my question is that if my machine is for whatever reason not online, that seems certainly as effective as a hardware firewall, right.

I clicked on your link and thought I had hit gold under 'online' firewall testing services.

Alas, the definition of 'online' appeared. LOL

Posted by: brucerealtor | October 15, 2008 4:07 AM | Report abuse

kfritz - most common medium for malware attack are from "botnets". botnets are hoards of zombie computers (computers already at the mercy of malware) that push out all forms of spam, including phishing and other tactics. Another common one now is embedding malicious code within legitimate ads on otherwise legitimate websites. Can't trust anything these days can ya?

Posted by: Jay | October 15, 2008 10:49 AM | Report abuse

TJ, let's not forget Network Intrusion Prevention Systems (NIPS) and Host Intrusion Prevention Systems (HIPS) in our layered defense model.

Posted by: Intrusion Prevention | October 15, 2008 11:27 AM | Report abuse

indeed latest security seems failing their
test to fight against malware.
AS compared to other anti virus gaints norton was
much upto to the mark but still not 100 %..
i think still antivirus companies need to
get through it
and a warning alarm from virus world..


regards..

Posted by: http://www.eradicatespyware.net/blog | October 16, 2008 5:11 AM | Report abuse

indeed latest security seems failing their
test to fight against malware.
AS compared to other anti virus gaints norton was
much upto to the mark but still not 100 %..
i think still antivirus companies need to
get through it
and a warning alarm from virus world..


regards..

Posted by: http://www.eradicatespyware.net/blog | October 16, 2008 5:13 AM | Report abuse

Hi!

There are three things that Secunia is highlighted:
1. All the anti-viruses are sucks.
2. Patch management is critical.
3. Use HIPS solutions instead of anti-viruses, this will allow you to significantly low down consequences in case of vulnerability exploitation. Sandboxes are the most effective here.

Posted by: Ilya Rabinovich | October 17, 2008 7:51 AM | Report abuse

Network Intrusion Prevention Systems (NIPS) and Host Intrusion Prevention Systems (HIPS) are important, but are designed primarily for business/corporate networks and not easily setup or even applicable for home users.

The list of layered defenses I posted were geared more toward home users although just as applicable to business. The point is: DON'T rely on just one defense such as security software.

Posted by: TJ | October 17, 2008 9:52 AM | Report abuse

@brucerealtor

Check out Shields Up for testing your firewall at https://www.grc.com/x/ne.dll?bh0bkyd2

I prefer Shields Up because it does not require installing any software such as ActiveX controls.

Also, turning off your computer is something of a defense, but it's much more important what defenses you have when it's on as that's when you are most at risk. Since I use a hardware and software firewall, I leave my system on most of the time to allow it to automatically download the latest Antivirus updates, which by the way it another VERY important layer of protection. Leaving the system on also allows it to self optimize and it's most convenient as I use it frequently (don't have to wait for it to boot up). Of course, I use power save features to turn off the display and hard drive.

Posted by: TJ | October 17, 2008 10:11 AM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company