File scanning – a game of hide and seek?

QA (quality assurance) is a critical step in the creation of new software. It tests the code to ensure that it does what it is supposed to do. For the creators of malware, one of their critical QA steps is to test their code against the leading security products, to see whether it can go 'undetected' and therefore succeed in being executed on the target system. Brian Krebs, in his blog, has brought to our attention a new underground service that lets malware writers check their work. There are already a few legitimate file-scanning services that have been in operation for some time. They allow users to upload a suspicious file and scan it against dozens of commercial anti-virus engines. If a scan generates any virus alerts or red flags, the report produced by the scan, together with the file itself, is shared with all of the participating anti-virus makers, so that those vendors can incorporate detection for the newly discovered malware into their products.

What Brian Krebs has reported on is a new generation of file-scanning services that do not share their results, or the malware samples, with the anti-virus community. Malware authors have to pay for this service, but it allows them to quickly test and check their software against the leading security products while the results of those tests, and the files themselves, remain hidden. It would appear that offering a service such as this hands the advantage to the malware creators. Or does it?

The ability of malware authors to test their files against security products has always been a dynamic in our industry. Every time we bring out a new release of our products, they move quickly to test and assess what it means for their software, and in this regard they would always appear to have an advantage. However, we have always been aware that what the malware authors want to do is, in effect, 'fly below the radar' of detection: they want to go unnoticed and undetected. The best way to do this is to control and limit the number and distribution of their files or binaries, so as not to attract the attention of the security community. That is precisely why the legitimate file-scanning services have been a problem for them: once a file is submitted to one of those services, it becomes known to the whole security community. This is where reputation-based security technology really comes into its own.

With this approach, we look at all new files and binaries, and when we find a new file we assess its reputation, based on signals such as how widely it is distributed and how recently it appeared, to understand whether it is to be trusted or not. In doing so, reputation-based security turns the anonymity and relatively low distribution of a file, the very things the malware authors rely on, against them. It is a very powerful approach and an effective defence. We implemented reputation-based security in the Norton 2010 products, and we also created a video that explains how it all works. Hence, whilst the arrival of this new generation of malicious file-scanning services is bothersome, it does not necessarily cede the advantage to the malware authors.
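To make the "low distribution works against you" argument concrete, here is an added, illustrative reputation scorer. It is example code written for this post, not Norton's or Symantec's implementation, and the scoring thresholds, the `TRUSTED_SIGNERS` allow-list and the telemetry it ingests are all constructed assumptions. It models the three signals a reputation engine can derive purely from seeing files on endpoints: how many machines have a given hash, how long ago it was first seen, and whether it carries a trusted signature. A brand-new, unsigned binary that exists on only a couple of machines scores worst, which is exactly the profile of a sample whose author has kept it off the public scanners.

```python
"""
Toy file-reputation engine (added example; not Norton's or Symantec's code).
Scores a file hash on prevalence, age and publisher trust so that a new,
rarely seen, unsigned binary is the one that gets distrusted.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Set
import hashlib

# Fixed "current time" so the example is deterministic (constructed).
NOW = datetime(2010, 6, 1, 12, 0, 0)

# Hypothetical publisher allow-list. A real engine would validate the code-signing
# chain rather than trust a bare name string.
TRUSTED_SIGNERS = {"Example Corp"}


@dataclass
class Sighting:
    """One telemetry report: a machine has seen a file with this hash."""
    sha256: str
    machine_id: str
    seen_at: datetime
    signer: Optional[str] = None  # publisher name from the signature, if signed


@dataclass
class FileRecord:
    """Everything the engine has learned about one hash across all machines."""
    sha256: str
    machines: Set[str] = field(default_factory=set)
    first_seen: Optional[datetime] = None
    signers: Set[str] = field(default_factory=set)


class ReputationEngine:
    def __init__(self, now: datetime = NOW) -> None:
        self.now = now
        self.files: Dict[str, FileRecord] = {}

    def ingest(self, s: Sighting) -> None:
        """Fold a sighting into the per-hash record (prevalence, age, signers)."""
        rec = self.files.setdefault(s.sha256, FileRecord(s.sha256))
        rec.machines.add(s.machine_id)
        if rec.first_seen is None or s.seen_at < rec.first_seen:
            rec.first_seen = s.seen_at
        if s.signer:
            rec.signers.add(s.signer)

    def score(self, sha256: str) -> Optional[int]:
        """Additive score; None if the hash has never been reported."""
        rec = self.files.get(sha256)
        if rec is None or rec.first_seen is None:
            return None
        score = 0
        # Prevalence: wide distribution is evidence of legitimacy; near-zero
        # distribution is the profile of a sample kept deliberately scarce.
        n = len(rec.machines)
        if n >= 1000:
            score += 3
        elif n >= 50:
            score += 1
        elif n < 5:
            score -= 2
        # Age: something that has been around for a month without incident is
        # safer than something that appeared within the last day.
        age = self.now - rec.first_seen
        if age >= timedelta(days=30):
            score += 2
        elif age < timedelta(days=1):
            score -= 2
        # Publisher: trusted signer helps, no signature at all hurts.
        if rec.signers & TRUSTED_SIGNERS:
            score += 3
        elif not rec.signers:
            score -= 1
        return score

    def verdict(self, sha256: str) -> str:
        s = self.score(sha256)
        if s is None:
            return "unknown"
        if s >= 3:
            return "trusted"
        if s <= -2:
            return "distrust"
        return "monitor"


# Constructed sample hashes (content is arbitrary; only the hash matters here).
POPULAR = hashlib.sha256(b"constructed: widely deployed signed utility").hexdigest()
MIDDLING = hashlib.sha256(b"constructed: unsigned tool on a few hundred hosts").hexdigest()
FRESH = hashlib.sha256(b"constructed: brand-new unsigned dropper").hexdigest()


def build_demo_engine() -> ReputationEngine:
    """Populate an engine with constructed telemetry for three files."""
    eng = ReputationEngine()
    # 1. Signed binary installed on 2000 machines, first seen 90 days ago.
    for i in range(2000):
        eng.ingest(Sighting(POPULAR, f"host-{i}",
                            NOW - timedelta(days=90 - (i % 60)), "Example Corp"))
    # 2. Unsigned file that showed up on 100 machines ten days ago.
    for i in range(100):
        eng.ingest(Sighting(MIDDLING, f"host-{i}", NOW - timedelta(days=10)))
    # 3. Unsigned file first seen an hour ago on two machines: the
    #    "fly below the radar" profile.
    for i in range(2):
        eng.ingest(Sighting(FRESH, f"host-{i}", NOW - timedelta(hours=1)))
    return eng


def demo() -> Dict[str, str]:
    eng = build_demo_engine()
    return {name: eng.verdict(h)
            for name, h in (("popular", POPULAR), ("middling", MIDDLING), ("fresh", FRESH))}


if __name__ == "__main__":
    print(demo())
```

The thresholds are deliberately simple so the mechanism is visible: the hash that never reached the public scanners still cannot hide from the engine, because the very scarcity its author worked to preserve is what drives its score below zero. A hash the engine has never seen at all is returned as `unknown` rather than silently trusted, which is the safe default for a first sighting.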
