Wednesday, September 27, 2017

It's time for a new emphasis on testing styles, kids.

So, anyway, I've been looking at a particular piece of malware for the last four or five days, and I've noticed something interesting. They change it _every_ day. It's not server-side polymorphism, but they deliberately change it every day. It still does about the same thing, which is to take you to some place to try to get you to install a fake Flash player, or tell you that your computer has a virus and you must call this 800 number immediately, etc. Nothing fancy. The first time I search its MD5 on VirusTotal, I get ten or twelve detections. I tend to do that late in the day, and I suspect that if I checked when it was first released, I'd get even fewer detections. The next day, if I search the same MD5, I get twenty to twenty-five detections, and the day after that, forty or forty-five detections. This makes sense, as it is a natural consequence of samples being shared among vendors, but, guess what? That sample doesn't exist any more, but every day there is a new one, with low detections, doing the same thing. Oh, and with just a little looking around, I found a different sample doing the same thing. This probably means there are lots more.

Put another way, when you have something of the order of a million new and unique samples each day, there are probably lots of samples being missed by signature scanners, some because of deliberate tricky stuff, and others just because of the sheer numbers. Given a few days, or a couple of weeks, most will be added, but in the meantime the world is exposed, and if the malware is a worm, or nation-state stuff, you don't want to be missing these things. The good news is that all antimalware products have multiple ways of detecting bad things aside from signature scanners, but someone has to test them, to see how effective, or otherwise, they are.

What I propose to do is to find new, or poorly detected, malware and test it by executing it against products, and see if it is caught... or not. To start with, I just have half a dozen of the main products, and not many brand new samples, but I expect both will grow. Watch this space.
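The selection step behind that proposal, as an added example that is not the author's own tooling: the detection counts below are constructed to mirror the pattern described in the post (about a dozen hits on the first day, twice that the next, and forty-odd the day after), not real VirusTotal data, and the 25% threshold and 60-engine total are assumptions. The script turns a per-day detection history into a shortlist of samples that were poorly detected when first seen, which are the ones worth running against products' non-signature layers.

```python
import hashlib
from collections import defaultdict

# Constructed detection history: (sample_md5, day_index, detections, engines_total).
# Values are made up to follow the trend described in the post; they are not real
# VirusTotal results, and the 60-engine total is an assumption.
SCAN_HISTORY = [
    ("a" * 32, 0, 11, 60), ("a" * 32, 1, 23, 60), ("a" * 32, 2, 42, 60),  # low on day 0, climbs
    ("b" * 32, 0, 55, 60), ("b" * 32, 1, 57, 60),                          # well detected from the start
    ("c" * 32, 0, 4, 60),                                                  # brand new, barely detected
]


def md5_of_bytes(data: bytes) -> str:
    """Hash a sample's bytes the same way the post looks it up (by MD5)."""
    return hashlib.md5(data).hexdigest()


def detection_timeline(history):
    """Group records by sample into a sorted list of (day, detection_ratio)."""
    by_sample = defaultdict(list)
    for md5, day, hits, total in history:
        by_sample[md5].append((day, hits / total))
    return {md5: sorted(points) for md5, points in by_sample.items()}


def poorly_detected(history, threshold=0.25):
    """Samples whose first-seen detection ratio is below threshold.

    These are the candidates for behavioural testing: the signature layer has
    not caught up yet, so the other detection layers are what protects a user.
    """
    timeline = detection_timeline(history)
    return sorted(md5 for md5, points in timeline.items() if points[0][1] < threshold)


def daily_growth(history, md5):
    """Day-over-day change in detection ratio for one sample (vendor sharing shows up here)."""
    points = detection_timeline(history)[md5]
    return [round(later[1] - earlier[1], 3) for earlier, later in zip(points, points[1:])]


if __name__ == "__main__":
    for md5 in poorly_detected(SCAN_HISTORY):
        print(md5, "first-seen ratio below threshold; growth:", daily_growth(SCAN_HISTORY, md5))
```

Feeding it real lookups would mean replacing `SCAN_HISTORY` with whatever your scanner or VirusTotal client returns per day; the shortlist logic itself does not depend on the source.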
