Malware evolving too fast for antivirus apps

IDG News Service - If you think that the latest security suites afford complete protection against malware attacks, think again. Today's for-profit malware pushers use dedicated test labs and other increasingly professional techniques to improve their chances of infecting your computer. And the techniques they employ to outpace security software makers appear to be working.

Make no mistake -- a good security program can go a long way toward keeping you in control of your system. But PC World's recent tests of security suites found that new malware easily evaded the applications. In our tests of how well security software blocks unknown malicious programs, the best performer detected only one in four new malware samples. In contrast, February 2007 results from similar heuristics testing showed that the best utilities caught about half of new samples.

Window of opportunity open

"In this industry, unlike others, we have an antagonist we have to deal with, someone we're constantly battling back and forth with," says Hiep Dang, director of antimalware research with McAfee's Avert Labs. "The bad guys have the element of surprise."

Even just a 12-hour head start can translate into thousands of infected PCs, and malware authors have long tested their programs against antivirus applications to make sure they get that critical jump on the opposition. VirusTotal.com and similar Web sites, which allow security researchers and consumers to submit a questionable file and have it scanned by more than 30 different antivirus engines, have unfortunately made the testing easier for malware writers: Crooks can continue to tweak their new malware projects until VirusTotal or one of the other new multilanguage sites shows that the rogue application can slip past the majority of antivirus programs.

Good vs. evil?

Bad guys' use of sites such as VirusTotal can have a hidden benefit. After online thugs submit a sample, VirusTotal can sometimes share it with security companies, which can then update their programs to block the new malware. But the site permits users to opt out of having their samples submitted to antivirus vendors. VirusTotal says it offers the option so that people can scan sensitive files at the site without having them broadcast to companies.

Some well-organized criminal groups go a step farther and "maintain their own antivirus setups, almost like their own VirusTotal," according to Don Jackson, senior security researcher with the security services firm SecureWorks.

Keep your guard up

Jackson says the opportunities for prerelease testing make for harder-to-catch malware--and underscore why smart PC users should never assume that their machines are immune to attack. For example, almost every day, SecureWorks sees new variants of the PRG Trojan horse made with a particular kit. And when the new versions first appear, usually only 25 percent of antivirus scanners detect them, he says.