I was at a government agency recently doing an online audit of a portion of their network, almost 655 PCs. They had quite a few security measures in place, including up-to-date resident software, multiple firewalls, limited user privileges, and regular anti-spyware scans with a program specialized for that purpose.
Needless to say, they were pretty shocked when I found keyloggers, screenloggers, a rootkit and downloader Trojans. They were also saturated with high-danger-level adware that left their network vulnerable to additional malware downloads. Almost 100 of the 655 workstations scanned were infected.
While I was there doing the malware audit, they were hit by a massive spam attack. The email offered a free Microsoft product download. About a quarter of their 6000 PCs received the spam. Some of the users on the network were savvy enough to think “maybe this is suspicious” and reported it to their help desk, but, unfortunately, over a dozen employees did click on the links to find out what great deal they could get.
The resident antivirus software installed on the network workstations did not detect that a Trojan was embedded behind a link in the email. The Trojan is one that is known to download additional malware, often a keylogger.
The IT security professionals responsible for this government agency network were concerned that the spam was an attack targeted at their state government, so I sent the information to PandaLabs to check it out. It turned out that the Trojan was part of a general, untargeted campaign, and that it had actually been a known malicious code since 2004 but was not included in the signature files of their resident antivirus software.
You might wonder, like they did, how could a major antivirus software package miss this kind of malicious code?
In several ways.
Every antivirus software program has a limit on how large a signature file it can handle. It’s in the architectural design of the application. Sometimes older signatures have to be purged to make room for newer signatures.
Also, due to the vast volume of malicious code that’s in the wild now (PandaLabs receives more than 3000 unique suspicious samples every day), many antivirus labs are overwhelmed and simply do not have the manpower to process and create vaccines for all the variations. The result is that a definite percentage of malware never gets analyzed, and no vaccines are created to detect or disinfect it.
Current certification programs for antivirus software test the effectiveness of the software against a “wild list” of known viruses. The testing is rigorous; however, the certification requires only that the software be able to detect and clean several hundred thousand virus samples (usually between 200,000 and 300,000). As a comparison, the collective intelligence at PandaLabs holds over 1.5 million virus signatures.
Welcome to the real world! Are you really protected? Perhaps not.