Malware Knows Where You Hide the Door Key

A security flaw is too valuable a resource to exploit in just one way, according to a new malware report from a security product testing company.

Though NSS Labs doesn't phrase it this way in its study of malware behavior, malicious applets behave more like persistent burglars than like the neighbor's greedy, larcenous cat.

They don't just come up on the porch, check to see whether you remembered to seal the pet flap in the front door, and then move on to the next house on the block, in search of another pet's food to steal.

Instead, they try the flap, the knob, the windows, the other doors, and the other windows; and they might even pile up the yard furniture and scale it to see whether you left any upper-story windows open.

The neighbor's cat might be inclined to attempt these things, but it is hindered by its limited foresight and its lack of opposable thumbs.

In contrast, malware reflects considerable foresight, according to NSS Labs, a security testing company whose most recent quarterly malware report raises the problem of malware that attacks one point of vulnerability from several different angles.

Viruses that an antivirus program or other endpoint security product might catch if they arrived in a download through a browser may be able to sneak in if they use an infected USB flash drive or MP3 player as their conduit, or if a user launches an infected file stored on a network file server.

In NSS's tests, few security products automatically scanned or eliminated viruses in e-mail messages before the messages were downloaded, though most did scan e-mail after it arrived on the PC.

The 10 anti-malware products that NSS tested missed between 10 percent and 60 percent of the alternative entry points typically used by malware writers, according to a release from NSS. Most did a better job of isolating the malware once it had been stored on the victim's PC, though this approach is much riskier than eliminating the would-be invader before it gets in the door.

Fewer than a third of the products tested were able to identify malware that is live only while it resides in memory, such as when it arrives masquerading as a DLL or other system file that should be allowed to run, a shortcoming NSS describes as "a significant evasion gap in their products."

"IT organizations worldwide have a false sense of security in part due to tests that have been too easy," according to a quote in the release from Vik Phatak, CTO of NSS Labs. "Our test results point towards the need for more realistic testing based on what cybercriminals are actually doing to breach corporate defenses."

In an August report on endpoint security, NSS found that most antivirus products also don't identify attacks or exploits, even after knowledge of them has been public for weeks or months.

Typically the vendor adds a patch to identify the first appearance of a virus or exploit, but fails to follow up with virus signatures that would make it possible to identify variants or alternate attack routes for the flaw, the report said.

Here's the list of products tested:

  • AVG Internet Security Business Edition
  • ESET Smart Security Enterprise
  • F-Secure Client Security for Business
  • Kaspersky Business Space Security with Internet Security
  • McAfee Total Protection for Endpoint
  • Norman Endpoint Protection
  • Panda Internet Security (Enterprise)
  • Sophos Endpoint Security and Control
  • Symantec Endpoint Protection
  • Trend Micro OfficeScan Plus IDF Plug-in

Kevin Fogarty writes about enterprise IT for ITworld. Follow him on Twitter @KevinFogarty.