Virus Silent Threats

/ First published in 2008 /

Concept of Malware

You can go completely mad trying to work out which antivirus product to choose if you read countless reviews and tests. Results often contradict one another, even when they come from independent sources. Let’s try to understand why this happens and what common-sense measures we can apply to protect ourselves from viruses and from lousy security products.

Concept of Malware in 2009

The public misconception about viruses makes people think that if nothing suspicious happens, they are fine (the opposite can be very exhausting, to the extreme where, after any noticeable slowdown, people blame a virus and reinstall the system from scratch!). A modern virus is far different from a virus of 10-15 years ago. Viruses used to be written for fun: deleting files, making the computer unusable, irritating the user with offensive messages, and so on. Infection in most cases was obvious, and virus creators were like warriors of the underground world, looking for fame and glory. Not anymore. Malware writing is a big business now. That big business wants to stay in the shadows, because it is mostly criminal. Infected computers connected to the internet are organized into botnets. The number of bots (remotely controlled workstations) connected can be up to a few hundred thousand (!), commanded by only one masterbot. That power can be used to generate spam, to launch DoS attacks (“denial of service”, when a massive number of requests completely disrupts the operation of a web server or website), for brute-force cracking, illegal or secret information exchange and storage, fake ad-hit generation, and so on. Botnets are available for rent in the underground.

Another threat is data theft: personal, banking, trade secrets, whatever has value.

Trojan horses comprise around 90% of all malware nowadays.

The main source of infection is visiting infected websites.

Masquerading methods are constantly being improved. Viruses often encrypt themselves and use separate modules (loader, server, etc., which can destroy each other once the task is complete). Some sneaky viruses never write themselves to the hard drive; they live only in memory (RAM). Some advanced viruses “sit” above the network, manipulating legitimate data packets on the fly, so a firewall may become useless. Some use zero-day exploits that have no known cure.

In short, malware these days wants to stay quiet and invisible. You may never know your computer is infected. Antivirus companies are chasing the viruses. Sometimes it is not even possible to get a live sample: remember the story of Rustock.C? Read www.eset.com/threat-center/blog/?p=127 to understand the depth of the problem.

How can we protect ourselves?

Use caution when clicking links from unclear sources. Don’t trust any financial information in emails, and check links in emails before clicking. Use alternative web browsers like Firefox or Opera with the latest updates and phishing filters on (also for IE). If you use Internet Explorer, always apply security patches on time. Patch your OS on time as well.

Do not store sensitive data without protection, such as keeping a credit card number and bank login in a text file. Encrypt them instead and use a password manager like SplashID (www.splashid.com).

It is better not to connect a computer to any network at all (including LANs) if you keep something really secret on it. That situation is difficult to imagine, of course, now that even your coffee machine can be networked.

You can read tests from www.av-comparatives.org and conclude that some antiviruses seem to be better than others. Other sources may offer other opinions. Plus prepaid advertising. Plus user opinions in forums. All of these may eventually influence your decision.

www.Av-comparatives.org produces badly designed reviews with a bunch of data to consider. Yet there are some useful conclusions to draw from their reports. For instance, the number of false positives (i.e. when a harmless file is thought to be a virus) might be a sign of big confusion in antivirus technology; I hope not.

I tried to combine their results with other sources, and here’s my view on the effectiveness of some antiviruses today:

Advanced Antivirus Products (order of appearance has no meaning): Eset, Kaspersky, McAfee, Dr.Web, Norton

Mid-class Antivirus Products (order of appearance has no meaning): Avast!, AVG, Microsoft, F-Secure

Do you know why the results of those tests often contradict each other? Basically for two reasons. One is that tests are prepaid and serve as hidden advertising. The other is that the conditions of the tests are always up to the tester. The virus samples come from nowhere. Besides, samples will never represent a real danger, because it is easy to cheat an antivirus. For example, you can pack most samples with plain ASPack (http://www.aspack.com/), “an advanced Win32 executable file compressor.” This program compresses executables while leaving their functions intact. So, if the executable is a virus, the packed virus will act in exactly the same way. A good antivirus is supposed to use advanced emulators to see through packers, as some packers hide the true code very well. So, guess what? You would be surprised: there are a number of cases where a simple ASPack modification makes the virus “clean” for detection. It seems any antivirus can be cheated by manipulating either the source code of a virus or the executable itself. Of course, when you actually RUN a virus, it will be unpacked and most probably detected, but the other part of the story (run prevention and cleaning) is very difficult to test, so you will not find reviews on that. It is one thing to detect, and another to protect and clean. Therefore all those tests are just pretentious scientific fog, which covers the truth. The truth is that one undetected virus is enough to make things really bad for you.
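A packed executable still leaves static traces a defender can look for before any emulation: compressed sections have byte entropy close to 8 bits per byte, and packers usually add their own section names. The sketch below is an added example, not from the original article; the section names `.aspack` and `.adata` (commonly seen in ASPack output), the 7.0 threshold and the synthetic sample files are assumptions.

```python
import math
import struct
from collections import Counter

PACKER_SECTION_NAMES = {".aspack", ".adata"}  # section names ASPack usually adds
ENTROPY_THRESHOLD = 7.0  # bits per byte; assumed cut-off, tune on your own files

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for compressed or encrypted data, lower for plain code."""
    counts, total = Counter(data), len(data)
    return -sum(c / total * math.log2(c / total) for c in counts.values()) if total else 0.0

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every entry in the PE section table."""
    pe_off, = struct.unpack_from("<I", image, 0x3C)
    if image[:2] != b"MZ" or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    n_sections, = struct.unpack_from("<H", image, pe_off + 6)
    opt_size, = struct.unpack_from("<H", image, pe_off + 20)
    table = pe_off + 24 + opt_size
    for i in range(n_sections):
        entry = table + 40 * i
        name = image[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, entry + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]

def packing_indicators(image: bytes):
    """Return reasons the file looks packed; an empty list means no indicator fired."""
    reasons = []
    for name, raw in pe_sections(image):
        entropy = shannon_entropy(raw)
        if name.lower() in PACKER_SECTION_NAMES:
            reasons.append(f"{name}: packer section name")
        if entropy >= ENTROPY_THRESHOLD:
            reasons.append(f"{name}: entropy {entropy:.2f}")
    return reasons

def build_sample(sections):
    """Constructed input: PE headers plus raw section bytes, not a runnable program."""
    head = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    head += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    body, data_start = b"", len(head) + 40 * len(sections)
    for name, raw in sections:
        ptr = data_start + len(body)
        head += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), 0, len(raw), ptr, 0, 0, 0, 0, 0)
        body += raw
    return head + body

PLAIN = build_sample([(".text", b"\x55\x8b\xec\x90" * 1024)])  # repetitive, low entropy
PACKED = build_sample([(".text", b""), (".aspack", bytes(range(256)) * 16)])  # high entropy
```

These indicators only say that a file is packed, not that it is malicious: legitimate software is packed too, so the result is a reason to look closer rather than a verdict.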

There are some dark horses avoiding the spotlight for some reason; I cannot really say much about them: TrendMicro, K7 Computing, Quick Heal, Vision Power.

Security applications make us suffer by being too annoying, too intrusive, and too resource-greedy (well, so am I). In this regard, I would never use any of them.

If you have any concern about a file, you can use a great online service, www.virustotal.com, to check that sample with the most popular antivirus engines at once!

It is a very good tool, a must-have for every cautious user. Just remember that there is no silver bullet for fighting malware. Do not rely on a single solution when you know you can be exposed.
