Malware innovation outpacing security defences, eThreatz testing shows

eThreatz roundup

Figures suggest that 2011 was the worst year in history for malware attacks, with more than 12 million unique samples discovered in the first half of 2011 alone – a 22 percent increase over 2010. This high volume of attacks has taken its toll: extensive eThreatz testing by Enex TestLab over the past six months has confirmed that many malware detection platforms – including those from top brand-name vendors – have been unable to detect a sizeable proportion of new malware infections.

eThreatz testing uses an extensive set of standardised malware tests to evaluate various security software’s ability to detect a range of malware infections from a significant collection of new and old strains. Every month, Enex TestLab runs eight major malware-detection packages against a random sample of 33 different malware threats, then measures their rates of false negatives, false positives, and successful malware detection.

Market leaders McAfee and Symantec were showing strong results in October 2011, when they both turned in perfect malware detection rates that put them ahead of rivals ESET, Sophos, Kaspersky Labs, Microsoft, Trend Micro, and Panda Security. Those platforms all turned in false-negative rates ranging from 3 per cent to 15 per cent of items scanned.

By the following month, however, the numbers had gotten worse across the board: McAfee, Symantec and ESET turned in a 3 per cent false negative rate, while Panda Security missed 24 per cent of tested malware infections. November saw, for example, continuing awareness of the Duqu Trojan and the emergence of Mac-based malware such as the Flashfake Trojan, which disguises itself as an update to Adobe Flash. IFrame-based attacks also spiked in November, more than doubling as a share of all malware according to figures from Kaspersky Labs.

Vendors reacted to the numbers by redoubling their efforts to boost detection rates, and December’s figures confirmed their success. In December, five platforms – ESET, Kaspersky, McAfee, Sophos, and Symantec – were able to detect all malware thrown at them. This confirmed that the November numbers had resulted in a flurry of updates that had paid off handsomely by December. The numbers reflect the continuing nature of the cat-and-mouse game that malware authors are playing with security vendors, who continue to be caught unawares by new attacks but quickly rush to update their software once those attacks are identified.

Throughout this period, new transmission vectors confirmed that the threat from malware continues unabated. An explosion in malware targeting Google’s Android mobile operating system has confirmed the exposure of smartphones and tablets running both Android and, to a lesser extent, Apple’s competing iOS.

In December 2011, Sophos published the results of an audit of USB sticks that had been lost on CityRail trains in Sydney. Fully two-thirds of the sticks contained malware: 62 infected files were found across the 50 USB sticks, and the most heavily infected stick carried four separate variants of malware.

New forms of malware attack continued to test scanning engines into 2012, with only one company – Microsoft – successfully identifying all malware. ESET, Kaspersky, Sophos, Symantec, and Trend Micro each turned in 3 per cent false-negative scores in eThreatz testing, while McAfee plummeted out of the top-tier solutions with a 21 per cent false-negative rate.

Malware explosion

Even this was nothing compared with the results of eThreatz testing in February, when false-negative rates skyrocketed as a wave of new malware attacks came into the spotlight.

One detected attack, for example, embedded malicious JavaScript code that was designed to look like Google Analytics code but referred to a malware-laden domain mimicking Google's instead of the genuine Google domain. February also saw the rise of attacks like the IFramer Trojan and script-based Trojan downloaders, as well as remote-access infections such as the Chinese-originated RootSmart.
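The lookalike-domain trick described above can be caught with a static check over a page's external script references: anything that presents itself as the Google Analytics loader but is served from a domain outside a small trusted set is flagged for review. This is an added example, not code from the article or from Enex TestLab; the trusted-domain set and the "claims to be analytics" heuristics are assumptions, and the sample HTML is constructed using reserved `.example` hostnames.

```python
import re
from urllib.parse import urlparse

# Registered domains that legitimately serve Google's analytics loaders
# (assumption for this example; adjust to what your own pages embed).
TRUSTED_ANALYTICS_DOMAINS = {"google-analytics.com", "googletagmanager.com"}

# Extracts the src attribute of <script ...> tags in static HTML.
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (no public-suffix list; simplifying assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def claims_to_be_analytics(url: str) -> bool:
    """True when the reference presents itself as Google Analytics code."""
    parsed = urlparse(url)
    path = parsed.path.lower()
    host = (parsed.hostname or "").lower()
    return path.endswith("/ga.js") or path.endswith("/analytics.js") or "google" in host


def find_lookalike_analytics_scripts(html: str) -> list:
    """Return script URLs that look like Google Analytics but load from an untrusted domain."""
    flagged = []
    for src in SCRIPT_SRC_RE.findall(html):
        url = "https:" + src if src.startswith("//") else src  # protocol-relative reference
        host = urlparse(url).hostname
        if not host:
            continue  # relative path: served by this site, not an external-domain question
        if claims_to_be_analytics(url) and registered_domain(host) not in TRUSTED_ANALYTICS_DOMAINS:
            flagged.append(url)
    return flagged


# Constructed sample page: one genuine loader, two lookalikes, one unrelated local script.
SAMPLE_HTML = """
<html><head>
<script src="https://www.google-analytics.com/ga.js"></script>
<script src="//www.google-analytics.example/ga.js"></script>
<script type="text/javascript" src="http://stats.goog1e-analytics.example/analytics.js"></script>
<script src="/js/app.js"></script>
</head></html>
"""

if __name__ == "__main__":
    for url in find_lookalike_analytics_scripts(SAMPLE_HTML):
        print("suspicious analytics loader:", url)
```

Run against crawled copies of your own pages to spot injected loaders; a genuine google-analytics.com reference produces no finding.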

February also saw hacker group Anonymous launch a barrage of attacks in response to an international police crackdown that saw the arrests of 25 suspected hackers; judging by the spike in eThreatz false-negative reports, it’s entirely possible that a flurry of new malware attacks was part of the co-ordinated response.

By March, the security vendors had generally caught up: ESET, Kaspersky, and McAfee had no false negatives in eThreatz testing, while Microsoft, Sophos, and Trend Micro missed just 3 per cent of malware and even bottom-ranked Panda missed just 9 per cent.

Regular fluctuations in eThreatz testing highlight the ever-changing nature of the global malware environment, and all security vendors continue to work tirelessly to keep up. In the six months to March 2012, however, Enex TestLab eThreatz testing showed that ESET’s anti-malware efforts had proved most effective, with a cumulative 6 per cent false-negative rate. Symantec (7 per cent), Sophos (8 per cent), Kaspersky (9 per cent), McAfee (10 per cent) and Trend Micro (11 per cent) followed, while Microsoft and Panda trailed the pack overall.

Matt Tett, Managing Director, Enex TestLab says: “The aggregated results over the past six months of the public CSO Magazine Enex TestLab eThreatz AV testing clearly demonstrate that there is a requirement for ongoing rigorous independent testing in this industry. This clearly demonstrates the AV vendors’ product capabilities on a month-to-month basis and also allows aggregation and analysis of their historical detection performance, rather than the traditional point-in-time, once-off ‘snap-shots’ that one sees released from time to time.”

Stories by David Braue

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place