Malware innovation outpacing security defences, eThreatz testing shows

eThreatz roundup

Figures suggest that 2011 was the worst year in history for malware attacks, with more than 12 million unique samples discovered in the first half of 2011 alone – a 22 per cent increase over 2010. This high volume of attacks has taken its toll: extensive eThreatz testing by Enex TestLab over the past six months has confirmed that many malware detection platforms – including those from top brand-name vendors – have been unable to detect a sizeable proportion of new malware infections.

eThreatz testing uses an extensive set of standardised malware tests to evaluate various security software’s ability to detect a range of malware infections from a significant collection of new and old strains. Every month, Enex TestLab runs eight major malware-detection packages against a random sample of 33 different malware threats, then measures their rates of false negatives, false positives, and successful malware detection.

Market leaders McAfee and Symantec were showing strong results in October 2011, when they both turned in perfect malware detection rates that put them ahead of rivals ESET, Sophos, Kaspersky Labs, Microsoft, Trend Micro, and Panda Security. Those platforms all turned in false-negative rates ranging from 3 per cent to 15 per cent of items scanned.

By the following month, however, the numbers had gotten worse across the board: McAfee, Symantec and ESET turned in a 3 per cent false negative rate, while Panda Security missed 24 per cent of tested malware infections. November saw, for example, continuing awareness of the Duqu Trojan and the emergence of Mac-based malware such as the Flashfake Trojan, which disguises itself as an update to Adobe Flash. IFrame-based attacks also spiked in November, more than doubling as a share of all malware according to figures from Kaspersky Labs.

Vendors reacted to the numbers by redoubling their efforts to boost detection rates, and December’s figures confirmed their success. In December, five platforms – ESET, Kaspersky, McAfee, Sophos, and Symantec – were able to detect all malware thrown at them. This confirmed that the November numbers had resulted in a flurry of updates that had paid off handsomely by December. The numbers reflect the continuing nature of the cat-and-mouse game that malware authors are playing with security vendors, who continue to be caught unawares by new attacks but quickly rush to update their software once those attacks are identified.

Throughout this period, new transmission vectors confirmed that the threat from malware continues unabated. An explosion in malware targeting Google’s Android mobile operating system has confirmed the exposure of smartphones and tablets running both Android and, to a lesser extent, Apple’s competing iOS.

In December 2011, Sophos published the results of an audit of USB sticks that had been lost on CityRail trains in Sydney. Fully two-thirds of the sticks contained malware, with 62 infected files found across 50 USB sticks, and the most heavily infected stick carried four separate variants of malware.

New forms of malware attack continued to test scanning engines into 2012, with only one company – Microsoft – successfully identifying all malware. ESET, Kaspersky, Sophos, Symantec, and Trend Micro each turned in 3 per cent false-negative scores in eThreatz testing, while McAfee plummeted out of the top-tier solutions with a 21 per cent false-negative rate.

Malware explosion

Even this was nothing compared with the results of eThreatz testing in February, when false-negative rates skyrocketed as a wave of new malware attacks came into the spotlight.

One detected attack, for example, embedded malicious JavaScript code that was designed to look like Google Analytics code but pointed to a malware-laden look-alike of the Google domain rather than the genuine one. February also saw the rise of attacks like the IFramer Trojan and script-based Trojan downloaders, as well as remote-access infections such as the Chinese-originated RootSmart.

February also saw hacker group Anonymous launch a barrage of attacks in response to an international police crackdown that saw the arrests of 25 suspected hackers; judging by the spike in eThreatz false-negative reports, it’s entirely possible that a flurry of new malware attacks was part of the co-ordinated response.

By March, the security vendors had generally caught up: ESET, Kaspersky, and McAfee had no false-negatives in eThreatz testing, while Microsoft, Sophos, and Trend Micro missed just 3 per cent of malware and even bottom-ranked Panda missed just 9 per cent.

Regular fluctuations in eThreatz testing highlight the ever-changing nature of the global malware environment, and all security vendors continue to work tirelessly to keep up. In the six months to March 2012, however, Enex TestLab eThreatz testing showed that ESET’s anti-malware efforts had proved most effective, with a cumulative 6 per cent false-negative rate. Symantec (7 per cent), Sophos (8 per cent), Kaspersky (9 per cent), McAfee (10 per cent) and Trend Micro (11 per cent) followed, while Microsoft and Panda trailed the pack overall.

Matt Tett, Managing Director of Enex TestLab, says: “The aggregated results over the past six months of the public CSO Magazine Enex TestLab eThreatz AV testing clearly demonstrate that there is a requirement for ongoing rigorous independent testing in this industry. This clearly demonstrates the AV vendors’ product capabilities on a month-to-month basis and also allows aggregation and analysis of their historical detection performance, rather than the traditional point-in-time one-off ‘snap-shots’ that one sees released from time to time.”

Stories by David Braue