Anti-virus no defence against botnets, says vendor

Roughly half of the binaries picked up by FireEye were unknown to VirusTotal, a result indicative of the core problem of detecting botnet malware - speed.

A new analysis of botnets has come up with a possible reason for their prodigious ability to infect PCs - many anti-virus programs are near to useless in blocking the binaries used to spread them.

According to FireEye chief scientist Stuart Staniford, detection rates are so poor that, on average, only around 40 percent of security software can detect binaries during the period of greatest infectivity and danger, namely the first few days after a particular variant starts being used by botnet builders.

In a detailed blog, he describes how he uploaded a sample of 217 binaries culled from FireEye appliances in customer premises between September and November to the independent VirusTotal test website. This runs 36 anti-virus programs - a representative sample of the security programs used by businesses and individuals - giving researchers access to data on get statistics on how many malware binaries have already been uploaded to the site by other researchers, when they were uploaded and how many were detected by each program.

Roughly half of the binaries picked up by FireEye were unknown to VirusTotal, a result indicative of the core problem of detecting botnet malware - speed.

Because malware often uses 'polymorphism' - programs are constantly changed very slightly to evade binary pattern detection - the problem of detecting and blocking malware quickly is huge. According to Staniford, this makes it important that anti-virus programs can spot malware in the first week of its use.

"The sample is likely to get discarded by the bad guys pretty soon after that," he notes.

During the first three days after initial detection by FireEye, only four in ten anti-virus programs could spot the offending code, which suggests that many bots would evade security software during attacks on real PCs in they happened during this same period.

"The conclusion is that AV works better and better on old stuff - by the time something has been out for a couple of months, and is still in use, it's likely that 70-80 percent of products will detect it," says Staniford.

FireEye's appliances can be seen as an 'early warning' system because of the way they use behavioural analysis to spot malware in real time, in some cases days or weeks before a program has been formally identified and documented by security companies. By the time it has been spotted and a signature rolled out to anti-virus databases, however, it might already be too late.

Equally, many prominent security vendors will use similar techniques to spot malware as quickly as possible, making it surprising that so many anti-virus programs failed to spot FireEye's sample binaries. The reason might simply be the vast number of samples that appear in any given period.

What nobody doubts is the importance of botnets to the spread of malware and spam, as evidenced by the recent takedown of a US hosting company McColo, which had been accused of hosting botnet controllers. In the hours after the hoster's demise, spam levels were reported to have plummeted dramatically.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags botnetsantivirusFireEye

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

John E. Dunn

Techworld
Show Comments

Cool Tech

Bang and Olufsen Beosound Stage - Dolby Atmos Soundbar

Learn more >

Toys for Boys

Nakamichi Delta 100 3-Way Hi Fi Speaker System

Learn more >

Sony WF-1000XM3 Wireless Noise Cancelling Headphones

Learn more >

ASUS ROG, ACRONYM partner for Special Edition Zephyrus G14

Learn more >

Family Friendly

Philips Sonicare Diamond Clean 9000 Toothbrush

Learn more >

Mario Kart Live: Home Circuit for Nintendo Switch

Learn more >

Stocking Stuffer

SunnyBunny Snowflakes 20 LED Solar Powered Fairy String

Learn more >

Teac 7 inch Swivel Screen Portable DVD Player

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?