McAfee’s newest weapon in the fight against malware
Monday November 6, 2006 at 1:47 pm CST
Posted by Joel Spurlock
The threat landscape is constantly changing, and our technology must adapt and change as well. Long gone are the days when malware authors were primarily novice coders (or script kiddies). Today we see evidence of the rise of organized crime in malware creation, where development teams create malicious software, test it, and automate its production and release. Sophisticated techniques are becoming more prevalent: polymorphism, the recurrence of parasitic infectors, rootkits, and automated systems that cycle their encryption and release new builds constantly. Furthermore, it is difficult to remember the last time I worked on a sample that was not packed, encrypted, or obfuscated in some attempt to disguise its nefarious purpose. There are many examples, but some stand out in my mind: w32/Stration, w32/Bacalid, and w32/Polip.
The increase in sophistication signals an acceleration of the ongoing arms race between malware authors and security research organizations. IT organizations must constantly upgrade, patch, and deploy the latest software and fixes to keep their networks secure. The release of the 5100 AV Engine by McAfee is a major weapon in the arsenal of McAfee customers for fighting malware. The 5100 engine has upgraded capabilities that allow Avert Labs researchers to more effectively detect new malware generically, or old malware that has been obfuscated. Our internal testing data indicates that the 5100 engine may provide as much as 30% improved detection performance over the 4400 engine. That 30% gain comes from the 5100 engine’s capability to deobfuscate the malicious code.
This is proactive detection, provided by McAfee’s newest weapon in the fight against malware.
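To make the post's point concrete, here is an added toy example (not McAfee's code, and nothing about the 5100 engine's internals is implied): a signature scanner with and without a generic deobfuscation layer, run over a constructed corpus of re-encoded variants. The single-byte XOR "packer", the sample bodies, the signature, and the family name are all constructed stand-ins.

```python
from typing import Callable, Dict, List, Optional

# Constructed, benign stand-in for a known malware family's code body.
KNOWN_BODY = b"MZ\x90\x00 ...constructed toy body... delete-all-files-routine ...\x00"
# A static signature: a distinctive byte string taken from that body (constructed).
SIGNATURES: Dict[str, bytes] = {"Constructed/ToyFamily": b"delete-all-files-routine"}
# A constructed clean program, used to check the extra layer adds no false positive.
BENIGN = b"MZ\x90\x00 ...constructed benign program: hello world...\x00"

def single_byte_xor(data: bytes, key: int) -> bytes:
    """Stand-in 'packer': XOR every byte with one key. A toy for the encryption
    layers the post describes; key 0 leaves the data unchanged."""
    return bytes(b ^ key for b in data)

def scan_static(sample: bytes) -> Optional[str]:
    """Classic scanner: match signatures against the raw bytes only."""
    for family, sig in SIGNATURES.items():
        if sig in sample:
            return family
    return None

def scan_deobfuscating(sample: bytes) -> Optional[str]:
    """Scanner with a generic deobfuscation layer: if the raw bytes do not match,
    undo the toy encoding for every possible key and rescan the candidate."""
    hit = scan_static(sample)
    if hit is not None:
        return hit
    for key in range(1, 256):
        hit = scan_static(single_byte_xor(sample, key))
        if hit is not None:
            return hit
    return None

def detection_rate(scanner: Callable[[bytes], Optional[str]], corpus: List[bytes]) -> float:
    """Fraction of a corpus the given scanner flags."""
    return sum(1 for s in corpus if scanner(s) is not None) / len(corpus)

# Constructed corpus: two unpacked variants plus eight re-encoded builds with
# cycling keys, mimicking an automated release pipeline.
VARIANTS: List[bytes] = [KNOWN_BODY, KNOWN_BODY.replace(b"MZ\x90", b"MZ\x91")] + [
    single_byte_xor(KNOWN_BODY, key) for key in (0x11, 0x2F, 0x5A, 0x77, 0x9C, 0xB3, 0xD8, 0xE4)
]

if __name__ == "__main__":
    print("static only:       ", detection_rate(scan_static, VARIANTS))
    print("with deobfuscation:", detection_rate(scan_deobfuscating, VARIANTS))
    print("benign flagged?    ", scan_deobfuscating(BENIGN))
```

The static scanner catches only the two unpacked builds, while the deobfuscating scanner catches all ten without flagging the clean sample; a real engine applies the same idea to real packers and encryptors rather than a toy XOR.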
Avert strongly recommends that anyone using McAfee AntiVirus or AntiSpyware products upgrade to the latest engine.

November 6th, 2006 at 15:45
[...] Trackback Within the last month we’ve seen a spike of new W32/HLLP.Philis variants being posted primarily on Chinese sites. This goes to further underscore the point in our last blog about the importance placed in the malware authoring community of frequent new variants and the recurrence of parasitic infectors. [...]
November 10th, 2006 at 13:42
A pity no attempt was made to let users know in advance of this update. In the past, engine updates have been released with deleterious results in complex environments, such as our Accounting and Consulting firm. Though I am on the Avert mailing list, I got no such information.
Having been burned before, I have learned the value of testing before rolling new software out in a production environment.
This time we were lucky – so far, no one has reported any anomalies of which I am aware.
However, in self-defense, I have now disabled the auto-update on all stations for anything except the DAT files.
I’d rather be late to the party than crash because McAfee chose not to tell me the road had been changed!