• Catch Me if You Can: Antivirus Poor at Detecting Web-Malware

    AV Engines are not very effective at spotting web-based malware

    AV Engines are not very effective at spotting web-based malware

    There is every indication from sources internal to StopTheHacker.com and external sources comprised of web hosting companies, administrators, security companies and government organizations that the threat from web based malware is looming large and is only going to intensify in the coming years.

    Website owners, and administrators, even website hosting companies are the directly affected ones. However, it is me and you, the web surfer, who visits supposedly benign sites which have been compromised by malicious individuals who are at great risk.

    To protect the client, i.e. you, security experts rightly recommend antivirus (AV). These AVs are good at detecting pieces of code which have been classified and adhere to well known malicious behavior.  Consumers need to know that most of these AV engines are not tuned to detect web-based malware threats.

    Below we present a small test we performed consisting of 159 unique pieces of web-based malware captured during the last few weeks by our detection systems. We compared four popular AV engines and found that none of them are very effective at detecting malware from compromised websites.

    Note that all AV engines used were at the latest version available for our systems and were updates with the latest virus definitions. All samples used Javascript to execute their malicious content.

      Brief highlights:

    1. AV engines used: AVG, ClamAV, F-prot, Avast
    2. None of the AV engines detected more than 11% of the malicious samples
    3. AVG detected: 6.92%, ClamAV detected: 10.69%, F-prot detected: 10.06%, Avast detected: 2.52% of the samples respectively
    4. Only one sample was detected by all four AV engines. This sample was extremely similar to a POC exploit code from milw0rm.com

    This limited experiment shows that traditional AV engines have a long way to go when it comes to detecting web-based malware. Jaal uses proprietary detection technology which is based on artificial intelligence and machine learning algorithms which can understand how malicious pieces of code behave and profile and classify them with high accuracy and recall.

    The SHA1 hashes of the samples used to test are presented below.

    816633098ae005d8dbc7a25993da84d4035d03fa
    9b19e082e4f96ba904a96b91521ea965423fdf78
    390c6ee940db43d1916b8d5d35d6e26ee820adc6
    1eff7745d4fdcd5454ce35cefaaf9fdcd992c7d2
    2e546e478a2e7782f71e57aba2db4c39618a6ea0
    e20e4102bb3fe18d1bacb1cbd9decb3df231b54f
    6911103499818938e1f4ad589382f78555e5c3d5
    f635909927c4605f382e4206472ed2eb319c7fe7
    b87996d1842c3fa7656f2923e4ca9d984f67e927
    ba507a2ddf54868038d2a233824d954e76e7de7d
    5b145e8e1379513ee7fdcc254052aa63401bfbb2
    47b99826d6beedd4eafd90a6b1f6bfc58037516f
    25a5b980a32f02115ae6b39ba23233d3395cc8be
    d5e44799006af551a6ed428fbbf5c719fde9f0d2
    16169f2bc458bbcfbe440bf6e144072440437b8f
    fac205896b1d8caa027493ff347b1283a8a5ea9a
    26efc96af2f3c4f40de0122e2a17a96e179dae10
    1ceda4089f55b0ae00e5f68c1fc168854262ba0a
    107069c13e14f8ae02764420f7b73abc3b12b9ec
    000e94d6f8569152b4f722b534c3446b33e80edb
    a26b7469375e87ed511813753690621b7c1c59cb
    c618cee125d8f03f2e389259dc4fb64c817c8cae
    169df559a4489f4ebd968a54a7e985bd59996f44
    79afd6b751faaa5030bdc9b6f8ac63e58e19f8bd
    f5788e9ca15f873b571a30cf549c2cf96e81d4e9
    af8308df0d38052a1f2b2a1e9e4ce20a508d5029
    9d6a35ed08772fb824a3c2804f03418fb317b316
    9ad9673f55a0013d4065c4139777ca681e0cea0b
    58afa0e9fa175f8cec1c6ca37261adb7fbe71080
    68a1f2a03397b5c36a29c118d85b6da7de37d69c
    92962ff677a0f41e36c6279fea8c3c1bf6cffeb7
    f4024a56993ca0e38f4095a2f9cf0e6f111dc1
    854cdc64aa29d3b4073ba4827eff8c6976189eff
    ee4054c22e26a9e7da91927f8b423309db3c37ce
    b07bef2b0d7b10ca7054f9450a78ae4cc616282a
    430f69f19ec142eb443a3003ece46ee3fe02d316
    70333f39c08c02fb468dd7f305034fe8e69438a4
    e77b9cff1b75f4cbaeedfd59c925a4b4a0bbf253
    28846dd8ba590b9c7cca6a8061c35446ddf4b9ba
    9c8671398aed3b785bea22f51afe66485bbcac42
    cfe3e42c266064cda45fd11e5c0e3dc7504134ed
    35cfebaee69b89e2cabba05f130071d18a3d0632
    51a2dd0515ec5d7cf9bf55e7226c800f3ab34b01
    9fbae2b1d97783782b6c22a8eacf9b408dfa7622
    5da9312edbc420750839d98a62b4db3fcf37e79e
    2fd92d853236eec5030c2b2e68519e338fbae703
    9e522249da94e5361f4b1b76d028325c963d2f8f
    c1fffcc3872a0c5b198ce0b0e2b6c48122afbfe3
    a085342ffddeb129b4d503d769337254f12128ab
    b0cc0131e64e3cc6be595244cb6d06459415fd86
    f5788e9ca15f873b571a30cf549c2cf96e81d4e9
    5d5acfbfaeb0964a90afdc34027d31dd8c087b72
    d83b73c795242984efe288a4131f10898cee4726
    230bd24350242a1fcc48d304bb6a0b41e11e56bd
    236526ddf3243ecc869e2dc496e5e123836c1139
    9de098b4ca80fde754a6d0779eda2230c304dda2
    ba5bc790b05eef01db9c80b44b0478ad29637117
    9dab8e1b7e6c38ff4034e702215b43a83f503845
    abfd93aca22ee2475952ed145394d9edf270ec97
    9e1e1a1efd527ea05f43dbd3c74fcd235603ae25
    d929e444c10d08f427fe3136fda94c9459ec8a90
    a7c8cd2edf0fbae0e2747ebba3b0347e21d82f83
    1f3b5c82f9077896ded6ad0417840108660bdb6f
    6d8eb97d34acd9fe3c54bdfefc3b4eec38187a7e
    1bb8371b3dad51c8cfa2fcf2430174954b65490c
    70f55d55796b58e906359fc7ec2b71ee2f6b475f
    64df75a0a427cc74397cd831c5dae977b960319b
    060b75af1239a7e882c75600f05cd4a29981cf63
    9611d0eabd35cad386b6e55377e13862300753d0
    f61dfa94e8d26143541ffa8556001addc9043233
    9c6859961beaff0d0e2c8254fd0d9170f17764c4
    f7e902c1653c596672e3ef9dff5be8ce9dbacc04
    6fef84bcaee61ddbe4731a3fdc6c10a8e7b2e118
    e4bd561881cbe8692cef393519fa9d3feb94e4
    4493e82d5648ef18bffe0cf577dfff977c4c2b61
    2914adab79ace690911928734d71f41e0eaf3deb
    a209fce0c7e8d7de6f1667f8855b441ad9199479
    fe97812acb6005bc730df70a02949f85791ccc26
    6fef84bcaee61ddbe4731a3fdc6c10a8e7b2e118
    f7e902c1653c596672e3ef9dff5be8ce9dbacc04
    9d26667c6ada57160863dbd8fc0f906facd26a31
    6d1cf3bb7c692cf79b496971082d63c4fe6f9d3b
    f61dfa94e8d26143541ffa8556001addc9043233
    9d9bc778aa7dd0c6aaebce544038afb72ca89a3b
    eb870d52963b9dfffa1418206d9fd2248105e7d5
    b5b975f530907b3cc8a06cc544ee59af1c65c0ad
    f1f93eae3c23b8db58fa57e03ccbaabacd26edf0
    13337e99806ec2d9b0cc65130b276d212b66c6ef
    d4f883d6fca63206aaa5773d21bd391aafd6b69b
    89b092cf10887728965e92a1743b211981e2c509
    93e32b1813e8f62bc48afb34435c27922dd15854
    9170e68703b30d9653c1afc2e2367ef9e3e857d1
    7f927ce60b92fcada6d0029f05372bcc55e76061
    ff1e5838891686428ee55e651ae7ae4af8f54833
    ac79dfd852843af7de7b5b9c0312d281b2584c46
    04c5946fd347bc61a2276567bd00a8140a3792f7
    21bf2da8630e8bbbe80fb18ca8b5d6cf1ad1801a
    62127899a333ded181e82fd6b6194fb55cc45f1b
    47dd8eb5a532965ac85140ed50b491e9a79827d4
    50db943eb42397bd9391bba998cb75f2d6a27abd
    f90cd2ad1db2c3bebeb88db6a3b4c0afd5a2c3bc
    f90cd2ad1db2c3bebeb88db6a3b4c0afd5a2c3bc
    1921c236990bf3d282d85c7f73929f179d77bbbe
    1921c236990bf3d282d85c7f73929f179d77bbbe
    f4b6889f98fff03fe1a452c872046560c5b7b2b6
    c3655fd13f4f020100106d33c7ed8b64a5b697b5
    f1f93eae3c23b8db58fa57e03ccbaabacd26edf0
    13337e99806ec2d9b0cc65130b276d212b66c6ef
    37fb254190ef250ec17c51af8a8ce9492f229045
    5cf6b5e79088c31adebd9239b6a0fe85dae4bdc8
    4b68192c2a1d56c933b0b4d3a511d20f5ab5109a
    2fc8b84f43b780c50ebfb0d1dee0bd6a663faa34
    816633098ae005d8dbc7a25993da84d4035d03fa
    a938feaee3f8088ca09fa55547e7d32f3eeb2342
    5872a0f83149116751c99204af687a0d9fd2d013
    6c3a63406e834212ee21150ed9dae027916c9aba
    61bd5b21316aebe72d9eb0fbec86aa54eeaef41e
    974ab3a4840c3036494e1b5ff44149addc352c09
    f995e8fe220bb5734a12a3181da0891ae2102eee
    974ab3a4840c3036494e1b5ff44149addc352c09
    2fc8b84f43b780c50ebfb0d1dee0bd6a663faa34
    816633098ae005d8dbc7a25993da84d4035d03fa
    d9a413e9eaf045c80a7a3a3b220425e0ae10f36a
    a938feaee3f8088ca09fa55547e7d32f3eeb2342
    3dfd2d40357887f5c43fa33c064d8ee5f4aee03b
    b9328bb760b294fa524830a8920a0a90a2e33eac
    169df559a4489f4ebd968a54a7e985bd59996f44
    584fbb7d467834132bd9e28db43e5fcbcefc24e8
    768709cbc7ffd499cc26be93e2558ba80059793a
    ffb3394a91961dfb67a4e16eab998c225baf93e0
    12a594de0c4c0351387c40275db09ef4b2e4025b
    4a7afd95db6923e4220a65040357bfbbf2b55077
    6a9ab50dafae402bf230879471206b6479c33692
    6a9ab50dafae402bf230879471206b6479c33692
    c3655fd13f4f020100106d33c7ed8b64a5b697b5
    3e6944e6957b8d09759328bb6e4b1d40ed61a94d
    77b5099de69d17088f47991543ac952748f51318
    a448b4b7df37d40db78a61123379424884957e5f
    9dace6f32725175bafd0a09de6d6bb822d116250
    4d03ef449ef5eaa2ed4504b926af218fcd49af66
    e026b0f4b1c412fd98efaae3741d7d137647f07e
    681f9c9d1ca13424dbb3328e8e7f4cd9404e93fc
    8fa128f2e88f51486dd6e14f6394066c52cd6d30
    7dba6533187fd7df6a6b7654841d7de41c8ec3bc
    e72f7680b93ca124077ab5fe6f78daf8df24db2f
    c662974ce089e0979811db9752601ba0deb56ca5
    14cb17f7f0379a81cf6cd0a0bcb58d3ccca848a3
    b36ef96e09c30b195ac291fa5a3dae8fc89960f2
    74c204f8dc182949217be29d36d7d38ea3ba9f7b
    2642a2c2cce3cea5a175cae5d021272d87d94908
    1be051d87ace905c7c16d08545f13395362c0feb
    276f5f4b144e86d07d76fbeecf2e39250c9d65e5
    c66dc101b4aeb6a0416be21e5c9ed09dc162f338
    8c40b59bbbfc9dd02725ce8c891e4d9fa0f5ce26
    efaef489856ac430f2fc8a2c2437a61922e2c877
    93ddf8b9b206e6ae88c75ac7ca28991be19d63ac
    c26e2cf8e848deb09ca72d5e692809fbbd21e07c
    5e920705466955c69dd1c4474d3022489de8e3bc
    e7149aaed102653f45e17afcb3d0d426a8cf11d
    
    • […] experiment featured in the article, “Catch Me if You Can: Antivirus Poor at Detecting Web-Malware,” shows just that – even today’s popular AV engines aren’t very effective at detecting […]

      Posted by Web-based malware breaking traditional AV model — CoreTrace WhiteSpace on December 15th

    • […] Catch Me if You Can: Antivirus Poor at Detecting Web-Malware – stopthehacker.com – Jaal, LLC Published September 7, 2010 Uncategorized Leave a Comment via stopthehacker.com […]

      Posted by Catch Me if You Can: Antivirus Poor at Detecting Web-Malware – stopthehacker.com – Jaal, LLC « Top Rated Anti-Malware Blog on September 7th

    • […] Website owners should take advantage of new emerging, website “Health Monitoring” solutions. This kind of new technology can scan websites with minimum interruptions, is totally SaaS based and uses advanced artificial intelligence mechanisms to catch never-before-seen malware. This is a significant break from the way most traditional anti-virus software work. Simply scanning for signatures is not enough to detect thousands of new variants of malware. Consider for example that current anti-virus engines cannot detect web-based malware effectively. […]

      Posted by Malware posing as Jquery – stopthehacker.com – Jaal, LLC on January 14th

    • […] Anti-virus engines are woefully inadequate at hunting down web-malware. We present below screenshots to depict the really poor detection capabilities of Anti-virus […]

      Posted by prw1.co.cc Malware Alert – stopthehacker.com – Jaal, LLC on April 25th