More bad news on malware: it knows where you hide the door key

Anti-virus products miss malware attacking via alternate routes

A security flaw is too valuable a resource to exploit in just one way, according to a new malware report from a security product testing company.

Though NSS Labs doesn't phrase it this way in its study of malware behavior, malicious applets behave more like persistent burglars than like the neighbor's supernaturally powerful demon-cat.

They don't just come up on the porch, check to see if you remembered to seal the pet flap, then wander off to look for another pet's food to steal.

They try the flap, the knob, the windows, the other doors, the other windows, and might even pile up the yard furniture to see if you left any upper-story windows open.

The cat would probably do the same, if it had the foresight, and opposable thumbs.

Malware is designed with both, according to NSS Labs, a security testing company whose most recent quarterly report said it's becoming far more common to see malware attack more than one flaw, or attack one point of vulnerability from several different angles.

Viruses that are stopped by anti-virus when they come in through a browser might slip through the net when they come in through an infected USB drive or MP3 player, or after a user launches an infected file stored on a network file server.

The 10 products NSS tested missed between 10 percent and 60 percent of the alternative entry points typically used by malware writers, according to a release from NSS. Most did a better job of isolating the malware once it had been stored on the victim's PC, which is much riskier than eliminating it before it can get in the door.

Fewer than a third of the products tested were able to identify malware that is live only when stored in memory, such as when it arrives masquerading as a DLL or other system file that should be allowed to run. NSS describes this as "a significant evasion gap in their products."

“IT organizations worldwide have a false sense of security in part due to tests that have been too easy,” according to a quote in the release from Vik Phatak, CTO, NSS Labs. “Our test results point towards the need for more realistic testing based on what cybercriminals are actually doing to breach corporate defenses.”

In an August report on endpoint security, NSS found that most anti-virus products also don't identify attacks or exploits even after knowledge of them has been public for weeks or months.

Typically that means the vendor will add a patch to identify the first appearance of a virus or exploit, but fail to follow up with virus signatures that make it possible to identify variants or alternate attack routes for that flaw, the report said.

Here's the list of products tested:

  • AVG Internet Security Business Edition
  • ESET Smart Security Enterprise
  • F-Secure Client Security for Business
  • Kaspersky Business Space Security with Internet Security
  • McAfee Total Protection for Endpoint
  • Norman Endpoint Protection
  • Panda Internet Security (Enterprise)
  • Sophos Endpoint Security and Control
  • Symantec Endpoint Protection
  • Trend Micro OfficeScan Plus IDF Plug-in.

Kevin Fogarty writes about enterprise IT for ITworld. Follow him on Twitter @KevinFogarty.
