
The other day, I was reading some reviews of anti-virus (AV) products, and looking at some of the claims their marketing makes. In particular, most vendors claim a 100% success rate with a test against a set of known viruses. While, at first glance, this may seem like a good thing, the problem is that you really want your AV system to stop the “new” viruses. It seems kind of obvious, and a relatively easy thing to do, to stop “old” viruses. So, when an outbreak happens, how well do current AV systems do?

Nowadays, the vast majority of virus attacks come through email systems. On Monday, I happened to be in the right place at the right time for a new “zero day” release of a virus. The virus had all the hallmarks of a variant of the Brepibot trojan, and all the signs indicated a fairly significant attack, with more and more appearing on our radar. Within a few hours, the virus had blasted its way to the top of our “recent activity” chart, and had gained second place in the longer term (30 days) rankings. All in all, a pretty significant outbreak.

The following graph shows how the attack developed - plotting the percentage received against time, in hours, from the outbreak.


The whole outbreak happened within the space of a day. This is quite typical of a Brepibot outbreak: A new variant is created, heavily seeded using the usual ‘bot methods, then the attack finishes. We can see that the outbreak was over after about 15 hours - with 70% of the viruses having been received after four hours.

The first conclusion to draw is that if you only update your AV signatures on a daily basis (which is quite common), you will not be protected against this sort of attack.
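As an added illustration of that first conclusion (this script is not part of the original post), the code below takes the delivery curve quoted in this write-up (about 10% of the outbreak in the first hour, 70% by four hours, finished at around 15 hours) and estimates what share of an outbreak reaches a site before its own signatures catch up, for a given vendor release time and signature update interval. The piecewise-linear curve between those points and the uniformly random update phase are assumptions made for the illustration.

```python
"""Exposure to a fast outbreak as a function of signature update cadence.

Assumption: the cumulative delivery curve is piecewise-linear through the
figures quoted in the post (about 10% in the first hour, 70% by four hours,
essentially all of it by 15 hours). The curve is constructed for
illustration, not measured data.
"""
from bisect import bisect_right

# (hours since outbreak start, cumulative fraction received) -- constructed
OUTBREAK_CURVE = [(0.0, 0.0), (1.0, 0.10), (4.0, 0.70), (15.0, 1.0)]


def fraction_received(t_hours: float) -> float:
    """Fraction of the outbreak delivered by time t (linear interpolation)."""
    if t_hours <= 0:
        return 0.0
    xs = [x for x, _ in OUTBREAK_CURVE]
    i = bisect_right(xs, t_hours)
    if i >= len(xs):
        return 1.0  # outbreak is over
    (x0, y0), (x1, y1) = OUTBREAK_CURVE[i - 1], OUTBREAK_CURVE[i]
    return y0 + (y1 - y0) * (t_hours - x0) / (x1 - x0)


def expected_exposure(vendor_release_h: float, update_interval_h: float,
                      steps: int = 1000) -> float:
    """Expected fraction of the outbreak that arrives before a site is protected.

    The vendor publishes a signature vendor_release_h hours after the outbreak
    begins; the site pulls updates every update_interval_h hours at an unknown
    phase, so protection lands somewhere in [release, release + interval].
    Averaging over that phase (assumed uniform) gives the expected exposure.
    """
    total = 0.0
    for k in range(steps):
        delay = update_interval_h * (k + 0.5) / steps  # midpoint rule
        total += fraction_received(vendor_release_h + delay)
    return total / steps


if __name__ == "__main__":
    for release in (1.0, 4.0, 12.0):
        for interval in (0.25, 1.0, 24.0):
            print(f"signature at {release:>4}h, updates every {interval:>5}h: "
                  f"{expected_exposure(release, interval):6.1%} gets through")
```

Even with a vendor releasing at hour four, a once-a-day update schedule lets over 90% of this outbreak through on average, while the table makes the gain from hourly or quarter-hourly pulls concrete.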

The next question to ask is, even if you have updated your signatures, are they any good? For the purposes of this investigation, we used the service provided by http://www.virustotal.com to test a cross section of AV products against this new virus.

0 Hour. The picture is bleak


We received nearly 10% of the total outbreak in the first hour. No vendor has signatures for this virus at this time; only NOD32 and Panda even come close to spotting that it is a virus, using their heuristic methods.

1 Hour. Still pretty grim


An hour later, and not a lot has changed. ClamAV is the first out with signatures. As we had reported the virus to the ClamAV team, as we normally do, this isn’t too surprising, although it does show what an excellent job the ClamAV project does.

4 Hours. Signs of Life


After four hours, there are some signs that vendors are starting to get signatures out. Of course, how often VirusTotal refreshes its signatures is unknown, but it certainly keeps up to date with the ClamAV signatures, so there is no reason to suppose it is any worse with those of the other vendors.

However, we are now 70% of the way through the outbreak. So the hit rate is still pretty poor.

12 Hours. Coverage is still patchy


Twelve hours have passed, and detection rates are improving. But by now we are into the fag end of the outbreak - with just a few more to come.

24 Hours. Too little, too late


A new dawn, and some improvement. But by now, Brepibot-U is but a fading memory, with no activity in the wild.

72 Hours. Aftermath


Three days later, Brepibot-U is ancient history. If your AV isn’t picking it up by now, you should be shopping around for something else. Although don’t do it online, as your credit card details will probably be winging their way to the back bedroom of some carding kiddie.

Conclusions

AV systems don’t cut the mustard, at least when it comes to email protection. So:

  • Don’t rely on AV to stop viruses.
  • Use a different AV system on your mail gateway, servers and desktops: strength in depth.
  • Where possible, update signatures more frequently than once a day.
  • Use tight policies on your perimeter devices, especially for outbound access, to mitigate the effects of any trojans that do get through.
  • Longer term, get a bit of bio-diversity into your systems.

Of course, if you are using Internet Defence Network Email Protection, you can just let us worry about the problem.
