What I find interesting is the lack of insight into what AV companies actually do behind the scenes. Peter Szor's book was a great look into some things but AV's don't really publish what they actually do very often. How do they analyze samples? How do they deal with packers? I can make some educated guesses but I'm still very curious. We pretty much publish our techniques, but we're not an AV company so maybe that doesn't count.
<br><br>We've got many tens of thousands of samples both old and new that we've been through both automagically and manually. The common thing that I've seen is that malware sucks. Its not sophisticated, it uses dirt simple, often ancient techniques, and its slow to adopt new things. For example, Joanna, us, and others have released numerous techniques for VM detection. These techniques are multiple years old and not too difficult. What do I see most often in my collection for VM detection? Putting the output of "net start" into a text file and searching for "vmware". Where are all the awesome anti-analysis/anti-vmware samples out there?
<br><br>Why does malware suck? Because it still works. AV sucks at detecting it, users suck at avoiding it, so why bother making it sophisticated? However I would say don't underestimate malware authors just because the bulk of whats out there isn't very good. It has moved from the kid or "researcher" screwing around to a professional business. Occasionally we see "commercially" developed malware that IS very sophisticated. Rustock is a good example of this. Lots of the spyware out there is actually pretty good too.
<br><br>I would venture to say it takes some skill to release a "software product" to millions of users and have it work consistently. A lot of malware archives this one simple goal that occasionally even professional software vendors fail at.
<br><br>V.<br><br><div><span class="gmail_quote">On 6/15/07, <b class="gmail_sendername">Paul Melson</b> <<a href="mailto:pmelson@gmail.com">pmelson@gmail.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
> I would suggest you are talking about different people.<br>> The malware analysts at any AV company probably dig through more malware<br>samples than you do on a<br>> regular basis.<br><br>I would hope so, seeing as it's at the top of their job description. But
<br>you know who's probably not elbow-deep in malware these days? Mark Harris.<br><br><br>> Underestimating your opponents is a fatal mistake either way. The best<br>malware analysts I know are well<br>> aware of the skills of the authors. Likewise so are the authors I know
<br>aware of the skills of the<br>> analysts.<br><br>In fairness to Mark Harris, the malware submission that sparked his post 1)<br>didn't run and 2) contained furry pr0n. Maybe he's not underestimating in<br>
this one case.<br><br>PaulM<br><br><br>_______________________________________________<br>Dailydave mailing list<br><a href="mailto:Dailydave@lists.immunitysec.com">Dailydave@lists.immunitysec.com</a><br><a href="http://lists.immunitysec.com/mailman/listinfo/dailydave">
http://lists.immunitysec.com/mailman/listinfo/dailydave</a><br></blockquote></div><br><br clear="all"><br>-- <br>******************************************<br>* Val Smith <br>* CTO Offensive Computing, LLC
<br>* <a href="http://www.offensivecomputing.net">http://www.offensivecomputing.net</a> <br>*******************************************