Years Later, Initial AV Detections Still Low

Despite advances in technology that improve the detection efficacy of antivirus (AV) software, identification rates for newly generated threat artifacts continue to be low. As an example, consider the VirusTotal results for malware served this week by drive-by downloads originating from Indowebster[.]com, an Alexa top-ranked website that has regularly appeared in Threatglass during the last several months. Per the aforementioned results, only 8 of 54 tools identify the executable as malicious, and among the many false negatives are the offerings of several popular AV vendors.

Come for a Drive-by Download, Stay for a Microcosm of a Long-standing Issue

Unfortunately, detection results for the exploit content that resulted in retrieval of the malware executable are no better. Per those results, only 8 of 54 tools identify the exploit as malicious. Meanwhile, detections for the deobfuscated version of the exploit are actually lower than those of the obfuscated version, which reveals continued creation of brittle, easily circumvented signatures and heuristics.

If experience is any guide, within one week, detections for both the exploit and the payload should be dramatically improved. While such a timeframe is substantially better than the average delays observed half a decade ago, there is still plenty of room for improvement, as even a several day window provides sufficient time for the attacker to achieve a variety of objectives.