Only One In Seven Consumer AV Tools Catch New 'Aurora' Variants

NSS Labs says its new test shows emphasis on antivirus exploit detection flawed, but others disagree

Most antivirus products don't detect new variants of the exploit used in the so-called "Operation Aurora" attacks on Google, Adobe, and other U.S. companies, according to a new test conducted by NSS Labs.

NSS Labs created variants of the Aurora exploit and tested whether seven consumer AV packages would catch them. The exploits attacked the Internet Explorer vulnerability used in the Aurora attacks. Only McAfee Internet Security 2010 with SecurityCenter, Version 9.15.160, stopped the variants. Other products tested were AVG Internet Security Version 9.0.733; ESET Smart Security 4 Version 4.0.474.0; Kaspersky Internet Security 2010 Version; Symantec Norton Internet Security 2010 Version; Sophos Endpoint Protection for Enterprise Anti-Virus Version 9.0.0; and Trend Micro Internet Security 2010 Version 17.50.1366.0000.

"Vendors need to put more focus on the vulnerability than on exploit protection," says Rick Moy, president of NSS Labs. "They pay more attention to the payload, and that's the problem."

Moy says vulnerability-based protection from AV companies basically serves as a way to plug the hole in the door. "And if you patch, the door goes away altogether," he says. He says he had expected that most, if not all, of the AV tools would have detected variants of the malware given the time that has elapsed since the attacks and the widely published information on the malware.

But Marc Maiffret, chief security architect for FireEye, says it's the reactive approach to catching malware that's all wrong. "The thinking on this [test] is very old-school: Vulnerability-based protection is stupid because you're saying you have to know about the vulnerability. The whole point of Aurora and most modern, significant attacks is that we don't know about the vulnerability," Maiffret says. "They should have been testing to see who actually would have stopped Aurora regardless of known vulnerability prevention. Reactive vulnerability signatures are just another losing battle."

Maiffret says it's a systemic problem. "One of the biggest farces in our industry recently is that all of these vendors are claiming zero-day protection, but what they are really saying is that they went from writing reactive signatures for exploits to writing reactive signatures for vulnerabilities."

Randy Abrams, director of technical education for ESET, says vulnerabilities must be patched by the vendor, not protected by the AV product. "We all detect some attempts to exploit vulnerabilities, but this isn't always feasible with every attempted exploit. In some cases, such scanning would bring systems to their knees," Abrams says. "In some cases, there would be false positives induced as some programmers do not realize they have found a vuln and write in-house programs that make use of the vuln," which sometimes happens, he says.

Abrams says it's all about defense-in-depth. "Right now one of the biggest battles is to simply get people to patch in a timely manner," he says. "Conficker showed how bad patch management is at the corporate and governmental levels. Aurora demonstrated that it really is important to use current Web browsers."


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
