NSS Labs created variants of the Aurora exploit and tested whether seven consumer AV packages would catch them. The exploits attacked the Internet Explorer vulnerability used in the Aurora attacks. Only McAfee Internet Security 2010 with SecurityCenter, Version 9.15.160, stopped the variants. Other products tested were AVG Internet Security Version 9.0.733; ESET Smart Security 4 Version 4.0.474.0; Kaspersky Internet Security 2010 Version 9.0.0.736; Symantec Norton Internet Security 2010 Version 17.0.0.136; Sophos Endpoint Protection for Enterprise Anti-Virus Version 9.0.0; and Trend Micro Internet Security 2010 Version 17.50.1366.0000.
"Vendors need to put more focus on the vulnerability than on exploit protection," says Rick Moy, president of NSS Labs. "They pay more attention to the payload, and that's the problem."
Moy says vulnerability-based protection from AV companies basically serves as a way to plug the hole in the door. "And if you patch, the door goes away altogether," he says. He says he had expected that most, if not all, of the AV tools would have detected variants of the malware given the time that has elapsed since the attacks and the widely published information on the malware.
But Marc Maiffret, chief security architect for FireEye, says it's the reactive approach to catching malware that's all wrong. "The thinking on this [test] is very old-school: Vulnerability-based protection is stupid because you're saying you have to know about the vulnerability. The whole point of Aurora and most modern, significant attacks is that we don't know about the vulnerability," Maiffret says. "They should have been testing to see who actually would have stopped Aurora regardless of known vulnerability prevention. Reactive vulnerability signatures are just another losing battle."
Maiffret says it's a systemic problem. "One of the biggest farces in our industry recently is that all of these vendors are claiming zero-day protection, but what they are really saying is that they went from writing reactive signatures for exploits to writing reactive signatures for vulnerabilities."
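The distinction the two sides are arguing about, a signature for one exploit's bytes or shape versus a rule for the condition the vulnerability requires, can be shown on constructed samples. The following is an added illustration, not code from NSS Labs, the article, or any AV vendor: a toy statement language (`alloc`, `free`, `use`, anything else is noise) stands in for a use-after-free trigger, and three detectors are run over a known sample, two variants, and a benign program. The hash and regex detectors model payload and exploit signatures; the third models a vulnerability rule that tracks object state and therefore survives renaming and padding. As Maiffret's point implies, even that rule presupposes knowledge of the bug class, which is why it cannot substitute for the vendor patch.

```python
"""Toy comparison of payload/exploit signatures versus a vulnerability-condition
rule. All samples are constructed for this example; none is real Aurora code."""
import hashlib
import re

# Constructed samples: one statement per line, `alloc x`, `free x`, `use x`,
# or any other line (treated as noise by the rule).
KNOWN_EXPLOIT = """\
alloc img1
free img1
use img1
"""

VARIANT_RENAMED = """\
alloc q
free q
use q
"""

VARIANT_PADDED = """\
alloc img1
noise 1
free img1
noise 2
noise 3
use img1
"""

BENIGN = """\
alloc img1
use img1
free img1
"""

SAMPLES = {
    "known": KNOWN_EXPLOIT,
    "renamed": VARIANT_RENAMED,
    "padded": VARIANT_PADDED,
    "benign": BENIGN,
}

# Payload signature: the hash of one captured sample. Any byte change defeats it.
KNOWN_HASH = hashlib.sha256(KNOWN_EXPLOIT.encode()).hexdigest()


def payload_signature(sample: str) -> bool:
    """Exact-hash match against the captured payload."""
    return hashlib.sha256(sample.encode()).hexdigest() == KNOWN_HASH


# Exploit signature: a pattern for the shape of one exploit. It tolerates
# changes elsewhere in the file but not renamed objects or interleaved noise.
EXPLOIT_REGEX = re.compile(r"free img1\nuse img1")


def exploit_signature(sample: str) -> bool:
    """Regex match on the known exploit's trigger lines."""
    return EXPLOIT_REGEX.search(sample) is not None


def vulnerability_rule(sample: str) -> bool:
    """Flag the condition the bug requires: a `use` of an object after its
    `free`, regardless of the object's name or what is interleaved."""
    freed = set()
    for line in sample.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # noise or malformed line
        op, obj = parts
        if op == "free":
            freed.add(obj)
        elif op == "alloc":
            freed.discard(obj)  # a fresh allocation is live again
        elif op == "use" and obj in freed:
            return True
    return False


def evaluate(samples: dict) -> dict:
    """Return {name: (payload_hit, exploit_hit, vuln_rule_hit)} per sample."""
    return {
        name: (payload_signature(s), exploit_signature(s), vulnerability_rule(s))
        for name, s in samples.items()
    }


if __name__ == "__main__":
    print(f"{'sample':<10}{'payload':<10}{'exploit':<10}{'vuln rule'}")
    for name, verdict in evaluate(SAMPLES).items():
        print(f"{name:<10}" + "".join(f"{str(v):<10}" for v in verdict))
```

Running the block prints a verdict table: only the captured sample is caught by the hash, the regex also misses both variants, and the state-tracking rule catches the variants while leaving the benign program (which frees after its last use) alone.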
Randy Abrams, director of technical education for ESET, says vulnerabilities must be patched by the vendor, not protected by the AV product. "We all detect some attempts to exploit vulnerabilities, but this isn't always feasible with every attempted exploit. In some cases, such scanning would bring systems to their knees," Abrams says. "In some cases, there would be false positives induced as some programmers do not realize they have found a vuln and write in-house programs that make use of the vuln," he says, adding that this does happen in practice.
Abrams says it's all about defense-in-depth. "Right now one of the biggest battles is to simply get people to patch in a timely manner," he says. "Conficker showed how bad patch management is at the corporate and governmental levels. Aurora demonstrated that it really is important to use current Web browsers."