OMG, our cybervaccines are failing

Kristian Köhntopp, February 17, 2017

Dark Reading is scared: All new malware is “zero-day”, for an interesting and wrong definition of zero-day, because then the article reads as much more impressive.

The actual definition of a Zero Day is a previously unknown exploit that is being used by some party to compromise a machine. In the article, the term is used differently, meaning a file that is known malware, but has changed itself so that its checksum is not in currently distributed signature catalogs of known malware. That is of course neither correct nor new.

Mutation engines, for example for viruses, are old hat. We have known about them for more than a decade, almost two. The better ones take x86 machine code, auto-dissect it into basic blocks and then re-link these to a semantically equivalent program in a completely different, random order. They may also re-compile certain assembly instructions in these basic blocks to other, semantically equivalent assembly instructions that have different byte encodings: There are many ways to clear a register or to load a value from memory, after all.

In today’s detection industry, one should think of hashing as more of a shortcut to locate the easy stuff, or rule out known good files (whitelisting).

That’s more like the state of the detection reality from 15 years ago. On the other hand, threat detection software is getting out of hand. A MacBook I have had access to can unzip a piece of software with some 7000 files just fine in under 3 seconds to its internal SSD. The same MacBook with a Trend Micro AV solution installed takes 11 seconds to do the same, and 18 seconds if it is done in a directory that is not excluded from scanning in the TM config file. Add FireEye on top of that and the same operation is now at 27 seconds execution time. The laptop is now secure mostly because nobody can do anything with it any more. In many other articles, these so-called security solutions have been shown to be actually contributing to the problem.
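To make the points above about checksum catalogs and equivalent instructions concrete, here is an added example (not part of the original post) of a hash lookup used for triage. The three byte strings are constructed, harmless x86 snippets that each clear EAX and return; the names `triage`, `VARIANTS` and `KNOWN_GOOD` are made up for this illustration.

```python
import hashlib

# Constructed, harmless x86 snippets: each clears EAX and returns.
# Same behaviour, different bytes, therefore different checksums.
VARIANTS = {
    "xor eax, eax; ret": bytes.fromhex("31c0c3"),
    "sub eax, eax; ret": bytes.fromhex("29c0c3"),
    "mov eax, 0; ret": bytes.fromhex("b800000000c3"),
}
# Constructed stand-in for a file the defender has already vetted.
KNOWN_GOOD = b"constructed stand-in for a vetted system binary"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(data: bytes, blocklist: set, allowlist: set) -> str:
    """Hash lookup as a shortcut: it only settles exact byte matches."""
    digest = sha256(data)
    if digest in blocklist:
        return "known-bad"
    if digest in allowlist:
        return "known-good"
    # A miss is not a verdict: the file still needs static or
    # behavioural analysis before anyone calls it clean or new.
    return "unknown"


def run_demo() -> dict:
    # The signature catalog has only ever seen the first encoding.
    blocklist = {sha256(VARIANTS["xor eax, eax; ret"])}
    allowlist = {sha256(KNOWN_GOOD)}
    results = {
        name: triage(code, blocklist, allowlist)
        for name, code in VARIANTS.items()
    }
    results["known good file"] = triage(KNOWN_GOOD, blocklist, allowlist)
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{verdict:10}  {name}")
```

Only the exact bytes in the catalog come back as known-bad; the two equivalent encodings fall through to "unknown", which is why a checksum miss says nothing about whether the code is new.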