Friday, April 07, 2006

How The Anti-Virus Industry Is Turning A White Hat Black, or (at least) Gray

Via eMail Battles.

On the 28th day of December 2005, Tibbar encrypted the public version of Hacker Defender, the world-famous Windows rootkit. At the same time, the anonymous author unleashed codeCrypter on the web.

Then Tibbar waited.

On the first of March 2006, Tibbar ("Rabbit" spelled backwards) submitted the codeCrypter'd Hacker Defender to VirusTotal, an online virus testing service used by white and black hats alike.

The results were dispiriting. Despite two months' warning, just four of 24 anti-virus engines recognized Tibbar's creation: BitDefender, Ikarus, NOD32 and VBA32. Three more engines, CAT-QuickHeal, Fortinet and Panda, flagged it only as suspicious, without naming it.

Tibbar waited three weeks, then tried again at a different malware scanner: Jotti. The results were slightly more encouraging. This time, AntiVir, BitDefender, Dr. Web, Fortinet, Kaspersky Anti-Virus, NOD32 and VBA32 caught him. AVG AntiVirus caught a generic backdoor. That's eight of 15 vendors. Better.

On the fifth of April, Jack Koziol took up the gauntlet at Ethical Hacking and Computer Forensics. He packaged and resubmitted the codeCrypter'd Hacker Defender rootkit to VirusTotal. Sadly, his list of worthies expanded by only one. Kaspersky found the rootkit.
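Why a crypter hurts the engines above, and what an engine has to do to catch the wrapped file anyway, is easier to see in code than in a scan report. The block below is an added illustration for this post, not codeCrypter, not Hacker Defender, and not anyone's scanning engine: the payload bytes, the `TOYCRYPT` container format, the XOR "encryption" and the signature names are all constructed for the demo. It shows a naive pattern scanner catching the plain sample, missing the same sample once wrapped, and catching it again either by a signature on the wrapper's stub or by unpacking one layer and rescanning.

```python
# Added illustration for this post: a toy "crypter" and a toy signature scanner.
# Nothing here is codeCrypter, Hacker Defender, or any vendor's engine; the payload
# bytes, the container format and the signature names are all constructed for the demo.

# Constructed stand-in for a known sample: a fake DOS/PE-ish header followed by a
# distinctive marker string and some filler bytes.  It is not a real rootkit.
ORIGINAL_PAYLOAD = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"hxdef100 constructed stand-in body"
    + bytes(range(256))
)

# Toy signature database: the byte patterns a pattern-matching engine looks for
# in the file as it sits on disk.  Names are invented for the example.
PAYLOAD_SIGNATURES = {
    "Rootkit.HackerDefender.Sample": b"hxdef100",
}

# Signature on the crypter's own stub/container: the part that cannot be hidden,
# because it has to be present in clear to recover the body.
STUB_MAGIC = b"TOYCRYPT\x01"
STUB_SIGNATURES = {
    "Packer.ToyCrypter": STUB_MAGIC,
}


def scan(blob, sigs):
    """Naive static scan: report every signature whose pattern occurs in blob."""
    return sorted(name for name, pattern in sigs.items() if pattern in blob)


def toy_crypt(payload, key):
    """Wrap payload in the constructed container: magic | key length | key | XOR body.

    A real crypter embeds a decryption stub rather than a bare key, but the effect
    on a pattern scanner is the same: every byte of the original body is altered,
    so patterns taken from the original no longer occur in the file on disk.
    """
    if not key or len(key) > 255:
        raise ValueError("key must be 1..255 bytes")
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return STUB_MAGIC + bytes([len(key)]) + key + body


def toy_unpack(blob):
    """What an unpacking-aware engine does: recognise the container, recover the body.

    Returns None for files that are not in this container format or are truncated.
    """
    if not blob.startswith(STUB_MAGIC):
        return None
    pos = len(STUB_MAGIC)
    if len(blob) <= pos:
        return None
    klen = blob[pos]
    key = blob[pos + 1 : pos + 1 + klen]
    body = blob[pos + 1 + klen :]
    if klen == 0 or len(key) != klen:
        return None
    return bytes(b ^ key[i % klen] for i, b in enumerate(body))


def scan_with_unpacking(blob):
    """Static scan of the file plus one layer of unpacking, then a rescan of the body."""
    hits = set(scan(blob, PAYLOAD_SIGNATURES)) | set(scan(blob, STUB_SIGNATURES))
    inner = toy_unpack(blob)
    if inner is not None:
        hits |= set(scan(inner, PAYLOAD_SIGNATURES))
    return sorted(hits)


if __name__ == "__main__":
    crypted = toy_crypt(ORIGINAL_PAYLOAD, b"\x5a\xa5\x3c")
    print("original, static scan:     ", scan(ORIGINAL_PAYLOAD, PAYLOAD_SIGNATURES))
    print("crypted, static scan:      ", scan(crypted, PAYLOAD_SIGNATURES))
    print("crypted, stub signature:   ", scan(crypted, STUB_SIGNATURES))
    print("crypted, scan + unpacking: ", scan_with_unpacking(crypted))
```

The two recovery paths in the example map loosely onto the two kinds of result in the scan reports above: an engine that names the rootkit after wrapping has either unpacked the file or matched the body some other way, while an engine that only reports something "suspicious" or a generic backdoor is most likely reacting to the stub, the way `STUB_SIGNATURES` does here. The caveat is that a stub signature is cheap for the crypter author to invalidate by rebuilding the stub, which is why unpacking or emulation, not a signature on the wrapper, is the durable answer.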

More here.
