3

Lately, I've read several articles about anti-malware software and one thing caught my eye - ability to detect zero-day attacks.

In short - how does anti-malware / anti-virus industry test their own software against zero-day threats? How can someone claim that AV X protects system against 93% of zero-day viruses?

StupidOne
  • 2,802
  • 21
  • 35
  • 1
    I think they use heuristic detection, more info on [wikipedia](https://en.wikipedia.org/wiki/Heuristic_analysis "wikipedia") and [here](http://internet-security-suite-review.toptenreviews.com/premium-security-suites/what-is-heuristic-antivirus-detection-.html). – null Dec 21 '12 at 16:30

1 Answer

4

First off, virtually all AV companies have several "fly traps" or "honeypots". A fly trap is a network of desktop computers with Internet access and zero protection that exist to "catch" malware. Bot-scripts on the computers crawl the web looking for risky sites, and break all the rules for safe browsing that are drilled into us normal people. As a result, they pretty much become petri dishes for computer viruses.

These fly traps serve two valuable purposes to security experts; first, these boxes catch new malware that may never have been seen before, giving experts notice that a zero-day threat exists. Second, once they've isolated something new, they can introduce it into a completely isolated, "clean" fly trap with a lot of monitoring tools, and watch it do its thing; see how it replicates, what protocols and ports it uses, what files it modifies, what harmful effects it can have; generally, everything they need to know to be able to protect AV subscribers from this new threat. They can also introduce it to a computer protected by their AV software, and see how well it fares; anything the virus does that the AV doesn't catch and prevent can be specifically looked for by tweaking their virus definition files or their heuristic algorithms to add this known threat.

In addition, AV experts have been at this for years. Decades even. Despite news stories reporting worms like Conficker, Storm, Stuxnet etc., these are the two or three a year that are notable; thousands of new viruses a year go unreported, because they're really just a rehash of something the AV guys already knew about. As Techbrunch said, most AVs have a heuristic detection algorithm layered on top of looking for specific known viruses. There are areas of a computer that are obvious targets (kernel, device drivers, network adapter, I/O hooks), and there are well-known ways to try to get to them. AV algorithms continually scan a protected system looking for these general red flags. Those thousands of new but unoriginal viruses trip the heuristic detection, the AV interrogates the source, collects information, quarantines anything that might have been maliciously affected and calls home to report this new potential malware. This heuristic algorithm basically turns every AV-protected computer in the world into a huge fly trap for the company writing the AV; what better way to see what needs to be defended against than to see infections happening in the real world?

KeithS
  • 6,678
  • 1
  • 22
  • 38
  • And by fly traps he means honeypots. Also, if you think you have 0day code, upload it to virustotal.com or any of the various other websites to test; that will get absorbed into the AV community pretty quickly from there. – JZeolla Dec 21 '12 at 18:14
  • 1
    Edited to include the term; however I always considered "honeypots" to be computers that appear to have something of value, making them hacking targets, not necessarily virus-catchers (though hackers often use viruses to do their deeds). – KeithS Dec 21 '12 at 18:31
  • From the brief and unscientific work I've done on these tests, I'd say one of the most effective ways to test is to write your own malware containing various common and uncommon traits. That way you get the detection without the issues of having the samples spread, or the hassle of honeypotting the real 0day malware. – Polynomial Dec 21 '12 at 20:41
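The layered approach the answer describes (an exact lookup against a definition file, then heuristic scoring of the behaviour a sample shows inside an isolated "clean" machine, with quarantine and a report once enough red flags add up) as an added example. This is not code from the original post or from any AV vendor; the rule set, weights, threshold, hash table and sandbox event records are all constructed assumptions chosen to mirror the "obvious targets" the answer lists (drivers, kernel, I/O hooks, network, persistence).

```python
"""Toy two-layer detector: a definition-file hash lookup, then heuristic
scoring of behaviour recorded while a sample runs in an isolated machine.
Every rule, weight, threshold and event below is a constructed assumption
for illustration, not a real vendor's engine or real malware telemetry."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Layer 1: "definition file" mapping known-bad SHA-256 values to names
# (hash of a constructed byte string, standing in for a real sample).
KNOWN_BAD_SHA256: Dict[str, str] = {
    hashlib.sha256(b"constructed sample A").hexdigest(): "Example.Worm.A",
}

Event = Dict[str, object]

# Layer 2: heuristic rules over the red flags the answer lists. Each entry
# is (rule name, predicate over one sandbox event, weight); all constructed.
HEURISTIC_RULES: List[Tuple[str, Callable[[Event], bool], int]] = [
    ("writes_driver_dir",
     lambda e: e.get("type") == "file_write"
     and str(e.get("path", "")).lower().startswith("c:\\windows\\system32\\drivers\\"), 4),
    ("loads_kernel_driver",
     lambda e: e.get("type") == "api_call" and e.get("api") == "NtLoadDriver", 5),
    ("installs_io_hook",
     lambda e: e.get("type") == "api_call" and e.get("api") == "SetWindowsHookEx", 3),
    ("listens_on_port",
     lambda e: e.get("type") == "net_listen", 2),
    ("connects_to_smb",
     lambda e: e.get("type") == "net_connect" and e.get("port") == 445, 2),
    ("run_key_persistence",
     lambda e: e.get("type") == "reg_write"
     and "\\currentversion\\run" in str(e.get("key", "")).lower(), 3),
]
QUARANTINE_THRESHOLD = 6  # constructed: total weight at which we quarantine and call home


@dataclass
class Verdict:
    sample: str
    known_as: Optional[str]
    score: int
    triggered: List[str]
    quarantined_paths: List[str]
    action: str


def signature_lookup(sample_bytes: bytes) -> Optional[str]:
    """Layer 1: exact match against the definition file."""
    return KNOWN_BAD_SHA256.get(hashlib.sha256(sample_bytes).hexdigest())


def heuristic_score(events: List[Event]) -> Tuple[int, List[str]]:
    """Layer 2: each rule fires at most once per sample; weights add up to a score."""
    score, triggered = 0, []
    for name, pred, weight in HEURISTIC_RULES:
        if any(pred(e) for e in events):
            score += weight
            triggered.append(name)
    return score, triggered


def classify(sample_name: str, sample_bytes: bytes, events: List[Event]) -> Verdict:
    """Combine both layers into one verdict with the action to take."""
    known = signature_lookup(sample_bytes)
    score, triggered = heuristic_score(events)
    # Files the sample wrote are what a quarantine step would isolate.
    touched = [str(e["path"]) for e in events if e.get("type") == "file_write"]
    if known:
        action = "block: known signature"
    elif score >= QUARANTINE_THRESHOLD:
        action = "quarantine and report"
    elif score > 0:
        action = "monitor"
    else:
        action = "clean"
    quarantined = touched if action == "quarantine and report" else []
    return Verdict(sample_name, known, score, triggered, quarantined, action)


# Constructed sandbox observations (not real telemetry).
SAMPLE_B_EVENTS: List[Event] = [  # unknown hash, but a rehash of well-known tricks
    {"type": "file_write", "path": "C:\\Windows\\System32\\drivers\\xyz.sys"},
    {"type": "api_call", "api": "NtLoadDriver"},
    {"type": "net_listen", "port": 4444},
]
SAMPLE_C_EVENTS: List[Event] = [  # an updater adding a Run key: suspicious, not damning
    {"type": "reg_write", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
]

if __name__ == "__main__":
    for name, data, evs in [("A", b"constructed sample A", []),
                            ("B", b"constructed sample B", SAMPLE_B_EVENTS),
                            ("C", b"constructed sample C", SAMPLE_C_EVENTS)]:
        print(classify(name, data, evs))
```

Sample B never matches the definition file, which is the zero-day case from the question, yet it is quarantined purely because the behaviour it shows in the isolated machine (dropping a driver, loading it, opening a listening port) trips enough weighted rules; sample C trips one rule and is only watched. A real engine's rule set and weights are tuned against exactly the kind of honeypot and field telemetry the answer describes.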