Despite advances in technology that improve the detection efficacy of antivirus (AV) software, identification rates for newly generated threat artifacts continue to be low. As an example, consider the VirusTotal results for malware served this week by drive-by downloads originating from Indowebster[.]com, an Alexa top-ranked website that has regularly appeared in Threatglass during the last several months. Per the aforementioned results, only 8 of 54 tools identify the executable as malicious, and among the many false negatives are the offerings of several popular AV vendors.
Come for a Drive-by Download, Stay for a Microcosm of a Long-standing Issue
Unfortunately, detection results for the exploit content that led to retrieval of the malware executable are no better. Per those results, only 8 of 54 tools identify the exploit as malicious. Meanwhile, detections for the deobfuscated version of the exploit are actually lower than those for the obfuscated version, which shows that signatures and heuristics are still being written against the obfuscation layer rather than the underlying exploit, and are therefore brittle and easily circumvented.
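The following toy detector is an added example, not code from the original post or from Barracuda; it uses constructed, non-malicious samples and a hypothetical indicator URL (example.invalid) to illustrate the failure mode described above. A signature keyed to the obfuscation artifact (here, the first char codes of a String.fromCharCode() array) fires on the obfuscated sample but misses the same content once it is deobfuscated or re-encoded, whereas a detector that normalizes common encodings before matching catches all three surface forms.

```python
"""Brittle vs. normalizing detection over obfuscated, deobfuscated and
re-encoded variants of the same content (constructed samples)."""
import re

# Hypothetical indicator a defender wants to flag; not from the post.
INDICATOR = "http://example.invalid/payload.exe"


def _charcode_array(s: str) -> str:
    """Encode a string as a String.fromCharCode(...) call (constructed obfuscation)."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in s) + ")"


def _hex_escapes(s: str) -> str:
    """Encode a string as \\xNN escapes (a second constructed obfuscation)."""
    return "".join("\\x%02x" % ord(c) for c in s)


# Three constructed samples carrying the same content in different forms.
OBFUSCATED_SAMPLE = "var u=" + _charcode_array(INDICATOR) + ";load(u);"
DEOBFUSCATED_SAMPLE = 'var u="' + INDICATOR + '";load(u);'
HEX_ESCAPE_SAMPLE = 'var u="' + _hex_escapes(INDICATOR) + '";load(u);'

# Brittle signature: matches the obfuscation artifact itself, i.e. the char
# codes for "http" at the start of the encoded indicator.
BRITTLE_SIGNATURE = re.compile(r"String\.fromCharCode\(104,116,116,112")


def brittle_detect(sample: str) -> bool:
    """Signature written against the obfuscated form only."""
    return BRITTLE_SIGNATURE.search(sample) is not None


# Normalization: undo common encodings so the matcher sees the same text
# regardless of how it was wrapped.
_FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+)\)")
_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
_UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")


def normalize(sample: str) -> str:
    """Decode fromCharCode arrays and \\x / \\u escapes into plain text."""
    def _decode_codes(m: re.Match) -> str:
        codes = [int(n) for n in m.group(1).split(",") if n.strip()]
        return '"' + "".join(chr(c) for c in codes) + '"'

    out = _FROMCHARCODE.sub(_decode_codes, sample)
    out = _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), out)
    out = _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), out)
    return out


def robust_detect(sample: str) -> bool:
    """Match the indicator on the normalized content, not the surface form."""
    return INDICATOR in normalize(sample)


def evaluate() -> dict:
    """Return per-sample verdicts for both detectors."""
    samples = {
        "obfuscated": OBFUSCATED_SAMPLE,
        "deobfuscated": DEOBFUSCATED_SAMPLE,
        "hex_escaped": HEX_ESCAPE_SAMPLE,
    }
    return {
        name: {"brittle": brittle_detect(s), "robust": robust_detect(s)}
        for name, s in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:13s} brittle={verdict['brittle']!s:5s} robust={verdict['robust']}")
```

The point of the normalization step is not the specific decoders (real engines handle far more encodings) but that the match runs after unwrapping, so a signature does not become tied to one obfuscation layer and silently fail the moment the content is repackaged or the layer is removed.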
If experience is any guide, detections for both the exploit and the payload should improve dramatically within one week. While such a timeframe is substantially better than the average delays observed half a decade ago, there is still plenty of room for improvement, as even a several-day window gives the attacker enough time to achieve a variety of objectives.
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. In this role, she helps bring Barracuda stories to life and facilitate communication between the public and Barracuda internal teams. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.