Malicious coders' tactic of churning out numerous variations of a malicious program works well at defeating most antivirus defenses, a researcher at security firm FireEye stated in an analysis published on Thursday.
Stuart Staniford, chief scientist at the firm, took 217 binaries flagged as malicious by his company's product for detecting Web infections and submitted them to VirusTotal, a service that collects the responses of 36 antivirus scanners. The results showed that online attackers tend to use a particular code variant for only a short time, Staniford said in a blog post discussing the results.
"They generally create new binary packing, use that exact version for a few days to a week or so, and then discard it once it becomes widely known," Staniford stated. "The lifetime of a newly created malweb binary is a few days to a week before it is discarded."
The researcher also found that the samples submitted to VirusTotal during the three-day period of the study were only detected, on average, by slightly more than 40 percent of the antivirus scanners run by the service.
The study did not track the performance of particular scanning engines, which leaves open the possibility that a handful of anti-malware products performed much better than the statistical 4-out-of-10 result.
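To make the methodology and the caveat concrete, here is an added example (not code from the FireEye study or from VirusTotal) that takes a VirusTotal-style scan matrix and computes both the per-sample average the article reports and the per-engine breakdown the study did not publish. The sample names, engine names and verdicts are constructed for illustration: the aggregate comes out at 40 percent while one hypothetical engine catches every sample and another catches none, which is exactly the kind of spread a per-sample average hides.

```python
"""Per-sample versus per-engine detection statistics over scan results.

Added illustration, not code from the study. The scan matrix below is
constructed: six hypothetical samples checked by five hypothetical engines,
in the shape a multi-scanner service returns (one verdict per engine per
sample). The numbers are chosen so the per-sample average is 40 percent
while individual engines range from 0 to 100 percent.
"""
from typing import Dict

# Constructed scan matrix: sample label -> {engine name: detected?}.
# Labels and engine names are placeholders, not real hashes or products.
SCAN_RESULTS: Dict[str, Dict[str, bool]] = {
    "sample01": {"EngineA": True,  "EngineB": True,  "EngineC": True,  "EngineD": False, "EngineE": False},
    "sample02": {"EngineA": True,  "EngineB": True,  "EngineC": False, "EngineD": False, "EngineE": False},
    "sample03": {"EngineA": True,  "EngineB": False, "EngineC": True,  "EngineD": True,  "EngineE": False},
    "sample04": {"EngineA": True,  "EngineB": True,  "EngineC": False, "EngineD": False, "EngineE": False},
    "sample05": {"EngineA": True,  "EngineB": False, "EngineC": False, "EngineD": False, "EngineE": False},
    "sample06": {"EngineA": True,  "EngineB": False, "EngineC": False, "EngineD": False, "EngineE": False},
}


def per_sample_detection_rate(results: Dict[str, Dict[str, bool]]) -> Dict[str, float]:
    """Fraction of engines that flagged each sample (the figure the study averaged)."""
    rates = {}
    for sample, verdicts in results.items():
        if not verdicts:
            raise ValueError(f"{sample}: no engine verdicts recorded")
        rates[sample] = sum(verdicts.values()) / len(verdicts)
    return rates


def average_detection_rate(results: Dict[str, Dict[str, bool]]) -> float:
    """Overall detections divided by overall scans, computed on integers to avoid
    accumulating float error across many samples."""
    detections = sum(sum(v.values()) for v in results.values())
    scans = sum(len(v) for v in results.values())
    if scans == 0:
        raise ValueError("no scans recorded")
    return detections / scans


def per_engine_detection_rate(results: Dict[str, Dict[str, bool]]) -> Dict[str, float]:
    """Fraction of samples each engine flagged; this is the breakdown the study
    did not publish and the reason a 40 percent aggregate says little about
    any single product. An engine missing from a sample is treated as not
    having scanned it, not as a miss."""
    hits: Dict[str, int] = {}
    scanned: Dict[str, int] = {}
    for verdicts in results.values():
        for engine, detected in verdicts.items():
            scanned[engine] = scanned.get(engine, 0) + 1
            hits[engine] = hits.get(engine, 0) + int(detected)
    return {engine: hits[engine] / scanned[engine] for engine in scanned}


def engines_at_or_above(results: Dict[str, Dict[str, bool]], threshold: float) -> list:
    """Engines whose per-engine rate meets the threshold, best first."""
    rates = per_engine_detection_rate(results)
    return sorted((e for e, r in rates.items() if r >= threshold),
                  key=lambda e: rates[e], reverse=True)


if __name__ == "__main__":
    print(f"average per-sample detection: {average_detection_rate(SCAN_RESULTS):.0%}")
    for sample, rate in per_sample_detection_rate(SCAN_RESULTS).items():
        print(f"  {sample}: {rate:.0%}")
    print("per-engine detection:")
    for engine, rate in sorted(per_engine_detection_rate(SCAN_RESULTS).items()):
        print(f"  {engine}: {rate:.0%}")
    print("engines at or above 90%:", engines_at_or_above(SCAN_RESULTS, 0.9))
```

Run it as a script to see the two views side by side. The per-sample average is the right number for "how much of the scanning population catches a fresh variant", which is the question the study asked; the per-engine table is the number a buyer comparing products needs, and it cannot be recovered from the average alone.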
Posted by: Robert Lemos