Recently, there has been some dustup around a process we developed last July to facilitate testing malware prevention products.
A key part of this process is providing users of the methodology with new, never-before-seen samples. This matters because many antivirus (AV) engines simply aggregate file hashes in their cloud, so any sample obtainable from a public source has almost certainly been submitted already and is "known" malware.
The whole point of an anti-malware product is protecting you against malware that has never been seen before, so a fair and honest test has to present the product with samples it cannot already have hashed. We therefore "mutate" the malware before testing. Generally this can be done with a simple, off-the-shelf packer such as MPRESS or VMProtect: the packed file has a new hash and new byte patterns on disk, but it unpacks itself in memory and runs exactly as before.
We follow the processes outlined in our Test for Yourself methodology. Literally anyone can repeat this process if they wish, turning known malware into unknown malware.
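To make the mechanism concrete, here is an added example that is not part of the original post and not Cylance's Test for Yourself tooling. It is a deliberately trivial "packer" (an XOR transform with a small header, standing in for MPRESS or VMProtect), a constructed byte string standing in for a known sample (no real malware), and a model of an engine that only matches hashes of files it has already seen. Every name in it (`toy_pack`, `toy_unpack`, `hash_blocklist_detects`, `KNOWN_SAMPLE`) is an assumption of this example.

```python
"""Why hash-based detection fails against repacked samples.

Added example, not the original post's tooling and not MPRESS/VMProtect.
The packer is a trivial XOR transform with a fixed header; the sample is a
constructed byte string, not real malware.  The point it shows: the packed
file's bytes and hashes change, but the payload recovered at runtime does not.
"""
from __future__ import annotations

import hashlib
import os
import struct

MAGIC = b"TOYPACK1"

# Constructed stand-in for a "known" sample that a hash-based engine has seen.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"this stands in for a known malicious PE body" * 4


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def toy_pack(payload: bytes, key: bytes | None = None) -> bytes:
    """Return MAGIC || len(payload) || key || payload XOR key (key repeats).

    Assumption: a real packer also prepends a decompression stub and rewrites
    the PE structure; a fixed header and a random 16-byte key suffice here.
    A fresh key on every call means every repack gets a fresh hash.
    """
    if key is None:
        key = os.urandom(16)
    if len(key) != 16:
        raise ValueError("key must be 16 bytes")
    body = bytes(b ^ key[i % 16] for i, b in enumerate(payload))
    return MAGIC + struct.pack("<I", len(payload)) + key + body


def toy_unpack(blob: bytes) -> bytes:
    """Reverse toy_pack; this is what runs at execution time, so behaviour is unchanged."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a toy-packed blob")
    (length,) = struct.unpack("<I", blob[8:12])
    key = blob[12:28]
    body = blob[28:28 + length]
    if len(body) != length:
        raise ValueError("truncated blob")
    return bytes(b ^ key[i % 16] for i, b in enumerate(body))


def hash_blocklist_detects(blocklist: set[str], sample: bytes) -> bool:
    """Model of an engine that only aggregates hashes of previously seen files."""
    return sha256(sample) in blocklist


def demo(rounds: int = 3) -> dict:
    """Repack the known sample several times and record what a hash blocklist sees."""
    blocklist = {sha256(KNOWN_SAMPLE)}          # the engine "knows" the original
    variants = [toy_pack(KNOWN_SAMPLE) for _ in range(rounds)]
    return {
        "original_detected": hash_blocklist_detects(blocklist, KNOWN_SAMPLE),
        "variants_detected": [hash_blocklist_detects(blocklist, v) for v in variants],
        "distinct_variant_hashes": len({sha256(v) for v in variants}),
        "payload_recovered": all(toy_unpack(v) == KNOWN_SAMPLE for v in variants),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the original sample is caught, every repacked variant carries a distinct hash that the blocklist misses, and `toy_unpack` returns the identical payload each time. That last result is the one that matters for the test methodology: a product that judges the file by what it does, or by what it looks like after unpacking, sees the same sample every time; a product that judges it by its hash sees a new, "unknown" file on every repack.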
This process is not new, and we make no claim to have invented it. What we are proposing is standard practice among malware authors. Many attackers go far beyond these simple mutations, recompiling or rewriting their payloads with polymorphic engines so that every build is unique.
We chose simplicity because it was easier for people to perform for themselves, and because it laid bare the basic minimum level of skill required to cause a 5 billion dollar a year industry to fail.
Understanding Testing Methodologies
We have long held that testing firms need to alter their samples before testing. By using samples from public sources, or samples sent in by the vendors themselves, they bias tests in favor of products that write a multitude of basic signatures, and a signature match on an already-known file says nothing about how a product will fare against malware that has not been written yet.
Without a test that uses unknown samples, or a reliable real-time "real-world" test, testing firms are just repeating the same basic exercise of testing against known samples.
This is a Security Bloggers Network syndicated blog post authored by Chad Skipper. Read the original post at: Cylance Blog