



Virus protection
#34
Until we get completely away from damn sig-based detection we are all screwed royally.

We have installed many corporate versions of AV products and all of them are about 80% effective against stuff that is 1-3 weeks old.
On a zero-day note, none seem to avg. above 75%, and that all depends on how well the code is obfuscated and how many bytes you change. Unfortunately the newest trifecta of evil is a few years ahead of the AV community.

Botnets obfuscate enough code on their own to prevent signature-based detection. This can be done on the fly, and is by certain ones.
The really good coders hide the data streams within other protocols, and some use UDP to transmit data to and from in a semi-stateful connection. Yes, I know it shouldn’t be possible, but there are flaws with the way UDP is designed that you can pad it with TCP session type information and have yourself a nice little remote session over it.