AV caesar, morituri te salutant?
By Vincent HINDERER, Wednesday 21 May 2008 at 18:01 :: General :: #237
A few days ago, Pedro Bustamante from Panda wrote a very interesting post about automated AV signature creation, emphasizing the risk of false positives with such a method. He uses the example of a gaming company, Fenomen Games, that generates numerous distinct Gaming Downloaders. According to him, these binaries are not malicious, and massive FPs are automatically inserted by AV editors into their databases.
In order to cope with the exploding number of malware variants that are dynamically created, AV vendors are forced to use various techniques to automatically analyze and detect new threats. This trend is a tough challenge, and the race between the good guys and the villains can probably not be won by AV engines by that route alone.
Automated malware analysis is undoubtedly the key, given the ever-increasing number of malware variants being seen in the wild. But AV vendors, ISPs and LEAs should also try to make better use of all the intelligence gathered, and particularly the "network" connections initiated by these pieces of malware. Even if viruses are more and more difficult to reverse-engineer today (think about StormWorm's automatic DDoS protection, or the virtual machine detection used by more and more samples), most sandboxes still provide valuable information about command&control and blind-drop Web servers.
For example, we noticed today that one of the samples we had -automatically- analyzed was trying to connect to a server located in the US at this address: http://XXXXquanglan4.t35.com/. New malware variants have been trying to download two files (setting.xls and setting.nql) from this server since May 2007 at least! They are known to belong to a specific worm called Sohanad -also referenced as Pitin under some AV nomenclature- (see here or here for example). What is surprising here is that this malware propagation source is still online one year after being discovered. Let's hope it was deliberately kept online by LEAs or anti-cybercrime units for investigation purposes.
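The practical point of the two paragraphs above is that sandbox network output is worth mining systematically: the same distribution server keeps showing up across samples for a year, and an analyst who correlates hosts and paths across runs spots that long before a signature exists. The script below is an added illustration of that correlation step, not code from this post or from any sandbox product; it assumes a simple one-request-per-line sandbox log format, and every log line, host name and watchlist entry is constructed for the example (the host redacted-host.example stands in for a real distribution server).

```python
"""Correlate network indicators from sandbox HTTP logs.

Added example, not code from the original post. The log format below is
an assumption (timestamp, sample id, HTTP request), and all hosts, paths
and sample ids are constructed placeholders.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sandbox network log: one HTTP request per line.
SANDBOX_LOG = """\
2008-05-20 14:02:11 sample=ab12 GET http://redacted-host.example/setting.xls
2008-05-20 14:02:12 sample=ab12 GET http://redacted-host.example/setting.nql
2008-05-20 15:10:40 sample=cd34 GET http://update.example.org/version.txt
2008-05-21 09:55:03 sample=ef56 GET http://REDACTED-HOST.example/setting.xls
this line is malformed and should be skipped
"""

# Watchlist of (host, path) pairs seen in earlier analyses.  Placeholder
# values, standing in for a known worm distribution point.
WATCHLIST = {
    ("redacted-host.example", "/setting.xls"),
    ("redacted-host.example", "/setting.nql"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) sample=(?P<sample>\w+) GET (?P<url>\S+)$"
)


def parse_log(text):
    """Parse the sandbox log into one dict per request.

    Hosts are normalised to lowercase so that case variations in the
    sample's request do not defeat matching; malformed lines are skipped.
    """
    requests = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        requests.append({
            "ts": m.group("ts"),
            "sample": m.group("sample"),
            "host": (parts.hostname or "").lower(),
            "path": parts.path or "/",
        })
    return requests


def match_watchlist(requests, watchlist=WATCHLIST):
    """Map each sample that fetched a watchlisted URL to the sorted list
    of watchlisted URLs it fetched."""
    hits = defaultdict(set)
    for r in requests:
        if (r["host"], r["path"]) in watchlist:
            hits[r["sample"]].add(r["host"] + r["path"])
    return {sample: sorted(urls) for sample, urls in hits.items()}


def hosts_by_sample_count(requests):
    """Count, per contacted host, how many distinct samples reached it.

    A host contacted by many unrelated samples is a strong candidate for
    a shared command&control or distribution server.
    """
    samples_per_host = defaultdict(set)
    for r in requests:
        samples_per_host[r["host"]].add(r["sample"])
    return {host: len(s) for host, s in samples_per_host.items()}


if __name__ == "__main__":
    reqs = parse_log(SANDBOX_LOG)
    for sample, urls in match_watchlist(reqs).items():
        print(f"{sample}: fetched watchlisted {', '.join(urls)}")
    for host, n in sorted(hosts_by_sample_count(reqs).items()):
        print(f"{host}: contacted by {n} distinct sample(s)")
```

Run over a real sandbox export, the interesting output is the second list: hosts reached by several distinct samples over a long period are exactly the persistent infrastructure the post complains nobody takes down.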
But what is even more disturbing is that these 2 files are only detected by 2 out of 32 AV editors' signatures according to yesterday's VT report (we'll talk another time about these detection rates, as they could be subject to some misunderstanding).
So far, we still need AV engines, but controversy about the AV industry has risen lately in numerous IT security forums and blogs. The RaceToZero contest dilemma and the latest moves in AV testing (merger of Anti Malware Test Lab and AV Comparatives, a new Anti-Malware Testing Working Group set up by a bunch of AV editors, etc.) prove that the industry will probably have to go through some serious changes.
I believe that more "human" investigators, able to require hosting providers -such as t35.com- to disclose information about some of their customers, would help find the real people behind these criminal activities, instead of only dealing with the symptoms (i.e., better protection against infections).