AV-Test: Reaction Times of the latest Worm Attacks


TeknO
August 26th, 2005, 05:38 AM
Related link:
http://www.av-test.org/down/ms05-039.zip

2005-08-22
Reaction Times of the latest MS05-039-based Worm Attacks
You can find the information on how fast the AV companies have reacted with a solution against Bozari.A/B, Drudgebot.B, IRCBot!Var and Zotob.A/B in this Excel sheet (18 KB). Furthermore we have checked how many AV products haven't required an update in order to deal with these threats. All times in GMT.

And results:
http://img387.imageshack.us/img387/5648/av12fc.th.gif (http://img387.imageshack.us/my.php?image=av12fc.gif)
http://img387.imageshack.us/img387/8493/av23ui.th.gif (http://img387.imageshack.us/my.php?image=av23ui.gif)
http://img387.imageshack.us/img387/4807/av39so.th.gif (http://img387.imageshack.us/my.php?image=av39so.gif)
http://img387.imageshack.us/img387/2029/av40gf.th.gif (http://img387.imageshack.us/my.php?image=av40gf.gif)
http://img387.imageshack.us/img387/334/av53cn.th.gif (http://img387.imageshack.us/my.php?image=av53cn.gif)
http://img387.imageshack.us/img387/1196/av64wq.th.gif (http://img387.imageshack.us/my.php?image=av64wq.gif)

And my summary:
http://img399.imageshack.us/img399/7308/avpd3zn.th.gif (http://img399.imageshack.us/my.php?image=avpd3zn.gif)

Sorry for the Turkish words on the summary.
proaktif tesbit = proactively detected
tesbit edilemedi = still no detection
date format = dd.mm.yyyy

Comments on this test?

Regards,

TeknO
August 26th, 2005, 06:52 AM
{QUOTE-> Your summary is not correct, NOD32 detected all mentioned samples proactively by heuristics. This is an excerpt from the xls you mentioned above:
Nod32 minnt.exe 2005-08-16 19:27 Win32/IRCBot.OO trojan (variant)

In your summary window, you stated that NOD32's heuristics actually missed it. Please correct it. <-QUOTE}
It's not correct for me. NOD32 has detected Win32/IRCBot.OO trojan with a virus signature update, not proactively. Please be more careful. Again, thanks for your feedback.
Regards.

Happy Bytes
August 26th, 2005, 07:16 AM
Do a Google search for when this signature was added. "A variant" means it's very close to this detection, however not 100% identical from a binary compare of the files.

Stan999
August 26th, 2005, 10:21 AM
{QUOTE-> It's not correct for me. NOD32 has detected Win32/IRCBot.OO trojan with a virus signature update, not proactively. Please be more careful. Again, thanks for your feedback.
Regards. <-QUOTE}

NOD32 - v.1.1178 (20050726)
Win32/IRCBot.OO

TeknO
August 26th, 2005, 10:43 AM
{QUOTE-> NOD32 - v.1.1178 (20050726)
Win32/IRCBot.OO <-QUOTE}
There's no difference.
It depends on virus signature database updates, but it's not related to proactive detection.
http://img357.imageshack.us/img357/3873/nod32x4sm.th.gif (http://img357.imageshack.us/my.php?image=nod32x4sm.gif)

I'm sure that NOD32 is a wonderful A/V. I'm a NOD32 user too. Don't worry. :)
Regards,

Stan999
August 26th, 2005, 12:18 PM
{QUOTE-> There's no difference.
It depends on virus signature database updates, but it's not related to proactive detection.
http://img357.imageshack.us/img357/3873/nod32x4sm.th.gif (http://img357.imageshack.us/my.php?image=nod32x4sm.gif)

I'm sure that NOD32 is a wonderful A/V. I'm a NOD32 user too. Don't worry. :)
Regards, <-QUOTE}

How did you get your NOD IRCBOT!VAR detection date as 16.08.2005 19:27 in your table?

Or am I missing something here?

Thanks,

Stan

TeknO
August 26th, 2005, 12:58 PM
{QUOTE-> How did you get your NOD IRCBOT!VAR detection date as 16.08.2005 19:27 in your table?

Or am I missing something here?

Thanks,

Stan <-QUOTE}
Please read post #2. Only IRCBOT!VAR hasn't been detected by the heuristic engine in the test. Finally, it wasn't a big problem, only discussion. By the way, it's not my table. I summarized it only. Source is http://www.av-test.org/
Regards.

Stan999
August 26th, 2005, 01:06 PM
{QUOTE-> Please read post #2. Only IRCBOT!VAR hasn't been detected by the heuristic engine in the test. Finally, it wasn't a big problem, only discussion. Regards. <-QUOTE}

I am still confused.:)

Your tables showed NOD32 detected Win32/IRCBot.OO trojan
as of 16.08.2005 19:27

However, NOD provided this signature on 26.07.2005
NOD32 - v.1.1178 (20050726) Win32/IRCBot.OO

How did you arrive at the date that NOD didn't detect this until 16.08.2005 19:27 per your tables?

Thanks,

Stan

TeknO
August 26th, 2005, 01:15 PM
{QUOTE-> I am still confused.:)

Your tables showed NOD32 detected Win32/IRCBot.OO trojan
as of 16.08.2005 19:27

However, NOD provided this signature on 26.07.2005
NOD32 - v.1.1178 (20050726) Win32/IRCBot.OO

How did you arrive at the date that NOD didn't detect this until 16.08.2005 19:27 per your tables?

Thanks,

Stan <-QUOTE}
Perhaps, you must talk with Andreas Marx :) :)
Regards,

Stan999
August 26th, 2005, 01:25 PM
{QUOTE-> There's no difference.
It depends on virus signature database updates, but it's not related to proactive detection.
Regards, <-QUOTE}

BTW, I consider "proactive detection" to be "zero-hour" detection with heuristics, or generic signatures, or other method as long as it provides "zero-hour" detection. That works for me.:)

Kye-U
August 26th, 2005, 01:34 PM
BitDefender did great!

If we could have NOD32's speed, Bitdefender's Heuristics and Kaspersky's signatures...

Copper
August 26th, 2005, 01:57 PM
Strange... why did NOD32 not detect Win32/IRCBot.OO in this test if NOD32 has the signature?

.....
August 26th, 2005, 02:13 PM
{QUOTE-> BitDefender did great!

If we could have NOD32's speed, Bitdefender's Heuristics and Kaspersky's signatures... <-QUOTE}
You forgot to add Nod32's heuristics, KAV's static unpacker and VBA32's Generic Unpacker to that setup 8)

shek
August 26th, 2005, 07:46 PM
plus kav's hourly update

hbkh
August 26th, 2005, 08:55 PM
{QUOTE-> BitDefender did great!

If we could have NOD32's speed, Bitdefender's Heuristics and Kaspersky's signatures... <-QUOTE}What would we call this product? Bitpersky32 maybe? ;D ;D

Kye-U
August 26th, 2005, 08:59 PM
KasNoDefender xD

TeknO
August 27th, 2005, 10:41 AM
"Bitpersky32" and "KasNoDefender" will be the first choice of the A/V world if someone quickly prepares them. By the way, there's a chance to get much more money after the publication of this A/V test. ;D ;D

cupez80
August 27th, 2005, 10:49 AM
Maybe we can propose this "KasNODefender" idea to each company :D Maybe some day they could merge their AVs.

TeknO
August 27th, 2005, 01:32 PM
Another link for the same test results:
http://www.pcmag.com/article2/0,1895,1850851,00.asp

Eleven of the products were able to detect one or more of the attacks proactively, without any special pattern update to identify it specifically. Here are the numbers for each of the eleven:

Product - Score
BitDefender - 6 of 6
Fortinet - 6 of 6
Nod32 - 5 of 6
eSafe - 3 of 6
F-Prot - 3 of 6
Panda - 3 of 6
QuickHeal - 3 of 6
McAfee - 2 of 6
Norman - 2 of 6
AntiVir - 1 of 6
ClamAV - 1 of 6

Mack Jones
August 28th, 2005, 07:36 AM
I wonder how NOD32/BD are performing against Truprevent... ::)

Is Panda's software really so resource hoggy? ???
Regards,

RejZoR
August 28th, 2005, 08:13 AM
Interesting, I wonder how ClamAV detected it proactively without any heuristics (or using what detection name?)...
They do use generic detection though...

TeknO
August 28th, 2005, 08:36 AM
{QUOTE-> Interesting, I wonder how ClamAV detected it proactively without any heuristics (or using what detection name?)...
They do use generic detection though... <-QUOTE}
Perhaps, you can explain it.
http://img98.imageshack.us/img98/4638/x17tx.gif

RejZoR
August 28th, 2005, 05:37 PM
I still don't get how it could be proactively detected when it doesn't use any proactive methods. Or just a lucky "guess" on signatures...

RejZoR
September 3rd, 2005, 08:10 AM
There is one thing that puzzles me...
AV-Test states that NOD32 detected only 5 samples, while on NOD32 ESET states that ThreatSense intercepted all 6 variants. Now who should I believe?

SNAP FROM ESET's PDF...
SAN DIEGO, Calif. (August 29, 2005) - ESET, a global security software solutions company providing next-generation anti-threat protection, today announced results from a study conducted by AV-Test.org that confirm ESET's NOD32 proactively identified all six variants of the recent Zotob worm. The findings, which appeared on August 22, 2005, clearly showcase the importance of implementing a proactive anti-threat solution as the industry's major antivirus players including Symantec, Trend Micro and McAfee did not detect all variants of the worm until after it had hit systems around the globe

And this is what documents say:
http://img399.imageshack.us/my.php?image=avpd3zn.gif

I also double-checked all 6 full reports and one is not proactive.
I have nothing against NOD32's policy of advertising their ThreatSense proactive performance, but it just makes me wonder...
Thx

Don Pelotas
September 3rd, 2005, 09:01 AM
That's probably just the marketing department doing their best, RejZoR; they also have the "test" from Colby-Sawyer college on their main page as something special. ;)

RejZoR
September 3rd, 2005, 09:05 AM
I know they try to market ThreatSense as best as possible, but why the difference?
AV-Test says only 5/6 detected by NOD32 and the NOD32 PDF says 6/6.

IBK
September 3rd, 2005, 09:18 AM
The best thing would be for someone to ask Marx and ESET for clarification. Otherwise it will remain a circle of speculations...

TeknO
September 3rd, 2005, 09:42 AM
I'll trust Marx 51% and Eset 49% if I can't find a clarification.
Because Eset can't be neutral on this subject.
Regards.

Mack Jones
September 3rd, 2005, 10:14 AM
Marketing stuff guys ! ;)
To me AV Comparative is showing that NOD32 detects about 90% of ITW virii, clearly the best of the bunch.
That's enough for me (yes, that's not very scientific to say things like this ;) ),

But I agree, I ask for precisions. I wonder how it performs against TruPrevent or BD9... or VBA32!
Sincerely,
M.J.

Stan999
September 3rd, 2005, 10:14 AM
{QUOTE-> I also double-checked all 6 full reports and one is not proactive.
Thx <-QUOTE}

The one thing that is confusing to me is that those tables show the IRCBOT
detected by NOD as Win32/IRCBot.OO.

Looks like NOD had that detection as of:
NOD32 - v.1.1178 (20050726) Win32/IRCBot.OO

It would seem to me that detection by a generic signature at the zero-hour would be proactive?

IBK
September 3rd, 2005, 10:18 AM
Yes, I think that too (as it detects it as a variant of). Anyway, the date in the table is still confusing, as in the table it looks like it was not detected before that specific date... ??? I have now mailed Marx, maybe he will explain here.

TeknO
September 3rd, 2005, 10:25 AM
{QUOTE-> I have now mailed Marx, maybe he will explain here. <-QUOTE}
It will be fine, thanks

Don Pelotas
September 3rd, 2005, 10:31 AM
{QUOTE-> Marketing stuff guys ! ;)
To me AV Comparative is showing that NOD32 detects about 90% of ITW virii, clearly the best of the bunch.
That's enough for me (yes, that's not very scientific to say things like this ;) ),

But I agree, I ask for precisions. I wonder how it performs against TruPrevent or BD9... or VBA32!
Sincerely,
M.J. <-QUOTE}
I think you misunderstood me, I didn't say that they don't have good heuristics, just that 6 out of 6 sounds better when you market things and, let's face it, marketing people do have a way of stretching things a bit in the right direction. :)

Mack Jones
September 3rd, 2005, 10:46 AM
{QUOTE-> I think you misunderstood me, I didn't say that they don't have good heuristics, just that 6 out of 6 sounds better when you market things and, let's face it, marketing people do have a way of stretching things a bit in the right direction. :) <-QUOTE}

I agree.
I understood you my friend ;)

Helen123
September 4th, 2005, 03:47 AM
Have you seen this posting by Andreas Marx?

http://marc.theaimsgroup.com/?l=focus-virus&m=112489911518567&w=2

Hello!

You can find the information on how fast the AV companies have reacted with a solution against Bozari.A/B, Drudgebot.B, IRCBot!Var and Zotob.A/B in an Excel sheet (18 KB ZIP file) which is available at <http://www.av-test.org>. Furthermore we have checked how many AV products haven't required an update in order to deal with these threats.

We have covered the following worms and variants:
- Win32/Bozari.A (10 outbreak reports)
- Win32/Bozari.B (1 outbreak report)
- Win32/Drudgebot.B (3 outbreak reports)
- Win32/IRCBot!Var (2 outbreak reports)
- Win32/Zotob.A (4 outbreak reports)
- Win32/Zotob.B (3 outbreak reports)

We used the following rules for the formatting (XLS sheet):
- Italic font = proactive/heuristic detection (in general: a detection without updates)
- Bold font = first detection (first name) of the worm
- Normal font = subsequent names used for the worm (e.g. second name, third name...)

Two magazine reviews have been published which are based on this data:
- PC Magazine - heuristic test results: <http://www.pcmag.com/article2/0,1895,1850847,00.asp>
- PC WELT (Germany) - response times: <http://www.pcwelt.de/news/sicherheit/118264/index.html>

Of course, we know that the problem related to MS05-039 is not primarily an AV problem, but something for (Personal) Firewalls, IDS/IPS systems and better patch management. :-)

cheers,
Andreas Marx
CEO, AV-Test.org
http://www.av-test.org

Andreas_Marx
September 4th, 2005, 04:07 AM
Hello,

someone pointed out that there is some confusion between the PDF report at Eset's webpage and our test results (XLS sheet) at AV-Test's webpage.

Based on our XLS sheet, PC Mag has performed a review which can be found here:
<http://www.pcmag.com/article2/0,1895,1850851,00.asp>

It says: "Nod32: 5 of 6" - and that's also the result you can find in our XLS sheet. Please ensure that you check out the names of the samples used for this test.... then you'll see the differences: :-)

Eset has published a PDF saying it has detected 6 out of 6 Zotob variants - and if you compare the malware names, you'll see what has happened: Eset has used a different set of samples. Well, they have also selected 6 samples (instead of a higher or lower number) and this caused the current confusion.

Eset has missed (what we were calling) Win32/IRCBot!Var - this one was only detected without updates by BitDefender, Fortinet, Panda and QuickHeal.

Dr Web was the first who detected it at 2005-08-15 / 15:58 GMT as "Win32.Legion", Kaspersky followed later at 2005-08-15 / 16:11 GMT with a detection as "Backdoor.Win32.IRCBot.es".

Eset had a detection in place as of 2005-08-16 / 19:27 GMT as "Win32/IRCBot.OO trojan (variant)" [detection was only available with activated /AH] which was renamed later to "Win32/IRCBot.OO trojan" (at 2005-08-18 / 19:40 GMT) [standard signatures].

Eset has not included this IRCBot variant in their "6 out of 6" detection claim - if so, it would be a "6 out of 7" which sounds a bit worse in case of marketing/PR. ;-)

cheers,
Andreas Marx
http://www.av-test.org
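
To make the bookkeeping described in the post above concrete (first name a vendor used = "bold", later names = "normal", detection without an update = "italic"), here is a small Python script added as an example. It is not AV-Test's tool and not part of this thread. It takes a detection table for a single sample, computes each vendor's delay from the earliest detection by anyone, lists the sequence of names a vendor used, and lists the vendors that needed no update. The Dr Web, Kaspersky and Eset rows use the Win32/IRCBot!Var timestamps quoted in the post; the BitDefender row, its timestamp and its detection name are constructed placeholders standing in for a no-update detection, since the sheet's actual values are not on this page.

```python
"""Reaction-time bookkeeping in the style of the AV-Test XLS sheet.

Added example, not AV-Test's own tool. Dr Web, Kaspersky and Eset rows
carry the Win32/IRCBot!Var timestamps quoted in the thread; the
BitDefender row is a constructed placeholder for a no-update detection.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Detection:
    vendor: str
    when: datetime            # GMT, as in the sheet
    name: str                 # detection name the engine reported
    no_update: bool = False   # True = detected without an update (sheet: italic)


def gmt(s: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' as a GMT timestamp."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed table for one sample (Win32/IRCBot!Var). Timestamps for Dr Web,
# Kaspersky and Eset are from the thread; the BitDefender row is a placeholder.
DETECTIONS: List[Detection] = [
    Detection("BitDefender", gmt("2005-08-15 15:58"), "placeholder.generic", no_update=True),
    Detection("Dr Web", gmt("2005-08-15 15:58"), "Win32.Legion"),
    Detection("Kaspersky", gmt("2005-08-15 16:11"), "Backdoor.Win32.IRCBot.es"),
    Detection("Eset", gmt("2005-08-16 19:27"), "Win32/IRCBot.OO trojan (variant)"),
    Detection("Eset", gmt("2005-08-18 19:40"), "Win32/IRCBot.OO trojan"),
]


def first_detection(detections: List[Detection], vendor: str) -> Optional[Detection]:
    """Earliest row for a vendor, or None if the vendor never detected the sample."""
    rows = [d for d in detections if d.vendor == vendor]
    return min(rows, key=lambda d: d.when) if rows else None


def name_history(detections: List[Detection], vendor: str) -> List[str]:
    """Names a vendor used, oldest first: the first is the sheet's 'bold' name,
    the rest are the 'normal' (renamed) entries."""
    rows = sorted((d for d in detections if d.vendor == vendor), key=lambda d: d.when)
    return [d.name for d in rows]


def reaction_minutes(detections: List[Detection]) -> Dict[str, int]:
    """Minutes from the earliest detection by anyone to each vendor's first detection."""
    t0 = min(d.when for d in detections)
    result: Dict[str, int] = {}
    for vendor in sorted({d.vendor for d in detections}):
        first = first_detection(detections, vendor)
        result[vendor] = int((first.when - t0).total_seconds() // 60)
    return result


def proactive_vendors(detections: List[Detection]) -> List[str]:
    """Vendors whose detection needed no update (the sheet's italic entries)."""
    return sorted({d.vendor for d in detections if d.no_update})


if __name__ == "__main__":
    for vendor, minutes in reaction_minutes(DETECTIONS).items():
        print(f"{vendor:12s} +{minutes:5d} min  names: {name_history(DETECTIONS, vendor)}")
    print("no update needed:", proactive_vendors(DETECTIONS))
```

The point the script makes is the one the thread circled around: a vendor's first timestamp and its later rename are separate rows, so a summary that takes the date of the renamed "standard signature" entry will show a later reaction time than the sheet's bold entry.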

RejZoR
September 4th, 2005, 04:22 AM
Hehe, thanks for the explanation :)

Tweakie
September 4th, 2005, 08:34 AM
Concerning ClamAV proactive detection :

{QUOTE-> I still don't get how it could be proactively detected when it doesn't use any proactive methods. Or just a lucky "guess" on signatures... <-QUOTE}

A big difference between ClamAV and the other AVs is that ClamAV will not try to disinfect malware.
This is probably one of the main reasons the way ClamAV uses scan strings/signatures is different from the way other AVs use them. ClamAV does not have to identify a piece of malware precisely. It can therefore parse all the files for a given set of scan strings, and decide that the sample is infected if the scan string is found anywhere in the file. On the other hand, AVs that disinfect files must identify the malware precisely. Then, they may only look for the scan strings at pre-determined locations of the file. This may also be better for scanning speed.

IMHO, this is the main reason why ClamAV has some "proactive" detection capabilities. By the way, I wonder if proactive detection of some backdoor samples by KAV is due to the same mechanism (for example, detection of some Aphex code snippets that are included in such trojans).

Concerning ESET/AV-test :


I think that writing this :

{QUOTE-> ESET, (...) today announced results from a study conducted by
AV-Test.org that confirm ESET's NOD32 proactively identified all six variants of the recent Zotob
worm <-QUOTE}

is just dishonest. And the number of samples (6) seems to have been selected on purpose.
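
The scan-string point in the post above, as an added Python example that is not ClamAV's code and not part of this thread. It uses a deliberately simplified signature record (an assumption for this example, only loosely modelled on ClamAV's body-based signatures): a name, an offset that is either an absolute position or "*" for "anywhere", and a hex byte string in which "??" matches any single byte. The same signatures are run over three constructed byte blobs: a sample with the string at offset 40, a repacked variant where the string has moved to offset 48, and a variant with one byte changed. The offset-anchored signature only matches the first blob; the anywhere signature survives the shift; the wildcard signature survives the one-byte change, which is the behaviour the post attributes to whole-file scan-string matching. All signature and sample names are constructed.

```python
"""Whole-file vs offset-anchored scan-string matching (constructed example)."""
import re
from typing import List, Tuple, Union

# Assumed signature format for this example: (name, offset, hex string).
# offset "*" = match anywhere; an int = match only at that absolute offset.
# "??" in the hex string matches any single byte.
Signature = Tuple[str, Union[str, int], str]

SIGNATURES: List[Signature] = [
    ("Constructed.Bot.Anywhere", "*", "4a4f494e2023"),  # b"JOIN #" anywhere in the file
    ("Constructed.Bot.Offset40", 40, "4a4f494e2023"),  # b"JOIN #" only at offset 40
    ("Constructed.Bot.Wildcard", "*", "4a4f494e20??"),  # b"JOIN " followed by any byte
]


def hexsig_to_regex(hexsig: str) -> "re.Pattern":
    """Turn a hex scan string with '??' wildcards into a compiled bytes regex."""
    if len(hexsig) % 2:
        raise ValueError("hex signature must have an even number of digits")
    parts = []
    for i in range(0, len(hexsig), 2):
        pair = hexsig[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: '.' must match any byte


def scan(data: bytes, signatures: List[Signature] = SIGNATURES) -> List[str]:
    """Names of every signature that matches `data`, in signature order."""
    hits: List[str] = []
    for name, offset, hexsig in signatures:
        pattern = hexsig_to_regex(hexsig)
        if offset == "*":
            matched = pattern.search(data) is not None         # whole-file search
        else:
            matched = pattern.match(data, offset) is not None  # anchored at one offset
        if matched:
            hits.append(name)
    return hits


def build_sample(header_len: int, payload: bytes) -> bytes:
    """Constructed blob: a fake 'MZ' header padded to header_len, then the payload."""
    return b"MZ" + b"\x00" * (header_len - 2) + payload + b"\x00" * 8


SAMPLE_A = build_sample(40, b"JOIN #chan\r\n")   # scan string at offset 40
VARIANT_B = build_sample(48, b"JOIN #chan\r\n")  # same string, shifted to offset 48
VARIANT_C = build_sample(40, b"JOIN &chan\r\n")  # one byte changed ('#' -> '&')

if __name__ == "__main__":
    for label, blob in (("sample A", SAMPLE_A), ("variant B", VARIANT_B), ("variant C", VARIANT_C)):
        print(f"{label}: {scan(blob)}")
```

The trade-off the post describes is visible in the code: the anchored check is one comparison at a known position and is cheap, while the whole-file search and the wildcard are what let a string-based engine catch a repacked or slightly edited variant without a new signature.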

Firefighter
September 4th, 2005, 08:54 AM
{QUOTE-> I think that writing this :
is just dishonest. And the number of samples (6) seems to have been selected on purpose. <-QUOTE}Or maybe, some av-vendors are only "bad losers". ;D

Best regards,
Firefighter!

TeknO
September 4th, 2005, 12:15 PM
{QUOTE-> Eset has not included this IRCBot variant in their "6 out of 6" detection claim - if so, it would be a "6 out of 7" which sounds a bit worse in case of marketing/PR. ;-)

cheers,
Andreas Marx
http://www.av-test.org <-QUOTE}
First of all, thanks for your explanation. But there were only six variants in your test if I understood properly. What is the seventh variant? :) Perhaps Eset must explain it after your explanation :)
Regards...

gladius
September 4th, 2005, 01:43 PM
{QUOTE-> Concerning ESET/AV-test :

I think that writing this :

is just dishonest. And the number of samples (6) seems to have been selected on purpose. <-QUOTE}

Hi,

Sorry that you feel that way, however, there is nothing dishonest in it - as Andreas explained already. Comparing like to like is an important thing - it could just as easily have said that NOD32 detected 5 out of 5 Zotob variants, which would also be true - the IRC Bot was not a Zotob variant, but was in the study that AV-Test did because it exploited the same vulnerability, not because it was the same worm. The claim that NOD32 detected 6 out of 6 Zotob variants proactively is absolutely true, and it is also true that it is based on the research of AV-Test.org. There was nothing dishonest in any of that. It is no more or less confusing than AV-Test including a non-Zotob variant in their study. They were looking at malware exploiting the vulnerability, Eset were looking at the Zotob family. The number of samples was based on the number of Zotob variants that AV-Test had measured NOD32 detecting proactively.

best regards

-AJ
Eset LLC