Research: 80% of Carberp infected computers had antivirus software installed

[King Grub]

Quote:

Just how useful is antivirus software in general? According to a recently published study by security researcher Jim McKenney, based on his analysis 80% of Carberp infected computers had antivirus software installed.

http://www.zdnet.com/research-80-of-...ed-7000001679/

The study:

http://www.dailysafetycheck.com/v/vs...012_Botnet.pdf

[kdcdq]

I can see it coming already; the Norton fans that post here at Wilders are NOT going to be happy when they look at the graph.

On a positive note, Avast and Bitdefender numbers look better.

[King Grub]

Quote:

Originally Posted by kdcdq

On a positive note, Avast and Bitdefender numbers look better.

Do they? Shorter bars just mean that there were fewer of the 603 studied computers that had that security product installed.

Avast at least had about as large a percentage of "crippled" systems as Norton. And BD all "Disabled". I don't know how that is much better.

[RejZoR]

This report is completelly meaningless because of 2 factors:

- no info is given on the versions
- no info is given whether the software was actually fully updated

Why is this important? If we take avast! for example. Current actual version is v7.0. But i know loads of ppl who are still insisting on completelly outdated v4.8.
v4.8 has very little proactive protection, no cloud protection, rather crappy self-protection. You get the picture.

And the second one, is the software actually updated automatically or users think they know it better and keep everything disabled and they do it themself when they feel like it (which is often equal to "nearly never").

And the same applies to all of the listed. What good is Norton or NOD32 if you're using versions 2001 and v2? It's pointless. Antivirus software has to be dead on fully updated. The end of it. Thats why companies invest loads of money on proactive and cloud systems.

I bet 3/4 of the compromised systems were either using outdated AV software, didn't have regularly updated definitions or the system itself wasn't properly patched. Because that usually accounts to most of the infections.

[Dark Shadow]

People need to wake up and relize they need additional protection and not depend on the AV alone to keep them malware free.Safety in numbers is a good matto.

[m0unds]

Quote:

Originally Posted by kdcdq

I can see it coming already; the Norton fans that post here at Wilders are NOT going to be happy when they look at the graph.

On a positive note, Avast and Bitdefender numbers look better.

Quote:

Originally Posted by King Grub

Do they? Shorter bars just mean that there were fewer of the 603 studied computers that had that security product installed.

Avast at least had about as large a percentage of "crippled" systems as Norton. And BD all "Disabled". I don't know how that is much better.

it's not that cut and dried.

Quote:

Originally Posted by RejZoR

This report is completelly meaningless because of 2 factors:

- no info is given on the versions
- no info is given whether the software was actually fully updated

Why is this important? If we take avast! for example. Current actual version is v7.0. But i know loads of ppl who are still insisting on completelly outdated v4.8.
v4.8 has very little proactive protection, no cloud protection, rather crappy self-protection. You get the picture.

And the second one, is the software actually updated automatically or users think they know it better and keep everything disabled and they do it themself when they feel like it (which is often equal to "nearly never").

And the same applies to all of the listed. What good is Norton or NOD32 if you're using versions 2001 and v2? It's pointless. Antivirus software has to be dead on fully updated. The end of it. Thats why companies invest loads of money on proactive and cloud systems.

I bet 3/4 of the compromised systems were either using outdated AV software, didn't have regularly updated definitions or the system itself wasn't properly patched. Because that usually accounts to most of the infections.

^^^ this is precisely what i was thinking.

if someone gets a trial of a norton product on a new computer and they allow it to lapse and don't bother renewing or getting something else, would their telemetry server differentiate between a product disabled by some component of the threat and a product disabled because the user allowed it to lapse and didn't bother renewing? i doubt that's the case, but there's no way to know because that level of detail isn't there and no case is made for that possibility either.

Quote:

Originally Posted by djohn

People need to wake up and relize they need additional protection and not depend on the AV alone to keep them malware free.Safety in numbers is a good matto.

if by "additional protection" you mean common sense, a modern version of windows (not xp) and keeping things patched, i agree. if you mean more security software, i don't.

[xxJackxx]

Quote:

Originally Posted by kdcdq

I can see it coming already; the Norton fans that post here at Wilders are NOT going to be happy when they look at the graph.

I don't care myself. Looks like they all failed. From there it looks like the higher numbers on the graph were jut more popular AVs.

I have enough SRP rules in place I am not too worried about it.

[Dark Shadow]

Common sense is always a good thing,but common sense tells me to lock my car doors that does not mean its still cant get broken into or even stolen.Common sense is not enough as legit sites get hacked front time to time and if your AV does not stop it then neither will common sense.

[Noob]

Quote:

Originally Posted by djohn

Common sense is always a good thing,but common sense tells me to lock my car doors that does not mean its still cant get broken into or even stolen.Common sense is not enough as legit sites get hacked front time to time and if your AV does not stop it then neither will common sense.

Yeah, although not bullet proof common sense can save someone most of the times.
But as you said, it's still vulnerable, we are prone to make mistakes.

[Dark Shadow]

Quote:

Originally Posted by Noob

Yeah, although not bullet proof common sense can save someone most of the times.
But as you said, it's still vulnerable, we are prone to make mistakes.

sure it can but I have to wonder if many of them getting hammered are happy clickers which common sense in that case goes out the windows.My niece is one of them and when the PC is all screwed up she buys a new one.Makes me sick thinking about it.Some people same machine for years,not my niece she always has a New computer but she can afford it.

[Noob]

Quote:

Originally Posted by djohn

sure it can but I have to wonder if many of them getting hammered are happy clickers which common sense in that case goes out the windows.My niece is one of them and when the PC is all screwed up she buys a new one.Makes me sick thinking about it.Some people same machine for years,not my niece she always has a New computer but she can afford it.

Hahahaha, sounds like my friend.
I used to help him fix the computer every 2 months due to virus infections, i found once over 2000 malware traces with EAM. . .
I stopped the scan halfway through and decided to format it LOL, it would never be clean.

[markusg]

wow, what a surprise, infected pcs have antimalware protection.
i would say 99 % of the pcs i have in forums for malware removal have such programs instaled.
but useless, if you never update any of the used software and if the user klick all whats interesting...

[TheKid7]

Wouldn't a properly configured Sandboxie and Common Sense stop Carberp?

[markusg]

Common Sense can not protect you against exploits...
every legid page could be hacked
sandboxie and updated software, also av software can.

[Dark Shadow]

Quote:

Originally Posted by Noob

Hahahaha, sounds like my friend.
I used to help him fix the computer every 2 months due to virus infections, i found once over 2000 malware traces with EAM. . .
I stopped the scan halfway through and decided to format it LOL, it would never be clean.

Wow 2000 thats a lot of malware.

[TheKid7]

Quote:

Originally Posted by djohn

Wow 2000 thats a lot of malware.

In the Year 2005 I made the mistake of actually "trying" to clean Malware from a PC that two un-supervised teenagers had been using for several months. The PC was at a "crawl". There was somewhere around 1,500 Malware items found, but I was unable to properly clean them. I "wasted" around 6 hours trying before I gave up and did a format/re-install.

[trjam]

2 DA questions, so I apologize.

How would WSA hold up against something like this and would EMET make a difference.

thanks

[Noob]

Quote:

Originally Posted by djohn

Wow 2000 thats a lot of malware.

Yeah, EAM showed around 2000 traces, remember traces can be a lot of things such as registry entries from programs like Ares (PUP) so it's not necessarily malware but still a very very high number.

[Kees1958]

Allthough I am not using an AntiVirus real time, I really have a problem with this type of studies. When no Antivirus has a 100% coverage, prooving that they are bypassed is prooving that water is wet. Big deal.

An AntiVirus is like the word says an anti-dote against virri spreading wide out in the open world. Sure a few unlucky ones get infected, but on average the chances of getting infected for the average Joe or Jane are near to zero.

Imagine a politician around 1918 telling people during the world wide influenza padamic, hey because people are killed by the spanish flu, let's skip research and vaccination programs in the world. Because the counter measure is not a 100% percent or because it takes some time find an anti-dote. Imagine a politician telling the same in 1981 when Aids was first discovered. Water is wet studies or waisted money IMO.

When I use public transport or my own means of transport, there is a chance I will get an accident. So until that chance drops to zero I should be staying at home forever. Oh wait, at home I still have a chance of being struck by thunder and lightning. So where should I stay next. Oh yes, dig a bunker deep in the ground. Wait there is still the odd chance of an earth quake.

Unplug you computer from the internet, use alternative means of security, but don't tell the average Joe/Jane to uninstall their AntiVirus. AV is the anti-dote against digital virii pandemics. Stop bashing AV-companies for providing counter measures which work well for the majority of the pc-users.

When OS-ses harden (Windows gradually following best practises of Linux and Mac-world) and browsers provide sandboxes (Chrome as champion, IE second with its protected mode), the impact of traditional virri will lower. According to my friend (a security expert working for banks) the financial impact of virri, is lower than e-mail fraud, e-mail fraud is bypassed by man in the browser malware in 2012, skimming of pay terminals allready accounts for the largest (financial) damage.

Regards

P.S. When 'security' experts advise people on Vista or Windows7 to use Firefox in stead of IE or Chrome, I have the same "please don't tell this kind #^%$*!" response: Firefox does not have the protected mode of IE9 or the full featured sandbox of Chrome. So FF by design is less secure than IE9 and IE9 is by design less secure than Chrome, like Windows by design is less secure than Linux and the average Linux distro is less secure than Mac (unix like benefits combined with windows like features as Apple signing only policy).

[Hungry Man]

Quote:

Originally Posted by RejZoR

This report is completelly meaningless because of 2 factors:

- no info is given on the versions
- no info is given whether the software was actually fully updated

Why is this important? If we take avast! for example. Current actual version is v7.0. But i know loads of ppl who are still insisting on completelly outdated v4.8.
v4.8 has very little proactive protection, no cloud protection, rather crappy self-protection. You get the picture.

And the second one, is the software actually updated automatically or users think they know it better and keep everything disabled and they do it themself when they feel like it (which is often equal to "nearly never").

And the same applies to all of the listed. What good is Norton or NOD32 if you're using versions 2001 and v2? It's pointless. Antivirus software has to be dead on fully updated. The end of it. Thats why companies invest loads of money on proactive and cloud systems.

I bet 3/4 of the compromised systems were either using outdated AV software, didn't have regularly updated definitions or the system itself wasn't properly patched. Because that usually accounts to most of the infections.

It's not meaningless at all. Who cares whether they were up to date or not? This shows that real world usage is not effective.

[The Hammer]

Quote:

Originally Posted by Hungry Man

It's not meaningless at all. Who cares whether they were up to date or not? This shows that real world usage is not effective.

Being up to date is very valid and your comments about real world usage might carry some weight if the products were shown to be.

[Hungry Man]

The point is that, outside of lab conditions, antiviruses don't protect people. Whether that's because they're not up to date or not is irrelevant.

[Cudni]

Quote:

Originally Posted by Hungry Man

The point is that, outside of lab conditions, antiviruses don't protect people. Whether that's because they're not up to date or not is irrelevant.

There is no point, there just your opinion. Most people benefit from current and regularly updated AV protection.

[The Hammer]

Quote:

Originally Posted by Hungry Man

The point is that, outside of lab conditions, antiviruses don't protect people. Whether that's because they're not up to date or not is irrelevant.

Actually most of the time they do protect people. So up to date or not is relevant. The reason people load up on security programs is because Av's are not 100% effective.

[TheWindBringeth]

I think the "what was the configuration of the machine when it was compromised and how was it compromised" question is highly relevant because that could shed light on vulnerabilities that could be closed. However, that requires some means of reconstructing things and looking back in time. For example, if there is a case where an infected machine is running an older version of AV software... is that because the user disabled updates or because the malware disabled updates? If there is a case where an infected machine is running the latest version of AV software... did the user take some step to help the malware establish a foothold or did the malware bypass the proper configuration/administration via some software vulnerability?

Infected, AV protected machines is not necessarily a bad thing. In order to be 100% effective against malware, AV software would have to have comprehensive control over the platform and make it impossible for the user (administrator) to perform an action that *the AV software manufacturer* considers to be a threat. AV software of that nature would simply be another form of malware.