Anti-malware vendors unite to fight cybercriminals

In this viewpoint posted on BetaNews, Mikko Hypponen of F-Secure suggests anti-virus vendors share their samples. It's something I always hope they do.

 

I thought that the vendors already did share their samples.
Not every single sample, but many of them.

 

An eye-opener for me.
I didn't know they cooperated to that extent.
I thought the competitor aspect was too much to overcome.
The article seemed to imply that only the larger companies cooperate.

 

Despite that there are many vendors it is not that evident that it is highly competitive. The big three, Norton, McAfee and Trend Micro, own and will keep a huge market share because they have the money to be distributed on OEM machines. A lot of companies who have acknowledgment on these forums are not really that significant so that they can cause changes in the market, such as Prevx (maybe now with Webroot) and Emsisoft, or companies such as Comodo. Because of this it is not strange that the bigger vendors (so next to the big three companies such as Kaspersky, BitDefender, ESET, avast! and AVG) share samples. Moreover, most consumers don't choose a vendor based on objective test results, assuming that objective test results exist, so how important is it that you actually perform a few tenths of a percent better than competitors?

 

Well just a quick glance at the MRG Flash Test results will tell you that MBAM and SAS don't share. We're not talking about a few tenths of a percent there.

 

I'm not a virus expert but i did an experiment of my own
i opened Malwaredomainlist i found a Ransome variant
downloaded the sample and uploaded it to Virus total
i found that only three product marked it as malicious
kaspersky + Norton + bitdefender

so i upload the sample to another four companies
Dr web + clam i don't remember the other two
then after a week i rescan the sample via Virus total
and i got shocked the scan result was the previous three companies + the ones i submitted the sample to
it's a very very sad result

it's a publicly available sample and yet it didn't got fully detected even after a week of submission

Malware and viruses are getting created every day
and yet we see companies don't collaborate with each other

so i got this idea in mind i wanted to work on it but sadly i don't know web programming

the idea is to make a site that when we submit a sample to it
it will send it to every anti virus company out there
so that will make their work faster
what do you think
if they are not willing to collaborate with each other we will force them to do it

 

If I remember correctly VirusTotal already does that, and I think Jotti does also? Also I thought whoever runs MDL also submits them to each vendor but I am not 100% sure.

 

They could completely share all samples and still have different detection rates.

 

^Yup. It's not like as soon as they share they get added. Definition updates have to get pushed and probably verified.

 

Is that what you mean, because of what Hungry Man said?
("It's not like as soon as they share they get added. Definition updates have to get pushed and probably verified.")
Maybe due to different program default settings too?

 

The MGR flash tests are for Zero-Day malware. So, even if they share samples...

 

i know some companys do not share, or they are exchanging such an small number, it is not usefull for other companies.
i can not say names, but this are some well known

 

Ok here is what i can conclude about 0 hour malware code detection rates

1- Either the vendors that score well have better heuristic or detction routines(this is unlikely but might account for a small % improvement)

or (and more to the truth of the matter)

2- They have researchers actively scowering the web for 0 hour code instead of reacting to submitted suspect files or files gained via their support channels.

Eitherway there is some glaringly obvious poor performances that cannot be explained away as mere coincidences.Trends over time will average out any on the day abnomalies

As for sharing samples between vendors...great in principal and idealogy but in truth not practical as in a system with limited resources they can only process as many samples as they have researcher hours to verify the samples.

A team of 7 researchers pulling 12-14hour days will roast a team of 3 part timers everytime for signature output and speed of threat escalation into their databases.

Also vendors who shut up shop at the weekend or run skeleton staff also forget the malware servers dont take weekends/holidays off

Mondays intray most be overflowing and the postman just keeps bringing more

 

Well I meant that each company will take a different approach and get different things from the same sample set. A well made definition will also detect other variants from the same family. Also it's not all about definitions, but other things like behaviour/heuristics, e.g. Malwarebytes blocks certain filenames from running from certain locations, regardless of a formal 'detection'.

I mean the best I could do from 100,000 samples, would be to produce 100,000 definitions - all based on MD5. Antimalware companies have more elegant ways of going about it, e.g. grabbing bits of code that appears in multiple samples and writing detections for that

 

yet it didn't got fully detected after a week

 

vt sends not to all companies, but to the big ones i think.
all listed on vt getting samples.
but to have an sample do not mean they make an detection, most vendors get so much stuff, i heard from friends, working for av companies, they get over 1 tb malware every week.

 

i'm going to Make an email address that will automaticly Forword
an inbox mail to Virus companies mails

it's plain and simple

also i will make it Private and secret so no one get to abuse it

just kidding