SANS ISC: InfoSec Handlers Diary Blog
Symantec False-Positive on Filezilla, NASA World Wind

Published: 2007-07-16
Last Updated: 2007-07-17 17:23:47 UTC
by John Bambenek (Version: 1)

It appears that Symantec's anti-virus definitions (July 15th, rev 2) produced a false positive on Filezilla and NASA World Wind, detecting both as Adware.cpush.  The definition was fixed in the July 16th release.  This is neither the first nor the last time a false positive will ship with an anti-virus update.  As more malware gets written, and gets deployed faster, the pressure on AV vendors to push definitions out quickly is intense.  That makes it hard to regression-test a new signature against all legitimate software, especially the more esoteric variety.  Test longer and leave customers exposed to the malware for longer, or release fast and risk false positives (and false negatives)?  There is no easy answer (unless vendors tier their definitions and let customers choose between "stable" rules, "bleeding edge" rules, etc.).

This does lead to an interesting discussion, however.  Could attackers craft their malware so that the signatures derived from it tend to match safe files as well?  Something like this is already done in a sense: malware tries to look as legitimate as possible on the network, and it tries to evade heuristic detection.  For typical byte-pattern signature detection, though, this is not easy; it takes more than mindless polymorphism.  Still, the incentive for malware authors is for their code to stay undetected for as long as possible.  That means more targeting to avoid the honeynets, more subtlety to avoid network detection, and executables built to slip past AV software.  Deliberately shaping malware to maximize false positives, so that any signature a vendor extracts from it also flags popular legitimate software, would be an entertaining (and certainly painful) way to wreak havoc.  Some basic research exists on this idea already, though nothing ready for market.
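To make the tradeoff concrete, here is a small added example in Python (it is not code from this diary, and it is not how Symantec's engine or its signatures work): a toy byte-pattern signature engine, a constructed "goodware" corpus, and a constructed sample padded with bytes it shares with that corpus. A signature carved naively from the shared region flags every benign file; a release gate that scans the known-good corpus before shipping catches it; and a sample built entirely from bytes lifted from legitimate software defeats the gate altogether, which is the attack sketched above. All file names, byte strings and the detection name Adware.toy are made up for the example.

```python
"""
Toy model of byte-pattern AV signatures, showing (1) how a signature carved
from a region that malware shares with legitimate software fires on that
software, (2) a release gate that checks a candidate signature against a
known-good corpus before shipping, and (3) how a sample assembled from benign
byte runs leaves no unique window to carve.  All data below is constructed for
this example; it is not real malware, real software, or a real vendor signature.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed stand-in for a stub that many benign programs happen to share,
# e.g. the header of a popular installer or a common runtime loader.
COMMON_STUB = b"INSTALLER-STUB\x00\x01\x02\x03 shared runtime loader v1"

# Constructed "goodware" corpus.  File names are placeholders chosen to echo
# the programs in the diary; the contents are made up.
GOODWARE: dict[str, bytes] = {
    "filezilla.exe": COMMON_STUB + b" FTP client code ...",
    "worldwind.exe": b"JNI bootstrap " + COMMON_STUB + b" globe renderer",
    "winamp.exe": b"audio player " + COMMON_STUB,
}

# Constructed malware sample.  Its author has padded it with the same shared
# stub, so a signature carved from that region also matches the goodware.
MALWARE = b"\x90\x90" + COMMON_STUB + b" adware payload: push popups"

# Constructed sample built only from byte runs that occur in the goodware
# above (a winamp-style prefix plus a filezilla-style suffix around the stub).
POISONED = b"audio player " + COMMON_STUB + b" FTP client code ..."


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes


def carve_signature(sample: bytes, offset: int, length: int, name: str) -> Signature:
    """Naive signature extraction: take `length` raw bytes at `offset`."""
    return Signature(name, sample[offset:offset + length])


def scan(sig: Signature, blob: bytes) -> bool:
    """Plain substring match, as a simple byte-pattern engine would do."""
    return sig.pattern in blob


def false_positives(sig: Signature, corpus: dict[str, bytes]) -> list[str]:
    """Names of known-good files the signature would flag."""
    return sorted(name for name, data in corpus.items() if scan(sig, data))


def release_check(sig: Signature, corpus: dict[str, bytes]) -> tuple[bool, list[str]]:
    """Release gate: a definition ships only if it hits nothing in the corpus."""
    hits = false_positives(sig, corpus)
    return (not hits, hits)


def carve_unique_signature(
    sample: bytes, corpus: dict[str, bytes], length: int, name: str
) -> Signature | None:
    """Slide a window over the sample and return the first candidate that
    passes the release gate; None means every window collides with goodware."""
    for offset in range(len(sample) - length + 1):
        candidate = carve_signature(sample, offset, length, name)
        if release_check(candidate, corpus)[0]:
            return candidate
    return None


if __name__ == "__main__":
    # An analyst carves 16 bytes starting inside the shared stub.
    bad = carve_signature(MALWARE, 2, 16, "Adware.toy")
    ok, hits = release_check(bad, GOODWARE)
    print(f"carved {bad.pattern!r}: release ok={ok}, goodware hits={hits}")

    # The same sample still yields a usable signature once the gate is applied.
    good = carve_unique_signature(MALWARE, GOODWARE, 16, "Adware.toy")
    print(f"unique signature: {good.pattern!r}, detects malware={scan(good, MALWARE)}")

    # A sample stitched together from benign byte runs leaves nothing to carve.
    print("poisoned sample signature:", carve_unique_signature(POISONED, GOODWARE, 16, "Adware.toy"))
```

The gate is only as good as the corpus: a vendor that has never indexed an esoteric program cannot notice a collision with it, which is exactly the gap the Filezilla and World Wind detections fell into. The `POISONED` case shows the attacker's side of the same coin; when every window of the sample also occurs in legitimate software, a pure byte-pattern signature cannot be both effective and clean, and the vendor is pushed toward behavioural or heuristic detection instead.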

(Update: It appears a number of other programs were caught up in this as well, including Winamp and installers built with NSIS (the Nullsoft Scriptable Install System); the latest definitions seem to be fine with that software too.)

---

John Bambenek / bambenek (at) gmail (dot) com
University of Illinois
