Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Detecting BlackWorm Without Signatures SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Detecting BlackWorm Without Signatures
An article in a German magazine PC-WELT describes a study of anti-virus vendors' ability to detect BlackWorm when it first hit the Net. The analysis, performed by AV-Test lab, points out that some vendors were able to detect the worm without the need for BlackWorm-specific signatures, while others needed to release new signatures.

Signature-based detection mechanisms have been essential to anti-virus products' ability to recognize malicious code. Over the past several years, anti-virus vendors have made strides in heuristic and behavioral detection algorithms, and I am glad to see that these measures in several products were effective at stopping this worm.

I'd like to extend kudos to eSafe, Fortinet, McAfee, NOD32, and Panda, whose anti-virus products, according to the AV-Test study, were able to recognize that BlackWorm was malware heuristically, without requiring a specialized signature. Also, congrats to ISS, Kaspersky, and Panda for being able to recognize it through behavioral means without a signature.

Take a look at the article for additional details. Even if you don't understand German, you may find the tables, which document the study's findings, interesting. The first table lists behavioral methods, the second heuristic ones, and the third one signature-based tools.

Lenny Zeltser
ISC Handler on Duty

216 Posts
Jan 28th 2006

Sign Up for Free or Log In to start participating in the conversation!