Detecting BlackWorm Without Signatures

Published: 2006-01-28
Last Updated: 2006-01-28 20:19:24 UTC
by Lenny Zeltser (Version: 1)
An article in the German magazine PC-WELT describes a study of anti-virus vendors' ability to detect BlackWorm when it first hit the Net. The analysis, performed by the AV-Test lab, points out that some vendors were able to detect the worm without BlackWorm-specific signatures, while others needed to release new signatures first.

Signature-based detection mechanisms have been essential to anti-virus products' ability to recognize malicious code. Over the past several years, anti-virus vendors have made strides in heuristic and behavioral detection algorithms, and I am glad to see that these measures in several products were effective at stopping this worm.

I'd like to extend kudos to eSafe, Fortinet, McAfee, NOD32, and Panda, whose anti-virus products, according to the AV-Test study, were able to recognize that BlackWorm was malware heuristically, without requiring a specialized signature. Also, congrats to ISS, Kaspersky, and Panda for being able to recognize it through behavioral means without a signature.

Take a look at the article for additional details. Even if you don't understand German, you may find the tables, which document the study's findings, interesting. The first table lists behavioral detection methods, the second heuristic ones, and the third signature-based ones.

Lenny Zeltser
ISC Handler on Duty
www.zeltser.com