So today on my RSS feeds, I saw that a new version of the Sub7 trojan has been released. This new version, called “legends” has some new features and such for exploitation and maintaining control over infected systems.
Being curious, I uploaded the installer to VirusTotal to see what kind of hit ratio I would get. To my surprise, ~96% of the AV software there detected Sub7!
There are two ways to look at this, I suppose. It sure seems like a victory when you get such a high hit rate, but on the other hand there are likely some elements of this extremely well known code that haven’t changed since it first emerged on the scene in the 90’s. So, I would hope that we could detect it with a high accuracy rate. In fact, I had really hoped we could detect it at 100%, but it seems that some AV vendors still miss it. Still 96% is far better than the ~15% detection rate I got on another test like this, just a little bit ago.
The second way to look at it is that we still have long known malware that is not detected by some AV products. Now, given, that is a small percentage, but after all of this time, they can not detect Sub7? That would be pretty horrible if you happen to be a customer of theirs and your data is at risk. Compound this with the data from the breach reports that show increases in custom malware being used in attacks and you can see the problem from a new perspective. If we can’t detect malware from the 90’s across the board, then how can AV hope to continue to be seen as the magic bullet defense against increasingly complex and dynamic attack code in the future? Of course, the answer is, it can not. It NEVER HAS BEEN THE MAGIC BULLET THAT MANY IT FOLKS AND MANAGEMENT FOLKS BELIEVE IT IS.
Where does that leave us? Somewhere between victory and defeat? Right where we have always been, but maybe, just maybe, with a little more argument and knowledge for those “magic bullet” folks!
PS – Here is my VirusTotal submission if you want to check it out.