Kaspersky tightens up anti-virus engine
Kaspersky has fixed recent malware detection problems in its 2010 products via an automatic update. The cause of the detection problems that allowed malware to be overlooked seems to have been even more severe than was initially apparent. Initial testing had shown that the malware samples "Email-Worm.Win32.Kipis.u", two variants of "Net-Worm.Win32.Mytob.bi" and "Backdoor.Win32.Rbot.bng" were being overlooked. The malware samples used came from the WildList reference list, a list of common and important viruses and malware used by anti-virus developers as a basis for testing their applications.
In a quick test, the new versions of Kaspersky Antivirus 2010 and Internet Security 2010 initially failed to detect the four pieces of malware from the reference list, although the problem was rapidly remedied with up-to-date virus signatures from Kaspersky. Additional tests, however, showed that many more pieces of malware were also affected and were not being detected – despite the fact that the previous version had been able to identify them – and that all of the malware which went undetected had been packed with the same runtime packer. The 2010 engine's unpacking routine was clearly not working properly, with the result that the updated signature scan failed to detect the malware.
Virus authors constantly repack their malware using runtime packers such as UPX, FSG and ASPack in order to get around signature-based detection by anti-virus software. These packers compress the program code and integrate a routine to unpack it when executed. As a result, many anti-virus products fail to find the malware's signature in the packed file and simply wave it through. Since legitimate programs also use runtime packers, anti-virus programs can't simply raise an alert for every packed program, as this would give rise to an excessive number of false positives.
When testing anti-virus software, heise Security, The H's associated publication in Germany, has examined whether the products can be circumvented using runtime packers. Good products are able to recognise the compression method, unpack the program and carry out a signature scan on the original program. In the most recent test, for example, Kaspersky detected around 90 percent of compressed malware.
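The recognise-unpack-rescan sequence described in the two paragraphs above, and the failure mode behind the Kaspersky 2010 incident, as an added example that is not code from the article or from Kaspersky. It uses a constructed toy packer (zlib behind a magic header) and constructed signatures; real packers such as UPX, FSG and ASPack have their own formats, but the scanner logic is the same. The `regression_check` function is the pre-release check the last paragraph implies: samples the old engine caught must still be caught by the new one.

```python
import zlib
from typing import Callable, Dict, List, Optional

# Constructed stand-in for a runtime packer: magic header + zlib-compressed program.
PACKER_MAGIC = b"TOYPK\x00"

# Constructed signature set (byte pattern -> detection name); not real signatures.
SIGNATURES: Dict[bytes, str] = {b"CONSTRUCTED-WORM-MARKER": "Constructed.Worm.A"}


def pack(program: bytes) -> bytes:
    """Toy packer: compress the program and prepend the magic header."""
    return PACKER_MAGIC + zlib.compress(program)


def recognise_packer(data: bytes) -> bool:
    """Step 1: recognise the compression method (here: by its header)."""
    return data.startswith(PACKER_MAGIC)


def unpack(data: bytes) -> bytes:
    """Step 2: restore the original program bytes."""
    return zlib.decompress(data[len(PACKER_MAGIC):])


def signature_scan(data: bytes) -> Optional[str]:
    """Step 3: plain signature scan over the bytes as given."""
    return next((name for pat, name in SIGNATURES.items() if pat in data), None)


def scan(data: bytes, unpacker: Callable[[bytes], bytes] = unpack) -> str:
    """Engine verdict: a detection name, 'unpack-failed', or 'clean'."""
    hit = signature_scan(data)
    if hit is None and recognise_packer(data):
        try:
            hit = signature_scan(unpacker(data))
        except Exception:
            # A broken unpacking routine must surface as its own verdict,
            # not silently degrade a packed sample to 'clean'.
            return "unpack-failed"
    return hit or "clean"


def broken_unpacker(data: bytes) -> bytes:
    """Simulates a defective unpacking routine (a regressed engine build)."""
    raise ValueError("unpacker regression")


def regression_check(samples: List[bytes], old: Callable[[bytes], str],
                     new: Callable[[bytes], str]) -> List[int]:
    """Indices of samples the old engine detected but the new engine does not."""
    return [i for i, s in enumerate(samples)
            if old(s) not in ("clean", "unpack-failed")
            and new(s) in ("clean", "unpack-failed")]
```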
heise Security spoke to Magnus Kalkuhl, Senior Virus Analyst at Kaspersky, who confirmed that Kaspersky has fixed the unpacking module in its 2010 products and that it distributed the new version as part of its normal update procedure. It does seem rather odd, however, that Kaspersky did not detect the bug itself during pre-release testing.