It’s always disappointing to see traditional antivirus scanners miss malware detections, especially those in the formal WildList (the WildList is not dead! Well, not completely). It does and will happen, even with the best performing scanners. And witnessing the detection rates and delays in AV detection updates for various malware families that are being run on end user systems but prevented by behavioral protection can be a bit overwhelming. Layered protection is an important part of keeping a system secure.
So when we observe “underground” activity, it’s never a surprise to see ongoing and more sophisticated efforts in developing malware that evades AV detection. Some of the efforts are getting more organized, and we continue to see more professional looking services and amateur looking betas popping up that replace the venerable and legitimate Virustotal and Jotti virusscan sites. We’ve presented before on some underground services, where blackhat developers offer to write fully undetected stubs (undetected by all of the major anti-virus products), and once they are detected, the developer sends on a limited number of new undetected stubs to their customers. When that limit is reached, the customer shells out some more cash for their new AV evasion kit.
Not only the major media grabbers like Storm, Waledac, and botnets related to McColo, but smaller, under-the-radar efforts like the distributors of rogueware and fakeav benefit financially and further this sort of work.
Below is a snapshot of one fairly recent effort put together with malicious intent, to help provide a confirmation that those stubs remain fully undetected without exposing the upload to distribution to AV companies (Virustotal and Jotti both distribute samples to AV companies). Many of the blackhat forums bring on new, unexperienced members that upload new undetected crypters to the legitimate sites, which sends the samples on to AV vendors and has been a problem for their efforts in the past. The site is in beta and slow as molasses.