Waves of New Trojans Overwhelming AV

The recent torrent of more sophisticated Trojan threats is producing a large volume of attacks that cannot be detected by traditional AV systems, security researchers contend.

According to a new paper published by message and Web filtering specialist Commtouch, millions of Trojans easily evaded signature-based AV technologies during Q2 2009 alone.

Recent Trojan outbreaks sent malware volumes soaring in general with higher levels of attacks circumventing defensive controls than seen by the company over the previous six quarters.

AV systems have improved their capabilities are doing a better job in general, but the proliferation of new Trojan variants immune to generic signature detection has proven problematic, Commtouch CTO Amir Lev said in a report summary.

The vendor’s trend report is based on its analysis of billions of email messages and Internet transactions channeled through its Web-based detection centers.

The mere outbreak of several extremely “aggressive” variants of existing Trojans, notably those tied to the Waledac botnet, that utilize newer signature evasion techniques led to the takeoff in attacks, Commtouch reports.

The use of generic signatures became popular among AV providers as a foil to trends such as server side polymorphism, through which millions of variants of the same attack are distributed, versus larger batches of the same threats which are easier for AV firms to fingerprint and block.

“As demonstrated by this massive growth, the generic signatures have not proven to work against the recent variants,” the report said.

The most popular Trojan attacks defeating AV systems between May and June included Mal/WaledPak-A, Mal/FakeVirPk-A andTroj/Agent-KBE.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.