World's best threat detection pwned by HOBBIT

Some of the world's best threat detection platforms have been bypassed by custom malware in a demonstration of the fallibility of single-defence security. Five unnamed top advanced threat detection products were tested against four custom malware samples written by researchers at Crysys Lab, Hungary and MRG-Effitas, UK. The …

  1. PCS

    And the fifth product was? Symantec per chance?

    1. Voland's right hand

      Not relevant

      The key piece of info is who wrote the demo malware. With all due respect, there are not that many places out there which have the competence of Crysis for both analysing malware and demoing exploitability of concepts. To put it bluntly - these guys are good, I would not want to have them as an adversary.

      As far as bypassing the defences it shows something which has been known since time forgotten - no defence can stand against a determined, competent adversary in possession of the appropriate resources.

      1. Nick Ryan

        Re: Not relevant

        Largely, what a lot of people either don't understand or don't realise is that computer AV, much like biological immune systems, is retrospective in that it needs a sample to be able to spot it and deal with it in the future. The advantage of computer AV systems is that the initial detection can be in one location and detection patterns can be spread to others - doesn't help the first victim much but does help the rest. Of course, the longer something remains undetected, which is the aim of the game, the further the spread.

        Unfortunately we're not helped when the prevalent computer system is one that was initially designed as a standalone system with a single fully trusted local user using it. However, even with a fully application-sandboxed operating system with a full and sensible application permission system, the weak point will be found between the chair and keyboard.

        1. Thunderbird 2

          Re: Not relevant

          "the weak point will be found between the chair and keyboard."

          Or what I used to term a PICNIC problem.

          Problem In Chair, Not in Computer.

  2. Ben Liddicott

    If you wander round the bad part of cybertown...

    You will get mugged.

    1. Anonymous Coward

      Re: If you wander round the bad part of cybertown...

      Maybe. But the point of this article is that if you wander round the good part of cybertown you may well get mugged, and there's not a lot you can do about it.

      The bad side of cybertown is where poor quality malware is used to recruit botnets to send spam and the like. The users of that side of the web want stuff for free, so by definition have limited money, information that's barely worth stealing. And the malware is of an appropriate grade.

      The sort of malware this research considers is made for high value targets, who as a general rule aren't torrenting grumble flicks, trading in bitcoins, or searching for J-law with her kit off. This would be launched through apparently innocent sites - watering hole attacks, for example. Or by targeting a weak link such as low paid employees working in accounts payable with a booby trapped PDF, or even suppliers with systems access (eg Home Depot, Target).

      1. Ben Liddicott

        Re: If you wander round the bad part of cybertown...

        Why would people be looking for Jude Law with his kit off? Just not getting it. He's not exactly David Hasselhoff.

  3. Tim Bergel

    Uses javascript

    so good old NoScript would have stopped it dead.

    1. Anonymous Coward

      Re: Uses javascript

      Do not worry, linkedin will come to the rescue.

      Try browsing it with noscript and after that give it a second guess why it was the chosen website for javascript injection by one particular nation adversary.

  4. Mage

    Not many people?

    You only need one expert enough and able to market, or a friend marketing it.

  5. Andy Non

    Microsoft Security Essentials pwned.

    One of my friends asked me to take a look at his computer a few weeks ago as it was slow and "behaving oddly". It was running Microsoft Security Essentials which claimed the computer had no infections. I downloaded Malwarebytes and was surprised when it found more than 100 viruses and trojans on the computer! I very much doubt that so much malware could remain undetected by the MSE anti-virus software, so the logical conclusion was that MSE had been pwned at some time to make it impotent in detecting any malware but to still give the appearance it was working fine.

    1. Khaptain

      Re: Microsoft Security Essentials pwned.

      Just out of interest which OS ?

      1. Andy Non

        Re: Microsoft Security Essentials pwned.

        Windows 7.

        1. Captain Scarlet

          Re: Microsoft Security Essentials pwned.

          If it's a virus that isn't known about at the time of infection then how would it stop it? No-one runs virus scans these days; they expect whatever AV product they have to protect against everything.

          1. Andy Non

            Re: Microsoft Security Essentials pwned.

            Quote: "If it's a virus that isn't known about at the time of infection then how would it stop it? No-one runs virus scans these days; they expect whatever AV product they have to protect against everything."

            The thing that got my interest most wasn't the fact that one or more viruses had managed to get onto the system, but that (fully up to date) Security Essentials didn't find ANY of more than 100 pieces of malware on that computer after a full scan. I may be wrong but IMO that implies something fundamental had been compromised with the virus scanner. The point I'm making is that it is too easy and dangerous to be fooled by any one anti-virus product declaring your computer to be clean if that scanner itself can be compromised. How would you even know?

            Anyway, in view of the severity of the infection I suggested a drive wipe and fresh Windows reinstall.

  6. Andy Non

    ... I'll just add.

    That wasn't a dig at MSE as such, more an observation on how dangerous it is to put faith into a single anti-virus / anti-malware product. It makes me wonder how many of the other security products out there, paid or free, can also be "neutered" rendering them useless but apparently still fully functional?

  7. chivo243

    3 strikes

    I had a user that mentioned his workstation was slow, lots of pop-up ads and a strange homepage even though it was set to another site. I had to nuke this install from orbit, it was way faster than Not once, twice, but three times in less than a month. I suggested to my boss that we grab an iMac off the shelf. I installed Chrome as the default browser with adblock. Haven't heard a peep since from the pebkac.

    FYI, it was running MSSE, and yes, we are behind a firewall and content filter. Take away from that situation what you like.

    1. Anonymous Coward

      Re: 3 strikes

      That should be 3 strikes and gone on the employee, not the computer. If you have a person who is constantly reinfecting a work machine then logs should be checked to see what he is messing around with. MSSE is not strong enough for the kind of person who clicks on dodgy adverts and surfs dubious sites during work hours. Grabbing an iMac isn't going to help that kind of employee as he will still click on those adverts and still go to the same dodgy sites on the iMac. This guy is still a risk to your office network.

      1. Unubtanium

        Re: 3 strikes

        I could not agree more!!

        It's the f'ning PICNIC's fault not MSSE!!

        This person should get official warnings for this as he IS clearly using company resources for something they should NOT! And IF continued FIRED!!!

    2. Sandtitz

      Re: 3 strikes @chivo

      Learn NOT to give admin rights to each user.

      Can the perp run and install everything on the iMac just by typing his/her password when prompted?

      1. chivo243

        Re: 3 strikes @chivo

        As far as I know, the issue turned out to be: extensions/add-ons/plug-ins for a browser and all the love that comes with those lovely extras. I would have boiled them in oil, BUT in the scheme of things I could only harm myself regardless of doing the right thing.

        No, the iMac is locked down, we have to help with any and all the Java and Flash etc update issues.

        On a more current note, another colleague has been challenged restricting web access. I heard something about only the company webmail...

  8. Primus Secundus Tertius

    "The hacker will always get through."

    Almost what was said by Stanley Baldwin, a former British prime minister, in 1932.

  9. Allan George Dyer

    Pack the mouse with C4, and connect a detonator to the left button.

  10. John Brown (no body)

    But can it... Crysis?

  11. Haro

    Absolutely undetectable

    The more something is deployed, the greater the chance it is detected. Ergo, as the limit approaches zero of deployment, the result approaches 'undetectable'. Only a nation-state would want this, just to say they had it. :) Sort of a nuclear bomb.

  12. Anonymous Coward

    Only proves what everyone already knows.

    Every lock has a pick.
