Last-minute presentations: presented at Virus Bulletin 2008

14:00 - 14:20 VB testing - present status, future plans, John Hawes, Virus Bulletin
VB's unique VB100 comparative review system has been around for 10 years, and has seen few
changes in its core design since its 1998 inception. Over the last few
years, VB has introduced a range of additions to the data produced in each
test, including significant redesigns of the speed tests and 'zoo' collections.
Now, for the first time in 10 years, VB plans to introduce a major new addition to these tests.
The new test is based around a system of weekly test sets which cover the three weeks
immediately prior to product freezing as well as one week after. The test is designed to
measure the ability of AV labs to keep up with
the 'flood' of new malware, as well as introducing measurements of
heuristic and generic detection abilities, through the element of
retrospective testing. We hope it will show some interesting trends over

This presentation will focus on the latest addition to the testing line-up. We'll look at
how and why these changes have been designed and implemented, and some of the
problems involved, and will also cover further plans for expansion
and improvement in the future.
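The weekly-set design above (three sets from the weeks before the product freeze, one from the week after, with the post-freeze week giving the retrospective figure) can be illustrated with a small scoring script. The following is an added example written for this page, not Virus Bulletin's own test harness; the freeze date, the sample names and their detection results are constructed, and the bucketing and averaging rules are my reading of the abstract, not VB's published scoring.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean

# Weekly sets relative to the product freeze date, as the abstract describes:
# three weeks immediately before the freeze and one week after it.
WEEK_OFFSETS = (-3, -2, -1, 1)

# Constructed freeze date for the worked example (not a real VB test date).
FREEZE = date(2008, 9, 1)


@dataclass(frozen=True)
class Sample:
    """One malware sample in the test corpus (constructed for this example)."""
    name: str
    first_seen: date   # date the sample first reached the test lab
    detected: bool     # whether the frozen product detected it


def week_bucket(first_seen: date, freeze: date):
    """Map a sample's first-seen date to a weekly set.

    Returns -3, -2 or -1 for the three weeks before the freeze, +1 for the
    week starting on the freeze date, or None when the sample falls outside
    the four-week window and is excluded from the test.
    """
    days = (first_seen - freeze).days
    if days < 0:
        week = -((-days - 1) // 7 + 1)   # -1..-7 -> -1, -8..-14 -> -2, -15..-21 -> -3
    else:
        week = days // 7 + 1              # 0..6 -> +1
    return week if week in WEEK_OFFSETS else None


def detection_rates(samples, freeze):
    """Per-week detection rate: detected / total for each weekly set."""
    totals = {w: 0 for w in WEEK_OFFSETS}
    hits = {w: 0 for w in WEEK_OFFSETS}
    for s in samples:
        w = week_bucket(s.first_seen, freeze)
        if w is None:
            continue
        totals[w] += 1
        hits[w] += int(s.detected)
    return {w: (hits[w] / totals[w] if totals[w] else None) for w in WEEK_OFFSETS}


def summarize(rates):
    """Collapse the four weekly rates into two figures: the average over the
    three pre-freeze weeks (how well the lab kept up with the inflow) and the
    post-freeze week, the retrospective figure that only heuristic or generic
    detection can score on, since the product was frozen before those samples
    existed.
    """
    pre = [rates[w] for w in (-3, -2, -1) if rates[w] is not None]
    return {
        "pre_freeze_avg": mean(pre) if pre else None,
        "post_freeze": rates[1],
    }


def build_corpus(freeze):
    """Constructed sample set: four samples per week, detection falling off
    towards the freeze date; one sample older than the window is ignored."""
    plan = {-3: (1, 1, 1, 1), -2: (1, 1, 1, 0), -1: (1, 1, 0, 0), 1: (1, 0, 0, 0)}
    samples = []
    for week, flags in plan.items():
        start = freeze + timedelta(days=7 * week) if week < 0 else freeze
        for i, flag in enumerate(flags):
            samples.append(Sample(f"w{week:+d}-{i}", start + timedelta(days=i), bool(flag)))
    samples.append(Sample("too-old", freeze - timedelta(days=31), True))
    return samples


def run_example():
    """Score the constructed corpus against the constructed freeze date."""
    rates = detection_rates(build_corpus(FREEZE), FREEZE)
    return rates, summarize(rates)


if __name__ == "__main__":
    rates, summary = run_example()
    for w in WEEK_OFFSETS:
        print(f"week {w:+d}: {rates[w]:.0%}")
    print(f"pre-freeze average: {summary['pre_freeze_avg']:.0%}")
    print(f"post-freeze (retrospective): {summary['post_freeze']:.0%}")
```

The gap between the pre-freeze average and the post-freeze week is the point of the retrospective set: a product that relies on signatures alone scores well on samples its lab had time to process and falls away on the week it could not have seen, while generic and heuristic detection narrows that gap.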

14:20 - 14:40 Race to zero with online scanners, Boris Lau, Sophos
DEFCON 2008 proposes to challenge AV vendors by modifying
malware samples to avoid detection by anti-virus scanners.
However, we have already been
observing these activities in the wild as malware authors
attempt to systematically break detection with various online
scanners using existing AV detection.

Observing malware authors using their tricks gives us a unique
opportunity to understand their working processes. Analysing
this information allows the AV industry to stay ahead in the
fight against malware.

At SophosLabs we have a database of samples submitted to the
labs which provide statistics that enable us to correlate
samples from various sources and establish a picture of the
workflow of malware authors. In this presentation I will use
recent case studies based on data taken from our database to
show the efforts malware authors put into evading detection.