Detection Accuracy


Hello,

I have another quick question about the accuracy of the scans. If there is a detection such as "adware", can it ever happen that malwarebytes falsely depicts the category of a malware?
For example, if a scan comes up with a threat in the category "adware", does it ever happen that it is in fact a worm or something else?
How reliable are the listed malware-categories of the listed threats?

Thank you for your insight and feel free to tell me if I spam the forum too often!


11 minutes ago, Paranoid_Friendoid said:

For example, if a scan comes up with a threat in the category "adware"

Did you have an "adware" detection that concerns you? Did you quarantine it?

The detection names are mostly correct.

17 minutes ago, Paranoid_Friendoid said:

that it is in fact a worm or something else?

Even if it was something else, if it is detected and removed then it is good.


Are you using the paid version?


@Paranoid_Friendoid

You are talking about "classification" of a given malware file.

There is a taxonomy to malware based upon its functionality, processes and causalities.

The taxonomy is not unlike that given to animal and plant species.

As you move down a classification branch, it is possible that two sub-types may be misclassified. For example, take a particular vegetable such as Broccoli (Brassica oleracea), which is in the family Brassica. It is possible that a given plant could be misclassified as Brassica carinata. However, it is unlikely to be misclassified as a member of Apiaceae.

Another way to look at this is like a human infection. A virus infection diagnosis cannot be confused with a bacterial or protozoan infection, even though symptoms may overlap.

Adware and worms are two distinctly different sub-types of classification.

Adware is a sub-type of trojans and needs assistance to get installed on a PC. It could be through Social Engineering (the human exploit), or it could be through a software exploitation, or by another malware infection such as a trojan downloader.

Worms are a sub-type of viruses as they do not need assistance to get installed on a PC; instead they autonomously spread from PC to PC. Two examples are AutoRun Worms and Internet Worms. Both spread autonomously but use different methodologies. One uses the AutoRun/AutoPlay facility, such as when you place an infected Flash Drive in a USB port. The other uses network protocols such as SMB and SMTP.

There are cases where a given malware sample is multi-faceted, such as a Downloader trojan infected with a file-infecting virus such as Virut. In a case like that, the virus declaration will have the higher precedence.


Thanks for the thorough explanation of the malware classifications, the comparison with plants and infections really illustrated the concept well!
So carrying over those concepts of classification to malware,
you're essentially saying that it's possible that the sub-type of the detected malware might deviate a bit, but Malwarebytes would never be as incorrect as to (for example) display something like "adware" where it would in reality be a worm, or any other malware classification, correct?

Unrelated to this, would you have any specific book recommendations for someone who wants to expand his horizon on the topic of malware?


No, sorry, no books or web sites that I can refer you to.

Let me give a little more information and maybe more clarification.

A decade or two ago, the volume of malware was not what it is today. Viruses were much more prevalent, with many being sent through email, such as the Melissa virus (worm), and file infectors such as Virut and Parite, and the volume of trojans was such that one could assign a particular family name. A malware name may have a prefix. That could be "Win32/" or "W32/" ["Win64/" or "W64/"], or "Win32." or "Win64." ["W32." or "W64."], where the "/" or "." is the delimiter. Then comes the name, such as Oscarbot. Then comes another delimiter followed by the variant. That may also be followed by another delimiter such as "!" or "@" followed by a qualifier.

Examples: W32/Oscarbot.KD, W32.Wargbot, W97M/TrojanDropper.Lafool.NAA, W32/Bagle.DW@mm

In the above;

  • W97M/ == Word 97 Macro
  • @mm == Mass Mailer

The problem became that different companies assumed their own "take" on the standardization and also on the name.

For example, all of these detections are for the same worm, known commonly as the BlackWorm:

Aladdin Knowledge Systems: Win32.Blackmal.e
Authentium: W32/Kapser.A@mm
AVIRA: Worm/KillAV.GR
CA: Win32/Blackmal.F
ESET: Win32/VB.NEI
Fortinet: W32/Grew.A!wm
F-Secure: Nyxem.E
Grisoft: Worm/Generic.FX
H+BEDV: Worm/KillAV.GR
Kaspersky: Email-Worm.Win32.Nyxem.e
McAfee: W32/MyWife.d@MM
Microsoft: Win32/Mywife.E@mm!CME-24
Norman: W32/Small.KI
Panda: W32/Tearec.A.worm
Sophos: W32/Nyxem-D
Symantec: W32.Blackmal.E@mm
TrendMicro: WORM_GREW.A


You can see that this became an issue.

So Mitre Corp., a quasi-gov't contractor, was tasked to create what became known as the Common Malware Enumeration (CME) cross-reference list.

The BlackWorm was listed as CME-24, and a vendor may append !CME-24 to the vendor's detection name, as Microsoft did in the list above.

But the volume of malware was burgeoning, that too became untenable, and the naming convention almost completely fell apart. Today many thousands of trojans are created on a daily basis, and vendors decided that the detection as a fact is MORE important than the name, so many may show detections with word names rather than a family name like Koobface, ZBot, RBot or Zlob, but occasionally some new family may arise and the detections will use that common name.

Today we recognize three major sub-types of Malware (a portmanteau blend of MALicious softWARE): Viruses, Trojans and Exploit code, and each is like the trunk of a different tree that branches out into branches, twigs and leaves.

Unfortunately there are common misperceptions. The most common is calling everything a "virus" that one "thinks" is malicious. To deal with malware and help prevent getting infected, one must understand what malware is so they can best protect themselves, their platforms and their information. Just like you don't treat the Hepatitis B virus with an antibiotic like Erythromycin, identifying what the malware is can help in both prevention and cure. Knowledge is the best preventative medicine.


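As an added illustration of the naming grammar David lays out above (prefix, delimiter, family, delimiter, variant, then "@" or "!" qualifiers) and of why the CME cross-reference was needed, here is a small Python parser that I wrote for this thread; it is not code from the post, from Malwarebytes, or from any vendor. The platform and type token lists, the rule that a trailing "Name-X" is the Sophos-style variant, and the heuristic that a short all-letter token after the family is the variant are my assumptions, since vendors never agreed on one grammar. The vendor list is copied from the BlackWorm table in the post; "@mm" as mass-mailer and "!CME-24" as the CME id are interpreted exactly as the post describes them.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumption: token vocabularies seen in the examples above; real vendors use many more.
PLATFORMS = {"w32", "win32", "w64", "win64", "w97m"}
TYPES = {"worm", "email-worm", "trojan", "trojandropper", "trojandownloader",
         "backdoor", "virus", "adware"}

# Assumption: Sophos-style "Nyxem-D" puts the variant after a hyphen.
_HYPHEN_VARIANT = re.compile(r"^([A-Za-z0-9]{3,})-([A-Z]{1,3})$")
# Assumption: a variant is a short run of letters (KD, DW, e, NAA).
_VARIANT = re.compile(r"^[A-Za-z]{1,3}$")


@dataclass
class Detection:
    vendor: str
    raw: str
    platform: str | None = None
    type: str | None = None
    family: str | None = None
    variant: str | None = None
    qualifiers: list[str] = field(default_factory=list)

    @property
    def cme(self) -> str | None:
        """CME cross-reference id if the vendor appended one, e.g. '!CME-24'."""
        return next((q for q in self.qualifiers if re.fullmatch(r"CME-\d+", q)), None)

    @property
    def mass_mailer(self) -> bool:
        """'@mm' / '@MM' qualifier: mass mailer, per the post."""
        return any(q.lower() == "mm" for q in self.qualifiers)


def parse_detection(vendor: str, raw: str) -> Detection:
    det = Detection(vendor=vendor, raw=raw)
    # Qualifiers follow '@' or '!' and sit after the name proper.
    name, *quals = re.split(r"[@!]", raw)
    det.qualifiers = quals
    tokens = [t for t in re.split(r"[/._]", name) if t]
    m = _HYPHEN_VARIANT.match(tokens[-1])
    if m:
        tokens[-1:] = [m.group(1), m.group(2)]
    for tok in tokens:
        low = tok.lower()
        if low in PLATFORMS and det.platform is None:
            det.platform = tok
        elif low in TYPES and det.type is None:
            det.type = tok
        elif det.family is None:
            det.family = tok            # first free token is the family name
        elif det.variant is None and _VARIANT.match(tok):
            det.variant = tok
        else:
            det.qualifiers.append(tok)  # unknown trailing token: keep, don't guess
    return det


# Copied from the BlackWorm list in the post above ("Vendor: detection name").
BLACKWORM_NAMES = """\
Aladdin Knowledge Systems: Win32.Blackmal.e
Authentium: W32/Kapser.A@mm
AVIRA: Worm/KillAV.GR
CA: Win32/Blackmal.F
ESET: Win32/VB.NEI
Fortinet: W32/Grew.A!wm
F-Secure: Nyxem.E
Grisoft: Worm/Generic.FX
H+BEDV: Worm/KillAV.GR
Kaspersky: Email-Worm.Win32.Nyxem.e
McAfee: W32/MyWife.d@MM
Microsoft: Win32/Mywife.E@mm!CME-24
Norman: W32/Small.KI
Panda: W32/Tearec.A.worm
Sophos: W32/Nyxem-D
Symantec: W32.Blackmal.E@mm
TrendMicro: WORM_GREW.A
"""


def parse_vendor_list(text: str) -> list[Detection]:
    out = []
    for line in text.splitlines():
        vendor, _, name = line.partition(":")
        if name.strip():
            out.append(parse_detection(vendor.strip(), name.strip()))
    return out


def families_by_vendor(dets: list[Detection]) -> dict[str, list[str]]:
    """Group vendors by the (case-folded) family name they chose for one sample."""
    groups: dict[str, list[str]] = defaultdict(list)
    for d in dets:
        groups[(d.family or "").lower()].append(d.vendor)
    return dict(groups)


if __name__ == "__main__":
    dets = parse_vendor_list(BLACKWORM_NAMES)
    for fam, vendors in sorted(families_by_vendor(dets).items()):
        print(f"{fam:10} {', '.join(vendors)}")
    print("CME ids present:", [d.cme for d in dets if d.cme])
```

Run stand-alone it prints ten different family names for the one sample across seventeen vendors, with only Microsoft's entry carrying a CME id; that is the cross-reference problem the post describes, in a form you can feed any multi-engine scan report into.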

It is relatively tempting to want to name malicious code based on its date of activation; this can create confusing duplication of names. For instance, if we were to name every new virus with some word derived from its payload, like "March6", "January Friday 13th" or "CrashWindows", the fictional exchange illustrated below could become commonplace:

(A1 - Analyst1, works for the respectable AV company C1)
(A2 - Analyst2, works for the most respectable AV company C2)
(A3 - Analyst3, works for the (even more) respectable AV company C3)

A1: "Hey A2, have you seen that new beast, the 'Newyork' virus?"
A2: "You mean the one which fills all the files on disk with 'New York'?"
A1: "No, that's the 'NYFiller' virus, I mean the one which shows a message box with the text 'New York New York'"
A2: "Could be, I remember having seen two of them, one was a macro virus and the other one infecting Linux ELF files"
A1: "Hm, the 'Newyork' I was thinking of actually infects Windows PE files"
A2: "Ah, but I think I know what you mean, however, the one I've seen shows a message box stating 'New Orleans New Orleans'. We are calling it 'NewOrleans', of course."
A1: "Hm, that must be a new version of our 'NewYork' virus with a modified message. I think you should rename your 'NewOrleans' virus to something like 'NewYork(version:Orleans)'."
A2: "Hey, wait a minute, why not rename _your_ virus to 'NewOrleans(York)'?"
A3: "Hey guys, have you seen the new virus which fills all the files on disk with 'New Delhi'? We're calling it 'NewDelhi', of course."
A1: "Arghhh..."
A2: "Who designed this stupid payload-based naming scheme anyway...?"

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=78995af3-e961-46da-ad80-f6547bbce3b7&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments


Wow, thanks for all the input! While I can't promise to remember all of that, I'm very grateful for all the information you guys have provided! 😄
Interesting learning about the history of the naming conventions for malware.

How did you guys actually come to learn all these things? If you're willing to share, what's your background and what did you study?


21 hours ago, Porthos said:

Did you have an "adware" detection that concerns you? Did you quarantine it?

The detection names are mostly correct.

Even if it was something else, if it is detected and removed then it is good.


Are you using the paid version?

Sorry, I'm not using the paid version yet.

I had a detection on another device a few months ago and it made me wonder if an adware detection could actually be a misclassification and actually be a different type of malware.
After reading David's thorough explanation on classification and naming conventions, I assume that it's unlikely Malwarebytes misclassified it, as different malware types are completely different, like how in biology bacteria and viruses are completely different agents.


1 minute ago, David H. Lipman said:


I have spent decades studying malware and malicious activity. I was also a Malwarebytes employee as a Malware Researcher years ago.

May I ask how you've grown to have such a passion for malware? I think it's fascinating too, but it's a bit of a niche thing to develop an interest in, no? Most people just download antimalware software and then stop thinking about it.


I was a Value-Added Reseller technician.

When I was installing a Novell Network at a North New Jersey manufacturer, I noted, before copying software and data from older PCs to new AST Computers, that one of them had an NYB virus, a boot-sector infector. I had to clean the source PC and all floppy disks using McAfee software and eradicate it from that company's assets before the upgrade could proceed to the new system we were installing.

That was the impetus of obtaining a greater understanding of "malware" and associated malicious actions and activities.


2 hours ago, Paranoid_Friendoid said:

How did you guys actually come to learn all these things?

I was a nosy guy doing Internet / Google searches 😁

and collecting malware samples for Malwarebytes and my previous AV vendor Norman for many years.

