Sunbeltblog comments

With all due respect, you're missing the main point that Secunia makes with their test. Malware scanners indeed do not devote sufficient attention to detecting the exploit itself (i.e., the data corruption that can lead to execution of malicious code) and focus too much on detecting the particular dropped malicious code (or the particular known data file that contains the exploit) instead. I am not saying that detecting the latter is wrong - I am saying that *both* should be detected, because detecting the exploit lets you detect future attempts of using it in malware.


There is always a work-around against software. And so it is much better to invest more cash in detecting the known exploits than in having scanners so intelligent that they detect the unknown exploits.


Andrew, I'm afraid you don't understand. Neither Secunia nor I are talking about detecting unknown exploits with scanners.

We are talking about detecting known *exploits* - as opposed to detecting just known *files* that use known exploits, as most scanners are currently doing. If you detect the exploit itself (i.e., the data corruption), you will also automatically detect, in a generic way, all future uses of that particular exploit - no matter what shellcode and/or payload are used.

Of course there are trade-offs. Detecting a particular sample is easy - just add a checksum or a scan string or whatever. Detecting the exploit itself is difficult - you have to understand what particular data corruption in what field causes the exploit to happen, you must correctly parse the format of the exploitable data file, you have to create a whole detection algorithm (program), as opposed to a simple piece of data (checksum or scan string), and you're running the risk of causing false positives, or pseudo false positives, as you flag as malicious files that are just corrupted or that would crash just particular versions of an application. But the advantage is the ability to detect generically all future usages of this particular (known) exploit.
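The two detection strategies contrasted in the comment above, as an added example that is not part of the original thread. The container format is a constructed toy (magic bytes plus type/length/payload chunks), not any real file type, and the "corruption" is simply a length field that overruns the file; it stands in for whatever malformed field a real exploit would rely on. A checksum-based scanner knows only the one sample it has seen, while a parser that checks the field catches every file carrying the same malformation, whatever bytes follow it, and also flags a merely truncated file, which is the pseudo false positive the comment warns about.

```python
import hashlib
import struct

# Constructed toy container format (assumption for this example, not a real
# file type): 4-byte magic "TOYF", then chunks of
#   2-byte type id, 4-byte little-endian payload length, payload bytes.
MAGIC = b"TOYF"
HDR = struct.Struct("<HI")   # 6-byte chunk header


def build_file(chunks):
    """Serialize (type_id, payload) pairs into the toy format."""
    out = bytearray(MAGIC)
    for type_id, payload in chunks:
        out += HDR.pack(type_id, len(payload)) + payload
    return bytes(out)


# --- Detector 1: sample-based (the "checksum or scan string" approach) ---
KNOWN_BAD_SHA256 = set()


def signature_scan(data):
    """True only if this exact byte sequence has been seen before."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


# --- Detector 2: exploit-based (parse the format, check the field) ---
def parse_chunks(data):
    """Walk the chunk list; raise ValueError on any length that does not fit the file."""
    if not data.startswith(MAGIC):
        raise ValueError("bad magic")
    pos = len(MAGIC)
    chunks = []
    while pos < len(data):
        if len(data) - pos < HDR.size:
            raise ValueError(f"truncated chunk header at offset {pos}")
        type_id, length = HDR.unpack_from(data, pos)
        pos += HDR.size
        remaining = len(data) - pos
        if length > remaining:
            raise ValueError(
                f"chunk length {length} at offset {pos} exceeds remaining {remaining} bytes")
        chunks.append((type_id, data[pos:pos + length]))
        pos += length
    return chunks


def structural_scan(data):
    """Return (flagged, reason). Flags the malformed field itself, independent
    of whatever payload bytes follow it."""
    try:
        parse_chunks(data)
        return False, "well-formed"
    except ValueError as e:
        return True, str(e)


# Constructed samples (no real malware): the same oversized length field
# followed by two different trailing payloads, plus a benign file and a
# damaged copy of it.
BENIGN = build_file([(1, b"hello"), (2, b"world")])
OVERSIZED = HDR.pack(1, 0xFFFFFFF0)           # claims ~4 GiB in a tiny file
SAMPLE_A = MAGIC + OVERSIZED + b"payload-variant-A"
SAMPLE_B = MAGIC + OVERSIZED + b"payload-variant-B"
TRUNCATED = BENIGN[:-3]

# Only sample A was ever submitted to the signature database.
KNOWN_BAD_SHA256.add(hashlib.sha256(SAMPLE_A).hexdigest())


def compare(data):
    """Run both detectors on one file and report their verdicts."""
    return {"signature": signature_scan(data),
            "structural": structural_scan(data)[0]}


if __name__ == "__main__":
    for name, blob in [("benign", BENIGN), ("sample A", SAMPLE_A),
                       ("sample B", SAMPLE_B), ("truncated", TRUNCATED)]:
        print(f"{name:10s} {compare(blob)}  {structural_scan(blob)[1]}")
```

Sample B is the case the comment is about: a new payload behind a known malformation slips past the checksum but not past the parser. The truncated file shows the cost side: the parser cannot tell a hostile length field from a download that was cut short, so a deployment needs a policy (quarantine versus warn) for that verdict.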

