APT Detection: Could you trust the built-in email virus scan engine?

Post date: May 3, 2011 2:12:54 PM

Today I met up with some Google fellows and learned about Google's security; they have readily made efforts on it. I would like to try out whether they could dig those APT samples out.

I have got APT (Advanced Persistent Threat) samples (http://contagiodump.blogspot.com/2010/08/malicious-documents-archive-for.html) and tried them out with my Gmail account. Three samples could be detected, and most of the malicious PDFs could be found. One PDF is missed, but it is marked as malicious when I click "Send" to send this email to myself.

This means Gmail conducts two rounds of virus scanning: once when the document is uploaded and again when the email is sent out.

Finally, I have got my APT attachment back, as shown below:

The story is not about whether Gmail did its work or not. It should be a global issue on detecting targeted attacks, especially via email attachments.

We have tested them with our engine (which is mainly developed by my research fellows in Taiwan), which could detect these two attachments but missed the one detected by the engine in Gmail.

We have submitted our research abstract to Black Hat and DEFCON this year. Please stay tuned, and we need to tune our engine as well :-)

I have uploaded these samples to various places in Google, like Google Document, and even tried to attach them to this blog post. They were all successful. Again, we need to be alert in this area.