Webroot Malware Detection - Hackers in China Attacked The Times for Last 4 Months

  • 4 February 2013
  • 3 replies

  • Fresh Face
  • 4 replies
The New York Times and Wall Street Journal have recently published articles on having their networks hacked by the Chinese government and malware planted on their machines. The malware was not detected by the security and anti-virus software these companies used. (If I recall, the NYT said that it's Symantec security software flagged 1 out of 46 pieces of malware.) Is webroot getting access to those malware samples and adding them to it's detection capabilities?

Best answer by JimM 6 February 2013, 16:53

View original

3 replies

Userlevel 7
Hi mjb,

At the moment, we're trying to gather details on the specific infections that were used. Hopefully we'll have more to say as we gain more insight into which infections were used in the attacks. WSA does quite well against specific, targeted attacks because of how much visibility we have into unknown files and how quickly we can classify them based on behaviors. We hope to be able to provide a more definitive answer if we can ascertain which threats were used.
Userlevel 3
I wish to mention here my problem with Webroot Threat Research:
I have a customer who has 5700+ undetermined software in the 'All undetermined software seen' report for months.
(And some more customers with 1000+ undetermined software)
First of all, I do not understand how this can happen? Actually, I expect Webroot Threat Research to classify all undetermined software as soon as possible, otherwise how could Webroot guarantee that there are not any malware among them --- that are being able to run on the endpoint thanks to the way WSA client is developed, it will run just until the client receives the BAD classification from the cloud. But it looks like many thousand software are simply never gets classified. So in my reading, a malware can simply run anytime for quite a long time (eg. for month as in our case).
I think the expected approach from Webroot is that in case of undetermined objects added to the list and the reported to the cloud then Webroot shall process it ASAP (just like any other AV lab in the world) and classify so that in quite a soon time (most likely in less time than AV competitors) we shall see Webroot's classification in the console. Then we can feel safe and protected and supported good. Otherwise, how could Webroot ensure that viruses ever get recognized (especially targeted malware) if this list is not processed for ALL Webroot users?
I have been constantly asking Webroot for months now support to classify all our undetermined software one-by-one but they just wrote me:
"Most of the undetermined software has only been seen on one PC in the environment and by determining these files, it is very time consuming with not much of an effect other than not showing up on the undetermined list on your side."
So if this is the official Webroot Support / Threat Research approach, how can you expect Webroot protect against such targeted malware like you mentioned here?
Userlevel 7
Inquiring minds will want to know that Gyozo's question was answered in this other topic.  🙂