Analyst's Diary
On the way to better testing
Magnus | February 01, 2010 | 15:09 GMT
Have you ever found a false positive when uploading a file to a website like VirusTotal? Sometimes it happens that not just one scanner detects the file, but several. This leads to an absurd situation where every product which doesn't detect this file automatically looks bad to users who don't understand that it's just a false positive. Sadly you will find the same situation in a lot of AV tests, especially in static on-demand tests where sometimes hundreds of thousands of samples are scanned. Naturally, validating such a huge number of samples requires a lot of resources. That's why most testers can only verify a subset of the files they use. What about the rest? The only way for them to classify the rest of their files is to use a combination of source reputation and multi-scanning. This means that, as in the VirusTotal example above, every company that doesn't detect samples that are detected by other companies will look bad - even if the samples are corrupted or absolutely clean.

Since good test results are a key factor for AV companies, this has led to the rise of multi-scanner-based detection. Naturally AV vendors, including us, have been scanning suspicious files with each other's scanners for years now. Obviously knowing what verdicts are produced by other AV vendors is useful: for instance, if 10 AV vendors detect a suspicious file as a Trojan downloader, this helps you know where to start. But this is certainly different from what we're seeing now: driven by the need for good test results, the use of multi-scanner-based detection has increased a lot over the last few years. Of course no one really likes this situation - in the end our task is to protect our users, not to hack test methodologies.

This is why a German computer magazine conducted an experiment, the results of which were presented at a security conference last October: they created a clean file, asked us to add a false detection for it and finally uploaded it to VirusTotal. Some months later this file was detected by more than 20 scanners on VirusTotal. After the presentation, representatives from several AV vendors at the event agreed that a solution should be found. However, multi-scanner-based detection is just the symptom - the root of the problem is the test methodology itself.

Unfortunately there isn't much AV companies can do about it, because in the end it's magazines that order tests - and if they can choose between a cheap static on-demand test using an impressive-sounding 1 million samples (some of which are several months old) or an expensive dynamic test with fewer, but validated, zero-day samples, most magazines will choose the first option. As I've mentioned above, AV companies as well as most testers are aware of this problem, and they aren't too happy about it. Improving test methodologies was also the reason why, two years ago, a number of AV companies (including us), independent researchers and testers founded AMTSO (the Anti-Malware Testing Standards Organization). But in the end it's the journalists that play the key role.

This is why we decided to illustrate the problem during our recent press tour in Moscow, where we welcomed journalists from all around the world. Naturally the goal was not to discredit any AV companies (you could also find examples where we detected a file because of the multi-scanner's influence), but to highlight the negative effect of cheap static on-demand tests. What we did pretty much replicated what the German computer magazine did last year, only with more samples: we created 20 clean files and added a fake detection for 10 of them. Over the next few days we re-uploaded all twenty files to VirusTotal to see what would happen.

After ten days, all of our detected (but not actually malicious) files were detected by up to 14 other AV companies - in some cases the false detection was probably the result of aggressive heuristics, but multi-scanning obviously influenced some of the results. We handed out all the samples used to the journalists so they could test them for themselves. We were aware this might be a risky step: since our presentation also covered the question of intellectual property, there was a risk that journalists might focus on who copies from whom, rather than on the main issue (multi-scanning being the symptom, not the root cause). But at the end of the day, it's the journalists who have it in their power to order better tests, so we had to start somewhere.

So where should we go from here? The good news is that in the last few months, some testers have already started to work on new test methodologies. Instead of static on-demand scanning they try to test the whole chain of detection components: anti-spam module -> in-the-cloud protection -> signature-based detection -> emulation -> behavior-based real-time analysis, etc. But ultimately, it's up to the magazines to order this type of test and to abandon approaches that are simply outdated. If we get rid of static on-demand tests with their mass of unvalidated samples, the copying of classifications will at least be significantly reduced, test results will correspond more closely to reality (even if that means saying goodbye to 99.x% detection rates) and in the end everyone will benefit: the press, the users and of course us as well.
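As an added example (not code from the post or from Kaspersky), here is a small Python model of the experiment above: twenty constructed clean files, ten of them given a deliberate detection by a hypothetical "VendorA" on day 0, re-scanned daily for ten days. It separates samples whose extra detections only appeared after the seed verdict (candidates for copied classifications) from those detected independently, which is the per-sample validation a tester would need before counting a "miss" against a vendor. Vendor names and all daily verdicts are constructed.

```python
# Added example: models the 20-file experiment described in the post.
# Vendor names, the seeding vendor and all daily verdicts are constructed.
SEED_VENDOR = "VendorA"  # hypothetical vendor that added the deliberate detection
OTHER_VENDORS = [f"Vendor{chr(c)}" for c in range(ord("B"), ord("P"))]  # 14 others


def constructed_observations():
    """sample -> {day: set of vendors detecting it}; deterministic toy data."""
    obs = {}
    for i in range(20):
        seeded, by_day = i < 10, {}
        for day in range(11):
            verdicts = set()
            if seeded:
                verdicts.add(SEED_VENDOR)
                # copied verdicts appear a day late and pile up, capped at 14
                verdicts.update(OTHER_VENDORS[:min(14, max(0, day - 1) * (1 + i % 3))])
            elif i == 15 and day >= 3:
                verdicts.add("VendorH")  # one control file hit by an aggressive heuristic
            by_day[day] = verdicts
        obs[f"clean{i:02d}.exe"] = by_day
    return obs


def classify(observations, seed_vendor=SEED_VENDOR):
    """Label each sample by how its detections relate to the seed vendor's verdict:
    propagated  - only the seed detected it at first, other vendors followed later
    independent - detected by vendors with no seed verdict to copy from
    seed_only   - nobody ever followed the seed; undetected - never detected."""
    labels = {}
    for sample, by_day in observations.items():
        days = sorted(by_day)
        first, last = by_day[days[0]], by_day[days[-1]]
        others_first, others_last = first - {seed_vendor}, last - {seed_vendor}
        if seed_vendor in first and not others_first and others_last:
            labels[sample] = "propagated"
        elif others_last:
            labels[sample] = "independent"
        elif seed_vendor in first:
            labels[sample] = "seed_only"
        else:
            labels[sample] = "undetected"
    return labels


def propagation_curve(observations, sample, seed_vendor=SEED_VENDOR):
    """Non-seed detection count per day, in day order (the shape a tester should inspect)."""
    by_day = observations[sample]
    return [len(by_day[d] - {seed_vendor}) for d in sorted(by_day)]


if __name__ == "__main__":
    obs = constructed_observations()
    for sample, label in sorted(classify(obs).items()):
        print(f"{sample}: {label:11s} {propagation_curve(obs, sample)}")
```

A sample labelled "propagated" is exactly the one a static on-demand test would count against every vendor that did not follow, which is why such files need validation rather than a majority vote.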

Costin | January 22, 2010 | 13:00 GMT
Earlier today, Microsoft released the out-of-band (OOB) Microsoft Security Bulletin MS10-002 (rated "Critical") to the public. The cumulative Security Update for Internet Explorer (978207) fixes a couple of serious issues which allow remote code execution through malicious HTML pages - vulnerabilities that are now known to have been used in the Google/Adobe hack. The bulletin is available here: http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx

To patch, just use Windows Update. In addition to that, Microsoft created a tool which will opt Internet Explorer in to Data Execution Prevention (DEP), if your processor has this feature and the operating system is aware of it. DEP is a wonderful technology which makes it much harder for hackers to exploit vulnerabilities such as this one. We recommend that you check it out at: http://support.microsoft.com/kb/978207

As usual, there are a few other fine alternatives to IE out there that you might want to try. I recommend Chrome (http://www.google.com/chrome), Firefox (http://www.getfirefox.com/) and Opera (http://www.opera.com/download/).

Fabio | January 15, 2010 | 20:00 GMT
Another day, another disaster - this time a big earthquake in Haiti - and once again the bad guys are exploiting the subject to poison search results, so that those looking for news get led to a page offering a rogue AV solution. We're detecting this rogue software, and all its variants, as UDS:DangerousObject.Multi.Generic. Our colleagues at Sunbelt Software have identified more than 50 search terms used on search engines to lead the user to a malicious page. This isn't exclusive to Google - Yahoo! results are also affected by the same trick:

Another interesting fact is that you only get redirected to the malicious page offering the rogue AV if the referral link originated on a search engine page. If you try to access the URL directly, you'll see a clean page:
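One check an analyst can run for the behaviour described above, as an added example that is not code from the post: request the same URL once directly and once with a search-engine Referer, without following redirects, and compare status, Location and body hash. The search URL, the analysed URL and the captured responses in the usage block are constructed; `cloaking_verdict` works on already-captured responses so it can be exercised offline.

```python
# Added example: detect referrer-conditional cloaking by comparing two fetches.
# SEARCH_REFERER and everything under __main__ are constructed placeholders.
import hashlib
import urllib.request
from urllib.error import HTTPError

SEARCH_REFERER = "https://www.google.com/search?q=haiti+earthquake+news"
REDIRECTS = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep 3xx responses instead of following them, so Location stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx response


def fetch_variant(url, referer=None, timeout=10):
    """One request; returns status, Location header and a hash of the body."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        resp = opener.open(req, timeout=timeout)
    except HTTPError as err:  # 3xx and 4xx/5xx land here; they still have a body
        resp = err
    body = resp.read()
    return {"status": resp.getcode(), "location": resp.headers.get("Location"),
            "body_sha256": hashlib.sha256(body).hexdigest()}


def cloaking_verdict(direct, via_search):
    """Compare a direct visit with one that claims to arrive from a search engine."""
    if direct == via_search:
        return "consistent"
    if via_search["status"] in REDIRECTS and direct["status"] == 200:
        return "redirects only with search referer"
    return "content differs by referer"


def check_url(url):
    """Fetch both variants and return the verdict plus the raw observations."""
    direct, via_search = fetch_variant(url), fetch_variant(url, SEARCH_REFERER)
    return cloaking_verdict(direct, via_search), direct, via_search


if __name__ == "__main__":
    # Constructed captures standing in for a cloaked landing page (no network needed).
    clean = {"status": 200, "location": None, "body_sha256": "0" * 64}
    cloaked = {"status": 302, "location": "http://[redacted]/scan", "body_sha256": "1" * 64}
    print(cloaking_verdict(clean, clean), "|", cloaking_verdict(clean, cloaked))
```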

January Patch Tuesday
Bo | January 12, 2010 | 20:54 GMT

From the look of things, Microsoft is starting off slow this year with only one of each in today's release - one bulletin, one advisory and one re-released bulletin. However, there is still no bulletin for Security Advisory 977544 - the Vulnerability in SMB Could Allow Denial of Service. Microsoft says they are still working on an update for this issue and are not aware of any attacks using the exploit code.

The bulletin they did release is the MS09-035 Active Template Library (ATL) bulletin, re-released after adding Windows Embedded CE 6.0 to the affected product list. This release only affects developers and OEMs building applications on top of CE 6 or producing devices that use the operating system.

The last release from Microsoft was Security Advisory 979267, to increase awareness regarding reports of vulnerabilities in the Adobe Flash Player 6 which shipped with Windows XP. I would like to mention that Flash 6.0 is a very old version, considering it came with XP, so please update to the latest version of Flash. Please note that Adobe is releasing Security Advisory APSB10-02 today to resolve critical vulnerabilities being actively exploited in Adobe Reader and Acrobat 9.2 on Windows, Mac and UNIX.

Even with only one update from Microsoft, I would suggest that everyone installs it as a matter of standard procedure. But I would make the Adobe update my first priority this month.

Open season on tax-payers
Dmitry | January 07, 2010 | 19:57 GMT
As any reader of this blog knows, cybercriminals can steal your money not just by putting malware on your machine, but by phishing attacks too. Phishing attacks don't just target online banking and e-payment systems, but almost any site which asks the user to input sensitive data. Sites run by national government agencies are a prime example, as they often demand a wealth of personal information which goes far beyond a simple user name or account number + PIN. While filling in a tax return online might seem like a great way to save time and paper, it gives cybercriminals a great opportunity to scoop all your details at once - data which could then be used to steal your identity and/or commit further crimes in your name.

We came across one such phishing site recently. Now that 2010 is in full swing, U.S. taxpayers can start submitting their tax returns for 2009. (Although the final deadline for submission isn't until April 15th, the earlier you submit your paperwork, the earlier you'll receive any rebate due.) And for added convenience, you can do this online, via the official IRS site. The cybercriminals haven't missed a trick here: the phishing site is an alarmingly accurate copy of the original, with even the Acrobat Reader toolbar being neatly copied.

It's likely that there will be an increase in such sites as the deadline for submitting tax returns gets closer. So as always, be on your guard - with attacks like this you could lose far more than your credit card number, which can be easily blocked - and make sure you always check the full address of the site that you're on, to be sure it's genuine.

Cybercriminals go shopping
Dmitry | December 31, 2009 | 11:21 GMT
It's holiday time, and of course the bad guys know that shopping is a popular activity during this period, particularly in Europe and the US. And it's in these regions that most people pay for their purchases either using credit cards, or e-payment systems like PayPal, WebMoney etc. In order to target this data, cybercriminals create "universal" malicious programs, which will intercept all financial data, whether it relates to credit cards, bank accounts, or e-payment systems.

A recent case shows this clearly: a botnet made up of several thousand machines was used to install Trojan.Win32.Vilsel.qhw on 972 victim machines, all of which are located in the US. It seems likely that this botnet was rented specially in order to install this malware - a common practice in the cybercriminal world. There are plenty of places on the Internet which offer this "service", as the screenshot below shows. In order to deliver the Trojan to 972 machines in the US, the bad guys would have had to pay around $100.

So where's the profit in this? Well, the malware in question will intercept Internet transactions made using Internet Explorer and the new(ish) Chrome browser. That covers a huge percentage of Internet users, and because the malware targets a whole range of payment options, it won't make any difference if payment is made by credit card or PayPal - confidential data will still get logged and then sent onwards to the bad guys. Additionally, once it's been run for the first time on the victim machine, this malware deletes its original file (to hide traces of infection), prevents access to Task Manager at system registry level, and also blocks Regedit, making it more difficult to manually check the system and identify and delete the malware.

According to VirusTotal, at the time of writing only 6/40 (15%) of antivirus vendors detected this threat, and a lot of the big names were among those missing.

Trojan.Sejweek: a new variant
Denis | December 24, 2009 | 13:17 GMT
I blogged a week ago about a Trojan for mobile devices called Sejweek. We've just detected a new version - what's changed in the course of a week?

First, the URL has changed: Sejweek.b (the latest variant) downloads an XML file from http://unique*****.com/*****/get.php, which is a different URL from the one used by the previous version. Second, the XML file which the link leads to has been modified - now the file looks like this:

And third, although Sejweek still sends SMS messages to a short, premium-pay number, it's now sending them to 7122 (a different number to that used by the previous variant), and each SMS costs $10. The one thing that hasn't changed is that Sejweek will still send SMS messages every 11 seconds, so there'll still be a severe impact on your account balance.

And finally, do be careful: Sejweek disguises itself as a whole range of applications, so don't download anything unless you're sure you know what you're getting.

All about Brittany on Twitter
Dmitry | December 23, 2009 | 08:47 GMT
The day before yesterday, our industry colleagues wrote about how searches on "Brittany Murphy" using search engines brought up sites containing links to malware. So it's the usual situation, with the bad guys exploiting the death of a famous person, just like they did with Michael Jackson.

Yesterday we identified some Twitter accounts that are being used both to send "make money on the Internet" spam, and also to spread links to malware. In both cases, they used Brittany Murphy's name. Here are a couple of examples:

The actual text of messages of this type can vary. What characterizes them is that the first link is genuine, i.e. it leads to a site which really does talk about the topic tweeted. The second link, though, leads to standard spam advertising sites which tell you how to earn money on the Internet, offer various goods, etc.

The second type of tweet we're seeing is undeniably malicious. These tweets, like the first type, use Brittany Murphy's name, but have a shortened bit.ly URL leading to malware:

Theoretically, all shortened bit.ly URLs get checked to make sure there's no malware. But in this case it looks as though there've been so many that they can't be processed quickly enough to prevent abuse. The screenshot confirms this - the link was tweeted a day before we found it, and it was still live. This type of tweet follows the standard pattern: click, and you get redirected to a malicious site:

What's behind all these videos? Malware, of course: this time, it's Packed.Win32.Krap.ag. It's got a backdoor function. It also downloads rogue AV software, which requires the victim to "purchase" it in order to delete "viruses" supposedly detected on the machine.

At the time I was putting this blog together, there were 6,950,994,912 tweets about the death of Brittany Murphy. And lots of Twitter users are retweeting the bad guys' messages, meaning that the number of malicious tweets (and the number of potential victims) is only going to grow.
To sum up, Brittany Murphy's death is currently being exploited by cybercriminals in two ways:
- To send spam linking to sites offering a range of goods and services
- To spread malware
So please be very, very cautious when you're searching Twitter (or any other social network) for news about Brittany Murphy. The hot topic of the day is always going to be exploited by cybercriminals, but you can make things more difficult for them: don't click on short URLs, and even more important, don't retweet suspicious looking messages to your followers.

Magnus | December 22, 2009 | 10:21 GMT
mwcollectd v4, a next-generation low-interaction malware collection honeypot, has just been released. It's written in C++, but the easy integration of additional Python modules means that malware researchers around the world can easily extend the honeypot with new protocols and features. We're happy to be sponsoring this project, which was mainly developed by Georg Wicherski (one of our virus analysts in Germany) and Mark Schloesser, from RWTH Aachen University. It's published under the LGPL license. If you want to take a look at mwcollectd, it's here, and libemu, which is used by mwcollectd, is here.

Dmitry | December 22, 2009 | 07:58 GMT
Crime traditionally increases during the holiday season, and cybercrime is no different. The malware writers, spammers and scammers are out in force. They've recently hit "Odnoklassniki" with this message:

"Hi! I've got a New Year surprise for you [emoticon] send 2133 279 (must be with a space) to 4460 and you'll be pleasantly surprised! If you don't take a look, I'll be very grouchy with you [emoticon]"

This message is clearly designed to make the bad guys a bit of holiday cash: an SMS sent to the number given in the message costs between $5 and $12, depending on the mobile service provider. With similar messages going out on other social networks like VKontakte, Facebook and MySpace, the scammers could do nicely out of this one. And because the messages might come from friends or contacts who've had their accounts hijacked, it's easy to be fooled.

Enjoy the holidays, enjoy spending time with your family and friends, and enjoy the Internet - just be careful and keep safe!