Multiscanners: part n of m

March 3rd, 2010, by Robert Sandilands

This will be my third blog posting about the dangers of multiscanners. The previous ones are: Malware Naming Confusion and Multiscanners: The good, the bad and the ugly.

This time it is about how garbage can spread and infect definition files.

What I am talking about is somebody detecting some file just because somebody else is. Or people demanding that we detect a file just because somebody else is.

We accidentally did a test that was similar to the one that Kaspersky did that led to my first blog entry on this subject. The original test was that they created several executables and added detection for them. These executables were then submitted to a public multiscanning service and they monitored detection of these samples. After a few weeks a large number of vendors detected the samples with virtually identical names.

We have a file that we detect as W32/TestSample. It is a simple Windows executable that does 2 things. It opens a handle to itself, which always fails, and it displays a message box stating that it is a test sample. This allows our OEM customers to test our memory and registry scanning routines and to test the functionality of the scan engine in a safe environment. It definitely is not malware.

Or so I thought.

Obviously if 13 products detect a file it must be malware. Interestingly enough some of the major brands detect this file. I would love to name and shame, but I am confident there must be some similar garbage in our own collection. What is really funny is that only one other vendor at least tried to copy our name for this. Two other vendors called it Adware, 3 detected it heuristically and 6 others detected it accurately by name using different names.

This specific sample is in at least one large testing organization’s test set that is used to determine malware detection rates.

It is easy to be critical towards these other companies for including detection for this but in the end I think I understand how it happened. Either a mutual client insisted that these samples must be detected or they saw the samples in the test set of some antivirus tester and decided to add detection for it because it is easier than to dispute the sample. Or they saw that we detected it and therefore added detection for it without analyzing the actual sample.

Just be careful how you interpret the results of a multiscanner. Not everything detected by antivirus products is really malware. There are too many non-technical influences on what should be detected for the results of a multiscanner to be valuable.

Blogger.com – not!

February 23rd, 2010, by Lordian Mosuela

Cybercriminals are attacking bloggers who use Google’s Blogger.com. Today we received emails asking bloggers to update their account. Here is a snapshot of the email we received:

The email contains a link that redirects to a fake login page for “Blogger.com”. As seen from the highlighted link, it has the root domain “*.erdca.kr”, which differs from the authentic root domain of blogger.com. The fake login page, known as a phishing site, looks like this:

Upon entering the blogger’s credentials and clicking the “Sign in” button on the phishing site above, it redirects to this page saying the account is updated:

The blogger’s credentials are secretly sent to the phisher’s site.

The stolen blog may be:

• sold for profit, since it is ready to earn income through advertising etc.

• modified to carry the phisher’s advertisements for another potential income.

Be extra careful when entering your credentials on the internet. Always double-check the root domain of the site before you log on. This will give you an idea whether it is a fake or an authentic site.

Malware Naming Confusion

February 16th, 2010, by Robert Sandilands

I have a set of 52 samples that I know are in the same family. Based on other meta-data I know that it is at worst different versions of the same malware that we gathered over the last few weeks. In attempting to determine a name to call this I went to the “trusty” multiscanner to determine what I could call it. I am trying to be consistent and not add to the naming confusion.

The result: I am more confused than usual. Not a single vendor was consistent in its naming.

One vendor called 22 of the samples “Trojan Horse”, another vendor called it “Trojan.Generic”. In total I had 8 votes for Trojan, one for malware, some for Pasta, a few for password stealer. In general nothing useful to be able to easily provide a consistent name. Not even “Trojan Horse” was used to identify the majority of samples. In total I had 306 distinct names for 52 samples.

I will probably end up calling this W32/Trojan because:

  • The set does not contain enough samples
  • They are not important enough to worry this much about the name
  • That is probably the same choice all of my colleagues in other companies are making about these same samples.

I don’t think the name of a piece of malware has any value. It is virtually impossible to be consistent with anybody else even if we just try the family name. Except if we start calling everything W32/Trojan. Then we can at least be consistent with the family name. But then the name will truly have no value.

I propose a new naming standard: let us identify every piece of malware with a random number. It will not provide any less information than we already provide and it will allow everybody to shrink their databases by a significant amount, as you don’t need to store these weird names in their weird formats.

But to be a bit more serious: there is true value in properly categorized malware with consistent naming. The problem is that nobody in the industry is currently doing consistent naming. To consistently categorize samples is very hard. To build meta-data to be able to associate what seem to be completely unique samples with each other with any measure of certainty is decidedly non-trivial. Most companies are trying their best to do a good job of it and sometimes you can see it. At this stage I am convinced that the route to properly handle the deluge of malware we face is to get better at these tasks.
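To make the measurement in this post repeatable, here is an added example (not code from the original post) that reduces vendor detection names to a best-effort family token and reports how consistent each vendor is across a sample set. The vendor names, sample ids and detection strings are constructed for illustration, and the normalization rules are my own assumptions about common naming formats.

```python
import re
from collections import Counter, defaultdict

# Constructed multiscanner output (not real vendors or samples):
# sample id -> {vendor: detection name, or None if the vendor did not detect}
RESULTS = {
    "sample01": {"VendorA": "Trojan Horse", "VendorB": "Trojan.Generic",
                 "VendorC": "W32/Pasta.A", "VendorD": None},
    "sample02": {"VendorA": "Trojan Horse", "VendorB": "Trojan.Generic.1234",
                 "VendorC": "W32/Pasta.B", "VendorD": "PWS-Pasta"},
    "sample03": {"VendorA": "Trojan.Win32.Pasta.c", "VendorB": "Trojan.Generic.5678",
                 "VendorC": "W32/Pasta.A", "VendorD": None},
    "sample04": {"VendorA": "Trojan Horse", "VendorB": "Gen:Variant.Pasta.1",
                 "VendorC": "W32/Pasta.C", "VendorD": "PWS-Pasta.b"},
}

# Assumed normalization rules: strip a leading platform tag, drop words that
# carry no family information, drop 1-2 letter or numeric variant suffixes.
PLATFORM_PREFIX = re.compile(r"^(w32|win32|win|pe)[./:_-]", re.I)
NOISE_TOKENS = {"trojan", "horse", "generic", "gen", "variant", "malware",
                "pws", "win32", "w32"}

def family_token(name):
    """Reduce a vendor detection name to a best-effort family token.
    Returns None for a miss and 'generic' when nothing family-like remains."""
    if not name:
        return None
    name = PLATFORM_PREFIX.sub("", name)
    tokens = [t.lower() for t in re.split(r"[./:_\-\s!]+", name) if t]
    tokens = [t for t in tokens
              if t not in NOISE_TOKENS and not re.fullmatch(r"[a-z]{1,2}|\d+", t)]
    return tokens[0] if tokens else "generic"

def naming_report(results):
    """Return (majority family, distinct raw names over the set, per-vendor stats).
    majority_agreement: share of a vendor's detections in the majority family."""
    distinct_names = defaultdict(set)
    family_votes = Counter()
    per_vendor = defaultdict(list)
    for dets in results.values():
        for vendor, name in dets.items():
            if name is None:
                continue  # a miss says nothing about naming
            distinct_names[vendor].add(name)
            fam = family_token(name)
            family_votes[fam] += 1
            per_vendor[vendor].append(fam)
    majority = family_votes.most_common(1)[0][0]
    report = {}
    for vendor, fams in per_vendor.items():
        agree = sum(1 for f in fams if f == majority) / len(fams)
        report[vendor] = {"detections": len(fams),
                          "distinct_names": len(distinct_names[vendor]),
                          "majority_agreement": round(agree, 2)}
    total_distinct = len({n for d in results.values() for n in d.values() if n})
    return majority, total_distinct, report
```

Calling naming_report(RESULTS) on the constructed set yields the majority family "pasta", 11 distinct raw names for 4 samples, and a per-vendor agreement score that separates vendors naming by family from vendors emitting only generic labels.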

Unusual Valentine’s Gift Unwraps FakeAV

February 13th, 2010, by Lordian Mosuela

While everyone is searching the web for an unusual gift on Valentine’s Day, cybercriminals take this opportunity to propagate Rogue Antivirus.

I searched for the keywords “unusual-valentines-day-gifts”, which gives the following results:

Clicking the highlighted link above leads to a fake message such as “Alert! Your system is exposed to risk of virus attack. It’s highly recommended to check your PC immediately. Press OK to start the scan right now”.

That eventually leads to the fake scanning page that will surely urge you to download and execute a binary file, just like this one:

Executing the downloaded file will install the Fake Antivirus. We detect this as W32/FakeAV.QV.

Be extra careful about what you’re clicking and don’t execute files downloaded from untrusted sites.

Multiscanners: The good, the bad and the ugly

February 3rd, 2010, by Robert Sandilands

What is a multiscanner?

It is a system where multiple AV products are used to scan files and provide a report about the files.

What is good about a multiscanner?

  • It is relatively easy to build one
  • It can provide some information about a file or set of files

What is bad about a multiscanner?

  • The quality of information you get from a multiscanner is quite low
  • It is the ideal method to copy other people’s mistakes

Before I go on to the ugly I need to explain the previous statements. When a scanner detects something the only information that you have is that some scanner detected that file. It does not imply that the file is malware.

That may sound surprising but the reality is that not all scanners were created equal. Some scanners have heuristics that are so paranoid that they trigger on virtually every second file. Today I spent some time looking at about 200 files gathered by one of our monitoring systems. The files were from three different sources and about 90% of them were detected by at least one scanner. Strangely enough they were all variants of three totally legitimate products and should not have been detected. Had I trusted the multiscanner I would have duplicated their mistake.

Not all scanners are meant to be used this way. Some scanners are focused on scanning email or gateway based traffic. This enables them to specialize and tweak their heuristics in such a way that they do an amazing job at the gateway but would be disastrous to use on the desktop. They have virtually no false positives when used as they were designed, but when used in a multiscanner or as part of a desktop product they would behave in very unexpected ways.

Some scanners will automatically detect that they are being used to scan a collection of malware and change their behavior. This can make it difficult to trust a multiscanner environment as its behavior is not consistent and the results can be surprising.

I am not going to name any specific vendors but completely trusting the information you get from a multiscanner is quite dangerous. The information gathered from a multiscanner about a file has to be added to other information about the file before a determination can be made whether the file is malware or not.

What is ugly about a multiscanner?

This article was triggered by a highly amusing article by Kaspersky: On the way to better testing. Responses by ESET and PC Magazine. What amused me is to know that they are in the same boat as we are. It is hard to convince a customer that some file that some so-called “tester” magically conjured up from some disreputable spot is garbage if 10 other scanners detect it. What is less amusing is if one of your own products is detected by 10 other products and you try to get it white listed or detection for it removed.

Both these situations are the real ugly of multiscanners. Not only the ones in use by every AV company out there but also the public ones.

I am not trying to point any fingers nor am I saying that any individual scanner or multiscanner should not be trusted. All I am saying is that the context in which a product or products are used should be understood. The risks and the value of the information provided by any source should be investigated and understood before a decision based on the information is made.

Operation Aurora

January 22nd, 2010, by Robert Sandilands

A new Microsoft Internet Explorer exploit has been identified. It specifically affects Internet Explorer 6, but it has a very low statistical chance of affecting Internet Explorer 7 or later. It does not affect Firefox, Opera, Safari or Chrome.

Yes, there have been some targeted and some not so targeted attacks using this exploit. We do detect all of the versions of the exploit that we are aware of.

If I were Microsoft I would be a bit exasperated about this exploit and all the news it is getting. What more do they need to do to protect their customers? They have released 2 newer, most likely more secure versions of their own browser that actually handle the exploit pretty well. Microsoft Internet Explorer 6 was released in August 2001. That is nearly 9 years ago. Microsoft Internet Explorer 7 was released in October 2006. That is more than 3 years ago.

There have been some accounts of a working exploit for Internet Explorer 7 but we have not seen that used in malware.

Microsoft did release a patch for this exploit.

We strongly recommend the following actions:

1. Apply all patches to the Operating System and all applications used. It just takes one missing patch to allow a system to be compromised.
2. Seriously consider improving the diversity of the Internet by using one of the many alternate browsers that are available.

Is My Computer Infected?

December 29th, 2009, by Lordian Mosuela

This is the question that my sister-in-law asked me this morning. She is bothered by annoying pop-ups telling her the computer is infected and that in order to get rid of the infections she needs to purchase an Antivirus Product (named Security Tool). Here are snapshots of the Security Tool fake antivirus that I found on the laptop computer.

[Image: Main Window of the Fake AV]

[Image: Fake Pop-up Window Warning after Scanning]

[Image: Activation Pop-up Window after clicking the “Remove all threats now” button]

The two possible ways the computer got infected with the Fake AV are as follows:

• Clicking an untrusted link on Social Networking Websites such as Facebook, Friendster, MySpace, etc., then executing the file downloaded from the suspicious link.
• Clicking an untrustworthy link on a Web Search Engine such as Google, Yahoo, etc., then executing the file downloaded from the fraudulent link.

We detect the Fake AV file as W32/FakeAlert.DX3.gen!Eldorado, which was found under the following location:

C:\ProgramData\14665830\14665830.exe

Just a friendly reminder before the year 2009 ends: don’t download and execute files from unreliable sources or be mesmerized into purchasing the Rogue Anti-Malware Product.

[Image: Purchase Window after clicking the “Activate Security Tool” button]

Have a Happy New Year Everyone! ;)

Fraud SunTrust Online Treasures Zbot

December 23rd, 2009, by Lordian Mosuela

A scam on SunTrust Online Treasury Manager was being spammed this week. Here is a sample of the spam email:

[Image: spam email]

Clicking the link leads to a fake SunTrust Online Treasury Manager login page:

[Image: fake login page]

When the user enters credentials on the above page, it redirects to another forged page that asks the user for a “Wire PIN” if the “Wire Transfers” check box is checked. Here’s the snapshot of that page:

[Image: second fake login page]

Lastly, clicking the “CREATE DIGITAL CERTIFICATE” button downloads the Trojan Spyware Zbot as shown below.

[Image: save-as file dialog]

We detect the downloaded “certificate.exe” as W32/Zbot.AMZ.

We advise users doing Online Banking to be extra careful this coming Christmas day. Log in to the trusted Online Banking Site, like the page below:

[Image: authentic login page]

Pacquiao-Cotto Fight Blows Fake AV

November 16th, 2009, by Lordian Mosuela

I’m amazed at how Manny Pacquiao delivered his furious hand speed that landed more blows on Miguel Cotto to win the WBO welterweight boxing title held at the MGM Grand Garden Arena in Las Vegas, Nevada yesterday.

It would not surprise me if Fake AV took aggressive blows at this big event over the internet in order to lure computer users into buying the fake antivirus software, which gives profit to the Fake AV gang.

Googling for the keywords “Pacquiao Cotto Fight” gives the following results:

[Image: Google search results with the Fake AV link]

Clicking the highlighted link leads to a fake message, just like this one:

[Image: Fake AV message box]

Clicking OK or the “X” button will still go to the fake scanning page as shown below. This is a common punch for all Fake AVs, in order to get computer users to download and execute a binary file.

[Image: Fake AV scanning page]

Executing the downloaded files will install Rogue Anti-Malware Products as a sure knock-out by the Fake AV gang. We detect these binary files as W32/FakeAlert.DY.gen!Eldorado and FakeAV.OW.

Have safe browsing! :-)

Antivirus researcher turned bad

October 27th, 2009, by Robert Sandilands

So there is this 18 year old kid that is making news. Some people call him a security professional, some people give him credit for “advancing the state of security”, some people even call him an antivirus researcher.

This is based on the fact that the 18 year old Peter Kleissner has started doing things that would not be considered good behavior in the antivirus industry. Some of it is documented at Former Anti-Virus Researcher Turns Tables On Industry.

You will have noticed that thus far I have mentioned his age twice. If you go to his blog you will notice that the school he is studying at seems to be investigating him for other behaviors too.

Let’s get some balance to this story. I think he is doing a really good job at destroying himself and I hope he has friends and family that can help and support him when he figures that out. I am not trying to protect him or to say what he is doing has any merit; it does not.

What I am saying is that he is young, angry and confused. He is also just 18. He probably does not know enough yet to be a danger to anybody but himself and is probably about 10 years away from making a lasting impression in any field. Let’s hope he figures out what he is doing to himself before he gets into real trouble.

Now that I have said nice things about him: I don’t think anything he has done is really going to damage the antivirus industry. I also think that Ikarus was totally correct in asking him to leave. If he was my employee I would probably have done the same thing.

I think the real malware groups out there are doing things much more professionally. They are using people that are paid more and better qualified than Peter. I personally would not recommend a job as a malware author either: I have a suspicion that side of the fence uses baseball bats. We just fire people or force them to listen to rants about malware naming conventions.

I also think this shows that the antivirus industry is serious about staying on the right side of the fence. Due to that he will probably never work in the antivirus industry again and any “security” company that appoints him will announce something about their ethics.