February 3rd, 2010
What is a multiscanner?
It is a system where multiple AV products are used to scan files and provide a report about the files.
What is good about a multiscanner?
It is relatively easy to build one
It can provide some information about a file or set of files
What is bad about a multiscanner?
The quality of information you get from a multiscanner is quite low
It is the ideal method to copy other people’s mistakes
Before I go on to the ugly I need to explain the previous statements. When a scanner detects something the only information that you have is that some scanner detected that file. It does not imply that the file is malware.
That may sound surprising, but the reality is that not all scanners were created equal. Some scanners have heuristics that are so paranoid that they trigger on virtually every second file. Today I spent some time looking at about 200 files gathered by one of our monitoring systems. The files were from three different sources and about 90% of them were detected by at least one scanner. Strangely enough, they were all variants of three totally legitimate products and should not have been detected. Had I trusted the multiscanner I would have duplicated their mistake.
Not all scanners are meant to be used this way. Some scanners are focused on scanning email or gateway based traffic. This enables them to specialize and tweak their heuristics in such a way that they do an amazing job at the gateway but would be disastrous to use on the desktop. They have virtually no false positives when used as they were designed, but when used in a multiscanner or as part of a desktop product they would behave in very unexpected ways.
Some scanners will automatically detect that they are being used to scan a collection of malware and change their behavior. This makes them difficult to trust in a multiscanner environment, as their behavior is not consistent and the results can be surprising.
I am not going to name any specific vendors, but completely trusting the information you get from a multiscanner is quite dangerous. The information a multiscanner gives you about a file has to be combined with other information about the file before a determination can be made whether the file is malware or not.
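To make the last point concrete, here is an added example (not the blog's or any vendor's code) of a triage function that treats multiscanner hits as one weighted input among several. The scanner names and weights, the allowlist, the publisher-signature flag and the prevalence numbers are all constructed for illustration; a real deployment would derive each scanner's weight from its measured false-positive behavior in the context it is being used in.

```python
"""Combining multiscanner hits with other evidence before calling a file malware.

Added example for the post above, not the blog's or any vendor's code. The
scanner names, weights, publisher flags and prevalence numbers are constructed
for illustration.
"""
import hashlib
from dataclasses import dataclass

# Constructed scanner profiles. A scanner tuned for gateway/e-mail traffic, or
# one whose heuristics fire on nearly every second file, contributes much less
# on its own than a detection from a scanner meant for this kind of use.
SCANNER_WEIGHT = {
    "desktop-a": 1.0,
    "desktop-b": 1.0,
    "gateway-c": 0.3,   # assumed: excellent at the mail gateway, paranoid elsewhere
    "paranoid-d": 0.1,  # assumed: heuristics that trigger on almost everything
}

# Constructed allowlist: SHA-256 of files an analyst has already verified as clean.
KNOWN_GOOD = {hashlib.sha256(b"constructed known-good installer").hexdigest()}


@dataclass
class FileReport:
    name: str
    data: bytes
    hits: dict                       # scanner name -> detection name, only for scanners that fired
    trusted_signature: bool = False  # valid code signature from a publisher we trust
    prevalence: int = 0              # machines on which this exact file has been seen


def multiscanner_score(hits, weights=SCANNER_WEIGHT):
    """Weighted detection count. Scanners with no profile get a neutral 0.5."""
    return sum(weights.get(scanner, 0.5) for scanner in hits)


def assess(report, threshold=1.5):
    """Return (verdict, reasons). Raw detections alone never decide 'malware'."""
    reasons = []
    digest = hashlib.sha256(report.data).hexdigest()
    if digest in KNOWN_GOOD:
        return "clean", ["hash on verified-clean allowlist"]

    score = multiscanner_score(report.hits)
    reasons.append(f"weighted multiscanner score {score:.1f} from {len(report.hits)} hit(s)")
    if report.trusted_signature:
        score -= 1.0
        reasons.append("valid signature from trusted publisher")
    if report.prevalence >= 1000:
        score -= 0.5
        reasons.append(f"widely deployed ({report.prevalence} machines)")

    if score >= threshold:
        return "malware", reasons
    if score > 0.5:
        return "needs-analyst-review", reasons
    return "likely-clean", reasons


def run_examples():
    """Constructed files showing how the same number of hits can mean different things."""
    reports = [
        # A legitimate, signed, widely installed product flagged only by the two
        # paranoid scanners: the situation described in the post.
        FileReport("legit-setup.exe", b"constructed legit product bytes",
                   {"gateway-c": "Heur.Suspicious", "paranoid-d": "Generic.Packed"},
                   trusted_signature=True, prevalence=50000),
        # Unsigned, rare, and caught by both desktop-class scanners plus the gateway one.
        FileReport("invoice.exe", b"constructed dropper bytes",
                   {"desktop-a": "Trojan.Dropper", "desktop-b": "Trojan.Gen",
                    "gateway-c": "Heur.Suspicious"}),
        # One desktop detection on an unsigned file: not enough either way.
        FileReport("update.exe", b"constructed unknown bytes",
                   {"desktop-a": "Trojan.Gen"}),
        # Hash already verified clean by an analyst; the detections are irrelevant.
        FileReport("known.exe", b"constructed known-good installer",
                   {"paranoid-d": "Generic.Packed", "desktop-a": "Trojan.Gen"}),
    ]
    return {r.name: assess(r)[0] for r in reports}


if __name__ == "__main__":
    for name, verdict in run_examples().items():
        print(f"{name}: {verdict}")
```

The point of the weights is the one the post makes: two hits from scanners that were never designed for this use carry less evidence than one hit from a scanner that was, and neither outweighs a verified-clean hash or a trusted signature on a widely deployed file.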
What is ugly about a multiscanner?
This article was triggered by a highly amusing article by Kaspersky: On the way to better testing. Responses by ESET and PC Magazine. What amused me is to know that they are in the same boat as we are. It is hard to convince a customer that some file that some so-called “tester” magically conjured up from some disreputable spot is garbage if 10 other scanners detect it. What is less amusing is if one of your own products is detected by 10 other products and you try to get it whitelisted or the detection removed.
Both these situations are the real ugly of multiscanners. Not only the ones in use by every AV company out there but also the public ones.
I am not trying to point any fingers nor am I saying that any individual scanner or multiscanner should not be trusted. All I am saying is that the context in which a product or products are used should be understood. The risks and the value of the information provided by any source should be investigated and understood before a decision based on the information is made.
This post was written by Robert Sandilands
Posted in This and That | No Comments »
January 22nd, 2010
A new Microsoft Internet Explorer exploit has been identified. It specifically affects Internet Explorer 6, but it has a very low statistical chance of affecting Internet Explorer 7 or later. It does not affect Firefox, Opera, Safari or Chrome.
Yes, there have been some targeted and some not so targeted attacks using this exploit. We do detect all of the versions of the exploit that we are aware of.
If I were Microsoft I would be a bit exasperated about this exploit and all the news it is getting. What more do they need to do to protect their customers? They have released 2 newer, most likely more secure, versions of their own browser that actually handle the exploit pretty well. Microsoft Internet Explorer 6 was released in August 2001. That is nearly 9 years ago. Microsoft Internet Explorer 7 was released in October 2006. That is more than 3 years ago.
There have been some accounts of a working exploit for Internet Explorer 7, but we have not seen that used in malware.
Microsoft did release a patch for this exploit.
We strongly recommend the following actions:
1. Apply all patches to the operating system and all applications used. It takes just one missing patch to allow a system to be compromised.
2. Seriously consider improving the diversity of the Internet by using one of the many alternate browsers that are available.
This post was written by Robert Sandilands
Posted in Exploits | No Comments »
December 29th, 2009
This is the question that my sister-in-law asked me this morning. She is bothered by annoying pop-ups telling her the computer is infected and that, in order to get rid of the infections, she needs to purchase the antivirus product (named Security Tool). Here are the snapshots of the Security Tool fake antivirus infection that I found on the laptop computer.
Main Window of the Fake AV
Fake Pop-up Window Warning after Scanning
Activation Pop-up Window after clicking “Remove all threats now” Button
The two possible factors that made the computer infected with Fake AV are as follows:
- Clicking an untrusted link on a social networking website such as Facebook, Friendster, MySpace, etc., and then executing the file downloaded from the suspicious link.
- Clicking an untrustworthy link on a web search engine such as Google, Yahoo, etc., and then executing the file downloaded from the fraudulent link.
We detect the Fake AV file as W32/FakeAlert.DX3.gen!Eldorado which was found under the following location:
C:\ProgramData\14665830\14665830.exe
Just a friendly reminder before the year 2009 ends: don’t download and execute files from unreliable sources, and don’t be mesmerized into purchasing a rogue anti-malware product.
Purchase Window after clicking “Activate Security Tool” Button
Have a Happy New Year Everyone!
This post was written by Lordian Mosuela
Posted in Interesting Virus Activity, New Virus Activity, Potentially Unwanted Applications | 2 Comments »
December 23rd, 2009
A scam targeting SunTrust Online Treasury Manager was being spammed this week. Here is a sample of the spam email:

Clicking the link leads to a fake SunTrust Online Treasury Manager login page:

Once the user enters credentials on the page above, it redirects to another forged page that asks the user for a “Wire PIN” if the “Wire Transfers” check box is checked. Here’s the snapshot of that page:

Lastly, clicking the “CREATE DIGITAL CERTIFICATE” button downloads the Zbot trojan spyware, as shown below.

We detect the downloaded “certificate.exe” as W32/Zbot.AMZ.
We advise users doing online banking to be extra careful this coming Christmas. Log in only to the trusted online banking site, like the page below:

This post was written by Lordian Mosuela
Posted in Interesting Virus Activity, New Virus Activity, Phishing, This and That | No Comments »
November 16th, 2009
I’m amazed at how Manny Pacquiao delivered his furious hand speed, landing more blows on Miguel Cotto to win the WBO welterweight boxing title held at the MGM Grand Garden Arena in Las Vegas, Nevada yesterday.
It would not surprise me if Fake AV took aggressive blows at this big event over the internet in order to lure computer users into buying fake antivirus software, which gives profit to the Fake AV gang.
Googling for the keywords “Pacquiao Cotto Fight” gives the following results:

Clicking the highlighted link will lead to a fake message, just like this one:

Clicking the OK or “X” button still leads to a fake scanning page, as shown below. This is a common punch for all Fake AVs to get computer users to download and execute a binary file.

Executing the downloaded files installs rogue anti-malware products, a sure knock-out by the Fake AV gang. We detect these binary files as W32/FakeAlert.DY.gen!Eldorado and FakeAV.OW.
Have a safe browsing!
This post was written by Lordian Mosuela
Posted in Interesting Virus Activity, Potentially Unwanted Applications, This and That | 1 Comment »
October 27th, 2009
So there is this 18 year old kid that is making news. Some people call him a security professional, some people give him credit for “advancing the state of security”, some people even call him an antivirus researcher.
This is based on the fact that the 18 year old Peter Kleissner has started doing things that would not be considered good behavior in the antivirus industry. Some of it is documented at Former Anti-Virus Researcher Turns Tables On Industry.
You will have noticed that thus far I have mentioned his age twice. If you go to his blog you will notice that the school he is studying at seems to be investigating him for other behaviors too.
Let’s get some balance to this story. I think he is doing a really good job at destroying himself and I hope he has friends and family that can help and support him when he figures that out. I am not trying to protect him or to say what he is doing has any merit; it does not.
What I am saying is that he is young, angry and confused. He is also just 18. He probably does not know enough yet to be a danger to anybody but himself and is probably about 10 years away from making a lasting impression in any field. Let’s hope he figures out what he is doing to himself before he gets into real trouble.
Now that I have said nice things about him, I don’t think anything he has done is really going to damage the antivirus industry. I also think that Ikarus was totally correct in asking him to leave. If he was my employee I would probably have done the same thing.
I think the real malware groups out there are doing things much more professionally. They are using people that are paid more and better qualified than Peter. I personally would not recommend a job as a malware author either: I have a suspicion that side of the fence uses baseball bats. We just fire people or force them to listen to rants about malware naming conventions.
I also think this shows that the antivirus industry is serious about staying on the right side of the fence. Due to that he will probably never work in the antivirus industry again and any “security” company that appoints him will announce something about their ethics.
This post was written by Robert Sandilands
Posted in This and That | 2 Comments »
October 15th, 2009
If you monitored our definition file releases today, you will have noticed that we released quite a few.
We have had 7 releases over the last 24 hours. We are not one of those companies that do releases just because we need to keep a schedule. Okay, we do at least one a day on a regular schedule if nothing interesting happens.
This implies significant activity by the gang that produces this malware. Bredolab has not been the only threat we have seen over the last 24 hours, but it was definitely the most numerous.
I went back and looked at the activity in our email honeypot for the last 3 months or so. What I found is shown in the following graphs. The first graph shows the drastic increase in raw numbers in the last month compared to the 2 months before that. Not only are we seeing more samples at a time, we are also seeing them on a regular basis. Our heuristic detection has mostly been doing well, but it is a continuous effort to keep on top of all of this.

This graph indicates the number of unique malware names we have seen over the period. There is always some noise in these graphs from old malware that keeps on mailing the same old samples over and over. This situation has improved drastically over the last year as ISPs have finally started clamping down on some of the worst offenders. It is, however, easy to see that the number of new variants we are seeing just from this one source is much higher over the last month than at any other time.
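The two graphs come from counting an email honeypot log two different ways: raw samples per month, and distinct detection names per month. The following added example (not the blog's own tooling) shows that counting on a constructed log, plus the two extra cuts the paragraph above hints at: which names are persistent noise that appears every month, and how many names are genuinely new in each month. The log format (date, sample id, detection name) and every line in it are constructed for illustration.

```python
"""Per-month sample and variant counts from an e-mail honeypot log.

Added example for the post above, not the blog's own tooling. The log lines
are constructed, not real honeypot data. Each line holds an ISO date, a sample
identifier (a file hash in practice) and the detection name assigned to it.
"""
from collections import Counter, defaultdict

HONEYPOT_LOG = """\
# constructed: date  sample-id  detection-name
2009-07-02 s01 W32/Bredolab.A
2009-07-11 s02 W32/Mytob.B
2009-07-23 s03 W32/Netsky.Q
2009-08-04 s04 W32/Bredolab.B
2009-08-09 s05 W32/Mytob.B
2009-08-17 s06 W32/Netsky.Q
2009-08-28 s07 W32/Bredolab.B
2009-09-01 s08 W32/Bredolab.C
2009-09-03 s09 W32/Bredolab.D
2009-09-08 s10 W32/Bredolab.E
2009-09-12 s11 W32/Mytob.B
2009-09-15 s12 W32/Bredolab.C
2009-09-19 s13 W32/Netsky.Q
2009-09-24 s14 W32/Bredolab.F
2009-09-29 s15 W32/Bredolab.C
"""


def parse_log(text):
    """Return a list of (month, sample_id, name) tuples, skipping blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, sample_id, name = line.split(maxsplit=2)
        records.append((date[:7], sample_id, name))   # "YYYY-MM" is enough for the graphs
    return records


def samples_per_month(records):
    """Raw volume: the first graph in the post."""
    return Counter(month for month, _, _ in records)


def _names_by_month(records):
    names = defaultdict(set)
    for month, _, name in records:
        names[month].add(name)
    return names


def unique_names_per_month(records):
    """Distinct detection names seen each month: the second graph in the post."""
    return {month: len(s) for month, s in sorted(_names_by_month(records).items())}


def persistent_noise(records):
    """Names present in every month: old malware that keeps mailing itself."""
    names = _names_by_month(records)
    return set.intersection(*names.values()) if names else set()


def new_variants_per_month(records):
    """Names first seen in a given month, which removes the persistent noise."""
    first_seen = {}
    for month, _, name in sorted(records):
        first_seen.setdefault(name, month)
    return Counter(first_seen.values())


if __name__ == "__main__":
    recs = parse_log(HONEYPOT_LOG)
    print("samples/month      ", dict(samples_per_month(recs)))
    print("unique names/month ", unique_names_per_month(recs))
    print("new variants/month ", dict(new_variants_per_month(recs)))
    print("persistent noise   ", sorted(persistent_noise(recs)))
```

On the constructed log the raw count climbs from 3 to 8 per month while the unique-name count climbs from 3 to 6; stripping out the two names that recur every month makes the jump in genuinely new variants in the last month stand out more clearly than either graph alone.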

This post was written by Robert Sandilands
Posted in New Virus Activity | No Comments »
October 6th, 2009
The Fake AV gang is now taking advantage of the recent disasters in the Philippines. The Philippines was hit by Typhoon Ketsana (Ondoy), followed by Typhoon Parma (Pepeng), which brought serious flooding. Searching for the keywords “philippines-flood-2009” on the Google and Yahoo search engines gives the following results:

Clicking the link will redirect the user to a fake alert message, just like one of the following:



Users will not be able to close these messages; clicking the OK, Cancel or “X” button still leads to a fake malware scanning page that eventually reports fake infections and downloads the binary files shown below:

We detect the files downloaded from the aforementioned malicious links as W32/FakeAV.NJ and W32/FakeAV.NK. The downloaded files install rogue anti-malware products.
As a reminder, don’t run files downloaded from untrusted sources.
This post was written by Lordian Mosuela
Posted in Interesting Virus Activity, Potentially Unwanted Applications, This and That | 1 Comment »
September 25th, 2009
Another Virus Bulletin Conference is over and I have to say it was better than last year. In general the talks were of higher quality and the entertainment was entertaining.
The conference ended with a panel “discussion” about Fake antivirus products that turned out to be more entertaining than informative. If it was informative it would probably have been boring, as there are a limited number of ways to politely call something a scourge to society.
I enjoyed the talk by nexGIN about PE-Probe where they use statistical classification techniques to classify malware. I have done similar experiments with encouraging results, but not as good as the ones they report. Maybe it is time to look at my experiments again.
I found the talk “Is there a lawyer in the lab?” very informative and enjoyable. Just don’t tell Juraj Malcho I said so.
There were several talks about cloud/cumulus and other air-based technologies. Somebody even predicted intergalactic cluster technologies in the near future. The talks by Symantec (Reputation: a new chapter in malware protection) and by Bitdefender (Tales from Cloud Nine) were good. Andreas Marx provided a good reality check with his presentation “Why ‘in-the-cloud’ scanning is not a solution”.
The last-minute presentations were also of a high quality and I have to congratulate Virus Bulletin on introducing them. I specifically enjoyed the talk on Koobface by Ivan Macalintal and “Connecting the AV Industry” by Igor Muttik. The presentation on “My bots are not yours!” by Eric Wu was also very informative.
In short: congratulations to the Virus Bulletin team on providing an informative and high quality conference. It was well worth attending.
This post was written by Robert Sandilands
Posted in This and That | No Comments »
August 20th, 2009
As antivirus technology continues to evolve in creating detections, malware writers keep inventing new strategies for their viruses to avoid detection by the security industry.
Here is a preview of the server-side polymorphic malware we encountered:

The malware connects to the following link:

We have downloaded enough samples from the attacker’s server to generate a generic detection for this malware. We detect the malware samples as W32/Laglass!Generic.
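The post does not say how the generic detection was built, so the following is an added example of one simple approach, not the vendor's engine: collect enough variants, find the longest byte sequence common to all of them, and reject any candidate that also appears in a set of known-clean files so the signature does not reproduce the false-positive problem discussed elsewhere on this page. The variant bytes, the shared stub and the benign files are all constructed for illustration.

```python
"""Deriving one generic byte signature from a set of server-side polymorphic
variants. Added example for this post, not the vendor's detection engine: the
sample bytes, benign files and the longest-common-substring approach are all
assumptions made for illustration.
"""

# Constructed variants: the server wraps the same decryption stub in different
# junk on every download, so only the stub survives across all of them.
SHARED_STUB = b"\x90\x90DECRYPT-LOOP:\x8b\x1e\x31\xd8\xc3"
SAMPLES = [
    b"AAAAAA" + SHARED_STUB + b"111",
    b"BBB" + SHARED_STUB + b"2222",
    b"CCCCC" + SHARED_STUB + b"33",
    b"D" + SHARED_STUB + b"4444444",
]

# Constructed clean files used to reject candidate signatures that would cause
# false positives; each contains a fragment of the stub but not the whole stub.
BENIGN = [
    b"plain text that happens to contain DECRYPT-LOOP: as a label",
    b"\x90\x90\x90\x90 nop padding inside an ordinary installer",
]


def derive_signature(samples, benign, min_len=8):
    """Longest byte string present in every sample and absent from every benign file.

    Candidates are taken from the shortest sample, longest first, so the first
    one that satisfies both conditions is returned. Cubic in the length of the
    shortest sample, which is fine for a handful of small samples.
    """
    shortest = min(samples, key=len)
    for length in range(len(shortest), min_len - 1, -1):
        for start in range(len(shortest) - length + 1):
            candidate = shortest[start:start + length]
            if all(candidate in s for s in samples) and not any(candidate in b for b in benign):
                return candidate
    return None


def matches(signature, data):
    """True when the signature is usable and occurs in the data."""
    return signature is not None and signature in data


def coverage(signature, samples, benign):
    """(true positives, false positives) for a signature over both corpora."""
    true_positives = sum(matches(signature, s) for s in samples)
    false_positives = sum(matches(signature, b) for b in benign)
    return true_positives, false_positives


if __name__ == "__main__":
    sig = derive_signature(SAMPLES, BENIGN)
    print("signature:", sig)
    print("coverage (tp, fp):", coverage(sig, SAMPLES, BENIGN))
```

Passing a benign corpus that happens to contain the stub itself makes derive_signature return None rather than a shorter, more generic fragment that would also hit the clean file: a generic detection is only as good as the clean set it was checked against.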
This post was written by Lordian Mosuela
Posted in Interesting Virus Activity, New Virus Activity | 1 Comment »