Panda Cloud Test File

March 9th, 2010 Pedro Bustamante 8 comments

Similar to the EICAR file, we have created a small “Cloud Test File” which testers and users can use to verify that their Panda product can successfully connect to the Collective Intelligence cloud-scanning servers.


The file PandaCloudTestFile.exe should be detected:

  • During HTTP download
  • On-Access
  • On-Demand

Download PandaCloudTestFile.exe. Its MD5 hash is E01A57998BC116134EE96B6D5DD88A13. Alternatively, you can download a password-protected RAR file with the EXE in it. The password is “panda”.

DISCLAIMER: This file is *not malicious*. If it is detected it simply means your Panda product can correctly connect to Collective Intelligence.

NOTE TO OTHER AV VENDORS: Please do not add detection for this file.

Vodafone distributes Mariposa botnet

March 8th, 2010 Pedro Bustamante 39 comments

Here is yet another example of a company distributing malware to its user base. Unfortunately it probably won’t be the last.

Today one of our colleagues received a brand new Vodafone HTC Magic with Google’s Android OS. “Neat,” she said. Vodafone distributes this phone to its user base in some European countries, and it seems affordable as you can get it for 0€ or 1€ under certain conditions.

The interesting thing is that when she plugged the phone into her PC via USB, her Panda Cloud Antivirus went off, detecting both an autorun.inf and an autorun.exe as malicious. A quick look at the phone revealed it was infected and was spreading the infection to any and all PCs it was plugged into.
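As an added example (not code from the original post), here is the kind of small triage script a defender would run against a mounted drive such as the phone’s storage: it parses autorun.inf for the keys that can launch a program and hashes the binaries they point at, in the same upper-case MD5 format the blog uses for PandaCloudTestFile.exe. The sample autorun.inf, the placeholder binary and the `demo()` helper are constructed for illustration.

```python
import configparser
import hashlib
import os
import shlex
import tempfile
# Constructed sample autorun.inf, like the one the phone carried: an
# [autorun] section pointing at an executable in the drive root.
SAMPLE_AUTORUN = """[autorun]
open=autorun.exe
shell\\open\\command=autorun.exe
"""
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")  # keys that start a program

def md5_of(path: str) -> str:
    with open(path, "rb") as f:  # upper-case hex, the way the blog quotes hashes
        return hashlib.md5(f.read()).hexdigest().upper()

def parse_autorun(text: str) -> dict:
    """Map each launch-capable key in [autorun] to the program it names."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    launches = {}
    for section in cp.sections():
        if section.lower() == "autorun":
            for key, value in cp.items(section):  # keys come back lower-cased
                if key in LAUNCH_KEYS and value.strip():
                    # first token is the program (quotes kept), the rest are arguments
                    launches[key] = shlex.split(value, posix=False)[0].strip('"')
    return launches

def triage_drive(drive_root: str) -> dict:
    """Report what autorun.inf would launch and hash the binaries it names."""
    report = {"launches": {}, "binaries": {}}
    inf = os.path.join(drive_root, "autorun.inf")
    if not os.path.isfile(inf):
        return report  # nothing can auto-start from this drive
    with open(inf, "r", errors="replace") as f:
        report["launches"] = parse_autorun(f.read())
    for exe in set(report["launches"].values()):
        path = os.path.join(drive_root, exe)
        report["binaries"][exe] = md5_of(path) if os.path.isfile(path) else None
    return report

def demo() -> dict:
    # Build a throwaway "drive" holding the constructed files and triage it
    root = tempfile.mkdtemp()
    files = {"autorun.inf": SAMPLE_AUTORUN.encode(), "autorun.exe": b"MZ placeholder\n"}
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return triage_drive(root)
```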

A quick analysis of the malware reveals that it is in fact a Mariposa bot client. This one, unlike the one announced last week, which was run by the Spanish hacker group “DDP Team”, is run by some guy named “tnls”, as the botnet-control mechanism shows:

00129953  |.  81F2 736C6E74         |XOR EDX,746E6C73 ; ”tnls”

The Command & Control servers which it connects to via UDP to receive instructions are:

mx5.nadnadzz2.info
mx5.channeltrb123trb.com
mx5.ka3ek2.com

Once infected, you can see the malware “phoning home” to receive further instructions, probably to steal all of the user’s credentials and send them to the malware writer.

Interestingly enough, the Mariposa bot is not the only malware I found on the Vodafone HTC Magic phone. There’s also Conficker and a Lineage password-stealing malware. I wonder who’s doing QA at Vodafone and HTC these days :(

Spam Honeypot Catch

February 3rd, 2010 Pedro Bustamante 4 comments

Last week I wrote about a modified Akismet plugin for WordPress which we are using as a blog comment spam honeypot. Recently the honeypot caught an interesting comment whose only content was a link to a website:
hxxp://krojamsoft.com/confickerwormremover.php (do not visit this link)

Basically this site advertises a program that removes Conficker infections. It lets you download the supposed “remover”, but all it does is show a window where you can enter the “removal registration key” and prompt you to buy a key for $19.

Of course the entire thing is just a fraud. If you happen to fall for it, the only thing this program does is launch a real Conficker remover from a well-known antivirus company, which you can get for free anyway.

If you do happen to suspect having an infection, make sure to scan your PC with Panda ActiveScan or simply install Panda Cloud Antivirus Free Edition, Editor’s Choice for Best Free Antivirus.


Panda @ AV-Comparatives

January 26th, 2010 Pedro Bustamante 12 comments

After some years we have decided to participate again in the AV-Comparatives.org tests.

The main driver for this decision has been the evolution of the methodologies employed by AV-Comparatives. We are happy to see that the cloud-scanning components of products are also tested, which is of course important for testing Panda products, as they incorporate not only signature-based cloud-scanning but also cloud-heuristics.

We will participate in all the main tests of AV-Comparatives (On-Demand, Retrospective, False Positive, Malware Removal, etc.) as well as the new Whole-Product Test, a very promising test that replicates the user experience.

However, AV-Comparatives’ Retrospective Test (which consists of freezing two-week-old signatures and testing against new malware to see how good the heuristic engine is) still does not exercise the cloud-heuristics present in Panda products. Even though this methodology will penalize Panda’s products to some degree, we believe it is important to be present in the rest of the tests performed by AV-Comparatives.


Blog Comment Spam Honeypot

January 25th, 2010 Pedro Bustamante 6 comments

One of the most common vectors for distributing malware nowadays is spamming blogs with comments pointing to malicious sites that host exploits, malware, rogue antiviruses or other types of scams.

In order to analyze the huge volume of spam comments that come in through our various Panda blogs (PandaLabs, Panda Research, Panda Cloud Antivirus Blog, etc.), Iker from PandaLabs has developed a “blog comment spam honeypot”, which is basically a modified Akismet plugin for WordPress. The honeypot posts everything that Akismet detects as spam into an XML file, which is then processed: all links are followed to detect malware, exploits, drive-by downloads, etc.

If you have a WordPress blog and would like to install the honeypot to send your trapped spam to PandaLabs for analysis, simply download and install the blog comment spam honeypot.

Thanks to Iker for all his work on spam research.

OT: Vacation

January 1st, 2010 Pedro Bustamante 12 comments

Happy new year everybody !

I’m taking some days off with the family. This is the view from our cabin :)

I’ll be back in a few days…. maybe :)


Arguments against cloud-based antivirus

December 1st, 2009 Pedro Bustamante 5 comments

With any advance in science and technology there will always be critics and people opposed to change. This has happened over and over again in the course of history. Antivirus is no different. We saw resistance when we released behavioral analysis in 2004 (which is mainstream technology nowadays), and we have seen it recently with the release of Panda Cloud Antivirus.

In this post I have compiled a list of all the arguments against cloud-based antivirus that I was able to find. Let us review them and see why each is based on either a misconception or a simple lack of understanding of how this technology works.

Malware could cripple the Internet connection and render the cloud antivirus useless
Exactly the same thing could happen to a traditional signature-based antivirus. If malware gets through the traditional signature defenses and manages to disable your Internet connection, you will not be able to get signature updates from your AV vendor and therefore will not be protected against the new malware variants, rendering your traditional AV just as useless.

A cloud-based antivirus needs to check everything against the cloud, so it takes more time
Actually, not everything is checked against the cloud. At least with Panda’s implementation of cloud-scanning, there are locally installed technologies (heuristics, a cache of cloud detections, a goodware cache, etc.) that detect a good deal of malware threats and known-good files, and none of those files are checked against the cloud. Think about it: once you install the cloud-based antivirus, how many new programs do you install on your computer every day? Not that many, right? Once installed, only new programs copied to or trying to run on your computer are checked against the cloud (if they are not detected first by the local technologies). From our beta testing phase we have seen that on average Panda Cloud Antivirus consumes only a few KB of bandwidth per day, less than typical traditional signature updates.

It is an invasion of privacy. I do not want my files & documents to leave my computer
This is one of the most common misconceptions, maybe due to some weak implementations of cloud-scanning by some vendors. At least in Panda’s implementation of cloud-scanning, when a file is “scanned by the cloud” it doesn’t actually leave your computer; it is not uploaded to our Collective Intelligence servers. What really happens is that Panda Cloud Antivirus creates a really small reverse signature of the file, and that signature is what gets checked against the cloud. Also, cloud-scanning is only applied to Portable Executable (PE) files, so your Word/Excel documents, etc. are not checked against the cloud. There is one scenario with PE files where, if a file is flagged as suspicious and Collective Intelligence doesn’t already have a copy of it, the file is uploaded for further analysis. But even then, people can opt out of participating in the community by simply unchecking this option in the product.

Cloud-based antivirus does not protect while offline
While this might be true of some cloud-based antivirus implementations, in the case of Panda Cloud Antivirus it is not. Panda Cloud Antivirus has a local cached copy of the Collective Intelligence cloud servers. This local cache is tasked with detecting (even while not connected to the Internet) malware that is in the wild, non-PE malware and other threats. Unlike traditional signature updates, this local cache is a “moving target” of what the community sees circulating out there in the wild, and is therefore able to efficiently protect against the threats that matter. This local cache does not protect against Win98 or DOS viruses, or even malware that is dead or not circulating anymore. That is why the community aspect of Panda Cloud Antivirus is so important: the more people use it, the better protection it offers.

So that means it provides lower protection while offline
First let’s take a look at the practical aspect: after running the beta and release of Panda Cloud Antivirus for over 7 months with millions of users, we have not had a single recorded incident of an infected user while not connected to the Internet. There’s a common misconception that protection = detection rates over millions of samples as tested by magazines. This is not really true, as those tests include malware that is dead, not circulating anymore or that does not even work on your operating system (like old DOS/Win98 viruses). If we define protection as stopping real-life malware that is circulating, then the offline protection offered by Panda Cloud Antivirus is more than enough.

So if I have some old malware and disconnect from the Internet, can I infect myself?
Yes, of course. You can also take a stroll through the worst neighborhood of your city sporting a gold watch and necklaces, and there’s a pretty good chance you will be (at least) mugged. Or you can just drive off a 200 meter cliff hoping your seatbelt and airbag will be enough to save your life. Panda Cloud Antivirus was designed for real people and real-life use. With that in mind, you won’t have to worry about these highly unlikely scenarios during your normal computing experience.

I’m worried about latency and response time
This is a very valid worry with regards to an AV whose real-time monitor (on-access scanner) works in synchronous mode against the cloud. Currently we have two “timeouts” in the product: a first one to notify the user of latency problems and a second one that blocks the execution altogether if no answer is received. However, from our measurements over the last months, in over 98% of cases the response time of the on-access scanner is below a second. Keep in mind that only a few bytes are sent back and forth when a file is queried, so the real impact is really low.
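The decision logic described in the last three answers (local cache first, only a fingerprint sent, non-PE files never queried, a first timeout that only notifies and a second that blocks), as an added Python sketch that is not Panda’s code. The SHA-256 fingerprint stands in for the product’s reverse signature, the timeout values are assumed, and `fake_cloud` is a constructed stand-in for the Collective Intelligence servers so both timeouts can be exercised offline.

```python
import hashlib
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as NoAnswer

class CloudScanner:
    """On-access decision logic: local cache first, then a bounded cloud query."""

    def __init__(self, cloud_lookup, warn_after=0.05, block_after=0.5):
        self.cloud_lookup = cloud_lookup  # fingerprint -> "malware"/"goodware"/None
        self.warn_after = warn_after      # first timeout: notify the user of latency
        self.block_after = block_after    # second timeout: no answer -> block
        self.cache = {}                   # local cache of earlier cloud verdicts
        self.notices = []                 # what the user would be told
        self._pool = ThreadPoolExecutor(max_workers=4)

    @staticmethod
    def fingerprint(data: bytes) -> str:
        # Only this digest is sent to the cloud, never the file itself
        return hashlib.sha256(data).hexdigest()

    def on_access(self, data: bytes, is_pe: bool) -> str:
        """Return 'allow' or 'block' for a file about to run or be copied."""
        if not is_pe:
            return "allow"  # documents and other non-PE files are never queried
        fp = self.fingerprint(data)
        verdict = self.cache.get(fp)
        if verdict is None:  # cache miss: ask the cloud, bounded by both timeouts
            started = time.monotonic()
            future = self._pool.submit(self.cloud_lookup, fp)
            try:
                verdict = future.result(timeout=self.block_after)
            except NoAnswer:
                self.notices.append(("no-answer", fp))
                return "block"  # second timeout hit: fail closed
            if time.monotonic() - started > self.warn_after:
                self.notices.append(("slow", fp))  # first timeout: notify only
            if verdict in ("malware", "goodware"):
                self.cache[fp] = verdict  # unknown files are not cached
        return "block" if verdict == "malware" else "allow"

# Constructed stand-in for the Collective Intelligence servers: a fixed verdict
# table plus an optional artificial delay so both timeouts can be exercised.
KNOWN = {CloudScanner.fingerprint(b"MZ bad sample"): "malware",
         CloudScanner.fingerprint(b"MZ known good"): "goodware"}

def fake_cloud(fp: str, delay: float = 0.0):
    time.sleep(delay)
    return KNOWN.get(fp)
```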

Cloud-scanning is just the latest marketing buzzword
It seems it is becoming much more of a buzzword. But that doesn’t mean there is no benefit behind it. Many different products (not only security-related) are migrating their “intelligence” to the cloud, leaving behind old, overloaded, slow applications in exchange for faster, always up-to-date clients. There is a clear benefit not only from the perspective of developers, who are much less constrained by the limitations of a single PC, but also from the point of view of the user, who gets an improved computing experience without all the negative aspects of resource consumption on his/her PC.

Cloud-scanning is just a way for AV vendors to lower their cost of downloading signatures
Yeah right, you should talk to our CFO about this (he stands out as the only one with grey hairs because of how expensive this whole thing has been :) ). Seriously, it would have been waaaaay cheaper to stick to the existing traditional signature download infrastructure than to set up an additional multi-million infrastructure just for cloud-scanning. Not only is there the initial investment but also the continuous maintenance. And of course this does not take into consideration the additional investment in development and QA that’s also needed to develop and maintain this technology in the products.

Cloud-scanning is only good as a second opinion
This might have been true of the first cloud implementations a couple of years ago (online scanners, the first cloud-only products, etc.), but it is not true anymore. At least with Panda’s implementation, Panda Cloud Antivirus is a full replacement for a traditional AV. Panda Cloud Antivirus has the best of both worlds: it includes local protection for offline use and the most effective protection while online. While some vendors are adding some cloud-scanning abilities to their existing products (as an additional technology in the mix of different technologies), Panda Cloud Antivirus has been developed from scratch to work in real time in synchronous mode against the cloud. It has been proven to be an effective replacement for the traditional signature approach.

If you can think of any other argument against this type of technology feel free to let us know! :)

New Panda Research Blog Style

November 18th, 2009 Pedro Bustamante 6 comments

As you will notice, we’ve migrated the Panda Research blog to a new platform, which I’m hoping will take less time to manage, especially moderating comments and filtering spam, which took a lot of time with the cumbersome Microsoft blogging platform.

If you’ve posted a comment which hasn’t made the migration, please post it again. I’ll try my best to moderate it as soon as possible.

Panda Security Compatibility with Windows 7

October 23rd, 2009 Pedro Bustamante 15 comments

I'm happy to announce that fully Windows 7-compatible versions of all our consumer products and most of our corporate products have been released. You can download them from:

http://www.pandasecurity.com/windows7


Panda Security Days in Sweden 09

October 14th, 2009 Pedro Bustamante Comments off

Just as we did last year and in other years before that, last week we held our Panda Security Days in Sweden. This year we started in Malmö, followed by Gothenburg, and ended up in Stockholm. There were very good speakers from Panda presenting different topics: Cecilia Carlsdotter talked about Panda's corporate social responsibility initiatives; Sebastian Zabala talked about our different products and technologies; Daniel Nyström, Head of Tech Support in Sweden, talked about various support issues and presented his excellent team; Luis Corrons talked about the latest cyber-crime techniques, focusing on banking trojans and rogue antivirus; Petter Lautin talked about the different corporate objectives for Panda in Sweden; and lastly I talked about internal statistics of Collective Intelligence and other stuff we're working on.

As I know you'll be curious about this, here are some of the Collective Intelligence stats we presented during the talks:

25 TB          Size of the Collective Intelligence database
48 million     Files hosted by Collective Intelligence
80 million     Files analyzed by Collective Intelligence
61,000         New files received daily at Collective Intelligence
99.4%          Files processed automatically every day
150 GB         Size of the logs generated every day by Collective Intelligence
165 million    Files queried against Collective Intelligence every day
127 KB         Bandwidth usage of each Panda Cloud Antivirus agent every day

In addition to the interesting stats I'll also leave you with some pictures of this fun week in Sweden.
