Archive for December, 2006

Antimalware Engine Software Development Kit

December 22nd, 2006 1 comment

The Panda EngineAPI SDK consists of different PavAPI modules which you can use to integrate the anti-malware detection and disinfection engine into your product, platform, service, application or whatever else you can think of. It supports not only traditional viruses but also dialers, spyware, hacking tools, fake-From worms, keyloggers, password stealers, etc.

The main components are pavapi.dll and libpavapi.so for Win32 and Linux respectively. Your application calls this component, which in turn handles the rest of the EngineAPI components: it initializes the functions and handles the results. The only requirement is that, once integrated, all libraries must reside together in the same directory.

Some of the features, in addition to detection/disinfection, are file content filtering, file extension filtering, incremental updating and detection within packed and compressed formats (ZIP, ARJ, LHA, CAB, ZOO, ARC, LZOP, RAR, BZIP2, …), EXE packers (UPX, AsPack, PEPack, Petite, Telock, FSG, Crunch, WWWPack32, …) and other container formats such as DOC, PDF, TAR, Quake, RTF, CHM, etc.

The EngineAPI SDK supports our Genetic Heuristic Engine (GHE), which has lately been doing a pretty good job of detecting new malware samples based on the correlation of genetic similarities between PE files (content, calls, formats, properties, etc.). We're using GHE for File System, HTTP, SMTP, HTTPMAIL, POP3, NNTP, MAPI and IM protocol scanning.

It runs on all current Win32 platforms and some Linux distributions such as Red Hat, Debian, SuSE and Mandrake. We're pretty sure it runs on other distributions as well, but we haven't gone through thorough testing and QA control on them. Feedback on this is welcome.

Contact me if you want the installation package and we'll be more than happy to help you out with whatever project you have in mind.

UPDATE – March 13, 2007:
The SDK has been updated to version 5.04.03 to include the Panda Engine 1.4.3. Contact me for the new SDK package.

Categories: Utils Tags:

A very large malware honeynet

December 19th, 2006 Comments off

As of today approximately 4.5 million PCs are running a malware honeypot with Panda's behaviour-based Host Intrusion Prevention System (aka TruPrevent©). All these high-interaction malware honeypot nodes report to PandaLabs any new malware sample that TruPrevent© flags as malware and which is not detected by regular AV signatures.

The results are pretty interesting. Over 80% of the malware samples received at PandaLabs from our users now come from automated submissions from this honeynet. This also means that the number of unique samples received from users at PandaLabs has increased by about 700% over the last two years. It is worth noting that these are the most valuable samples we receive in the Lab, as they are real-life samples affecting real users, not private zoo collections that are not actively infecting anyone.

The following graph shows how the samples received at PandaLabs have evolved over time since we started deploying the HIPS honeynet to our users in mid-2004. Of course this graph excludes collections submitted by industry sharing and private researchers.

[Graph: PandaLabs Unique Samples]

Other interesting malware honeypot projects to watch out for are mwcollect and eEye.

Categories: behavior analysis, Malware, Stats Tags:

Rootkit cleaner

December 13th, 2006 10 comments

Rootkits are normally not visible to traditional AVs since they hide by installing themselves as kernel modules, installing low-level hooks and patching undocumented OS functions. Rootkits may not be malicious on their own, but they're used by hackers to hide utilities and malware, and we're seeing more malware samples every day that use rootkit technologies to hide their presence.

Panda AntiRootkit (Codename Tucan) shows hidden system resources, identifying known and unknown rootkits. Tucan analyzes the following system components:

- Hidden drivers
- Hidden processes
- Hidden modules
- Hidden files
- Hidden registry entries
- SDT modifications
- EAT hooks
- Modifications to the IDT
- Non-standard INT 2E
- Non-standard SYSENTER
- IRP hooks
- And more… 

Unlike other rootkit utilities which merely "reveal" hidden objects, Tucan positively identifies known and unknown rootkits and gives the option of removing them, including their associated registry entries, processes and files. 

Of course this is still alpha code so all typical disclaimers apply. We're not responsible if this breaks your machine so make sure to run it only on test systems. There's also a command-line version in case you're interested. Contact me privately for that.
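Several of the checks listed above (hidden processes, hidden files, hidden registry entries) rest on the same cross-view idea: enumerate the same objects through two paths that a rootkit would have to hook separately, and flag whatever shows up in one view but not the other. The following is an added example, not Tucan's code, that demonstrates this for processes; it assumes Linux for portability (Tucan itself targets Win32), taking the /proc directory listing that ps relies on as the high-level view and a direct kill(pid, 0) probe of every PID as the low-level view.

```python
"""Cross-view hidden-process check (added example, not Panda/Tucan code; assumes Linux).
High-level view: numeric entries of the /proc directory, which is what ps and top use.
Low-level view:  ask the kernel about every PID directly with kill(pid, 0).  A rootkit
that filters the listing must also hook the probe; PIDs alive there but absent from the
listing are reported as hidden.
"""
import os

def find_hidden(api_view, low_level_view) -> set[int]:
    """PIDs present in the low-level view but missing from the high-level one."""
    return set(low_level_view) - set(api_view)

def proc_listing() -> set[int]:
    """High-level view: process IDs as exposed by reading the /proc directory."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def is_thread_group_leader(pid: int) -> bool:
    """kill(pid, 0) also answers for thread IDs, which never appear in the /proc
    listing and would be false positives, so keep only leaders (Tgid == pid).
    If the kernel says the PID is alive but /proc/<pid>/status is unreadable,
    keep it too: that mismatch is itself suspicious."""
    try:
        with open(f"/proc/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return True
    return True

def probe_pids(max_pid: int = 0) -> set[int]:
    """Low-level view: every PID up to max_pid (default: kernel pid_max) the kernel answers for."""
    if not max_pid:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)            # signal 0: existence check, nothing is sent
        except ProcessLookupError:
            continue                   # no such process
        except PermissionError:
            pass                       # exists, owned by another user
        if is_thread_group_leader(pid):
            alive.add(pid)
    return alive

if __name__ == "__main__":   # a PID exiting between the two views is a false hit: re-run to confirm
    hidden = find_hidden(proc_listing(), probe_pids())
    print("hidden PIDs:", sorted(hidden) or "none")
```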

UPDATE 12/29/2006
We have just released Panda AntiRootkit (Codename Tucan) to public beta. Click here to download version 1.05.

UPDATE 4/2/2007
Panda AntiRootkit 1.06 has been released. Visit the updated Panda AntiRootkit page to find out more and download it.

UPDATE 9/11/2007
You can find the updated page for Panda Anti-Rootkit here.

Categories: Rootkits, Utils Tags:

Panda Engine

December 13th, 2006 21 comments

For those interested in a command-line version of the Panda Engine, here's one you can use. Especially interesting is the switch to turn the Genetic Heuristic Engine (GHE from now on) on or off. The most useful switches for scanning samples on disk are:

-nob      Do not scan boot sectors
-nos      Deactivate sounds
-cmp      Scan compressed files
-aex      Scan all extensions
-rpt:     Create report file (ex. -rpt:c:\pavcl\report.txt)
-heu:1    Activate heuristic scanning paranoid mode
-nomem    Do not scan memory

Here you can find the Win32 version 9.0.0.7 with advanced tracing and logging. Of course this is available for research purposes only. Contact me if you want the Linux version or wish to use this, with signature updates, for a not-for-profit public service.

Categories: Utils Tags:

Welcome to Panda Research

December 12th, 2006 Comments off

Welcome to Panda Research. It took us a while, but we've finally managed to go live. Here we'll be sharing our ideas and code on the proactive malware detection technologies we're developing. You'll have access to everything from conceptual ideas to alpha and beta code. Our objective is to share our views and receive feedback from you, the security research professional (click here if you don't know what a disassembler is). To read more about Panda Research click here.

Categories: News Tags:

About Panda Research

December 12th, 2006 Comments off

Among the creators of malware, fame and recognition are being replaced by economic motivations: they create malware to make money, the result being a very large increase in the number of malware samples released “in the wild”, malware which remains inconspicuously in computers belonging to unsuspecting users. These computers are then remotely controlled in order to launch spam from them, plant spyware in other computers or even to gather authentication credentials stored in those systems. This situation is leading to a less visible but more dangerous malware outbreak, or “silent epidemic” as we internally refer to it at Panda Software. This means that there are enormous amounts of new malware out there that users, and even security administrators at companies, are not aware of.

In order to combat this ever-changing malware landscape, traditional and reactive AV technologies are not enough to protect users. A new breed of proactive technologies needs to be developed that can tackle the problem at its root and effectively protect users against all the new kinds of malware, crimeware, targeted attacks and assorted crapware emerging on a daily basis.

With this landscape in mind Panda Research was created in 2003 with the sole purpose of researching and developing proactive technologies capable of dealing with this situation. Since then, successful proactive technologies such as TruPrevent Behavioural Analysis and Genetic Heuristic Engines have been developed and deployed to users worldwide, and have proven their success in protecting them from new and unknown malware with close to zero false positives and small resource footprints.

We continue advancing the state of proactive anti-malware technologies and now wish to make these advances available to leading security researchers. Via this Panda Research blog we are opening developer and research access to new ideas, code and technologies. Feel free to try these new technologies out, discuss them with us or simply drop us a note.

Pedro Bustamante
Senior Research Advisor
Categories: Uncategorized Tags: