Archive for October, 2007

How to prevent zero day exploits

October 31st, 2007 Pedro Bustamante

With all the talk about the latest wave of PDF exploits in the wild,
proactive protection against vulnerabilities in common applications (MS
Office, Acrobat Reader, RealPlayer, WinAmp, Windows Media Player…) is proving
to be an effective way of protecting users. These proactive measures
allow the vast majority of users to be protected against any new 0-day
exploit without going bananas over whose vulnerability it is, where to
download the latest hotfix from, whether this hotfix will prevent future
similar vulnerabilities, or whether it will even introduce new ones.


But how can we achieve effective proactive protection against these vulnerabilities? Generic protections against buffer overflows, heap overflows, integer overflows and so on have to overcome serious technical difficulties.
We need to look for a different path when designing an effective proactive
solution for end users. At Panda we started a project on proactive
protection over 3 years ago which is now known under the commercial name
TruPrevent ("How TruPrevent Works" Part 1 and Part 2).
The second component of this technology was specifically designed to stop these types of
0-day exploits, protecting users from the very moment the exploit is
released and before the vulnerability is widely patched.


The main idea consists of establishing a behavioral profile for
software.

Basically, if we can establish which actions are legitimate and
which actions fall outside the normal behavior of an application, we can
detect potentially dangerous actions. You might think that establishing this
type of profile is complicated, but let's go over a few examples that,
while fairly simple, have allowed us to proactively block 100% of the
Microsoft Office and PDF exploits seen recently.


For example, how can we block 100% of the exploits against
Microsoft Office products?

If we review the malware that exploits vulnerabilities in Word, Excel,
PowerPoint, etc., we find a common behavior that occurs when the
vulnerability is exploited: the Microsoft Office application creates executable
code on the system. Now we should ask ourselves the following
question: is it really necessary for Word, Excel and PowerPoint to be able to create and launch executable code on the system? Is this not atypical
behavior for these types of applications?


Let's think about some more examples. Which applications really need to
execute cmd.exe?

Does Adobe Acrobat need to execute cmd.exe? NO.
Does Windows Media Player need to execute cmd.exe? NO.
Does RealPlayer need to execute cmd.exe? NO.

These are very simple examples, but they have demonstrated their
effectiveness against many vulnerabilities over the last few years. These types
of protections can be greatly enhanced with event correlation
logic, which establishes a baseline of application behavior across a sequence of
events, thereby avoiding the limitation of basing decisions only on individual
actions.
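The following is an added example of the behavioral-profile idea described above; it is not TruPrevent code and is not Panda's implementation. It assumes a hypothetical stream of endpoint events (a process launching a child, a process writing a file) and hypothetical per-application profiles of permitted child processes. Three rules are applied: a profiled application writing a PE file (the "MZ" header) is flagged, a profiled application launching cmd.exe or any child outside its profile is flagged, and, as the correlation step the text mentions, a profiled application launching a file it wrote earlier in the same stream is flagged as a drop-and-execute sequence. The event sample is constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Event:
    """One hypothetical endpoint event. kind is 'exec' (process creates a
    child) or 'write' (process writes a file). target is the child image path
    or the written file path; data holds the first bytes written."""
    seq: int
    kind: str
    process: str
    target: str
    data: bytes = b""


@dataclass(frozen=True)
class Alert:
    rule: str
    process: str
    detail: str


# Hypothetical behavior profiles (assumed for illustration): for each
# document or media application, the only child images it may launch.
DEFAULT_PROFILES: Dict[str, Set[str]] = {
    "winword.exe": {"splwow64.exe"},  # print helper, assumed as a legitimate child
    "excel.exe": set(),
    "powerpnt.exe": set(),
    "acrord32.exe": set(),
    "wmplayer.exe": set(),
    "realplay.exe": set(),
}


class BehaviorProfileEngine:
    """Allow-list profile engine with simple cross-event correlation."""

    def __init__(self, profiles: Optional[Dict[str, Set[str]]] = None) -> None:
        self.profiles = profiles if profiles is not None else DEFAULT_PROFILES
        self.dropped: Dict[str, Set[str]] = {}  # process -> PE files it has written
        self.alerts: List[Alert] = []

    def handle(self, ev: Event) -> Optional[Alert]:
        proc = ev.process.lower()
        if proc not in self.profiles:
            return None  # not a profiled application; the engine has no opinion
        alert = None
        if ev.kind == "write" and ev.data[:2] == b"MZ":
            # Rule 1: a document viewer has no business creating executable code.
            # Remember the path so a later launch of it can be correlated.
            self.dropped.setdefault(proc, set()).add(ev.target.lower())
            alert = Alert("exe-dropped", proc, ev.target)
        elif ev.kind == "exec":
            child = ev.target.lower()
            name = child.rsplit("\\", 1)[-1]
            if child in self.dropped.get(proc, set()):
                # Rule 3 (correlated): launching a file it just wrote is the
                # drop-and-execute pattern of an exploit payload.
                alert = Alert("drop-and-execute", proc, ev.target)
            elif name == "cmd.exe":
                # Rule 2: none of these applications need a command shell.
                alert = Alert("cmd-launch", proc, ev.target)
            elif name not in self.profiles[proc]:
                alert = Alert("unprofiled-child", proc, ev.target)
        if alert is not None:
            self.alerts.append(alert)
        return alert

    def scan(self, events: List[Event]) -> List[Alert]:
        for ev in sorted(events, key=lambda e: e.seq):
            self.handle(ev)
        return self.alerts


# Constructed sample stream: two benign Word events, a PDF reader dropping and
# running a payload, Excel spawning a shell, and an unprofiled process.
SAMPLE_EVENTS = [
    Event(1, "write", "WINWORD.EXE", "C:\\Users\\a\\report.docx", b"PK\x03\x04"),
    Event(2, "exec", "WINWORD.EXE", "C:\\Windows\\splwow64.exe"),
    Event(3, "write", "AcroRd32.exe", "C:\\Users\\a\\AppData\\Local\\Temp\\svc.exe", b"MZ\x90\x00"),
    Event(4, "exec", "AcroRd32.exe", "C:\\Users\\a\\AppData\\Local\\Temp\\svc.exe"),
    Event(5, "exec", "EXCEL.EXE", "C:\\Windows\\System32\\cmd.exe"),
    Event(6, "exec", "explorer.exe", "C:\\Windows\\System32\\cmd.exe"),
]


def run_sample() -> List[Alert]:
    """Run the engine over the constructed sample and return its alerts."""
    return BehaviorProfileEngine().scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.rule:18} {a.process:14} {a.detail}")
```

On the sample, events 1, 2 and 6 produce nothing (a saved document is not a PE file, the print helper is in Word's profile, and explorer.exe is not profiled), while events 3, 4 and 5 raise exe-dropped, drop-and-execute and cmd-launch respectively. The drop-and-execute alert is the one that only correlation can produce: neither the write nor the launch alone identifies the sequence.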


Why don't we block these behaviors by default?
But the big question is "who is we?" Who is responsible for
creating a safe computing environment that does not allow these types of
vulnerabilities to run wild and spread more malware with impunity?
Without getting into another finger-pointing war about whose fault it is (Adobe
has issued a patch even though it doesn't solve the underlying problem), "we" is the
entire computing industry, including OS and third-party vendors, not
only the anti-malware vendors. Fixing point problems (patches for individual
vulnerabilities) without attacking the root of the problem will continue to allow
malware to prevail.


(Screenshot: TruPrevent's Kernel Rule Engine proactively blocking a PDF exploit)

Thanks to Ismael Briones for his great contributions and continued work on vulnerability exploitation prevention.

Categories: Vulns, behavior analysis

Think you’re protected? Think again

October 17th, 2007 Pedro Bustamante

For many years the security industry has been saying that in order to be correctly protected, users should have an anti-malware and firewall solution installed and kept up to date with the latest signatures at all times. However, malware today is highly specialized in bypassing signature and heuristic detection and effectively infecting users. We all know that users with outdated signature databases are at risk. But what about users with completely up-to-date signature files? How protected or unprotected are they?

We have conducted two studies, one on consumer PCs and one on corporate networks, auditing over 1.5 million PCs and 1,200 networks respectively. We audited computers protected by products from over 40 different security vendors to see whether they were still at risk even when running the product's latest, up-to-date signature database.

Of the 1.5 million home PCs, only 37.45% were correctly protected, meaning an active anti-malware solution with the latest signature database. Of these protected PCs, 22.97% still had active malware infections. One could argue that the sample selection is biased, as people who scan their PCs already suspect that something is wrong. But even taking this important caveat into account, the results still indicate that a significant portion of PCs with correctly installed, up-to-date protection are infected by malware.

In the corporate study a total of 1,206 companies' networks were audited. These networks were protected by a variety of different security vendors, and in 69.34% of the cases they were correctly protected (active resident driver with the latest signature database). However, among the companies with more than 100 workstations audited, we found malware actively infecting computers in 71.79% of the networks.

Almost half of the infections were due to Trojans, rootkits, downloaders, spyware, bots and banking Trojans. There is also a large portion of adware infections, as it is usual to see trojanized or botted machines also hosting adware or rogue anti-spyware. We believe this has a lot to do with how malware writers make money through pay-per-install of unwanted programs on compromised machines.

We used a very restrictive definition of infection for the purposes of these studies. Only malware actively running in memory was counted as an infection. Latent malware, i.e. malware quietly stored in a .PST file or a hard disk directory, tracking cookies and joke programs were not counted as infections.

The objective of this study is to show that anti-malware, and even complete HIPS solutions, are not enough to protect against today's threats. New approaches to proactive protection, such as runtime behavioral analysis and telemetry from the community, are absolutely necessary layers in order to protect customers more effectively and efficiently.

The complete study can be downloaded from here.

Categories: Malware, Stats, behavior analysis

2007 Proactive Malware Detection Report

October 16th, 2007 Pedro Bustamante

After working so hard it's difficult to keep it to ourselves, so it's time for a little blatant self-promotion. SuspectFile.com, a well-known malware support forum in Italy, has recently finished its 2007 AV Report (Italian / English), focusing on proactive detection, via generic signatures and heuristics, of undetected malware samples found infecting user machines in the wild. In its review of 25 different vendors, it had this to say about our engine:

Panda. Nothing has changed since last year: it was and remains the top product. The best. If we want to trust in a safe product, this is what every kind of user needs, expert or not. First in heuristics, and we found no false positives. The proactive defense is what impressed us the most. During the last 5 years, this product has made giant leaps. The user/vendor relationship is really the "icing on the cake". Absolutely recommended product.

There are other similar studies, like the one CastleCops MIRT
runs in real time, but what I liked about this study is that it gives a
clearer picture, as it also takes into consideration engine speed and the false positives thrown by the different heuristic engines.

Keep up the good work Marco & Lucass!!

Categories: Heuristics, Stats

Windows Vista spotted in-the-wild

October 8th, 2007 Pedro Bustamante

I just read an interesting post by Alex about the adoption of Windows Vista. We recently finished a three-month research study to discover infection rates at 1,206 medium-sized companies worldwide by performing a malware audit on them. The following are the OS statistics for all the workstations audited. It's interesting to note that Windows Vista is used on less than 1% of all the workstations audited.

Windows XP Professional SP2 65.94%
Windows 2000 SP4 17.93%
Windows Server 2003 SP1 4.01%
Windows XP Professional SP1 3.91%
Windows 2000 Server SP4 2.46%
Windows Server 2003 SP2 2.24%
Windows Vista 0.92%
Windows 2000 SP3 0.57%
Windows XP Home Edition SP2 0.47%
Windows XP Professional 0.43%
Windows 2000 SP2 0.23%
Windows NT 4.0 Server SP6 0.13%
Windows 98 Second Edition 0.06%
Other 0.70%

Last week I had a series of talks with medium and large companies in Sweden (Stockholm, Göteborg and Malmö) and asked how many workstations in their networks ran Windows Vista. The answers are very much in line with the stats above.

And finally, to correlate with Alex's post, here are the visitor OS statistics for our main site www.pandasecurity.com:

Windows XP 86.1%
Windows Vista 5.9%
Media Center 2005 3.0%
Windows 2000 2.2%
Windows 98 1.2%
Windows ME 0.6%
Windows Server 2003 0.5%
Linux 0.3%
Macintosh 0.1%
Macintosh (iPhone) 0.0%
Media Center 2004 0.0%
Windows NT 0.0%
Windows 95 0.0%
Windows 3.x 0.0%
Categories: Stats