Archive for May, 2008

Debian OpenSSL

May 27th, 2008 1 comment

From HDMoore, too good to pass out:


Categories: Fun Tags:

Fenomen(al) False Positives

May 19th, 2008 15 comments

One of the problems with automation of antivirus signature creation is that if a few AV vendors start detecting something as malicious, even with heuristics, "automagically" soon afterwards other AV vendors start doing the same without even checking if the file in question is in fact malicious or not, even going as far as creating specific signatures for it via automated systems.

An example of such a False Positive (FP) problem with automatic AV signature creation is the case of Fenomen Games (aka Gamecentersolution), by Legacy Interactive. Fenomen is a company that creates and distributes games. They do so via a bunch of "Game Downloaders" which basically allow users to choose and download different games on-the-fly. The problem is that these "Game Downloaders" have very similar characteristics to known "Trojan Downloaders", such as the runtime-packing and their behaviour (connecting to the Internet, downloading something, executing it and then exiting), so they naturally set off heuristic alarms like a christmas tree.

After manual analysis the only thing I found truly suspicious about it is the fact that we have over 200.000 different unique "Game Downloaders" from Fenomen Games in our Collective Intelligence database. The ones I checked are not malicious in any way nor do they do anything different than what they advertise (if you have evidence of the contrary please let me know). Fenomen seems pretty active from a partner/affiliate perspective and this could be the reason for the multitude of unique MD5's.

So let's look at detections by different AV engines. Most of the Fenomen Game Downloaders out of the 200.000 we have checked are detected by anywhere from 4 to almost 20 different AV engines:

The problem with these detections are not the "heuristic" detections but the signature detections. Normally (traditionally that is) a signature detection signifies a "100% known malicious" program. However in today's world where signatures are created automatically based on other criteria, False Positives are amplified and rolled-over to other engines freely.

Some statistics of detections per engine based on the 200.000 Fenomen Games Download samples we have (names have been omitted to protect the "innocent"):
       Scanner A               137.465 detections
       Scanner B               101.061 detections
       Scanner C                96.472 detections
       Scanner D                68.264 detections
       Scanner E                45.602 detections
       Scanner F                38.027 detections
       Scanner G                31.603 detections
       Scanner H                28.152 detections
And so on…

These include both heuristic and signature detections. All of the latter are false positives by very well known AV engines!

The other problem created by these "FPs generated by automated signature systems" is that, once considered malicious, samples of these FPs are included in regular "collection sharing packages" amongst different AV labs and, more importantly, independent research and testing organizations. These type of organizations, which rely on multi-scanners to classify their testbeds, should take good care of not falling into the same mistake. So the next time you see detection rates based on AV signatures published in a magazine or website, you should be asking yourselves "what" is truly being tested.

All in all, automation at the lab is an absolute must for any AV vendor that wants to keep up with the large volume of new incoming malware. However it is critical that these systems are well supervised, finetuned and backed by engineers who oversee the signatures generated automatically to avoid creating "fenomenal" false positive problems.

Categories: Heuristics, Malware Tags:

Anti-Rootkit Testing

May 16th, 2008 4 comments

DarkReading issued a note a few days ago titled "New Tests Show Rootkits Still Evade AV". These tests, originally performed by, are becoming more important every day as malware is making use of advanced rootkit and hiding techniques to evade detection by security solutions. This, of course, is not news to anyone.

What is news is the effectiveness of rootkit-based malware. It really doesn't make much of a difference if solution XYZ detects the most amount of malware using traditional AV signatures if it can't even "see" the malware which is hidden by a rootkit. Modern security solutions need not only count with advanced heuristics and behavioral analysis and blocking but must also be able to dig deeper into the Operating System or else fail to protect users correctly.

The results of the test are very satisfactory for Panda products, thanks mostly to the technology incorporated into our products which has been tested thoroughly by Panda Anti-Rootkit, specially by regular readers of this blog.

In the online-scanner portion of the anti-rootkit test we did pretty well, with the highest scores in both detection and removal of malware hidden by rootkits:

                                                                                Detection         Removal
Security ActiveScan 5.54.01                                26                      26
F-Secure Online Virus Scanner 3.2 Beta (1.0.64)            26                      23
Microsoft Windows Live Safety Scanner                         25                       8
Kaspersky Online Scanner                                            21                       0
Trend Micro HouseCall                                                  5                        1
BitDefender Online Scanner                                          3                        0


In the Windows Vista test we did pretty good as well:

Three AV tools had perfect scores, catching all active and
inactive rootkits as well as removing all of them: Norton Antivirus
2008; Panda Security Antivirus 2008 3.00.00; and F-Secure
Anti-Virus 2008 6.80.2610.0.


The test is available here for those who want to take a deeper look (look for "Anti-Stealth Fighters: Testing for Rootkit Detection and Removal", Virus Bulletin 04/2008). Again many thanks to the people who've helped us test and improve our anti-rootkit technology.

EDIT: Updated link to Papers section of AV-Test Website and F-Secure detection and removal rations (26/23 vs. 23/26).

Categories: News, Rootkits Tags:

New Malware Prevalence April 2008

Even though we get thousands of new malware samples in the lab every day, only a fraction of these make it in-the-wild actively infecting users. These are the most interesting samples for us as they're the ones we need to concentrate on the most. The vast majority of the times we catch these either by generic signatures, heuristics or TruPrevent behavioral analysis and blocking and through a variety of sensors such as our own products installed at users' PCs, online scanners or through correlation by our Collective Intelligence.

During the month of April we've seen a total of 6.809 unique samples actively circulating and infecting users. Out of the total malware seen in-the-wild, approximately 10% of the samples are completely new and not seen in previous months. Of this new malware 81% are non-replicating Trojans while the rest are self-replicating viral/worm code.

Following below is an overview of the prevalence statistics and family details broken down by type (non-replicating and self-replicating) and use of runtime packer or obfuscator.


New Non-Replicating Trojans

Let's take a look first at the new Trojans sighted this month. As usual adware/spyware leads the list with the largest number of variants being distributed. It's obvious that the return on investment is greatest with this type of malware as there are plenty of "marketing companies" out there that offer pay-per-install affiliate programs of their malware.

An interesting trends we're seeing lately is the increase in Banking Trojan activity. These are mostly distributed via Web Exploitation Kits and Trj/Downloaders. They are best represented this month by the Banker and Sinowal families.

The following table details the new non-replicating Trojans found in-the-wild with an indication of their prevalence, from * (seen on at least two unique computers) to ***** (massive distribution).

Prevalence	Name
**** Adware_Netproject
*** Spyware_Virtumonde
*** Adware_VideoAccessCodec
*** Adware_Netproject
*** Adware_NaviPromo
** Trj_Nabload.DEX
** Trj_Mitglieder.TJ
** Trj_Lineage.IGA
** Trj_Lineage.IDJ
** Trj_Lineage.IDE
** Trj_Lineage.HZI
** Trj_Downloader.TIN
** Trj_Downloader.THP
** Trj_Downloader.TCC
** Trj_dmRandom.TW
** Trj_Banker.KWQ
** Trj_Banker.KWP
** Trj_Banker.KWO
** Trj_Banker.KWH
** Malicious Packer
** Adware_WinReanimator
** Adware_VirusHeat
** Adware_VideoPlugin
** Adware_VideoAccessCodec
** Adware_VapSup
** Adware_UltimateDefender
** Adware_Suurch
* W32_Lineage.ICJ.worm
* Trj_Zlob.IF
* Trj_SysW.G
* Trj_Spammer.AHH
* Trj_Spammer.AHD
* Trj_Spamine.G
* Trj_Sinowal.VKF
* Trj_Sinowal.VKE
* Trj_Sinowal.VKB
* Trj_Sinowal.VJZ
* Trj_QQPass.BGT
* Trj_QQPass.BGN
* Trj_QQPass.BGM
* Trj_QQPass.BGL
* Trj_Nabload.DEU
* Trj_Nabload.DET
* Trj_Multidropper.RMN
* Trj_Mitglieder.TI
* Trj_Lineage.IFH
* Trj_Lineage.IFG
* Trj_Lineage.IFF
* Trj_Lineage.IFE
* Trj_Lineage.IFC
* Trj_Lineage.IFB
* Trj_Lineage.IEY
* Trj_Lineage.IEW
* Trj_Lineage.IEU
* Trj_Lineage.IEM
* Trj_Lineage.IDV
* Trj_Lineage.IDE
* Trj_Lineage.ICA
* Trj_Lineage.IAN
* Trj_Lineage.IAL
* Trj_Lineage.HTK
* Trj_Lineage.HNA
* Trj_Hosts.V
* Trj_Hosts.U
* Trj_Gamania.GS
* Trj_FireByPass.BP
* Trj_Exchanger.D
* Trj_Downloader.TME
* Trj_Downloader.TLU
* Trj_Downloader.TLL
* Trj_Downloader.TJR
* Trj_Downloader.TJF
* Trj_Downloader.TJE
* Trj_Downloader.TJA
* Trj_Downloader.TIL
* Trj_Downloader.TIK
* Trj_Downloader.THZ
* Trj_Downloader.THI
* Trj_Downloader.TEG
* Trj_Downloader.TDA
* Trj_Downloader.TCQ
* Trj_Downloader.TAU
* Trj_dmRandom.UB
* Trj_Dadobra.AOR
* Trj_Busky.DE
* Trj_BHO.AT
* Trj_Banker.KXI
* Trj_Banker.KWX
* Trj_Banker.KWV
* Trj_Banker.KWR
* Trj_Banker.KTU
* Trj_Banbra.FQI
* Trj_Banbra.FQB
* Trj_Banbra.FON
* Trj_Autorun.TS
* Trj_Autorun.JN
* Trj_Agent.IPR
* Trj_Agent.IPI
* Trj_Agent.IOH
* Trj_Agent.IOD
* Trj_Agent.IOB
* Spyware_Virtumonde
* Generic Malware
* Bck_Sdbot.LUN
* Bck_SDBot.LUF
* Bck_SDBot.LTW
* Bck_Sdbot.LTR
* Bck_PoisonIvy.U
* Bck_Oderoor.Q
* Bck_Oderoor.P
* Bck_LanMan.CN
* Bck_IRCBot.BYY
* Bck_IRCBot.BYO
* Bck_IRCBot.BYI
* Bck_IRCBot.BYH
* Bck_IRCBot.BXW
* Bck_IRCBot.BXU
* Bck_IrcBot.BXT
* Bck_IRCBot.BXL
* Bck_Hupigon.LAB
* Bck_Agent.IPD
* Bck_Agent.IOG
* Application_VirusHeat
* Application_SpyShredder
* Application_PCCleaner
* Adware_Zenosearch
* Adware_XXXHoliday
* Adware_WinSecureDisc
* Adware_WinReanimator
* Adware_WinIFixer
* Adware_WebHancer
* Adware_VirusIsolator
* Adware_VirusHeat
* Adware_VideoPorn
* Adware_VideoKeyCodec
* Adware_VapSup
* Adware_TopSpyware
* Adware_SpywareSoftStop
* Adware_SpyAway
* Adware_SecuritySystem
* Adware_SecurityError
* Adware_SearchVideo
* Adware_PCCleaner
* Adware_MalwareAlarm
* Adware_Lop
* Adware_ChristmasPorn
* Adware_BaiduBar
* Adware_AntiSpywareReview
* Adware_Alexa


New Self-Replicating Virus & Worms

Even though some security experts out there maintain that 'viruses are a thing of the past', the fact is that almost 20% of the new malware we see every month are self-replicating viruses and worms. This figure is not as high as it used to be years ago but it comes to prove that viruses are definitely not dead.

As with previous months, worms spreading through Instant Messaging such as the W32/MSN.worm and W32/MSNWorm lead the list by propagating via vulnerabilities and sending links to copies of itself to all IM contacts.

The prevalence, especially in corporate networks, of the particularly nasty W32/Virutas, is probably due to its effectiveness as a cavity, polymorphic, entry point obscuring and memory resident infector virus.

The remainder of the list is mostly made up by spam-spewing bots and game password stealers for World of Warcraft and Lineage.

As above, the following table details the new self-replicating viruses and worms found in-the-wild with an indication of their prevalence (* for low and ***** for massive distribution).

Prevalence	Name
*** W32_MSN.J.worm
*** W32_Lineage.HXI.worm
** W32_Nuwar.SS.worm
** W32_MSNWorm.EJ.worm
** W32_Lineage.IFX.worm
** W32_Lineage.IEN
** W32_Lineage.ICM.worm
** W32_Lineage.IBW.worm
** W32_Lineage.HZE.worm
** W32_Bagle.SR.worm
* W32_Wow.SI.worm
* W32_Virutas.AB
* W32_VBS.H.worm
* W32_VanBot.AE.worm
* W32_UsbStorm.K.worm
* W32_Thanks.B.worm
* W32_SundMan.A.worm
* W32_Spamta.AGD.worm
* W32_Sohanat.EX.worm
* W32_Sohanat.AS.worm
* W32_Socks.C.worm
* W32_Socks.B.worm
* W32_SDBot.LUI.worm
* W32_Sdbot.LUB.worm
* W32_SdBot.LTV.worm
* W32_Sdbot.LTT.worm
* W32_Sality.AA
* W32_QQRob.OS
* W32_Oscarbot.TK.worm
* W32_Nuwar.TC.worm
* W32_Nuwar.SV.worm
* W32_Nuwar.SR.worm
* W32_MSNworm.EK.worm
* W32_MSNworm.EI.worm
* W32_Mabezat.C
* W32_Lineage.IFI.worm
* W32_Lineage.IEZ.worm
* W32_Lineage.IEN.worm
* W32_Lineage.IEG.worm
* W32_Lineage.IDS
* W32_Lineage.IDR.worm
* W32_Lineage.IDI.worm
* W32_Lineage.ICT.worm
* W32_Lineage.ICO.worm
* W32_Lineage.ICL.worm
* W32_Lineage.ICJ.worm
* W32_Lineage.ICB
* W32_Lineage.IBZ.worm
* W32_Lineage.IBX.worm
* W32_IRCBot.BYQ.worm
* W32_IRCBot.BYL.worm
* W32_IRCBot.BYC.worm
* W32_IRCBot.BYB.worm
* W32_IRCBot.BYA.worm
* W32_Gaobot.QGN.worm
* W32_DengDun.A.worm
* W32_Brontok.JL.worm
* W32_Bagle.SN.worm
* W32_Autorun.TU.worm
* W32_Autorun.TK.worm
* W32_Agent.INI.worm
* W32_Agent.ILD.worm
* VBS_Sasan.A.worm


By Runtime Packers & Obfuscators

I've blogged quite a bit in previous occasions about the use of packers and obfuscators, especially in money-driven Trojans, in order to avoid detection by AV signature and emulator-driven heuristics.

One of the latest key trends to watch out for is the rapidly increasing use of 'private' purpose-made packers and multi-layered packers. Also especially worrying is the ever-increasing use of "virtualization obfuscators" such as EXECryptor and Themida. Our colleague from Sophos Boris Lau gave a very good speech last week at the CARO Workshop about promising strategies for dealing with these.

UPX		581
Upack 302
'Private' 150
FSG 101
PECompact 94
AS-Pack 88
EXECryptor 62
Themida 53
Multi-layer 38
Nspack 38
ASProtect 37
nPack 22
Adware_Lop 17
RLPack 16
PKLite32 14
tElock 14
UPolyX 13
Wsnpoem 11
Armadillo 8
MEW 11 SE 7
Thinstall 7
Expressor 6
Cexe 4
PolyCryptA 4
PE Crypt 3
Virtumonde 3
YodaProtect 3
DalKrypt 2
Molebox 2
PESpin 2
Petite 2
CryptFF.b 1
NiceProtect 1
DragonArmor 1
EPProt 1
Exe32pack 1
Kkrunchy 1
MaskPE 1
Morphine 1
NTKrnl 1
PCShrink 1
PEncrypt 1
RCryptor 1
RPCrypt 1
SDProtect 1
SimplePack 1
UltraProtect 1
WWPack32 1
yzpack 1
Categories: behavior analysis, Stats Tags: