AV-Test Q2-2010 Full Product Test Results

August 17th, 2010 Pedro Bustamante 9 comments

Finally the full report of the comprehensive Full-Product Test from German independent antivirus tester AV-Test.org is out.

Panda Internet Security has received excellent scores in all categories, accomplishing top rank along with two other vendors. According to Andreas Marx, CEO of AV-Test.org, “Panda Internet Security was one of only three products which was able to receive the highest scores during this exhaustive test which was performed over a period of 12 weeks“.

The Full-Product Test is a very extensive test which looks at many different aspects of a security solution:

  • Real-World Testing – protection against 0-day and web/email malware
  • Dynamic (Behaviour) Detection Testing – blocking of malware on execution
  • Detection of Large Malware Collection – testbed from last 3 months’ malware
  • Detection of Widespread Malware – based on WildList criteria
  • Repair and removal of widespread malware
  • Removal of malicious components and remediation of system modifications
  • Detection of hidden active rootkits
  • Removal of hidden active rootkits
  • Average slow-down of the computer
  • False positives during static on-demand scanning
  • False positives during dynamic on-access scanning

The complete report can be downloaded from the AV-Test.org website or from our server here.

Some additional comments from AV-Test.org regarding Panda Internet Security:

Panda Internet Security showed impressively high results for the static and dynamic detection of new malware.

The detection and removal of actively running stealth malware such as rootkits was no problem for Panda Internet Security, but it was for many other reviewed products.

We tested not only the protection against known and unknown malware, but also the removal of critters which had previously infected the system, and Panda Internet Security received 5.5 out of 6.0 possible points in these two categories, the highest scores achieved by a program during this exhaustive review.

Not only the protection against and removal of new malware was very high, but at the same time Panda Internet Security had less impact on the system from the usability point of view.

Panda SafeCD 4.4.3.0

June 7th, 2010 Pedro Bustamante 28 comments

We have finally released a new version (4.4.3.0) of the Panda SafeCD. This version includes the following new features over the previous one:

  • New graphical user interface
  • Update signature file from Internet, beta sig or from local PC
  • Ability to choose individual partitions for scans

You can download the new version from http://www.pandasecurity.com/resources/tools/SafeCD.iso

For those first-timers out there: once you download the ISO file, you need to burn it to a CD/DVD. Alternatively you can use something like UNetbootin to put it on a USB drive and boot from there.

Automated False Positives

June 2nd, 2010 Pedro Bustamante 5 comments

I’ve covered the impact that automated detection systems have on false positives in the past. Hispasec, the makers of VirusTotal, also talked about this issue in their blog post aptly named Antivirus Rumorology. More recently Kaspersky conducted an experiment during a press conference and showed a bunch of journalists how these false positives roll over from one vendor engine to the next. Of course, being journalists, they only took home the message “AV copies each other and mostly us”, as is shown in the articles published covering the event. Even though the objective of the experiment was put under scrutiny, the fact remains that this is an industry-wide problem and no single vendor is immune to its effects, not even Kaspersky, as we will see.

As some of the regular readers of this blog will probably remember, in March 2010 we published a “PandaCloudTestFile.exe” binary file to test the connectivity of Panda products with their cloud-scanning component, Collective Intelligence. This “PandaCloudTestFile.exe” is a completely harmless file that only tells the Panda products to query the cloud. Our cloud-scanning servers have been manually configured to detect this file as malicious, with the only objective of showing the end user that the cloud-scanning component of his/her product is working correctly.

Initially this file was only detected by Panda as Trj/CI.A (a Collective Intelligence detection) and Symantec’s Insight (noting that this is not a very common file, even though treating reputation alone as “suspicious” is by itself grounds enough for debate — maybe another future post).

Panda 10.0.2.2 2010.03.10 Trj/CI.A
Symantec 20091.2.0.41 2010.03.11 Suspicious.Insight

A few days later came the first problematic detection, this time from Kaspersky, who detected the “PandaCloudTestFile.exe” with a signature, specifically calling it a Bredolab backdoor. I call this detection problematic as it is clearly not a suspicious detection nor a reputation signature. It is also clearly an incorrect detection as the file in itself is not related in any way to Bredolab. Soon we will see why this Kaspersky signature is problematic.

Kaspersky 7.0.0.125 2010.03.20 Backdoor.Win32.Bredolab.djl

In the next few days some other AV scanners started detecting it as well, in many cases with the exact same Bredolab name.

McAfee+Artemis 5930 2010.03.24 Artemis!E01A57998BC1
Fortinet 4.0.14.0 2010.03.26 W32/Bredolab.DJL!tr.bdr
TheHacker 6.5.2.0.245 2010.03.26 Backdoor/Bredolab.dmb
Antiy-AVL 2.0.3.7 2010.03.31 Backdoor/Win32.Bredolab.gen
Jiangmin 13.0.900 2010.03.31 Backdoor/Bredolab.bmr
VBA32 3.12.12.4 2010.03.31 Backdoor.Win32.Bredolab.dmb

In the following month (April 2010) a number of new engines started detecting it, mostly under the Bredolab name we are now familiar with, although some new names started appearing as well (Backdoor.generic, Monder, Trojan.Generic, etc.).

a-squared 4.5.0.50 2010.04.05 Trojan.Win32.Bredolab!IK
AhnLab-V3 2010.04.30.00 2010.04.30 Backdoor/Win32.Bredolab
AVG 9.0.0.787 2010.04.30 BackDoor.Generic12.BHAD
Ikarus T3.1.1.80.0 2010.04.05 Trojan.Win32.Bredolab
CAT-QuickHeal 10.00 2010.04.12 Backdoor.Bredolab.djl
TrendMicro 9.120.0.1004 2010.04.03 TROJ_MONDER.AET
Sunbelt 6203 2010.04.21 Trojan.Win32.Generic!BT
VBA32 3.12.12.4 2010.04.02 Backdoor.Win32.Bredolab.dmb
VirusBuster 5.0.27.0 2010.04.17 Backdoor.Bredolab.BLU

And to top it all off, during this month of May 2010 the following engines started detecting “PandaCloudTestFile.exe” as well. Here we can even see a “suspicious” detection, probably the only one out of all of them that could make any sense.

Authentium 5.2.0.5 2010.05.15 W32/Backdoor2.GXIM
F-Prot 4.5.1.85 2010.05.15 W32/Backdoor2.GXIM
McAfee 5.400.0.1158 2010.05.05 Bredolab!j
McAfee-GW-Edition 2010.1 2010.05.05 Bredolab!j
Norman 6.04.12 2010.05.13 W32/Suspicious_Gen3.CUGF
PCTools 7.0.3.5 2010.05.14 Backdoor.Bredolab
TrendMicro-HouseCall 9.120.0.1004 2010.05.05 TROJ_MONDER.AET
ViRobot 2010.5.4.2303 2010.05.05 Backdoor.Win32.Bredolab.40960.K

It is worth noting that consumer products include other technologies, such as white-listing and digital certificate checks, which could prevent the file from being detected on the consumer endpoint. Still, the existence of a signature for such a file is a good indicator that it will probably be detected on the endpoint.

So why am I writing about all this? First of all, to emphasize the point I tried to make in the past: automated systems have to be maintained, monitored, tuned and improved so that more in-depth analysis is done through them, rather than relying so much on “rumorology”.

Secondly, to show that this is an industry-wide problem that results from having to deal with tens of thousands of new malware variants per day, and that no vendor is immune to it. What matters at the end of the day is that the automated systems are supervised and improved constantly to avoid false positives.

I can certainly understand why vendors point to their signatures being “rolled over” to other AV engines, but these same vendors should also take care so that they do not become the source of these “false positive rumors” in the first place.

UPDATE June 3rd, 2010: Reading Larry’s post over at securitywatch, it seems Kaspersky has reacted quickly and has removed their signature for the PandaCloudTestFile.exe file. Thanks Larry & Kaspersky!
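As an added example (not code from the post), the propagation documented above can be tracked mechanically: parse the scanner result lines, bucket each detection name as the intended cloud hit, a reputation-only verdict, or a named family, and record when each bucket first appeared. The Artemis check compares the hash prefix in the name with the MD5 published in the Panda Cloud Test File post; the sample rows are a constructed subset of the lines shown above.

```python
import re
from datetime import date

SCAN_LINES = """  # constructed subset of the engine/version/date/name result lines in the post
Panda 10.0.2.2 2010.03.10 Trj/CI.A
Symantec 20091.2.0.41 2010.03.11 Suspicious.Insight
Kaspersky 7.0.0.125 2010.03.20 Backdoor.Win32.Bredolab.djl
McAfee+Artemis 5930 2010.03.24 Artemis!E01A57998BC1
TrendMicro 9.120.0.1004 2010.04.03 TROJ_MONDER.AET
Norman 6.04.12 2010.05.13 W32/Suspicious_Gen3.CUGF
"""
TEST_FILE_MD5 = "E01A57998BC116134EE96B6D5DD88A13"  # MD5 published in the Panda Cloud Test File post
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4})\.(\d{2})\.(\d{2})\s+(\S+)$")


def parse_scan_lines(text):
    """Parse 'engine version yyyy.mm.dd name' lines into (engine, version, date, name) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            engine, version, y, mo, d, name = m.groups()
            rows.append((engine, version, date(int(y), int(mo), int(d)), name))
    return rows


def classify(name, md5=TEST_FILE_MD5):
    """Bucket a detection name: the intended cloud hit, reputation-only, or a named family."""
    upper = name.upper()
    if upper == "TRJ/CI.A":                       # the detection the test file is designed to trigger
        return "expected"
    if upper.startswith("ARTEMIS!"):              # hash reputation: the name carries an MD5 prefix
        prefix = upper.split("!", 1)[1]
        return "reputation" if md5.upper().startswith(prefix) else "other"
    if "SUSPICIOUS" in upper:
        return "reputation"
    for family in ("BREDOLAB", "MONDER"):         # the family names that rolled over between engines
        if family in upper:
            return "family:" + family.capitalize()
    return "other"


def first_seen(rows):
    """Date on which each detection class was first raised by any engine."""
    first = {}
    for _, _, when, name in rows:
        cls = classify(name)
        if cls not in first or when < first[cls]:
            first[cls] = when
    return first


def engines_per_month(rows):
    """Number of distinct engines that flagged the file in each calendar month."""
    seen = {}
    for engine, _, when, _ in rows:
        seen.setdefault(when.strftime("%Y-%m"), set()).add(engine)
    return {month: len(engines) for month, engines in seen.items()}
```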

AV Comparative Against Chinese Malware

May 10th, 2010 Pedro Bustamante 5 comments

As many of you already know, a large portion of today’s malware is created and/or distributed from China. With that in mind, the Chinese independent AV testing lab PC Security Labs has published a comparative study of AV detection of Chinese malware. The comparative can be downloaded from here in PDF format.

Panda Internet Security 2010 did fairly well in this test, ranking first in both detection and overall score:

The thing I like best about PCSL tests is that, unlike other tests out there, PCSL takes a unified look at the products tested. Not only does it look at static and dynamic (behavioural) detection, but also at static and dynamic false positives, combining everything into a single, unified, global score per product. Other tests only look at these different technologies separately from each other.

As some of you may remember, we started taking part in PCSL’s main AV tests in November 2008 and so far we’ve achieved an Excellent score in all the tests.

More info @ PC Security Labs website or at the main published report at http://article.pchome.net/content-1116841.html (Chinese only)

Vodafone distributes Mariposa – Part 2

March 17th, 2010 Pedro Bustamante 7 comments

It seems that my original post Vodafone distributes Mariposa botnet caught a lot of attention. It was very interesting to see the reactions from the different actors. On the one hand Vodafone called it an isolated incident, deleted all posts on their forum from users asking about the incident, and then two days later announced the end of life of the HTC Magic. On the other hand reactions from users all over the blogosphere ranged from applause for uncovering this to accusing us of making it up, along with the inevitable and always amusing Android vs. iPhone fanboy quarrels.

However it also caught the attention of an employee of a different IT security company here in Spain, S21Sec, which specializes in researching banking trojans & vulnerabilities. This guy had also purchased an HTC Magic directly from Vodafone’s official website the same week as my co-worker. He hadn’t connected the phone to his PC yet, but as soon as he saw the news he hurried back home, plugged it in via USB and scanned its memory card with both Malwarebytes and AVG Free. Lo and behold, Mariposa emerged again, in exactly the same way as in our original finding.

He immediately contacted us and was kind enough to send us the microSD card and allow us to connect to his PC to analyze what had happened. According to the dates of the files, it seems his Vodafone HTC Magic was loaded with the Mariposa bot client on March 1st, 2010 at 19:07, a little over a week before the phone was delivered to him directly from Vodafone.

This Mariposa botnet client is also loaded in the same hidden NADFOLDER directory. It is also named AUTORUN.EXE and will run automatically when the card is connected to a Windows machine unless you have autorun disabled (download USB Vaccine to disable autorun if you haven’t done so yet).

The Mariposa botnet client itself is exactly the same as reported last week, with the same nickname and same Command & Control servers.

00129953  |.  81F2 736C6E74  |XOR EDX,746E6C73 ; “tnls”

mx5.nadnadzz2.info
mx5.channeltrb123trb.com
mx5.ka3ek2.com

If these are not enough coincidences, there was also more malware in the SD card in addition to Mariposa. I also found a Win32/AutoRun worm in the following location of the phone’s card:

I:\RECYCLER\S-1-5-21-1254416572-1263425100-317347820-0350\system.exe

And for those conspiracy theorists amongst you (bless you!), the AV he had installed was not Panda but AVG.

So what conclusions can we draw from all this?

  • Vodafone stated it was an isolated incident, but that theory is losing ground as quick as you can say “p0wn3d”
  • Originally I had thought it was an issue with a specific refurbished phone as well. But having the exact same botnet client with the exact same characteristics, with such little time difference between the malware being loaded and delivered to the client and all happening during the same week, makes me think this might be a bigger problem, either with QA or with a specific batch of phones.
  • If you’re in Europe and you’ve purchased a HTC Magic from Vodafone a few weeks before or after March 1st 2010, I’d double-check my PC and my HTC’s microSD card if I were you.

The lesson to be learned here could be: either stop pre-loading malware into the phones or at least stop selling them to employees of IT security companies ;)

Panda Cloud Test File

March 9th, 2010 Pedro Bustamante 40 comments

Similar to the EICAR file, we have created a small “Cloud Test File” which can be used by testers and users to verify if their Panda product can successfully connect to the Collective Intelligence cloud-scanning servers.

The file PandaCloudTestFile.exe should be detected:

  • During HTTP download
  • On-Access
  • On-Demand

Download PandaCloudTestFile.exe. Its MD5 hash is E01A57998BC116134EE96B6D5DD88A13. Alternatively you can also download a password-protected RAR file with the EXE in it. The password is “panda”.

DISCLAIMER: This file is *not malicious*. If it is detected it simply means your Panda product can correctly connect to Collective Intelligence.

NOTE TO OTHER AV VENDORS: Please do not add detection for this file.

Vodafone distributes Mariposa botnet

March 8th, 2010 Pedro Bustamante 41 comments

Here is yet another example of a company distributing malware to its userbase. Unfortunately it probably won’t be the last.

Today one of our colleagues received a brand new Vodafone HTC Magic with Google’s Android OS. “Neat” she said. Vodafone distributes this phone to its userbase in some European countries and it seems affordable as you can get it for 0€ or 1€ under certain conditions.

The interesting thing is that when she plugged the phone into her PC via USB, her Panda Cloud Antivirus went off, detecting both an autorun.inf and an autorun.exe as malicious. A quick look into the phone revealed it was infected and spreading the infection to any and all PCs that the phone would be plugged into.

A quick analysis of the malware reveals that it is in fact a Mariposa bot client. This one, unlike the one announced last week which was run by the Spanish hacker group “DDP Team”, is run by some guy named “tnls”, as the botnet-control mechanism shows:

00129953  |.  81F2 736C6E74         |XOR EDX,746E6C73 ; “tnls”

The Command & Control servers which it connects to via UDP to receive instructions are:

mx5.nadnadzz2.info
mx5.channeltrb123trb.com
mx5.ka3ek2.com

Once infected you can see the malware “phoning home” to receive further instructions, probably to steal all of the user’s credentials and send them to the malware writer.

Interestingly enough, the Mariposa bot is not the only malware I found on the Vodafone HTC Magic phone. There’s also a Conficker and a Lineage password-stealing malware. I wonder who’s doing QA at Vodafone and HTC these days :(
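The two Vodafone posts (the one above and Part 2) describe the same card layout: an autorun.inf at the root that launches AUTORUN.EXE from the hidden NADFOLDER directory, plus a worm dropped under RECYCLER\S-1-5-21-…\system.exe. The following triage script is an added example, not code from the posts or from Panda; it assumes the autorun.inf uses the standard open= / shellexecute= keys (the posts do not show the file’s content) and builds a constructed fixture that mirrors the layout so it can be run offline.

```python
import os
import re
import tempfile
from configparser import ConfigParser

# Directory-name pattern for the RECYCLER\S-1-5-21-... location quoted in Part 2.
SID_DIR_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$", re.IGNORECASE)


def parse_autorun_inf(text):
    """Return the launch targets (open= / shellexecute= keys) from autorun.inf content."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    targets = []
    if section:
        for key in ("open", "shellexecute"):
            value = cp.get(section, key, fallback="").strip()
            if value:
                targets.append(value.split()[0])       # drop any command-line arguments
    return list(dict.fromkeys(targets))                # dedupe, keep order


def scan_removable_root(root):
    """Flag autorun launch targets and .exe files under RECYCLER\\S-1-5-21-*\\ on a mounted card."""
    findings = []
    inf = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf):
        with open(inf, encoding="utf-8", errors="replace") as fh:
            for target in parse_autorun_inf(fh.read()):
                local = os.path.join(root, *target.replace("\\", "/").split("/"))
                findings.append(("autorun-target", target, os.path.isfile(local)))
    recycler = os.path.join(root, "RECYCLER")
    if os.path.isdir(recycler):
        for sub in os.listdir(recycler):
            if SID_DIR_RE.match(sub):
                for name in os.listdir(os.path.join(recycler, sub)):
                    if name.lower().endswith(".exe"):
                        findings.append(("recycler-exe", "RECYCLER\\%s\\%s" % (sub, name), True))
    return findings


def build_fixture():
    """Constructed card layout mirroring the posts: NADFOLDER\\AUTORUN.EXE plus a RECYCLER worm."""
    root = tempfile.mkdtemp()
    sid = "S-1-5-21-1254416572-1263425100-317347820-0350"
    os.makedirs(os.path.join(root, "NADFOLDER"))
    os.makedirs(os.path.join(root, "RECYCLER", sid))
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[AutoRun]\nopen=NADFOLDER\\AUTORUN.EXE\nshellexecute=NADFOLDER\\AUTORUN.EXE\n")
    for rel in ("NADFOLDER/AUTORUN.EXE", "RECYCLER/%s/system.exe" % sid):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"placeholder bytes, not an executable")   # constructed stand-in
    return root
```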

Spam Honeypot Catch

February 3rd, 2010 Pedro Bustamante 4 comments

Last week I wrote about an Akismet modified plugin for WordPress which we are using as a blog comment spam honeypot. Recently the honeypot caught an interesting comment whose content was only a link to a website:
hxxp://krojamsoft.com/confickerwormremover.php (do not visit this link)

Basically this site is advertising a program that removes infections from the Conficker virus. It allows you to download the supposed “remover” but all this does is show you a window where you can enter the “removal registration key” and prompts you to buy a key for $19.

Of course the entire thing is just a fraud. If you happen to fall for it, the only thing this program does is to launch a real Conficker Remover from a well known antivirus company, which you can get for free anyway.

If you do happen to suspect having an infection, make sure to scan your PC with Panda ActiveScan or simply install Panda Cloud Antivirus Free Edition, Editor’s Choice for Best Free Antivirus.

Panda @ AV-Comparatives

January 26th, 2010 Pedro Bustamante 19 comments

After some years we have decided to participate again in the AV-Comparatives.org tests.

The main driver for this decision has been the evolution of the methodologies employed by AV-Comparatives. We are happy to see that cloud-scanning components of products are also tested and this of course is important for testing Panda products as they incorporate not only signature-based cloud-scanning but also cloud-heuristics.

We will participate in all the main tests of AV-Comparatives (On-Demand, Retrospective, False Positive, Malware Removal, etc.) as well as the new Whole-Product Test which is a very promising test which replicates user experience.

However, AV-Comparatives’ Retrospective Test (which consists of freezing a 2-week-old signature set and testing against new malware to see how good the heuristic engine is) still does not use the cloud-heuristics present in Panda products. Even though this methodology will penalize Panda’s products to some degree, we believe it is important to be present in the rest of the tests performed by AV-Comparatives.

Blog Comment Spam Honeypot

January 25th, 2010 Pedro Bustamante 6 comments

One of the most common vectors for distributing malware nowadays is spamming blogs with comments pointing to malicious sites that host exploits, malware, rogue antiviruses or other types of scams.

In order to analyze the huge volume of spam comments that come in through our various Panda blogs (PandaLabs, Panda Research, Panda Cloud Antivirus Blog, etc.), Iker from PandaLabs has developed a “blog comment spam honeypot”, which is basically a modified Akismet plugin for WordPress. The honeypot posts everything that Akismet detects as spam into an XML file, which is then processed; all links are followed to detect malware, exploits, drive-by downloads, etc.

If you have a WordPress blog and would like to install the honeypot to send your trapped spam to PandaLabs for analysis, simply download and install the blog comment spam honeypot.

Thanks to Iker for all his work on spam research.
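As an added example of the processing stage described above (not the plugin’s own code), this script takes a honeypot XML export, pulls every link out of the trapped comments, collapses near-duplicate URLs, ranks the hosts being pushed, and defangs them for a report in the hxxp:// style used in the Spam Honeypot Catch post. The plugin’s XML schema is not shown on the page, so the <spam>/<comment> elements and the author_url attribute are assumptions, and the sample is constructed.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of trapped comments; element names and the author_url attribute are assumed.
SAMPLE_XML = """<spam>
  <comment author_url="http://krojamsoft.com/">Conficker? try http://krojamsoft.com/confickerwormremover.php</comment>
  <comment author_url="">Nice post, see HTTP://KrojamSoft.com/confickerwormremover.php?ref=2#top</comment>
  <comment author_url="http://example.invalid/offer">cheap meds http://example.invalid/offer/</comment>
</spam>
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(xml_text):
    """Collect every URL from the author_url attribute and the body of each trapped comment."""
    urls = []
    for node in ET.fromstring(xml_text).iter("comment"):
        if node.get("author_url"):
            urls.append(node.get("author_url"))
        urls.extend(URL_RE.findall(node.text or ""))
    return urls


def normalise(url):
    """Lower-case scheme and host and drop the fragment so near-duplicates collapse."""
    p = urlsplit(url)
    return "%s://%s%s%s" % (p.scheme.lower(), p.netloc.lower(), p.path, "?" + p.query if p.query else "")


def defang(url):
    """Render a URL non-clickable for reports: http -> hxxp and dots in the host bracketed."""
    p = urlsplit(url)
    safe_prefix = p.scheme.replace("ttp", "xxp") + "://" + p.netloc.replace(".", "[.]")
    return url.replace(p.scheme + "://" + p.netloc, safe_prefix, 1)


def host_report(xml_text):
    """Return (hosts ranked by how many distinct trapped links point at them, defanged unique URLs)."""
    unique = list(dict.fromkeys(normalise(u) for u in extract_urls(xml_text)))
    hosts = Counter(urlsplit(u).netloc for u in unique)
    return hosts, [defang(u) for u in unique]
```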