Archive for the ‘Stats’ Category

Q2 2011 Test Results of Security Suites

July 20th, 2011

Recently both AV-Test.org and AV-Comparatives.org announced results for their dynamic real-world or whole-product tests. These tests try to replicate the user experience by introducing malware to the test machine in much the same way a regular user would encounter it and get infected. We are very proud of the results of Panda Internet Security 2011/2012, as they show consistency in providing top-quality detection and protection, ahead of better-known security vendors such as Symantec, Avast, AVG, ESET, Trend Micro, Microsoft, Webroot, etc.

AV-TEST REAL-WORLD TEST – Q2 2011 RESULTS

In the real-world test results for Q2 2011, Panda was one of only 4 vendors to achieve a score higher than 15 points.

AV-COMPARATIVES WHOLE-PRODUCT TEST – JUNE 2011

In the June 2011 test, Panda Internet Security achieved first place in "blocking" rate without requiring any user interaction, along with two other vendors.

'Tis the comparative season

April 25th, 2011

There have been a few comparative tests published of late. In case you've missed any of them, here's a quick rundown of the most significant ones.

First on the list are the Q1-2011 quarterly results of the Full Product Test (FPT) by AV-Test.org. These FPTs are performed on a monthly basis and are very in-depth, covering pretty much all aspects of modern security software and testing from the user's perspective by replicating infection vectors and user experience. The areas tested include real-time blocking of malicious websites, detection of relevant and active malware samples (zoo malware, and wildlist malware according to AV-Test.org's own wildlist criteria, not the limited WildList.org list), false positive testing, performance testing, disinfection testing, detection and disinfection of active rootkits, behaviour-based dynamic detection, dynamic false positives, and packer and archive support. Overall it is one of the most comprehensive regular tests out there. It's such a tough test that 5 out of the 22 vendors tested did not obtain the minimum score needed for certification. Panda Internet Security came out with very good scores and achieved certification. The report on Panda Internet Security can be found here (PDF) and the complete results for all vendors here.

Next in line are a couple of tests by AV-Comparatives.org. The first is the traditional On-Demand test from February 2011, which also tests false positives and the performance of the on-demand scanner. In this test Panda Antivirus Pro achieved the #4 rank in terms of malware detection. We still had 18 false positives which, even though they are of low prevalence according to AV-Comparatives.org, prevented us from achieving the Advanced+ certification. We're doing a lot of work to improve in this area. Panda Antivirus Pro also achieved the #2 rank in the performance test for scanning speed. The full report can be downloaded from the AV-Comparatives.org website here.

The second test by AV-Comparatives.org that has been published recently is the Whole-Product Test. Similar to the AV-Test.org Full Product Test, it tries to replicate the user experience by reproducing the infection vector. Unlike the AV-Test.org FPT, this one focuses only on malicious websites and behaviour-based dynamic detection. Panda Internet Security scored very well with a 98.8% protection index. More information can be found at the AV-Comparatives.org site here.

If you’re interested in these types of AV tests, make sure to vote on your favourite AV testing outfit in our open poll here. So far both AV-Comparatives and AV-Test are leading the pack.

Microsoft’s 6-year long open door to malware

March 9th, 2011

Microsoft has finally released an automatic update which disables AutoPlay for USB drives on all its Windows operating systems. Until now only Windows 7 disabled this functionality by default. With this update Microsoft finally puts a stop to one of the most common malware infection vectors of the last 6 years.

Let's quickly review the history of this functionality, which during 2010 has been said to account for 25% of malware infections worldwide and has been the source of quite a few embarrassments for many companies (examples here and here). But first some definitions:

AutoRun: a feature that automatically launches programs from removable media as soon as the media is mounted on the system. Under Windows the parameters of this auto-execution are defined in a file called autorun.inf located at the root of the removable media.
AutoPlay: introduced with Windows XP, it analyzes the removable media and, depending on the contents, launches a dialog window suggesting the most appropriate programs to open or play the content. If a default is chosen, the dialog window will not be shown again thanks to AutoRun and AutoPlay's "memory" of that choice.

Important milestones
  • In 2005 USB drives became popular and malware started using them to propagate.
  • Even three years after malware started actively using this method to infect customers, Microsoft refused to accept the reality of the problem and continued shipping AutoRun enabled by default in its Windows OSes. In 2008 Microsoft did add an option for disabling AutoRun via policies or manual registry entries, but the workaround provided did not work: even with AutoRun "disabled", users were still open to attack through the AutoRun infection vector.
  • In July 2008 Microsoft published MS08-038, which "fixed the broken fix", but this was only available via Windows Update for Windows Vista and Windows Server 2008. Instead of patching XP users as well, it left the problem unsolved in what some might consider a business strategy to sell more Vista licenses.
  • Towards the end of 2008 Conficker showed up, taking advantage of the AutoRun feature in a manner never seen before. It created an autorun.inf file whose content looked like garbage yet was fully functional. All the workarounds Microsoft had recommended to date via NoDriveTypeAutorun policies continued to be useless against malware exploiting AutoRun.
  • In early 2009, and due to Conficker's success, Microsoft corrected a bug (CVE-2009-0243) which fixed portions of the previous problem and was pushed out automatically to all Windows XP users. Amazingly it wasn't considered a "security patch" and has no associated Microsoft Bulletin. In addition the patch modified the behaviour of AutoRun and, once applied, created a new registry entry which had to be manually configured correctly. In effect AutoRun continued to be a problem for the vast majority of users.
  • In mid 2009 there seemed to be some light at the end of the tunnel: Microsoft decided to improve the security of AutoRun on writeable removable media by suppressing the AutoPlay dialog window for USB drives. However, this was only enabled by default under Windows 7. Windows XP users, still by far the most widely used platform, had to manually download and install KB971029. This move was effectively useless from the point of view of protecting XP users from malware infection. Again, some might consider this a business-driven decision to "keep security low in XP in order to drive sales of the more secure Windows 7".
  • In July 2010 Stuxnet shocked the world. It was able to propagate via USB drives without requiring an autorun.inf file, using a zero-day vulnerability in .LNK files which allowed code execution even with AutoRun and AutoPlay disabled; Microsoft promptly patched it.
  • Finally in February 2011 Microsoft decided to push an update to fix the problem for Operating Systems prior to Windows 7.
It has been a long and tedious road to get this wide-open door finally shut. The main question that comes to mind, given the technical simplicity of the fix, is "why wasn't this issue fixed before?". Why has Microsoft allowed its users to be easily infected by malware for years when the solution was readily available? Of course the real reasons might never see the light of day. Instead, arguments such as "improved usability and portability" will probably take the spotlight. But what about the security implications of the tens of millions of infections which have siphoned credentials, money and personal information from users during all these years?

As a side note, there are still many infected and unpatched machines out there, so be sure to apply the Microsoft patch and use something like USB Vaccine to provide an additional layer of protection.
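As an added example (not code from the original post, Hispasec or Microsoft), here is a defender-side PowerShell audit of the NoDriveTypeAutoRun policy mentioned in the milestones above and of the KB971029 update. It assumes, from Microsoft's documentation rather than from this post, that NoDriveTypeAutoRun is a bitmask over the Win32 drive-type constants (bit set = AutoRun disabled for that type, 0xFF = all types), and that the registry value the 2009 update introduced is named HonorAutoRunSetting and must be 1 for the mask to be honoured.

```powershell
# Added example, not from the original post: report which drive types the
# NoDriveTypeAutoRun policy still leaves open to AutoRun on this machine.
# Assumption: bit meanings follow the Win32 drive-type constants the mask is defined over.
$driveTypeBits = [ordered]@{
    0x01 = 'Unknown type'
    0x02 = 'No root directory'
    0x04 = 'Removable (USB stick, floppy)'
    0x08 = 'Fixed disk'
    0x10 = 'Network drive'
    0x20 = 'CD/DVD'
    0x40 = 'RAM disk'
    0x80 = 'Unrecognised type'
}

function Get-AutoRunPolicy {
    param([Parameter(Mandatory)][ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $path  = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    # Both properties are $null when the key or the value is absent.
    [pscustomobject]@{
        Hive                = $Hive
        NoDriveTypeAutoRun  = $props.NoDriveTypeAutoRun
        # Assumption: value name as documented by Microsoft for the 2009 update,
        # which the post describes but does not name.
        HonorAutoRunSetting = $props.HonorAutoRunSetting
    }
}

# Drive types whose bit is clear in the mask, i.e. types the policy still allows to AutoRun.
function Get-OpenDriveTypes {
    param([int]$Mask)
    foreach ($entry in $driveTypeBits.GetEnumerator()) {
        if (-not ($Mask -band $entry.Key)) { $entry.Value }
    }
}

function Test-AutoRunHardening {
    foreach ($hive in 'HKLM', 'HKCU') {
        $policy = Get-AutoRunPolicy -Hive $hive
        if ($null -eq $policy.NoDriveTypeAutoRun) {
            Write-Output "$hive : NoDriveTypeAutoRun not set (OS default applies)"
            continue
        }
        $mask = [int]$policy.NoDriveTypeAutoRun
        $open = @(Get-OpenDriveTypes -Mask $mask)
        $state = if ($open.Count -eq 0) { 'AutoRun disabled for all drive types (0xFF)' }
                 else { "still open to AutoRun: $($open -join ', ')" }
        Write-Output ('{0} : NoDriveTypeAutoRun=0x{1:X2}, {2}' -f $hive, $mask, $state)
        if ($policy.HonorAutoRunSetting -ne 1) {
            Write-Output "$hive : HonorAutoRunSetting is not 1, so the mask may not be honoured on systems with the 2009 update"
        }
    }
    # KB971029 is the optional XP/Vista update named in the post; Get-HotFix lists it if installed.
    if (Get-HotFix -Id 'KB971029' -ErrorAction SilentlyContinue) {
        Write-Output 'KB971029 is installed'
    } else {
        Write-Output 'KB971029 not listed by Get-HotFix (never installed, or superseded by a later update)'
    }
}

Test-AutoRunHardening
```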

NOTE: this post is based on the original published by Hispasec.

AV-Test.org 2010 Test Results

January 31st, 2011

The independent AV testing organization AV-Test.org recently released the latest results of its monthly "Full Product Tests". The Full Product Tests are a comprehensive look at anti-malware products' ability to protect end users in real-life situations. They cover three main areas of each product: Protection, Repair and Usability. Under each area there are multiple sub-tests, such as signature detection, behavioural or dynamic detection, etc. The detailed results are available at www.av-test.org/certifications.

In order to gain certification a product has to achieve a minimum score of 12. The results are very revealing, with many products reaching neither the minimum score nor the certification. We are happy to announce that in all 3 quarters in which AV-Test.org has conducted these tests, Panda Internet Security has achieved the certification.

On a related note, AV-Test.org recently surpassed the 50 million unique malicious sample mark. This is aligned with what our Collective Intelligence servers have analyzed and processed automatically, which is up to 146 million files (both good and bad files).

Blog Comment Spam Honeypot

January 25th, 2010

One of the most common vectors for distributing malware nowadays is spamming blogs with comments pointing to malicious sites that host exploits, malware, rogue antiviruses or other types of scams.

In order to analyze the huge volume of spam comments that come in through our various Panda blogs (PandaLabs, Panda Research, Panda Cloud Antivirus Blog, etc.), Iker from PandaLabs has developed a "blog comment spam honeypot", which is essentially a modified Akismet plugin for WordPress. The honeypot posts everything that Akismet detects as spam into an XML file, which is then processed; every link is followed to detect malware, exploits, drive-by downloads, etc.

If you have a WordPress blog and would like to install the honeypot to send your trapped spam to PandaLabs for analysis, simply download and install the blog comment spam honeypot.

Thanks to Iker for all his work on spam research.

First Independent Test of Panda Internet Security 2010

June 26th, 2009

As you may know, we released our Panda 2010 products yesterday. In addition to the traditional Panda Antivirus Pro 2010, Panda Internet Security 2010 and Panda Global Protection 2010, this year we've also released a tailor-made product for netbooks and ultra-portables called Panda Antivirus for Netbooks.

I just got word from Andreas Marx of AV-Test.org that they've put Panda Internet Security 2010 (PIS 2010) to the test today. Some conclusions from the test can be seen below, in Andreas' own words:

WildList Test. We started with a detection test against all samples from the most recent WildList 05/2009 and malware from older releases. Our test set includes 3,194 confirmed malicious and widespread samples. We tested the set with the on-demand scanner and on-access guard. In both cases, Panda was able to detect and remove these viruses, worms and bots easily.

Full Collection Test. We were able to test PIS 2010 against a larger set of about 680,000 malware samples, including ad- and spyware, trojan horses and other critters. It detected 99.6% of these files, without flagging any files in our false positive / clean file test set, which is a very good result.

TruPrevent Test. We have tested the dynamic (behaviour-based) detection with a few recently released malware samples which are not yet detected by heuristics, signatures or the "in the cloud" features and found that Panda warned in about 45% of the cases when we executed the malware sample. However, it only blocked and quarantined just a few of these tested samples. (More testing in this area needs to be performed to report statistically significant results.)

Disinfection Test. The detection and removal of an already infected PC was working properly: all active components were removed during the system repair process, and just in some cases registry keys belonging to the malware were left behind.

Rootkit Test. The detection and removal of actively running rootkits was quite impressive: all rootkits in our test were successfully identified and deleted.

As you may imagine, we're very happy about the results of this test and hope other independent tests come along soon that also validate the highest level of quality provided by our most advanced anti-malware solutions ever.

For detailed testing methodology (for rootkit detection and removal, system disinfection, dynamic detection, etc.) I recommend you visit AV-Test.org Papers selection.

Other advanced testing methodologies worth reading up on can also be found in AMTSO's Document Library.

Panda participates in new AV comparative

January 15th, 2009

A few months ago we started participating in a new AV comparative test from PC Security Labs called Total Protection Testing. It's a pretty cool test since, as opposed to other AV comparatives out there, PC Security Labs has a very interesting testing methodology that takes into consideration:

  • Freshness of malware samples. Only the newest samples from the previous month are tested, not year old samples.
  • Static detection using traditional signature files, very similar to what other AV comparative testers are doing.
  • Dynamic (behavioral) detection of malicious running processes. Only a handful of professional AV testers are doing this.
  • Cloud-based detection such as Panda's Collective Intelligence. As far as I know PCSL is the first AV tester with a methodology that takes this type of technology into account.
  • False positive testing. Global scores are lowered on each false positive.

All in all, a very complete testing methodology that gives a broad view of the global performance of different anti-malware solutions. It's no surprise that PC Security Labs has recently joined the Anti-Malware Testing Standards Organization (AMTSO).

I'm glad to report that Panda has achieved an "Excellent" score in each of the three tests we've participated in so far.

Total Protection Testing reports from PCSL can be downloaded directly from the following locations:

The tests are performed on a monthly basis, so make sure to visit PC Security Labs every now and then to get the latest results!


WildList, Virus Bulletin 100% and other battles

July 6th, 2008

There's been a lot of talk about the WildList lately. On one hand, Larry Seltzer criticized WildList-based certifications as not representative of reality and as a strain on antivirus products, which have to detect 10-year-old viruses. Some key comments from Larry:

“There is an extraordinary amount of malware that was making headlines in 2004, back in the heyday of the mail worm. There’s W32/BugBear.A-mm from 2002. Go all the way down to the bottom of the list and you’ll find W95/Spaces.1445 from 2000. Yes, that’s one of two Windows 95 viruses on the list.”

“It’s all self-replicating malware, viruses and worms. Research has shown for years that self-replicating malware is not the way people get infected anymore”

“But what if that most advanced product fails to detect W95/Dupator.1503, a Windows 95 virus? A black mark on their marketing which probably precludes them from certain bids. It’s nuts.”

On the other hand, Alex from Sunbelt reported on how Trend Micro decided to "boycott the WildList" by cancelling its participation in the Virus Bulletin 100% certification:

“The shocker was last Thursday, when it was reported that Trend Micro (following Panda’s lead) has decided to “boycott” the Wildlist.”

In Trend Micro’s own words:

“Testing is not done with an internet connection and it isn’t testing for things like rootkits. Pattern matching is now only one piece of puzzle, alongside behaviour blocking technology but pattern matching is all VB100 tests,”

Now, while I agree with almost all the arguments against the WildList (other than the argument against replicating viruses, which ARE still prevalent), it is not true that Panda decided to "boycott the WildList". In fact, in early 2007 we submitted a position paper to the ICSA AVPD (owners of WildList.org) titled "The Disconnect Between the WildList and Reality" (I'm releasing it now as it's one and a half years old), pinpointing the flaws of WildList-based certification and testing and proposing measures to correct the problem, such as:

* Change the WildList reporting criteria to include all types of malware, not only viruses
* Encourage current members to report based on these new criteria
* Release the updated WildList more rapidly
* Design a new certification scheme with extended participation from CERTs and others

These are some of the reasons we don't participate in the Virus Bulletin 100% WildList-based certification tests. I also know for a fact (even though I can't disclose details) that a lot is being done to improve the WildList.

Finally, as proof that Panda is not trying to "boycott the WildList", I gathered some statistics on the current WildList submissions from the January to May WildCore and Supplemental Lists.

Init   Reporter         Vendor         Jan   Feb   Mar   Apr   May  Total
-------------------------------------------------------------------------
Pa     Luis Corrons     Panda          824   734   670   618   405   3251
Tl/Za  Tony Lee         Microsoft      326   381   641  1035   387   2770
St     Stuart Taylor    Sophos         393   361   340   331   249   1674
Ao     Amyn Sachedina   Symantec       319   324   412   414   144   1613
Mt     Miroslav Trnka   Eset           266   227   206   206   201   1106
Sj     Sanjay Katkar    Quickheal      188   179   160   157   162    846
Mo     Martin Overton   Independent    142   134   123   124   119    642
Is     Jim Wu           IBM            119   118   111   113   112    573
Fn     Bryan Lu         Fortinet       141    32    31    79    76    359
Sr     Subramanya Rao   Proland         78    72    68    66    60    344
Ww     Martin Stecher   WebWasher       61    61    60    61    61    304
Ta     Tjark Auerbach   Avira           64    63    63    60    30    280
Jc     Luogang          Rising          37    35    36    33    29    170
Jy     Jamz Yaneza      Trend Micro     45    45    36    36     0    162
Ss     Szilard Stange   Virus Buster    36    32    31    31    29    159
So     SiHaeng Cho      Ahnlab          28    26    26    27    40    147
Id     Ken Dunham       Independent     24    22    22    24    22    114
Nl     Laura Hartmann   Anchiva         26    14    14    26     9     89
Ay     Allysa Myers     McAfee           1     1     0     0     0      2

The above figures cover only the self-replicating viruses submitted that actually make it onto the lists. Following our own proposal to expand the WildList, we also submit on a weekly basis many more non-replicating Trojans which do not make it onto the traditional WildList (see Malware Prevalence for April and May for details of what we submit).

I think it's obvious from the data that we're not trying to boycott the WildList. We're just trying to make certification testing meaningful and useful for consumers.


Malware Prevalence May 2008

June 16th, 2008

During the month of May we've seen a 346% growth over April in unique samples actively circulating and infecting users (23,550 samples in May vs. 6,809 in April). Out of the total seen In-The-Wild, only a portion are new and not seen in previous months, of which 78% are non-replicating while the rest are self-replicating viral/worm code. We encourage you to visit our Virus Encyclopedia to get detailed descriptions of each one of these.

New Replicating Malware

The ranking of new replicating viruses and worms this month is led by the W32/Lineage and W32/Autorun families. The latter consists of worms which replicate via USB devices and is the newcomer at the top of the list. Who said worms are dead? The rest, as usual, is made up of MSN worms, spammer bots and an old acquaintance, W32/Bagle, still making the rounds.

****     W32/Lineage
****     W32/Autorun
***      W32/Sdbot
***      W32/Nuwar
***      W32/Mandaph
***      W32/MSNWorm
**       W32/Spamta
**       W32/Socks
**       W32/Nahkos
**       W32/IRCBot
**       W32/Gaobot
**       W32/Bagle
**       VBS/Autorun
*        W32/Wow
*        W32/VB
*        W32/Rxbot
*        W32/ProxyServer
*        W32/Perwall
*        W32/Mailworm
*        VBS/Solow

New Non-Replicating Malware

On the Trojan front, we've seen a strong increase in infections by identity-theft Trojans (Sinowal, Banker, Agent, Dadobra, Banbra, etc.), while the pay-per-install adware/spyware affiliates are having a hard time maintaining their number one position. I guess it pays more to steal directly from consumers' bank accounts. The rest of the list is made up of spammer bots, rogue anti-spyware and other creatures.

****     Trj/Lineage
****     Adware/Netproject
***      Trj/dmRandom
***      Trj/Sinowal
***      Trj/QQpass
***      Trj/Nabload
***      Trj/Downloader
***      Trj/Banker
***      Trj/Autorun
***      Trj/Agent
***      Spyware/Virtumonde
***      Bck/IRCBot
***      Adware/VapSup
***      Adware/NaviPromo
**       Trj/Spambot
**       Trj/Ranky
**       Trj/Qhost
**       Trj/Dadobra
**       Trj/Buzus
**       Trj/Banbra
**       Trj/Agysteo
**       Generic Malware
**       Bck/Sdbot
**       Bck/Hamweq
**       Bck/Agent
**       Adware/VideoPlugin
**       Adware/BHO
*        Trj/WmaDownloader
*        Trj/VBbot
*        Trj/Spy
*        Trj/Spammer
*        Trj/Passwordstealer
*        Trj/Multidropper
*        Trj/Mitglieder
*        Trj/Killfiles
*        Trj/Dropper
*        Trj/DNSChanger
*        Trj/Clicker
*        Trj/Busky
*        Trj/BedeTres
*        Generic Trojan
*        Dialer
*        Bck/VBBot
*        Bck/Turkojan
*        Bck/Tiny
*        Bck/Peacomm
*        Bck/Nepoe
*        Bck/Hupigon
*        Bck/Gaobot
*        Bck/Dbot
*        Application/WinSpywareProtect
*        Application/VirusHeat
*        Adware/Zenosearch
*        Adware/Yazzle
*        Adware/WinSpywareProtect
*        Adware/WinReanimator
*        Adware/WinIFixer
*        Adware/WinAntiVirus2007
*        Adware/VirusRanger
*        Adware/VirusHeat
*        Adware/VideoKeyCodec
*        Adware/VideoAccessCodec
*        Adware/UltimateDefender
*        Adware/SecurityError
*        Adware/SearchPorn
*        Adware/RussiaPorn
*        Adware/PCCleaner
*        Adware/MalwareAlarm
*        Adware/Lop
*        Adware/Ivideo
*        Adware/BraveSentry
*        Adware/AntiSpywareShield
*        Adware/Alexa
*        Adware/AdvancedXPFixer
*        Adware/4Porn

New Malware Prevalence April 2008

Even though we get thousands of new malware samples in the lab every day, only a fraction of them make it in-the-wild, actively infecting users. These are the most interesting samples for us, as they're the ones we need to concentrate on the most. The vast majority of the time we catch them either by generic signatures, heuristics or TruPrevent behavioural analysis and blocking, through a variety of sensors such as our own products installed on users' PCs, online scanners, or through correlation by our Collective Intelligence.

During the month of April we've seen a total of 6,809 unique samples actively circulating and infecting users. Out of the total malware seen in-the-wild, approximately 10% of the samples are completely new and not seen in previous months. Of this new malware 81% are non-replicating Trojans while the rest are self-replicating viral/worm code.

Below is an overview of the prevalence statistics and family details, broken down by type (non-replicating and self-replicating) and by use of runtime packer or obfuscator.

New Non-Replicating Trojans

Let's first take a look at the new Trojans sighted this month. As usual, adware/spyware leads the list with the largest number of variants being distributed. It's obvious that the return on investment is greatest with this type of malware, as there are plenty of "marketing companies" out there that offer pay-per-install affiliate programs for their malware.

An interesting trend we're seeing lately is the increase in banking Trojan activity. These are mostly distributed via web exploitation kits and Trj/Downloaders. They are best represented this month by the Banker and Sinowal families.

The following table details the new non-replicating Trojans found in-the-wild with an indication of their prevalence, from * (seen on at least two unique computers) to ***** (massive distribution).

Prevalence	Name
**** Adware_Netproject
*** Spyware_Virtumonde
*** Adware_VideoAccessCodec
*** Adware_Netproject
*** Adware_NaviPromo
** Trj_Nabload.DEX
** Trj_Mitglieder.TJ
** Trj_Lineage.IGA
** Trj_Lineage.IDJ
** Trj_Lineage.IDE
** Trj_Lineage.HZI
** Trj_Downloader.TIN
** Trj_Downloader.THP
** Trj_Downloader.TCC
** Trj_dmRandom.TW
** Trj_Banker.KWQ
** Trj_Banker.KWP
** Trj_Banker.KWO
** Trj_Banker.KWH
** Malicious Packer
** Adware_WinReanimator
** Adware_VirusHeat
** Adware_VideoPlugin
** Adware_VideoAccessCodec
** Adware_VapSup
** Adware_UltimateDefender
** Adware_Suurch
* W32_Lineage.ICJ.worm
* Trj_Zlob.IF
* Trj_SysW.G
* Trj_Spammer.AHH
* Trj_Spammer.AHD
* Trj_Spamine.G
* Trj_Sinowal.VKF
* Trj_Sinowal.VKE
* Trj_Sinowal.VKB
* Trj_Sinowal.VJZ
* Trj_QQPass.BGT
* Trj_QQPass.BGN
* Trj_QQPass.BGM
* Trj_QQPass.BGL
* Trj_Nabload.DEU
* Trj_Nabload.DET
* Trj_Multidropper.RMN
* Trj_Mitglieder.TI
* Trj_Lineage.IFH
* Trj_Lineage.IFG
* Trj_Lineage.IFF
* Trj_Lineage.IFE
* Trj_Lineage.IFC
* Trj_Lineage.IFB
* Trj_Lineage.IEY
* Trj_Lineage.IEW
* Trj_Lineage.IEU
* Trj_Lineage.IEM
* Trj_Lineage.IDV
* Trj_Lineage.IDE
* Trj_Lineage.ICA
* Trj_Lineage.IAN
* Trj_Lineage.IAL
* Trj_Lineage.HTK
* Trj_Lineage.HNA
* Trj_Hosts.V
* Trj_Hosts.U
* Trj_Gamania.GS
* Trj_FireByPass.BP
* Trj_Exchanger.D
* Trj_Downloader.TME
* Trj_Downloader.TLU
* Trj_Downloader.TLL
* Trj_Downloader.TJR
* Trj_Downloader.TJF
* Trj_Downloader.TJE
* Trj_Downloader.TJA
* Trj_Downloader.TIL
* Trj_Downloader.TIK
* Trj_Downloader.THZ
* Trj_Downloader.THI
* Trj_Downloader.TEG
* Trj_Downloader.TDA
* Trj_Downloader.TCQ
* Trj_Downloader.TAU
* Trj_dmRandom.UB
* Trj_Dadobra.AOR
* Trj_Busky.DE
* Trj_BHO.AT
* Trj_Banker.KXI
* Trj_Banker.KWX
* Trj_Banker.KWV
* Trj_Banker.KWR
* Trj_Banker.KTU
* Trj_Banbra.FQI
* Trj_Banbra.FQB
* Trj_Banbra.FON
* Trj_Autorun.TS
* Trj_Autorun.JN
* Trj_Agent.IPR
* Trj_Agent.IPI
* Trj_Agent.IOH
* Trj_Agent.IOD
* Trj_Agent.IOB
* Spyware_Virtumonde
* Generic Malware
* Bck_Sdbot.LUN
* Bck_SDBot.LUF
* Bck_SDBot.LTW
* Bck_Sdbot.LTR
* Bck_PoisonIvy.U
* Bck_Oderoor.Q
* Bck_Oderoor.P
* Bck_LanMan.CN
* Bck_IRCBot.BYY
* Bck_IRCBot.BYO
* Bck_IRCBot.BYI
* Bck_IRCBot.BYH
* Bck_IRCBot.BXW
* Bck_IRCBot.BXU
* Bck_IrcBot.BXT
* Bck_IRCBot.BXL
* Bck_Hupigon.LAB
* Bck_Agent.IPD
* Bck_Agent.IOG
* Application_VirusHeat
* Application_SpyShredder
* Application_PCCleaner
* Adware_Zenosearch
* Adware_XXXHoliday
* Adware_WinSecureDisc
* Adware_WinReanimator
* Adware_WinIFixer
* Adware_WebHancer
* Adware_VirusIsolator
* Adware_VirusHeat
* Adware_VideoPorn
* Adware_VideoKeyCodec
* Adware_VapSup
* Adware_TopSpyware
* Adware_SpywareSoftStop
* Adware_SpyAway
* Adware_SecuritySystem
* Adware_SecurityError
* Adware_SearchVideo
* Adware_PCCleaner
* Adware_MalwareAlarm
* Adware_Lop
* Adware_ChristmasPorn
* Adware_BaiduBar
* Adware_AntiSpywareReview
* Adware_Alexa

New Self-Replicating Virus & Worms

Even though some security experts out there maintain that "viruses are a thing of the past", the fact is that almost 20% of the new malware we see every month is self-replicating viruses and worms. This figure is not as high as it used to be years ago, but it goes to prove that viruses are definitely not dead.

As with previous months, worms spreading through instant messaging, such as W32/MSN.worm and W32/MSNWorm, lead the list by propagating via vulnerabilities and sending links to copies of themselves to all IM contacts.

The prevalence, especially in corporate networks, of the particularly nasty W32/Virutas is probably due to its effectiveness as a cavity, polymorphic, entry-point-obscuring and memory-resident file infector.

The remainder of the list is mostly made up of spam-spewing bots and game password stealers for World of Warcraft and Lineage.

As above, the following table details the new self-replicating viruses and worms found in-the-wild with an indication of their prevalence (* for low and ***** for massive distribution).

Prevalence	Name
*** W32_MSN.J.worm
*** W32_Lineage.HXI.worm
** W32_Nuwar.SS.worm
** W32_MSNWorm.EJ.worm
** W32_Lineage.IFX.worm
** W32_Lineage.IEN
** W32_Lineage.ICM.worm
** W32_Lineage.IBW.worm
** W32_Lineage.HZE.worm
** W32_Bagle.SR.worm
* W32_Wow.SI.worm
* W32_Virutas.AB
* W32_VBS.H.worm
* W32_VanBot.AE.worm
* W32_UsbStorm.K.worm
* W32_Thanks.B.worm
* W32_SundMan.A.worm
* W32_Spamta.AGD.worm
* W32_Sohanat.EX.worm
* W32_Sohanat.AS.worm
* W32_Socks.C.worm
* W32_Socks.B.worm
* W32_SDBot.LUI.worm
* W32_Sdbot.LUB.worm
* W32_SdBot.LTV.worm
* W32_Sdbot.LTT.worm
* W32_Sality.AA
* W32_QQRob.OS
* W32_Oscarbot.TK.worm
* W32_Nuwar.TC.worm
* W32_Nuwar.SV.worm
* W32_Nuwar.SR.worm
* W32_MSNworm.EK.worm
* W32_MSNworm.EI.worm
* W32_Mabezat.C
* W32_Lineage.IFI.worm
* W32_Lineage.IEZ.worm
* W32_Lineage.IEN.worm
* W32_Lineage.IEG.worm
* W32_Lineage.IDS
* W32_Lineage.IDR.worm
* W32_Lineage.IDI.worm
* W32_Lineage.ICT.worm
* W32_Lineage.ICO.worm
* W32_Lineage.ICL.worm
* W32_Lineage.ICJ.worm
* W32_Lineage.ICB
* W32_Lineage.IBZ.worm
* W32_Lineage.IBX.worm
* W32_IRCBot.BYQ.worm
* W32_IRCBot.BYL.worm
* W32_IRCBot.BYC.worm
* W32_IRCBot.BYB.worm
* W32_IRCBot.BYA.worm
* W32_Gaobot.QGN.worm
* W32_DengDun.A.worm
* W32_Brontok.JL.worm
* W32_Bagle.SN.worm
* W32_Autorun.TU.worm
* W32_Autorun.TK.worm
* W32_Agent.INI.worm
* W32_Agent.ILD.worm
* VBS_Sasan.A.worm

By Runtime Packers & Obfuscators

I've blogged quite a bit on previous occasions about the use of packers and obfuscators, especially in money-driven Trojans, to avoid detection by AV signatures and emulator-driven heuristics.

One of the latest key trends to watch out for is the rapidly increasing use of 'private' purpose-made packers and multi-layered packers. Especially worrying is the ever-increasing use of "virtualization obfuscators" such as EXECryptor and Themida. Our colleague Boris Lau from Sophos gave a very good talk last week at the CARO Workshop about promising strategies for dealing with these.

Packer / obfuscator   Samples
UPX                       581
Upack                     302
'Private'                 150
FSG                       101
PECompact                  94
AS-Pack                    88
EXECryptor                 62
Themida                    53
Multi-layer                38
Nspack                     38
ASProtect                  37
nPack                      22
Adware_Lop                 17
RLPack                     16
PKLite32                   14
tElock                     14
UPolyX                     13
Wsnpoem                    11
Armadillo                   8
MEW 11 SE                   7
Thinstall                   7
Expressor                   6
Cexe                        4
PolyCryptA                  4
PUSH/RET                    4
PE Crypt                    3
Virtumonde                  3
YodaProtect                 3
DalKrypt                    2
Molebox                     2
PESpin                      2
Petite                      2
CryptFF.b                   1
NiceProtect                 1
DragonArmor                 1
EPProt                      1
Exe32pack                   1
Kkrunchy                    1
MaskPE                      1
Morphine                    1
NTKrnl                      1
PCShrink                    1
PEncrypt                    1
PEP                         1
RCryptor                    1
RPCrypt                     1
SDProtect                   1
SimplePack                  1
UltraProtect                1
WWPack32                    1
yzpack                      1