Recently both AV-Test.org and AV-Comparatives.org have announced respective results for their dynamic real-world or whole-product tests. Basically these AV tests try to replicate user experience by introducing malware to the test machine in pretty much the same way a regular user would encounter malware and get infected. We are very proud of the results of Panda Internet Security 2011/2012 as it shows consistency in providing top quality detection and protection, on top of better known security vendors such as Symantec, Avast, AVG, ESET, Trend Micro, Microsoft, Webroot, etc.

AV-TEST REAL-WORLD TEST – Q2 2011 RESULTS

In this real-world test results for Q2 2011 Panda was one of only 4 vendors to achieve a score higher than 15 points.

AV-COMPARATIVES WHOLE-PRODUCT TEST – JUNE 2011

In the June 2011 test Panda Internet Security achieved the first place in “blocking” rate without requiring any user interaction along with two other vendors.

There’s been a few comparative tests published as of late. In case you’ve missed any of them here’s a quick rundown of the most significant ones.

First on the list are the Q1-2011 quarterly results of the Full Product Test (FPT)  by AV-Test.org. These FPT’s are performed on a monthly basis and are very in-depth, covering pretty much all aspects of a modern security software and testing from a users’ perspective by replicating infection vectors and user experience. The areas tested include real-time blocking of malicious websites, detection of relevant and active malware samples (zoo malware, wildlist malware according to AV-Test.org criteria of wildlist, not the limited WildList.org list), false positive testing, performance testing, disinfection testing, detection and disinfection of active rootkits, behaviour-based dynamic detection, dynamic false positives and packing and archive support. Overall one of the most comprehensive regular tests out there. It’s such a tough test that 5 out of the 22 vendors tested did not obtain the minimum score to achieve certification. Panda Internet Security came out with very good scores and achieved certification. The report on Panda Internet Security can be found here (PDF) and the complete results for all vendors here.

Next in line are a couple of tests by AV-Comparatives.org. The first one is the traditional On-Demand test from February 2011 which also tests false positives and performance of the on-demand scanner. In this test Panda Antivirus Pro achieved the #4 rank in terms of malware detection. We still had 18 false positives that, even though are of low prevalence according to AV-Comparatives.org, prevented us from achieving the Advanced+ certification. We’re doing a lot of work in improving in this area. Panda Antivirus Pro also achieved the #2 rank in the performance test for scanning speeds. The full report can be downloaded from the AV-Comparatives.org website here.

The second test by AV-Comparatives.org that has been published recently is the Whole-Product Test. Similar to the AV-Test.org Full Product Test, this test tries to test user experience by replicating the infection vector. Unlike the AV-Test.org FPT, this one focuses only on malicious websites and behaviour-based dynamic detection. Panda Internet Security scored very good with a 98.8% protection index. More information can be found at the AV-Comparatives.org site here.

If you’re interested in these types of AV tests, make sure to vote on your favourite AV testing outfit in our open poll here. So far both AV-Comparatives and AV-Test are leading the pack.

The independent AV testing organization AV-Test.org recently released the last results of its monthly “Full Product Tests”. The Full Product Tests are a comprehensive look at anti-malware products’ ability to protect end users in real-life situations. It covers three main areas of each product: Protection, Repair and Usability. Under each area there are multiple sub-tests, such as signature detection, behavioural or dynamic detection, etc. The detailed results are available at www.av-test.org/certifications.

In order to gain certification a product has to achieve a minimum score of 12 or above. The results are very revealing, with many products not reaching the mininum score nor the certification. We are happy to announce that in the 3 quarters that AV-Test.org has conducted these tests, Panda Internet Security has achieved the certification in all cases.

On a related note, AV-Test.org recently surpassed the 50 million unique malicious sample mark. This is aligned with what our Collective Intelligence servers have analyzed and processed automatically, which is up to 146 million files (both good and bad files).

One of the most common vectors for distributing malware nowadays is spamming blogs with comments pointing to malicious sites that host exploits, malware, rogue antiviruses or other types of scams.

In order to analyze the huge volume of spam comments that come in through our various Panda Blogs (PandaLabs, Panda Research, Panda Cloud Antivirus Blog, etc.) Iker from PandaLabs has developed a “blog comment spam honeypot” which is basically a modified Akismet plugin for WordPress. The honeypot basically posts everything that Akismet detects as spam into an XML which is then processed and all links are followed to detect malware, exploits, drive-by downloads, etc.

If you have a wordpress blog and would like to install the honeypot to send your trapped spam to PandaLabs for analysis, simply download and install the blog comment spam honeypot.

Thanks to Iker for all his work on spam research.

As you may know we released our Panda 2010 products yesterday. In addition to the traditional Panda Antivirus Pro 2010, Panda Internet Security 2010 and Panda Global Protection 2010, this year we've also released a tailor-made product for netbooks and ultra portables called Panda Antivirus for Netbooks.

I just got word from Andreas Marx from AV-Test.org that they've put Panda Internet Security 2010 (PIS 2010) to the test today. Some conclusions from the test can be seen below, using Andreas' own words:

WildList Test.  We started with a detection test against all samples from the most recent WildList 05/2009 and malware from older releases. Our test set includes 3,194 confirmed malicious and widespread samples. We tested the set with the on-demand scanner and on-access guard. In both cases, Panda was able to detect and remove these viruses, worms and bots easily.

Full Collection Test. We were able to test PIS 2010 against a larger set of about 680,000 malware samples, including ad- and spyware, trojan horses and other critters. It detected 99.6% of these files, without flagging any files in our false positive / clean file test set, which is a very good result.

TruPrevent Test.  We have tested the dynamic (behaviour-based) detection with a few recently released malware samples which are not yet detected by heuristics, signatures or the "in the cloud" features and found that Panda warned in about 45% of the cases when we executed the malware sample. However, it only blocked and quarantined just a few of these tested samples. (More testing in this area needs to be performed to report statistically significant results.)

Disinfection Test. The detection and removal of an already infected PC was working properly, all active components were removed during the system repair process and just in some cases, registry keys belonging to the malware were left behind.

Rootkit Test. The detection and removal of actively running rootkits was quite impressive: all rootkits in our test were successfully identified and deleted.

As you may imagine we're very happy about the results of this test and hope other independent tests come along soon that also validate the highest level of quality provided by our most advanced ever anti-malware solutions.

For detailed testing methodology (for rootkit detection and removal, system disinfection, dynamic detection, etc.) I recommend you visit AV-Test.org Papers selection.

Other advanced testing methodologies worth reading up on can also be found at ATMSO's Document Library.

Since a few months ago we've started participating in a new AV comparative test from PC Security Labs called Total Protection Testing. It's a pretty kewl test since, as opposed to other AV comparatives out there, PC Security Labs has a very interesting testing methodology that takes into consideration:

• Freshness of malware samples. Only the newest samples from the previous month are tested, not year old samples.
• Static detection using traditional signature files, very similar to what other AV comparative testers are doing.
• Dynamic (behavioral) detection of malicious running processes. Only a handful of professional AV testers are doing this.
• Cloud-based detection such as Panda's Collective Intelligence. As far as I know PCSL is the first AV tester with a methodology that takes this type of technology into account.
• False positive testing. Global scores are lowered on each false positive.

All-in-all a very complete testing methodology that gives a broad view of the global performance of different anti-malware solutions. It's no surprise that PC SecurityLabs has recently joined the AntiMalware Testing Standards Organization (AMTSO).

I'm glad to report that Panda has achieved an "Excellent" score in each of the three tests we've participated in so far.

Total Protection Testing reports from PCSL can be downloaded directly from the following locations:

• PC SecurityLabs Total Protection Testing 2008/11 
• PC SecurityLabs Total Protection Testing 2008/12
• PC SecurityLabs Total Protection Testing 2009/01

The tests are performed on a monthly basis, so make sure to visit PC Security Labs every now and then to get the latest results!

There’s been a lot of talk about the WildList lately. On one hand Larry Seltzer criticized the WildList based certifications as not representative of reality plus a strain on antivirus products by having to detect 10 year old viruses. Some key comments from Larry:

“There is an extraordinary amount of malware that was making headlines in 2004, back in the heyday of the mail worm. There’s W32/BugBear.A-mm from 2002. Go all the way down to the bottom of the list and you’ll find W95/Spaces.1445 from 2000. Yes, that’s one of two Windows 95 viruses on the list.”

“It’s all self-replicating malware, viruses and worms. Research has shown for years that self-replicating malware is not the way people get infected anymore”

“But what if that most advanced product fails to detect W95/Dupator.1503, a Windows 95 virus? A black mark on their marketing which probably precludes them from certain bids. It’s nuts.”

On the other hand Alex from Sunbelt reported on how Trend Micro decided to “boycott the WildList” by cancelling its participation in the Virus Bulletin 100% certification:

“The shocker was last Thursday, when it was reported that Trend Micro (following Panda’s lead) has decided to “boycott” the Wildlist.”

In Trend Micro’s own words:

“Testing is not done with an internet connection and it isn’t testing for things like rootkits. Pattern matching is now only one piece of puzzle, alongside behaviour blocking technology but pattern matching is all VB100 tests,”

Now, while I  agree with almost all the arguments against the WildList (other than the argument against replicating viruses, which ARE still prevalent), it is not true that Panda decided to “boycott the WildList”. In fact early 2007 we submitted a position paper to the ICSA AVPD (owners of WildList.org) titled “The Disconnect Between the WildList and Reality” (I’m releasing it now as it’s one and a half years old), pinpointing the flaws of WildList-based certification and testing and proposing measures to correct the problem, such as:

* Change the WildList reporting criteria to include all types of malware, not only viruses
* Encourage current members to report based on these new criteria
* Release the updated WildList more rapidly
* Design a new certification scheme with extended participation from CERTs and others

These are some of the reasons we don’t participate in Virus Bulletin 100% WildList-based certification tests. Now I know for a fact (even though I can’t disclose details about it) that there’s a lot being done to improve the WildList.

Finally and as proof that Panda is not trying to “boycott the WildList”, I gathered some statistics for the current WildList submissions from the January to May WildCore and Supplemental Lists.

 Init	Reporter 	Vendor		Jan	Feb	Mar	Apr	May	Total 
==================================================================================== 
Pa	Luis Corrons	Panda 		824	734	670	618	405	3251 
Tl/Za	Tony Lee	Microsoft	326	381	641	1035	387	2770 
St	Stuart Taylor	Sophos		393	361	340	331	249	1674 
Ao	Amyn Sachedina	Symantec	319	324	412	414	144	1613 
Mt	Miroslav Trnka	Eset		266	227	206	206	201	1106 
Sj	Sanjay Katkar	Quickheal	188	179	160	157	162	846 
Mo	Martin Overton	Independent	142	134	123	124	119	642 
Is	Jim Wu		IBM		119	118	111	113	112	573 
Fn	Bryan Lu	Fortinet	141	32	31	79	76	359 
Sr	Subramanya Rao	Proland		78	72	68	66	60	344 
Ww	Martin Stecher	WebWasher	61	61	60	61	61	304 
Ta	Tjark Auerbach	Avira		64	63	63	60	30	280 
Jc	Luogang		Rising		37	35	36	33	29	170 
Jy	Jamz Yaneza	Trend Micro	45	45	36	36	0	162 
Ss	Szilard Stange	Virus Buster	36	32	31	31	29	159 
So	SiHaeng Cho	Ahnlab		28	26	26	27	40	147 
Id	Ken Dunham	Independent	24	22	22	24	22	114 
Nl	Laura Hartmann	Anchiva		26	14	14	26	9	89 
Ay	Allysa Myers	McAfee		1	1	0	0	0	2

The above figures are only the self-replicating viruses submitted that actually make it to the lists. Following our own proposal of expanding the WildList, we also submit on a weekly basis many more non-replicating Trojans which do not make it to the traditional WildList (see Malware Prevalence for April & May for details of what we submit).

I think it’s obvious from the data that we’re not trying to boycott the WildList. We’re just trying to make certification testing meaningful and useful for consumers.

During the month of May we've seen a 346% growth over April of unique samples
actively circulating and infecting users (23.550 samples in May vs. 6.809 in April). Out of the total seen
In-The-Wild only a portion are new and
not seen in previous months, of which 78% are
non-replicating while the rest are self-replicating viral/worm
code. We encourage you to visit our Virus Encyclopedia to get detailed descriptions of each one of these.
 
New Replicating Malware

The ranking of new replicating viruses and worms this month is led by the W32/Lineage and W32/Autorun families. This last one consists of worms which replicate via USB devices and is the newcomer to the top of the list. Who said worms are
dead? The rest as usual is made up of MSN worms, spammer bots and an old acquaintance W32/Bagle still making the rounds.

****     W32/Lineage
****     W32/Autorun
***      W32/Sdbot
***      W32/Nuwar
***      W32/Mandaph
***      W32/MSNWorm
**       W32/Spamta
**       W32/Socks
**       W32/Nahkos
**       W32/IRCBot
**       W32/Gaobot
**       W32/Bagle
**       VBS/Autorun
*        W32/Wow
*        W32/VB
*        W32/Rxbot
*        W32/ProxyServer
*        W32/Perwall
*        W32/Mailworm
*        VBS/Solow

New Non-Replicating Malware

On the Trojan front, we've seen a strong increase in infections by Identity Theft Trojans (Sinowal, Banker, Agent, Dadobra, Banbra, etc.) while the pay-per-install adware/spyware affiliates are having a hard time maintaining their number one position. I guess it pays more to steal directly from consumers' bank accounts. The rest of the list is made up by spammer bots, rogue anti-spyware and other creatures.

****     Trj/Lineage
****     Adware/Netproject
***      Trj/dmRandom
***      Trj/Sinowal
***      Trj/QQpass
***      Trj/Nabload
***      Trj/Downloader
***      Trj/Banker
***      Trj/Autorun
***      Trj/Agent
***      Spyware/Virtumonde
***      Bck/IRCBot
***      Adware/VapSup
***      Adware/NaviPromo
**       Trj/Spambot
**       Trj/Ranky
**       Trj/Qhost
**       Trj/Dadobra
**       Trj/Buzus
**       Trj/Banbra
**       Trj/Agysteo
**       Generic Malware
**       Bck/Sdbot
**       Bck/Hamweq
**       Bck/Agent
**       Adware/VideoPlugin
**       Adware/BHO
*        Trj/WmaDownloader
*        Trj/VBbot
*        Trj/Spy
*        Trj/Spammer
*        Trj/Passwordstealer
*        Trj/Multidropper
*        Trj/Mitglieder
*        Trj/Killfiles
*        Trj/Dropper
*        Trj/DNSChanger
*        Trj/Clicker
*        Trj/Busky
*        Trj/BedeTres
*        Generic Trojan
*        Dialer
*        Bck/VBBot
*        Bck/Turkojan
*        Bck/Tiny
*        Bck/Peacomm
*        Bck/Nepoe
*        Bck/Hupigon
*        Bck/Gaobot
*        Bck/Dbot
*        Application/WinSpywareProtect
*        Application/VirusHeat
*        Adware/Zenosearch
*        Adware/Yazzle
*        Adware/WinSpywareProtect
*        Adware/WinReanimator
*        Adware/WinIFixer
*        Adware/WinAntiVirus2007
*        Adware/VirusRanger
*        Adware/VirusHeat
*        Adware/VideoKeyCodec
*        Adware/VideoAccessCodec
*        Adware/UltimateDefender
*        Adware/SecurityError
*        Adware/SearchPorn
*        Adware/RussiaPorn
*        Adware/PCCleaner
*        Adware/MalwareAlarm
*        Adware/Lop
*        Adware/Ivideo
*        Adware/BraveSentry
*        Adware/AntiSpywareShield
*        Adware/Alexa
*        Adware/AdvancedXPFixer
*        Adware/4Porn
 

Even though we get thousands of new malware samples in the lab every day, only a fraction of these make it in-the-wild actively infecting users. These are the most interesting samples for us as they're the ones we need to concentrate on the most. The vast majority of the times we catch these either by generic signatures, heuristics or TruPrevent behavioral analysis and blocking and through a variety of sensors such as our own products installed at users' PCs, online scanners or through correlation by our Collective Intelligence.

During the month of April we've seen a total of 6.809 unique samples actively circulating and infecting users. Out of the total malware seen in-the-wild, approximately 10% of the samples are completely new and not seen in previous months. Of this new malware 81% are non-replicating Trojans while the rest are self-replicating viral/worm code.

Following below is an overview of the prevalence statistics and family details broken down by type (non-replicating and self-replicating) and use of runtime packer or obfuscator.

New Non-Replicating Trojans

Let's take a look first at the new Trojans sighted this month. As usual adware/spyware leads the list with the largest number of variants being distributed. It's obvious that the return on investment is greatest with this type of malware as there are plenty of "marketing companies" out there that offer pay-per-install affiliate programs of their malware.

An interesting trends we're seeing lately is the increase in Banking Trojan activity. These are mostly distributed via Web Exploitation Kits and Trj/Downloaders. They are best represented this month by the Banker and Sinowal families.

The following table details the new non-replicating Trojans found in-the-wild with an indication of their prevalence, from * (seen on at least two unique computers) to ***** (massive distribution).

Prevalence	Name
****	 Adware_Netproject
***	 Spyware_Virtumonde
***	 Adware_VideoAccessCodec
***	 Adware_Netproject
***	 Adware_NaviPromo
**	 Trj_Nabload.DEX
**	 Trj_Mitglieder.TJ
**	 Trj_Lineage.IGA
**	 Trj_Lineage.IDJ
**	 Trj_Lineage.IDE
**	 Trj_Lineage.HZI
**	 Trj_Downloader.TIN
**	 Trj_Downloader.THP
**	 Trj_Downloader.TCC
**	 Trj_dmRandom.TW
**	 Trj_Banker.KWQ
**	 Trj_Banker.KWP
**	 Trj_Banker.KWO
**	 Trj_Banker.KWH
**	 Malicious Packer
**	 Adware_WinReanimator
**	 Adware_VirusHeat
**	 Adware_VideoPlugin
**	 Adware_VideoAccessCodec
**	 Adware_VapSup
**	 Adware_UltimateDefender
**	 Adware_Suurch
*	 W32_Lineage.ICJ.worm
*	 Trj_Zlob.IF
*	 Trj_SysW.G
*	 Trj_Spammer.AHH
*	 Trj_Spammer.AHD
*	 Trj_Spamine.G
*	 Trj_Sinowal.VKF
*	 Trj_Sinowal.VKE
*	 Trj_Sinowal.VKB
*	 Trj_Sinowal.VJZ
*	 Trj_QQPass.BGT
*	 Trj_QQPass.BGN
*	 Trj_QQPass.BGM
*	 Trj_QQPass.BGL
*	 Trj_Nabload.DEU
*	 Trj_Nabload.DET
*	 Trj_Multidropper.RMN
*	 Trj_Mitglieder.TI
*	 Trj_Lineage.IFH
*	 Trj_Lineage.IFG
*	 Trj_Lineage.IFF
*	 Trj_Lineage.IFE
*	 Trj_Lineage.IFC
*	 Trj_Lineage.IFB
*	 Trj_Lineage.IEY
*	 Trj_Lineage.IEW
*	 Trj_Lineage.IEU
*	 Trj_Lineage.IEM
*	 Trj_Lineage.IDV
*	 Trj_Lineage.IDE
*	 Trj_Lineage.ICA
*	 Trj_Lineage.IAN
*	 Trj_Lineage.IAL
*	 Trj_Lineage.HTK
*	 Trj_Lineage.HNA
*	 Trj_Hosts.V
*	 Trj_Hosts.U
*	 Trj_Gamania.GS
*	 Trj_FireByPass.BP
*	 Trj_Exchanger.D
*	 Trj_Downloader.TME
*	 Trj_Downloader.TLU
*	 Trj_Downloader.TLL
*	 Trj_Downloader.TJR
*	 Trj_Downloader.TJF
*	 Trj_Downloader.TJE
*	 Trj_Downloader.TJA
*	 Trj_Downloader.TIL
*	 Trj_Downloader.TIK
*	 Trj_Downloader.THZ
*	 Trj_Downloader.THI
*	 Trj_Downloader.TEG
*	 Trj_Downloader.TDA
*	 Trj_Downloader.TCQ
*	 Trj_Downloader.TAU
*	 Trj_dmRandom.UB
*	 Trj_Dadobra.AOR
*	 Trj_Busky.DE
*	 Trj_BHO.AT
*	 Trj_Banker.KXI
*	 Trj_Banker.KWX
*	 Trj_Banker.KWV
*	 Trj_Banker.KWR
*	 Trj_Banker.KTU
*	 Trj_Banbra.FQI
*	 Trj_Banbra.FQB
*	 Trj_Banbra.FON
*	 Trj_Autorun.TS
*	 Trj_Autorun.JN
*	 Trj_Agent.IPR
*	 Trj_Agent.IPI
*	 Trj_Agent.IOH
*	 Trj_Agent.IOD
*	 Trj_Agent.IOB
*	 Spyware_Virtumonde
*	 Generic Malware
*	 Bck_Sdbot.LUN
*	 Bck_SDBot.LUF
*	 Bck_SDBot.LTW
*	 Bck_Sdbot.LTR
*	 Bck_PoisonIvy.U
*	 Bck_Oderoor.Q
*	 Bck_Oderoor.P
*	 Bck_LanMan.CN
*	 Bck_IRCBot.BYY
*	 Bck_IRCBot.BYO
*	 Bck_IRCBot.BYI
*	 Bck_IRCBot.BYH
*	 Bck_IRCBot.BXW
*	 Bck_IRCBot.BXU
*	 Bck_IrcBot.BXT
*	 Bck_IRCBot.BXL
*	 Bck_Hupigon.LAB
*	 Bck_Agent.IPD
*	 Bck_Agent.IOG
*	 Application_VirusHeat
*	 Application_SpyShredder
*	 Application_PCCleaner
*	 Adware_Zenosearch
*	 Adware_XXXHoliday
*	 Adware_WinSecureDisc
*	 Adware_WinReanimator
*	 Adware_WinIFixer
*	 Adware_WebHancer
*	 Adware_VirusIsolator
*	 Adware_VirusHeat
*	 Adware_VideoPorn
*	 Adware_VideoKeyCodec
*	 Adware_VapSup
*	 Adware_TopSpyware
*	 Adware_SpywareSoftStop
*	 Adware_SpyAway
*	 Adware_SecuritySystem
*	 Adware_SecurityError
*	 Adware_SearchVideo
*	 Adware_PCCleaner
*	 Adware_MalwareAlarm
*	 Adware_Lop
*	 Adware_ChristmasPorn
*	 Adware_BaiduBar
*	 Adware_AntiSpywareReview
*	 Adware_Alexa

New Self-Replicating Virus & Worms

Even though some security experts out there maintain that 'viruses are a thing of the past', the fact is that almost 20% of the new malware we see every month are self-replicating viruses and worms. This figure is not as high as it used to be years ago but it comes to prove that viruses are definitely not dead.

As with previous months, worms spreading through Instant Messaging such as the W32/MSN.worm and W32/MSNWorm lead the list by propagating via vulnerabilities and sending links to copies of itself to all IM contacts.

The prevalence, especially in corporate networks, of the particularly nasty W32/Virutas, is probably due to its effectiveness as a cavity, polymorphic, entry point obscuring and memory resident infector virus.

The remainder of the list is mostly made up by spam-spewing bots and game password stealers for World of Warcraft and Lineage.

As above, the following table details the new self-replicating viruses and worms found in-the-wild with an indication of their prevalence (* for low and ***** for massive distribution).

Prevalence	Name
***	 W32_MSN.J.worm
***	 W32_Lineage.HXI.worm
**	 W32_Nuwar.SS.worm
**	 W32_MSNWorm.EJ.worm
**	 W32_Lineage.IFX.worm
**	 W32_Lineage.IEN
**	 W32_Lineage.ICM.worm
**	 W32_Lineage.IBW.worm
**	 W32_Lineage.HZE.worm
**	 W32_Bagle.SR.worm
*	 W32_Wow.SI.worm
*	 W32_Virutas.AB
*	 W32_VBS.H.worm
*	 W32_VanBot.AE.worm
*	 W32_UsbStorm.K.worm
*	 W32_Thanks.B.worm
*	 W32_SundMan.A.worm
*	 W32_Spamta.AGD.worm
*	 W32_Sohanat.EX.worm
*	 W32_Sohanat.AS.worm
*	 W32_Socks.C.worm
*	 W32_Socks.B.worm
*	 W32_SDBot.LUI.worm
*	 W32_Sdbot.LUB.worm
*	 W32_SdBot.LTV.worm
*	 W32_Sdbot.LTT.worm
*	 W32_Sality.AA
*	 W32_QQRob.OS
*	 W32_Oscarbot.TK.worm
*	 W32_Nuwar.TC.worm
*	 W32_Nuwar.SV.worm
*	 W32_Nuwar.SR.worm
*	 W32_MSNworm.EK.worm
*	 W32_MSNworm.EI.worm
*	 W32_Mabezat.C
*	 W32_Lineage.IFI.worm
*	 W32_Lineage.IEZ.worm
*	 W32_Lineage.IEN.worm
*	 W32_Lineage.IEG.worm
*	 W32_Lineage.IDS
*	 W32_Lineage.IDR.worm
*	 W32_Lineage.IDI.worm
*	 W32_Lineage.ICT.worm
*	 W32_Lineage.ICO.worm
*	 W32_Lineage.ICL.worm
*	 W32_Lineage.ICJ.worm
*	 W32_Lineage.ICB
*	 W32_Lineage.IBZ.worm
*	 W32_Lineage.IBX.worm
*	 W32_IRCBot.BYQ.worm
*	 W32_IRCBot.BYL.worm
*	 W32_IRCBot.BYC.worm
*	 W32_IRCBot.BYB.worm
*	 W32_IRCBot.BYA.worm
*	 W32_Gaobot.QGN.worm
*	 W32_DengDun.A.worm
*	 W32_Brontok.JL.worm
*	 W32_Bagle.SN.worm
*	 W32_Autorun.TU.worm
*	 W32_Autorun.TK.worm
*	 W32_Agent.INI.worm
*	 W32_Agent.ILD.worm
*	 VBS_Sasan.A.worm

By Runtime Packers & Obfuscators

I've blogged quite a bit in previous occasions about the use of packers and obfuscators, especially in money-driven Trojans, in order to avoid detection by AV signature and emulator-driven heuristics.

One of the latest key trends to watch out for is the rapidly increasing use of 'private' purpose-made packers and multi-layered packers. Also especially worrying is the ever-increasing use of "virtualization obfuscators" such as EXECryptor and Themida. Our colleague from Sophos Boris Lau gave a very good speech last week at the CARO Workshop about promising strategies for dealing with these.

UPX		581
Upack		302
'Private'	150
FSG		101
PECompact	94
AS-Pack		88
EXECryptor	62
Themida		53
Multi-layer	38
Nspack		38
ASProtect	37
nPack		22
Adware_Lop	17
RLPack		16
PKLite32	14
tElock		14
UPolyX		13
Wsnpoem		11
Armadillo	8
MEW 11 SE	7
Thinstall	7
Expressor	6
Cexe		4
PolyCryptA	4
PUSH/RET	4
PE Crypt	3
Virtumonde	3
YodaProtect	3
DalKrypt	2
Molebox		2
PESpin		2
Petite		2
CryptFF.b	1
NiceProtect	1
DragonArmor	1
EPProt		1
Exe32pack	1
Kkrunchy	1
MaskPE		1
Morphine	1
NTKrnl		1
PCShrink	1
PEncrypt	1
PEP		1
RCryptor	1
RPCrypt		1
SDProtect	1
SimplePack	1
UltraProtect	1
WWPack32	1
yzpack		1