Archive

Archive for the ‘Malware’ Category

Q2 2011 Test Results of Security Suites

July 20th, 2011 5 comments

Recently both AV-Test.org and AV-Comparatives.org have announced their respective results for dynamic "real-world" or "whole-product" tests. These tests try to replicate the user experience by introducing malware to the test machine in much the same way a regular user would encounter it and get infected, mainly through malicious web sites and the files they deliver, so that URL blocking, signatures, heuristics and behavioural detection all count rather than the on-demand scanner alone. We are very proud of the results of Panda Internet Security 2011/2012, which show consistency in providing top-quality detection and protection, ahead of better-known security vendors such as Symantec, Avast, AVG, ESET, Trend Micro, Microsoft, Webroot, etc.

AV-TEST REAL-WORLD TEST – Q2 2011 RESULTS

In the real-world test results for Q2 2011 Panda was one of only 4 vendors to achieve a score higher than 15 points.

AV-COMPARATIVES WHOLE-PRODUCT TEST – JUNE 2011

In the June 2011 test Panda Internet Security shared first place in "blocking" rate (malware blocked without requiring any user interaction) with two other vendors.

’Tis the comparative season

April 25th, 2011 Comments off

There have been a few comparative tests published of late. In case you’ve missed any of them, here’s a quick rundown of the most significant ones.

First on the list are the Q1-2011 quarterly results of the Full Product Test (FPT) by AV-Test.org. These FPTs are performed on a monthly basis and are very in-depth, covering pretty much all aspects of a modern security product and testing from a user’s perspective by replicating infection vectors and user experience. The areas tested include real-time blocking of malicious websites, detection of relevant and active malware samples (zoo malware, and wildlist malware according to AV-Test.org’s own criteria of what is in the wild, not the limited WildList.org list), false positive testing, performance testing, disinfection testing, detection and disinfection of active rootkits, behaviour-based dynamic detection, dynamic false positives and packer and archive support. Overall it is one of the most comprehensive regular tests out there. It’s such a tough test that 5 out of the 22 vendors tested did not obtain the minimum score to achieve certification. Panda Internet Security came out with very good scores and achieved certification. The report on Panda Internet Security can be found here (PDF) and the complete results for all vendors here.

Next in line are a couple of tests by AV-Comparatives.org. The first one is the traditional On-Demand test from February 2011, which also tests false positives and performance of the on-demand scanner. In this test Panda Antivirus Pro achieved the #4 rank in terms of malware detection. We still had 18 false positives which, even though they are of low prevalence according to AV-Comparatives.org, prevented us from achieving the Advanced+ certification. We’re doing a lot of work on improving in this area. Panda Antivirus Pro also achieved the #2 rank in the performance test for scanning speeds. The full report can be downloaded from the AV-Comparatives.org website here.

The second test by AV-Comparatives.org that has been published recently is the Whole-Product Test. Similar to the AV-Test.org Full Product Test, this test tries to measure user experience by replicating the infection vector. Unlike the AV-Test.org FPT, this one focuses only on malicious websites and behaviour-based dynamic detection. Panda Internet Security scored very well with a 98.8% protection index. More information can be found at the AV-Comparatives.org site here.

If you’re interested in these types of AV tests, make sure to vote on your favourite AV testing outfit in our open poll here. So far both AV-Comparatives and AV-Test are leading the pack.

Microsoft’s 6-year long open door to malware

March 9th, 2011 4 comments
Microsoft has finally released an automatic update which disables AutoRun on USB drives for all its supported Windows operating systems: autorun.inf is no longer honoured on non-optical removable media. Until now only Windows 7 shipped with this behaviour by default. With this update Microsoft finally closes one of the most common malware infection vectors of the last 6 years.

Let’s quickly review the history of this functionality, which during 2010 was said to account for 25% of malware infections worldwide and has been the source of quite a few embarrassments for many companies (examples here and here). But first some definitions:

AutoRun: feature that automatically launches a program from removable media as soon as the volume is mounted. Under Windows the parameters of this auto-execution (the open= or shellexecute= command, an icon, a label) are defined in a file called autorun.inf located at the root of the removable media.
AutoPlay: introduced with Windows XP, analyzes the removable media and, depending on the contents, shows a dialog suggesting the most appropriate programs to handle that content. An autorun.inf on the media adds its own entry to that list; if the user picks it and ticks “Always do the selected action”, the dialog is not shown again and the program runs silently every time the media is inserted. That “memory” is what turned AutoPlay into an infection vector.

Important milestones
  • In 2005 USB drives became popular and malware started using them to propagate.
  • Even three years after malware started actively using this method to infect customers, Microsoft refused to accept the reality of the problem and kept shipping AutoRun enabled by default in its Windows operating systems. In 2008 Microsoft did document a way to disable AutoRun via Group Policy or the NoDriveTypeAutoRun registry value, but the workaround did not work as advertised: even with the setting “disabled”, users were still open to attack through the AutoRun vector.
  • In July 2008 Microsoft published MS08-038, which “fixed the broken fix”, but the update was only offered through Windows Update for Windows Vista and Windows Server 2008. Instead of patching XP users as well, it left the problem unsolved in what some might consider a business strategy to sell more Vista licenses.
  • Towards the end of 2008 Conficker showed up, taking advantage of the AutoRun feature in a way not seen before: it created an autorun.inf whose content looked like garbage yet was fully functional, because the INI parser Windows uses simply skips lines it cannot read and still honours the real entries. All the workarounds Microsoft had recommended to date, based on the NoDriveTypeAutoRun policy, continued to be useless against it.
  • In early 2009, and due to Conficker’s success, Microsoft corrected a bug (CVE-2009-0243) that fixed part of the previous problem, and this time the update was pushed automatically to all Windows XP users. Amazingly it wasn’t classed as a “security patch” and has no associated Microsoft Security Bulletin. In addition the patch changed the behaviour of AutoRun: it introduced a new registry value (HonorAutorunSetting) that had to be configured correctly by hand before the NoDriveTypeAutoRun policy was honoured at all. Effectively AutoRun continued being a problem for the vast majority of users.
  • In mid 2009 there seemed to be some light at the end of the tunnel: Microsoft decided to improve the security of AutoRun on writeable removable media so that autorun.inf entries on USB drives are no longer offered in the AutoPlay dialog. However this was only included by default in Windows 7. Windows XP users, still by far the most widely used platform, had to manually download and install KB971029. From the point of view of protecting XP users from malware infection this move was effectively useless. Again some might consider it a business-driven decision to “keep security low in XP in order to drive sales of the more secure Windows 7”.
  • In July 2010 Stuxnet shocks the world. It is able to propagate via USB drives without requiring an autorun.inf file at all, using a zero-day vulnerability in the handling of .LNK shortcut files (CVE-2010-2568) that allows code execution as soon as Explorer renders the shortcut’s icon, even with AutoRun and AutoPlay disabled. Microsoft promptly patched it in MS10-046.
  • Finally, in February 2011, Microsoft decided to push an update to fix the problem for operating systems prior to Windows 7.
It has been a long and tedious road to have this wide open door finally shut. The main question that comes to mind, given the technical simplicity of the fix, is “why wasn’t this issue fixed before?”. Why has Microsoft allowed its users to become easily infected by malware for years when the solution was readily available? Of course the real reasons might never see the light of day. Instead arguments such as “improved usability and portability” will probably take the spotlight. But what about the security implications of the tens of millions of infections which have siphoned credentials, money and personal information from users during all these years?
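To make the policy side of this concrete, here is an added example (not code from the original post, from Hispasec or from Microsoft). It decodes the NoDriveTypeAutoRun bitmask per drive type, models the HonorAutorunSetting gate that the CVE-2009-0243 update introduced (a correct bitmask behind a missing or zero gate is still not enforced), and parses an autorun.inf the tolerant way Windows does, so that a file padded with junk still yields its launch target. The sample autorun.inf is constructed for this example and is not a real Conficker file; the drive-type numbering follows what GetDriveType() returns.

```python
"""Added example for this post (not code from Microsoft or from the original
article): decode the NoDriveTypeAutoRun policy bitmask, model the
HonorAutorunSetting gate introduced with the CVE-2009-0243 fix, and parse an
autorun.inf tolerantly enough to find the launch target in a file padded with
junk, which is how a "garbage" autorun.inf still works."""
import re

# Bit n of NoDriveTypeAutoRun disables AutoRun for drive type n, n being the
# value GetDriveType() reports for the volume. A SET bit means "do not autorun".
DRIVE_TYPES = {
    0: "unknown",
    1: "no_root_dir",
    2: "removable",   # USB sticks and memory cards
    3: "fixed",
    4: "remote",      # network shares
    5: "cdrom",
    6: "ramdisk",
    7: "reserved",
}
DISABLE_ALL = 0xFF  # the value the Microsoft workarounds tell you to set


def autorun_enabled_for(no_drive_type_autorun, drive_type, honor_autorun_setting=1):
    """True if Windows would still act on autorun.inf for this drive type.

    honor_autorun_setting stands for the HonorAutorunSetting registry value:
    after the CVE-2009-0243 update the bitmask is only enforced when it is 1,
    so a machine with a correct bitmask but a missing or zero gate stays open.
    """
    if drive_type not in DRIVE_TYPES:
        raise ValueError("unknown drive type %r" % (drive_type,))
    if honor_autorun_setting != 1:
        return True                          # policy not honoured at all
    return not (no_drive_type_autorun >> drive_type) & 1


def disabled_types(no_drive_type_autorun):
    """Names of the drive types for which the bitmask switches AutoRun off."""
    return [name for bit, name in DRIVE_TYPES.items()
            if (no_drive_type_autorun >> bit) & 1]


_SECTION = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]\s*$")
_KEYVAL = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_autorun_inf(raw):
    """Return {key: value} from the [autorun] section of an autorun.inf.

    Behaves like the INI reader Windows uses: section and key names are
    case-insensitive and any line that is neither '[section]' nor 'key=value'
    is skipped, so filler bytes around the real entries change nothing.
    """
    text = raw.decode("latin-1")             # never fails on binary junk
    entries, in_autorun = {}, False
    for line in re.split(r"[\r\n]+", text):
        m = _SECTION.match(line)
        if m:
            in_autorun = m.group(1).lower() == "autorun"
            continue
        m = _KEYVAL.match(line)
        if m and in_autorun:
            entries[m.group(1).lower()] = m.group(2)
    return entries


def launch_targets(entries):
    """The commands AutoRun would run, as (key, command) pairs."""
    return [(k, entries[k]) for k in ("open", "shellexecute") if k in entries]


def looks_like_folder_lure(entries):
    """True if the inf dresses its entry up as 'open folder': a folder icon from
    shell32.dll plus an action= label mimicking the built-in AutoPlay choice."""
    icon = entries.get("icon", "").lower()
    action = entries.get("action", "").lower()
    return "shell32.dll" in icon and "open folder" in action


# Constructed sample for this example, not a real Conficker file: the entries
# Windows cares about are buried between lines its INI parser throws away.
SAMPLE_INF = (
    b"\xff\xfe\x00\x10junk junk junk\r\n"
    b"[AuToRuN]\r\n"
    b"\x9a\x01\x02 ;\x7f\r\n"
    b"OPEN = RECYCLER\\S-1-5-21-0000000000-0000000000-000000000-0000\\system.exe\r\n"
    b"garbage without an equals sign\r\n"
    b"icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    b"action=Open folder to view files\r\n"
)

if __name__ == "__main__":
    for mask, honor in ((0x91, 1), (DISABLE_ALL, 1), (DISABLE_ALL, 0)):
        print("mask=0x%02X honor=%d removable autorun enabled: %s (disabled for: %s)"
              % (mask, honor, autorun_enabled_for(mask, 2, honor), disabled_types(mask)))
    inf = parse_autorun_inf(SAMPLE_INF)
    print("launch targets:", launch_targets(inf), "folder lure:", looks_like_folder_lure(inf))
```

The 0x91 mask used in the demo is the value Windows Vista and later set by default; it leaves removable drives (type 2) enabled, which is exactly why the recommended value is 0xFF. When auditing a machine, read both values from HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (and the HKCU copy, which takes precedence when present) and feed them to autorun_enabled_for.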

As a side note, there are still many infected and unpatched machines out there so be sure to apply the Microsoft patch and use something like USB Vaccine to provide an additional layer of protection.

NOTE: this post is based on the original published by Hispasec.

Panda Antivirus Command Line Scanner 9.5.1.2

February 10th, 2011 5 comments

We have an updated version of the Panda Antivirus command-line scanner available, version 9.5.1.2. It can be downloaded from http://research.pandasecurity.com/blogs/images/pavcl.zip. The package includes a signature file (pav.sig) from today. In order to download updated signature files you can use a current license for any Panda product (except Panda Cloud Antivirus) to access the updates available at http://acs.pandasoftware.com/member/pavsig/pav.zip with the license credentials.


Possible parameters:
-auto Scan without user intervention.
-nob Do not scan boot sectors.
-lis Show virus list
-del Delete infected files.
-cmp Search for viruses into compressed files.
-clv Disinfect the viruses found.
-exc: Use exclusion list
-ext: Use valid extension list
-help Show help
-heu Activate heuristic detection method.
-heu: Activate heuristic detection method with level (1-3).
-onlype Use only PE Heuristic during analysis
-nbr Does not allow interrupting the program with Ctrl-C.
-nomalw Do not detect Malware
-nojoke Do not detect Jokes
-nodial Do not detect Dialers
-nohackt Do not detect Hacking Tools
-nospyw Do not detect Spyware
-nof Do not analyze files
-nocookies Do not detect Tracking Cookies.
-nor Do not generate result files.
-noscr Do not output to console.
-nos Deactivate sounds.
-nsub Do not scan nested subdirectories.
-path Scan the directories specified in the path environment variable.
-sig: Alternate location for signature files
-ren Rename infected files.
-rto Restore original name for renamed files
-rpt: Report file
-save Saves the parameters to a file for its use the next time it is run.
-esp Change language to SPANISH.
-eng Change language to ENGLISH.
-aex Scan all files, independently of their extension.
-info Show configuration status information.
-no2 Do not perform the second action
-loc Analyze local drives
-all Analyze all drives

Categories: Heuristics, Malware, Utils Tags: ,

AV-Test.org 2010 Test Results

January 31st, 2011 2 comments

The independent AV testing organization AV-Test.org recently released the latest results of its monthly “Full Product Tests”. The Full Product Tests are a comprehensive look at anti-malware products’ ability to protect end users in real-life situations. They cover three main areas of each product: Protection, Repair and Usability. Under each area there are multiple sub-tests, such as signature detection, behavioural or dynamic detection, etc. The detailed results are available at www.av-test.org/certifications.

In order to gain certification a product has to achieve a minimum score of 12. The results are very revealing, with many products reaching neither the minimum score nor the certification. We are happy to announce that in the 3 quarters in which AV-Test.org has conducted these tests, Panda Internet Security has achieved the certification every time.

On a related note, AV-Test.org recently surpassed the 50 million unique malicious sample mark. This is aligned with what our Collective Intelligence servers have analyzed and processed automatically, which is up to 146 million files (both good and bad files).

Vodafone distributes Mariposa – Part 2

March 17th, 2010 7 comments

It seems that my original post Vodafone distributes Mariposa botnet caught a lot of attention. It was very interesting to see the reactions from the different actors. On the one hand Vodafone called it an isolated incident, deleted all posts on their forum from users asking about the incident, and then two days later announced the end of life of the HTC Magic. On the other hand reactions from users all over the blogosphere ranged from applause for uncovering this to accusing us of making it up, along with the inevitable and always amusing Android vs. iPhone fanboy quarrels.

However it also caught the attention of an employee of a different IT security company here in Spain, S21Sec, which specializes in researching banking trojans & vulnerabilities. This guy had also purchased an HTC Magic direct from Vodafone’s official website the same week as my co-worker. He hadn’t connected the phone to his PC yet, but as soon as he saw the news hurried back home, plugged it in via USB and scanned its memory card with both MalwareBytes and AVG Free. Lo and behold, Mariposa emerged again, exactly in the same way as in our original finding.

[image: htc-magic-sd-autorun]

He immediately contacted us and was kind enough to send us the microSD card and allowed us to connect to his PC to analyze what had happened. According to the dates of the files, it seems his Vodafone HTC Magic was loaded with the Mariposa bot client on March 1st, 2010 at 19:07, a little over a week before the phone was delivered to him directly from Vodafone.

This Mariposa botnet client is also located in the same hidden NADFOLDER directory. It is also named AUTORUN.EXE and will run automatically when the phone is connected to a Windows machine unless you have AutoRun disabled (download USB Vaccine to disable AutoRun if you haven’t done so yet).

The Mariposa botnet client itself is exactly the same as reported last week, with the same nickname and same Command & Control servers.

00129953  |.  81F2 736C6E74  |XOR EDX,746E6C73 ; "tnls"

mx5.nadnadzz2.info
mx5.channeltrb123trb.com
mx5.ka3ek2.com

If these are not enough coincidences, there was also more malware in the SD card in addition to Mariposa. I also found a Win32/AutoRun worm in the following location of the phone’s card:

I:\RECYCLER\S-1-5-21-1254416572-1263425100-317347820-0350\system.exe

And for those conspiracy theorists amongst you (bless you!), the AV that he had installed was not Panda but AVG.

[image: htc-magic-avg]

So what conclusions can we draw from all this?

  • Vodafone stated it was an isolated incident, but that theory is losing ground as quickly as you can say “p0wn3d”.
  • Originally I had thought it was an issue with a specific refurbished phone as well. But having the exact same botnet client with the exact same characteristics, with so little time between the malware being loaded and the phone being delivered to the customer, and all of it happening during the same week, makes me think this might be a bigger problem, either with QA or with a specific batch of phones.
  • If you’re in Europe and you’ve purchased a HTC Magic from Vodafone a few weeks before or after March 1st 2010, I’d double-check my PC and my HTC’s microSD card if I were you.

The lesson to be learned here could be: either stop pre-loading malware into the phones or at least stop selling them to employees of IT security companies ;)
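For anyone who wants to check a card or stick from one of these phones without trusting the AutoPlay dialog, here is an added example (not code from either post and not a Panda tool). It triages a file listing taken from a removable volume for the artefacts both posts describe: an autorun.inf at the root, an executable in a hidden folder that the inf points at (NADFOLDER\AUTORUN.EXE), and an executable under a RECYCLER\<SID>\ tree, the AutoRun-worm drop location seen at I:\RECYCLER\S-1-5-21-1254416572-1263425100-317347820-0350\system.exe. It also checks DNS query logs against the three C&C hostnames quoted above. The listing, the autorun.inf and the DNS log lines are constructed for the example (only the RECYCLER path and the C&C names come from the posts), and the log layout is an assumption.

```python
"""Added example for the two Vodafone/HTC Magic posts (not code from the
original articles): offline triage of a file listing taken from a removable
volume, flagging the artefacts described there, plus a check of DNS query
logs against the Mariposa C&C hostnames the posts list."""
import re
from collections import namedtuple

# One line of a listing; `hidden` is true if the file or its directory carries
# the Hidden attribute. In practice you would build these from `dir /a /s`.
Entry = namedtuple("Entry", "path hidden")

EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs")
# Windows XP keeps the recycle bin as RECYCLER\<user SID>\ on NTFS volumes and
# as a plain "Recycled" folder on FAT media, so a RECYCLER\<SID> tree on a
# FAT-formatted memory card is suspicious in itself, and an executable inside
# it is the classic AutoRun-worm drop location.
RECYCLER_SID_EXE = re.compile(
    r"^RECYCLER\\S-1-5-\d+(?:-\d+)+\\[^\\]+\.(?:exe|com|scr|pif)$", re.I)
AUTORUN_TARGET = re.compile(r"^\s*(open|shellexecute)\s*=\s*(.+?)\s*$", re.I | re.M)

# C&C hostnames quoted in the posts.
C2_HOSTS = ("mx5.nadnadzz2.info", "mx5.channeltrb123trb.com", "mx5.ka3ek2.com")


def autorun_target(inf_text):
    """Program named by the first open=/shellexecute= line (without arguments)."""
    m = AUTORUN_TARGET.search(inf_text)
    if not m:
        return None
    prog = m.group(2).split()[0]           # drop arguments such as rundll32 params
    return prog[2:] if prog.startswith(".\\") else prog


def triage(entries, inf_text=None):
    """Return (severity, path, reason) findings for a removable-volume listing."""
    findings = []
    target = autorun_target(inf_text) if inf_text else None
    target = target.lower() if target else None
    if any(e.path.lower() == "autorun.inf" for e in entries):
        findings.append(("medium", "autorun.inf",
                         "autorun.inf at volume root, target=%r" % target))
    for e in entries:
        low = e.path.lower()
        is_exec = low.endswith(EXEC_EXT)
        if RECYCLER_SID_EXE.match(e.path):
            findings.append(("high", e.path,
                             "executable under RECYCLER\\<SID>\\ on removable media"))
        elif is_exec and e.hidden:
            findings.append(("high", e.path, "executable in a hidden location"))
        if target and is_exec and low == target:
            findings.append(("high", e.path, "this file is the autorun.inf launch target"))
    return findings


def c2_lookups(dns_log_lines, c2_hosts=C2_HOSTS):
    """(client, qname) pairs whose query name is, or sits under, a known C&C host."""
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].lower().rstrip(".")
        if any(qname == h or qname.endswith("." + h) for h in c2_hosts):
            hits.append((parts[1], qname))
    return hits


# Constructed listing standing in for the phone's microSD card; the RECYCLER
# path is the one quoted in the post, the rest is made up for the example.
SAMPLE_LISTING = [
    Entry("autorun.inf", True),
    Entry("NADFOLDER\\AUTORUN.EXE", True),
    Entry("RECYCLER\\S-1-5-21-1254416572-1263425100-317347820-0350\\system.exe", True),
    Entry("DCIM\\100MEDIA\\IMAG0001.jpg", False),
    Entry("Android\\data\\.nomedia", False),
]
SAMPLE_INF = "[autorun]\r\nopen=.\\NADFOLDER\\AUTORUN.EXE\r\nicon=%SystemRoot%\\system32\\shell32.dll,4\r\n"

# Constructed DNS log in an assumed "<timestamp> <client> <qname>" layout, not real traffic.
SAMPLE_DNS_LOG = [
    "2010-03-08T10:00:01 192.168.1.23 www.example.com",
    "2010-03-08T10:00:05 192.168.1.23 mx5.ka3ek2.com",
    "2010-03-08T10:00:09 192.168.1.40 updates.example.org",
    "2010-03-08T10:00:12 192.168.1.23 MX5.NADNADZZ2.INFO.",
]

if __name__ == "__main__":
    for severity, path, reason in triage(SAMPLE_LISTING, SAMPLE_INF):
        print("[%s] %s: %s" % (severity, path, reason))
    print("C&C lookups:", c2_lookups(SAMPLE_DNS_LOG))
```

Run it against a listing taken with AutoRun already disabled (or from a machine that never mounts the volume with Explorer); the point of the hidden-folder rule is that the AUTORUN.EXE in both posts is invisible in a default Explorer view, so a listing that does not include hidden entries will miss it.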

Categories: Malware, News Tags: ,

Vodafone distributes Mariposa botnet

March 8th, 2010 41 comments

Here is yet another example of a company distributing malware to its userbase. Unfortunately it probably won’t be the last.

Today one of our colleagues received a brand new Vodafone HTC Magic with Google’s Android OS. “Neat” she said. Vodafone distributes this phone to its userbase in some European countries and it seems affordable as you can get it for 0€ or 1€ under certain conditions.
[image: 0-pic-htc-magic-vodafone]

The interesting thing is that when she plugged the phone to her PC via USB her Panda Cloud Antivirus went off, detecting both an autorun.inf and autorun.exe as malicious. A quick look into the phone quickly revealed it was infected and spreading the infection to any and all PCs that the phone would be plugged into.
[image: 1-pic-htc-drive]
[image: 2-pic-autorun]

A quick analysis of the malware reveals that it is in fact a Mariposa bot client. This one, unlike the one announced last week which was run by the Spanish hacker group “DDP Team”, is run by some guy named “tnls”, as the botnet-control mechanism shows:

00129953  |.  81F2 736C6E74         |XOR EDX,746E6C73 ; "tnls"

The Command & Control servers which it connects to via UDP to receive instructions are:

mx5.nadnadzz2.info
mx5.channeltrb123trb.com
mx5.ka3ek2.com

Once infected you can see the malware “phoning home” to receive further instructions, probably to steal all of the user’s credentials and send them to the malware writer.

[image: 6-pic-comm-candc]

Interestingly enough, the Mariposa bot is not the only malware I found on the Vodafone HTC Magic phone. There’s also a Conficker sample and a Lineage password-stealing trojan. I wonder who’s doing QA at Vodafone and HTC these days :(

Spam Honeypot Catch

February 3rd, 2010 4 comments

Last week I wrote about a modified Akismet plugin for WordPress which we are using as a blog comment spam honeypot. Recently the honeypot caught an interesting comment whose content was only a link to a website:
hxxp://krojamsoft.com/confickerwormremover.php (do not visit this link)

Basically this site advertises a program that removes Conficker infections. It lets you download the supposed “remover”, but all this does is show you a window where you can enter the “removal registration key” and prompt you to buy a key for $19.

Of course the entire thing is a fraud. If you happen to fall for it, the only thing this program does is launch a real Conficker remover from a well-known antivirus company, which you can get for free anyway.

If you do happen to suspect having an infection, make sure to scan your PC with Panda ActiveScan or simply install Panda Cloud Antivirus Free Edition, Editor’s Choice for Best Free Antivirus.

Categories: Malware Tags:

Blog Comment Spam Honeypot

January 25th, 2010 6 comments

One of the most common vectors for distributing malware nowadays is spamming blogs with comments pointing to malicious sites that host exploits, malware, rogue antiviruses or other types of scams.

In order to analyze the huge volume of spam comments that come in through our various Panda blogs (PandaLabs, Panda Research, Panda Cloud Antivirus Blog, etc.), Iker from PandaLabs has developed a “blog comment spam honeypot”, which is basically a modified Akismet plugin for WordPress. The honeypot writes everything that Akismet flags as spam to an XML file; that file is then processed and every link in it is followed to detect malware, exploits, drive-by downloads, etc.

If you have a WordPress blog and would like to install the honeypot to send your trapped spam to PandaLabs for analysis, simply download and install the blog comment spam honeypot.

Thanks to Iker for all his work on spam research.
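As an added example of the processing side (not Iker’s plugin and not code from this post), the following takes comment bodies that Akismet has already flagged, pulls every link out of them whether bare, in an HTML anchor or in a BBCode tag, normalises the host, defangs the URL for safe handling in reports (the same hxxp convention used on this blog, plus bracketed dots) and counts how many distinct comments point at each host, so the busiest spam destinations surface first for the link-following stage. The comment bodies are constructed for the example and use reserved .example domains.

```python
"""Added example, not the PandaLabs plugin itself: the processing side of a
comment-spam honeypot. Given comment bodies that Akismet has already flagged,
pull out every link (bare URLs, HTML anchors, BBCode tags), normalise the host,
defang the URL for safe handling in reports, and count how many distinct
comments point at each host so the busiest spam destinations surface first."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Matches the URL itself; the optional prefix lets it sit inside href="..." or
# [url=...] without swallowing the closing quote or bracket.
_URL = re.compile(r"""(?:href\s*=\s*["']?|\[url(?:=|\])\s*)?(https?://[^\s"'<>\[\]]+)""", re.I)


def extract_links(comment):
    """All http(s) URLs in a comment body, in order, without duplicates."""
    seen, out = set(), []
    for m in _URL.finditer(comment):
        url = m.group(1).rstrip(".,;:)")       # trailing punctuation is prose, not link
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def host_of(url):
    """Lower-cased host with a leading 'www.' removed, or '' if unparsable."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def defang(url):
    """hxxp://evil[.]example/path: the hxxp convention the post uses, plus
    bracketed dots, so the link cannot be clicked or auto-fetched by tooling."""
    scheme, rest = url.split("://", 1)
    host, sep, tail = rest.partition("/")
    return scheme.lower().replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + tail


def aggregate(comments):
    """Return (Counter host -> number of comments linking to it,
               dict host -> one defanged example URL)."""
    per_host, example = Counter(), {}
    for body in comments:
        hosts_here = set()
        for url in extract_links(body):
            host = host_of(url)
            if not host:
                continue
            hosts_here.add(host)
            example.setdefault(host, defang(url))
        per_host.update(hosts_here)
    return per_host, example


# Constructed spam bodies for the example (reserved .example domains), not
# real honeypot captures.
SPAM_COMMENTS = [
    "Great post! Remove conficker here http://conficker-fix.example/remover.php, thanks.",
    '<a href="http://www.conficker-fix.example/remover.php">free scan</a> and http://pills.example/buy',
    "[url=http://pills.example/buy?id=7]cheap meds[/url]",
    "No link here, just nonsense text.",
]

if __name__ == "__main__":
    counts, examples = aggregate(SPAM_COMMENTS)
    for host, n in counts.most_common():
        print("%2d  %-25s %s" % (n, host, examples[host]))
```

Counting distinct comments per host rather than raw URLs keeps one comment that repeats a link ten times from outranking a campaign that hits ten posts once each; the defanged form is what should go into tickets and the XML, with the live URL only ever handed to the sandboxed fetcher.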

OT: Vacation

January 1st, 2010 12 comments

Happy new year everybody !

I’m taking some days off with the family. This is the view from our cabin :)

[image: IMG_1872]

I’ll be back in a few days…. maybe :)

Categories: Fun, Malware, News Tags: