Archive

Archive for the ‘behavior analysis’ Category

Q2 2011 Test Results of Security Suites

July 20th, 2011 5 comments

Recently both AV-Test.org and AV-Comparatives.org have announced their respective results for dynamic real-world or whole-product tests. These AV tests try to replicate the user experience by introducing malware to the test machine in much the same way a regular user would encounter it and get infected. We are very proud of the results of Panda Internet Security 2011/2012, as they show consistency in providing top-quality detection and protection, ahead of better-known security vendors such as Symantec, Avast, AVG, ESET, Trend Micro, Microsoft, Webroot, etc.

AV-TEST REAL-WORLD TEST – Q2 2011 RESULTS

In the real-world test results for Q2 2011, Panda was one of only 4 vendors to achieve a score higher than 15 points.

AV-COMPARATIVES WHOLE-PRODUCT TEST – JUNE 2011

In the June 2011 test, Panda Internet Security achieved first place, along with two other vendors, in "blocking" rate without requiring any user interaction.

Panda Collective Intelligence and VirusTotal

February 12th, 2009 21 comments

As you know, we've been using Panda Collective Intelligence from-the-cloud scanning technologies for about two years now, initially in our online scanner ActiveScan and also in our Panda 2009 consumer products. Thanks to Collective Intelligence we are able to use complete automation (community-driven information, threat analysis, multiple technology checks, malware/goodware determination and signature creation) to protect against the newest and most dangerous variants faster than with the traditional signature approach.

I'm happy to report that we've now integrated the Panda Collective Intelligence cloud-scanning technology into the VirusTotal service. You'll notice it by the 10.x version numbering next to the Panda engine.

To see Panda Collective Intelligence in action let's look at a new malware that started spreading a few hours ago (MD5: a0713a3639c9d4901daf774022f4bfd2). It is an Adware/Antivirus2009 rogue antivirus. Let's run it through VirusTotal and see the results as of 02.12.2009 12:35:51 (CET):


Check the updated VirusTotal scan result here (search for a0713a3639c9d4901daf774022f4bfd2) to see how other engines add detection progressively.

Malware Prevalence August 2008

September 5th, 2008 Comments off

During the month of August we've seen 8165 unique samples actively circulating and infecting users. These figures come mostly from people who use our online scanner Panda ActiveScan and have a variety of different AV products installed, as well as from our behavioral sensors. The vast majority of the people who use ActiveScan are Symantec, Nod32, McAfee, Kaspersky and AVG users. Out of the total seen infecting these users only a portion are new and not seen in previous months, of which 82% are non-self-replicating Trojans while the rest are self-replicating viruses and worms. The following are the runtime packing properties and most active families whose new variants have been making the summer rounds.


August 2008 – Custom & Private Packers

In our last obfuscation study, Packer (r)evolution, we saw an increase in the use of private or customized versions of packers being developed to evade AV signature detections. As a curiosity I've updated the study to see how this trend is evolving. For this purpose our colleague Satur created a tool called "Detector" for advanced packer identification, which specializes in specific, generic and custom packer identification but is also able to identify file infectors, polymorphism, installers and much more. The results are pretty amazing. In April 2008 we already saw an increase to over 30% of the packers being "private". This has exploded now: in the August 2008 collection a whopping 75% of them are using non-mainstream runtime packing.

August 2008 – New Variants of Self-Replicating Virus/Worm Families

*** W32_Mandaph
*** W32_MSNPhoto
*** W32_Lineage
*** W32_IRCBot
** W32_Sohanat
** W32_Autorun
* W32_Bagle
* W32_Spamta
* W32_Socks
* W32_Sdbot
* W32_Rahack
* W32_Nuwar
* W32_MSNworm
* W32_Lineage
* W32_Kolabc
* W32_Gaobot

August 2008 – New Variants of Non-Self-Replicating Trojan Families

***** Spyware_Virtumonde
*** Trj_Lineage
*** Bck_IrcBot
*** Adware_Zenosearch
** Trj_dmRandom
** Trj_Agysteo
** Trj_Agent
** Adware_Netproject
** Adware_NaviPromo
** Adware_AntivirusXP2008
* VBS_Autorun.ABM
* Trj_Zlob
* Trj_Sinowal
* Trj_QQPass
* Trj_ProxyServer
* Trj_Proxy
* Trj_Passtealer
* Trj_Nabload
* Trj_Multidropper
* Trj_Mailfinder
* Trj_KillAV
* Trj_Gamania
* Trj_Exchanger
* Trj_Downloader
* Trj_DNSChanger
* Trj_Clicker
* Trj_Buzus
* Trj_Banker
* Trj_Banbra
* Trj_Alanchum
* Spyware_Vundo
* Rootkit_Lineage
* Dialer
* Bck_RedGirl
* Bck_Nuclear
* Bck_Hupigon
* Bck_Flooder
* Bck_Bifrose
* Bck_Agent
* Application_AntivirusXP2008
* Application_Antivirus2009
* Application_AntiSpyCheck
* Adware_Xpantivirus2008
* Adware_XPSecurityCenter
* Adware_XPAntivirusPro
* Adware_WinAntispyware2008
* Adware_VapSup
* Adware_RogueAntimalware2009
* Adware_RogueAntimalware2008
* Adware_MediaCodec
* Adware_JavaCore
* Adware_IEAntivirus
* Adware_IEAntiSpyware
* Adware_Antivirus2009
* Adware_Antivirus2008XP
* Adware_Antivirus2008Pro
* Adware_Antivirus2008
* Adware_Antispyware2008
* Adware_AntiSpyCheck
* Adware_Adsmart
* Adware_AVMaster

Categories: behavior analysis, Packers

Malware Prevalence May 2008

June 16th, 2008 Comments off

During the month of May we've seen a 346% growth over April of unique samples actively circulating and infecting users (23.550 samples in May vs. 6.809 in April). Out of the total seen In-The-Wild only a portion are new and not seen in previous months, of which 78% are non-replicating while the rest are self-replicating viral/worm code. We encourage you to visit our Virus Encyclopedia to get detailed descriptions of each one of these.

New Replicating Malware

The ranking of new replicating viruses and worms this month is led by the W32/Lineage and W32/Autorun families. The latter consists of worms which replicate via USB devices and is the newcomer to the top of the list. Who said worms are dead? The rest, as usual, is made up of MSN worms, spammer bots and an old acquaintance, W32/Bagle, still making the rounds.

****     W32/Lineage
****     W32/Autorun
***      W32/Sdbot
***      W32/Nuwar
***      W32/Mandaph
***      W32/MSNWorm
**       W32/Spamta
**       W32/Socks
**       W32/Nahkos
**       W32/IRCBot
**       W32/Gaobot
**       W32/Bagle
**       VBS/Autorun
*        W32/Wow
*        W32/VB
*        W32/Rxbot
*        W32/ProxyServer
*        W32/Perwall
*        W32/Mailworm
*        VBS/Solow

New Non-Replicating Malware

On the Trojan front, we've seen a strong increase in infections by Identity Theft Trojans (Sinowal, Banker, Agent, Dadobra, Banbra, etc.), while the pay-per-install adware/spyware affiliates are having a hard time maintaining their number one position. I guess it pays more to steal directly from consumers' bank accounts. The rest of the list is made up of spammer bots, rogue anti-spyware and other creatures.

****     Trj/Lineage
****     Adware/Netproject
***      Trj/dmRandom
***      Trj/Sinowal
***      Trj/QQpass
***      Trj/Nabload
***      Trj/Downloader
***      Trj/Banker
***      Trj/Autorun
***      Trj/Agent
***      Spyware/Virtumonde
***      Bck/IRCBot
***      Adware/VapSup
***      Adware/NaviPromo
**       Trj/Spambot
**       Trj/Ranky
**       Trj/Qhost
**       Trj/Dadobra
**       Trj/Buzus
**       Trj/Banbra
**       Trj/Agysteo
**       Generic Malware
**       Bck/Sdbot
**       Bck/Hamweq
**       Bck/Agent
**       Adware/VideoPlugin
**       Adware/BHO
*        Trj/WmaDownloader
*        Trj/VBbot
*        Trj/Spy
*        Trj/Spammer
*        Trj/Passwordstealer
*        Trj/Multidropper
*        Trj/Mitglieder
*        Trj/Killfiles
*        Trj/Dropper
*        Trj/DNSChanger
*        Trj/Clicker
*        Trj/Busky
*        Trj/BedeTres
*        Generic Trojan
*        Dialer
*        Bck/VBBot
*        Bck/Turkojan
*        Bck/Tiny
*        Bck/Peacomm
*        Bck/Nepoe
*        Bck/Hupigon
*        Bck/Gaobot
*        Bck/Dbot
*        Application/WinSpywareProtect
*        Application/VirusHeat
*        Adware/Zenosearch
*        Adware/Yazzle
*        Adware/WinSpywareProtect
*        Adware/WinReanimator
*        Adware/WinIFixer
*        Adware/WinAntiVirus2007
*        Adware/VirusRanger
*        Adware/VirusHeat
*        Adware/VideoKeyCodec
*        Adware/VideoAccessCodec
*        Adware/UltimateDefender
*        Adware/SecurityError
*        Adware/SearchPorn
*        Adware/RussiaPorn
*        Adware/PCCleaner
*        Adware/MalwareAlarm
*        Adware/Lop
*        Adware/Ivideo
*        Adware/BraveSentry
*        Adware/AntiSpywareShield
*        Adware/Alexa
*        Adware/AdvancedXPFixer
*        Adware/4Porn

Categories: behavior analysis, Stats

New Malware Prevalence April 2008

Even though we get thousands of new malware samples in the lab every day, only a fraction of these make it in-the-wild, actively infecting users. These are the most interesting samples for us, as they're the ones we need to concentrate on the most. The vast majority of the time we catch these either by generic signatures, heuristics or TruPrevent behavioral analysis and blocking, and through a variety of sensors such as our own products installed on users' PCs, online scanners or correlation by our Collective Intelligence.

During the month of April we've seen a total of 6.809 unique samples actively circulating and infecting users. Out of the total malware seen in-the-wild, approximately 10% of the samples are completely new and not seen in previous months. Of this new malware 81% are non-replicating Trojans while the rest are self-replicating viral/worm code.

Following below is an overview of the prevalence statistics and family details broken down by type (non-replicating and self-replicating) and use of runtime packer or obfuscator.


New Non-Replicating Trojans

Let's take a look first at the new Trojans sighted this month. As usual adware/spyware leads the list with the largest number of variants being distributed. It's obvious that the return on investment is greatest with this type of malware as there are plenty of "marketing companies" out there that offer pay-per-install affiliate programs of their malware.

An interesting trend we're seeing lately is the increase in Banking Trojan activity. These are mostly distributed via Web Exploitation Kits and Trj/Downloaders. They are best represented this month by the Banker and Sinowal families.

The following table details the new non-replicating Trojans found in-the-wild with an indication of their prevalence, from * (seen on at least two unique computers) to ***** (massive distribution).

Prevalence	Name
**** Adware_Netproject
*** Spyware_Virtumonde
*** Adware_VideoAccessCodec
*** Adware_Netproject
*** Adware_NaviPromo
** Trj_Nabload.DEX
** Trj_Mitglieder.TJ
** Trj_Lineage.IGA
** Trj_Lineage.IDJ
** Trj_Lineage.IDE
** Trj_Lineage.HZI
** Trj_Downloader.TIN
** Trj_Downloader.THP
** Trj_Downloader.TCC
** Trj_dmRandom.TW
** Trj_Banker.KWQ
** Trj_Banker.KWP
** Trj_Banker.KWO
** Trj_Banker.KWH
** Malicious Packer
** Adware_WinReanimator
** Adware_VirusHeat
** Adware_VideoPlugin
** Adware_VideoAccessCodec
** Adware_VapSup
** Adware_UltimateDefender
** Adware_Suurch
* W32_Lineage.ICJ.worm
* Trj_Zlob.IF
* Trj_SysW.G
* Trj_Spammer.AHH
* Trj_Spammer.AHD
* Trj_Spamine.G
* Trj_Sinowal.VKF
* Trj_Sinowal.VKE
* Trj_Sinowal.VKB
* Trj_Sinowal.VJZ
* Trj_QQPass.BGT
* Trj_QQPass.BGN
* Trj_QQPass.BGM
* Trj_QQPass.BGL
* Trj_Nabload.DEU
* Trj_Nabload.DET
* Trj_Multidropper.RMN
* Trj_Mitglieder.TI
* Trj_Lineage.IFH
* Trj_Lineage.IFG
* Trj_Lineage.IFF
* Trj_Lineage.IFE
* Trj_Lineage.IFC
* Trj_Lineage.IFB
* Trj_Lineage.IEY
* Trj_Lineage.IEW
* Trj_Lineage.IEU
* Trj_Lineage.IEM
* Trj_Lineage.IDV
* Trj_Lineage.IDE
* Trj_Lineage.ICA
* Trj_Lineage.IAN
* Trj_Lineage.IAL
* Trj_Lineage.HTK
* Trj_Lineage.HNA
* Trj_Hosts.V
* Trj_Hosts.U
* Trj_Gamania.GS
* Trj_FireByPass.BP
* Trj_Exchanger.D
* Trj_Downloader.TME
* Trj_Downloader.TLU
* Trj_Downloader.TLL
* Trj_Downloader.TJR
* Trj_Downloader.TJF
* Trj_Downloader.TJE
* Trj_Downloader.TJA
* Trj_Downloader.TIL
* Trj_Downloader.TIK
* Trj_Downloader.THZ
* Trj_Downloader.THI
* Trj_Downloader.TEG
* Trj_Downloader.TDA
* Trj_Downloader.TCQ
* Trj_Downloader.TAU
* Trj_dmRandom.UB
* Trj_Dadobra.AOR
* Trj_Busky.DE
* Trj_BHO.AT
* Trj_Banker.KXI
* Trj_Banker.KWX
* Trj_Banker.KWV
* Trj_Banker.KWR
* Trj_Banker.KTU
* Trj_Banbra.FQI
* Trj_Banbra.FQB
* Trj_Banbra.FON
* Trj_Autorun.TS
* Trj_Autorun.JN
* Trj_Agent.IPR
* Trj_Agent.IPI
* Trj_Agent.IOH
* Trj_Agent.IOD
* Trj_Agent.IOB
* Spyware_Virtumonde
* Generic Malware
* Bck_Sdbot.LUN
* Bck_SDBot.LUF
* Bck_SDBot.LTW
* Bck_Sdbot.LTR
* Bck_PoisonIvy.U
* Bck_Oderoor.Q
* Bck_Oderoor.P
* Bck_LanMan.CN
* Bck_IRCBot.BYY
* Bck_IRCBot.BYO
* Bck_IRCBot.BYI
* Bck_IRCBot.BYH
* Bck_IRCBot.BXW
* Bck_IRCBot.BXU
* Bck_IrcBot.BXT
* Bck_IRCBot.BXL
* Bck_Hupigon.LAB
* Bck_Agent.IPD
* Bck_Agent.IOG
* Application_VirusHeat
* Application_SpyShredder
* Application_PCCleaner
* Adware_Zenosearch
* Adware_XXXHoliday
* Adware_WinSecureDisc
* Adware_WinReanimator
* Adware_WinIFixer
* Adware_WebHancer
* Adware_VirusIsolator
* Adware_VirusHeat
* Adware_VideoPorn
* Adware_VideoKeyCodec
* Adware_VapSup
* Adware_TopSpyware
* Adware_SpywareSoftStop
* Adware_SpyAway
* Adware_SecuritySystem
* Adware_SecurityError
* Adware_SearchVideo
* Adware_PCCleaner
* Adware_MalwareAlarm
* Adware_Lop
* Adware_ChristmasPorn
* Adware_BaiduBar
* Adware_AntiSpywareReview
* Adware_Alexa


New Self-Replicating Virus & Worms

Even though some security experts out there maintain that 'viruses are a thing of the past', the fact is that almost 20% of the new malware we see every month is self-replicating viruses and worms. This figure is not as high as it used to be years ago, but it goes to show that viruses are definitely not dead.

As with previous months, worms spreading through Instant Messaging, such as W32/MSN.worm and W32/MSNWorm, lead the list, propagating via vulnerabilities and sending links to copies of themselves to all IM contacts.

The prevalence, especially in corporate networks, of the particularly nasty W32/Virutas is probably due to its effectiveness as a cavity, polymorphic, entry-point-obscuring and memory-resident file infector.

The remainder of the list is mostly made up of spam-spewing bots and game password stealers for World of Warcraft and Lineage.

As above, the following table details the new self-replicating viruses and worms found in-the-wild with an indication of their prevalence (* for low and ***** for massive distribution).

Prevalence	Name
*** W32_MSN.J.worm
*** W32_Lineage.HXI.worm
** W32_Nuwar.SS.worm
** W32_MSNWorm.EJ.worm
** W32_Lineage.IFX.worm
** W32_Lineage.IEN
** W32_Lineage.ICM.worm
** W32_Lineage.IBW.worm
** W32_Lineage.HZE.worm
** W32_Bagle.SR.worm
* W32_Wow.SI.worm
* W32_Virutas.AB
* W32_VBS.H.worm
* W32_VanBot.AE.worm
* W32_UsbStorm.K.worm
* W32_Thanks.B.worm
* W32_SundMan.A.worm
* W32_Spamta.AGD.worm
* W32_Sohanat.EX.worm
* W32_Sohanat.AS.worm
* W32_Socks.C.worm
* W32_Socks.B.worm
* W32_SDBot.LUI.worm
* W32_Sdbot.LUB.worm
* W32_SdBot.LTV.worm
* W32_Sdbot.LTT.worm
* W32_Sality.AA
* W32_QQRob.OS
* W32_Oscarbot.TK.worm
* W32_Nuwar.TC.worm
* W32_Nuwar.SV.worm
* W32_Nuwar.SR.worm
* W32_MSNworm.EK.worm
* W32_MSNworm.EI.worm
* W32_Mabezat.C
* W32_Lineage.IFI.worm
* W32_Lineage.IEZ.worm
* W32_Lineage.IEN.worm
* W32_Lineage.IEG.worm
* W32_Lineage.IDS
* W32_Lineage.IDR.worm
* W32_Lineage.IDI.worm
* W32_Lineage.ICT.worm
* W32_Lineage.ICO.worm
* W32_Lineage.ICL.worm
* W32_Lineage.ICJ.worm
* W32_Lineage.ICB
* W32_Lineage.IBZ.worm
* W32_Lineage.IBX.worm
* W32_IRCBot.BYQ.worm
* W32_IRCBot.BYL.worm
* W32_IRCBot.BYC.worm
* W32_IRCBot.BYB.worm
* W32_IRCBot.BYA.worm
* W32_Gaobot.QGN.worm
* W32_DengDun.A.worm
* W32_Brontok.JL.worm
* W32_Bagle.SN.worm
* W32_Autorun.TU.worm
* W32_Autorun.TK.worm
* W32_Agent.INI.worm
* W32_Agent.ILD.worm
* VBS_Sasan.A.worm


By Runtime Packers & Obfuscators

I've blogged quite a bit on previous occasions about the use of packers and obfuscators, especially in money-driven Trojans, in order to avoid detection by AV signatures and emulator-driven heuristics.

One of the latest key trends to watch out for is the rapidly increasing use of 'private' purpose-made packers and multi-layered packers. Also especially worrying is the ever-increasing use of "virtualization obfuscators" such as EXECryptor and Themida. Our colleague from Sophos Boris Lau gave a very good speech last week at the CARO Workshop about promising strategies for dealing with these.

Packer	Samples
UPX	581
Upack	302
'Private'	150
FSG	101
PECompact	94
AS-Pack	88
EXECryptor	62
Themida	53
Multi-layer	38
Nspack	38
ASProtect	37
nPack	22
Adware_Lop	17
RLPack	16
PKLite32	14
tElock	14
UPolyX	13
Wsnpoem	11
Armadillo	8
MEW 11 SE	7
Thinstall	7
Expressor	6
Cexe	4
PolyCryptA	4
PUSH/RET	4
PE Crypt	3
Virtumonde	3
YodaProtect	3
DalKrypt	2
Molebox	2
PESpin	2
Petite	2
CryptFF.b	1
NiceProtect	1
DragonArmor	1
EPProt	1
Exe32pack	1
Kkrunchy	1
MaskPE	1
Morphine	1
NTKrnl	1
PCShrink	1
PEncrypt	1
PEP	1
RCryptor	1
RPCrypt	1
SDProtect	1
SimplePack	1
UltraProtect	1
WWPack32	1
yzpack	1

Categories: behavior analysis, Stats

Packer (r)evolution

March 19th, 2008 8 comments

We know for sure that cyber-criminals use private tools to check AV detection prior to releasing new malware in the wild, making sure it goes undetected by AV signatures at the time of release. As AV companies identify new packers and are able to inspect inside them (or simply identify the malicious packer itself), the bad guys are releasing those which are not detected by most AV.


This has transformed the packer world significantly. The "big name packers" are decreasingly being used by malware. By contrast, new packer types are surging which have two main characteristics: (a) they are not widely used, in order to stay below the radar, and (b) they use obfuscation or anti-debugging techniques.


What we're seeing is that:

  • Increasingly, malware families use their own 'customized' or ‘private’ packers, which are not recognized by most AV engines.
  • There's a large variety of packers, each with its own little variations, being used by a reduced number of malware variants.


The strategy these criminals are following is to quickly develop customized variants of packers and use them in very few samples. By the time the AV companies identify the samples and add the unpacking routine to their engines, they already have a new batch of packing variations in store which is being applied to the next batch of samples.


As an exercise we’ve analyzed all the samples Panda has seen in-the-wild (actively infecting two or more different sites) from August 2007 to March 2008 and looked at the ‘big name packers’ used by these:


It’s interesting to see how the ‘big name packers’ such as UPX, PECompact, Themida, PEtite and NSPack are dropping in use, while smaller packers such as nPack, PolyEnE and EXECryptor have increased in a significant way.


But what’s most interesting is what is not seen in the above summary chart, and that is the ‘customized’ or ‘private’ packers. We know for a fact that approximately 90% of malware uses some sort of packing or obfuscation technique, yet the proportion of private, non ‘big name packers’ is increasing rapidly.

Could this be the start of the long-tail of packers?

But when we try to analyze the true reasons behind this evolution in packer use, that’s when it starts getting really interesting. Other than the obvious reason, which is that bad guys are trying to make our jobs harder at the lab, how come they started creating customized and private packer versions on a very regular basis?

As this is a cat and mouse game, the mice’s next move is directly determined by the cat’s strategy for catching the mice. If we apply this example to the packer/malware world, there are two main events in the AV industry which I believe have driven malware authors to go into ‘packer-craze’:

  1. The addition of many unpacking routines in AV engines as new packers emerged.
  2. Starting to detect malware based on its packing properties without unpacking it (multi-packed files, packers used exclusively for malicious purposes, etc.).

Now I’m not saying the above actions are wrong. They were necessary at the time in order to correctly protect customers and continue being necessary today if we want to keep the pace.


I remember a conversation with my colleague Mark from Symantec last year where we talked about precisely this issue. If we start detecting all packers proactively, what will the bad guys do next? I guess we’re about to see, as the packer problem has completely blown out of proportion.

Categories: behavior analysis, Packers

Think you’re protected? Think again

October 17th, 2007 1 comment

For many years the security industry has been saying that in order to be correctly protected, users should have an anti-malware and firewall solution installed and up-to-date with the latest signatures at all times. However, malware today is really specialized in bypassing signature and heuristic detection and effectively infecting users. We all know that users with outdated signature databases are at risk. But how about users with the latest and completely up-to-date signature files? How protected or unprotected are they?

We have conducted two studies in consumer PCs and corporate networks, auditing over 1.5 million PCs and 1,200 networks respectively. We audited computers protected by over 40 different security vendors to see if they were at risk even if they were protected by the products' latest and up-to-date signature database.

Of the 1.5 million home PCs, only 37.45% were correctly protected with an active anti-malware solution with the latest signature database. Of these protected PCs, 22.97% still had active malware infections. One could argue that the sample selection is biased as people who scan their PCs are suspicious that something is wrong. But even taking this important fact into consideration, the results we found still indicate that a significant portion of PCs with correctly installed up-to-date protection are infected by malware.

In the corporate study a total of 1,206 companies' networks were audited. These networks were protected by a variety of different security vendors, and in 69.34% of the cases they were correctly protected (active resident driver with the latest signature database). However, out of the companies with more than 100 workstations audited, we found malware actively infecting computers in 71.79% of the networks.

Almost half of the infections were due to Trojans, Rootkits, Downloaders, Spyware, Bots and Banking Trojans. There is also a large portion of Adware infections, as it is usual to see Trojanized or Botted machines also host Adware or Rogue Anti-spyware. We believe this has a lot to do with how malware writers make money with pay-per-installs of unwanted programs on compromised machines.

We used a very restrictive definition of infection for the purposes of these studies. Only malware actively running in memory was considered an infection. Latent malware, i.e. malware quietly stored in a .PST file or hard disk directory, tracking cookies and jokes were not considered infections.

The objective of this study is to show that anti-malware, and even complete HIPS solutions, are not enough to protect against today's threats. New approaches to proactive protection such as runtime behavioral analysis and telemetry from the community are absolutely necessary layers in order to protect customers more effectively and efficiently.

The complete study can be downloaded from here.

Categories: behavior analysis, Malware, Stats

Mal(ware)formation statistics

May 28th, 2007 7 comments

While catching up on an old but excellent post by Jason Geffner on reconstructing import tables, I remembered that I've been wanting to study the real impact of packers on the latest malware received at our labs. Many of us AV companies are now more proactively detecting packers as malicious. Although this issue was discussed at length at the International Antivirus Testing Workshop 2007 in Iceland earlier this month, no real conclusion was reached, as there is still a major unknown: the use of packers in goodware and the negative impact on false positives this approach might have.

When it comes to the use of packers in malware, here are some stats on the new unique sample submissions we received during the last month (samples seen in previous months were discarded for the study). Using PEiD with a customized database of packing signatures (available here), a purpose-built emulator and some generic unpacking routines, we found that 79% of new malware is using some type of packing technique or other.

For the study I've grouped together different versions and modified routines of packers, as it's common for malware writers to slightly modify known packing algorithms to evade detection. So, for example, all different versions of UPX plus all modified (or private) UPX routines are grouped under the common "UPX" term. The same applies to the rest of the detected routines.

For those interested in the detailed data-set you can find it here.
Categories: behavior analysis, Packers, Stats