Prevx Blog
Over the last few weeks Prevx has been in the news for throwing the spotlight on a new Trojan called "Limbo 2". This Trojan, being very sophisticated in its operation, drew a lot of interest from the media because of the author's guarantee that it will remain undetected by the large antivirus companies, as each and every version is personally customized and therefore unique. This Trojan is a perfect example of a point we have made here at Prevx since launch: malware has firmly moved on from simply being a nuisance to being a professionally run industry, focused on providing the best possible product with a high ROI.
However, this is something that many fail to acknowledge. The Trojan is designed for maximum effect, stealing personal details to make its owner cold hard cash, as opposed to being an exercise in gaining kudos when it infects its millionth victim. Yet, despite this marked professionalism on the part of the malware writer, it seems that many in the industry would rather bury their heads in the sand, this post by McAfee being a case in point.
I particularly like this comment:
"Limbo 2 does no such thing. It’s a simple PWS-Banker Trojan as far as security software is concerned." -- Alyssa Myers, Avertlabs
I doubt consumers out there will think the same once their machines have been infected with this Trojan, or any similar Trojan, while protected by McAfee's Internet Security Suite, which in spite of its claims doesn't protect against Limbo 2. Below we see the key features of McAfee Internet Security Suite. Of course, if McAfee say it's a "simple PWS-Banker" it should detect it without issue, right? Hmm. Wrong.
10-in-1 Prevention and Protection
• Safe Search, Safe Surf. McAfee® SiteAdvisor™ adds ratings to websites to help you avoid online dangers.
• Home License Subscription Service. Automatically delivers the latest software features and threat updates and lets you easily manage security subscriptions for all your PCs.
• Stops Viruses. Blocks and removes viruses and even stops them before they even get to your PC.
• Stops Hackers. Protects and conceals your computer from hackers.
• Blocks Spyware. Blocks spyware before it installs on your computer and removes existing spyware.
• Improves PC Health. Cleans clutter off your computer so it stays healthy and secure.
• Secures Your Identity. Guards your identity from online fraud scams and identity thieves.
• Prevents Spam & Email Scams. Shields you from junk email.
• Protects Children Online. Filters offensive content, pictures, and websites.
• Backs Up & Restores Files. Automated back-up and one-click restore to protect your photos, music and important files.
Funny, I thought the "Blocks Spyware" claim above sort of implies it should stop Limbo 2 before it even installs. Hmmm, a bit of a disagreement between Alyssa and McAfee's marketing blurb here.
The reality is, Limbo 2 is just another in a long line of powerful malware technologies that walk right through the top security products as if they weren't there. And because these products don't detect infections like Limbo 2, users think they are completely safe and expose more and more of their information.
It is time for the major security vendors to come clean. In McAfee’s case maybe the marketing guys should get a view on how their products work and what they are meant to stop.
There is a lot of blind consumer faith in the large vendors, most people feeling comforted by the power of a big brand. Simply saying "if it's out there we will find it" will make most people reach for the well-known red or yellow box when their renewal period next comes around. However, highly advanced low-level Trojans like these, which cost thousands of dollars each, simply won't be spammed out to 10 million people a day and will therefore continue to remain below the radar. Is something which has only infected 50-100 people and is continually changing ever going to be important enough to warrant a signature update? It's a numbers game, right?
As long as the current product is making money, looks nice and doesn't crash their computer, consumers will continue using it with a warm and secure glow, unaware that somewhere in Eastern Europe their bank details are being hawked on an illegal forum for 10% of the account balance. It seems to me that the large AV companies could learn a lot from watching how their adversaries operate, because at least their product comes with some kind of guarantee.
/Rant over
Some days ago online media reported some scant news about a new piece of malware that could infect multimedia files, without giving any technical details. Let's look at it in more detail.
This malware, which some security companies have decided to detect as a worm while in my opinion it should be detected as a trojan, has been named Trojan.GetCodec.A and makes use of a singular infection technique.
Once executed, this trojan enumerates all files on the system looking for those with .MP2, .MP3, .WMA, .WMV or .ASF extensions. If a matching file is found, the malware checks whether it is already infected by analyzing its ASF header for a specific script.

Windows Media uses the Advanced Systems Format (ASF) as its multimedia container. In plain words, it is a special format that can contain audio and video streams together with other information such as executable scripts or metadata. All this information is then processed by Windows Media Player.
This trojan alters the header of an .ASF file (.WMA and .WMV files are already encoded in the .ASF format) by adding a special script that makes Windows Media Player connect to a specific website and download another piece of malware disguised as a fake codec needed to play the multimedia file.
If the trojan finds a file with the .MP3 or .MP2 extension, it converts it to the .ASF format. After converting the target multimedia file, leaving the file name and extension as they were, the downloader script is added to the header of the newly created .ASF file.
The script added by the trojan uses the URLANDEXIT command to make Windows Media Player connect to a website and download the fake codec. Microsoft allows this command to be disabled by setting the value URLAndExitCommandsEnabled to 0 (it is 1 by default) under:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MediaPlayer\Preferences.
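The infection marker described above is a script command object inside the ASF header. The following is an added example, not code from the original post or from Prevx: a small Python scanner that walks the ASF Header Object, decodes any Script Command Object it finds and flags the URLANDEXIT command type. It inspects files by content rather than extension, since converted files keep their .mp3 name. The object layout follows the ASF specification; the sample header and the example.invalid URL are constructed test data, not real indicators.

```python
import struct
import uuid

# GUIDs from the ASF specification (stored on disk in little-endian layout).
ASF_HEADER_GUID = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
SCRIPT_COMMAND_GUID = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")
SCRIPT_COMMAND_RESERVED = uuid.UUID("4B1ACBE3-100B-11D0-A39B-00A0C90348F6")

# The command type the trojan relies on to make the player open a URL.
URL_COMMAND_TYPES = {"URLANDEXIT"}


def _guid(data, off):
    return uuid.UUID(bytes_le=bytes(data[off:off + 16]))


def _wstr(data, off, nchars):
    # ASF strings are UTF-16LE; lengths are given in WCHARs.
    return data[off:off + 2 * nchars].decode("utf-16-le", "replace").rstrip("\x00")


def _parse_script_object(body):
    """Decode one Script Command Object body into (command type, command name) pairs."""
    ncmds, ntypes = struct.unpack_from("<HH", body, 16)   # fields after the reserved GUID
    off = 20
    types = []
    for _ in range(ntypes):
        n = struct.unpack_from("<H", body, off)[0]
        types.append(_wstr(body, off + 2, n))
        off += 2 + 2 * n
    cmds = []
    for _ in range(ncmds):
        _presentation_ms, type_idx, n = struct.unpack_from("<IHH", body, off)
        name = _wstr(body, off + 8, n)
        cmds.append((types[type_idx] if type_idx < len(types) else "?", name))
        off += 8 + 2 * n
    return cmds


def script_commands(asf):
    """Return all script commands found in the ASF Header Object of `asf` (bytes).
    Raises ValueError when the data does not start with an ASF header."""
    if len(asf) < 30 or _guid(asf, 0) != ASF_HEADER_GUID:
        raise ValueError("not an ASF file")
    header_size, count = struct.unpack_from("<QI", asf, 16)
    off, found = 30, []
    for _ in range(count):
        if off + 24 > min(header_size, len(asf)):
            break                                    # truncated header
        obj_guid = _guid(asf, off)
        obj_size = struct.unpack_from("<Q", asf, off + 16)[0]
        if obj_size < 24:
            break                                    # malformed object
        if obj_guid == SCRIPT_COMMAND_GUID:
            found.extend(_parse_script_object(asf[off + 24:off + obj_size]))
        off += obj_size
    return found


def is_suspicious(asf):
    """True if any script command would make Windows Media Player open a URL."""
    return any(t.upper() in URL_COMMAND_TYPES for t, _ in script_commands(asf))


def scan_file(path):
    """Inspect a media file by content, not extension: the trojan keeps the .mp3
    name on files it converted to ASF. Non-ASF files (a genuine MP3) yield []."""
    with open(path, "rb") as f:
        data = f.read()
    try:
        return script_commands(data)
    except ValueError:
        return []


def _wbytes(s):
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_sample(command_type, command_name):
    """Construct a minimal ASF header carrying one script command (test data only)."""
    body = SCRIPT_COMMAND_RESERVED.bytes_le + struct.pack("<HH", 1, 1)
    body += _wbytes(command_type)
    body += struct.pack("<IH", 0, 0) + _wbytes(command_name)
    obj = SCRIPT_COMMAND_GUID.bytes_le + struct.pack("<Q", 24 + len(body)) + body
    return ASF_HEADER_GUID.bytes_le + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj


if __name__ == "__main__":
    # Constructed sample with a placeholder URL, not a real indicator.
    sample = build_sample("URLANDEXIT", "http://example.invalid/fake-codec")
    print(script_commands(sample), is_suspicious(sample))
```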

This infection technique is quite interesting if you think about peer-to-peer networks. Millions of MP3 files are shared every day and millions of users use Windows Media Player to listen to music. This trojan could potentially start a new trend of infections that attack multimedia files. Until now audio and video files have been relatively harmless, except for malformed files that exploit some player bug, or fake .ASF files that contain only a link to a malware website without any audio stream inside.
Anyway, a mass infection like the one this trojan carries out could potentially start a widespread and dangerous new trend.

At present, user interaction is needed to get the fake codec fully working, but no one can rule out something worse in the near future.
Recently, some articles have been published after the Hack in the Box Security Conference 2008 presentations were revealed. One of the most interesting topics at the conference will be the presentation given by Kris Kaspersky.
Kaspersky (who has nothing to do with Kaspersky Labs) will be presenting his research and proofs of concept on how to exploit Intel CPU bugs to mount an attack regardless of the operating system or of whether the installed applications are all up to date.
As Kris Kaspersky has written in his abstract, Intel CPUs have exploitable bugs. When CPUs come out of the development cycle some bugs can of course exist; some have been fixed, some have not.
Now, Kaspersky has stated that he could subvert the operating system, regardless of all the security countermeasures installed, by driving applications to execute specific sequences of Intel CPU instructions.
Reading some international boards, I've seen a lot of users quite worried about this presentation and what its consequences will be.
I don't want to minimize the problem, but let me at least write down some thoughts of mine.
Everyone is worried about what Kris will release to the public, and I can understand this. But every year, at every security conference, there are really interesting presentations and a lot of experienced people talking about theoretically serious threats. This doesn't necessarily mean that a published PoC will become a serious threat in the wild. Many of these PoCs require high levels of skill (which most malware authors do not have) to actually make them work in other contexts.
And, I feel sorry to say this, but being in the security industry my thoughts are: do malware writers really need to develop highly complex stuff to get millions of PCs infected? The answer is most likely no.
There are a massive number of PCs infected by very simple malware, and many of these infections are caused by users being socially engineered into downloading a file or clicking on a link, hardly the "highly complex" spreading or infection mechanisms some of these PoCs use.
Has anyone heard about the Shadow Walker rootkit? It was a really interesting presentation given by Sherri Sparks and Jamie Butler at the Black Hat Conference 2005 in Japan. It was a really cool rootkit in theory.
Who hasn't heard about the BluePill project developed by Joanna Rutkowska and Alexander Tereshkin? A new concept of rootkit, basically undetectable (let's not get into the "how to detect BluePill" dispute). A cool project in theory, even with sources available online.
Why haven't we seen any of these PoCs applied to ITW threats? Because they need a lot of effort and highly skilled people to develop, and at this moment malware writers have understood that it's far easier to infect millions of PCs. It's the user's fault; maybe it's our fault too. The truth is that there's still a lot of work for malware writers on the user layer (no, not the user-mode layer, the human layer) and on the OS layer; I don't think they'll move far from there.
All this basically to say: yes, Kris Kaspersky's presentation will be interesting and everyone, from both the security industry and the dark side, will listen to it carefully. But don't make the mistake of worrying about something that could potentially become a threat while failing to realize that there are, at present, other serious threats left free to do their dirty job.
Daily analysis of security breach data highlights strengths and weaknesses of top brand PC security products - a real World measure of comparative antivirus protection
Posted by: Mel Morris
Never mind what your antivirus can stop, it's what it can't stop that matters
Yesterday we launched a series of new, freely available daily charts showing the breakdown of malware we detected the previous day on PCs running top-brand antivirus and PC security products. The charts are updated around midnight GMT every day, allowing you to track the performance of your specific brand of security products versus their competitors. The charts highlight some very interesting and surprising strengths and weaknesses between various brands.
To access the Antivirus Performance charts, either visit our home page and click any of the vendor names, or for information about malware detected on PCs running specific brand products you can use the following links to go straight to that vendor's chart:
Antivirus Breaches Yesterday By Antivirus / PC Security Vendor
As interest in real-world metrics about antivirus and end-point security product performance grows, we will add more detailed analyses and trend charts too.
Draw your own conclusions
I'll leave you to draw your own conclusions from the data, but can you spot the two vendors with the weakest protection against rootkits? Or the three vendors with the weakest detection of Targeted Information Stealing trojans? Or how much safer you would be if it was easy to run the two top performing Security products on the same PC?
Knowing your Antivirus, PC or end-point security weak spots seems kind of fundamental.
Thoughts?
Last Friday the website of a popular charity in the US was hacked. You might say "whoa Jacques, that's amazing, and your point is?". Well, let me explain why I think this is more relevant than many other simple intrusions. I'll try to set it out using examples of data that I have obtained, and make some assumptions. If you agree with them, that's great; if not, let's discuss!
The website in question is Tricolumbia.org.
A quick briefing about what tricolumbia is all about:
"The Columbia Triathlon Association (CTA) is a 501c-3 non-profit organization based in Columbia, Maryland and incorporated in 1988. The organization plays an active role in Columbia and its environs and actively supports several local charities."
All in all it seems like a good cause worth supporting. Of course, criminals have realized that there might be juicy rewards hidden on the servers of tricolumbia. On Friday of last week a hacker calling himself cyb3r d3m0n managed to compromise their security and gather some useful information.
This information was made available to the underground and circulated via some of the forums to anyone who had good enough contacts to gather it.
I managed to get a copy of this database and did some analysis on it. It only occurred to me yesterday that there might be more interesting information in this database than what I first thought.
My train of thought was as follows:
Maryland... When I think of Maryland, and that part of the US, I think Government.
So I imported a couple of thousand records from the database and looked at them.
I managed to find fully qualified address details, and all relevant contact information, for 54 government employees, ranging from the SEC, Pentagon, DHS, USDOJ and a few others that would make people think "Hmm, that's interesting".
Now, this is interesting on its own; however, there is more. In this database there is an encrypted field called "site Password". We all know that it's very easy to crack these methods of encryption, so my thoughts were the following.
A database with nearly 9000 records... How many of these 9000 people use the same password for everything they do online? 1, 50, 100, 1000? I don't know, but I think there would be more than just one.
So after looking at all this data, my conclusions are the following.
a) Targeting non-profits FOR profit will become a new trend. Potentially useful information can be obtained from hacking these websites to aid further crime such as spear phishing (targeted phishing email where they have your name, address, telephone number, etc.), PayPal account compromises and ID fraud (yes, there is enough information in this database to be able to hijack an identity).
Reasons: non-profits do not have large IT security budgets, making them soft targets.
b) People use the same password for many things online, thus making a database like this a viable target for getting access to people's passwords, say for PayPal!
c) In this specific case, more than 50 government employees' data was at risk. In theory a determined attacker could use this information to gain further access into these employees' employers' systems using the data at their disposal.
Below is a list, with some data obfuscated, of the various .gov email domains found, to give you an idea of what was at risk.
- annapolis.gov
- ars.usda.gov
- bop.gov
- cap-police.senate.gov
- cbo.gov
- central.unicor.gov
- dc.gov
- do.treas.gov
- epa.gov
- fcc.gov
- fda.hhs.gov
- fdic.gov
- fhwa.dot.gov
- fws.gov
- gpo.gov
- howardcountymd.gov
- mail.house.gov
- mail.nih.gov
- nasa.gov
- ncua.gov
- niaid.nih.gov
- nidcd.nih.gov
- nih.gov
- nist.gov
- nnsa.doe.gov
- nps.gov
- psc.gov
- sec.gov
- ssci.senate.gov
- usdoj.gov
- usg.gov
- usss.dhs.gov
Which one do you think is the most viable and high value target? Hard to decide.
If you are reading this and are a member of tricolumbia.org my best recommendation is to get in contact with your relevant credit reporting agency to take the necessary steps to prevent Identity fraud. Also I'd suggest changing all your passwords.
Infected PCs: Just a bad day at the office, identity theft, or 5 years in prison for a crime you didn't commit!
Posted by: Chris Morris
How serious do you think an infected PC is?
I wanted to draw attention to the recent plight of Michael Fiola, who could easily have served 5 years in prison for a crime committed not by him but by a Trojan that had infected his PC. Mr Fiola is your typical PC user according to comments by his wife, but a while ago he was given a replacement PC by his employers. That PC happened to be infected with a Trojan. Over the next few weeks the Trojan set about visiting child pornography web sites and downloading the type of content that is almost universally condemned. You can read more of the detail here, but the short of it is that Mr Fiola lost his job and all of his friends, and ended up one decision away from prison. Fortunately, his wife stood by him and computer experts were able to prove that he would have had no knowledge of the child pornography content and that the Trojan (or its authors) were the true criminals.
My point is that here is another horrifying real-life example of why malicious software is something that should not be treated lightly. It can steal your information and money, and even implicate you in all sorts of serious criminal activities, as Mr Fiola found. But every day we find people's attitude to malicious software quite surprising; it is viewed by many as a bit like catching a cold.
Trojans with the characteristics of the one that infected Mr Fiola's PC are sadly becoming commonplace. There is also a disturbing trend towards bundling more and more infections into a single attack, or for one or more infections to act as a distribution network for many other previously unrelated infections. This means that two people who think they have a similar infection might find a totally different mix of secondary infections on their PCs.
On a lighter note, we see about 5,000 new PC users every day who find serious infections on their PC with Prevx CSI. You'd think they'd want to fix their PC pretty quickly, and most do. But about 2,000 users will spend 2 or 3 days searching for free license keys to avoid having to pay for a security product that will fix the problem. Ironically, while searching for the free key they are often invited or drawn to the very web sites where they are most likely to pick up further infections.
Some rudimentary analysis of this issue produced some worrying facts. It highlighted that more than 80% of web sites openly promoting free and often fraudulent license keys for security products from the top ten vendors were in fact distribution outlets for a wide range of malware. Often the file that was supposed to contain the free license key(s) was actually a dropper for pretty nasty malware. Not what the bargain hunters expected!
Below is a list of BOGUS Prevx CSI license keys recently advertised on the Web. Obviously, none of these keys work, but they look authentic. If you google any of them you will find the sort of web sites trying to lure people in need of security with the supposed free use of one or more Prevx products, but delivering anything but.
A group of phishers have made their scam pages available to be used by the masses. A message posted on one of the underground forums, consisting mainly of trojan writers, spammers, fraudsters and generally pleasant people, encouraged more people to start phishing for logins. These scams are available to download, and are well put together and tested.
These sites are all premade, containing all the relevant backends and server-side code to make them work. All you'd need to start profiting from this is the ability to execute the included create scripts to build the database schema, a few email addresses (maybe 10-20 million?) and a bit of patience.
Speaking of email addresses, you might think it would be hard to find a couple of hundred million addresses. Well, it's not. You can buy them from your friendly email address vendor on a specific underground forum for a few hundred bucks.
Some examples of the premade scams available to download (screenshots in the original post):
Index of what's available
A MySpace login phish
A WoW login phish
I didn't forget to show the entry posted by a member of the forum touting his wares (screenshot in the original post). He is selling hacked email databases from the following websites; the number next to each name is how many registered users' email addresses he is selling.
This will take a big botnet a day or two to send out.
He is also selling Paycom email addresses (screenshot in the original post). Look at how many there are for each country; you can certainly do some nice spear phishing with those!
Yesterday we detected a remote SQL injection attack on a UK Home Office crime reduction website. Fraudsters used the exploit to host an Italian phishing website. The aim of this attack was to trick clients of a well known Italian bank into handing over their Internet login credentials.
Daily, we are seeing more and more phishing attacks. We advise internet users, and online banking users in particular, never to enter their credentials into any website they were taken to by an email or instant messenger link. Always check that the website address is what you would expect (i.e. www.prevxxx.com and www.prevx.234234.com are not the same as www.prevx.com; this looks obvious, but you wouldn't believe how many people fall for it). Also, you should always check for https (and the certificate information) when entering confidential information.
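The address check described above can be made mechanical. This is an added example, not code from the original post or from Prevx: a Python function that accepts a link only if it uses https and its host is prevx.com or a subdomain of it, rejecting the two look-alikes the post names plus the "expected-name-as-a-prefix" and "expected-name-as-userinfo" variants. The sample URLs are constructed; certificate checking is left to the browser and is not part of this snippet.

```python
from urllib.parse import urlsplit

# The site the post uses as its example.
EXPECTED_DOMAIN = "prevx.com"


def check_link(url, expected_domain=EXPECTED_DOMAIN):
    """Return (ok, reason). ok is True only when the link uses https and its host
    is expected_domain itself or a subdomain of it. Only the address is checked;
    certificate validation is a separate step performed by the browser."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not an https link"
    host = parts.hostname          # lower-cased; userinfo ("name@") and port removed
    if not host:
        return False, "no host name"
    if not host.isascii():
        return False, "host contains non-ASCII characters (possible look-alike letters)"
    host = host.rstrip(".")
    if host == expected_domain or host.endswith("." + expected_domain):
        return True, "host is under " + expected_domain
    return False, "host %s is not under %s" % (host, expected_domain)


# Constructed examples, including the two look-alikes from the post.
SAMPLES = [
    "https://www.prevx.com/login",              # genuine
    "http://www.prevx.com/login",               # right host, no https
    "https://www.prevxxx.com/login",            # typo-squat from the post
    "https://www.prevx.234234.com/login",       # subdomain trick from the post
    "https://www.prevx.com.example.net/login",  # expected name used as a prefix
    "https://www.prevx.com@example.net/login",  # expected name hidden in userinfo
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, check_link(u))
```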
To read more about the attack please visit The Register who reported the story.
CISOs and Security Breach Management - The Challenges of Failing End-Point Security!
Posted by: Mel Morris
CISOs are being tasked to implement improved procedures surrounding breaches in end-point security. I am sure this comes as no surprise, but it does point to a growing acceptance that end-point security is struggling to keep companies and their data safe.
I'd like to ask how CISOs are expected to know if and when a breach in end-point security has occurred. There are three scenarios to consider. The first and most common scenario is that an antivirus scan detects an infection, probably as a result of a signature update allowing it to detect a prior breach. The second is where a user or support team member discovers a breach that was undetected by the end-point product set. The third is that a breach has occurred but has yet to be discovered.
However a breach is discovered, it is virtually impossible to discern when most breaches actually happened. This leaves CISOs exposed. Without knowing when the breach occurred it is impossible to accurately assess the exposure to, and potential for, data leakage. There is a massive difference between a keylogger that has been active for a day and one that has been active for months.
This brings us to the crux of my thoughts on this. Surely we need to be checking for breaches continuously. Frequent monitoring for end-point security breaches allows us to find more breaches, reduce the window of exposure to malware and more accurately assess when the breach occurred. As end-point security is focused on preventing breaches, it is a contradiction to expect the same product to monitor itself for breaches. Sure, signature updates will allow end-point products to detect some prior breaches, but this is quite hit and miss. Then there are further practical issues like the convenience and performance impact of performing ever more frequent antivirus scans.
There is a good article from Forrester Research that sheds some other interesting angles on Security Breach Measurement and Management.
CISOs looking for tools that can monitor, identify and fix breaches in end-point security should also take a look at Prevx CSI-Enterprise; this is exactly what it was designed to do.
Prevx CSI-Enterprise Free Trial Edition - Audits, Monitors, Alerts and Fixes breaches in PC Antivirus and end-point security
Posted by: David Kennerley
OK, it might have taken some time for people to acknowledge Prevx CSI's capabilities. But on a day-to-day basis it is being used by thousands of people looking to find and fix infections that had been missed by their existing PC security. In the last few months we have also seen a growing trend of Prevx CSI being downloaded and run by major corporations who promptly come back to buy clean-up licenses. What is amazing are the types of infections we are seeing that are bypassing top-name corporate antivirus and end-point security products. These include the usual suspects, but we are also seeing a significant number of rootkits such as MBR and Rustock, as well as blended infections where rootkit components have clearly been dropped by more commonplace infections such as Lop and ZLOB.
I think businesses will be excited to hear about Prevx CSI-Enterprise; it is a really neat product that will let businesses of any size quickly check for malware that has bypassed their existing security. We all know that no one product can detect 100%, or even close. But CSI-Enterprise lets you get the benefits of a second opinion. We may not catch every single infection either, but we do catch more than most and, more importantly, we tend to fare even better at catching malware early in its lifetime.
I wanted to let you all know that we are offering a free trial license of Prevx CSI-Enterprise so you can see for yourself the real benefits of a second opinion. The trial program gives you access to the full-function product, including cleanup. It is really simple to install. During its beta trials many testers installed it and ran it on hundreds of end-points in a few minutes. One beta tester has suggested that CSI-Enterprise would be great for implementing Service Level Agreements with existing security vendors based on stats like breaches/infections per quarter. It's also got plenty of really neat features:
Centrally controlled
Neat reporting console
Runs alongside any other end-point security apps
Single touch point to our threat database
Scheduled scan and remediation capabilities
Centralised whitelisting and blacklisting overrides
SMS Phone or email alerts on finding new malware
And it's really fast, consuming end-point resources only while the scan is running, which takes about a minute, like regular CSI
CSI Enterprise is a great tool to help with Compliance too
So let's see how existing corporate end-point security stands up to a CSI-Enterprise second opinion. We firmly believe that around 40% or more of those who will try CSI-Enterprise will find active malware on one or more end-points. I'll be sure to let you have some headline stats from what people find and say about their trial experiences.
BTW, to those large enterprises using the consumer version of Prevx CSI to detect and remediate individual PCs, you'll find CSI-Enterprise so much easier and faster. ;-)
