
April 2011


Contents

1. [Chart residue; legend: Some values exceed chart area. Please refer to text for full product names.] …of keeping all scores above 90. The WildList caused no difficulties, and without a single alert in any of the clean sets BitDefender proves well worthy of a VB100 award. The company has a respectable record of seven passes and two fails in the last two years, with three comparatives not entered; four of the last six tests have been passed, from five entries. Bkis BKAV Professional Internet Security 3245. Definition version 3245, engine version 3.5.6, pattern codes 3,337,949. …rapid, with only one step covering the install location and creation of desktop shortcuts. A reboot was needed after the fast copy process, but nevertheless the whole thing was completed in excellent time. The interface is a hot and fruity orange colour and provides fairly simple access to a reasonable level of options, covering the basic requirements but not much more. As in recent tests, stability was excellent, with no…
2. [Table residue: on-demand scanning throughput figures for the media and documents and other file types sets, in Default (Cold), Default (Warm) and All files columns; values not recoverable.]
3. [Chart residue; legend: System drive; Archives (defaults cold, defaults warm, all files); Binaries and system files (defaults cold, defaults warm, all files); Media and documents (defaults cold, defaults warm, all files); Other file types (defaults cold, defaults warm, all files). Some values exceed chart area.] …fairly plentiful, however, once dug out, and stability was excellent. Logging was in a rather gnarly XML format, nice for displaying to the user but awkward to process with our standard scripts. However, some smart result caching meant that many tests powered through in excellent time, and the full test suite was completed in under a day. Scanning speeds were quite good and on-access lags a little heavy at first, but much quicker once the product had familiarized itself with things. RAM use was higher than most, but CPU use was very low and impact…
4. [Table residue: On-demand tests (contd), detection figures per product for the virus sets; values not recoverable. Please refer to text for full product names.] …fairly usable, and it responded well even under pressure; no stability problems of any kind were observed during the full test run, which completed in good time. Scanning speeds were pretty good and on-access lags were not bad either, while use of RAM and impact on our activities set were about average and CPU use was fairly low. Scores were just about reasonable, with a…
5. [Table residue: archive type handling (ZIP, ZIPX, TGZ, RAR, LZH, …). Key: a tick marks detection of the EICAR test file up to ten levels of nesting; X marks no detection of the EICAR test file; paired entries give default settings / all files; 1-9 marks detection of the EICAR test file up to the specified nesting level; EXT marks detection of the EICAR test file with a randomly chosen file extension. Please refer to text for full product names.]
6. Scanning speeds and on-access lags were decent to start with, both speeding up hugely in the warm sets, and while RAM and CPU consumption were perhaps a little above average, impact on our new sets of standard activities was minimal. Detection rates were decent as ever, with solid scores in most areas, and the WildList caused no problems. The clean sets were also handled well, with only a single item labelled as adware, and a VB100 award is duly earned by Agnitum. This brings the company's tally in the past two years to seven passes and one fail, with four tests not entered; all of the last six entries have resulted in passes. AhnLab V3 Internet Security 8.0.4.6 Build 925, engine version 2011.02.23.31. ItW 100.00%, Polymorphic 99.99%, ItW (o/a) 100.00%, Trojans 94.05%, Worms & bots 98.35%, False positives 0. [VB100 logo; RAP 88.3] AhnLab is a pretty regular participant in our comparatives, and the company's … generally well behaved, the occasional wobbly month notwithstanding. This month's submission was a 155MB executable including latest updates, and ran through its installation process fairly uneventfully. An option to apply a licence was declined in favour of a trial version, and we were also offered the choice of including a firewall; this was not enabled by default, so was ignored. The process completed in under a minute and needed no reboot. The product is reasonably clean and efficient looking…
7. This was helped by some good use of result caching to speed up repeat scans of previously checked items, and the product powered through the speed tests in excellent time, showing very light lag times on access too. With RAM use not too high and CPU drain fairly noticeable, the set of standard tasks ran through almost as quickly as on the baseline systems. Scores were excellent across the board, with impressive reliability throughout the reactive part of the RAP sets and only a slight decrease in the proactive week. The WildList and clean sets presented no problems, and AVG easily earns another VB100 award, making 11 passes in the last two years with just one test not entered. Avira AntiVir Personal 10.0.0.611, Virus definition file 7.11.03.177. ItW 100.00%, Polymorphic 100.00%, ItW (o/a) 100.00%, Trojans 98.51%, Worms & bots 99.45%, False positives 0. [VB100 logo; RAP 96.0] Avira continues to thrive with its combination of efficiency and superb detection rates, its free product snapping at the heels of a couple of others already looked at this month. The product has a soothing longevity of design, with changes introduced slowly to give an impression of evolution rather than sudden and drastic renewal. The current iteration of the free-for-home-use personal edition was supplied as a 48MB installer with an additional 38MB of updates, which were simple to apply using a standard built-in pr…
8. …product based on the GFI (Sunbelt) VIPRE engine, and this one combining the might of G DATA with its own anti-spyware expertise, in several recent tests. The Total version has had some unlucky results recently and has yet to achieve a VB100 award, despite some very strong performances. This month the standard product is absent, pending fixes to some issues coping with the heavy stresses of our tests, but we were pleased to see the Total offering return for another stab. The installer is something of a beast at over 450MB, but that includes all required update data for all the engines. The set-up process runs through a number of stages, including the options to include parental controls and a data shredder system and setting up some scheduled scanning and backup tasks, before the main installation. This runs for a minute or so, followed by a reboot. The interface is very similar to G DATA's, with a few extras and a little rebranding, and as such proved a delight to operate, with its excellent level of controls and solid, reliable running even under heavy pressure. All tests were out of the way well within the allotted 24 hours. Scanning speeds were not super fast to start with, but benefited hugely from the smart caching of previous results, and on-access lag times were not too heavy either. Use of RAM and CPU cycles and impact on our set of activities were perhaps slightly above average, but not too he…
9. [RAP 89.1] The interface is stern and sober, with little unnecessary flashiness, providing easy access to standard tasks and settings, with some extreme depth of fine-tuning also available if required. HIPS and live online lookups are included but not covered by our testing at the moment; the live component had to be disabled to avoid delays in our tests. Stability was solid, with no problems under heavy pressure, and testing ran through in decent time. Speed times and on-access lags were good with default settings, where only a preset list of extensions is covered. With a more in-depth set of settings only the archive set was heavily affected, the others still getting through in good time. Resource consumption was low, and our suite of standard tasks ran through quickly with little time added. Detection rates were solid, with good coverage across the sets and a slow decline into the most recent parts of the RAP sets. The core certification sets proved no problem, and Sophos comfortably earns another VB100 award. The company's recent records show only a single fail and 11 passes in the last two years, with all of the last six tests passed with flying colours. SPAMfighter VIRUSfighter 7.100.15, Definitions version 13.6.215. ItW 100.00%, Polymorphic 100.00%, ItW (o/a) 100.00%, Trojans 86.37%, Worms & bots 95.91%, False positives 0. The people behind VIRUSfighter specialize in fighting spam, as the company name makes admirably cl…
10. …weaknesses, but it is possible to use them together to create an effective anti-phishing mechanism that targets a specific case. Obviously this is a special scenario. It doesn't solve the overall problem of phishing, which is still with us today; we even have an organization, the Anti-Phishing Working Group, that was formed in an effort to address the problem. Furthermore, this technique doesn't address the issue of when the phisher uses visually or phonetically similar domains to the one that's being spoofed (for example, state.gov.wa.com.br), which don't publish SPF records but which look like a domain that the organization in question might use. However, this solution does stop spammers who attempt to spoof either the P1 From address or the P2 From address when the targeted domain has published SPF and/or SenderID records. This scenario occurred so often that we were driven to come up with a response to it. It's true that SPF and SenderID each have their limitations, but it is equally true that they have their place in an anti-spam environment. We have the evidence to prove it.
11. [Table residue: On-demand throughput (contd), drive MB/s, for the archive files and binaries and system files sets, in Default (Cold), Default (Warm) and All files columns; values not recoverable. Please refer to text for full product names.]
12. …on its third attempt. We look forward to welcoming the vendor to the test bench again. Coranti 2010 Version 1.003.00001. ItW 100.00%, Polymorphic 100.00%, ItW (o/a) 100.00%, Trojans 99.00%. [Table residue: performance rows for AVG Internet Security and Avira AntiVir Personal; footnote: Negative value recorded for busy CPU.] Coranti has had something of a rollercoaster ride in its first year of VB100 testing, with some excellent results tempered by the occasional false positive problem, as is always a danger with the multi-engine approach. The name of the product has seen a few changes as well, with the original Multicore moniker dropped in favour of a simple 2010, somewhat odd given that earlier products had been labelled 2011. [RAP 97.7] The latest version marks something of a departure, as the Norman engine that appeared in earlier tests has been phased out in favour of what is referred to as the Lavasoft Ad-Aware scanning engine; this is presumably a combination of Lavasoft's in-house anti-spyware expertise and the GFI (formerly Sunbelt) VIPRE engine also included in Lavasoft's mainline Ad-Aware solutions. In addition to the Frisk and BitDefender engines retained from earlier incarnations, this should make for a formidable product, although the lab team did have some concerns based on stability issues encountered with Ad-Aware and o…
13. [Figure residue: IDA View disassembly screenshot (ARM) of NokiaUpdate_WriteContactPhoneDB, showing calls to RDbView::PrepareL, RArrayBase::Count and RDbRowSet::InsertL, with a MEMORY dump pane; contents not recoverable.]
14. …which has a big market and therefore will continue to be a big target. The X Factor: Moving Threat Protection from Content to Context was a discussion moderated by Ambika Gadre of Cisco Systems, with panel members Mary Landesman (Cisco Systems) and Patrick Peterson (Authentication Metrics and Cisco Systems). Spam volumes dropped dramatically in 2010 due to concerted botnet takedown efforts throughout the year. However, spam volume does not equate to risk level. A decrease in spam does not mean there is less risk of malicious email. It doesn't mean there is more risk either; risk stays about the same. For example, December 2010 was the lowest point in terms of spam volume, yet a very successful attack was carried out against .gov and .mil workers via an email disguised as a greeting card from the White House. The email contained a link to view the greeting card, which actually led to a variant of the Zeus trojan. This particular variant harvested PDF, DOC and XLS files from victim computers. In the short time the attack was live, attackers managed to accrue a few gigabytes' worth of stolen data. Over the last ten years malware has evolved from being prank-driven to being profit-motivated. In the next ten years we are likely to see more malware used as a sabotage tool for political and global economic gain. We cannot afford to approach the problem passively. An active approach is required by all, including deep analysis…
15. However, in that case cybercriminals cannot initiate authentication on demand and must wait for the victim to do it. We would recommend the use of a smartcard-based authentication: a smartcard reader with its own keypad is attached to the PC. To authenticate, the end user must insert his smartcard into the reader and enter a valid PIN on the smartcard reader. This unlocks a private key stored on the smartcard. This key is used to sign an authentication challenge sent by the bank. The signing process is done by the smartcard itself. The authentication challenge is randomly generated and only valid for a given time frame. In this scenario the PIN cannot be eavesdropped, because it is entered on an uncompromised and secure device, the smartcard reader. The smartcard reader cannot be infected by a trojan such as Zitmo, because it usually does not support installation of any additional software. The signed authentication challenge cannot be replayed, because it is valid only for a short time frame. The cybercriminals cannot initiate the authentication because they need the victim to enter his PIN on the… [Sidebar:] The Android Market has been known to distribute several pieces of spyware, which occasionally have been pulled out. The Apple Store has had fewer security issues so far, but it is often seen as so closed that it basically encourages end users to jailbreak their devices and then download totally uncontrolled software.
16. Urgently requesting help from the submitters, we were put in touch with a support operative who promised some details of changes to the WMI system which might help, but when no further advice was forthcoming we resorted to further experimentation. As usual in such circumstances, Google was our friend, leading us to the murky world of CA user forums. Here we learned that a simple install bundle, including all required updates etc., can easily be created on the management system and copied over to clients manually; perhaps it would have been easier had the original submission been provided in this format. With this figured out, the install actually proved rather simple, with the standard half-dozen steps of any normal installer and a reboot at the end. All this was complete in under a minute, albeit more than two days after first starting the process. The client interface is clean and crisp, a huge improvement over the previous edition, with a good range of options laid out in a simple and accessible manner. Despite the Flash underpinnings, it seemed stable and responsive at all times, and with the zippy scanning engine under the hood it made short work of most of our tests. Again, scanning speeds were quite good and file access lag times light, but the performance measures showed quite a lot of RAM usage, a fairly heavy impact on our activities suite and a massive amount of CPU use. These figures looked so out of place when compiling the fin…
17. [RAP 93.3] The product family has evolved considerably over the years. The rather modest title of this, the vendor's business-focused solution, conceals the multi-faceted nature of what is really a fairly complete suite, including anti-spam, device control and intrusion prevention alongside the anti-malware. The installer is not too huge though, at just under 150MB, and is accompanied as usual by a large archive containing all updates for the company's wide range of products. The set-up process is fairly lengthy, going through a number of stages including disabling the Windows Firewall, the option to set a password to protect the product settings, and analysis of applications allowed to connect to the network, alongside more standard items like licensing, updates and so on. It requests a reboot to finish things off. The interface is cool and stylish, with perhaps a little too much emphasis on the funkiness; an odd approach to blending text links and buttons is occasionally confusing, but as a whole it is generally workable, improving greatly with a little familiarity. Fine-tuning is provided in exhaustive depth, with detailed reporting as well, and things were generally smooth and stable. At one point we observed the product crashing, having snagged on a single file in the RAP sets, but when the offending item was removed everything ran through without problems. File access lags were low and scanning speeds pretty good, impro…
18. …to a spammer's domain. The user's computer has now become part of a botnet because they clicked on the link. If you only use SPF as part of your spam filter, then your filter will be prone to these types of attack. Whether spammers spoof your specific domain intentionally or are randomizing the domains in the senders, the fact is that SPF cannot prevent these emails from reaching your inbox. I was left scratching my head. How could we combat these types of spam messages using content filtering? I started to investigate SPF and how it executes on the P1 From address. The SPF documentation discourages the use of SPF on the P2 From address because, while the P1 and P2 From addresses are often the same, sometimes they are not, and it is difficult to predict what will occur in the event that they are not the same. Will a spam filter flag legitimate messages as spam, i.e. generate false positives? For example, suppose that the state of Washington wanted to send out a large mail campaign to residents of the state who had opted in to receive special announcements, e.g. about road repairs, government office closures, breaking news reports or results of legislative changes. Rather than sending these out themselves, the state might decide to use a marketing company, say Big Communications Inc. The marketing company wants the emails to look like they came from the state of Washington, but needs to avoid them being marked as spam…
19. [Table residue: File access lag time (contd), for the other file types set and all files, in Default (Cold), Default (Warm) and All files columns; values not recoverable.]
20. …100 award last summer, having first taken part in a comparative as long ago as 2001 but then disappearing for several years. The achievement was repeated on Windows 7 in the autumn, and now Ikarus returns to try to make it a hat-trick. [RAP 97.1] The product is provided as a complete CD iso image weighing in at 206MB, with an extra 69MB of updates to apply as well. The installation process includes adding the Microsoft .NET framework if not already available. This is handily bundled into the install package, but adds several minutes to an already fairly lengthy task. The interface has traditionally been a little wobbly, particularly when first trying to open it, but it seemed a little more responsive on this occasion. It is pretty basic, with not many menus or buttons, but manages to provide a rudimentary set of controls to fill most needs. When running under heavy pressure it is particularly ungainly, flickering and juddering like a mad thing, and often needs a reboot after a big job to get back to normal operation. After one fairly reasonable job scanning our set of archive files, things took a turn for the worse, and even a reboot couldn't help. With the OA module munching up RAM, the interface refusing to open and several standard Windows functions failing to function, we had no choice but to wipe the system and start again with a fresh operating system image. This time it kept going despite the heavy load, getting to the…
21. [Chart fragment: 1092 Vulnerabilities] NEWS. NO MAIL FOR ALISONS, ALBERTS, ALGERNONS. McAfee customers whose email address begins with the letter A may have found their inboxes unexpectedly quiet earlier this month, when a flawed update script in the MX Logic managed email filtering service (acquired by McAfee in 2009) prevented them from receiving mail. According to McAfee, temporary account verification issues were experienced by users with non-alphanumeric email addresses and aliases up to the letter A. The issue was identified and fixed within 12 hours. This is not the first time an innocent letter has caused problems and red faces for a security firm: in 2003 Trend Micro quarantined the letter P, when a bug in an update for email security product eManager quarantined all incoming mail containing the letter P (see VB, June 2003, p.3). OLD BREACH REARS ITS HEAD. The potential long-lasting effects of a security breach were highlighted earlier this month when a small Illinois-based bank revealed that customers' payment card information had been compromised at card processor Heartland Payment Systems, which suffered a breach back in 2008. It is thought that, more than two years after the breach, crooks are still working their way through the stolen card details. While many of the cards will no longer be active after such a long period of time, either because they have expired or because they have been cancelled, the…
22. …Attacker and Eve the Eavesdropper, to help less technical professionals get a grasp of this deeply technical topic. Cartoons depicting these characters were played for entertainment throughout the conference week. While the theme of the conference always reflects the world of cryptography, the event itself has evolved into a very comprehensive forum discussing the latest in security technologies, research, forensics, policies and regulations, trends, best practices, business concerns and much more. RSA generally attracts more than 12,000 attendees from around the world; delegates can choose between 14 presentation tracks with over 250 speakers throughout the week. In keeping with the times, Cloud Security was a new track added this year. An exhibition runs alongside the conference, with over 330 exhibitors representing software, hardware, consulting, government and non-profit organizations. The event also offers several keynote talks (17 this year), many of which are given by representatives of the companies sponsoring the event. THE KEYNOTES. In a talk entitled Collective Defense: Collaborating to Create a Safer Internet, Microsoft's Trustworthy Computing Corporate Vice President Scott Charney suggested that we apply public health models to the Internet. The worldwide health community has a solid programme in place for educating about health risks, coordinating efforts to detect diseases, and vaccinations to pr…
23. …Chinese security firm Kingsoft, but so far there have been no signs of a merging of their solutions, with Keniu still based on the Kaspersky engine. The install package is a fraction under 100MB including all required updates, and the set-up process is fast and simple, with only a few steps, no need to reboot and everything done in less than a minute. The interface is bare and minimalist, with two basic tabs, a few large buttons and a basic set of configuration controls. With sensible defaults and smooth, stable running, the tests were out of the way in no time. [RAP 94.4] Scanning speeds were somewhat on the slow side, especially in the archives set, with archives probed very deeply by default. RAM and CPU usage were on the low side, and impact on our activities bundle was not too high. Detection rates were excellent, as expected from the solid engine underpinning the product, with very high figures in all sets. The clean set threw up no problems, and the WildList was handled fine on demand, but in the on-access run a single item was marked as missed by our testing tool. Suspecting an error, we reinstalled and repeated the test, this time finding several dozen items missed, including the one not spotted the first time, and the product's internal logs matched those of our testing tool. Running a third install showed another selection of misses, even more this time. In the end no changes to the product settings or the way the test w…
24. …Room, Capuzzo discussed the crime-fighting Vidocq Society along with two of its members: Bill Fleisher, a private investigator and former FBI agent, and Richard Walter, a forensic psychologist who many consider to be the living Sherlock Holmes. The Vidocq Society consists of forensic investigators, prosecutors, medical examiners, police officers, attorneys and the world's most successful detectives, whose sole purpose is to solve cold-case murders. They are experts at decrypting crime scenes and mining data. These retired professionals use the skills they gained throughout their careers for the greater good. All their work is pro bono, with the belief that virtue is its own reward. The Society's success is due to having founded a network of the best of the best in criminal investigations. These are brilliant people who study invisible links, put puzzles together, keep track of what could seem like meaningless files, look for patterns and think about the psychology of what motivates criminals. Their work closely maps to the anti-malware industry's search for the bad guys on the Internet. Parallels exist in how the bad guys hide their motives and how they try to conceal their guilt. In fact, the Vidocq Society has been enlisted to create a system that uses the same subtypes employed in murder investigations to evaluate Internet stalking and other cybercrimes. They've been able to determine that within 3-8 years a fantasy-driven stalker…
25. [Figure residue: IDA Pro disassembly of the ARM routine NokiaUpdate_WriteContactPhoneDB (.text, addresses around 7C8EBA90), showing calls to RDbRowSet::SetColL, RDbRowSet::PutL and CleanupStack::PopAndDestroy, with NokiaUpdate.exe and several system DLLs listed in the Modules pane. The Hex View and Stack View panes of the screenshot are not recoverable.]
26. [Virus Bulletin table and chart residue: file access lag time results for archive files, binaries and system files, media and documents, and other file types, each measured at defaults cold, defaults warm and all files, followed by the legend of the 'File access lag time' chart. Please refer to text for full product names; some values exceed the chart area.]
27. a few worries as we prepared to try it out for the first time. The installer was pretty compact at under 8MB, although 60MB or so of updates were needed in addition. The set-up process presented a very large window but didn't have much to fill it with, zipping through in no time at all and requesting a final reboot after only 10 seconds or so. The interface is fairly nice and attractive in a dappled grey shade, with large, clear buttons and icons. The layout is lucid and sensible. The family relationship was clear in some areas, with some sets of controls closely mirroring those in VIPRE, but in other areas we actually found more detailed configuration available, which was a pleasant surprise. Speed measures ran through safely, with an appealing animated graphic to keep the user entertained during the scanning process. The expected slow times were observed over most file types, although executables were well handled. Lag times were pretty hefty too, again with good improvements in the warm runs, and with low RAM use and CPU drain not too high either, the impact on our activities was pretty slight. Detection tests proved rather more of a challenge though. An initial run over the main sets was left overnight. When it still hadn't finished at the end of the following day it was left for another night. In the end it took 42 hours to complete, and by the end the scanning process was using 1.2GB of RAM, the test machine just about holding its own
28. and remaining responsive. Unfortunately the scan seemed to have frozen at the moment of completion and failed to write any logs out to disk. Scans were re-run in a dozen or so smaller chunks, each taking from four to eight hours, and this approach produced much better results, with no repeats of the earlier logging failure. Moving on to the on-access tests, we saw similar problems to those experienced with other OEM versions of the same engine, with any kind of stress causing an immediate collapse. Detection seemed to stay up for a few hundred detections, then either switched itself off silently or stopped detecting but continued to delay access to any file for a considerable period. The set was broken into smaller and smaller chunks, each one being run separately, with the product given plenty of breaks in between to recover from the ordeal of having to look at a few dozen files. Testing continued for several more days and in the end a complete set of results was obtained, closely matching those of the VIPRE product (same engine and updates, but obtained in massively less time). This meant solid scores across the board, with a great showing in the RAP sets and no problems in the core certification sets, earning UnThreat its first VB100 award at its first attempt. A lot of work was involved, with perhaps 15 working machine-days devoted to getting it through the full suite of tests; we have to hope GFI/Sunbelt passes on the improvements it h
29. fairly notable step down mid-way through the RAP sets. The WildList was handled without problems, but both the clean set and the speed sets threw up a handful of false alarms, including items from Microsoft, a component of MySQL and the popular Joomla content management system. This was enough to deny ArcaBit a VB100 award this month, leaving it with just one pass in the last two years from a total of five attempts.

AvailaSoft AS Anti-Virus 1.0.0.1
ItW 91.43%, Polymorphic 71.09%, ItW (o/a) 91.43%, Trojans 37.35%, Worms & bots 46.13%, False positives 0

When newcomer AvailaSoft first came to our attention we noted some interesting test results quoted on the company's website: two testing labs previously unknown to us were quoted as rating the product very highly indeed. So far our attempts to contact these labs to find out more about their methodology and encourage them to join testing community endeavours such as AMTSO have gone unanswered. AvailaSoft itself is based in Duluth, GA, USA, with offices in several other regions, and was founded in 1996. (RAP 43.5%) The install package weighed in at a very reasonable 61MB and, after the minimum number of set-up stages, it zipped through its activities in double-quick time, with a reboot at the end. Getting the interface up proved less speedy, however, as on boot-up the test machine seemed to take rather a long time to get its act together; we hope to add some boot speed checks to our test suite i
30. [Chart legend residue: 'Lag time' chart for media and documents and other file types, each at defaults cold, defaults warm and all files; please refer to text for full product names; some values exceed the chart area.]

showed some perfectly respectable scores, with admirable consistency across the RAP sets. The WildList and clean sets were well handled, and a VB100 award could finally be granted after several days of hard work. Over the longer term, CA's business solutions have a rather better record than its consumer ones, with seven passes and three fails in the last two years, two tests having been skipped; the last six tests show two passes, two fails and two no-entries.

Central Command Vexira Antivirus Professional 7.1.38
Virus scan engine 5.2.0, virus database 13.6.217

The installer submitted measured 65MB, with an additional 69MB archive of updates to add in. The set-up process included all the usual steps, split over rather more stages than most, with the option to join a feedback system rather deviously hidden on the same screen as the EULA and checked by default. Ru
31. heavy, while RAM use and impact on our set of tasks were fairly low and CPU use not too high either. Detection rates were respectable, with no problems in the core sets, and Logic Ocean duly earns a VB100 award on its first attempt.

McAfee VirusScan Enterprise + AntiSpyware Enterprise 8.8
Scan engine version 5400.1158, DAT version 6266.0000
ItW 100.00%, Polymorphic 100.00%, ItW (o/a) 100.00%, Trojans 85.04%, Worms & bots 94.76%, False positives 0

McAfee has recently been having a bit of a tough time handling some of the polymorphic strains replicated in large numbers for our test sets. However, with a lot of work having been put into ironing out these issues, things looked good for a return to form. (RAP 84.7%) The product came as a 37MB installer, with the DAT package measuring 85MB, and the set-up process was simple and straightforward, with a reboot not demanded but subtly recommended. The GUI remains grey and sober but efficient and simple to use. A full and complete range of controls is provided, as one would expect from a major corporate solution. Running through the tests proved no great chore, as stability was rock solid throughout and everything behaved just as expected. Scanning times were pretty good to start with and sped up enormously in the warm scans. Overheads were not bad either, and there was low drain on CPU cycles and minimal impact on our set of activities. Detection
32. http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html
[4] Tarasov, D. SMS Monitor User Manual. http://dtarasov.ru/smsmonitor_manual_en.html
[5] Apvrille, A. Zitmo Follow Up: From Spyware to Malware. September 2010. http://blog.fortinet.com/zitmo-follow-up-from-spyware-to-malware
[6] Campbell, I. Symbian OS Communications Programming. Symbian Press, John Wiley & Sons Ltd, 2nd edition, 2007.
[7] BiNPDA. SecMan Security Manager v1.1, 2008. http://free-mobilesoftware.mobilclub.org/software/QuickHackKit.php
[8] Tarasov, D. Evil coding Symbian. Xakep magazine, 3/2009. http://www.xakep.ru/magazine/xa/123/096/1.asp (in Russian).
[9] Bose, A.; Hu, X.; Shin, K.G.; Park, T. Behavioral Detection of Malware on Mobile Handsets. 6th International Conference on Mobile Systems, Applications and Services (MobiSys '08), June 2008.
[10] Xie, L.; Zhang, X.; Seifert, J.-P.; Zhu, S. pBMDS: A Behavior-based Malware Detection System for Cellphone Devices. 3rd ACM Conference on Wireless Network Security (WiSec '10), March 2010.
[11] Yan, G.; Eidenbenz, S.; Galli, E. SMS-watchdog: Profiling social behaviors of SMS users for anomaly detection. RAID 2009, volume 5758 of Lecture Notes in Computer Science, pp. 202-223, 2009.
[12] Enck, W.; Ongtang, M.; McDaniel, P. On Lightweight Mobile Phone Application Certification. 16th ACM Conference on Computer and Communications Security (CCS '09), November 2009.

TECHNICAL FEATU
33. icons along the bottom and a slightly more sober display of status information in the main window. Configuration is comprehensive and detailed, with good attention paid to a logical, intuitive layout, and testing moved along nicely. Scanning speeds were rather sluggish at first, but after first sight of things some result caching came into play and the process sped up nicely. On-access lag times were impressively low and memory use was fairly low too, with CPU drain and impact on our suite of standard jobs around average. Detection rates were pretty decent, with highly impressive scores in all sets, a slight decline towards the newer end of the RAP sets still not taking things below 90%. The WildList and clean sets threw up no issues, and eScan comfortably earns another VB100 award; having not missed a single test in the last two years, it now has nine passes to only three fails, a very respectable record of achievement.

ESET NOD32 Antivirus 4
Version 4.2.71.2, virus signature database 5901 (20110223)
ItW 100.00%, Polymorphic 100.00%, ItW (o/a) 100.00%, Trojans 89.29%, Worms & bots 98.13%, False positives 0

ESET has an even more illustrious history in our tests, still holding onto its record for the longest unbroken run of certification passes, and indeed of comparatives taken part in, the vendor not having missed a test since 2003. (RAP 93.3%) The current product has been in stable form for so
34. includes an option to detect potentially unwanted items, and needs no reboot to complete. The product interface is similarly abrupt and to the point, with a stark simplicity and minimal configuration, but it manages to get the job done effectively. The solution has a cloud component, which had to be disabled for the purposes of the main test suite. A few problems were encountered during the running of the tests, with several blue screens observed when under heavy pressure. This, along with a tendency to lose or overwrite logs, held us back a little; indeed, even when logging seemed to have run happily, the process of opening the logs and exporting in the main interface regularly took so long that we gave up on it. All log data is stored in Access database format, clearly not the most efficient choice, as even the most basic log with only a handful of detections recorded could take several minutes to convert into a displayable format. For the most part we took the raw database files and ripped the data out ourselves. With these issues slowing us down, testing took perhaps 36 hours, not too troublesome. Scanning speeds were on the slow side, with file access lag times fairly high, and although RAM usage was perhaps just a fraction above average, CPU use was fairly high too. Impact on our set of standard jobs was around average for the month though. Detection rates, when full results were finally gathered and analysed, proved
35. last year.

[Chart residue: 'On-demand throughput (contd.)' chart, throughput in MB/s; please refer to text for full product names.]

Bullguard Antivirus 10.0.172
ItW 100.00%, Polymorphic 100.00%, ItW (o/a) 100.00%, Trojans 97.07%, Worms & bots 99.63%, False positives 0

Bullguard is an occasional to semi-regular participant in our testing, with its iconoclastic approach to interface design and general reliability making the product a welcome sight on any roster of submissions. (RAP 96.2%) The latest edition came in as a 137MB install package with no further updates needed, and ran through in very rapid time with just a couple of clicks required. The whole thing was done within a minute with no reboot needed. The GUI design is somewhat on the wacky side, somehow blending cool and functional with warm and friendly, but after a little exploration it proved perfectly usable. Large buttons lead to an unexpected selection of main areas, with asymmetry another odd addition to the mix. Controls are
36. need to have better layers of defence. It was unanimously agreed that the solution was not a technology fix but a framework model. Better legal and international policy is required, with a framework of rules, norms and laws. We need more discussion, agreement and treaties between nations. More countries need to talk with and trust each other so we can better deal with the cyber concerns together. Arguably the most popular keynote was given by the former United States President and founder of the William J. Clinton Foundation, Bill Clinton. President Clinton is a very passionate speaker who talked about the challenges surrounding globalization and our interdependence on programs that do not focus on our core values. He spoke about the need to save our resources and focus on green technology to lessen our dependence on foreign oil. Clinton said: "Throughout history, everything that has value is subject to being stolen or altered. Everyone in cyber security is like a modern-day cop on a beat. You are dealing with human nature and an inevitable tendency to try to take advantage of whatever the latest object of value is." He also focused on the need to ensure that as we invent new technologies we have government policies in place and do our best to not repeat mistakes of the past.

INNOVATION SANDBOX

The Innovation Sandbox is a forum in which new companies showcase their technologies and compete for the
37. not patching. Add that to the rise in zero-day threats and it is not a pretty picture. Today there is more visibility of new vulnerabilities, which helps to get the problems fixed sooner; software companies are generally providing fixes for vulnerabilities faster, but end users are not installing them in a timely manner. Krebs indicated that he is underwhelmed by mobile threats. New malware for Android is being seen at a rate of about one per week, but he predicted that Windows Phone 7 will become a bigger target. Further discussion centred on browser security, with panellists asserting that if the browser is not secure the web is not secure, and that innovation must focus on increasing browser security. Kaspersky's Roel Schouwenberg presented a paper entitled 'Adobe: Evaluating the World's Number One Most Exploited Software'. He reported that in 2010 Q1, 48% of exploits used PDFs. Although the number of exploits using PDFs decreased throughout the rest of 2010, Adobe's model to protect against persistent threats is not good enough. Adobe needs to force updates by changing to an auto-update model similar to that of Google Chrome, where it is not possible to opt out. Schouwenberg applauded Microsoft as a thought leader. As the company has become more security focused and its products more locked down, the bad guys have looked for other opportunities. Schouwenberg predicts that 2011 will be the year of Java
38. of system logs and having the expertise to spot suspicious behaviour and deal with it appropriately. The bad guys are looking for interesting people and have the ability to customize their attacks accordingly. End users should understand how to recognize and report suspicious behaviour, whether encountered via email or on the web. Administrators should ensure they are providing active forensic analysis of their systems and that there are processes in place that empower security teams to take appropriate and timely action. The 'Advanced Persistent Threats: War Stories from the Front Lines' panel was moderated by McAfee's Dmitri Alperovitch, with panel members Heather Adkins (Google), George Kurtz (McAfee), Kevin Mandia (MANDIANT) and Adam Meyers (SRA International). The threats we see today are not always advanced, but they are persistent. Mandia commented that simply labelling an attack 'APT' seems to get security professionals off the hook for not stopping it pre-attack. He also indicated that law firms and healthcare organizations appear to be the sectors that are least well prepared for these targeted attacks. Kurtz asserted that all major organizations currently have a hacker on their network, and that it isn't hard to get past layer 8 (humans). The panel recommended that IT officers create a social footprint of their executives and see who is trying to profile them and accessing their information. Who is pulling down their bio
39. on our activities was quite low too. Detection rates were superb, with only the slightest decrease through the reactive weeks of the RAP sets and the proactive week achieving the enviable heights of more than 90%. The WildList and clean sets caused no problems, and a VB100 award is duly earned. Bullguard now has four passes from four entries in the last two years, having skipped the other eight tests, with two of those passes coming in the last six tests.

CA Internet Security Suite Plus 7.0.0.115
AM SDK version 1.4.1.1512, signature file version 4209.0.0.0
ItW 100.00%, Polymorphic 99.96%, ItW (o/a) 100.00%, Trojans 80.18%, Worms & bots 96.96%, False positives 0

[Chart residue: 'On-demand throughput (contd.)' chart; please refer to text for full product names.]

CA's project to outsource the bulk of the work on its anti-malware solutions seems to be more or less complete with the release of the fully reworked corporate product. The consumer version has become a familiar sight in recent tests and has presented few major headaches to the test team. (RAP 78.3%) As usual, installation was performed online at the request of the submitters. The main installer weighed in at 154MB and online updating took a few minutes. The rest of the set-up process was fairly bri
40. only one test machine at a time, to avoid possible network latency issues. We hope to expand on this selection of activities in future tests, possibly refining the selection of samples to reflect the platforms used in each comparative, and perhaps also recording the data with greater granularity. We had also hoped to run some trials of another new line of tests, looking at how well products handle the very latest threats and breaking somewhat with VB100 tradition by allowing both online updating and access to online resources such as real-time cloud lookup systems. However, when the deadline day arrived and we were swamped with entrants, it was clear that we would not have the time to dedicate to this new set of tests, so they were put on hold until next time. The final tally came in at 69 products, breaking all previous records once again. Several of these were entirely new names; indeed, a couple were unknown to the lab team until the deadline day itself. Meanwhile, all the regulars seemed to be present and correct, including a couple of big names that had been missing from the last few tests. With such a monster task ahead of us there was not much we could do but get cracking as usual, crossing all available digits and praying to all available deities for as little grief as possible.

Agnitum Outpost Security Suite Professional 7.1
Version 3415.320.1247
ItW 100.00%, Pol
41. or deny access only when submitting products for a large-scale comparative, it seems fairly obvious that this would be a useful thing to have available. Presumably many of the companies producing security solutions these days, putting products together based on engines developed elsewhere, do not have access to malware samples to use for QA, but that is a pretty poor excuse for not getting the QA done. Stability of a piece of security software should not be undermined by having to work a little harder than usual, and passing that instability on to the entire machine is likely to be pretty unforgivable to most users. Logging is another area of difficulty, and another one where testers perhaps have somewhat special needs. However, this is something else which is made very clear when submissions are called for testing, and one which is clearly going to be important in a large-scale test. Inaccurate or incomplete logs of what has been observed and carried out on a machine would be utterly unacceptable in a business environment, and most consumers would be unhappy to find that their security solution had fiddled with their system but couldn't tell them anything about what it had done or why. The growing popularity of logging to memory and only outputting to file at the end of a scan seems targeted specifically at irritating testers. The benefits are presumably in faster scanning times and less use of disk, but presum
42. problems even under the heaviest strain, and despite rather sluggish scanning times all tests completed within 24 hours, as hoped. On-access lag times were fairly heavy and scanning speeds not too zippy, except in the archive set, where things were not being probed too deeply. While RAM usage was fairly low and impact on our suite of activities similarly good, CPU use when busy was pretty high.

ItW (o/a) 100.00%, Trojans 99.48%, Worms & bots 99.59%, False positives 3

Bkis first appeared on the VB radar around a year ago and has rapidly gone from a fairly rocky start to achieving several VB100 awards and some superb scores in recent months. The company's current Pro product came as a 212MB install package with no need for further updates. (RAP 95.5%) The installation process was remarkably

Detection rates were once again excellent, with stunning scores across the sets. Guessing from the rapid improvements since earlier entries, however, it seems likely that heuristic strength has been tweaked upwards to improve scores, and at last this seems to have gone a step too far, with a handful of false alarms generated in our clean sets, including components of a common freeware file compression tool and an obscure part of Microsoft Office. Bkis thus misses out on a VB100 award this month despite an impressive performance; the Pro edition had passed all three of its previous entries in the
43. proceeds to create a series of threads for creating registry start-ups (see Figure 6), for downloading files and for accessing SMTP domains; more tricks may be added in future releases.

PART IV: FUTURE OF ADS MALWARE

You might think that ADS is an old technology and therefore not really a threat. Think again. We haven't seen the end of exploits using alternate data streams. The following are some common examples of ADS in everyday computing that we might not be aware of:

Zone.Identifier: This is a stream generated by Internet Explorer and Outlook when saving files to the local disk from different security zones. In other words, whenever we download a file from the Internet, the Zone.Identifier ADS is added to the file. Format: <downloaded filename>:Zone.Identifier. The usual content is:
[ZoneTransfer]
ZoneId=3

encryptable: This is an ADS attached to the Thumbs.db file created when the Thumbnails view is selected in Windows Explorer. The stream size is usually 0; if it is not 0, this may be a sign that it has some malicious content. Format: Thumbs.db:encryptable

favicon: Whenever you add a link to your Favorites in Internet Explorer and the website has an icon, the icon will be saved as favicon. Format: <linkname>.url:favicon

Zone.Identifier, encryptable and favicon are normal alternate data streams that reside on our computers. We don't usually not
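The three streams described above can be read and checked programmatically. The following is an added example, not code from the original article: it parses the [ZoneTransfer] content of a Zone.Identifier stream and applies the three checks (Internet zone marker, a non-empty Thumbs.db:encryptable, a favicon on a .url file) to a file. Opening "path:stream" only reaches an alternate data stream on NTFS under Windows; on any other file system the stream reads simply report that no stream exists, so the parser is the only part exercised there. The helper names, ZONE_NAMES table and the sample stream bytes are this example's own constructions, and the ReferrerUrl/HostUrl keys in the sample are extra keys newer Windows versions write, not something the article shows.

```python
"""Inspect alternate data streams (ADS): Zone.Identifier, Thumbs.db:encryptable
and <link>.url:favicon. Added example; assumes NTFS/Windows for stream reads."""
import os
from typing import Dict, Optional

# URLZONE_* values that Internet Explorer / Outlook write into ZoneId=.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted",
              3: "Internet", 4: "Restricted"}

# Constructed sample of a Zone.Identifier stream: the article's usual content
# plus the ReferrerUrl/HostUrl keys that newer Windows builds also record.
SAMPLE_ZONE_STREAM = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
                      b"ReferrerUrl=http://example.invalid/downloads/\r\n"
                      b"HostUrl=http://example.invalid/downloads/tool.exe\r\n")


def parse_zone_identifier(data: bytes) -> Dict[str, object]:
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier stream.

    Returns {"ZoneId": int, <other keys>: str}. Keys outside [ZoneTransfer]
    are ignored and a non-numeric ZoneId is dropped rather than guessed.
    """
    result: Dict[str, object] = {}
    section = None
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if key == "ZoneId":
                if value.isdigit():
                    result[key] = int(value)
            else:
                result[key] = value
    return result


def zone_name(zone_id: Optional[int]) -> str:
    """Human-readable name for a ZoneId (3 = downloaded from the Internet)."""
    return ZONE_NAMES.get(zone_id, "Unknown(%r)" % (zone_id,))


def read_stream(path: str, stream: str) -> Optional[bytes]:
    """Return the bytes of path:stream, or None when no such stream exists.

    On a non-NTFS host "name:stream" is just a file name that is not there,
    so the same None is returned and callers need no platform check.
    """
    try:
        with open("%s:%s" % (path, stream), "rb") as fh:
            return fh.read()
    except OSError:
        return None


def classify(path: str) -> Dict[str, object]:
    """Apply the article's three ADS checks to one file and report findings."""
    findings: Dict[str, object] = {}
    zi = read_stream(path, "Zone.Identifier")
    if zi is not None:
        info = parse_zone_identifier(zi)
        findings["zone"] = zone_name(info.get("ZoneId"))
    name = os.path.basename(path).lower()
    if name == "thumbs.db":
        # The encryptable stream is normally empty; any content deserves a look.
        enc = read_stream(path, "encryptable")
        if enc:
            findings["encryptable_bytes"] = len(enc)
    if name.endswith(".url"):
        fav = read_stream(path, "favicon")
        if fav is not None:
            findings["favicon_bytes"] = len(fav)
    return findings


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_ZONE_STREAM))
    # On Windows, point this at a freshly downloaded file or a Thumbs.db.
    print(classify(os.path.join(os.getcwd(), "downloaded.exe")))
```

Note that a Zone.Identifier stream is advisory: the same API that writes it can delete it, and a file copied to a FAT volume loses it, so the absence of the marker never proves a file was not downloaded.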
44. process requires three or four clicks and a ten-second wait, then a reboot is demanded to complete the installation. The interface is minimalist but provides a basic set of options, including among them the choice to detect only Microsoft Office-related malware, something of a throwback to the past. Operating is not difficult and stability is generally good, but as usual during large scans of weird and wonderful malware the scanner occasionally died. Its own friendly crash screen, from which several sets of debug info were saved, was presented each time it died mid-task. Scanning speeds were fairly good and lag times fairly low; RAM consumption was a little above average, but other performance measures showed a lighter touch. Detection results were gathered easily enough after repeating several jobs, and showed decent if not exactly mind-blowing scores across the sets. Once again there was a slight upturn in the proactive week of the RAP sets. The WildList and clean sets were properly managed, and Frisk comfortably earns VB100 certification once again. The company's record has been somewhat patchy over the last few years, with seven tests passed out of a potential 12.

F-Secure Client Security 9
9.01 build 122, anti-virus 9.20 build 16701
ItW 100.00%, Polymorphic 100.00%, ItW (o/a) 100.00%, Trojans 96.45%, Worms & bots 99.61%, False positives 0

F-Secure routinely submits a brace of products th
45. respectable, with an interesting upturn in the last week of the RAP sets. A couple of items in the clean sets were alerted on as packed with Themida, while another was labelled adware, but there were no problems, and the WildList was handled smoothly too. A VB100 is duly earned, improving Command's record to three passes and three fails in the last 12 tests, with six tests not entered.

Comodo Internet Security Premium 5.3.176757.1236
Virus signature database version 7793
ItW 100.00%, Polymorphic 90.63%, ItW (o/a) 100.00%, Trojans 92.23%, Worms & bots 96.03%, False positives 0

Comodo is a relative newcomer to our comparatives, although the company and the product have been around for some time. (RAP 84.8%) The company's top-of-the-line suite solution came as a 34MB installer but required full online updating on the deadline day. The set-up process was rather lengthy, partly because it included an extra component called Geek Buddy, a support and troubleshooting system covering all aspects of the computer, with live chat and remote control by support staff. Once the initial install and required reboot were out of the way, this component had its own separate update process, which seemed to require a full re-download and re-install just moments after the initial one. Then another update process began. Eventually everything seemed fully set up and up to date, th
46. additional time taken to perform our set of tasks fairly insignificant, CPU use when busy was sky high, a result confirmed by a repeat run of the full set of measures. Detection rates were excellent, with rock-solid scores in the RAP sets; on-access scores in the main sets seemed oddly lower than on-demand, but the WildList was handled fine in both modes and there were no problems in the clean sets either, earning Check Point another VB100 award. The company's infrequent submission pattern, generally only targeting our annual XP test, means only two passes and one fail in the last 12 tests, with the rest not entered.

Clearsight Antivirus 2.1.48
Definitions version 13.6.215
ItW 100.00%, Polymorphic 100.00%, ItW (o/a) 100.00%, Trojans 86.49%, Worms & bots 95.91%, False positives 0

Another in the family of solutions based on the Preventon SDK and VirusBuster engine, Clearsight returns for only its second attempt at VB100 certification, having been denied it last time thanks to a minor technicality in what was clearly a solid product. The latest version, as expected, was supplied fully updated in a 67MB installer. Setting up followed a simple pattern (EULA screen, install location, go) with no reboot needed. An Internet connection was required to activate the product and access full controls, but all was over in under a minute. (RAP 85.2%) The interface is highly familiar by now; this v
47. showing in the core sets earns Webroot a VB100 award, the vendor's fourth from four entries in the last two years, and perhaps its most exhausting for us so far.

CONCLUSIONS

Another giant test with another record-breaking roster of products entered, and once again we considerably overshot our target completion date. However, the main cause of this was not the large number of products. Nor was it the perhaps rather ambitious plan to introduce some new, untried and rather time-consuming performance measures into the busiest test of the year, nor the absence of half the lab team through illness for the bulk of the testing period. The main issue was with a handful of unruly, unstable, slow and unreliable products, perhaps a dozen or so, taking up the whole lab for a full two weeks. The other 55 or so were completed in less than three weeks, and had all products behaved as well as we hoped, or indeed as well as the majority did, we could easily have squeezed in another 30 or so in the time we had available. The bulk of wasted time was the result of inadequate or unreliable logging facilities and lack of user controls. Products which insist on quarantining, disinfecting and so on by default are fairly commonplace; it's a fairly sensible approach given the lack of interest most users display in their own security. However, even if most users are not interested in controls and would be unlikely to set their products to log only
48. taking place 4-7 August, also in Las Vegas. For more information see http://www.blackhat.com/ and http://www.defcon.org/.

The 20th USENIX Security Symposium will be held 10-12 August 2011 in San Francisco, CA, USA. See http://usenix.org/.

VB2011 takes place 5-7 October 2011 in Barcelona, Spain. The conference programme will be announced shortly at http://www.virusbtn.com/conference/vb2011/.

RSA Europe 2011 will be held 11-13 October 2011 in London, UK. For details see http://www.rsaconference.com/2011/europe/index.htm.

ADVISORY BOARD
Pavel Baudis, Alwil Software, Czech Republic
Dr Sarah Gordon, Independent research scientist, USA
Dr John Graham-Cumming, Causata, UK
Shimon Gruper, NovaSpark, Israel
Dmitry Gryaznov, McAfee, USA
Joe Hartmann, Microsoft, USA
Dr Jan Hruska, Sophos, UK
Jeannette Jarvis, Microsoft, USA
Jakub Kaminski, Microsoft, Australia
Eugene Kaspersky, Kaspersky Lab, Russia
Jimmy Kuo, Microsoft, USA
Costin Raiu, Kaspersky Lab, Russia
Péter Ször, McAfee, USA
Roger Thompson, AVG, USA
Joseph Wells, Independent research scientist, USA

SUBSCRIPTION RATES
Subscription price for 1 year (12 issues):
Single user: 175
Corporate (turnover < 10 million): 500
Corporate (turnover < 100 million): 1,000
Corporate (turnover > 100 million): 2,000
Bona fide charities and educational institutions: 175
Public libraries and government organizations: 500
Corpora
tests proved somewhat difficult, as a number of our scripts and tools seemed to be being prevented from running. No warnings were displayed by the product, however, and no log entries could be found referencing the actions carried out. Delving into the controls, we eventually found some settings to whitelist applications and added everything used by our tests, but still they were not allowed to function properly. In the end we had to completely disable the firewall portion of the product to get a simple job like fetching files with wget to work. With this done, we saw some decent scanning speeds, especially in warm runs where unchanged files are ignored. Lag times were very low too, and resource use and impact on tasks were also kept to a minimum. This did little good in our larger jobs, but some special controls disabling the default quarantining action promised to speed things through, and with these enabled we set off the main detection task with high hopes. Close to 60 hours later it all seemed finished and we moved on to the on-access tests. These were performed on write, as on-read protection appeared not to be present. Again it took several days to complete the process of copying the main sample sets from one place to another. Logs were at least comprehensive and complete though, and results were finally harvested, showing the expected solid scores, declining slightly in the newer parts of the RAP sets. A fine
than a minute run time, with no reboot needed. The interface is glitzy and shiny without overdoing things, and has a slightly unusual but not unusable design. Options, once they have been dug out, are fairly thorough, and stability was good, allowing us to zoom through most of the tests in good time. We had some problems with some of our performance measures, where some of the automation tools were apparently being blocked by the product, and at one point a scheduled job we had prepared to run overnight failed to activate. However, it's possible that we missed some important step out of the set-up procedure. Nevertheless, we got everything done in reasonable time. Scanning speeds were OK in some areas but a little on the slow side in others, while on-access lag times were a little heavy. Memory use was a little on the high side, but CPU use was not too bad and our set of tasks was completed in good time. Detection rates proved pretty decent across the sets, and had suspicious detections been included in the count they would have been considerably higher. The core certification sets were well handled and a VB100 is well deserved by Quick Heal. The vendor's record shows ten passes and two fails in the last two years, with all of the last six tests passed.

Returnil System Safe 2011
Version 3.2.11937.5713 REL12A
ItW 100.00%; Polymorphic 100.00%; ItW (o/a) 100.00%; Trojans 78.88%; Worms & bots 91.46%; False positives 0

We f
that I would be exposed to an increasing number of customer escalations. This also meant that anything I couldn't speak confidently about would come back to haunt me. In mid-2007, I was looped into an escalation for a new customer who was receiving a lot of phishing messages in which the attacker was spoofing the From address. These messages were evading our filters and landing in people's inboxes. Users were being fooled by the messages, clicking the links, and their workstations were being compromised. This was

Table 1: Comparison between SPF and SenderID.
- Domain that it works on: SPF: envelope sender (P1). SenderID: [garbled] or the envelope sender (much less common).
- How does it treat SPF records? SPF: works per normal. SenderID: [garbled] SenderID record does not exist.
- How does it treat SenderID records? [garbled]; works per normal.
- Strengths, SPF: can stop some phishing (good for some whitelisting); can prevent backscatter by only sending bounces to messages that pass an SPF check; can reject some messages in SMTP before accepting any data.
- Strengths, SenderID: better at stopping phishing or spoofing that visually tricks the user; the PRA derives from actual Resent- headers and Sender and From headers, which makes validation on forwarded mail theoretically possible.
- Weaknesses, SPF: doesn't catch phishing when the P1 From is Neutral or None and the PRA is spoofed; doesn't work on forwarded mail.
- Weaknesses, SenderID: prone to false positives when mail is sent on behalf of another; doesn't work on forwarded mail.
this detection took place at 8PM on a Friday, and we had hoped to get a few hundred thousand more in the bag by Monday morning, it was a bit of a disappointment to find it sitting there waiting for our decision when we got back after the weekend. Repeating this job meant it took up more than double the expected 24-hour period, even excluding the time we were out of the office. (RAP 67.7) Scanning speeds were pretty sluggish, even with the fairly light default settings, and turning on full scanning of archives resulted in a truly exhaustive and lengthy scan time. On-access measures showed some pretty heavy lag times too, although memory use was low and other performance measures around average. Detection rates were rather disappointing given the OEM engine included, and we had to repeat things later on to reassure ourselves we had not made some mistake. A second run showed the exact same set of scores, however. These were not too dismal, but well short of what was expected, and although the clean set seemed to be handled without problems, a handful of items in the WildList went undetected and a VB100 award remains just out of reach for Hauri. The product has been entered twice in the last year, with a similar lack of success on each occasion.

Ikarus T3 virus.utilities 1.0.258
Virus database version 77801
ItW 99.83%; Polymorphic 95.58%; ItW (o/a) 99.83%; Trojans 97.27%; Worms & bots 99.43%; False positives 3

Ikarus earned its first VB
was evident from the early call to the GetVersion API and a check on the AL register of whether the value is equal to 5 that the author's original intention was to infect files in Windows 2000. Now, however, Windows XP, Windows XP 64-Bit Edition, Windows Server 2003 and Windows Server 2005 R2 can also be infected, since their version number also starts with 5.

Infection routine

Once it has ascertained that the OS can be infected, StreamC uses the FindFirstFileA and FindNextFileA APIs to search in the current directory for executable files (.exe) to infect. If, for instance, calc.exe is found, StreamC checks if the file is compressed by checking its attributes for the value 0x800 (FILE_ATTRIBUTE_COMPRESSED). The malware will skip further processing of calc.exe if it is compressed, but otherwise it will proceed to compress the file using NTFS file compression via a call to the DeviceIoControl API. Using the FSCTL_SET_COMPRESSION (0x9C040) IoControlCode and the COMPRESSION_FORMAT_DEFAULT value, calc.exe is compressed in the default NTFS compression format. Afterwards, calc.exe is copied to a temporary file. While calc.exe is stored away securely in a temporary file, StreamC creates a copy of itself using the filename calc.exe. Afterwards, the temporary file is placed into the malware's memory space and copied as an ADS: the calc.exe:STR stream contains the original contents of calc.exe. Note that the ADS naming con
we could finally get testing under way. As we have come to expect with BitDefender products, the interface has multiple personalities, with different degrees of complexity depending on the skills and knowledge of the operator. We opted for the most advanced mode, of course, which we found to provide an excellent level of controls in a nice, usable style. The simpler versions also seemed clear and well laid out, and the styling is attractive. Stability was generally decent, although during one large scan of infected items there was a scanner crash, with no log data to be found, so nothing to show for several hours' worth of machine time. Nevertheless, decent progress was made elsewhere and the full test suite was completed in good order. Scanning speeds were OK, with caching of results apparently no longer in effect on demand, where it is perhaps of less use than on access. Here, lag times were very light indeed and did speed up enormously in the warm runs. CPU use was a little higher than many this month, but memory consumption was low, as was slowdown of our set of tasks. Detection rates were splendid as usual, with excellent scores in the main sets and a very slow decline across the weeks of the RAP sets, the proactive week a whisker short

[Chart: On-demand throughput (MB/s), system drive; product labels unrecoverable.]
will move from stalking on the Internet to attempting to kill the victim. As the Vidocq Society transfers its expertise to the cyber world, we should expect to hear more from them. A panel entitled 'Cyberwar, Cybersecurity and the Challenges Ahead' was led by James Lewis of the Center for Strategic and International Studies, with panel members Michael Chertoff (Former United States Secretary of Homeland Security), Mike McConnell (Booz Allen Hamilton) and Bruce Schneier (BT). The panel was asked why there is so much attention on cyber war. Schneier indicated that categorizing something as a war is sexier than categorizing it as a cyber attack; it's what sells and allows for bigger budgets. Overstating the threat is a good way to get people scared. These are big terms, and useful if you want to set up a cyber command. The panel's consensus was that we are not engaged in cyber war; at risk of it, yes, but the situation now, while uncomfortable and dangerous, is not war. The Russian denial-of-service attack against Georgia was brought up as an example of where we have observed an aspect of cyber war. Terrorists could be sophisticated enough to destroy major systems; when we are facing an attack or one is under way, what can our governments do? We must create policies and procedures in advance. With the entire globe riding on the same internet infrastructure, we
[Table: On-demand throughput (MB/s), continued: Media and documents; Other file types (columns: Default cold, Default warm, All files). Values unrecoverable.]
4
Database version 6.16970
ItW 100.00%; Polymorphic 100.00%; ItW (o/a) 100.00%; Trojans 93.85%; Worms & bots 98.44%; False positives 0

The second entry from PC Tools is the company's well-known Spyware Doctor brand, which has a long history in the anti-spyware field. (RAP 90.39) This also has a rather longer history in our tests than the IS version, dating back to 2007. The product itself is fairly similar in look and feel, with the installer somewhat smaller at 185MB, and the set-up process running through the same set of stages, successfully this time with no reboot requested at the end. The interface is also similar, although with fewer modules than the full suite edition, and provides fairly basic configuration controls. Speeds and performance measures were pretty comparable, with slow cold speeds in the on-demand scans and much faster in the warm runs. Fairly heavy lag times were observed in the same sets as for the IS product, but less so in the sets of archives and executables, and there was high use of memory and processor cycles and a fairly heavy slowdown when carrying out our set of tasks. Detection rates were just about identical, with solid scores in the main sets and decent coverage of the RAP sets, declining from high levels in the earlier part to lower but still respectable levels in the latter half. The core sets proved no problem and a second VB100 award goes to PC Tools.
[Chart: On-demand throughput (MB/s). Series: System drive; Archives (defaults cold, defaults warm, all files); Binaries and system files (defaults cold, defaults warm, all files); Media and documents (defaults cold, defaults warm, all files); Other file types (defaults cold, defaults warm, all files). Y axis: Throughput (MB/s). Product labels unrecoverable.]
[Chart: RAP scores by product; labels largely unrecoverable (legible: Hauri ViRobot Desktop 65.26, 69.24, [?], 65.61, 74.07, 67.73). Please refer to text for full product names.]

[Table: Reactive And Proactive (RAP) scores (Reactive weeks, Reactive overall, Proactive, Overall); legible rows: iolo System Shield 76.12, 72.43, 67.46, 72.01, [?], 73.25; K7 Total Security 86.13, 78.12, 75.25, 79.83, 82.20, 80.42. Please refer to text for full product names.]

Detection rates were uniformly excellent, with only the tiniest number of samples not spotted, and even the proactive week of the RAP sets covered superbly. The WildList was demolished in short order, and the only alerts in the clean sets were for password-protected arc
7
Virus engine version 4.2.2571
ItW 100.00%; Polymorphic 100.00%; ItW (o/a) 100.00%; Trojans 93.07%; Worms & bots 98.08%; False positives 1

Fortinet's main business is in the appliance market, but its client solutions have long been regulars in VB100 tests, with some strong improvement in detection seen over the last few tests. The installer is a tiny 9.8MB, supplemented considerably by 132MB of updates. The set-up process starts with a choice of free or premium versions, then after a couple more clicks and a pause of 20 seconds or so it's all ready to go without a reboot. Applying the updates is a simple and similarly speedy process. (RAP 88.2) The interface is efficient and businesslike, with an intuitive layout and an excellent level of configuration, as one would expect from a primarily corporate solution. Operating proved generally easy and stable, although at one point a considerable amount of work was wasted when the product appeared to delete all logs from the previous day, despite having explicitly been told not to. Even with this delay, testing did not overrun by more than a few hours. We also noted that the on-access scanner is fired when browsing folders containing infected items with the scanner module, which was rather confusing. Speeds and lag times were fairly average, as were other performance measures, with CPU use perhaps slightly higher than most. De
title of Most Innovative Company. Invincea took home the 2011 title for its fully virtualized browser and PDF reader that seamlessly runs a virtual environment separately from the desktop operating system. This protects users against web-borne and PDF-embedded threats.

HIGHLIGHTS FROM THE TRACK SESSIONS

With so many talks to choose from, I decided to attend as many anti-malware industry presentations as I could. Under 'Hot Topics' I found a panel entitled 'The Digital Apocalypse: Fact or Fiction', which was moderated by John Pescatore of Gartner, with panellists Dmitri Alperovitch (McAfee), Bob Dix (Juniper Networks), Mike Echols (Salt River Project) and Justin Peavey (Omgeo). Key takeaways were that targeted attacks are politically motivated and are not sophisticated. Attacks are focused on integrity and availability, not on confidentiality, with the integrity attacks the most concerning. An APT attacker wants you like a dog with a bone: it doesn't matter how long it takes, they will keep trying. Another panel also proved interesting: 'Breaking News: Up to the Minute Hacking Threats' was moderated by investigative journalist Brian Krebs, with panellists Eric Chien (Symantec), Wade Baker (Verizon Business) and Jeremiah Grossman (WhiteHat Security). Grossman predicted that in 2012 every website will be vulnerable. Verizon has noted an upswing in customized malware, and that organizations are simply
[...].89%
OnlineGames (Trojan) 2.81%; Injector (Trojan) 2.00%; Sality (Virus) 2.30%; Heuristic/generic (Virus/worm) 2.17%; StartPage (Trojan) 2.09%; Kryptik (Trojan) 2.00%; Small (Trojan) 1.77%; Heuristic/generic (Misc) 1.54%; AutoIt (Trojan) 1.50%; Hupigon (Trojan) 1.49%; Zbot (Trojan) 1.46%; Dropper-misc (Trojan) 1.40%; Heuristic/generic (Trojan) 1.40%; Crack/Keygen (PU) 1.33%; Iframe (Exploit) 1.28%; Alureon (Trojan) 1.21%; PDF (Exploit) 1.20%; Bifrose/Pakes (Trojan) 1.18%; Virtumonde/Vundo (Trojan) 1.12%; Tanatos (Worm) 1.10%; Virut (Virus) 1.07%; PCClient (Trojan) 0.89%; Hoax (PU) 0.81%; Others 18.28%; Total 100.00%.
Figures compiled from desktop-level detections. Readers are reminded that a complete listing is posted at http://www.virusbtn.com/Prevalence/.

TECHNICAL FEATURE 1
DEFEATING mTANs FOR PROFIT, PART TWO
Axelle Apvrille, Kyle Yang, Fortinet

Until recently, malware on mobile devices had not been used for organized crime involving large amounts of money. This changed when the infamous Zeus gang, known for targeting online banking, started to show a clear interest in infecting mobile devices and released a new version of their bot to propagate a trojan for mobile phones. This two-part series, based on a paper presented at ShmooCon 2011, presents an in-depth analysis of the Zitmo trojan. Last month [1] we presented some background information on Zeus and mobile malware and looked at how the attack behind Zitmo works. In this
[Table: On-demand test results, mostly unrecoverable; legible rows: McAfee VirusScan Enterprise 0, 100.00, 1047, 94.75; Norman Security Suite 0, 100.00, 2394, 88.00; Webroot Internet Security Complete 0, 100.00, 98.50, 100.00, 3381, 91.99. Please refer to text for full product names.]

Detection rates were pretty decent, with an interesting two-step pattern in the RAP scores, and after a few unlucky months where settings of the on-access component denied Avertive certification, this time all went well i
ISSN 1749-7027

CONTENTS
COMMENT: IE 6: 5, 4, 3, 2, 1
NEWS: No mail for Alisons, Alberts, Algernons; Old breach rears its head
VIRUS PREVALENCE TABLE
TECHNICAL FEATURES: Defeating mTANs for profit, part two; Hiding in plain sight
CONFERENCE REPORTS: Phighting cybercrime together; RSA 2011 conference review
FEATURE: Sender authentication: practical implementations
COMPARATIVE REVIEW: VB100 comparative review on Windows XP SP3
END NOTES & NEWS

APRIL 2011: IN THIS ISSUE

COUNTDOWN TO ZERO: With 34.5% of the market share in China, Gabor Szappanos fears that IE 6, the browser with 473 publicly known unpatched vulnerabilities, will not disappear any time soon. (page 2)

MEETING OF MINDS: Martijn Grooten and Jeannette Jarvis report on two important security industry events: the first APWG eCrime Researchers Sync-Up and the 20th annual RSA conference. (pages 14 and 16)

VB100 ON WINDOWS XP: With a staggering 69 products on this month's VB100 test bench, the VB lab team hoped to see plenty of reliability and stability. But while the majority of products were well behaved, the team was woefully disappointed by a handful of unruly participants. John Hawes has all the details. (page 25)

COMMENT: '...the outlook is alarming when you [...] local prevalence in China, which peaks at 34.5%.' Gabor Szappanos, VirusBust
MS socket to receive all messages is not possible, because the phone's built-in applications are already using this method, the trojan uses ESmsAddrMatchText, but with a special trick (see Figure 1): it specifies that the incoming messages to receive must begin with nothing. This method works and actually receives all incoming SMSs. Note this trick has also been explained in [3]. In this article, ARM assembly listings are all taken from Zitmo. They use the following convention: functions beginning with NokiaUpdate have been named and reverse-engineered by us; functions beginning with _ZN have automatically been resolved by IDA Pro (they correspond to standard Symbian API calls). Other functions, starting with sub_, are usually not very relevant and have not been reversed. Lines starting with a semicolon are comments.

    ; Open socket: RSocket::Open(RSocketServ&, uint, uint, uint)
    BL   _ZN7RSocket4OpenER11RSocketServjjj
    STR  R0, [R11,#errcode]    ; store the return code
    LDR  R3, [R11,#errcode]
    CMP  R3, #0                ; if return code != KErrNone
    BNE  loc_7C90DAF8          ; jump to this location if error
    SUB  R0, R11, #0x54
    BL   _ZN8TSmsAddrC1Ev      ; TSmsAddr::TSmsAddr(void)
    SUB  R0, R11, #0x54
    MOV  R1, #4                ; ESmsAddrMatchText
    ; Set socket family with SetSmsAddrFamily(ESmsAddrMatchText)
    BL   _ZN8TSmsAddr16SetSmsAddrFamilyE14TSmsAddrFamily
    SUB  R0, R11, #0x54
    SUB  R3, R11, #0x24
    MOV  R1, R3                ; _L8: set text to match to _L8
    BL   _ZN8TSmsAddr12
RE 2
HIDING IN PLAIN SIGHT
Raul Alvarez, Fortinet, Canada

Malware uses various different encryption techniques, compression algorithms and stealth technologies to avoid detection by anti-virus scanners. Stealth technologies like rootkits are often used to hide malicious components from anti-virus scanners. In this article we will look at another, lesser-known stealth technology. The alternate data stream (ADS) is an old Windows trick that can easily be exploited by malware authors to hide their files. In this article we will look at the early use of ADS in a proof-of-concept virus (StreamC), at how a folder can be infected (Rustock), and at ADS in use in the wild today (Joleee). We will also discuss the future of ADS in malware.

PART I: STREAM OF CONCEPT

Windows introduced ADS with the inception of NTFS in Windows NT. The NTFS file system is capable of supporting multiple streams of data: one file that is visible to the user and several other files behind it. But one of the drawbacks is that we can't transfer such a file to a non-NTFS storage device, such as a USB flash drive, unless it is formatted as NTFS; attempting to move a file containing ADS to non-NTFS storage will result in only the primary file being copied, and the ADS will vanish into thin air.

The concept

Around the year 2000, a proof-of-concept virus (let's call it StreamC) was created with ADS, and at that time it only infected files in Windows 2000. It
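The ADS mechanism described here, and the StreamC infection routine discussed elsewhere in this issue (the original program hidden in a calc.exe:STR stream behind a copy of the virus), can be checked for from the defender's side. The following is an added example, not code from the article, from Fortinet or from the author: a Python script that enumerates every named data stream on a file through the Windows FindFirstStreamW/FindNextStreamW API (via ctypes), together with a platform-independent parser for the ":name:$DATA" stream-name format that API returns. The sample stream names and the Zone.Identifier allow-list are constructed for the example; list_streams and scan_directory only work on Windows against an NTFS volume.

```python
import ctypes
import os
import sys

# WIN32_FIND_STREAM_DATA: a 64-bit size followed by a name buffer of
# MAX_PATH + 36 wide characters (layout per the Windows SDK headers).
STREAM_NAME_CHARS = 260 + 36


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    _fields_ = [("StreamSize", ctypes.c_int64),
                ("cStreamName", ctypes.c_wchar * STREAM_NAME_CHARS)]


def parse_stream_name(raw):
    """Split a stream name as reported by FindFirstStreamW/FindNextStreamW.

    The API reports the unnamed (primary) stream as '::$DATA' and an
    alternate stream such as calc.exe:STR as ':STR:$DATA'.
    Returns (stream_name, stream_type); stream_name is '' for the primary.
    """
    if not raw.startswith(":"):
        raise ValueError("not a stream name: %r" % raw)
    name, sep, stream_type = raw[1:].rpartition(":")
    if not sep or not stream_type.startswith("$"):
        raise ValueError("malformed stream name: %r" % raw)
    return name, stream_type


def is_alternate_stream(raw):
    """True for any named stream, i.e. anything except the primary '::$DATA'."""
    name, _ = parse_stream_name(raw)
    return name != ""


# Constructed sample of what the API returns for a file laid out the way
# the article describes StreamC's victim: the primary stream (the virus
# copy) plus the 'STR' alternate stream holding the original program.
SAMPLE_STREAM_NAMES = ["::$DATA", ":STR:$DATA"]


def suspicious_streams(stream_names, allow=("Zone.Identifier",)):
    """Return named streams other than the well-known benign ones.

    Zone.Identifier is written by browsers on downloaded files and is
    almost always benign; any other named stream deserves a look.
    """
    found = []
    for raw in stream_names:
        name, _ = parse_stream_name(raw)
        if name and name not in allow:
            found.append(name)
    return found


def list_streams(path):
    """Windows/NTFS only: enumerate (name, type, size) for every stream."""
    if sys.platform != "win32":
        raise OSError("stream enumeration needs the Windows API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = WIN32_FIND_STREAM_DATA()
    invalid_handle = ctypes.c_void_p(-1).value
    # InfoLevel 0 is FindStreamInfoStandard; dwFlags must be 0.
    handle = k32.FindFirstStreamW(path, 0, ctypes.addressof(data), 0)
    if handle == invalid_handle:
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            name, stream_type = parse_stream_name(data.cStreamName)
            streams.append((name, stream_type, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.addressof(data)):
                break  # ERROR_HANDLE_EOF: no more streams on this file
    finally:
        k32.FindClose(handle)
    return streams


def scan_directory(directory):
    """Map each file under directory that carries unexpected named streams
    to the list of those stream names (Windows only)."""
    report = {}
    for root, _, files in os.walk(directory):
        for fname in files:
            path = os.path.join(root, fname)
            try:
                raw = [":%s:%s" % (n, t) for n, t, _ in list_streams(path)]
            except OSError:
                continue  # unreadable file or non-NTFS volume
            hits = suspicious_streams(raw)
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_directory(target).items():
        print(path, hits)
```

Because the article notes that an ADS does not survive a copy to a non-NTFS volume, a scan like this is only meaningful on the original NTFS location; the size field reported alongside each stream is the quickest way to spot a "hidden" stream that is as large as a whole program.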
    SetTextMatchERK6TDesC8

Figure 1: Assembly code to intercept all incoming SMS messages.

[Figure 2: How Zitmo processes incoming SMS messages (flowchart: parse commands; do command / update settings; change admin; release SMS to inbox; forward SMS to admin; drop it).]

Each time the mobile phone receives an SMS, the trojan's socket intercepts it before it reaches the phone's inbox. It reads its content (in the socket, RSmsSocketReadStream class in the API) and processes it. An explanation of SMS processing is illustrated in Figure 2. The trojan checks who has sent the incoming SMS. There are three cases:

1. Sender is monitored. If the SMS comes from a phone number the trojan is configured to monitor (i.e. if the phone number is specifically mentioned in the trojan's phone number table, or if the trojan is configured to monitor all incoming numbers), the SMS is diverted to the administrator's phone number (see Figure 3). The victim will never see this SMS in his inbox.
2. Sender is administrator. In this case the trojan parses the message body for a known command and processes it.
3. Sender is neither monitored nor administrator. This happens when the victim receives an SMS from somebody the malicious gang does not care about, in which case the SMS is released to the victim's inbox (the fact that the victim receives some SMS messages helps reduce suspicion), or in other cas
Since SPF is the most common authentication technology, they would do something like the following. One dismissive argument I hear regarding SPF's ability to prevent spoofing by Hard Failing spoofed addresses is that all a spammer has to do to circumvent it is to send mail from a slightly different account, say state.wa.gov@ghsataw.com. This is true, and spammers do this. However, they also spoof the actual domains, and they do this a lot. I have not measured which is more prolific, but the spoofing occurs so often that it is a legitimate scenario that requires a solution.

SMTP Mail From (P1): tkgghsas.wa.state.gov@bigcommunications.com
From (P2): communications@wa.state.gov
To: tzink@wa.state.gov
Subject: Latest results of bill 2101

Dear tzink@wa.state.gov,

The results of Bill 2101 are in. The legislature has voted to approve the use of 2 million to the University of Diamondville to study the effects of weightlessness on tiny screws. This can have vast repercussions here in the future, everything from watch making to watch repair. Stay tuned for more updates.

Washington State Department of Communications

Obviously, the contents of the mail above are entirely fictional and far-fetched, and a government department might not outsource their communications. However, large corporations like Microsoft do. If an SPF check in the above example were performed on the P1 From address, the result would be an SPF Pa
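The gap the passage describes, and the SPF row of Table 1 above (SPF validates only the envelope sender, so it cannot catch a spoofed P2 From when the P1 check is Pass, Neutral or None), can be made concrete with a small evaluator. What follows is an added example, not code from the article or its author: a minimal SPF evaluator in Python that implements the ip4, ip6, include and all mechanisms, fed by a constructed stand-in for DNS (the records and IP ranges are invented, and the real policies of the domains named are not consulted). check_message runs the policy for both the P1 and the P2 domain against the same connecting IP, which is how the spoof in the article's sample message becomes visible.

```python
import ipaddress
import re

# Constructed stand-in for DNS TXT lookups. These records are invented for
# the example; documentation ranges (RFC 5737) stand in for real addresses.
SPF_RECORDS = {
    "bigcommunications.com": "v=spf1 ip4:203.0.113.0/24 include:relay.example -all",
    "relay.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "wa.state.gov": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Pretend DNS: return the v=spf1 TXT record for a domain, or None."""
    if not domain:
        return None
    return SPF_RECORDS.get(domain.lower())


def evaluate_spf(domain, client_ip, depth=0):
    """Evaluate the domain's SPF policy for the connecting IP.

    Returns one of pass/fail/softfail/neutral/none/permerror. Only the
    ip4, ip6, include and all mechanisms are implemented, which is enough
    to show the P1-versus-P2 gap; a production evaluator also needs a, mx,
    ptr, exists, redirect and the DNS lookup limit from the SPF RFCs.
    """
    if depth > 10:
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the 'v=spf1' tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            # Membership is False when the IP version does not match.
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            matched = evaluate_spf(argument, client_ip, depth + 1) == "pass"
        elif mechanism == "all":
            matched = True
        else:
            matched = False                   # unsupported mechanism: no match
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                          # no mechanism matched


def domain_of(address):
    """Extract the domain from 'user@domain' or 'Name <user@domain>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower().rstrip(".") if m else None


def check_message(mail_from, header_from, client_ip):
    """Compare SPF verdicts for the P1 (envelope) and P2 (header) domains.

    SPF proper only judges the P1 domain. Running the same policy check on
    the P2 domain shows what the recipient actually sees: whether the
    visible From domain authorizes this sender, and whether P1 and P2 agree.
    """
    p1, p2 = domain_of(mail_from), domain_of(header_from)
    return {
        "p1_domain": p1, "p1_result": evaluate_spf(p1, client_ip),
        "p2_domain": p2, "p2_result": evaluate_spf(p2, client_ip),
        "aligned": p1 == p2,
    }


if __name__ == "__main__":
    # The article's fictional message: envelope sender at the outsourcer,
    # header From at the spoofed department, sent from the outsourcer's IP.
    print(check_message("tkgghsas.wa.state.gov@bigcommunications.com",
                        "communications@wa.state.gov", "203.0.113.7"))
```

For the sample message the P1 domain passes, exactly as the passage says, while the P2 domain fails for the same IP and the two domains do not align; a filter that stops at the P1 result never sees the second half of that picture.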
VirusBuster Professional

[Table residue: on-access column headers, unrecoverable.]

settle down, but in our haste a reboot was initiated, which soon solved things. With the interface fully functional, the online update ran in reasonable time, given that over 260MB of detection data was being fetched. The interface is something of a joy, being designed for maximum clarity and simplicity but at the same time providing an impeccably detailed set of configuration controls to satisfy the most demanding power user. Examining deeply into archives on access was the only area we could claim to be lacking. The scheduler received particular praise from the lab team for its nifty design. Despite our earlier fears, the product proved rock solid as far as stability goes, and although the multi-pronged approach inevitably affected speed over our large test sets, it still got everything done and dusted in excellent time. Scanning speeds over clean samples were a little on the slow side, as were lag times on access. Although RAM was a little higher than many, a
XP from the package provided. Instead, it must be set up on a supported platform (Windows 7 or a recent server edition) and deployed from there. In great haste, as we needed to run an online update before the deadline day expired, a precious machine was taken away from its usual duties and set up with Windows 7. Installing the management system is a rather complex process with a number of dependencies, a guide tool helping by listing those not yet met. These included the IIS system, Flash Player for the interface and some changes to the firewall, as well as the local password, which didn't come up to the product's safety standards. With the system installed we then faced further hurdles with the licensing scheme, which appears to need 2 a.m. to pass before it accepts new licences, and then running updates, which proved rather baffling and was not helped by the progress window being hidden in some kind of secured zone, having been reported as not fully compatible with Windows. We finally managed to get the latest definitions in place just as the deadline came to an end. Next day, safely isolated from further updates, we tried deploying to the machine which would be used for the test proper, having navigated the pretty but not entirely intuitive management interface in what we hoped was the right way. A discovery job found our test machines readily enough, but try as we might, remote installation seemed unwilling to run
a) 100.00%; Trojans 16.70%; Worms & bots 39.45%; False positives 0

Kingsoft is a major player in the Chinese market and has been a regular in our comparatives since its first appearance in 2006. (RAP 29.5) The vendor came into this month's test looking for a change of fortune after a string of tricky tests upset by problems with polymorphic viruses in our WildList sets. The vendor's Advanced version came as a compact 68MB installer, which runs through simply in a handful of standard steps with no reboot required. The product interface is bright and cheerful, not the most visually appealing but clean and simply laid out, with a basic but functional set of configuration controls. Operation was stable and solid throughout, and the tests were completed in good time. Scanning speeds were not outstanding, but on-access lag times were not bad, and while RAM use was a little higher than some, CPU use was below average, as was impact on our suite of standard activities. Detection rates were far from stellar, with low scores in all our sets. The trojans set was particularly poorly covered, and RAP scores fluctuated unpredictably but never achieved anything close to a decent level. Nevertheless, the core certification requirements were met, with no problems in the WildList or clean sets, and a VB100 award is duly earned. The last two years show six passes and four fail
a VB100 award this month. After several tests skipped, the company's test history now shows six passes and a single fail over the last two years, with two entries, both passed, in the last six tests.

Trustport Antivirus 2011 11.0.0.4606
ItW 100.00%; Polymorphic 100.00%; ItW (o/a) 100.00%; Trojans 99.16%; Worms & bots 99.85%; False positives 0

Trustport is one of the handful of multi-engine products that routinely vies for the highest set of scores in our tests, marking out the top right corner of our RAP quadrant as its own. We have been testing the vendor's products since June 2006, during which time a range of engines have been used, but of late the company seems to have settled on a fairly winning combination of BitDefender and AVG. (RAP 98.0) The twin cores make for a fairly large install package, although not too huge at 188MB including all required updates. The set-up process is fairly speedy, with no deviations from standard practice, and all is done in a minute or so with no need to restart. The interface is a little unusual, with multiple mini-GUIs rather than a single unified console, but it proves reasonably simple to operate with a little exploring, and provides a solid set of controls, as one would expect from a solution aimed at the more demanding type of user. Under heavy pressure the interface can become a little unstable, occasionally doing strange
ably most normal users would see little of this benefit, as there would rarely be much written to logs anyway. The only people with large amounts of data to log are those who have too much data to be comfortably stored in memory without causing horrible side effects: the slowdowns, collapses and fails we have seen so many of this month.

Having dealt with the dark side, there are also good things to report this month. We saw a good ratio of passes, with only a few products not qualifying for certification, partly of course thanks to our extreme efforts in the face of difficulties, but mainly due to good detection rates and low rates of false alarms. Those not making it were generally denied by a whisker, with only a few showing fair numbers of false positives or significant samples not covered. In a couple of unlucky cases the selection of default settings led to items being missed which could otherwise easily have been detected. In general, though, performances were good. As well as the simpler measure of certification passes, we saw some excellent scores in our RAP sets, with a general move towards the upper right corner of the quadrant. We saw several new names on this month's list, a few of whom had some problems, but several put in strong showings, and there are a number of proud new members of the VB100 award winners' club. We also saw some interesting results in our performance measures, which we'll continue to refine going forw
agged out the testing process somewhat, but with careful organization we just about got it all done in not much over a day. Scanning speeds were fairly average and on-access lag times a little lighter than many, with low use of CPU cycles and RAM. Impact on our activities suite was not excessive either.

[Table: On-access tests. Per-product results for the WildList, Worms & bots, Polymorphic viruses and Trojans sets (samples missed and percentage detected), continued on the following page. Please refer to text for full product names.]
ail that Hard Fails a traditional SPF check. I don't typically recommend this, because more legitimate mail than you might think fails SPF checks, although for certain organizations that are heavily spoofed it makes sense. (Technically speaking, SenderID authenticates against the PRA, which is either the Resent-Sender, Resent-From, Sender or From field. In the majority of cases this is the From field.) We had to decide whether we wanted a Hard Fail to be used as a weight in the engine or to automatically mark the message as spam. Experience had taught me that auto-marking anything that Hard Fails an SPF check as spam would be prone to false positives. My proposal was to use the failure of this feature as a weight in the engine by default, and then give users another option to mark anything that Hard Failed the check as spam. However, a colleague pointed out that this would over-complicate things for users. For one, they would have to enable this option manually. Second, they would subsequently have to click another checkbox to mark a message as spam instead of using the Hard Fail as a weight in the spam evaluation. That was too much. Better to pick one action and give the user the on/off option than to make them do two things. I decided to go with the auto-mark as spam option in the event that a message performed a From Address Authentication and returned a Hard Fail. Simplifying the design was the best option, even i
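To show the difference between the two hard-fail policies discussed here, the following is an added example (it is not the filter's code and not from the article) that selects the PRA in the header order given above and then scores a message either by adding a weight for a hard fail or by marking it as spam outright. The SPF lookup is replaced by a constructed table standing in for DNS, the weight and threshold values are assumed, and the sample messages are constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Header order in which SenderID picks the Purported Responsible Address.
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")

# Constructed stand-in for the DNS lookup: domain -> hosts allowed to send for
# it. Every listed domain is treated as publishing a '-all' (hard fail) record;
# an unlisted domain publishes no record at all.
SPF_TABLE = {
    "example.com": {"192.0.2.10", "192.0.2.11"},
    "lists.example.net": {"198.51.100.7"},
}

HARD_FAIL_WEIGHT = 3.5   # assumed contribution of a hard fail in 'weight' mode
SPAM_THRESHOLD = 5.0     # assumed engine threshold


def purported_responsible_address(msg):
    """First non-empty PRA header, as a bare lower-cased address, or None."""
    for name in PRA_HEADERS:
        value = msg.get(name)
        if value:
            addr = parseaddr(str(value))[1]
            if "@" in addr:
                return addr.lower()
    return None


def spf_check(domain, connecting_ip):
    """'pass', 'hardfail' or 'none' for connecting_ip against domain's record."""
    allowed = SPF_TABLE.get(domain)
    if allowed is None:
        return "none"
    return "pass" if connecting_ip in allowed else "hardfail"


def evaluate(raw_message, connecting_ip, mode="weight", base_score=0.0):
    """Apply one of the two hard-fail policies.

    mode='weight': a hard fail adds HARD_FAIL_WEIGHT; the verdict still depends
                   on the rest of the score, so a lone hard fail is not spam.
    mode='mark':   a hard fail marks the message as spam outright.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    pra = purported_responsible_address(msg)
    result = spf_check(pra.rsplit("@", 1)[1], connecting_ip) if pra else "none"
    score = base_score
    if result == "hardfail":
        if mode == "mark":
            return {"pra": pra, "spf": result, "score": score, "spam": True}
        score += HARD_FAIL_WEIGHT
    return {"pra": pra, "spf": result, "score": score, "spam": score >= SPAM_THRESHOLD}


# Constructed sample messages.
DIRECT = "From: Alice <alice@example.com>\r\nSubject: hi\r\n\r\nhello\r\n"
# Relayed through a list: the From domain would hard-fail from the list's host,
# but the PRA is the Sender header, so the list domain's record is what counts.
VIA_LIST = ("From: Alice <alice@example.com>\r\n"
            "Sender: owner-dev@lists.example.net\r\n"
            "Subject: [dev] hi\r\n\r\nhello\r\n")
FORGED = "From: CEO <ceo@example.com>\r\nSubject: wire\r\n\r\npay now\r\n"
```

The VIA_LIST message is the case that makes the PRA choice matter: checked against the From domain it would hard-fail, checked against the Sender it passes. FORGED shows the two policies diverging on the same message: in weight mode the hard fail alone stays under the threshold, in mark mode it is spam regardless of anything else.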
al graphs that we re-ran the tests to confirm them, but got almost identical results on a second run through. In the infected sets things were also a little problematic. Although the on-access run went by in a flash, on-demand scans were once again hampered by the storage of all data in memory, the overworked test system slowly grinding to a halt as its resources were eaten up. One attempt at running the standard scan of the full sets froze up with more than 1GB of memory taken up. Resorting once more to running multiple smaller jobs and ripping results out of the raw SQL database files created at the end of each scan, we finally got the required data, which

[Table: File access lag time (s/GB). Per-product figures for default cold and warm runs over archive files, binaries and system files, media and documents, and all files; NA where the default settings do not scan the set. Please refer to text for full product names.]
all for the rootkit functionality. In its simplicity, Rustock uses _lcreat and _lwrite to make a stream in a folder, but hiding using ADS is not enough. Rustock knows that it can easily be detected; hiding the code deeper using a rootkit is the next feasible step. By calling the OpenSCManagerA API Rustock is now ready to launch its code as a service: with a call to the CreateServiceA API with SERVICE_KERNEL_DRIVER (0x00000001) as the ServiceType parameter, c:\windows\system32:lzx32.sys is now launched as a device driver (see Figure 4). Finally, a call to StartServiceA activates the driver. The main rootkit functionality is to hide c:\windows\system32:lzx32.sys. By launching lzx32.sys as a service, Rustock secures a dual layer of stealth technology for its code: an ADS and a rootkit, not to mention that it is a stream in a folder. (An atom is a 16-bit integer used to access the string in the atom table, a list of global strings.)

PART III: A JOLEEE GOOD FELLOW

Is ADS still used by malware today? Yes: a prevalent worm known as Joleee is still in the wild, and at the time of writing a recent variant of Joleee shows signs of ADS usage. We will explore how this malware survives in the wild and how it uses an old-style hiding capability.

Simply ADS

Joleee uses a Bredolab-style anti-debugging trick and employs an encryption algorithm to hide its API names. After decrypting and resolving the first batch of APIs, Joleee sets up some registry sett
although some of the configuration was a little hard to find. Thankfully, past experience had taught us to search thoroughly to make sure all configuration options were checked. Intrusion prevention and firewalling is provided in addition to the anti-malware component, and there are some extra tools as well. Testing ran through smoothly without any major problems; even the log viewer, which has caused some pain in the past, proved solid and stable. Scanning speeds were not super fast, but lag times were low, with fairly low use of RAM too; CPU use was a little higher though, and the time taken to complete our set of tasks was around average. Detection rates were very good, continuing an upward trend observed in recent tests, and the WildList and clean sets presented no problems at all. AhnLab earns a VB100 award, making six passes and four fails in the last two years with two tests not entered; five of the vendor's last six entries have passed.

Antiy Ghostbusters 7.1.5.2760, version 2011.02.23.20. ItW 87.02%, Polymorphic 19.82%, ItW (o/a) NA, Trojans 23.91%, Worms & bots 72.88%, False positives 4. Antiy was an interesting newcomer to our line-up this month. We have been in contact with the company for some time now and have long looked forward to the product's debut in our comparatives. Antiy Labs hails from China, with branch offices in Japan and the US, and has been operating for over a decade. It makes its scanning engine availa
ard, hopefully making them more accurate and reliable as we fine-tune the methodology over the next few tests. We also hope, now that the lab has a little breathing space, to get back to work on plans to expand coverage of a wide range of protective layers and technology types. The overheating, overworked lab hardware may need a little downtime first though, as might the similarly hot and tired lab team, to recover from what has been quite an ordeal.

Technical details: All products were tested on identical machines with AMD Phenom II X2 550 processors, 4GB RAM, dual 80GB and 1TB hard drives, running Windows XP Professional SP3. For the full testing methodology see http://www.virusbtn.com/vb100/about/methodology.xml

VB2011 BARCELONA, 5-7 October 2011. Join the VB team in Barcelona, Spain for the anti-malware event of the year: three full days of presentations by world-leading experts on rogue AV, botnets, social network threats, mobile malware, Mac threats, spam filtering and cybercrime, plus last-minute technical presentations and networking opportunities. Full programme at www.virusbtn.com. The Hesperia Tower, Barcelona, Spain. VB subscriber rate 1795; register before 15 June for a 10% discount. Book online at www.virusbtn.com.

END NOTES & NEWS: Infosecurity Europe will take place 19-21 April 2011 in London, UK. For more details see http://www.infosec.co.u
article we will present our reverse engineering of Zitmo and attempt to draw lessons from the attack, as well as suggesting methods for circumventing it.

1. ZITMO FOR SYMBIAN

The Zitmo package consists of a few resource files and an executable named NokiaUpdate.exe. The resource files are typical of Symbian applications (such as the resource in c:\private\101f875a\import, which is used to automatically restart an executable after the phone reboots) and are of little interest for the purpose of reverse engineering. NokiaUpdate.exe is more interesting, however. The exe file centralizes all malicious functionality in a single daemon, and this is what we analyse.

1.1 Initial tasks

The first time NokiaUpdate.exe is run after installation it sends an SMS to 44778148xxxx with the text 'App installed ok'. Both the text and the phone number are hard-coded, hence easily locatable in the malware's strings. To ensure that no SMS will be sent the next time the exe file is run, the file c:\20022B8E\firststart.dat is created and used as a flag: the presence of the file indicates that the trojan has already been launched; if it is absent, an SMS should be sent. During the first start-up the trojan also creates an SQL database, c:\20022B8E\Numbers.db, containing three tables, tbl_contact, tbl_phone_number and tbl_history, as depicted in Tables 1-3. The contact table lists contacts to spy on. Only the first column, the index, is used b
as made to its own product to its OEM partners sometime soon.

VirusBuster Professional 7.0.44, virus scan engine 5.2.0, virus database 13.6.217. ItW 100.00%, Polymorphic 100.00%, ItW (o/a) 100.00%, Trojans 88.90%, Worms & bots 96.33%, False positives 0. VirusBuster is another old hand at the VB100, with entries running back over a decade and the vendor's last missed entry way back in 2007 (RAP score 89.1%). As usual, we've seen several entries spawned from this engine this month, with most achieving good results, which bodes well for VirusBuster itself. However, those most closely modelled on the original engine have had some nasty issues this month, with scan slowdowns and memory drainage, which left us somewhat apprehensive. The 69MB installer tripped through rapidly, with nothing too taxing to think about and no reboot needed before applying the 62MB offline update bundle. The interface is very familiar, having barely changed in many years, but somehow still seems to bewilder and baffle with its awkward and non-standard layout and approach to controls, which are actually provided in decent depth once they are dug out. Running through the speed sets proved simple, with scanning speeds and lag times around average and resource use and impact on everyday tasks fairly low. Getting through the larger infected sample sets proved harrowing as feared, though, with several crashes and several scans taking huge a
as run could prod the product into functioning properly. This rather baffling result denies Keniu a VB100 award this month; the vendor's record shows three consecutive passes in its earlier three entries.

Keyguard Internet Security Antivirus 1.1.48, definitions version 13.6.215. ItW 100.00%, Polymorphic 100.00%, ItW (o/a) 100.00%, Trojans 86.49%, Worms & bots 95.91%, False positives 0. Another from the family of products based on the Preventon set-up, Keyguard was a last-minute addition to this month's list, our first contact with the company coming on the submission deadline day itself (RAP score 85.2%). The familiar 67MB installer was pushed through its set-up in good order, with the usual connection to the Internet required to activate and access controls. The Keyguard version of the interface has a pleasant spring green colour scheme, with the usual simple but lucid and usable layout and solid levels of stability. Speeds and overheads were all on the decent side, with low impact on file accesses and activities and low use of resources, while detection rates were decent and respectable. With no problems in the certification sets, Keyguard proves worthy of a VB100 award on its first attempt.

Kingsoft Internet Security 2011 Advanced, program version 2008.11.6.63, engine version 2009.02.05.15, data stream 2007.03.29.18, virus definitions 2011.02.24.02. ItW 100.00%, Polymorphic 96.04%, ItW (o
avy. Most users would consider the reasonable system impact more than made up for by the superb detection levels achieved by the product, which destroyed our test sets with barely a crumb left behind. The RAP set closely approached complete coverage in the earlier two weeks, dropping off only very slightly. The WildList presented no difficulties, and finally the clean set was handled without incident either. Lavasoft's Total product earns its first VB100 award after its third showing.

Logic Ocean GProtect 1.1.48, definitions version 13.6.215. ItW 100.00%, Polymorphic 100.00%, ItW (o/a) 100.00%, Trojans 86.49%, Worms & bots 95.91%, False positives 0. Yet another entry from the Preventon family, based on the VirusBuster engine, GProtect was another last-minute arrival, turning up right at the end of the submission deadline day (RAP score 85.2%). This version of the solution had the same 67MB installer, running through the same handful of steps to get set up rapidly, with no need to restart, although an Internet connection is needed to activate. The interface is a rather sickly blend of greens, oranges, purples and pastel blues, but with some turning down of the screen it is just about bearable, and provides the usual solid if basic set of controls. Stability remained excellent, with no problems getting through the full test suite within the expected time. Scanning times were OK and lag times not too
ble as an SDK, which sees it used in various firewalls, UTMs and other security devices, according to the company's website (RAP score 62.0%). The product was sent in as a 50MB executable which had some fairly recent updates included, but for optimum performance we installed and updated the product online on the deadline date. This was not as simple as it might have been, as the product is only available in Chinese; however, a thorough usage guide was kindly provided, and once Chinese support had been added to the test system it was fairly straightforward to figure out what to click and when. The set-up process took only a few minutes, including updating, with no need to reboot. The main product GUI looks slick and professional, although of course much of the actual content was unintelligible to us, and navigating wasn't too difficult thanks to a combination of the guide provided, basic recognition of some characters and a general sense of where things tend to be in anti-malware product interfaces. The initial stages of testing ran through very nicely, with all on-demand tests zipping through without difficulty, but the on-access component proved elusive. We could find no evidence of the on-access scanner in initial trials of our archive tests, but this was inconclusive, since we found that the on-demand component did not detect the EICAR test file either. Various other attempts, including checking that files were d
ble to actions against the hosts. Marc Vilanova of la Caixa described a method to track such networks, while other presentations dealt with IP reputation using network topology estimation, and botnet detection and remediation. Phishing is traditionally seen as a threat involving email and websites, and these subjects were discussed as well. A presentation by Richard Urbanski of AZB dealt with avoiding automated detection by using homoglyphs, for instance by substituting the Cyrillic 'а' for the Latin 'a', while Brendan Bowles of University College Dublin discussed language models to detect phishing.

EDUCATION

As demonstrated by recent examples of previously silenced botnets being resurrected and disconnected spammers continuing to ply their trade, the only effective way to stop cybercriminals is to find them, arrest them and bring them to court. This is something that requires more than simple cooperation between researchers, industry experts and law enforcement agencies; it also requires significant technical knowledge among the latter group. I was therefore particularly interested to learn that a number of universities, University College Dublin, host of the event, among them, have set up courses on cybercrime specifically for law enforcement. These courses are essential not just to educate a new generation of police officers, but also to educate existing officers for whom dealing with cybercrime has become an incr
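As an added example (not from the conference or from the presentation mentioned), the following checks a domain name for the homoglyph trick described above: it decodes punycode labels, records which scripts each label mixes, and reduces each label to a Latin 'skeleton' using a small hand-picked subset of Unicode confusables (the full confusables table is assumed, not embedded). A label that mixes scripts, or that is non-ASCII yet collapses to a plain ASCII skeleton, is reported.

```python
import unicodedata

# Small hand-picked subset of the Unicode confusables table: non-Latin letters
# that render like a Latin letter. The full table is assumed, not embedded.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",
}
# First word of the Unicode character name for characters that belong to no script.
_NEUTRAL = {"DIGIT", "HYPHEN-MINUS", "FULL", "LOW"}


def script_of(ch):
    """Approximate the script from the character name ('LATIN', 'CYRILLIC', ...)."""
    first = unicodedata.name(ch, "UNKNOWN").split()[0]
    return "COMMON" if first in _NEUTRAL else first


def to_unicode(domain):
    """Decode punycode labels so the check sees what the user sees."""
    if any(label.lower().startswith("xn--") for label in domain.split(".")):
        return domain.encode("ascii").decode("idna")
    return domain


def analyse_domain(domain):
    """Per label: scripts used, whether they are mixed, and the Latin skeleton."""
    findings = []
    for label in to_unicode(domain).lower().split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        skeleton = "".join(CONFUSABLES.get(c, c) for c in label)
        findings.append({
            "label": label,
            "scripts": sorted(scripts),
            "mixed": len(scripts) > 1,
            "skeleton": skeleton,
            # a label that is not ASCII but whose skeleton is, impersonates an ASCII name
            "lookalike": skeleton != label and skeleton.isascii(),
        })
    return findings


def is_suspicious(domain):
    return any(f["mixed"] or f["lookalike"] for f in analyse_domain(domain))
```

The skeleton check catches the all-Cyrillic case that a mixed-script rule alone misses, while genuine non-English names such as bücher.example stay clean because their skeleton is unchanged.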
curity industry. Its attendees are a veritable Who's Who in the worldwide security community. You'll find everything from pre-conference training, deep technical content, peer-to-peer sessions and alliance summits to working group meetings, professional development seminars, executive forums and so much more. There is something here for everyone, including far too many social events that will have you hopping from one event to another every night. This is truly a conference not to be missed.

Securing your Organization in the Age of Cybercrime: a one-day seminar in association with the MCT Faculty of The Open University. Are your systems SECURE? Is your organization's data at RISK? Are your users your greatest THREAT? What's the real DANGER? Learn from top IT security experts about the latest threats, strategies and solutions for protecting your organization's data. Book your place today to make sure your business is protected: www.virusbtn.com/seminar or call 01235 555139. Seminar, 24 May 2011, Milton Keynes, UK, The Open University.

FEATURE: SENDER AUTHENTICATION: PRACTICAL IMPLEMENTATIONS
Terry Zink, Microsoft, USA

In my six-part series on sender authentication [1-6] I wrote about a number of topics: how SMTP works, email headers, SPF, SenderID and DKIM. I mainly wrote about the theoretical constructions of the system and illustrated some cons
d incoming calls are not blocked. Finally, the last few phone numbers are those listed in the phone number table (partially blurred). We added those phone numbers to our test phone using the relevant ADD SENDER commands. They are ignored because the trojan is configured to monitor all incoming numbers.

2. SECURITY CONSIDERATIONS AND SOLUTIONS

Zitmo is quite worrying for two main reasons. First, it is difficult to spot. Even security-aware users could fall into the trap and have their mobile phone infected. The only weak signs that something is amiss consist of (1) receiving an alleged certificate packaged as a Symbian package (.sis or .sisx) and not as a standard certificate (.p12 or .pfx), and (2) having an unknown application listed in the phone's Application Manager. The rest of the social engineering is quite plausible. Moreover, the trojan is signed by Symbian, which gives end users a false sense of security. In reality, the fact that the trojan went through the Express Signed program does not mean the application was reviewed. Only some randomly selected applications are reviewed, and Zitmo was not one of those. Obviously a more thorough analysis of the packages undergoing the Express Signed program (e.g. the Symbian security capabilities they require, in-house testing, etc.) might block more malware, but this has a financial cost nobody seems to be willing to pay. The Apple Store and the Android Market get the money from app
dard jobs took a while to run through as well. Detection rates were pretty solid, with a lot of partial detections ruled out under our rules thanks to being labelled as suspicious only. The clean set threw out none of these alerts, though, and certainly no full detections, and with the WildList covered admirably Optenet earns another VB100 award, making it two from two attempts.

PC Booster AV Booster 1.1.48, definitions version 13.6.215. ItW 100.00%, Polymorphic 100.00%, ItW (o/a) 100.00%, Trojans 86.49%, Worms & bots 95.91%, False positives 0. This is the second time on the test bench for PC Booster, whose product is another in the Preventon line. The vendor's previous entry, in last December's Windows 7 test, was thrown off course by an unlucky technicality, with the on-access component not checking packed files on read or on write. This month, given the results of a plethora of similar products, all seemed to be on course for a smoother run (RAP score 85.2%). The installer was once again 67MB and completed in a few simple steps with no reboot, but a brief spell online was required to activate a licence for full functionality. The interface has a crisp, cool blue and white colour scheme, with the layout unchanged from the rest of the range; tests ran through according to a well-oiled schedule, completing in good order with no stability issues. Speeds were average
dard tasks. Detection rates were also respectable, with a decline into the later parts of the RAP sets but no serious issues, and full coverage of the WildList and clean sets. A VB100 award thus goes to SPAMfighter, its second from five entries in the last seven tests.

GFI/Sunbelt VIPRE Antivirus 4.0.3904, definitions version 8516, VIPRE engine version 3.9.2474.2. ItW 100.00%, Polymorphic 99.79%, ItW (o/a) 100.00%, Trojans 97.99%, Worms & bots 99.67%, False positives 0. The VIPRE product has been taking part in our tests for 18 months or so now, with some decent results and, in recent tests at least, signs of overcoming some nasty issues with stability which made its earlier appearances something of a chore (RAP score 94.6%). The installer is pretty small at only 16MB, but contains no detection data initially, requiring the extra 62MB of the standard update bundle to get things fully set up. The initial job is thus very rapid, with just a couple of clicks required, and all is complete in about ten seconds before a reboot is demanded. After the reboot a set of set-up stages must be run through, and a demo video is offered to guide one through using the product. This is probably not necessary for most users, with the GUI fairly simple and clearly laid out, and with little by way of fine controls to get lost in; most areas seem limited to little more than on or off. Thankfully, stability was ge
ditional updates it ran through in good time with no surprises. The product is a full suite, including firewall, anti-spam, mail and web monitors and some intrusion prevention components (RAP score 61.4%). The interface has been adjusted and improved a little of late and is now looking complete and polished. The layout is

[Table: On-demand tests. Per-product results for the WildList, Worms & bots, Polymorphic viruses and Trojans sets (samples missed and percentage detected). Please refer to text for full product names.]
[Chart: System resource usage and impact on standard activities (contd). Per-product idle-system RAM usage increase, busy-system RAM usage increase, busy-system CPU usage increase and standard file activities time increase, scale 0-100%; a negative value was recorded for busy CPU in one case. Please refer to text for full product names.]

after that mainly taken up with firewall-related steps and checks, and a reboot was needed at the end. The interface reflects the company's Swiss origins with its red and white colour scheme, and looks efficient and businesslike without seeming unfriendly or intimidating. Configuration is not over-generous for the anti-malware component (the full suite also including anti-spam and several other modules), but provides enough controls for most purposes and is easy to navigate and operate. Stability was excellent, with no problems at any point, and the use of caching of results, even in infected items, meant that the tests were sped through in excellent time. Aided by the caching, scanning speeds were lightning fast, lag times feather light and performance measures stayed well within acceptable bounds. Scores were solid, as we have come to expect from the VirusBuster engine underlying things, with decent levels across all sets. The WildList and clean sets were handled
[Figure 3: Creating an ADS in a system32 folder.]

Re-infection. If the event DC5E72A0-6D41-47e4-C56D-024587F4523B is not found, it proceeds to check for the presence of an atom with the same event string; otherwise it creates one using the GlobalFindAtomA and GlobalAddAtomA APIs (see Figure 2). To create an ADS in a folder, Rustock uses the GetSystemDirectoryA API to generate the system folder's path; lzx32.sys is then appended to the folder's name, followed by a call to the _lcreat API to create (for example) c:\windows\system32:lzx32.sys and a call to the _lwrite API to write the malware code to the stream (see Figure 3).

[Figure 4: Call to CreateServiceA. Parameters recoverable from the listing: hManager; ServiceName "pe386"; DisplayName "Win23 lzx files loader"; DesiredAccess SERVICE_START; ServiceType SERVICE_KERNEL_DRIVER; StartType SERVICE_SYSTEM_START; ErrorControl SERVICE_ERROR_IGNORE; BinaryPathName "C:\WINDOWS\system32:lzx32.sys"; LoadOrderGroup "Base"; pTagId NULL; pDependencies NULL; ServiceStartName NULL; Password NULL.]
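The ADS-hosted driver service described in this part (the _lcreat/_lwrite stream hung off the system32 folder, then CreateServiceA with a BinaryPathName pointing into that stream) is straightforward to hunt for from the defender's side: any kernel-driver service whose ImagePath contains a stream separator deserves a look. The following is an added example written for this article, not code from the Rustock analysis or from any tool it mentions; it runs over a constructed list of service records of the kind a walk of HKLM\SYSTEM\CurrentControlSet\Services would yield, and only the 'pe386' entry reproduces values from Figure 4, the rest being invented for illustration.

```python
import re

# ServiceType value Rustock passes to CreateServiceA (see Figure 4).
SERVICE_KERNEL_DRIVER = 0x00000001

_DRIVE = re.compile(r"^[A-Za-z]:")


def normalise_image_path(path):
    """Strip quoting and the NT object-manager prefixes seen in ImagePath values."""
    p = path.strip().strip('"')
    for prefix in ("\\??\\", "\\\\?\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
            break
    return p


def ads_components(path):
    """Return (host, stream) if the path names an alternate data stream, else None.

    The drive-letter colon is not a stream separator, and a trailing ':$DATA'
    stream-type qualifier is removed before looking for the real separator.
    """
    p = normalise_image_path(path)
    if p.upper().endswith(":$DATA"):
        p = p[:-len(":$DATA")]
    rest = _DRIVE.sub("", p, count=1)
    if ":" not in rest:
        return None
    drive = p[:len(p) - len(rest)]
    host, stream = rest.rsplit(":", 1)
    return drive + host, stream


def is_folder_stream(host):
    """Heuristic: a host whose last component has no extension is taken to be a
    folder, the case Rustock relies on (a stream hung off system32 itself)."""
    last = host.rstrip("\\").rsplit("\\", 1)[-1]
    return "." not in last


def suspicious_driver_services(services):
    """services: iterable of dicts with 'name', 'type' and 'image_path', as a
    walk of HKLM\\SYSTEM\\CurrentControlSet\\Services would yield them.
    Returns one finding per kernel-driver service whose binary is an ADS."""
    findings = []
    for svc in services:
        if svc.get("type") != SERVICE_KERNEL_DRIVER:
            continue
        ads = ads_components(svc.get("image_path", ""))
        if ads is None:
            continue
        host, stream = ads
        findings.append({"service": svc["name"], "host": host,
                         "stream": stream, "on_folder": is_folder_stream(host)})
    return findings


# Constructed sample records. Only 'pe386' reproduces values from Figure 4;
# the others are invented for illustration.
SAMPLE_SERVICES = [
    {"name": "pe386", "type": 0x1, "image_path": r"C:\WINDOWS\system32:lzx32.sys"},
    {"name": "Tcpip", "type": 0x1, "image_path": r"\SystemRoot\System32\DRIVERS\tcpip.sys"},
    {"name": "vmdrv", "type": 0x1, "image_path": r"\??\C:\Program Files\VM\vm.sys"},
    {"name": "hidden2", "type": 0x1, "image_path": r"C:\WINDOWS\system32\calc.exe:x.sys:$DATA"},
    {"name": "Spooler", "type": 0x10, "image_path": r"C:\WINDOWS\system32:spoolsv.exe"},
]

if __name__ == "__main__":
    for finding in suspicious_driver_services(SAMPLE_SERVICES):
        print(finding)
```

On a live system the records would come from the registry (or from a disk image of it, which is the only reliable source once the rootkit is loaded and hiding the service); the path logic is the part that matters, since a colon after the drive letter is the one thing the ADS trick cannot avoid.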
e SMS socket, processes it and decides it must be dropped, does not commit any new entry on the phone's message server, and makes sure it marks the socket message as successfully processed, as in the two other cases (see Figure 9). It is important to mark the SMS PDU as successfully processed or it will reappear in the inbox on the next reboot.

1.5 Reverse engineering techniques

Symbian malware is typically reverse engineered using static code analysis. IDA Pro is particularly handy for Symbian because it supports ARM assembler and automatically resolves most Symbian API calls. Static code analysis represents a high percentage of our reverse engineering for Zitmo, but in addition we have been able to use two other techniques.

Spoofing the administrator. As mentioned previously, the trojan's protocol to configure a new phone number for the administrator is flawed, because anybody can claim to be the new administrator provided their phone number is not currently being monitored. So for our experiments we used two phones, one infected by the Zitmo malware and the other one to act as the administrator, instead of the real Zeus gang. There are two ways to become the new administrator

[Figure: IDA Pro session on the Zitmo executable.]
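To make the administrator-spoofing flaw concrete, here is an added behavioural model of the SMS handling this article describes; it is not Zitmo's code and nothing in it is lifted from the binary. It assumes a text command syntax: 'ADD SENDER <number>' is the only command name the article gives, 'SET ADMIN <number>' is a stand-in name for the administrator-change message, the 'Fr:' separator in forwarded messages follows the body construction shown in Figure 8 but its exact spelling is assumed, the handling of a non-command SMS from the administrator is assumed, and every phone number other than the hard-coded beacon number is constructed. The same model also exercises the first-start flag and the forwarding of spied-on messages, so it covers the earlier sections on initial tasks and SMS interception as well as this one.

```python
import re

BEACON_NUMBER = "44778148xxxx"   # hard-coded in the sample; last digits masked in the article
_ADD_SENDER = re.compile(r"ADD SENDER\s+(\+?\d+)")
_SET_ADMIN = re.compile(r"SET ADMIN\s+(\+?\d+)")   # assumed name for the admin-change message


class ZitmoModel:
    """Model of the SMS handling described in the article (not the trojan's code)."""

    def __init__(self, admin, monitor_all=True, flag_present=False):
        self.admin = admin                 # number that receives forwarded SMS
        self.monitor_all = monitor_all     # the analysed sample monitors everyone
        self.monitored = set()             # numbers added with ADD SENDER
        self.flag_present = flag_present   # stands in for firststart.dat
        self.history = []                  # stands in for tbl_history
        self.outbox = []                   # (destination, text) pairs "sent"

    def start(self):
        """First-start logic: beacon once, then create the flag file."""
        if self.flag_present:
            return False
        self.outbox.append((BEACON_NUMBER, "App installed ok"))
        self.flag_present = True
        return True

    def handle_sms(self, sender, text, strict_admin=False):
        """Process one incoming SMS and return the action taken."""
        cmd = text.strip().upper()
        m = _SET_ADMIN.fullmatch(cmd)
        if m:
            # The flaw: anybody not currently being monitored may nominate the
            # new administrator. strict_admin is the obvious fix, binding the
            # change to the current administrator's number.
            allowed = sender == self.admin if strict_admin else sender not in self.monitored
            if allowed:
                self.admin = m.group(1)
                return "admin-changed"
            return "dropped"
        if sender == self.admin:
            m = _ADD_SENDER.fullmatch(cmd)
            if m:
                self.monitored.add(m.group(1))
                return "sender-added"       # command consumed, never reaches the inbox
            return "delivered"              # assumed: a non-command admin SMS is left alone
        if self.monitor_all or sender in self.monitored:
            # Forward to the administrator with the sender appended, following
            # the body construction in Figure 8 ("Fr:" separator assumed).
            self.history.append((sender, text))
            self.outbox.append((self.admin, f"{text} Fr:{sender}"))
            return "forwarded"
        return "delivered"
```

Run against the model, the attack is a single SMS from a number the trojan is not watching; after it, every intercepted message goes to the attacker instead of the original operator. The same message from a monitored number is refused, which is exactly the asymmetry the article points out.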
e a complete set of results. Speed measures were a little slow on demand, with some fairly heavy lag times on access, and with RAM use about average and impact on our suite of tasks average too; CPU use was fairly high. Our decryption of the logs we gathered showed some fairly respectable scores in most areas, with no problems in the clean sets or with the on-demand scan of the WildList set. On access, however, the same large file which has tripped up a couple of other products was not spotted, probably due once again to a cap imposed on the file size to scan, although we could find no visible information on this limit and no clear way to change it if desired. This missed detection was enough to deny iolo its second VB100 award by a whisker. From three entries in the last two years the vendor now has two fails and one pass.

K7 Total Security 11.1.0025, malware definition version 9.90.3942. ItW 100.00%, Polymorphic 100.00%, ItW (o/a) 100.00%, Trojans 84.52%, Worms & bots 95.92%, False positives 0. K7 Computing has become a regular in our tests over the last few years, building up a solid record of success and keeping the lab team happy with simple, reliable products (RAP score 80.4%). The latest version was provided as a 71MB installer complete with all required definition data. The install process seems to consist only of a welcome screen and a EULA; in the blink of an eye everything is d
e deal with sender authentication? Part 3. Virus Bulletin, August 2010, p.15. http://www.virusbtn.com/pdf/magazine/2010/201008.pdf
[4] Zink, T. What's the deal with sender authentication? Part 4. Virus Bulletin, September 2010, p.17. http://www.virusbtn.com/pdf/magazine/2010/201009.pdf
[5] Zink, T. What's the deal with sender authentication? Part 5. Virus Bulletin, December 2010, p.12. http://www.virusbtn.com/pdf/magazine/2010/201012.pdf
[6] Zink, T. What's the deal with sender authentication? Part 6. Virus Bulletin, January 2011, p.8. http://www.virusbtn.com/pdf/magazine/2011/201101.pdf

COMPARATIVE REVIEW: VB100 COMPARATIVE REVIEW ON WINDOWS XP SP3
John Hawes

When Windows XP first came out, George W. Bush was still in his first year of presidency. The 9/11 attacks took place between the platform's release to manufacture and going on retail sale, as did the launch of the first-generation iPod. Wikipedia was less than a year old, and Google was just starting to turn a profit, while the likes of Facebook, Skype, YouTube and World of Warcraft were yet to come. Computers themselves were not too different from today, of course, although the Pentium 4 was the hottest chip on the block and x64 was still a couple of years away. Skip forward almost a decade and XP is still with us, not just hanging on by its fingertips but firmly remaining the most popular desktop platform; some estimates put it on over half of all desktop syste
e header is marked as an SMS to deliver (ESmsDeliver, see Figure 7), so that it appears as a message coming from the sender and not to the sender.

Figure 6: Code to switch to the global inbox entry
    ; Switch to entry: CBaseMtm::SwitchCurrentEntryL(long)
    LDR     R0, [R3,#0x34]
    MOV     R1, #0x1002                     ; KMsvGlobalInBoxIndexEntryIdValue
    BL      _ZN8CBaseMtm19SwitchCurrentEntryLEl

Figure 7: Setting the SMS as "to deliver"
    ; CSmsHeader::NewL(CSmsPDU::TSmsPDUType, CEditableText&)
    MOV     R0, #0                          ; ESmsDeliver
    LDR     R1, [R11,#var_80]
    BL      _ZN10CSmsHeader4NewLEN7CSmsPDU11TSmsPDUTypeER13CEditableText
    LDR     R0, [R11,#cmsvstore]
    BL      _ZN9CMsvStore7CommitLEv         ; CMsvStore::CommitL(void)

Figure 8: Adding the sender's phone number to the body of the SMS
    ; Copy original body in TDes16
    LDR     R3, [R11,#var_18]
    ADD     R0, R3, #0xC0
    LDR     R1, [R11,#incomingsmstext]
    BL      _ZN6TDes164CopyERK7TDesC16
    ; Point to "Fr"
    SUB     R0, R11, #0x84
    LDR     R1, =aFr
    BL      _ZN7TPtrC16C1EPKt               ; TPtrC16::TPtrC16(ushort const*)
    ; Append "Fr" to body
    SUB     R2, R11, #0x84
    LDR     R3, [R11,#var_18]
    ADD     R0, R3, #0xC0
    MOV     R1, R2
    BL      _ZN6TDes166AppendERK7TDesC16    ; TDes16::Append(TDesC16 const&)
    ; Append sender's phone number
    LDR     R3, [R11,#var_18]
    ADD     R0, R3, #0xC0
    SUB     R3, R11, #0x6C                  ; sender's phone number
    MOV     R1, R3
    BL      _ZN6TDes166AppendERK7TDesC16
    ; Send SMS
    BL      NokiaUpdate::CommitDraft

RSocket::Ioctl(u
97. e positives: 0

Specializing in the optimization, clean-up and recovery spheres, iolo has been active in security for a while too, with occasional VB100 entries dating back to 2007. The company achieved its first VB100 award in the last Windows 7 test (see VB, December 2010, p.27), with its current security offering based on the F-Prot engine. [RAP: 73.3%]

The install process requires an Internet connection, with the initial installer no more than a downloader only 450KB in size. This fetches the main installer, which is also fairly small at 3MB, and which proceeds to fetch the other components required. The process is not too long or taxing, but a reboot is needed at the end. The interface is attractive and simply laid out with minimal clutter, and provides a decent level of configuration in a pleasantly accessible style. The only things missing were a setting to simply block or record detections without any automatic action, and the lack of an option to save log data to a file, leaving us wrangling an ugly and ungainly database format into shape to retrieve results.

VIRUS BULLETIN www.virusbtn.com

Occasionally scans seemed to stop at random, and the awkward log format made it difficult to see how far they had gone, or even if any results had been saved. We also saw some scans claiming to have completed but clearly not having covered the full area requested. In the end, however, we managed to pull together what looked to b
98. ear but have been producing anti-malware products for some time too. When we first looked at their solutions they were using the Norman engine, but of late they have been based on VirusBuster, using the Preventon SDK but adding a fair amount of their own work to things. The installer came in at 68MB including all updates, and the set-up process was zippy and to the point, with a request for the user's email details the only notable aspect. Everything is done in under a minute, with no need to reboot. The interface is a khaki green, the logo adorned with military chic, and the layout fairly clear and simple. Some options were a little baffling though: checkboxes marked 'turn on/off' beg the question of whether checked means on or off. Although the layout is different, much of the wording is similar to other products based on the same SDK, with perhaps a few extra settings over and above those provided by the others. We also found that registry entries used elsewhere to ensure logs were not thrown out after a certain time were missing, or at least not where we expected, so we had to run tests in smaller jobs to ensure all data was kept for long enough for us to harvest it. [RAP: 84.3%] Speeds were much as expected: fairly average on demand but pleasantly light on access, with fairly low use of resources and little impact on stan
99. easingly prominent part of their work, yet who often lack the knowledge required to deal with it.

CONCLUSION

There are many events dealing with the fight against cybercrime; indeed, in the same week as the APWG Sync-Up, another anti-cybercrime event took place in London. It is important that these events are organized and that experts get plenty of opportunities to meet. For an event to be successful, it is important not just for the talks to be of good quality, but also for there to be ample time for discussion. At the APWG Sync-Up there were plenty such opportunities for discussion, and I left Dublin not just with the pleasing feeling of having met many friendly and like-minded people, but also with fresh inspiration to continue my daily job.

CONFERENCE REPORT 2
RSA 2011 CONFERENCE REVIEW
Jeannette Jarvis, Independent researcher, USA

The 20th annual RSA Conference was held at the San Francisco Moscone Center in February. The RSA conference began exclusively as a cryptography conference, taking its name from the three founders of the RSA algorithm: Ron Rivest, Adi Shamir and Leonard Adleman. The theme of RSA 2011 was 'The Adventures of Alice & Bob'. Rivest first used these fictitious characters in 1978 to help explain the complex process of encryption. Later, Bruce Schneier, another institution in the cryptography world, added further characters such as Mallory the Malicious
100. eded to complete installation. An Internet connection is needed to apply a licence key, without which much of the configuration is inaccessible, but even with the time taken to complete this step only a minute or so is needed in total to get things up and running. The interface is pared down and simple, but provides a decent range of controls covering most of the standard bases. The only issue that has troubled us in the past is a lack of control over the logging system, which defaults to overwriting logs once they have reached a certain size: 10MB for on-demand scans and 2MB for on-access activity. This presents a problem for us in gathering results of our large scans, of course, but could also pose issues for real-world users: since the default setting is to log every file scanned, it would be easy to run a scan job which turned up an infection but could not tell you at the end what was found or where. Of course, with the default settings some action would have been taken to combat the threat, but it's usually best to be aware of what's been done to your system, even in the name of good security. Fortunately, after some trial and error we managed to increase the log sizes by making some simple registry tweaks. The product proved as solid and stable as on previous occasions, with a nice simple process to get all the tests complete. Slow scanning of some polymorphic samples, which were heavily represented in some of our sets, dr
101. eing added to the various jobs carried out actually left the processor idle. Looking over the results, we saw some confusing variation, with no apparent correlation between the scores recorded and those of other products using the same engine, or even with the same product in different detection modes. So we went back and repeated the tests, finding them once again slow and prone to sudden and unexplained death. Each time a scan failed to complete and report results it was necessary to repair the affected sample set and re-run the job in smaller chunks. Eventually we managed to get at least one set of scan logs for each area of the test sets by running on up to six of our test systems for several further days, but even combining all the various runs together showed far lower scores than anticipated. With no further time available, we finalized the results as the combined best of all jobs. The results for the WildList set, after more than 20 runs through in both modes, seemed to be reliably accurate at least, showing good coverage of the polymorphic items but a fair number of other samples not detected. As a result, no VB100 award can go to AvailaSoft just yet, despite an enormous amount of work on our part.

Avast Software avast! Free Antivirus 6
Version 6.0.1000, engine and virus definitions version 110223-1
ItW: 100.00%  Polymorphic: 100.00%
ItW (o/a): 100.00%  Trojans: 96.80%
Worms & bots: 98.95%  False positives: 0

Avast made some serio
102. end in reasonable time. Scanning speeds were OK and lag times fairly light, with RAM use below average and CPU use a little above average, while the set of activities completed very quickly indeed. Detection rates were excellent, with splendid scores across the board. However, a single item in the WildList set was missed; a closer look showed this was an exceptionally large file which has upset some other products of late, implying that Ikarus imposes some limit on the size of files scanned by default. Further investigation confirmed that there was a cap, sensibly set to 8MB, which was considerably smaller than the file in question. However, removing this limit still did not result in detection, even when the file was scanned on its own. Finding this a little odd, we tried re-running the job with the limit left in place but increased to a size that covered the file in question. This successfully enabled detection, hinting that the controls are less than fully functional. Of course, our rules insist on default settings for our official scores, so the eventual detection cannot be counted. In addition, a handful of false alarms were generated in the clean sets, including a Virut alert on a piece of office software; thus Ikarus doesn't quite make the grade for certification and will have to wait for its third award.

iolo System Shield 4.2.1
ItW: 100.00%  Polymorphic: 100.00%
ItW (o/a): 99.83%  Trojans: 74.39%
Worms & bots: 86.46%  Fals
103. er IE6 5 4 3 2 1

2001 was a memorable year for me. I started working at VirusBuster and thus officially joined the AV industry. I got my first cell phone. I bought my first car (a used one, but who cared?). I moved to a new apartment, which was largely due to the fact that my son had just been born. I also bought a new home PC. 2001 was also the year that Microsoft released Internet Explorer (IE) 6. Over a decade has passed since then. My company has moved office twice, I have switched cell phone four times, I have replaced my home PC three times, I've moved to a new apartment, and I've applied several hotfixes and replaced the engine of my car. Unlike all these other elements in my life, IE 6 has prevailed. On releasing IE 9, three major versions away from our title piece, Microsoft launched a website tracking the astonishingly high prevalence of this elderly web browser [1]: according to data collected by Net Applications, it accounted for 12% of the market share overall in February 2011. It's not only that the overall prevalence of the browser is high, but the outlook is alarming when you consider the browser's local prevalence in China, which peaks at 34.5%. What could be behind this phenomenon? One would expect that in the 21st century, which is all about increasingly rapid change, especially in IT, users would

[1] http://ie6countdown.com

Editor: Helen Martin
Technical Editor: Morton Swimmer
Test Team Director: Jo
104. ersion being in a cool blue and white colour scheme. Its clear and simple operation made it easy to use and test, the only extra task being a registry tweak to enable full logging. Stability was not an issue even under heavy strain, and the tests took just about the full 24 hours allotted. Scanning speeds closely mirrored those of others from this range, being a little slower than average over most types of files, but not too much. On-access lag times were around average, and performance measures showed low use of resources and minimal impact on activities. Detection results were also no big surprise, with solid scores averaging around the 90% mark, with a slight decline towards the more recent parts of the RAP sets. The WildList and clean sets were handled nicely, and Clearsight earns its first VB100 certification on its second attempt.

Commtouch Command Anti-malware 5.1.10
Engine version 5.2.12, DAT file ID 201102232246
ItW: 100.00%  Polymorphic: 100.00%
ItW (o/a): 100.00%  Trojans: 78.39%
Worms & bots: 87.12%  False positives: 0

The Command product name has a long history in VB100 testing, dating all the way back to 1998. [RAP: 77.7%] The company name may have changed with the acquisition of Authentium by Commtouch, but not much seems to have changed in the product itself. The installer is an ultra-compact 12MB, with only 28MB extra by way of updates. The installation process is pretty simple, although it
105. es when the administrator's phone number changes. In this case, the administrator can send a SET ADMIN command from the new administrator phone. In fact, we believe this is a flaw in the trojan's protocol, and will explain later how we have abused it. Note that the SET ADMIN command is the only one a non-administrator can send.

1.3 Remote SMS commands

Zitmo implements 10 different commands: ON, OFF, SET ADMIN, ADD SENDER ALL, ADD SENDER xx, REM SENDER ALL, REM SENDER xx, SET SENDER xx, BLOCK ON, BLOCK OFF. All of these have been described either in [3], [4] or in our previous work [5]. What hasn't been explained yet is how the trojan recognizes the commands in the SMS and processes them. Basically, the trojan reads the SMS body, converts it to upper case and counts the number of spaces in order to work out the number of words in it. If there are no spaces, the only likely commands are ON or OFF. If there is one space, the only possible commands are BLOCK ON or BLOCK OFF, etc. (see Figure 4). This is rather a strange way to recognize commands, and is perhaps copied from a more sophisticated library. Once the trojan knows which command it is dealing with, it must react. Its immediate action always c

Figure 3: SMS intercepted by Zitmo and forwarded to the administrator (lab test phone).
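The command-recognition logic described above (upper-case the body, count spaces, then match against the commands possible for that word count) is simple enough to reproduce as a detection rule: a mail or SMS gateway, or a forensic script run over a handset's message store, can flag texts that parse as Zitmo control commands. The following is an added example written for this page, not code from the article or its authors; the ten command names come from the article, while the sample messages, the sender numbers and the loose phone-number check for the "xx" argument are constructed assumptions.

```python
"""Classifier for Zitmo-style SMS control commands (added example, not code
from the original article). It mirrors the recognition logic the article
describes: upper-case the SMS body, count the spaces to get a word count,
then match against the commands possible for that word count.
Intended use is defensive: flag incoming SMS that look like C&C traffic.
"""
from typing import Optional

# The ten commands named in the article, grouped by word count.
# "xx" stands for a phone number supplied by the administrator.
ONE_WORD = {"ON", "OFF"}
TWO_WORD = {"SET ADMIN", "BLOCK ON", "BLOCK OFF"}
THREE_WORD_FIXED = {"ADD SENDER ALL", "REM SENDER ALL"}
THREE_WORD_PREFIX = {"ADD SENDER", "REM SENDER", "SET SENDER"}  # followed by xx


def looks_like_number(token: str) -> bool:
    """Loose check for a phone-number argument (the article's 'xx');
    this heuristic is an assumption, not the trojan's own test."""
    digits = token.lstrip("+")
    return digits.isdigit() and len(digits) >= 3


def recognise_command(body: str) -> Optional[str]:
    """Return the canonical command name if the body parses as a Zitmo
    command, else None. Follows the trojan's approach: case-fold, then
    dispatch on the number of spaces rather than on a general tokenizer."""
    text = body.strip().upper()
    spaces = text.count(" ")
    if spaces == 0:
        return text if text in ONE_WORD else None
    if spaces == 1:
        return text if text in TWO_WORD else None
    if spaces == 2:
        if text in THREE_WORD_FIXED:
            return text
        prefix, _, arg = text.rpartition(" ")
        if prefix in THREE_WORD_PREFIX and looks_like_number(arg):
            return prefix + " xx"
        return None
    return None  # three or more spaces: none of the ten commands fit


def flag_suspicious(messages):
    """Run the classifier over (sender, body) pairs; return flagged entries
    as (sender, body, canonical_command) tuples."""
    return [(sender, body, cmd) for sender, body in messages
            if (cmd := recognise_command(body)) is not None]


# Constructed sample traffic (not real captures).
SAMPLE_SMS = [
    ("+15550001111", "on"),
    ("+15550001111", "BLOCK ON"),
    ("+15550002222", "set admin"),
    ("+15550001111", "add sender +4412345678"),
    ("+15550003333", "Are you on your way? Call me"),
    ("+15550001111", "ADD SENDER ALL"),
    ("+15550001111", "set sender bob"),
]

if __name__ == "__main__":
    for sender, body, cmd in flag_suspicious(SAMPLE_SMS):
        print(f"{sender}: {body!r} -> {cmd}")
```

Because the match is exact on the space count, an ordinary message such as "Are you on your way? Call me" is not flagged even though it contains the word "on"; conversely, a detector that wants to be more tolerant than the trojan (double spaces, trailing punctuation) should normalise whitespace before counting, which the trojan, as described, does not.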
106. ese days, one its standard desktop suite and the other from the client branch, presumably a more business-focused effort, but there is usually little difference between the two. This client edition had a 58MB installer and a 125MB update bundle, which was shared by the two solutions. [RAP: 95.8%] The set-up process went through several stages, including some questions about management systems and which components to install, and needed a reboot to complete. The interface is dominated by a large green tick to indicate all is well, and has a very simplified design which is somewhat awkward to navigate in places. There is little by way of fine-tuning controls. Stability seemed a little suspect, with some scans freezing and reboots required to restore functionality to the product. Running over infected sets was even more rocky, with age-old logging issues rearing their ugly heads once more. A run over the clean sets reported a number of detections urgently labelled 'infection', but on trying to display the log we were instead shown one from a previous scan over the archive sample set. This sort of disinformation could be extremely troubling to a user. Speeds were very fast once files had been checked out for the first time, and this effect had an even more notable impact on lag times. The batch of standard jobs completed rapidly and resource consumption remained low throughout. Logging problem
107. ests. When these issues were not blocking progress, things zipped along with their customary speed, and even with the issues we still got all the necessary jobs done in under 24 hours. As usual, scanning speeds were fast and lag times very low, with low use of memory and a small effect on the time taken to complete our set of activities, although CPU use was closer to the average for this month's test. With the final results processed, we saw some stomping good scores, highly impressive in all sets. The WildList and clean sets were handled without a glitch, earning Avast another VB100 award for its free product; the company boasts an impeccable 12 out of 12 record in the last two years of our comparatives.

Avertive VirusTect 1.1.48
Definitions version 13.6.215
ItW: 100.00%  Polymorphic: 100.00%
ItW (o/a): 100.00%  Trojans: 86.49%
Worms & bots: 95.91%  False positives: 0

Avertive has appeared in a couple of tests recently, being part of a set of products derived from the same toolkit, a front end and SDK to the VirusBuster engine developed by Preventon, whose own version first took part in late 2009 (see VB, December 2009, p.16). [RAP: 85.2%] The number of these entries continues to grow, with Avertive already one of the more familiar names on the list. The product comes as a 67MB installer and runs through a very standard set of steps, with no reboot ne
108. etected by the on-demand scanner before copying them around the system, and even executing them produced no results, and a request for information from the submitters went unanswered. Whether or not the product even has an on-access component thus remains a mystery, but either way, as it does not appear to be enabled by default, it would not be possible to include it in our official tests. This also meant there was no point in running our standard performance measures, but on-demand scanning speeds were pretty zippy, and the product powered through the infected sets in good time too. The logs showed some fairly disappointing scores, with coverage of polymorphic items particularly poor, but the RAP sets showed a steady, if not super-high, detection rate. The WildList showed a fair few misses, with a handful of false alarms in the clean set too, and of course no obvious on-access capability was found, giving us several reasons to deny Antiy a VB100 award for the time being. However, the product impressed the team and looks like a good bet for some rapid improvements.

ArcaBit ArcaVir 11.2.3205.1
Update 2011-02-24 12:54:56
ItW: 100.00%  Polymorphic: 93.63%
ItW (o/a): 100.00%  Trojans: 63.06%
Worms & bots: 72.11%  False positives: T

ArcaBit has made a few appearances in our comparatives over the last few years, and has shown some steady improvements both in performance and stability. The install package weighed in at 95MB and needed no ad
109. event diseases, and an international structure to respond when outbreaks occur. The application of such a model to Internet health would have enormous benefits, but would require sustained local and international collaboration. Charney also focused on identity management. A shared and integrated domain creates huge problems when people and their activities are mingled. Anything we've ever done on the Internet is recordable and findable. Identity management is critical. We must build trusted stacks with strong identity management systems. As the threat world evolves, Microsoft continues to revise its Security Development Lifecycle (SDL). RSA would not have been complete without hearing more about Stuxnet, and who better to offer that information than Symantec's President and CEO, Enrique Salem? Symantec played a crucial role in the identification and analysis of Stuxnet. The worm exploited four zero-day vulnerabilities, and Symantec helped uncover three of them. The threat has moved the game from espionage to sabotage, and used the first rule of the art of war: deception. Salem noted that we've been expecting this sort of sophisticated, elaborate attack for many years. Now it is here, and it is more sophisticated, dangerous and prevalent than anything we have seen before. While SCADA attacks are not new, they are a threat to our economy, prosperity and our lives. We now know what is possible. More targeted attacks are coming, with the most da
110. f it had the potential to cause false positives. All of the other results (Soft Fail, Neutral, etc.) have their own weights associated with them and are used in the spam filter evaluation. By itself, Hard Fail can single-handedly mark a message as spam. Thus, if an organization selects this option and publishes SPF records, then a spammer will not be able to spoof the organization in either the P1 From or P2 From address. Those messages will be marked as spam and hidden from the end user.

RESULTS

The feature was coded, tested and deployed into the production network within a couple of months. Yet for all of the work we had put in and the research we had done, I was still nervous. All of the reading I had done that looked at performing SPF checks on the P2 From address suggested that the results were potentially unreliable. Would we get false positives? Would there be a whole bunch of scenarios that I hadn't considered and lots of complaints pouring in? The best-case scenario was that it solved the problem of spoofing for the original customer. Years later, when researching choice architecture (the process of providing users with a list of options), I discovered that giving users fewer choices is better than giving them more. The reason is that the more options we are given, the more difficult it is to make a decision, and the less likely we are to be happy with that decision. This seems counterintuitive, but in fact a simplified
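The policy described above, where a hard SPF Fail on either sender address is decisive and the other results only contribute weights, can be written down as a small evaluator. The block below is an added example for this page, not the author's filter or any vendor's code. It takes the P1 From to be the SMTP envelope sender and the P2 From to be the message's From: header, as the article's terminology implies; the SPF records are an inline, constructed table standing in for DNS TXT lookups, the weights and threshold are assumed values, and only the ip4, include and all mechanisms are implemented.

```python
"""Minimal SPF evaluator applying a hard-fail policy to both the P1 From
(envelope sender) and P2 From (header From) domains. Added example; the
record table, weights and threshold are constructed assumptions.
"""
import ipaddress
from email.utils import parseaddr

# Constructed records; a real evaluator fetches the domain's TXT record.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.5 ~all",
    "neutral.example": "v=spf1 ?all",
}

QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

# Assumed weights for the scoring filter. On their own they never push a
# single Fail over the threshold; the hard-fail option makes Fail decisive.
RESULT_WEIGHT = {"Pass": -1.0, "Neutral": 0.0, "None": 0.5,
                 "SoftFail": 2.0, "Fail": 3.0}
SPAM_THRESHOLD = 5.0


def check_spf(domain: str, ip: str, depth: int = 0) -> str:
    """Evaluate the SPF record of `domain` for sending address `ip`.
    Returns Pass, Fail, SoftFail, Neutral or None (no usable record)."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "None"
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech == "ip4" and sender.version == 4:
            if sender in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # include matches only when the included record yields Pass
            if check_spf(arg, ip, depth + 1) == "Pass":
                return QUALIFIERS[qualifier]
    return "Neutral"  # record exhausted without a match


def domain_of(address: str) -> str:
    """Extract the domain from a bare address or 'Name <addr>' form."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def classify(ip: str, p1_from: str, p2_from: str, hard_fail_enabled: bool = True):
    """Apply the policy: SPF-check both P1 and P2 From domains against the
    connecting IP. Returns ('spam' | 'deliver', {'P1': result, 'P2': result})."""
    results = {"P1": check_spf(domain_of(p1_from), ip),
               "P2": check_spf(domain_of(p2_from), ip)}
    if hard_fail_enabled and "Fail" in results.values():
        return "spam", results          # a single hard Fail is decisive
    score = sum(RESULT_WEIGHT[r] for r in results.values())
    return ("spam" if score >= SPAM_THRESHOLD else "deliver"), results


if __name__ == "__main__":
    # Constructed cases: a legitimate message and a header-From spoof.
    print(classify("192.0.2.25", "bounce@example.com", "Alice <alice@example.com>"))
    print(classify("203.0.113.99", "x@attacker.example", "CEO <ceo@example.com>"))
    print(classify("203.0.113.99", "x@attacker.example", "CEO <ceo@example.com>",
                   hard_fail_enabled=False))
```

The second case shows the situation the article is concerned with: the envelope domain publishes no record (result None), so a P1-only check would let the message through, while checking the P2 From against example.com's record returns Fail and, with the hard-fail option on, marks the message as spam. With the option off the same message scores 3.5 and is delivered, which is the trade-off the article's customer was choosing between.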
111. first of several subfolders of the selected region. We also hit a problem in the on-access test, where a single item seemed to be tripping up the engine, causing a blue screen; several runs over the same batch of samples brought the same result, so the set was split into small chunks to get as much coverage as possible. Scanning speeds were not very fast, but lag times were not very heavy, and system resource use was low, with a low impact on our set of activities. In the end, detection results proved pretty solid too, with respectable scores in all sets, a gradual downturn through the RAP weeks and a slight rally in the proactive week, an unusual pattern that K7 has repeated in three comparatives in a row now. Both the WildList and the clean set were handled well, and another VB100 award is earned by K7 this month. The company now has a solid record of seven passes and one fail in the last 12 tests, with four not entered; in the last year K7 has three passes from three entries.

Kaspersky Anti-Virus 6.0 for Windows Workstations
Version 6.0.4.1212 (a)
ItW: 100.00%  Polymorphic: 100.00%
ItW (o/a): 100.00%  Trojans: 91.04%
Worms & bots: 99.24%  False positives: 0

This month sees a trio of entries from Kaspersky Lab, which, until it skipped last year's Linux test, was the only vendor with a 100% record of participation in our comparatives since the VB100 award was introduced in 1998.
112. flip side is that if a credit card has gone for two years without any signs of fraudulent activity, banks and retailers are likely to assume that it hasn't been stolen, thus making it easier for the criminals to defraud. The news comes just days after email marketing firm Epsilon admitted that hackers had obtained access to its customer data. The Dallas-based company claims that the data breach affected only around 2% of its clients, and that the information obtained was limited to email addresses and/or customer names only. However, a growing list of companies is known to have had their customer lists stolen. Among the victims are Hilton Honors, Walgreens, Disney Destinations, Marks and Spencer, Capital One, TiVo, JPMorgan Chase and Citibank. Even if the hackers did only obtain names and email addresses, these companies' customers will now be at increased risk of phishing, and with the crooks able to personalize their emails, the phishes will be harder to spot than generic ones. Most of the affected companies have warned their customers to be on the alert for phishing attempts.

Prevalence Table, February 2011

Malware               Type       %
Autorun               Worm       9.13
VB                    Worm       (value garbled)
Conficker/Downadup    Worm       (value garbled)
Agent                 Trojan     5.00
FakeAlert/Renos       Rogue AV   4.03
Exploit-misc          Exploit    3.80
Adware-misc           Adware     3.68
Downloader-misc       Trojan     3.49
Delf                  Trojan     2
113. g for a minute or so before a window appears showing progress. The interface is quirky but not unclear, with a wide selection of options crammed into a small area. We noted with interest that the support email address shown in the 'about' window is at hotmail.com. [FP: 19; RAP: 72.0%] Running through the tests is always a little fiddly, as the product only records on-access detections when set to erase or clean automatically; otherwise a pop-up appears noting the detection and asking for a decision as to what to do about it, but no entry is made in the product log until the choice is made. Nevertheless, it seemed to cope with the heavy workload and got through the tests in good time. Scanning speeds were not incredibly fast, but file access lags were very low and processor cycle use was low too, although memory consumption was fairly high. The set of standard jobs completed in average time. Detection rates were not too bad in general, but there were quite a few misses in the WildList set, many more polymorphic samples missed on access than on demand, and a fairly large smattering of false alarms in the clean sets. As a result, the product is denied certification once again, but it seems to be showing steady improvement in both solidity and coverage, and it seems likely that Filseclab will reach the VB100 standard in the not too distant future.

Fortinet FortiClient 4.1.3.143
Virus signatures version 10
114. he function that adds a new contact to the trojan's database for monitoring.

2. Unhiding the console window

Static analysis of the trojan reveals that it actually creates a text editor window and writes debug information to it. Under normal circumstances this debug window is not shown, because the malware authors have hidden it; basically this consists of setting the window as hidden (CApaWindowGroupName::SetHidden(ETrue)) and making sure the window stays in the background (RWindowTreeNode::SetOrdinalPosition to ECoeWinPriorityNeverAtFront (-1000) or ECoeWinPriorityNormal (0)). See [8] for more information. So, to show this debug window, we set breakpoints on the SetHidden and SetOrdinalPosition API calls, ran until we reached those breakpoints, and then each time we reached SetHidden we modified ETrue (1) to EFalse (0), and each time we reached SetOrdinalPosition we set the priority to ECoeWinPriorityAlwaysAtFront (1000, 0x3e8). This caused the debug window to appear. Figure 11 shows the debug window after the trojan has read its settings. First there is the administrator's phone number (blurred; a test phone in our lab). Then we see the trojan is enabled, monitoring any incoming number, an

Figure 11: Zitmo's debug window, dynamically sent to the foreground. (Window text as captured: "Nokia update ... state is On, monitoring all, blocking is off ...")
115. he repeated write warnings, we broke things up into several jobs and re-imaged the test system in between runs, and eventually got everything done after about four full days of run time. Scanning speeds came in rather slow and lags were pretty heavy, with high use of system resources; processor drain was particularly high. Impact on our suite of activities was not too significant though. Detection rates were pretty good, tailing off somewhat in the RAP sets but showing good form in the core certification tests, and earning Sofscan its first VB100 certification.

Sophos Endpoint Security and Control 9.5
Sophos Anti-Virus 9.5.5, detection engine 3.16.1, detection data 4.62G
ItW: 100.00%  Polymorphic: 100.00%
ItW (o/a): 100.00%  Trojans: 91.70%
Worms & bots: 87.69%  False positives: 0

Sophos is another of our most regular participants, with a history going all the way back to 1998 and only two tests not entered, both of which were over five years ago. The vendor's main product is provided as a 75MB installer, with additional incremental updates in a svelte 4MB package. Set-up follows the usual path, with a few corporate extras such as the removal of third-party products (i.e. competitor solutions) and the option to install a firewall component, which is unchecked by default. No reboot is needed to finish the process, which is completed in under a minute.
116. heavily on usage instructions included with the submission, aided somewhat by our limited ability to understand the markings on the interface. [RAP: 94.1%] The install process seemed to require that Japanese language support be added to the system, rather sensibly, but even then much of the display was garbled and not usable as a guide. It ran through half a dozen or so incomprehensible steps before rebooting the system. On boot-up we found the GUI as strange and interesting as ever, with quirks both in layout and operation: it frequently fades into semi-transparency when not focused on. Nevertheless, it seemed fairly stable and proved OK to operate as long as no complex configuration was needed. As in previous tests, on-demand scans over infected sets took an enormously long time. No real reason could be found for this: the main cause of such slowdowns elsewhere is the foolish attempt to store all log data in RAM until the end of the scan, but here the standard Windows event system is used as the only available logging, and memory use did not seem to increase too dramatically. Scans would simply start off very rapidly and gradually slow to a crawl. So, having prepared for this, we set the product up on several systems at once and ran various jobs over the weekend, with most of them finished by Monday. In total, around five full machine-days were used up getting through the tests, considerably more than the allotted 24 hours. No such prob
117. hese agencies frequently have to decide which are the most relevant threats and where they should dedicate their limited time and resources: Stuxnet, Rustock, ZeuS, or perhaps a gang of eBay fraudsters? Having a good idea of which are the biggest threats, and which are linked, is essential for making such decisions. It is thus important to have a good idea of the size of threats, from spam to botnets, and to represent these correctly. Presentations by Trend Micro's David Perry, APWG's Pat Cain and Randy Vaughn of Baylor University dealt with some aspects of the far from trivial task of threat measurement. Indeed, a lack of resources is a constant struggle for those working in law enforcement, and the current economic downturn and subsequent public sector cuts have not made things any easier. But rather than bemoan the difficult nature of their jobs under such circumstances, participants discussed ways in which they could use resources more effectively, and ways to convince both governments and the general public about the severity of these online threats. The fact that online crime is a serious problem was demonstrated by data showing that in the US the amount of money lost per year through online crime is significantly greater than the amount lost through bank robberies. If nothing else, the data reinforced the idea that collaboration is needed to drive forward the fight against cybercrime, and a proposal to set up an eCrime Collab
118. hives; thus G DATA earns another VB100 award with some ease. The vendor's recent record is pretty strong: eight passes and only a single fail in the last two years, with three tests not entered; four of the passes, as well as that one unlucky fail, have been in the last six tests.

Hauri ViRobot Desktop 5.5
Engine version 2011-02-22-00 6659169
ItW: 99.33%  Polymorphic: 100.00%
ItW (o/a): 99.33%  Trojans: 65.04%
Worms & bots: 64.96%  False positives: 0

Hauri has a somewhat sporadic history in our comparatives, entering several tests in a row and then vanishing for a few years. The company's current product is a combination of the BitDefender engine with some additional detection of its own. The installer is a sizeable 300MB, but it gets to work fairly rapidly, even taking into account the scan of running processes performed before it gets going. No reboot is required to complete. The interface is clear and sensible, simple to navigate even for an unfamiliar user, and our lab team found it pleasant both to look at and to use. The product generally ran stably, but logging was a bit of an issue, the process of going from the end-of-scan dialog to a saved log taking anything from ten minutes to three hours, depending on the size of the log being exported. We also found the scheduler a little irritating as, despite having set it only to log all detections, it stopped at the first sample spotted and asked if it should continue with the scan. As
119. hn Hawes
Anti-Spam Test Director: Martijn Grooten
Security Test Engineer: Simon Bates
Sales Executive: Allison Sketchley
Web Developer: Paul Hettler
Consulting Editors: Nick FitzGerald, Independent consultant, NZ; Ian Whalley, IBM Research, USA; Richard Ford, Florida Institute of Technology, USA

upgrade their operating system, or at least the major applications, every few years. However, nothing could be further from the truth. At the root of the problem is a combination of Windows XP and Windows Update. XP came with IE 6 preinstalled and was a very successful operating system, more successful than its successor, and this is one major part of the problem. Although a fair number of IE updates were released, the XP service packs did not include the installers for them. One could install them with automatic update or by visiting the Windows Update website, but both of these required a genuine (non-pirated) OS version, as with Windows XP came the debut of Windows Genuine Advantage. And herein lies the other part of the problem. The most popular operating system in China is Windows XP, with 81.8% of the market share. According to several sources, the software piracy rate in China is around 80%, so it is little surprise that over a third of web browsers (or operating systems) have not been upgraded. Manual download and installation of the updates is possible, but beyond the capabilities of m
[Table, continued: archive handling results for Avira AntiVir Personal, Avira AntiVir Professional, BitDefender Antivirus Pro, Bkis BKAV Professional, Bullguard Antivirus, CA Internet Security Suite Plus, CA Total Defense r12, Central Command Vexira and Clearsight Antivirus, each with an on-demand (OD) and an on-access (OA) row; the per-format cells are not recoverable from the page.]
Key: tick = detection of EICAR test file up to ten levels of nesting; X = no detection of EICAR test file; tick (default settings / all files) as marked per row; 1-9 = detection of EICAR test file up to specified nesting level; EXT = detection of EICAR test file with randomly chosen file extension. Please refer to text for full product names.
...ice their existence because they are harmless and mostly used simply to identify the base file to which they are attached. But like any other files, it is possible for them to contain malicious code, dangerous URLs, encrypted commands or updates for existing malware.

CONCLUSION

ADS may be an old trick, easy to use and easy to detect, but it will remain in existence for a long while, and it will only be a matter of time before malware writers start to use ADS in new malicious ways. We must remain vigilant. A great way to start looking for ADS on your computer is to use the Streams tool from the Microsoft Sysinternals site [1]. Happy hunting!

REFERENCES

[1] Streams. http://technet.microsoft.com/en-us/sysinternals/bb897440
[2] File Streams. http://msdn.microsoft.com/en-us/library/aa364404(v=vs.85).aspx

CONFERENCE REPORT

PHIGHTING CYBERCRIME TOGETHER
Martijn Grooten

The first annual eCrime Researchers Sync-Up, organized by the Anti-Phishing Working Group (APWG) in conjunction with University College Dublin's Centre for Cybercrime Investigation, was described as 'a two-day exchange of presentations and discussions related to eCrime research in progress, and for networking of researchers within the disciplines that are defining the eCrime research field today'. However, when I first looked at the programme for the Sync-Up I have to admit to thinking that it might be too much of an academic event. I wasn't wo
...iderations for mail receivers when they implement the technologies. But what about some practical realities? How well do these technologies work in real life? Can we use them to solve actual problems? The answer is yes, and that is the subject of this article.

THE REAL-LIFE WEAKNESSES OF SPF AND SENDERID

SPF and SenderID are two technologies that are very similar and accomplish similar things, but each has its weaknesses and strengths. Table 1 shows a comparison between the two technologies.

The weaknesses of SPF became apparent to me several years ago. The year was 2007. The mortgage financial crisis was still ahead of us, Rudy Giuliani and Hillary Clinton were their parties' front runners for the presidential nominations, and I was still a fledgling spam analyst. The years 2006 and 2007 were quite turbulent in the spam world. In 2006 we saw a major influx of image-only spam, and spam filters were caught scrambling to react to it because it was very effective in evading content filtering. This was also the time that botnets really hit their stride and we saw massive increases in the volume of spam hitting our inbound servers. Finally, in the summer of 2007, spam with PDF attachments was just emerging. It was short-lived, but it was still a new and creative spam technique that hadn't been seen previously. I wasn't nearly as familiar with SPF at that time as I am now. I had only recently become a Program Manager at Microsoft, and this meant
...ience is pretty similar. We found it occasionally slow to respond, and once again found some of the buttons less than clear to use. However, the level of control available was excellent and stability was generally fine, with the known bad file removed from the RAP sets in advance to ensure a steady run through. Once again, exporting logs was slow but sure. Memory consumption was fairly low and CPU use not too high either, while scanning speeds were pretty fast, again speeding up massively in the warm runs. Once again there was a fairly significant impact on the time taken to complete our suite of activities. Detection rates were splendid, with excellent scores in all sets. Perfect coverage of the WildList and clean sets comfortably earns Kaspersky a second award this month. Our records for the consumer product line look pretty good, with seven passes, a single fail and one test skipped since first appearing in December 2009; five of the last six entries have earned certification.

Kaspersky PURE
Version 9.1.0.124 (a.b)
ItW: 100.00% | Polymorphic: 100.00% | ItW (o/a): 100.00% | Trojans: 93.43% | Worms & bots: 99.43% | False positives: 0
RAP: 94.5%

PURE is a fairly new arrival from Kaspersky, an extension of the suite concept while promising an even broader range of protection. This is its first appearance on our test bench. Much like the
...ily on our set of standard tasks. Not surprisingly, detection rates were not bad either, with no serious complaints in any of the sets, and with the core sets covered without problems another newcomer joins the list of VB100 award winners.

PC Tools Internet Security 2011
Version 2011 (8.0.0.624), database version 6.16970
ItW: 100.00% | Polymorphic: 100.00% | ItW (o/a): 100.00% | Trojans: 93.85% | Worms & bots: 98.44% | False positives: 0
RAP: 90.3%

PC Tools products have been fairly regular participants in our tests since 2007, although the Internet Security line has only taken part since 2009, following the company's takeover by Symantec. After a slightly wobbly start the product has amassed a good run of passes of late. Although the underlying detection technology has changed considerably, the look and feel remains much as it did when we first tested it several years ago. The install package was fairly large at 209MB and ran through a fairly standard set of stages. Towards the end the machine froze completely, not responding to any stimulus, and a hard restart was required. After that all seemed fine though, and a subsequent reinstall did not reproduce the problem. The interface is clear and friendly, with large status indicators covering the firewall, anti-spam and various guard layers, but configuration of the latter is fairly basic, generally limited to on or off. Tests proceeded rapidly, although a
...imple, with a bare-bones set of options under the hood, but it proved reasonably easy to make our way through our tests, helped along by blink-and-you'll-miss-it scanning speeds in the warm scans. Once again we saw some wobbliness in the scanner set-up, with some scan jobs disappearing silently after being set up and others failing to produce final reports; we saw the same confusion covering the clean set, where the scan progress indicated a detection had been found but the final report could not enlighten us further. Again the command-line tool was used for the more hefty jobs and proved much more reliable. With scan speeds and lag times similar to the client solution, memory use seemed a little higher and a slightly heavier impact on our set of activities was observed. Detection rates were again superb, with over 90% everywhere. The core certification requirements were comfortably met and F-Secure picks up a second award this month. The company's main product line has an exemplary record of ten passes in the past two years, with only the annual Linux tests not entered.

G DATA AntiVirus 2011
Program version 21.1.1.0 (9/22/2010)
ItW: 100.00% | Polymorphic: 100.00% | ItW (o/a): 100.00% | Trojans: 99.52% | Worms & bots: 99.88% | False positives: 0
RAP: 97.0%

G DATA is always a welcome sight on our test bench, thanks to an excellent record and good behaviour, to say no
...ings and then proceeds to create an ADS version of itself. To create the ADS, StreamC and Rustock simply used a string for the filename, but for Joleee there is a considerable amount of preparation just to produce the filename itself. First it gets the path for the Windows directory using the GetWindowsDirectoryA API and stores the path character by character in its memory space. Next it adds the string 'explorer.exe' manually, four characters at a time, followed by the strings 'userini' and 'exe'. By allocating a total of 631 bytes of code, Joleee generates the ADS name C:\windows\explorer.exe:userini.exe and creates it using the CreateFileA API (see Figure 5). After successfully creating C:\windows\explorer.exe:userini.exe, Joleee copies the content of the encrypted version of

[Figure 3: The call to the CreateFileA API to create C:\window... Debugger view of the CALL to kernel32.CreateFileA from Joleee (code at 00407BFA-00407C58), with arguments FileName = "C:\WINDOWS\explorer.exe:userini.exe", Access = GENERIC_WRITE, ShareMode = FILE_SHARE_READ, pSecurity = NULL, Mode = CREATE_ALWAYS, hTemplateFile = NULL.]
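A way to find and triage streams like the one Joleee builds, as an added example that is not code from the article, from Joleee, or from the Sysinternals Streams tool the article's conclusion points to: parse_stream_path() splits a stream-qualified path such as C:\windows\explorer.exe:userini.exe into base file, stream name and stream type; classify_stream() applies the article's own observations as heuristics (a named stream whose name or content looks like an executable deserves a closer look, while Zone.Identifier is expected); enumerate_streams() lists a file's streams on Windows via kernel32 FindFirstStreamW/FindNextStreamW, which is an assumption about that API's documented calling convention rather than anything shown on the page, and returns an empty list on other platforms.

```python
"""Working with NTFS alternate data stream names such as
C:\\windows\\explorer.exe:userini.exe (the name Joleee constructs).

Added example, not code from the article or from the Sysinternals Streams
tool. The parser and classifier run anywhere; enumerate_streams() is a
Windows-only wrapper around FindFirstStreamW/FindNextStreamW (assumption)."""
import ctypes
import sys

DATA_STREAM_TYPE = "$DATA"
SUSPICIOUS_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".bat", ".vbs", ".js")
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value


def parse_stream_path(path):
    """Split 'drive:\\dir\\file:stream:$TYPE' into (file, stream, type).

    The drive-letter colon is not a stream separator, so only colons after
    the last path separator count. The unnamed data stream is '' / $DATA."""
    sep = max(path.rfind("\\"), path.rfind("/"))
    head, tail = path[:sep + 1], path[sep + 1:]
    parts = tail.split(":")
    filename = parts[0]
    stream = parts[1] if len(parts) > 1 else ""
    stream_type = parts[2] if len(parts) > 2 else DATA_STREAM_TYPE
    return head + filename, stream, stream_type


def classify_stream(stream, size, first_bytes=b""):
    """Crude triage of one stream: default, benign, suspicious, unusual, empty.

    Zone.Identifier is written by browsers and mail clients and is expected.
    An executable-looking name or an MZ header in the content is suspicious."""
    if stream == "":
        return "default"
    if stream == "Zone.Identifier":
        return "benign"
    if stream.lower().endswith(SUSPICIOUS_SUFFIXES) or first_bytes[:2] == b"MZ":
        return "suspicious"
    return "unusual" if size > 0 else "empty"


def enumerate_streams(path):
    """Windows only: return [(stream_name, size), ...] for every stream of path.

    Assumes the documented FindFirstStreamW(lpFileName, FindStreamInfoStandard=0,
    &data, 0) / FindNextStreamW(h, &data) / FindClose(h) convention."""
    if sys.platform != "win32":
        return []
    from ctypes import wintypes

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * (260 + 36))]

    k32 = ctypes.windll.kernel32
    k32.FindFirstStreamW.restype = wintypes.HANDLE
    k32.FindFirstStreamW.argtypes = [wintypes.LPCWSTR, ctypes.c_int, ctypes.c_void_p, wintypes.DWORD]
    k32.FindNextStreamW.argtypes = [wintypes.HANDLE, ctypes.c_void_p]
    k32.FindClose.argtypes = [wintypes.HANDLE]
    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)
    if handle in (None, INVALID_HANDLE_VALUE):
        return []
    found = []
    try:
        while True:
            # cStreamName looks like ':userini.exe:$DATA' ('::$DATA' for the default stream)
            _, stream, _ = parse_stream_path(path + data.cStreamName)
            found.append((stream, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return found


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\windows\explorer.exe"
    for name, size in enumerate_streams(target):
        print(target, repr(name), size, classify_stream(name, size))
```

Run it on a Windows host with a file path as the argument; on any platform the parser and classifier can be used directly, for instance to post-process the output of Streams or of `dir /r`.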
...ink@wa.state.gov
Subject: Latest results of bill 2101

In this case:

1. Perform an SPF check on tkgghsas=wa.state.gov@bigcommunications.com. It returns an SPF Pass. We therefore interpret this message as authenticated and proceed with the rest of the filtering pipeline. No further authentication is performed.

Whereas before, this message was a true positive with SPF and a false positive with SenderID, now it is back to being a true positive again.

NAMING THE FEATURE

After it was decided that this was the way we would address the spoofing issue, we had to come up with a name for the feature. It isn't SPF and it isn't SenderID; it's a combination of the two of them. Since the feature is designed to authenticate against the From field in an email message, we called it From Address Authentication. It authenticates against the From address of an email message. We decided that this feature would not be enabled by default on all inbound mail hitting the network. Instead, it would be a custom spam filter action that was off by default. In order to get the benefit of this feature, an organization would have to activate it manually.

ACTIONS

Next, we had to decide on an action to take in the event that a message received a Hard Fail with the second check. Spam filters usually use the results of an SPF check as a weight in their scoring engines. Some, like ours, allow users to enable an option to auto-reject all m
[Figure 9: Call RSocket::Ioctl with KIoctlReadMessageSucceeded to indicate the message was processed correctly. Disassembly:
MOV R1, #0x304 ; KIoctlReadMessageSucceeded
MOV R3, R12
BL _ZN7RSocket5IoctlEjR14TRequestStatusP5TDes8j ; RSocket::Ioctl(uint, TRequestStatus&, TDes8*, uint)]

Finally, it commits the change (CommitL). Note also that if the message to release comes from a contact listed in the phone's address book, the trojan opens the address book, searches for the contact whose phone number matches the sender of the SMS, retrieves the contact's first and last name and writes this information in the inbox instead of the phone number. This ensures, for instance, that the SMS appears to come from 'Axelle Apvrille' and not from D336xxxxxx.

Diverting the SMS to the administrator's phone number is quite similar, except that a new entry is created in the Drafts box. And of course the new SMS is created with the administrator as recipient, and the body is modified to include, at the end, the phone number of the original sender of the SMS (see the result in Figure 3: the original sender's phone number is mentioned after 'Fr'). The trojan then marks this entry as changed (CMsvEntry::ChangeL, see Figure 8), sets the SMS service centre and finally sends it.

Dropping the SMS, i.e. not displaying the SMS at all, basically consists of doing nothing with the SMS once it has been read. More precisely, the trojan reads the SMS from th
...interface with fewer options helps people make decisions faster and to remain happier with their decisions.

[Figure 1: From Address Authentication in Forefront Online. Flow: perform the normal SPF check; if the customer option for FAA is not enabled, continue the regular filtering pipeline; if it is enabled, extract the PRA as specified in RFC 4407 and perform a SenderID check; then either apply spam weights to the message based upon the SenderID result or mark the message as spam.]

...who had complained, that it was adopted by others and that no complaints came in. The worst-case scenario was that piles of false positives occurred, the original customer complained and disabled the feature, phishing messages still came in and we would be back to square one. As it turned out, it was the best-case scenario. We solved the problem for the customer and stopped the phishing messages from hitting their inboxes. We didn't get false positive complaints from other people, and the feature was adopted by a number of other organizations as well. The feature worked exactly the way it was supposed to; how often does that happen in real life? By getting creative with SenderID and SPF we had managed to use them in a unique way that combined their strengths while avoiding their weaknesses.

CONCLUSION

SenderID and SPF each have their advantages and
...irst looked at Returnil's offering last summer (see VB, August 2010, p.21), when it went by the name Virtual System, in reference to the sandboxing/virtualization set-up that is at the core of its protective approach. It also includes the Frisk malware detection engine, which is the main aspect we looked at on this occasion.
RAP: 18.4%

The installer is compact at only 40MB and takes only a few moments to complete, with a reboot requested after 30 seconds or so. The interface is bright and colourful and fairly easy to use, although the configuration section seems mainly focused on the virtualization system and on providing feedback on incidents, with little by way of actual options for the scanning or protection. With sensible defaults and good stability though, testing progressed nicely and was completed in short order. Scanning speeds were rather slow and on-access lags a little heavy, with low use of memory and minimal impact on our suite of tasks but very heavy use of CPU cycles. Detection rates were pretty decent in most sets, with a slow decline in the RAP sets and once again that slight and unexpected upturn in the proactive week. The core sets were handled well and Returnil earns another VB100 award. Having entered four of the last five tests, skipping only the recent Linux test, Returnil can now boast three passes and only a single fail.

Sofscan Professional 7.2.27 Vir
...ives: 0
RAP: 88.6%

Symantec is another long-standing regular in VB100 testing, but has been somewhat unpredictable in its entries of late, with its last appearance as long ago as August 2010. Finally back on our list, we expected to see a solid performance. The installer seemed to cover the entire corporate product range, with multiple platforms supported and management tools etc. included, so weighed in at a chunky 1.3GB. For the standalone anti-malware solution the set-up process was fairly short and simple, though running through a standard set of stages for a business product, and offering to reboot at the end but not demanding one immediately. The interface is fairly bright and colourful for a corporate offering, with large, clear status displays. A hugely detailed range of controls can be found under the hood, again with a clear layout and good usability. Scanning speeds were good in most areas, slower than most over archive files thanks to scanning internally by default, while on-access lag times were perhaps a little on the heavy side, but nowhere near some of the extremes seen this month. Resource usage was a little above average, but a good time was recorded over our suite of standard tasks. Detection rates were pretty good, with a fairly sharp drop through the RAP sets but solid coverage in most areas, and the core certification sets caused no unexpected issues, thus comfortably earning Symantec
...ization does to prevent being spoofed, and then delivered to someone's inbox.

2. Upon receipt of the message, the spam filter executes an SPF check on the email address in the P1 Mail From, which is the randomized alwknr@zebuzez.com. The domain zebuzez.com exists in DNS and has an A record, but does not publish SPF records. The spam filter checks it out and the result is SPF None. It continues to pass it down to the rest of the filter.

3. The URL in the message is a newly created domain, and the message is sent from a new IP address that is part of a botnet but is not on any blocklists. It evades the spam filter's other reputation checks and ends up in the customer's inbox. This is a false negative.

4. The user sees the mail, which appears to come from their own internal department, admin@wa.state.gov. Since it seems to come from a domain they recognize, they trust the message and decide to click on the link. The spammer has been clever enough to send the message in HTML format, and the link in the message actually points

(Sidebar) This was the first instance I had seen of a spear phishing attack, although in retrospect it was probably less sinister than it sounds. A targeted spear phishing attack customizes everything, right down to the recipients. This attack spoofed the From address, but nothing else in the message content was customized. The government of Washington State is not our customer; I use this as an example
...k SOURCE Boston 2011 will be held 20-22 April 2011 in Boston, MA, USA. For more details see http://www.sourceconference.com/.

The New York Computer Forensics Show will be held 26-27 April 2011 in New York, NY, USA. For more information see http://www.computerforensicshow.com/.

The Counter eCrime Operations Summit 2011 takes place 26-28 April 2011 in Kuala Lumpur, Malaysia. This year's meeting will focus on the development of response paradigms and resources for counter-ecrime managers and forensic professionals. For details see http://www.apwg.org/events/2011_opSummit.html.

The 5th International CARO Workshop will be held 5-6 May 2011 in Prague, Czech Republic. The main theme of the conference will be 'Hardening the net'. Details are available on the conference website at http://www.caro2011.org/.

The 20th Annual EICAR Conference will be held 9-10 May 2011 in Krems, Austria. This year's conference is named 'New trends in malware and anti-malware techniques: myths, reality and context'. A pre-conference programme will run 7-8 May. For full details see http://www.eicar.org/conference/.

The 6th International Conference on IT Security Incident Management & IT Forensics will be held 10-12 May 2011 in Stuttgart, Germany. See http://www.imf-conference.org/.

TakeDownCon takes place 14-19 May 2011 in Dallas, TX, USA. The event aims to bring together security researchers from corporate, government and academic sectors, as well as the
...l, then we know whether the message is authenticated or spoofed. However, we don't know one way or the other if we get None, Neutral, TempError or PermError. If we get one of these results, then we perform a SenderID look-up on the P2 From address to see if that address is being spoofed (so the SenderID check is conditional upon the result of the SPF check). Once that result comes back, appropriate action can be taken:

- Use the Hard or Soft Fail as weights in the spam filter.
- Use the other results with the same actions that you would take for the results of a regular SPF check.

The idea is that, since we didn't have an authentication answer the first time, we try again a second time on a different field and see what the result is. Let's return to our two previous examples and see how we can get the results we want while avoiding the results we don't want.

SMTP Mail From: alkwnr@zebuzez.com
P2 From: admin@wa.state.gov
To: tzink@wa.state.gov
Subject: Update your credentials

1. Perform an SPF check on alkwnr@zebuzez.com. It returns SPF None. This is a non-authoritative result.
2. Perform a SenderID check on admin@wa.state.gov. It returns SPF Hard Fail. We therefore interpret this as a spoofed message and treat it as such.

Whereas before it was a false negative, now it is detected as spam. What about our other example?

SMTP Mail From: tkgghsas=wa.state.gov@bigcommunications.com
P2 From: communications@wa.state.gov
To: tz
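The decision procedure just described, also covering the second example on the page where the Mail From check passes and no second check is made, as an added example that is not the article's or Forefront's code: a Python function runs a toy SPF evaluation on the P1 Mail From domain and, only when that result is inconclusive and the customer option is on, a SenderID-style check on the PRA taken from the P2 headers. The SPF records, IP addresses and both messages are constructed test data that mirror the article's examples; the evaluator handles only the ip4 and all mechanisms, and PRA selection is the simplified header order (Resent-Sender, Resent-From, Sender, From) rather than the full RFC 4407 algorithm.

```python
"""From Address Authentication (FAA): SPF on the P1 MAIL FROM, and only when
that is inconclusive, a SenderID-style check on the P2 From address.

Added example, not code from the article or from Forefront. The SPF records
and IP addresses are constructed test data, and the evaluator supports only
the ip4 and all mechanisms."""
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (assumption: these
# domains publish exactly these records; zebuzez.com publishes none).
SPF_RECORDS = {
    "wa.state.gov": "v=spf1 ip4:198.51.100.0/24 -all",
    "bigcommunications.com": "v=spf1 ip4:203.0.113.0/24 -all",
}

QUALIFIER = {"+": "Pass", "-": "HardFail", "~": "SoftFail", "?": "Neutral"}


def domain_of(address):
    """Domain part of an address such as user=example.org@esp.example."""
    return address.rsplit("@", 1)[1].lower()


def spf_check(domain, client_ip, records=SPF_RECORDS):
    """Toy SPF evaluation: ip4:<cidr> and all, with the usual qualifiers."""
    record = records.get(domain)
    if record is None:
        return "None"               # domain exists but publishes no SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mechanism = "+", term
        if term[0] in QUALIFIER:
            qualifier, mechanism = term[0], term[1:]
        if mechanism == "all":
            matched = True
        elif mechanism.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mechanism[4:], strict=False)
        else:
            continue                # other mechanisms are out of scope here
        if matched:
            return QUALIFIER[qualifier]
    return "Neutral"                # nothing matched and no explicit "all"


def purported_responsible_address(headers):
    """Simplified RFC 4407 PRA selection: first header present, in this order."""
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if name in headers:
            return headers[name]
    return None


def from_address_authentication(message, client_ip, faa_enabled=True):
    """Return which field was authenticated, the SPF result and the verdict."""
    mail_from_result = spf_check(domain_of(message["mail_from"]), client_ip)
    if mail_from_result == "Pass":
        return {"stage": "mail_from", "result": "Pass", "verdict": "authenticated"}
    if mail_from_result in ("HardFail", "SoftFail"):
        return {"stage": "mail_from", "result": mail_from_result, "verdict": "weight"}
    # None, Neutral, TempError, PermError: inconclusive. Without the customer
    # option the message simply continues down the normal pipeline.
    if not faa_enabled:
        return {"stage": "mail_from", "result": mail_from_result, "verdict": "continue"}
    pra = purported_responsible_address(message["headers"])
    pra_result = spf_check(domain_of(pra), client_ip)
    verdict = {"HardFail": "spam", "SoftFail": "weight", "Pass": "authenticated"}.get(pra_result, "continue")
    return {"stage": "pra", "result": pra_result, "verdict": verdict}


# Constructed messages mirroring the article's two examples.
PHISH = {"mail_from": "alkwnr@zebuzez.com",
         "headers": {"From": "admin@wa.state.gov", "To": "tzink@wa.state.gov",
                     "Subject": "Update your credentials"}}
LEGIT = {"mail_from": "tkgghsas=wa.state.gov@bigcommunications.com",
         "headers": {"From": "communications@wa.state.gov", "To": "tzink@wa.state.gov",
                     "Subject": "Latest results of bill 2101"}}
BOTNET_IP = "192.0.2.10"     # constructed: authorized by no record
ESP_IP = "203.0.113.5"       # constructed: inside bigcommunications.com's ip4 range

if __name__ == "__main__":
    print(from_address_authentication(PHISH, BOTNET_IP))   # pra HardFail -> spam
    print(from_address_authentication(LEGIT, ESP_IP))      # mail_from Pass -> authenticated
    print(spf_check("wa.state.gov", ESP_IP))               # SenderID alone would Hard Fail here
```

The last print shows the false positive the article warns about: a SenderID check of the legitimate bulk mailing against wa.state.gov alone returns Hard Fail, which is why the second check is only run when the Mail From result is inconclusive.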
...l, with impressive reliability in the trojans and RAP sets, the team behind the detection part of the product seem to be maintaining things quite nicely. A single item of adware was identified in the clean set, and there were no problems in the WildList, earning CA a VB100 award for its consumer product. The solution has been having a rather tough time of late, with only two passes from six attempts in the last two years; this is the first pass in the last six tests, three of which were not entered. Hopefully this will mark the start of a new chapter for CA.

CA Total Defense r12 Endpoint Protection Client
Product version 12.0.528, signature version 4209
ItW: 100.00% | Polymorphic: 99.96% | ItW (o/a): 100.00% | Trojans: 78.26% | Worms & bots: 96.06% | False positives: 0
RAP: 74.4%

CA's business solution has had a major revamp, which we were first exposed to in the last Windows comparative in late 2010 (see VB, December 2010, p.27). This was not the most pleasant experience, and we hoped a degree of familiarity would help things along this month. With the installer package recycled from the previous encounter, there was fortunately no need to repeat the lengthy process of downloading the 4GB DVD ISO image we were asked to use. The time saved in avoiding this chore was quickly used up though, as the install requested on the deadline day revealed that the product cannot be installed on Windows
...l note Zitmo's reverse engineering is fully completed. Future work should probably keep an eye on SpyEye, which is seen as a rising successor to Zeus. Some other aspects would also be worth investigating more closely, such as countermeasures or cybercriminality. Research into countermeasures would mean testing solutions based on malicious behaviour detection, firewalling or anti-virus capabilities in real-life environments. Research could also be conducted on reviewing challenge-based authentication protocols and proving them formally against Zeus/Zitmo attacks. As for cybercriminality, several points are still unknown or undisclosed, such as how many online bank accounts were stolen, how much the cybercriminals traded the accounts for and to whom, and of course the identity of the gang.

ACKNOWLEDGEMENTS

We thank Guillaume Lovet (Fortinet) for his technical and in-depth review, and Ludovic Apvrille (Telecom ParisTech) for useful comments on the article structure. Finally, we thank David Barroso (S21sec) for kindly sharing information regarding Zeus and Zitmo.

REFERENCES

[1] Apvrille, A.; Yang, K. Defeating mTANs for profit, part one. Virus Bulletin, March 2011, p.6. http://www.virusbtn.com/pdf/magazine/2011/201103.pdf
[2] Payu, S. Silent Receiving of SMS Messages. October 2008. http://symbian.devtricks.mobi/tricks/silent_receiving_of_sms_messages/
[3] Barroso, D. ZeuS Mitmo: Man-in-the-mobile. September 2010.
...last six tests.

BitDefender Antivirus Pro 2011
Version 14.0.28.351 (of branch 14.24), engine version 7.3681
ItW: 100.00% | Polymorphic: 100.00% | ItW (o/a): 100.00% | Trojans: 95.48% | Worms & bots: 99.53% | False positives: 0
RAP: 93.7%

BitDefender is another major firm whose reputation continues to grow with the company itself. As usual, it is well represented in OEM and rebranded products, with some half a dozen of this month's list including the company's engine in some form or other. The current mainline product came in as a fairly large 265MB package with all updates included. The set-up process was considerably longer and more involved than most. A quick scan early on took close to five minutes, and a large number of steps followed, including options to remove other solutions already present on the system, to disable the Windows Defender system, and to share updates with other BitDefender users (presumably some kind of torrent-style data pooling system). After what seemed to be the last of many steps, listing the included features as anti-virus and identity protection, a ten-second pause was followed by another option: whether or not to contribute anonymous data to a feedback system. There was then another ten seconds of silence, then the offer of a demo video; fortunately we didn't have Flash Player installed on the test systems, so
...lems were encountered when scanning clean files though, with a light touch in the on-access lag measures and initially sluggish on-demand scans speeding up hugely for the warm runs. CPU use was perhaps a little higher than average, but RAM use and impact on our activities were fairly standard. As expected from the Kaspersky engine, detection rates were excellent across the board, with little missed anywhere, and with no issues in the core certification sets Nifty earns another VB100 award. The product has taken part in all six desktop tests in the last two years, failing only once; the last six tests show three passes from three entries.

Norman Security Suite 8.00
Product Manager version 8.00, anti-virus version 8.00, scanner engine version 6.07.03, NVC version 8.1.0.88
ItW: 100.00% | Polymorphic: 99.98% | ItW (o/a): 100.00% | Trojans: 86.80% | Worms & bots: 89.16% | False positives: 0
RAP: 81.3%

Norman has hit its stride again recently after a run of difficulties, and is now back on a winning streak with no problems encountered in the last few tests. The vendor returned this month doubtless hoping to continue its streak of success. The Suite solution was provided as a 112MB installer including all the required updates, and it ran through in only a handful of steps. The process was all over in good time but needed a reboot to complete. The interface is a
...lications sales, an interesting concept, although it does not make them technically immune to malware. This issue is not simple to remedy with the current mobile framework. The most technically promising solutions we are aware of base malware detection on behaviour analysis [9, 10], on SMS sending profiles [11] or on matching rules combining security capabilities [12]. They should, however, be tested in real-life situations and perhaps be combined with other approaches such as mobile anti-virus solutions or firewalls.

The second reason Zitmo gives us cause for concern is that it initiates on-demand two-factor authentication. In part one of this series [1] we explained that Zitmo gives cybercriminals the capability to authenticate whenever they want using two different authentication factors. Two-factor authentication is a good security measure, but only as long as the security of the systems in charge of each factor remains intact. In Zitmo's case this does not happen: from a compromised PC in charge of the first authentication factor, it manages to compromise the mobile phone which handles the second authentication factor. The insecurity of the PC leads to the insecurity of the mobile phone. Hardware authentication tokens such as SecurID tokens are not a solution to this issue. These were defeated by prior versions of Zeus because the one-time password they generate is entered on a compromised host (the PC).
...little bizarre at times, for a start being a little too large for the browser-based window it is displayed in, thus requiring a pair of scroll bars which only move a tiny way. The window size is locked, so the issue cannot be fixed by the user. The layout is unusual and sometimes confusing, with a limited set of options and a quirky approach to just about everything, but with practice and patience it is just about usable. Less forgivable is its disregard for instructions, with samples routinely removed or disinfected despite all settings being firmly set to avoid such behaviour. Otherwise, stability seemed good, with no hitches to prevent us completing the set of tests in good time. What did impede things somewhat was the scanning speed, which was slow in the extreme, mainly thanks to the sandbox component looking at things in great depth. As we have suggested here before, this might benefit from some sort of memory of what it has already run, to avoid such unnecessary duplication of work. On-access lag times were also fairly high and use of CPU cycles was well up too, although RAM use was not much above average and our set of tasks was completed in reasonable time. Detection rates were not bad, with respectable scores throughout the sets, and once again the WildList was handled well. The clean sets threw up only a single suspicious alert, on a rather bizarre piece of software which claimed to be an entertaining game but in fact seemed to si
...me time. This month's submission, a nice small 44MB executable, was installed with the standard steps, enlivened as usual by the enforced choice of whether or not to detect potentially unwanted software (the 'next' button is greyed out until a selection is made). It doesn't take long, and no reboot is needed, just a short pause before the protection is in place. The interface is simple and unfussy but provides a wealth of fine-tuning controls. There is so much here that some of it seems to be a little superfluous and in places overlapping, and we have long had trouble figuring out the controls for

[Table: archive handling results (detection of the EICAR test file inside nested archive formats) for Agnitum Outpost, AhnLab V3 Internet Security, Antiy Ghostbusters, ArcaBit ArcaVir, AvailaSoft AS Anti-Virus, Avast Software avast Free, Avertive VirusTect, AVG Internet Security and Avira AntiVir Personal (continued on the following page); each product has an on-demand (OD) and an on-access (OA) row; the per-format cells are not recoverable from the page.]
...mounts of time to complete. After leaving it over several nights (taking it off during the days to get on with more urgent tasks), results were finally put together, showing the expected decent scores across the sets with a slight decline in the latter half of the RAP sets. The core sets were well handled and VirusBuster earns another VB100 award. The long view shows passes in all of the last six tests, and three fails and nine passes in the last two years.

Webroot Internet Security Complete 7.0.6.38
Security definitions version 1892, virus engine version 3.16.1
ItW: 100.00% | Polymorphic: 100.00% | ItW (o/a): 100.00% | Trojans: 93.05% | Worms & bots: 98.47% | False positives: 0
RAP: 89.3%

Entering into its fifth year of VB100 entries, Webroot has a good record of passes thanks to the engine that provides the bulk of the malware detection. However, the product has yet to earn much popularity with the test lab team, thanks to its control-free interfaces and long run times getting through tests. As usual we hoped for an improvement, but after an exhausting few weeks feared more of the same. The installer provided measured close to 300MB, but was a custom build for testing, including a wide range of extras and several versions of the virus data. Some special steps were involved in the set-up too, but the main process ran through the basic simple steps, completing fairly rapidly and needing a reboot at the end. Performance
...ms, and most agree that it runs on at least 40%. It is familiar, cheap, comparatively reliable and very popular. To most of the world's computer users, it's just the way computers work. The operating system's popularity with users is, if anything, surpassed by its popularity with developers, so it was almost inevitable that we would be deluged with products of all shapes and sizes for this month's comparative, from the old and familiar to the new and scary. We knew there would be more than enough to keep us busy this month. Of course, the platform's maturity and stability also mean there has been plenty of time for refinement and quality control, so we hoped that we might see a trend in products towards the sort of stability and reliability that has been woefully lacking in some quarters of late.

PLATFORM, TEST SETS AND SUBMISSIONS

Setting up Windows XP has become such a familiar and oft-repeated task that it requires very little effort these days. In fact, we simply recycled bare machine images from the last run on the platform a year ago, tweaking and adjusting them a little to make them more at home on our current hardware and network set-up, and re-recording the snapshots ready to start testing. As usual, no updates beyond the latest service pack were included, and additional software was kept to a minimum, with only some network drivers and a few basic tools such as archivers, document viewers and so on added to the basic operating
144. mulate the experience of driving a bus. Being quite forgiven for this result, Norman earns a VB100 award once again, making a total of four passes and two fails in the past six tests, with the longer view showing six passes and four fails, with two tests not entered, in the last two years.

Optenet Security Suite V.10.06.69
Build 3304, last update 21 February 2011
ItW: 100.00%; Polymorphic: 100.00%; ItW (o/a): 100.00%; Trojans: 76.74%; Worms & bots: 91.82%; False positives: 0; RAP: 81.8%

Optenet first entered our tests at the end of last year with a successful run on Windows 7, and returns for more of the same. Based on the ever-popular Kaspersky engine, its chances looked good from the off.

The product installer was 105MB including updates and ran through a series of set-up steps, including the providing of a password to protect the settings and a request for online activation, before a reboot was requested to complete the process. The interface is another browsery affair, which can be a little slow and occasionally flaky, but it is at least clearly laid out and provides a reasonable level of fine-tuning. From a tester's point of view, the most annoying aspect is the tendency to log out and require a password every time it is revisited after more than a few moments. Scanning speeds were reasonable, but on-access lag times seemed a little high, and while resource use was fairly low, our suite of stan
145. n file 7.11.03.177
ItW: 100.00%; Polymorphic: 100.00%; ItW (o/a): 100.00%; Trojans: 98.51%; Worms & bots: 99.45%; False positives: 0; RAP: 96.0%

Avira's Pro edition is fairly similar to the free version on the surface, and although the installer package is a few MB larger, the same update bundle was used. The install process felt fairly similar, although the application of a licence key file took the place of the registration step. Again no reboot was needed, and everything was over with in under a minute. The interface looks and feels much the same. Configuration was excellent and stability again generally solid, although we saw the same occasional minor snags when closing the Luke Filewalker scanner module. We were happy to see another product out of the way in considerably less than 24 hours, freeing up more time for other, less zippy solutions.

Scanning speeds were again super fast, with very low impact on file accesses, and performance measures closely mirrored the free version. Scores were identical to the free edition, as might be expected given that both used the same detection data, and the lab team once again nodded their approval as set after set was demolished with remarkably high scores throughout, setting a high bar for others to aim for. A VB100 award is earned with style, giving Avira's Pro product line 10 passes out of 12 entries in the last two years and a 100% record in the
146. n the WildList in both modes. With no problems in the clean sets either, the company can finally claim its first VB100 award after two previous failed attempts.

AVG Internet Security Business Edition 2011
Version 10.0.1204, virus database version 1435/3463
ItW: 100.00%; Polymorphic: 99.99%; ItW (o/a): 100.00%; Trojans: 93.55%; Worms & bots: 98.61%; False positives: 0; RAP: 92.6%

AVG continues to consolidate its position as a well-known and widely trusted security brand, expanding and diversifying its capabilities with regular acquisitions, and its premium products have established a solid record in our tests.

The current version came as a 149MB installer package including updates, and the install process is reasonably rapid and straightforward, the only incidents of note being the offer of a browser toolbar and the choice of joining a feedback scheme. With no reboot required, the process is complete within a couple of minutes. The interface has a sober and sensible feel to it and somehow seems a little less cluttered than previous entries. On top of the standard anti-malware protection are extras including a rootkit scanner and AVG's LinkScanner safer browsing system. Configuration for all is exemplary in its clarity and comprehensiveness. Stability was rock solid, with a nice simple scheduler helping to ensure time was well used, and all tests were completed well within the allotted 24 hours.
147. n the very near future to get more accurate measures of this kind of thing. The GUI eventually opened, however, and proved reasonably pleasant to operate, if a little drab and grey. Options were a little odd in places, with the list of possible actions to take on detection being 'auto treat', 'clean' or 'delete if disinfection fails', which seemed to overlap each other and provide no actual choice. The interface was generally responsive, but prone to odd spells of slowing down where buttons would take some time to elicit a response.

Scanning was similarly sluggish but generally well behaved, although handling large quantities of infected items proved a heavy burden and many scans had to be aborted after slowing to a point of unbearable drag. On occasion, scans simply stopped with no sign of any results or logs. By breaking up the sets into smaller chunks we managed to get through most of the tests in the end, although it took several times the allotted 24-hour time period to do so.

Scanning speeds were very slow and on-access lag times enormous, with one particular job, which usually takes less than a minute on a bare system, dragged out to several hours. This seemed to improve somewhat on warm runs. Impact on our activities suite was fairly heavy, and while RAM use was around average, CPU use actually showed a large reduction over the same job running on a bare system; this suggests that much of the extra time b
148. nd CPU use also fairly high, our set of standard tasks ran through in good time. As predicted, detection rates were stratospheric, with barely a thing missed anywhere, and even the proactive week of the RAP sets was covered extremely well. The clean sets threw up a few detections, but as these were only for Themida-packed items and possible adware, there were no problems here. With the WildList also powered through effortlessly, Coranti easily earns another VB100 award after a truly excellent performance. This makes three passes out of five entries in the vendor's first year of competition, with only one (Linux) comparative not taken part in.

Defenx Security Suite 2011
Version 2011 (3390.519.1247)
ItW: 100.00%; Polymorphic: 100.00%; ItW (o/a): 100.00%; Trojans: 88.54%; Worms & bots: 96.78%; False positives: 0; RAP: 88.7%

Defenx has become something of a fixture in our comparatives over the past year or so, and has always been a welcome sight thanks to a record of good behaviour and reliability. The version entered this month came as a 94MB installer including updates and took only a couple of clicks to install. The process continued for a couple of minutes

VIRUS BULLETIN www.virusbtn.com
[Chart: System resource usage and impact on standard activities (0-100% scale; idle system RAM usage increase and related measures). Some values exceed chart area; please refer to text for full product names.]
149. nerally good, even in the on-access runs which have given us some problems in the past. However, it remains unclear what the product's approach to actions on detection is, with some runs seeming to go one way and others another. Scanning times were very slow over some sets, such as our collection of media and document files, but surprisingly quick over executables, which one would expect to be looked at most closely. On-access lag times showed a similar pattern, with some good speed-up in the warm runs improving things considerably. Resource use was low in terms of memory but perhaps a fraction above average in CPU use, and impact on our suite of activities was barely noticeable.

Detection rates were excellent, continuing a steady upward trend noted over several months. The RAP scores were very high in the reactive weeks, with something of a drop in the proactive week, as expected. The clean sets were covered without problems and, after double-checking a selection of files which were not initially denied access to but alerted on slightly behind real time, the WildList set proved to be well handled too. A VB100 award is thus well earned, making for four passes and a single fail in the vendor's five entries so far; the last year shows three passes and three no-entries.

Symantec Endpoint Protection 11.0.6200.754
Definitions 21 February 2011 r2
ItW: 100.00%; Polymorphic: 100.00%; ItW (o/a): 100.00%; Trojans: 93.13%; Worms & bots: 98.25%; False posit
150. ng at 99% when logs showed the scan had already completed without problems. Scanning speeds were OK and on-access lag times fairly low too, with low use of resources. Impact on our set of activities was a little higher than most, but not too much. Detection rates were excellent as usual, with most of the sets demolished, and there was superb regularity in the reactive part of the RAP sets. A couple of items were flagged as unsavoury in the clean sets, one of them being packed with Themida and another a toolbar, but no problems arose there or in the WildList, thus earning ESET yet another VB100 award to maintain the 100% record it has held for the best part of a decade.

Filseclab Twister AntiVirus V7 R3
Version 7.3.4.9985, definition version 13.35.42143
ItW: 97.62%; Polymorphic: 63.35%; ItW (o/a): 92.81%; Trojans: 66.86%; Worms & bots: 68.29%; False positives: 19

Filseclab first took part in our comparatives just over two years ago and has been gamely regular in its appearances ever since, despite as yet no luck in achieving certification. The vendor's solution is an interesting and unusual one, but provides all the usual features one would expect from an anti-malware product. The main installer is 53MB, with a 54MB updater also freely available to download from the company's website. The set-up process is completed in three clicks and about ten seconds, although the updater program is a little less zippy, apparently doing nothin
151. ngerous ones targeting critical infrastructure. Salem noted that every day there are over two million different attacks, and it takes skill to figure out which are real threats and which can safely be afforded less attention.

Dr Michio Kaku provided delegates with an enlightening presentation on the future of computers. Some of the advancements he predicts are cars driving themselves and a home office in your glasses or contact lenses: blink and you go online. Dr Kaku predicts that in 10 years' time we will be able to identify people's faces, know their biographies and translate their languages, all with a pair of smart glasses. According to Kaku, our clothing will contain all our medical records, and particles in our homes will be able to diagnose health issues. Ultimately, he indicated, the augmented reality we see in movies like The Terminator will be in our own reality very soon. With the amount of personal information being added to the Internet, there will be more headaches for those working in security. And can you imagine the opportunity for exploits?

Kaku also believes that Silicon Valley will become a rust belt by 2020 due to overheating and quantum leakage, the two problems facing Moore's Law today. Moore's law will flatten out until physics can create quantum computers.

Another popular keynote was 'The Murder Room: Breaking the Coldest Cases', presented by Michael Capuzzo, author of the book The Murder
152. nning through it all took less than a minute, though with the final screen somewhat confusingly reaching completion and leaving a progress bar at around 70% of the way across. No reboot was needed to complete the process, but we restarted anyway after the manual application of updates, just to be safe.

ItW (o/a): 100.00%; Trojans: 88.90%; Worms & bots: 97.01%; False positives: 0; RAP: 89.1%

Vexira has become a regular participant in our tests over the last few years since starting up a highly successful partnership with the ubiquitous VirusBuster.

The interface is very familiar after dozens of appearances on the test bench in recent years, enlivened somewhat by Vexira's gaudy red colour scheme. The layout is a little unusual but generally usable once one has got to know its quirks. However, a scheduler system proved beyond our limited powers, failing to run as we had apparently failed to properly set the user password settings; ideally this would be checked by the product before accepting the job. Despite this minor setback, things mostly went smoothly and there were no issues with stability. With everything looking set to be completed comfortably inside the allocated time slot, the on-access run over the main sets taking somewhat longer than average but not

Scanning speeds were not super fast, but on-access lags seemed OK, with impressively low measures in all of o
153. o problems with stability, and managed to use the scheduler system without any trouble, running the bulk of the testing over a weekend to make the best use of time. This proved to be a good thing, since the product has a somewhat languorous approach to scanning, dawdling dreamily along and showing no sign of urgency. Scanning speeds were very slow and file access lag times very high, with heavy use of CPU cycles when busy, but RAM was not too heavily drained and our set of jobs did not take much longer than normal to complete.

Detection rates were respectable but not jaw-dropping, with decent coverage in all the sets, the proactive week of the RAP sets showing a slight upturn over the previous week. A couple of suspicious detections in the clean sets were allowable, and the WildList was covered in its entirety, earning eEye a VB100 award. The product's recent test history has not been great, with a string of problems including missed polymorphic samples and false positives in the last year; it now has three passes and five fails in the last two years, having skipped four tests. The last six tests show a slightly better picture, with two passed, two failed and two not entered.

EmsiSoft Anti-Malware 5.1.04
ItW: 99.33%; Polymorphic: 95.58%; ItW (o/a): 99.66%; Trojans: 95.06%; Worms & bots: 98.88%; False positives: 2

EmsiSoft dropped its widely recognized A-Squared name in favour of a more sober title some time ago, but the product remains familia
154. occurring regularly enough for the IT personnel of the company to escalate the matter to us. At the time I knew that SPF was an anti-spoofing technology, but I didn't know much more beyond the basics, so I did some research and learned a lot more.

The spammer was sending mail from a domain with no SPF records in the P1 (Mail From) and was spoofing the recipient's organization in the P2 (From) address field. The result was that the recipients of the message were fooled into believing that it was from an internal sender, because they recognized their own domain as the sender. For example, suppose that the organization receiving the mail was the government of Washington State:

SMTP Mail From: alkwnrezebuzez.com
P2 From: admin@wa.state.gov
To: tzink@wa.state.gov
Subject: Update your credentials

Dear recipient,
We are upgrading our security infrastructure. Please login to the following site and enter your credentials so it will update in our systems, otherwise your account will be locked out: http://security.wa.state.gov/user/login
Thanks for your co-operation in this regards,
Department of IT Security

Let's take this message apart and see what happened:

1. The state of Washington has published SPF records and tagged them with -all, which means that receivers should Hard Fail any mail that purports to come from its servers but whose sending IP is not in its SPF record. This is something that a responsible organ
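The mechanics behind point 1, as an added example that is not part of the original article: a minimal SPF evaluator (ip4/ip6 mechanisms and the trailing all qualifier only) run against the P1 envelope domain, next to what it would have said about the P2 header domain, with an alignment check between the two. The SPF record for wa.state.gov, the sending IP and the function names are constructed for the demonstration; only the two domains come from the sample message above.

```python
"""Added example (not from the Virus Bulletin article): a minimal SPF
evaluator plus the P1/P2 alignment check that the spoofing scenario above
needs.  The TXT record, the client IP and the function names are
constructed for the demonstration; only the domains of the article's
sample message are reused.
"""
import ipaddress

# Constructed DNS: the spoofed organization publishes "-all"; the
# spammer's envelope domain publishes nothing at all.  192.0.2.0/24 is a
# documentation range standing in for the organization's real senders.
DNS_TXT = {
    "wa.state.gov": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, client_ip, txt=DNS_TXT):
    """Return none/pass/fail/softfail/neutral for (domain, client_ip).

    Only ip4:/ip6: mechanisms and the final 'all' are implemented, which is
    all the article's case needs; include:, a and mx are out of scope.
    """
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                      # no policy published: nothing to fail
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = ("+", term)
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"                       # no mechanism matched: implicit ?all


def domain_of(address):
    """'admin@wa.state.gov' -> 'wa.state.gov'; a bare domain is returned as is."""
    return address.rsplit("@", 1)[-1].lower()


def aligned(p1_domain, p2_domain):
    """Envelope and header domains agree (exact or subdomain of the header domain)."""
    return p1_domain == p2_domain or p1_domain.endswith("." + p2_domain)


def classify(mail_from, header_from, client_ip, txt=DNS_TXT):
    """SPF is evaluated on the P1 (envelope) sender, so a spoofed P2
    (header) From is invisible to it.  Report both verdicts and whether the
    two domains line up; 'suspicious' is the article's pattern exactly."""
    p1, p2 = domain_of(mail_from), domain_of(header_from)
    spf_p1 = evaluate_spf(p1, client_ip, txt)      # what SPF actually checks
    spf_p2 = evaluate_spf(p2, client_ip, txt)      # what the reader assumes was checked
    return {
        "spf_envelope": spf_p1,
        "spf_header_domain_if_checked": spf_p2,
        "aligned": aligned(p1, p2),
        "suspicious": spf_p1 in ("none", "neutral")
                      and spf_p2 == "fail" and not aligned(p1, p2),
    }


# Constructed sample: the article's message, delivered from an IP outside
# the organization's published range.
SAMPLE = classify("alkwnrezebuzez.com", "admin@wa.state.gov", "198.51.100.7")

if __name__ == "__main__":
    for field, value in SAMPLE.items():
        print(f"{field}: {value}")
```

The envelope domain returns "none" because it publishes nothing, so the organization's "-all" never comes into play; only the header-domain check (what DMARC later standardized as alignment) exposes the forgery.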
155. ocess. The set-up is straightforward and rapid, with obviously no licence code or file to apply, although there is an offer to register online. With no reboot required, the process is complete in less than a minute. The interface is clean and simple, with little by way of additional modules, but comprehensive configuration controls are easily accessed via an 'expert mode' button. Stability was generally as solid as ever, although a couple of scan jobs in our speed tests seemed to linger long after they had completed and been told to shut; simply ending the task with a right-click was all it took to get things moving again though. Tests were completed in excellent time, with just a few hours at the end of an afternoon and some jobs running overnight, meaning several hours were cut from the expected day of testing.

Scanning speeds were very fast as usual, and on-access measures showed a light footprint too, with low use of RAM and CPU and a light impact on our set of tasks. Detection rates were pretty hard to beat, as is also usual for Avira, and even the proactive RAP set was more than 90% covered. The WildList was demolished and no issues emerged in the clean sets, with only a couple of items alerted on as adware. Avira thus earns another VB100 award quite comfortably. This free version of the product has only entered four tests in the last couple of years, but has aced all of them.

Avira AntiVir Professional 10.0.0.976
Virus definitio
156. on and parental control modules, as well as the anti-malware component. Operation is a little fiddly and unintuitive in places, but generally usable, with a good level of options. Stability was good, with no issues in any of the tests, and everything was done within less than a day.

[Chart: File access lag time (cont'd), lag time in s/GB on a 0-300 scale. Series: System drive; Archives (defaults cold, defaults warm, all files); Binaries and system files (defaults cold, defaults warm, all files); Media and documents (defaults cold, defaults warm, all files); Other file types (defaults cold, defaults warm, all files). Some values exceed chart area; please refer to text for full product names.]

Scanning speeds were fairly slow, but lag times were quite light, and while RAM use was around average and
157. on demand and reasonable on access, with no outrageous drain on system resources, and our set of jobs ran through in decent time. Detection rates were respectable, with decent coverage in all areas. With no issues in the main certification sets, PC Booster qualifies for its first VB100 award.

PC Renew Internet Security 2011
Version 1.1.48, definitions version 13.6.215
ItW: 100.00%; Polymorphic: 100.00%; ItW (o/a): 100.00%; Trojans: 86.49%; Worms & bots: 95.91%; False positives: 0

Yet another from the same stable, PC Renew, appearing for the first time this month, makes rather cheeky use of the standard phrase 'internet security', generally used to imply a multi-layered suite product but here providing little more than standard anti-malware protection based on the common VirusBuster engine.

With no change in the set-up process or interface, the only other area worth commenting on is the colour scheme, which here stuck to a fairly standard blue and white with a touch of warmth in the orange swirl of the logo. For some reason, some of the speed tests seemed a fraction slower than other similar products, but only by a few seconds a time, and on-access measures reversed the trend by coming in a touch lighter. Resource use was also fairly similar to the rest of the range, being reasonably light in all areas and not impacting too heav
158. [Table: on-demand throughput (MB/s) by file set, continued. Rows: Archive files (default cold, default warm, all files); Binaries and system files (default cold). Per-product values did not survive extraction. Please refer to text for full product names.]
159. one by using, for example, calc.exe as the ApplicationName of the CreateProcessA API.

Figure 2: Strings used by Rustock for infection checking.

PART II: HIDING THE HIDDEN

A variant of Rustock attempts to use a combination of a rootkit and ADS in an attempt to hide its code.

ADS in a folder

Given a file to infect, StreamC has shown us how simple it is to create an alternate data stream. A walk through Rustock's code will explain how to create an ADS in a folder. After a series of decryption routines, Rustock checks if the operating system is NT by looking at its version number, the same check as performed by StreamC. Then Rustock checks for an event synchronization object to avoid

Figure 3 (listing, partially recovered; the caption is cut off):

    PUSH ESI
    CALL DWORD PTR SS:[EBP+8FB]       ; kernel32.GlobalAddAtom
    LEA EAX, DWORD PTR SS:[EBP+5F5]
    PUSH EAX                          ; ASCII "lzx32.sys"
    PUSH EDI                          ; ASCII "C:\WINDOWS\system32"
    CALL DWORD PTR SS:[EBP+897]       ; kernel32.lstrcatA
    MOV ESI, EDI
    PUSH 0
    PUSH EDI                          ; ASCII "C:\WINDOWS\system32:lzx32.sys"
    CALL DWORD PTR SS:[EBP+8C3]       ; kernel32._lcreat
    CMP EAX, -1
    LEA EAX, DWORD PTR SS:[EBP+903]
    PUSH 19466                        ; length of the data to write
    PUSH EAX
    CALL DWORD PTR SS:[EBP+8C7]       ; kernel32._lwrite
    PUSH EDI
    CALL DWORD PTR SS:[EBP+8A7]       ; kernel32._lclose
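The same three steps (string concatenation, create/write/close on the "folder:stream" name) in Python, as an added example that is not part of the original article, together with the reverse operation an investigator needs when a path of that shape turns up in a log. The function names and the extra example paths are mine; only the "C:\WINDOWS\system32:lzx32.sys" path is from the listing above.

```python
"""Added example (not from the Virus Bulletin article): the file-system
side of the Rustock sequence walked through above, plus the reverse
operation for log triage.  stream_path() is the lstrcat step,
write_folder_stream() the _lcreat/_lwrite/_lclose step, and
split_stream_path() takes such a path apart again.  Function names and
the non-Rustock example paths are illustrative.
"""
import sys


def stream_path(folder, stream):
    """Rustock's lstrcat: '<folder>' + ':' + '<stream>'.  A trailing
    separator is stripped first, because 'C:\\dir\\:s' does not name a
    stream on 'dir'."""
    folder = folder.rstrip("\\/")
    if not stream or any(ch in stream for ch in ":\\/"):
        raise ValueError("stream name must be non-empty and free of ':' and separators")
    return f"{folder}:{stream}"


def split_stream_path(path):
    """Return (object_path, stream_name) for a Windows path that may carry
    an ADS suffix.  Handles the drive-letter colon, an explicit ':$DATA'
    type suffix and the unnamed default stream ('file::$DATA'), for which
    stream_name is None."""
    drive, rest = "", path
    if len(path) >= 2 and path[1] == ":" and path[0].isalpha():
        drive, rest = path[:2], path[2:]          # 'C:' is a drive, not a stream
    head, sep, name = rest.rpartition("\\")
    parts = name.split(":")                       # name[:stream[:type]]
    base = drive + head + sep + parts[0]
    if len(parts) == 1 or parts[1] == "":
        return base, None
    return base, parts[1]                         # parts[2], if present, is the type


def write_folder_stream(folder, stream, data):
    """_lcreat + _lwrite + _lclose on '<folder>:<stream>'.  Only NTFS on
    Windows accepts a named stream on a directory; elsewhere the open()
    would fail anyway, so the platform is checked up front."""
    if sys.platform != "win32":
        raise OSError("alternate data streams require NTFS on Windows")
    with open(stream_path(folder, stream), "wb") as fh:   # ':' selects the stream
        return fh.write(data)


RUSTOCK_PATH = stream_path("C:\\WINDOWS\\system32", "lzx32.sys")

if __name__ == "__main__":
    print(RUSTOCK_PATH, "->", split_stream_path(RUSTOCK_PATH))
```

A directory listing never shows the stream, which is the point of hiding the driver there; a scanner has to enumerate streams explicitly (or watch for the colon in paths passed to file-creation calls, as this parser does for logs).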
160. one and set up, with the product asking if it can be activated. No reboot is required and the process is all over in under ten seconds. This gives instant access to the interface, which is truly something to behold, in an eye-watering collection of bright and gaudy reds, yellows, oranges and pinks. The layout at least is pleasant and simple, with good navigation, although it is somewhat wordy in places and we found it easy to click in the wrong place where a lot of options were clustered close together.

[Chart: RAP detection scores, April 2011 (reactive weeks against proactive week, 0-100%). Products plotted include Kingsoft Advanced, Kingsoft Std A, Kingsoft Std B, Lavasoft, Trustport, Ikarus, G DATA, Coranti, Keniu, Avast, Check Point, ESET, UnThreat, PC Tools SD, PC Tools IS, VirusBuster, Symantec, Comodo, SPAMfighter, Returnil, Avertive, Clearsight, Digital Defender, Keyguard, LogicOcean, PC Booster, PC Renew, Preventon, Commtouch and AvailaSoft. Products with strikethrough generated false positives. Please refer to text for full product names.]

Running through the tests proved reasonably straightforward, although a couple of scan jobs seemed to have trouble traversing directory structures, occasionally only covering the
161. onsists of updating its settings and/or updating the contact and phone number tables (ADD SENDER, REM SENDER and SET SENDER commands). Later, the effective behaviour of the trojan relies only on those two parameters.

The trojan's settings are dumped in c:\20022B8E\settings2.dat. The format of the file is the following:

1. The first byte represents the state of the trojan: 0 if it is off, 1 if it is on (enabled).
2. The second byte represents the monitoring case: 0 to monitor the phone numbers specified in the table, and 1 to monitor any numbers (in the case of ADD SENDER ALL).
3. The third byte represents the blocking state: 0 if calls must not be blocked and 1 if they must be blocked (BLOCK ON/OFF).
4. The remaining bytes correspond to the externalized 16-bit Unicode string object (TDesC16) for the administrator's phone number.

[Figure 4: How Zitmo parses SMS commands (flowchart). Count the number of spaces in the SMS body; an invalid command returns code 10; otherwise dispatch on the command: code 1, code 9, code 3 (count commas, add each phone to the DB), code 4 (count commas, remove each phone from the DB), code 6 (write settings2.dat); print to the hidden debug window and return the code.]

Figure 5: Zitmo's initial settings file:

    00000000  00 01 00 34 2b 34 34 37 37 38 31 34 38 xx xx xx  |...4+44778148xxx|
    00000010  xx

For example, the settings of Figure 5 correspond to a disabled trojan (OFF), configured to
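A parser and encoder for that layout, run on a reconstruction of Figure 5, as an added example that is not part of the original article. The three flag bytes follow the description above; the decoding of the phone-number field is my reading of Symbian's externalized descriptor format (a TCardinality header whose decoded value is length<<1, with the low bit set when the characters are stored as 16-bit units rather than one byte each), which the article does not spell out and which is therefore an assumption. The masked digits of Figure 5 are replaced with the letter x.

```python
"""Added example (not from the Virus Bulletin article): parser/encoder for
settings2.dat as described above, exercised on a reconstruction of
Figure 5.  The descriptor encoding (TCardinality header, 8-bit or UTF-16LE
body) is an assumption about Symbian's ExternalizeL for TDesC16; the flag
bytes follow the article.  Masked digits are written as 'x'.
"""
import struct


def read_cardinality(buf, pos):
    """Symbian TCardinality: 1, 2 or 4 bytes, selected by the low bits of
    the first byte (assumption).  Returns (value, new_pos)."""
    b0 = buf[pos]
    if b0 & 1 == 0:
        return b0 >> 1, pos + 1
    if b0 & 3 == 1:
        return struct.unpack_from("<H", buf, pos)[0] >> 2, pos + 2
    return struct.unpack_from("<I", buf, pos)[0] >> 3, pos + 4


def write_cardinality(value):
    if value < 0x40:
        return bytes([value << 1])
    if value < 0x2000:
        return struct.pack("<H", (value << 2) | 1)
    return struct.pack("<I", (value << 3) | 3)


def read_des16(buf, pos):
    """Externalized TDesC16 (assumption): header = length<<1 | wide, then
    'length' characters as UTF-16LE if wide, otherwise one byte each."""
    header, pos = read_cardinality(buf, pos)
    length, wide = header >> 1, header & 1
    size = 2 * length if wide else length
    raw = buf[pos:pos + size]
    if len(raw) != size:
        raise ValueError("descriptor truncated")
    return (raw.decode("utf-16-le") if wide else raw.decode("latin-1")), pos + size


def write_des16(text):
    wide = any(ord(c) > 0xFF for c in text)
    body = text.encode("utf-16-le") if wide else text.encode("latin-1")
    return write_cardinality((len(text) << 1) | int(wide)) + body


def parse_settings(buf):
    """Decode settings2.dat into the four fields the article lists."""
    if len(buf) < 4:
        raise ValueError("settings2.dat too short")
    admin, end = read_des16(buf, 3)
    if end != len(buf):
        raise ValueError(f"{len(buf) - end} unexpected trailing byte(s)")
    return {
        "enabled": bool(buf[0]),             # byte 0: trojan ON (1) / OFF (0)
        "monitor_any_number": bool(buf[1]),  # byte 1: 1 after ADD SENDER ALL
        "block_calls": bool(buf[2]),         # byte 2: BLOCK ON (1) / OFF (0)
        "admin_number": admin,               # bytes 3..: externalized TDesC16
    }


def build_settings(enabled, monitor_any, block_calls, admin_number):
    """Inverse of parse_settings: what a SET SENDER / BLOCK / ON-OFF
    command sequence would leave on disk."""
    flags = bytes([int(enabled), int(monitor_any), int(block_calls)])
    return flags + write_des16(admin_number)


# Constructed from Figure 5: 00 01 00 34 2b 34 34 37 37 38 31 34 38 xx xx xx xx.
# 0x34 decodes to 26 = 13<<1 | 0: a 13-character number stored one byte
# per character, which matches the ASCII digits visible in the dump.
FIGURE5 = bytes([0x00, 0x01, 0x00, 0x34]) + b"+44778148xxxx"

if __name__ == "__main__":
    for field, value in parse_settings(FIGURE5).items():
        print(f"{field}: {value}")
```

The header byte 0x34 is what ties the dump to the description: a 13-character administrator number gives 13<<1 = 26, and TCardinality stores 26 in one byte as 26<<1 = 0x34, so the 17-byte file is fully accounted for.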
162. orative Research Center was examined in a roundtable discussion.

PATCHER

For those like me who do not dissect malware and botnets on a daily basis, a presentation on the Patcher rootkit was particularly interesting. It certainly showed that phishing has evolved a great deal since the days when websites only vaguely resembled those of banks and victims were expected to fill in their credit card details, their social security number and their PayPal password. Patcher patches a number of Windows files in a near-undetectable way so that traffic between the user and their bank is intercepted and modified. Not only does the malware steal money from the user's account, it also hides these transactions and modifies the account balance whenever the user visits the bank's website.

TOOLS AND TECHNIQUES

With researchers digging so deep into the crooks' systems, it is easy to lose sight of the ethical principles guiding IT research, and this topic was addressed in a presentation by Erin Kenneally of eLCHEMY Inc. But fighting cybercrime is not just about fighting specific gangs or detecting specific pieces of malware. Just as important in the fight against crime and the protection of users is to detect and block the tools used by the crooks. One example of such a tool is fast-flux DNS, where malicious domains point to constantly changing IP addresses to prevent detection and make the corresponding websites less vulnera
163. ost computer users. The situation is not helped by the fact that many websites in China are optimized for, and tested only on, IE 6, thus forcing users to stick with the old version. Taking all these facts into consideration, I am afraid that IE 6 will not disappear any time soon. The target population must be served by enabling Internet Explorer upgrades and critical OS vulnerability fixes regardless of licence, or even by a final wrap-up installer of XP.

But is it really a problem we should care about? Why bother if one third of Chinese web browsers are as old as an entry-level single malt whisky? According to Wikipedia, IE 6 has 473 publicly known unpatched vulnerabilities, i.e. these will never be fixed. All other versions and browsers have just 94 combined. In other words, IE 6 has five times more open vulnerabilities than all the other browsers put together.

One other thing has also changed since 2001. Back then, the primary distribution medium for malware was email. Nowadays the primary intrusion media are drive-by exploits introduced during web browsing, and this is what makes using this dinosaur of a browser so dangerous. Failing to upgrade the browser leaves the most vulnerable entrance to the computing system the least protected.

Before you ask: my son is fine. He's the only thing in my inventory list from 2001 that keeps improving.

http://en.wikipedia.org/w/index.php?title=Comparison_of_web_browsers&oldid=421471
164. ots: 99.17%; False positives: 0; RAP: 94.0%

[Chart legend: System drive; Archives (defaults cold, defaults warm, all files); Binaries and system files (defaults cold, defaults warm, all files); Media and documents (defaults cold, defaults warm, all files); Other file types (defaults cold, defaults warm, all files). Some values exceed chart area.]

Check Point's ZoneAlarm is a bit of a classic name in security, the free firewall offering having been a common sight for many years. The premium suite version, with anti-malware based on the solid Kaspersky engine, has been around a good while too, and has been a regular, if infrequent, participant in our comparatives for several years. The current version came as a 148MB installer, with 81MB of updates provided separately. The set-up process includes the option to install a browser toolbar, subscription to an email newsletter, and the option to disable protection after install for those users installing in conjunction with another anti-malware product. A reboot is needed to complete the process. The interface is plain and unfussy, with small icons and lots of text. The suite includes the firewall of course, as well as program control, mail and identity protecti
165. ough, and a snapshot of the system was taken for later testing. The product interface is quite attractive, with its near-black background and hot red highlights. As well as the anti-malware and firewall components, the suite includes a well-regarded HIPS system (Defense+) and much else besides. Controls lean towards the text-heavy rather than the blobby icons favoured by many, which makes them less easy to get lost amongst, and an excellent level of configuration is provided throughout. Stability seemed good in general, with some slowdowns in early runs attributed to the cloud component. This was disabled for on-demand scans, but as far as we could tell it could not be switched off for the on-access module. Simply disconnecting from the lab network solved this little snag, and the rest of the test suite powered through in good time.

Scanning speeds were on the low side of average, with light lag times on access, very low use of system resources and no great impact on the run time of our activities set.

[Table: Performance measures: idle system RAM usage increase, busy system RAM usage increase, busy system CPU usage increase, standard file activities time increase.]

Detection rates were excellent and declined only very slightly across the RAP sets. The WildList was handled nicely, and with only two entirely permissible suspicious alerts in the clean sets, Comodo earns its first VB100 award.
166. [Table: Archive scanning (cont'd). Columns per product: on-demand (OD) and on-access (OA) results for ZIP, ZIPX, RAR, LZH, JAR, EXE-ZIP, CAB and EXE-RAR archives, plus EXT (randomly chosen extension). Rows on this page: F-Secure Client Security, F-Secure Internet Security, Ikarus T3 virus.utilities, eEye Blink, Comodo IS Premium, Coranti 2010, Defenx Security Suite, Digital Defender, EmsiSoft Anti-Malware, eScan Internet Security, ESET NOD32, Filseclab Twister, Fortinet FortiClient, Frisk F-PROT, G DATA AntiVirus 2011, Hauri ViRobot Desktop. Per-cell values did not survive extraction.

Key: tick = detection of EICAR test file up to ten levels of nesting; X = no detection of EICAR test file; X/tick = default settings / all files; 1-9 = detection of EICAR test file up to the specified nesting level; EXT = detection of EICAR test file with randomly chosen file extension. Please refer to text for full product names.]
167. [Table: Archive scanning (cont'd). Rows on this page: PC Booster AV Booster, PC Renew IS 2011, PC Tools IS 2011, PC Tools Spyware Doctor, Preventon Antivirus, Qihoo 360 Antivirus, Quick Heal Total Security, Returnil System Safe 2011, Sofscan Professional, Sophos ESC, SPAMfighter VIRUSfighter, GFI/Sunbelt VIPRE, Symantec Endpoint Protection, Trustport Antivirus 2011, UnThreat Antivirus Pro, VirusBuster Professional, Webroot IS Complete. Per-cell values did not survive extraction.

Key: tick = detection of EICAR test file up to ten levels of nesting; X = no detection of EICAR test file; X/tick = default settings / all files; 1-9 = detection of EICAR test file up to the specified nesting level; EXT = detection of EICAR test file with randomly chosen file extension. Please refer to text for full product names.]

scanning inside archives on access. However, it is generally solid and intuitive. Occasionally the interface tends to get itself in a bit of a twist after a scan job, but it invariably sorts itself out within a few moments, and the only other issue noted was the occasional scan display screen not finishing properly, lingeri
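How the archive-scanning table's "1-9" and ten-level entries come about, as an added example that is not part of the VB test suite: the EICAR test file is wrapped in ZIP archives N levels deep, in memory, and a toy scanner with a configurable nesting limit is run over the result. The archive names, the size guard and the depth limits are illustrative; the EICAR string itself is the standard 68-byte one, assembled from pieces so the source does not carry the signature verbatim.

```python
"""Added example (not from the Virus Bulletin test suite): build the
nested-EICAR samples the archive-scanning table measures and run a toy
scanner with a nesting limit over them, to show why a product rated '5'
in the table does not reach the ten-level sample.  Everything stays in
memory; names and limits are illustrative.
"""
import io
import zipfile

# The 68-byte EICAR test string, assembled in parts.
EICAR = ("X5O!P%@AP[4" + "\\" + "PZX54(P^)7CC)7}$"
         + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
EICAR_BYTES = EICAR.encode("ascii")


def nest_eicar(levels, inner_name="eicar.com", archive_name="level{n}.zip"):
    """Return the bytes of EICAR wrapped 'levels' times in ZIP (0 = bare file)."""
    payload, name = EICAR_BYTES, inner_name
    for n in range(1, levels + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, payload)
        payload, name = buf.getvalue(), archive_name.format(n=n)
    return payload


def scan(data, max_depth, depth=0, member_limit=64 * 1024 * 1024):
    """Toy on-demand scanner.  Returns the nesting depth at which EICAR was
    found, or None.  Archives at depth >= max_depth are not opened, which is
    the behaviour a '1-9' entry in the table records; oversized members are
    skipped as a crude archive-bomb guard."""
    if data.startswith(EICAR_BYTES):           # EICAR must begin the file
        return depth
    if depth >= max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.infolist():
            if member.file_size > member_limit:
                continue
            hit = scan(zf.read(member), max_depth, depth + 1, member_limit)
            if hit is not None:
                return hit
    return None


def table_entry(levels_present, max_depth):
    """Render the verdict the way the table does: tick when the full-depth
    sample is caught, the deepest level reached when it is not, X when the
    scanner never looks inside an archive at all."""
    if scan(nest_eicar(levels_present), max_depth) == levels_present:
        return "tick"
    deepest = 0
    for d in range(1, levels_present + 1):
        if scan(nest_eicar(d), max_depth) == d:
            deepest = d
    return "X" if deepest == 0 else str(deepest)


if __name__ == "__main__":
    for limit in (0, 5, 10):
        print(f"nesting limit {limit:2d}: {table_entry(10, limit)}")
```

The same harness works for any container the scanner under test claims to open; the ten-level ZIP case is simply the one the table uses as its ceiling.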
168. r and includes references to the old name in several folders and files used by the installed product. Much of the detection is provided by the Ikarus engine.
RAP score: 92.0%
This month's submission measured a little over 100MB including all updates, and ran through the standard steps followed by a lightning-fast installation. With this complete, no reboot was required; a configuration wizard ran through some set-up stages, including licensing, updates, joining a feedback system and an initial system scan. The interface is quite appealing, adorned with a rotating Trojan horse image, and has a few quirks of design, but is generally clearly laid out and not too difficult to operate. Configuration is reasonable, but provides no option to simply block access to infected items in the on-access module, something which often causes problems in large-scale testing.
Scanning speeds were fairly slow, but on-access lag times were extremely low, with low use of system memory. CPU cycle use was a little higher than average though, and our suite of standard jobs took a little longer than usual to complete.
Once we got onto the infected sets, the need to disinfect or quarantine all samples, or else respond to a pop-up for each and every one, soon caused the expected problems, with the product freezing up entirely and refusing to respond to anything. Even after a reboot it proved
169. rates were pretty good, with a step down in the second half of the RAP sets, but the WildList was handled fine and the clean sets threw up only a handful of adware alerts, presumably from the anti-spyware component which has been added to the product title since previous entries. A VB100 award is duly earned, doubtless to great relief at McAfee, making two passes and two fails from four entries in the last six tests; the two-year picture is much brighter, with eight passes and two fails, with two tests not entered.
Microsoft Forefront Endpoint Protection 2010
Version 2.0.657.0, anti-malware client version 3.0.8107.0, engine version 1.1.6502.0, anti-virus definition version 1.97.2262.0
ItW 100.00%, Polymorphic 100.00%, ItW (o/a) 100.00%, Trojans 90.96%, Worms & bots 99.12%, False positives 0
Microsoft has generally alternated its Forefront and Security Essentials products in our server and desktop tests respectively, but this pattern is shaken up a little this month with the corporate product appearing. The installer is compact at 19MB, with 63MB of updates also provided. The set-up process is fairly simple, with a half-dozen steps to click through and no reboot required, and all is done in under a minute. The product interface is similarly brief and to the point, only providing a minimal set of controls and in some places mincing words to a rather confusing deg
170. rd, its first since this time last year thanks to a string of bad luck; we fully expect the product to continue to do well.
eEye Digital Security Blink Professional 4.7.1
Rule version 1603, anti-virus version 1.1.1257
ItW 100.00%, Polymorphic 99.98%, ItW (o/a) 100.00%, Trojans 86.73%, Worms & bots 89.16%, False positives 0
Having initially only participated in VB100 tests once a year, in the annual XP test, eEye's Blink has recently become a more regular participant and the product has become quite familiar to the test team. Its most notable feature is the vulnerability monitoring system, which is the company's speciality and which sits alongside anti-malware protection provided by Norman.
RAP score: 81.3%
The product arrived as a fairly sizeable 157MB install package, with an additional 94MB of updates. The installation process is not complex but takes a minute or two, starting off with the installation of some supporting packages and ending with no need to reboot. After installation the firewall seems to be switched off by default, but the anti-malware component, included alongside the vulnerability management and intrusion prevention system, is up and running from the off. The interface is of fairly standard design, with status and configuration sections for each module, and controls are limited but provide the basic requirements. We encountered n
171. ree. However, it is generally usable, and it ran stably throughout the test suite. From past experience we knew to expect long scanning times over large sets of infected samples, but leaving this over a weekend proved a successful tactic and no testing time was wasted.
RAP score: 91.9%
Over clean files scan times were not too bad, and on-access measures proved fairly light, with low use of resources and one of the fastest average times taken to complete our set of tasks. Detection rates were pretty solid, with a very gradual decline across the RAP sets, and the WildList set proved no problem at all. Our clean set threw up only a handful of adware alerts, hinting that we may want to clean out some of the less salubrious items from the popular download sites, and a VB100 is thus comfortably earned. Forefront has taken part in only five tests in the last two years (only two of the last six comparatives), but has an excellent record, with every entry achieving certification.
Nifty Corporation Security 24
Version 3.0.1.50, client 5.63.2
ItW 100.00%, Polymorphic 100.00%, ItW (o/a) 100.00%, Trojans 93.53%, Worms & bots 99.45%, False positives 0
Nifty has become a regular participant in our comparatives, the Japanese company providing its own quirky interface over the Kaspersky engine and showing no signs of adding translated versions. As usual, therefore, we relied
172. resumably in everyday usage there is some marginal performance gain from this approach, although it seems unlikely to be much given the size of most real-world results logs. In a testing environment this almost invariably causes problems. On this occasion scans began at a lightning pace, as we have come to expect from the excellent engine underlying the CA product range, but steadily grew slower and slower as RAM was eaten up with gusto. A first attempt at scanning the main test sets only, without even the RAP sets, ran for 18 hours and was consuming over 500MB of RAM before it froze out, leaving us with no option but to reboot the machine and abandon all the data not saved to disk. Scans were run in smaller chunks, each one carefully measured to hit the happy zone where speed hadn't slowed down too much and crashes were unlikely. As a result of the extra work and time involved in running over 20 jobs in place of one, testing took rather more than the 24 hours we had allocated each product, although not too much more, thanks to good speeds in the on-access run over the infected set.
Thanks to smart caching of results over the clean sets, scanning speeds went from good in the cold measures to excellent in the warm, while file access lag times were not bad either. In the performance measures we saw a fairly low addition to our activities' run time, while CPU and RAM use were both fairly high. Detection rates were fairly respectable in genera
173. rried about my own presentation on evaluating spam filters not being academic enough (in fact, having spent some time in academia, I thought this would be a good opportunity to dust off my mathematical notations to make simple things look a little more complicated). Rather, cybercrime is a very serious issue and I didn't believe it would benefit greatly from being discussed on a purely academic level.
However, I needn't have been concerned: not only were the participating academics involved up to their elbows in the task of fighting online threats on a daily basis, but participants came from all areas of the field, from those dealing with user education, via those whose job it is to protect the users, to those involved in hunting down the cybercriminals and bringing them to justice. There were also representatives of perhaps the most prominent victims of online crime: financial institutions. In fact, many of the participants wore multiple hats.
NAMING AND MEASURING
The benefit of having such a broad range of participants became obvious during a discussion of the naming of malware families and botnets. When it was suggested that this was an exercise of little relevance in today's world of fast-changing threats (the naming practice dating from an era when just a handful of new samples were seen every day), a delegate who worked with law enforcement agencies stood up and said that for them naming and labelling is extremely important t
174. s. Their whitepapers. This will provide an indication of who is being targeted, as well as who is doing the attacking. It is about behaviour detection, not just malware detection. Mandia commented that hackers are not targeting operating systems but people; these people just happen to be using Windows. Companies need to implement DHCP, DNS and web access logging. Whole packet capture is not always optimal, but logging and analysis of activity, both coming and going, must be provided. User involvement and user education is also critical.
Mikko Hyppönen, F-Secure's Chief Research Officer, presented a compelling talk, the highlight of which was the world premiere of a video documenting Mikko's recent trip to Pakistan to meet the authors of Brain, the first PC virus, on the 25th anniversary of its release. The authors of the virus, brothers Basit and Amjad Alvi, had posted their names and address within the code, and Mikko found that they were still operating a legitimate business from the same address today. Brain was not intended to destroy data, and the brothers said that they regret seeing the destructive behaviour of today's malware. However, they said they believe that someone else would have written the first virus had it not been them.
CONCLUDING REMARKS
I could go on describing more presentations and keynotes, but there simply isn't enough room for all the content. RSA is by far the best networking event across the se
175. s, with only the two Linux comparatives not entered; three of those fails were in the last six tests.
Kingsoft Internet Security 2011 Standard-A
Program version 2008.11.6.63, engine version 2009.02.05.15, data stream 2007.03.29.18, virus definitions 2011.02.23.08
ItW 100.00%, Polymorphic 96.04%, ItW (o/a) 100.00%, Trojans 8.47%, Worms & bots 35.68%, False positives 0
Kingsoft has routinely entered its Standard product alongside the Advanced one, and this time offers two separate variants on the theme, Standard-A and Standard-B, although as usual they are hard to tell apart.
RAP score: 18.0%
The install process is again fast and simple, and the interface clean, responsive and easy to navigate, with good stability allowing us to get through all the tests in good time. Scanning speeds and lag times closely matched those of the Advanced edition, while RAM use was a little higher and CPU use a little lower, with impact on our activity set a little higher too. As expected, detection rates were even worse, with some truly terrible scores in the RAP sets, the proactive week score bizarrely some way better than the others. Despite this poor showing, the WildList set was covered fully and there were no issues in the clean sets, so a VB100 award is earned, just about. That makes for four passes and four fails in the last dozen tests, with four not entered in the last year
176. [Figure 10: Screenshot of IDA Pro during a remote step debugging of the trojan. In this case the function is adding a new row to the phone number table of the trojan. The disassembly, memory dump and "hit breakpoint" output windows are not legible in this extraction.]
The simplest way we found was to send a "set admin" command (due to a bug in the trojan, the command must be in lower case) with the phone number of our second phone. The more complicated way consisted of crafting a settings file with the new administrator's phone number, for example replacing the phone number at the end of the code in Figure 5. The settings file is located in a private, restricted directory though, so it is necessary first to install a hack on the phone [7] to access the directory. Once we had set up our phone as the new administrator, it was much easier to understand the code of the trojan: set up remote debugging of the device, send a command by SMS and step through the assembly line by line. For example, in Figure 10 we are debugging step by step t
177. s continued in the main infected sets, where a large job was left to run overnight only to find that no details could be shown the following morning. The task was repeated using the command-line scanner included with the product, with options tuned to approximate the GUI scanner as closely as possible. The scores turned up in the end were uniformly excellent, more than sufficient to cheer us up after a rather dismal testing spell; RAP scores were particularly impressive. The clean sets were found to contain only a riskware item, which is allowed, and the WildList set was covered without problems, thus earning F-Secure a VB100 award without difficulty. This product line has been entered in all desktop tests since late 2009, passing every time.
F-Secure Internet Security 2011
10.51 build 106, anti-virus 9.30 build 400
ItW 100.00%, Polymorphic 100.00%, ItW (o/a) 100.00%, Trojans 96.60%, Worms & bots 99.63%, False positives 0
Despite slightly different version details and a change of product title, this looks like a pretty similar product to the last. The 55MB installer and that same 125MB updater install slightly more simply, at least when choosing the automatic rather than step-by-step mode. After a minute or so copying files around and so on, it requests the opportunity to validate itself online, but no reboot is needed to finish things off.
RAP score: 95.9%
The interface is much like the previous product's
178. s dominated the extra 100,000 or so files added this month, while the retirement of some older and less relevant items from the set kept it at just under half a million unique files, weighing in at a hefty 125GB.
Some plans to revamp our speed sets were put on hold, and those sets were left pretty much unchanged from the last few tests. However, a new performance test was put together, using samples once again selected for their appropriateness to the average home desktop situation. This new test was designed to reproduce a simple set of standard file operations and, by measuring how long they took to perform and what resources were used, to reflect the impact of security solutions on everyday activities. We selected at random several hundred music, video and still picture files of various types and sizes and placed them on a dedicated web server that was visible to the test machines. During the test these files were downloaded, both individually and as simple zip archives, moved from one place to another, copied back again, extracted from archives and compressed into archives, then deleted. The time taken to complete these activities, as well as the amount of RAM and CPU time used during them, was measured and compared with baselines taken on unprotected systems. As with all our performance tests, each measure was taken several times and averaged, and care was taken to avoid compromising the data; for example, the download stage was run on
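The activity set described above, as an added example that is not Virus Bulletin's own test harness: a small Python reproduction that generates its own sample files (constructed random data standing in for the music, video and picture set) in a temporary directory instead of fetching them from a web server, runs the fetch/zip/move/copy-back/extract/compress/delete cycle several times, and averages wall-clock time and the process's own CPU time. The file counts and sizes are assumptions, and the "download" stage is modelled as a local copy.

```python
import os
import random
import shutil
import statistics
import tempfile
import time
import zipfile


def make_samples(src_dir, count=12, size=32 * 1024, seed=7):
    """Constructed stand-ins for the music/video/picture set: random bytes.
    count and size are assumptions, not the VB test's values."""
    rng = random.Random(seed)
    os.makedirs(src_dir, exist_ok=True)
    names = []
    for i in range(count):
        name = os.path.join(src_dir, f"sample_{i:03d}.bin")
        with open(name, "wb") as fh:
            fh.write(rng.randbytes(size))
        names.append(name)
    return names


def run_activities(samples, work_dir):
    """One pass of the activity set: fetch each file individually and as one
    zip archive (a local copy stands in for the HTTP download), move them,
    copy them back, extract the archive, compress everything, delete it all."""
    fetched = os.path.join(work_dir, "fetched")
    moved = os.path.join(work_dir, "moved")
    extracted = os.path.join(work_dir, "extracted")
    for d in (fetched, moved, extracted):
        os.makedirs(d, exist_ok=True)
    for s in samples:                      # "download" individually
        shutil.copy(s, fetched)
    bundle = os.path.join(work_dir, "bundle.zip")
    with zipfile.ZipFile(bundle, "w", zipfile.ZIP_STORED) as zf:
        for s in samples:                  # "download" as a simple zip archive
            zf.write(s, os.path.basename(s))
    for name in os.listdir(fetched):       # move from one place to another
        shutil.move(os.path.join(fetched, name), moved)
    for name in os.listdir(moved):         # copy back again
        shutil.copy(os.path.join(moved, name), fetched)
    with zipfile.ZipFile(bundle) as zf:    # extract from the archive
        zf.extractall(extracted)
    rezip = os.path.join(work_dir, "rezip.zip")
    with zipfile.ZipFile(rezip, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in os.listdir(extracted): # compress into a new archive
            zf.write(os.path.join(extracted, name), name)
    for d in (fetched, moved, extracted):  # delete everything produced
        shutil.rmtree(d)
    os.remove(bundle)
    os.remove(rezip)
    return len(samples)


def benchmark(runs=3, **sample_kwargs):
    """Run the activity set several times and average, as the text describes.
    Caveat: an on-access scanner spends its CPU in its own service and in the
    kernel, so process_time() only captures the client side; compare the
    wall-clock figure against a run on an unprotected baseline machine."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = make_samples(os.path.join(tmp, "server"), **sample_kwargs)
        wall, cpu = [], []
        for _ in range(runs):
            work = os.path.join(tmp, "work")
            os.makedirs(work, exist_ok=True)
            t0, c0 = time.perf_counter(), time.process_time()
            n = run_activities(samples, work)
            wall.append(time.perf_counter() - t0)
            cpu.append(time.process_time() - c0)
            shutil.rmtree(work)
    return {
        "files": n,
        "runs": runs,
        "wall_mean_s": statistics.mean(wall),
        "wall_stdev_s": statistics.pstdev(wall),
        "cpu_mean_s": statistics.mean(cpu),
    }


if __name__ == "__main__":
    print(benchmark())
```

Run it once with the security product disabled and once with it enabled; the difference in wall_mean_s is the impact figure, and the spread in wall_stdev_s tells you whether the run count is high enough for that difference to mean anything.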
179. s than real time. This approach probably helped with the on-access speed measures, which seemed very light, while on-demand scans were on the slow side. RAM consumption was high, although CPU use was about average and impact on our set of everyday jobs was not heavy. Detection rates, when finally pieced together, proved just as excellent as we expect from the underlying engine, with very high scores in all areas, and with no issues in the core sets a VB100 award is duly earned. Since its first entry in December 2009, Qihoo has achieved six passes and a single fail, with three tests not entered; the last six tests show three passes and a fail from four entries.
Quick Heal Total Security 2011
Version 12.00 (5.0.0.2) SP1
ItW 100.00%, Polymorphic 100.00%, ItW (o/a) 100.00%, Trojans 82.64%, Worms & bots 92.72%, False positives 0
Quick Heal is one of our more venerable regulars, with entries dating back to 2002, and the vendor hasn't missed a test since way back in August 2006.
RAP score: 90.3%
The current product revels in the now popular 'Total Security' title and offers a thorough set of suite components, including all the expected firewalling and anti-spam modules. As such, the installer package weighs in at a sizeable 205MB. The set-up process is fast and easy though, with only a couple of steps to click through, and less
180. [Figure 6: Some registry start-ups added by Joleee. The debugger listing shows the values being written: a value named "userini" under Software\Microsoft\Windows\CurrentVersion\Run and under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, in the hive passed as 0x80000001 (HKEY_CURRENT_USER), with the data "C:\WINDOWS\explorer.exe:userini.exe". The surrounding disassembly is not legible in this extraction.]
itself into its memory space using the VirtualAlloc and ReadFile APIs, and writes the malcode to the newly opened ADS file using WriteFile. Once the ADS version of Joleee is attached to explorer.exe, the malware continues with the rest of its malicious actions: it drops a copy of its encrypted version in the system folder and will attempt to delete itself from the current directory. It then
Survival in the wild
With a combination of spamming, decryption, anti-debugging tricks and a touch of ADS, Joleee has all the ingredients needed to survive in the wild for long enough to
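A detection check for the persistence trick shown in Figure 6, added here as an example and not part of the original article: an autostart value whose image path carries an alternate data stream name (explorer.exe:userini.exe) is something no legitimate Run entry needs. The sample entries below are constructed to mirror the figure, not dumped from a real machine; the live-registry scan uses the standard winreg module and only runs on Windows.

```python
import re

# Constructed sample of autostart entries (key path, value name, data),
# modelled on the Figure 6 start-ups: not a dump from a real machine.
SAMPLE_RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "userini", r"C:\WINDOWS\explorer.exe:userini.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "userini", r"C:\WINDOWS\explorer.exe:userini.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "Updater", r'"C:\Program Files\Vendor\updater.exe" /background'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "Agent", r"C:\Program Files\Vendor\agent.exe -start"),
]

RUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
)


def extract_image_path(data):
    """Return the executable path from an autostart value: either the quoted
    string at the start, or the unquoted text up to the first argument."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return re.split(r"\s+(?=[-/])", data, maxsplit=1)[0]


def is_ads_path(path):
    """True when the final path component names an alternate data stream
    (host.exe:stream). The drive-letter colon is ignored, so C:foo is not ADS."""
    body = path[2:] if re.match(r"^[A-Za-z]:", path) else path
    leaf = body.rsplit("\\", 1)[-1]
    host, sep, stream = leaf.partition(":")
    return bool(sep) and bool(host) and bool(stream)


def find_ads_autostarts(entries):
    """Filter (key, name, data) entries down to those whose image lives in an
    ADS, the persistence trick Joleee uses on explorer.exe."""
    return [(key, name, data) for key, name, data in entries
            if is_ads_path(extract_image_path(data))]


def scan_live_registry():
    """Windows only: collect the string values of both Run keys in HKCU and
    HKLM and run the same filter over them."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = []
    for hive_name, hive in hives.items():
        for sub in RUN_KEYS:
            try:
                key = winreg.OpenKey(hive, sub)
            except OSError:
                continue
            with key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break
                    if isinstance(data, str):
                        entries.append((hive_name + "\\" + sub, name, data))
                    index += 1
    return find_ads_autostarts(entries)


if __name__ == "__main__":
    for key, name, data in find_ads_autostarts(SAMPLE_RUN_ENTRIES):
        print(f"ADS autostart: {key}\\{name} = {data}")
```

The check is deliberately narrow: it flags the stream syntax in the image path, not the name "userini", so a renamed variant using the same explorer.exe stream trick is still caught, while a rename of the stream host to some other file is caught too.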
181. [Chart: resource usage increase and standard file activities time increase; values are not legible in this extraction.]
perfectly, and a VB100 is awarded to Defenx for its efforts. The vendor's history in our comparatives is impeccable, with seven entries and seven passes; the recent Linux test is the only one not entered since the product's first appearance in last year's XP comparative.
Digital Defender 2.1.48
Definitions version 13.6.215
ItW 100.00%, Polymorphic 100.00%, ItW (o/a) 100.00%, Trojans 86.49%, Worms & bots 95.91%, False positives 0
Another member of the Preventon club, Digital Defender has been around longer than most, with more than a year's worth of comparatives under its belt. The install process for the familiar 67MB package held no surprises, with a few stages and online activation all dealt with in a minute or so, no reboot required. The interface has a pleasant minty green hue, its layout once again giving us little to worry about, with the same simple design and reasonable set of options. No stability issues were noted and testing went according to plan, completing within 24 hours.
RAP score: 85.2%
Scanning speeds were slowish and lag times not too zippy, but resource consumption was low and our set of jobs was not too heavily impacted. Detection rates closely matched those of the rest of the product family, with little to complain about, and the core certification sets were handled without fuss. Digital Defender thus earns a VB100 awa
182. sk and straightforward, and could be dealt with within a few minutes with little effort. The interface is snazzy and stylish, if a little baffling at times; there are several components, including firewalling, intrusion prevention and parental controls, but the configuration is scattered and often less than clear. Stability seems fine though, with no crashes or hangs at usual levels of pressure. When running the seriously strenuous tests for our malware detection measures though, some cracks began to show. Like several others of late, the developers seem to have decided that it would be a good idea to store all detection results in memory only, writing out to file at the end of a scan. P
[Chart: on-demand scanning speed by file set. Series: System drive; Archives (defaults cold, defaults warm, all files); Binaries and system files (defaults cold, defaults warm, all files); Media and documents (defaults cold, defaults warm, all files); Other file types (defaults warm, and the remaining measures). Some values exceed chart area; the values and product labels are not legible in this extraction.]
183. smartcard reader. The only vulnerability we foresee is race attacks, where the signed authentication challenge could be intercepted by the cybercriminals and sent to the bank by them before the victim. This protocol can probably be improved. In the future, mobile phones could act as smartcard readers as long as their SIMs have the capability to store a keypair and the phone features a secure keyboard [3].
CONCLUSION
In this two-part series we have shown how cybercriminals related to the Zeus gang have stolen online banking credentials, even in cases where the bank sends an mTAN to the end user's mobile phone. We have provided an in-depth analysis of the malicious mobile component, Zitmo, which infects Symbian mobile phones. We have explained how the trojan intercepts all incoming SMS messages. Using a disassembler tool with a Symbian remote debugger, and configuring a sane phone to act as the attacker, we have stepped through Zitmo's malicious code and revealed the entire process of SMS interception and handling. This technique even succeeded in helping us display a debug window the malware authors had hidden. We have also covered how the cybercriminals probably wrote Zitmo: during our research we noticed a very similar piece of spyware and found that Zitmo was closely related to it, with a high percentage of identical routines and strings. So the motivation, implementation and inspiration of Zitmo have all been explained. On a technica
184. something for certain, either one way or the other. To illustrate this, here are the results of an SPF check:
• SPF Pass: we can state with certainty that the sending IP of the message is permitted to send mail for that domain. It is explicitly stated in the SPF record published by that domain.
• SPF Hard Fail: we can state with certainty that the sending IP of the message is not permitted to send mail for that domain, and it should be treated with great suspicion.
• SPF Soft Fail: we can state with certainty (although a lot less of it) that the sending IP is not permitted to send mail for that domain.
• SPF None: we cannot state one way or the other whether the sending IP is permitted to send mail for the sending domain, and the result is ambiguous. This is what I mean by non-authoritative: we just don't know.
• SPF Neutral: similar to SPF None, we don't know whether or not the IP is permitted to send mail for the sending domain. Again, it is ambiguous. Is it neutral because the sender forgot to include the IP in the SPF record, because the message is forwarded, or because the sender is forged? We can't assert either way.
• SPF Temp Error / Perm Error: the same as the above, we can't say one way or the other whether the sending IP is permitted to send mail for the domain.
The implementation we came up with was to send all messages in our pipeline through a standard SPF check. If the message returns Pass or Fai
185. ss. However, if it were performed on the P2 From address (the one that is displayed in the mail client), the result would be an SPF Hard Fail. Many spam filters assign this a heavy weight, and there is a good chance that the message would subsequently be marked as spam, the exact opposite of what is desired.
Thus we are in a position where performing a standard SPF check leaves our recipients open to phishing attacks, while performing a modified SPF check on the P2 From address (i.e. performing a SenderID check) has the very real possibility of marking legitimate messages as spam and generating false positives. What can we do? How can we get the best from SPF and SenderID (stopping phishing) while avoiding the worst of SPF and SenderID (false positives)?
COMBINING SPF AND SENDERID
While investigating these two technologies, I liked SenderID's ability to combat spoofing of the P2 From address, because that is what is displayed to the end user. However, I could not stomach the idea of generating false positives. The solution was to combine SPF and SenderID and perform both checks. They would not both be performed every time, but conditionally: a SenderID check would only be performed in the event that a standard SPF check returned a non-authoritative authentication result.
What do I mean by non-authoritative? Rather than the conventional Internet industry use of the term, I use it to refer to an assertion that we cannot say
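The result classes listed under the SPF check above and the conditional SPF-then-SenderID scheme described here, as one added example that is not the author's implementation: a minimal SPF evaluator (ip4 mechanisms and the all qualifiers only) over constructed records that stand in for DNS, plus the combining rule, which consults the P2 (header From) domain only when the P1 (MAIL FROM) result is non-authoritative. Treating the header From as the SenderID identity (rather than the full PRA algorithm), the placeholder domains and addresses, and the absence of any real DNS lookup are all assumptions of this example.

```python
import ipaddress

# Results in the page's own terms; Temp Error / Perm Error share the
# "non-authoritative" bucket with None and Neutral.
AUTHORITATIVE = {"pass", "hardfail"}
QUALIFIER_RESULT = {"+": "pass", "-": "hardfail", "~": "softfail", "?": "neutral"}

# Constructed SPF records standing in for DNS TXT lookups (assumption: this
# example never touches the network; domains and IPs are documentation ranges).
FAKE_DNS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "newsletter.example": "v=spf1 ip4:198.51.100.10 ~all",
    "ambiguous.example": "v=spf1 ip4:203.0.113.5 ?all",
    "nospf.example": None,
}


def spf_check(ip, domain, dns=FAKE_DNS):
    """Minimal SPF evaluator supporting only ip4 mechanisms and 'all'.
    Returns one of: pass, hardfail, softfail, neutral, none, permerror."""
    if domain not in dns:
        return "permerror"          # stands in for a failed lookup
    record = dns[domain]
    if record is None:
        return "none"               # domain publishes no SPF record
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIER_RESULT:
            qualifier, mech = term[0], term[1:]
        if mech.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(mech[4:], strict=False)
        elif mech == "all":
            matched = True
        else:
            return "permerror"      # a/mx/include/exists are not modelled here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                # no mechanism matched: the SPF default


def combined_check(ip, mail_from_domain, header_from_domain, dns=FAKE_DNS):
    """The conditional scheme from the text: SPF on the P1 (MAIL FROM) domain;
    a SenderID-style check on the P2 (header From) domain only when the SPF
    result is non-authoritative. Returns the decision and which check made it."""
    spf = spf_check(ip, mail_from_domain, dns)
    if spf in AUTHORITATIVE:
        return {"decision": spf, "source": "spf", "spf": spf, "senderid": None}
    senderid = spf_check(ip, header_from_domain, dns)
    return {"decision": senderid, "source": "senderid",
            "spf": spf, "senderid": senderid}


if __name__ == "__main__":
    # Legitimate bank mail relayed by a forwarder: SPF on the forwarder's own
    # MAIL FROM passes, so the P2 From is never checked and forwarding does
    # not produce the hard fail that a bare SenderID check would give.
    print(combined_check("198.51.100.7", "forwarder.example", "bank.example"))
    # Phish: the MAIL FROM domain publishes no SPF (non-authoritative), so the
    # displayed From domain is checked and the bank's -all yields a hard fail.
    print(combined_check("203.0.113.9", "nospf.example", "bank.example"))
```

The forwarding case only comes out right when the forwarder rewrites MAIL FROM to its own domain; a forwarder that preserves the original envelope sender produces an authoritative hard fail at the SPF stage, which is the ordinary SPF-versus-forwarding problem the text alludes to and which this scheme does not attempt to solve.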
186. sses under its belt, with one pass and two unlucky fails in the last year.
Qihoo 360 Antivirus 1.1.0.1316
Signature date 2011-02-19
ItW 100.00%, Polymorphic 100.00%, ItW (o/a) 100.00%, Trojans 97.25%, Worms & bots 99.65%, False positives 0
Qihoo (apparently pronounced 'Chi Fu') is another of the wealth of solutions in the bustling Chinese market space, this one based on the BitDefender engine. Having entered our tests on several occasions in the last couple of years, the product has a decent record of passes, but has also put us through some rather odd experiences.
RAP score: 95.0%
The latest version came as a 110MB install package, including signatures from a few days before the submission deadline. Set-up was fast and easy, with no need to restart, and the process was complete in half a minute or so. The interface is fairly attractive, with bright colours and clear icons, a decent level of configuration options and a decent approach to usability. Stability seemed OK, and the oddities noted in previous tests were kept to a minimum. However, once again we noted that although the on-access component claimed to have blocked access to items, this was not the experience of our opener tool, and often the pop-ups and log entries would take some time to appear after access was attempted and apparently succeeded, implying that the real-time component runs in something les
187. standard suite offering; the installer is around 120MB and, coupled with the same update package shared by its stable mates, it runs through very rapidly, the whole job being over in less than half a minute with no restart needed. The GUI eschews the company's traditional deep greens, opting instead for a pale minty turquoise, and has a somewhat simpler and clearer layout, although it sticks to the practice of blending buttons and links in places. Again, an enormous amount of fine-tuning is provided under the hood, with the controls generally easy to find and use, and the overall experience felt nimbler and more responsive than the previous offering. Scanning speeds closely mirrored those of the rest of the range, while on-access lags were a little heavier; RAM usage was on the low side and CPU use a little high, with impact on the set of activities quite high too. Detection rates were very similar to the previous product, with superb scores in all sets. A clear run through the core certification sets earns PURE a VB100 award on its first attempt.
Keniu Antivirus 1.0
Program version 1.0.5.1142, virus definition version 2011.02.23.1008
ItW 100.00%, Polymorphic 100.00%, ItW (o/a) 99.83%, Trojans 93.57%, Worms & bots 99.45%, False positives 0
Keniu has been a regular participant in the last few tests, having first entered in the summer of last year. The company has recently formed an alliance with fellow
188. steal any incoming SMS messages (ADD SENDER ALL) and let incoming calls go through (BLOCK OFF). The administrator's phone number is 44778148xxxx.
For the ADD SENDER, REM SENDER and SET SENDER commands, the trojan also updates the contact and phone number tables with the phone numbers specified in the rest of the command. For example, ADD SENDER 1234567890 creates a new row in the contact table for index 2 (see Table 1). In the phone number table a new row is added too, and index 2 is mapped to phone number 1234567890 (see Table 2). The other columns are not used in Zitmo.
1.4 SMS actions
In the end, there are only three different outcomes for an SMS received by the trojan: release the SMS to the victim's inbox, divert it to the administrator's phone number, or just drop it. This is how the trojan does it.
Releasing the SMS actually consists of creating a new SMS message in the phone's inbox. To do this, the trojan first switches to the inbox entry (SwitchCurrentEntryL), specifying the inbox (KMsvGlobalInboxIndexEntryIdValue, see Figure 6). In Symbian, each entry (CMsvEntry object) consists of generic information (e.g. subject, date) held in a TMsvEntry object, and message-type-specific data (e.g. headers, body) in a CMsvStore object [6]. So the trojan first copies the generic information to the entry and then marks the change (CMsvEntry::ChangeL). Then it copies the SMS headers and body to the entry's store. It must make sure th
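The command set and the three SMS outcomes described here, together with the lower-case "set admin" takeover used in the debugging section earlier, as one added model that is not Zitmo's code and was not derived from its binary: the command names, the contact and phone number tables, the index-2 behaviour of ADD SENDER and the drop/divert/release outcomes follow the article; which messages are diverted rather than released, what SET SENDER does to the tables, that row 1 holds the administrator, and the administrator number itself (a documentation number, since the article redacts it) are assumptions made for this example.

```python
import re

ADMIN_NUMBER = "+447700900001"   # constructed; the article's number is redacted


class ZitmoModel:
    """Model of the command dispatch and SMS outcomes described in the text.
    Assumptions: row 1 of both tables is the administrator; SMS from any
    monitored number (or from anyone after ADD SENDER ALL) is diverted; a
    command from the administrator is consumed, i.e. dropped."""

    def __init__(self, admin=ADMIN_NUMBER):
        self.admin = admin
        self.contacts = {1: "admin"}   # contact table: index -> label
        self.numbers = {1: admin}      # phone number table: index -> number
        self.monitor_all = False       # ADD SENDER ALL / REM SENDER ALL
        self.block_calls = False       # BLOCK ON / BLOCK OFF
        self.inbox, self.diverted, self.dropped = [], [], []

    def _index_of(self, number):
        return next((i for i, n in self.numbers.items() if n == number), None)

    def _add_sender(self, number):
        if self._index_of(number) is None:
            idx = max(self.numbers) + 1          # ADD SENDER 1234567890 -> index 2
            self.contacts[idx] = f"sender{idx}"
            self.numbers[idx] = number

    def handle_command(self, text):
        """Execute a recognised command; return False if text is not one."""
        # The article notes that 'set admin' only works in lower case (a bug
        # in the trojan), so this match is deliberately case-sensitive.
        if m := re.fullmatch(r"set admin (\+?\d+)", text):
            self.admin = self.numbers[1] = m.group(1)
            return True
        if m := re.fullmatch(r"(ADD|REM|SET) SENDER (ALL|\+?\d+)", text):
            op, target = m.groups()
            if target == "ALL":
                self.monitor_all = op == "ADD"
            elif op == "ADD":
                self._add_sender(target)
            elif op == "REM":
                if (idx := self._index_of(target)) not in (None, 1):
                    del self.contacts[idx], self.numbers[idx]
            else:  # SET: assumed to replace the monitored list with one number
                for idx in [i for i in self.numbers if i != 1]:
                    del self.contacts[idx], self.numbers[idx]
                self._add_sender(target)
            return True
        if m := re.fullmatch(r"BLOCK (ON|OFF)", text):
            self.block_calls = m.group(1) == "ON"
            return True
        return False

    def on_sms(self, sender, text):
        """Return the outcome for one incoming SMS: drop, divert or release."""
        if sender == self.admin and self.handle_command(text):
            self.dropped.append((sender, text))       # commands never reach the victim
            return "drop"
        if self.monitor_all or self._index_of(sender) not in (None, 1):
            self.diverted.append((self.admin, sender, text))  # forwarded to the admin
            return "divert"
        self.inbox.append((sender, text))             # recreated in the phone's inbox
        return "release"


if __name__ == "__main__":
    z = ZitmoModel()
    z.on_sms(ADMIN_NUMBER, "ADD SENDER ALL")
    print(z.on_sms("+441632960123", "Your mTAN is 123456"), z.diverted)
```

The takeover the analysts used falls out of the model directly: a lower-case "set admin" from the current administrator rewrites row 1, after which the analysts' own phone receives every diverted SMS and can issue the remaining commands.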
189. system. With the test machines ready good and early, test sets were compiled as early as possible too. The WildList set was synchronized with the January 2011 issue of the WildList, released a few days before the test set deadline of 16 February. This meant a few new additions to the core certification set, the bulk of which were simple autorun worms and the like. Most interesting to us were a pair of new W32/Virut strains, which promised to tax the products, and as usual our automated replication system churned out several thousand confirmed working samples to add into the mix.
The deadline for product submission was 23 February, and as usual our RAP sets were built around that date, with three sets compiled from samples first seen in each of the three weeks before that date and a fourth set from samples seen in the week that followed. We also put together entirely new sets of trojans, worms and bots, all gathered in the period between the closing of the test sets for the last comparative and the start of this month's RAP period. In total, after verification and classification to exclude less prevalent items, we included around 40,000 samples in the trojans set, 20,000 in the set of worms and bots, and a weekly average of 20,000 in the RAP sets. The clean set saw a fairly substantial expansion, focusing on the sort of software most commonly used on home desktops. Music and video players, games and entertainment utilitie
190. t one point while scanning the main clean set the scanner, and indeed the whole system, froze once again and a push of the reset button was required, but even with this interruption and the re-run it necessitated, the complete set of tests was finished within the allotted 24 hours.
Scanning speeds were fairly slow to start off with, but sped up hugely on repeat runs. On-access overheads were light in some areas but heavy in others, notably our sets of media and documents and miscellaneous file types. Here no sign of smart caching was evident, which is odd given that it would be most useful in this mode. We could find no way of persuading the product to scan more than a defined list of extensions on access. Use of system resources was fairly high in all areas, and our suite of standard activities was quite heavily impacted, taking noticeably longer than usual to complete.
Detection results showed very good scores in most areas, with some excellent figures in the first half of the RAP sets, dropping off notably in the later two weeks. No problems cropped up either in the WildList set or, other than the one-off system freeze, in the clean sets, and PC Tools earns another VB100 award. The vendor's two-year history shows entries in all desktop tests, with five passes and a single fail from six entries; all three entries in the last six tests have resulted in passes.
PC Tools Spyware Doctor with AntiVirus 8.0.0.62
191. te rates include a licence for intranet publication. See http://www.virusbtn.com/virusbulletin/subscriptions/ for subscription terms and conditions. Editorial enquiries, subscription enquiries, orders and payments: Virus Bulletin Ltd, The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire OX14 3YP, England. Tel: +44 (0)1235 555139. Fax: +44 (0)1865 543153. Email: editorial@virusbtn.com. Web: http://www.virusbtn.com/. No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. This publication has been registered with the Copyright Clearance Centre Ltd. Consent is given for copying of articles for personal or internal use, or for personal use of specific clients. The consent is given on the condition that the copier pays through the Centre the per-copy fee stated below. VIRUS BULLETIN © 2011 Virus Bulletin Ltd, The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire OX14 3YP, England. Tel: +44 (0)1235 555139. 2010/$0.00+2.50. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form without the prior written permission of the publishers.
192. tection rates were highly impressive, showing a continuation of the gradual upward trend noted in recent tests. This appears for the most part to be due to the enabling of ever stronger heuristics, which used to be mainly switched off by default. Of course, increasing heuristics always comes with its associated risks, and this month it looks like things have been taken a fraction too far: a single item in the clean sets, from Canadian software house Corel, was flagged as a Krap trojan. This false alarm denies Fortinet a VB100 award this month, despite a good showing and flawless coverage of the WildList set. The vendor's two-year record shows seven passes and now three fails, with only the Linux comparatives not entered; the last six tests show a slightly rosier picture, with only one fail and four passes from five entries.

Frisk F-PROT Antivirus for Windows 6.0.9.5
Scanning engine version number 4.6.2, virus signature file from 22.02.2011 14:06
ItW 100.00%; Polymorphic 100.00%; ItW (o/a) 100.00%; Trojans 75.14%; Worms & bots 90.77%; False positives 0; RAP 74.9%

Frisk is a pretty long-serving company: its first VB100 appearance was in 1999 and it hasn't missed a comparative since 2007. The product hasn't seen any major changes since then either, sticking to its tried and trusted formula. The installer is a compact 30MB, with an extra 30MB zip file containing the latest updates. The set-up
193. the product has had two passes and two fails, with two tests skipped.

Kingsoft Internet Security 2011 Standard-B
Program version 2008.11.6.63, engine version 2009.02.05.15, data stream 2007.03.29.18, virus definitions 2011.02.23.08
ItW 100.00%; Polymorphic 96.04%; ItW (o/a) 100.00%; Trojans 8.46%; Worms & bots 35.66%; False positives 0; RAP 17.9%

There's not much more to say about the third entry from Kingsoft, with very little to distinguish it from the other two in terms of user experience; the install process and interface are identical to the other two. Even the fine detail of the version information is unchanged. Scanning speeds were a little slower and lag times a little higher in some cases, with more RAM consumed than either of the others but fewer CPU cycles, while the impact on our activity suite was much the same. Detection rates were fairly abysmal, a fraction lower than the other Standard edition, but the core certification requirements were met and a VB100 award is earned.

Lavasoft Ad-Aware Total Security
Anti-virus version 21.1.0.28
ItW 100.00%; Polymorphic 100.00%; ItW (o/a) 100.00%; Trojans 97.60%; Worms & bots 99.71%; False positives 0; RAP 97.0%

Lavasoft first entered our comparatives in 2010 and has submitted both its standard
194. ther solutions based on the same engine in recent tests. The installer was a lightweight 47MB, but online updates were also required on the deadline date. The install process was fast and simple, taking less than 30 seconds to complete and not demanding a reboot at the end. However, on opening the GUI, the bulk of the controls were greyed out and it was clear that no scanning or protection was available. It may be that it simply needed some time to

[Table residue: 'Performance measures (contd.)', with columns Standard file activities (time increase), Idle system CPU usage increase, Busy system CPU usage increase and Busy system usage increase, for K7 Total Security, Keniu Antivirus, Keyguard Antivirus, Lavasoft Ad-Aware TS, Logic Ocean GProtect, Microsoft Forefront, Norman Security Suite, Optenet Security Suite, PC Booster AV Booster, Preventon Antivirus, Qihoo 360 Antivirus, Quick Heal Total Security, Returnil System Safe, Sophos Endpoint Security, GFI/Sunbelt VIPRE, Trustport Antivirus 2011, SPAMfighter VIRUSfighter and UnThreat Antivirus Pro; the figures are not recoverable from the scan.]
195. thing of invariably impressive detection levels. The vendor's dual-engine approach also manages to avoid the excessive sluggishness which is so often associated with this kind of product. The latest version came as a not-too-huge 189MB installer including all the required data, and took only a few straightforward steps to get set up, although a reboot is required. The interface is simple but efficient, concealing a wealth of control beneath its pared-down exterior, and is a delight to operate. At one point we experienced something of an oddity during our performance tests, but this seemed to be something to do with the automation scripts, or possibly some behavioural monitor not liking what they were doing, and the product itself remained stable and solid. All jobs were out of the way within a single working day, well within the allotted 24 hours. This was partly thanks to the excellent use of results caching to avoid repeating work, which made for some good speed measures. On-access lags looked higher than some in our graph, thanks to very thorough checks with scanning depth and breadth turned up high. Resource use was pleasingly low, with our standard jobs running through in reasonable time.

[Table residue: 'Reactive And Proactive (RAP) detection scores', with columns for the three Reactive weeks, the Reactive average, the Proactive week and the Overall average; the first row, Agnitum Outpost, reads 91.40, 93.24, 87.51 for the reactive weeks, 90.72 reactive average and 88.81 overall; the Antiy Ghostbusters row and the remaining figures are not recoverable from the scan.]
196. things to general windowing behaviour too, and we observed log data being thrown away a few times despite having deliberately turned the limits to the rather small maximum possible. We had no major problems though, and testing took not too much more than the assigned 24 hours. Scanning speeds were a little on the slow side, particularly over archives, thanks to very thorough default settings, and on-access lag times were fairly heavy too. Although resource usage looked pretty good, we saw quite some impact on our set of standard activities. This heaviness was more than counterbalanced by the detection rates though, which barely dropped below 99% in most areas, with even the proactive week of the RAP sets showing a truly superb score. The WildList was brushed aside and, perhaps most importantly, the clean set was handled admirably, easily earning Trustport another VB100 award. The company's recent test record is excellent, with nine passes in the last dozen tests (the other three not entered); the last year shows four passes from four entries.

UnThreat Antivirus Professional 3.0.17
DB version 8516
ItW 100.00%; Polymorphic 99.79%; ItW (o/a) 100.00%; Trojans 97.99%; Worms & bots 99.67%; False positives 0; RAP 94.6%

Yet another new name and another last-minute arrival on the test bench, UnThreat is based on the VIPRE engine, which gave us
197. this month. The Spyware Doctor line has an identical record to the suite, with six entries in the last dozen tests, the last five of them passes.

Preventon Antivirus 4.3.48
Definitions version 13.6.215
ItW 100.00%; Polymorphic 100.00%; ItW (o/a) 100.00%; Trojans 86.49%; Worms & bots 95.91%; False positives 0; RAP 85.2%

The daddy of them all, Preventon's own product has been entering our tests since late 2009, with a record of strong performances occasionally upset by minor technicalities. The install and user experience is much like the rest of the range, with the installer a fraction larger at 69MB but the process unchanged, completing quickly with no reboot but needing a connection to the web to apply a licence and to access full configuration. The GUI remained stable and usable throughout our tests, with its simple set of options allowing us to progress rapidly through them, completing within 24 hours as usual. Speeds were unsurprisingly fairly similar to the rest of the group, perhaps a fraction slower, but no more than can be attributed to rounding errors and so on. Performance measures showed the expected light use of resources and a nice low impact on our suite of tasks. Detection rates were fairly steady across the sets and there were no issues in the clean or WildList sets, thus Preventon earns another VB100 award. Having entered five of the last nine tests, Preventon now has three pa
198. underground to present and debate the latest security threats and disclose and scrutinize vulnerabilities. For more details see http://www.takedowncon.com/.

The 2nd VB 'Securing Your Organization in the Age of Cybercrime' Seminar takes place 24 May 2011 in Milton Keynes, UK. Held in association with the MCT Faculty of The Open University, the seminar gives IT professionals an opportunity to learn from and interact with security experts at the top of their field and take away invaluable advice and information on the latest threats, strategies and solutions for protecting their organizations. For details see http://www.virusbtn.com/seminar/.

CONFidence 2011 takes place 24-25 May 2011 in Krakow, Poland. Details can be found at http://confidence.org.pl/.

The 2011 National Information Security Conference will be held 8-10 June 2011 in St Andrews, Scotland. Registration for the event is by qualification only; applications can be made at http://www.nisc.org.uk/.

The 23rd Annual FIRST Conference takes place 12-17 June 2011 in Vienna, Austria. The conference promotes worldwide coordination and cooperation among Computer Security Incident Response Teams. For more details see http://conference.first.org/.

SOURCE Seattle 2011 will be held 16-17 June 2011 in Seattle, WA, USA. For more details see http://www.sourceconference.com/.

Black Hat USA takes place 30 July to 4 August 2011 in Las Vegas, NV, USA. DEFCON 19 follows the Black Hat event
199. unusable and we had to resort to reinstalling on a fresh machine image. Eventually, by chopping jobs up into smaller chunks, we managed to get a full set of results, which showed some splendid figures. Coverage of core certification sets, however, was not so splendid, with a handful of items missed in the WildList set and some false alarms in the clean sets. These included one file flagged as the infamous Netsky worm and another as the nasty polymorphic Virut; both were in fact innocent PDF-handling software. This was plenty to deny EmsiSoft a VB100 award this month, leaving it on a 50:50 record of two passes and two fails in the last six tests.

eScan Internet Security Suite 11.0.1139.924
ItW 100.00%; Polymorphic 100.00%; ItW (o/a) 100.00%; Trojans 97.06%; Worms & bots 99.70%; False positives 0; RAP 96.3%

The eScan product range has a long and solid history in our comparatives, dating back to 2003 and covering a wide selection of platforms. Not long after dropping an OEM engine from the product, it has put in some excellent performances of late. The current version of the premium suite solution came as a 156MB installer, no further updates required, and installed in three or four clicks with no reboot needed. After the main install came some standard initial set-up stages and things were soon moving along. The product interface is a rather funky affair, with a panel of glitzy cartoon
200. ur performance drain tests too much, the on-demand scan threw a heavy and ugly spanner in the works. Having been a popular product with the test team for several years, the developers have flung themselves firmly into our bad books by leaping headfirst onto the bandwagon of storing detection data in memory rather than writing it to a proper log file incrementally; this meant yet more agonizing waiting, watching RAM consumption steadily rise, with no certainty that results would be safe until all was complete. The full job did in fact run without incident, but took just over 56 hours, considerably more than the five or six we would have expected of this product in its previous iterations. Having survived this trial, results were decent, with good scores in general and a stronger than usual showing in the RAP sets. The WildList and clean sets caused no problems, and a VB100 award is granted despite our grumblings. Since reappearing on our radar just over a year ago, Central Command has achieved an excellent record of seven passes in the last seven tests.

[Chart residue: 'File access lag time (contd.)', lag time in s/GB with a scale up to 300; the figures are not recoverable from the scan.]

Check Point ZoneAlarm Security Suite 9.3.037.000
Anti-virus engine version 8.0.2.48, anti-virus signature DAT file version 1045962880
ItW 100.00%; Polymorphic 100.00%; ItW (o/a) 100.00%; Trojans 92.68%; Worms & b
201. us cosmetic and technical improvements, with its version 5 released not long ago and heartily praised in these pages (see VB, January 2010, p.17). Version 6 popped out rather unexpectedly, and we were intrigued to see what further strides had been made. The 62MB install package, provided with all updates included, looked fairly similar to previous submissions, involving only a few steps, one of which is an offer to install the Google Chrome browser. A brief scan is also included as part of the set-up, but the whole thing is still complete in under half a minute. No reboot is required, although the application sandboxing system, which seems to be the main addition in this new version, does require a restart to become fully functional. The interface remains much as before, the colours looking perhaps a little less bold and impressive, but the layout is generally sensible and easy to operate. The new sandbox caused a few problems in our speed tests, as prompts regarding innocent packages with potentially suspect capabilities interrupted measures. Eventually the settings were tweaked to automatically apply the sandbox rather than prompting all the time. However, we had a few further issues using this setting, with the machine becoming unresponsive a few times and needing to be reimaged to a clean operating system to enable us to continue with tests, all this before even engaging in any malware t
202. us scan engine 5.2.0, virus database 13.6.217
ItW 100.00%; Polymorphic 100.00%; ItW (o/a) 100.00%; Trojans 88.90%; Worms & bots 96.33%; False positives 0; RAP 89.1%

Another new name but not such a new face, Sofscan was another last-minute arrival, with its product closely modelled on some others taking part this month and the test's most popular detection engine once again driving things. The installer package measured 66MB, with an extra 62MB zip file containing the latest updates. The set-up process featured all the usual steps, including, as we have observed with a few others this month, the option to join a community feedback system and provide data on detection incidents. This was disguised as the accept box for a EULA and was pre-selected by default. It doesn't take long to get set up and no reboot is needed to complete. The interface is a familiar design dating back many years now, and showing its age slightly in a rather awkward and fiddly design in some areas, but providing a decent level of controls once its oddities have been worked out. Operation seemed a little wobbly at times, with some tests throwing up large numbers of error messages from Windows warning of delayed write fails and other nasties. We also experienced problems with logging to memory rather than disk once again, with our large tests slowing to a crawl and taking days to get through. Worried by t
203. vention always uses a colon to separate the names of the primary file and the alternate data stream: <primary file name>:<alternate data stream name>. For example: calc.exe:STR. Only two APIs are needed to create an alternate data stream: CreateFileA and WriteFile. After infecting all .exe files in the current folder, StreamC will display a message box (see Figure 1).

Figure 1: Message box displayed by StreamC.

Proof of companionship

StreamC can be categorized as a companion virus. In the old DOS days, companion viruses created a copy of the malware using a similar name to the existing executable file. For example, calc.com would be created as a companion virus for calc.exe, since .com files are executed before .exe files in the DOS environment. This is done simply by making a copy of the virus with a .com extension. But StreamC does not create a .com version of itself; instead, it uses ADS technology to hide the original .exe file. StreamC is disguised as the original legitimate application.

[Figure residue: disassembly listing captioned 'Executing the original calc.exe', showing calls to kernel32.OpenEventA and kernel32.GlobalFindAtomA; the listing itself is not recoverable from the scan.]

When the infected calc.exe is executed, StreamC's infection routine is performed first, after which the original executable file will be run as a process. This is d
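A defender-side check for the <primary file name>:<alternate data stream name> convention described above, added here as an example; it is not code from the Virus Bulletin article or from StreamC. It enumerates every NTFS alternate data stream attached to the executables under a folder and flags any stream that begins with an MZ header, which is the case worth a closer look. It assumes Windows PowerShell 3.0 or later (the release that added the -Stream parameter to the item cmdlets) on an NTFS volume; the folder path in the usage comment is a placeholder.

```powershell
# Added example (not from the Virus Bulletin article or from StreamC):
# list NTFS alternate data streams on executables, i.e. the
# <primary file name>:<stream name> hiding place the article describes,
# so a hidden stream can be triaged before anything executes it.
# Assumes Windows PowerShell 3.0+ on NTFS; $Folder is caller-supplied.

function Test-StreamIsPE {
    # Returns $true when the named stream starts with the 'MZ' executable header.
    param([string]$Path, [string]$Stream)
    $name = $Stream -replace ':\$DATA$', ''        # Get-Content wants the bare stream name
    # -Encoding Byte is the Windows PowerShell syntax; PowerShell 7 uses -AsByteStream instead.
    $magic = Get-Content -LiteralPath $Path -Stream $name -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
    return ($magic.Count -eq 2 -and $magic[0] -eq 0x4D -and $magic[1] -eq 0x5A)
}

function Get-ExecutableStreams {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [string[]]$Include = @('*.exe', '*.dll', '*.com'),
        # Zone.Identifier is the browser's mark-of-the-web and is expected on downloaded files;
        # it is hidden unless asked for, so the output shows only unexpected streams.
        [switch]$ShowZoneIdentifier
    )
    Get-ChildItem -LiteralPath $Folder -File -Recurse -Include $Include -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * lists every stream of the file; the unnamed default stream is ':$DATA'.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $ShowZoneIdentifier -or $_.Stream -notlike 'Zone.Identifier*' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File        = $_.FileName
                        Stream      = $_.Stream
                        Bytes       = $_.Length
                        LooksLikePE = Test-StreamIsPE -Path $_.FileName -Stream $_.Stream
                    }
                }
        }
}

# Usage (placeholder path): report unexpected streams, then, after triage,
# detach a specific one by name rather than deleting the host file.
#   Get-ExecutableStreams -Folder 'C:\Users\Public\Downloads' | Format-Table -AutoSize
#   Remove-Item -LiteralPath 'C:\Users\Public\Downloads\calc.exe' -Stream 'STR'
```

Two caveats when reading the output: streams only exist on NTFS, so a file copied to FAT or to a non-NTFS network share silently loses them, and a legitimate Zone.Identifier stream on every download is normal, which is why the function hides it by default. A stream that reports LooksLikePE as $true on an executable is the pattern the article describes and should be submitted to a scanner or examined in a hex dump before the host file is run again.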
204. ving immensely in the warm runs. Memory usage was also low, with CPU use a little higher than most, and in the activity test a fairly high impact was observed on the time taken to complete the task. Detection rates, when finally analysed after the very slow process of exporting log files, proved to be excellent, with only a very slight decline across the RAP sets. The WildList and clean sets were handled expertly, comfortably earning Kaspersky a VB100 award for its business solution. The product's recent record is pretty solid, with nine passes and two misses in the last two years, with just the one test not entered. The last six tests show five passes.

Kaspersky Internet Security 2011
Version 11.0.2.5556 (a)
ItW 100.00%; Polymorphic 100.00%; ItW (o/a) 100.00%; Trojans 90.73%; Worms & bots 97.52%; False positives 0; RAP 94.6%

Kaspersky's consumer suite solution will be a familiar sight to anyone who frequents retail software, with its metallic green packaging. It has been a semi-regular participant in our comparatives for a couple of years now, usually appearing alongside the business variant already discussed here. The installer is somewhat smaller at 115MB, and the set-up process is considerably simpler, with only a few standard steps, a few seconds' processing and no reboot to complete. The interface looks much like the business version and the usage exper
205. y Zitmo. The other columns probably refer to the name descriptions. As for most Symbian OS 9 executables, NokiaUpdate.exe must first be uncompressed before searching for strings.

Table 1: Example of contact table. Columns: contact id (32-bit int), index (32-bit integer), name (16-bit Unicode), descr (16-bit Unicode).

Table 2: Example of phone number table. Columns: contact id (32-bit int), phone number (16-bit Unicode, e.g. 1234567890).

[Table 3: Example of history table. Columns: event, pnid, date, type, description, contact info, contact id; the column types are not recoverable from the scan.]

of the contacts and their indexes in the phone's address book, if listed there. The phone number table sets the relationship between contact indexes and their phone numbers; the contact id column corresponds to the index column of the contact table. Finally, the history table stores events related to those contacts, such as incoming calls.

1.2 Listening to incoming SMS messages

Once the initial set-up is complete, the trojan listens for incoming SMS messages. To do so, it uses the technique described in [2], i.e. it opens and binds a socket to the SMS channel. The Symbian APIs provide several ways to open SMS sockets, such as receiving anything (ESmsAddrRecvAny), receiving messages that start with a special prefix (ESmsAddrMatchText), or using a special port (ESmsAddrApplication8BitPort) to receive messages. Since opening an S
206. ymorphic 100.00%; ItW (o/a) 100.00%; Trojans 88.57%; Worms & bots 96.89%; False positives 0; RAP 88.8%

Agnitum kicks off this month's comparative in its usual solid style. This is the full Pro version of the suite solution, which has recently been joined by a slightly pared-down free edition, still offering a good range of protection layers. The installer came as a 94MB executable with the latest updates thoughtfully built in, and the set-up process followed the usual steps of language selection, EULA and so on; it took a couple of minutes to get through and a reboot was needed to complete. The GUI hasn't changed much for a while, remaining clear and simple with not much in the way of fancy frills to get in the way of things. The product includes a comprehensive set of firewall, HIPS, web filtering and anti-spam components. Configuration is not hugely in-depth, for the anti-malware component at least, but a good basic set of controls is provided. Testing ran smoothly, unhindered by unexpected behaviour or difficulties operating the solution. We were once again impressed by some judicious use of result caching to ensure items that had already been checked were not processed again, and this efficiency helped us keep the overall test time to well within the expected bounds (when planning our testing schedule we roughly allocate 24 hours to each product for full testing
