In general, the statistics we are seeing in through our online scanner logs are consistent with our observation from last September.  We are seeing an average of 3 different malware families per infected computers.  This means that on average, when a computer is infected, we find three different malware families installed ont it.  An interesting point is that this average seems to be slowly but steadily going down each month.  This might indicate that malware operators are consolidating their operations.  There might starting to perform more actions with one program instead of installing different malware after an intrusion.

The average of different malware families per infected hosts in the United States is close to the global average.  On the other hand, this number reaches 4.5 in China where it has one of the highest value.  This indicates that malware operations are not conducted the same way around the world.  We usually see less bank information stealers in Asia but more online game password stealers.  Online game password stealers are usually installed by other malware families and don’t propagate by themselves, explaining why we see an higher average in China than in the United States.
 
On a daily basis, ESET is collecting more than 200 000 new and unique binary malicious files, this number is higher than the statistics published last year.  This means that by the time you are finished reading this blog post, at least 70 unique pieces of malware will be produced!

Pierre-Marc Bureau
Sr. Malware Researcher

When testing the product’s detection, namely its ability to protect against threats, flawed methodology was used. As an example, we can pull a quote:

“Every file has been positively identified as dangerous by at least four packages, so a good suite should detect most of them.”

This seems ok, right? But wait: there was no direct validation as to whether the samples constitute actual malware or not, i.e. whether they were validated as malicious or innocent.

There are at least two false assumptions here. The first is that you can validate samples accurately, simply by running them past one or more scanners and seeing if they detect them. Well, Mr. Graham-Smith is correct in thinking that he reduces the risk of false positives by requiring at least four scanners to identify each sample as malicious. However, he doesn’t eliminate it. It’s by no means unknown for an incorrect detection to be cascaded from one vendor to others if those vendors don’t re-validate them. As more vendors move towards an “In the Cloud” model of detection by reputation, driven by the need to accelerate processing speed, it’s easy for a false positive to spread, at least in the short term. At least some of the files identified could have gotten into the testing sample from a database provided by one or more of the vendors and was subsequently falsely detected by the heuristics as a virus.

However, there’s an even greater problem.

When a detection test uses default installation and configuration options, as was done in this test, it’s particularly important that samples are not only correctly identified, but also correctly classified. This is because all scanners do not treat all classifications of malware in the same way. While all scanners take similar approaches to out-and-out malicious programs such as worms and viruses, bots, banking Trojans and so on, there are other types of application, such as some examples of adware, that can’t be described as unequivocally malicious.

Similarly, some legitimate programs may use utilities such as packers and obfuscators, and it’s not appropriate to assume that all anti-malware products treat such programs in the same way. Some assume that all such programs are malicious, but others discriminate on the basis of the code that’s present, not just on the presence of a packer. These “grey” applications and ambiguous cases may be classified as “Possibly Unwanted”, “Potentially Unsafe”, or even “Suspicious”.

Unlike many professional testing organizations, PC Pro does not consult with vendors about such issues as configuration before a test, and it does not give “missed” samples from its tests to the publishers of the products it tests. However, and to his credit, Darien Graham-Smith quickly responded to a request for further information with a list of file hash values for the samples he says we missed (18 out of 233), and in all cases but one, the detection name given to it by one of our competitors. (A file hash such as an MD5 uses a cryptographic function to compute a value for a file that is unique to that least in principle. In fact, it is possible – though very rare – for two files to have the same hash value – we call this a hash collision.) This enabled us to check our own collection for files corresponding to the sample set used by PC Pro.

When checking samples that the magazine claims we missed, we found some anomalies in the samples set. The random nature of the sample selection (including such oddities as a Symbian Trojan, an anomalous file version of a 1989 boot sector virus, packer detections, a damaged sample detection, and a commercial keylogger) gives serious cause for concern. We even found samples detected by some of our competitors by names like “not-a-virus: RemoteAdmin.PoisonIvy”. With fuzzy classifications like these, it’s unsurprising that many of these cases are not detected by default by all scanners. But where such samples are used, as was the case here, the accuracy of the test is compromised, since it introduces a bias in favour of products that don’t discriminate between possibly malicious and unequivocally malicious applications.

The Anti-Malware Testing Standards Organization (AMTSO – http://www.amtso.org) was established in May 2008 with the exact intention of reducing unprofessional testing, skewed methodologies and resultant flawed results. Its status is strictly that of an international non-profit association focused on addressing the universal need for improvement in the objectivity, quality and relevance of anti-malware testing. Principle 5 of the AMTSO document “Fundamental Principles of Testing” (http://www.amtso.org/amtso—download—amtso-fundamental-principles-of-testing.html) states:

Testers must take reasonable care to validate whether test samples or test cases have been accurately classified as malicious, innocent or invalid.

It has often been the case in the world of Antivirus testing that seemingly reliable testing results were, in fact, not valid, because the samples used in the tests were misclassified. For example, if a tester determines that a product has a high rate of false positives, that result could be inaccurate if some samples were wrongly classified as innocent. Thus, it is our position that reasonable care must be taken to properly categorize test samples or test cases, and we especially encourage testers to revalidate test samples or test cases that appear to have caused false negative or false positive results.

Similarly, care should be taken to identify samples that are corrupted, non-viable or that may only be malicious in certain environments and conditions.

Yet another question that arises with regard to PC Pro and its testing methodology is the small sample size of 233 used in the test, and how the files were obtained. As the PC Pro validation of the test samples did not meet professional standards, there is no way any authoritative conclusions can be drawn from this test, as far as the products’ detection is concerned.

The other detection testing method used by PC Pro was a dynamic test of web threats. The methodology of dynamic testing of infected websites is very problematic to say the least (http://www.amtso.org/amtso—download—amtso-best-practices-for-dynamic-testing.html). We borrow a PC Pro citation to illustrate this:

“For this month’s web-based test, we visited several hundred dodgy-looking websites. We identified 54 of them as potentially malicious, because those pages caused at least one security product to throw up an alert.”

This is problematical, in that it suggests an immediate bias in that the validity of single product alerts is assumed without question.

It also has to be said that the web changes constantly, which means that web-hosted threats also change. So a question arises: Has the tester used 15 parallel computers to test all PCs and solutions against a single site, serving the same malware, at exactly the same moment? Only if this principle was upheld can consistent results be ensured for each tested product.

The method used here seems very questionable: malware loaded on the web may change at very short intervals and so may be different with every time it’s accessed. Moreover, the tester has failed to validate the websites as really malicious. And yet he goes ahead and draws conclusions regarding the performance of these tested products based on these questionable parameters. In the methodology used, the author fails to identify which web sites are dangerous, harmless, or even offline.

We will shortly address problems in the test's methodology as regards product performance other than raw detection testing in another blog. We have also asked Pierre-Marc Bureau and David Harley for more information on their expert analyses of the sample set used.

Ján Vrabec
Security Technology Analyst, ESET

http://www.eset.com/threat-center/blog/2010/01/09/today-we-have-naming-of-err-malware-1
http://avien.net/blog/?p=121

The estimable Kurt Wismer has taken me to task – well, Tom Kelchner and Mary Landesman too – for approaching the issue from the wrong angle. (See http://anti-virus-rants.blogspot.com/2010/01/whats-in-malware-name.html.)

Well, I guess I agree with him more than I disagree. Kurt says:

"what i have in mind is something not unlike the now defunct common malware enumeration with the exception of using names instead of numbers – a post hoc harmonized second name (a common name or layman's name) for those few pieces of malware that the industry feels they need to communicate to the masses about."

And he's right: we don't really need multiple spellings and synonyms for a common name (the so-called Stormworm, Conficker, whatever): the industry should at least be more scrupulous about cross-referencing names so that our audience knows when we're talking about the same thing by a different name. But there is a difficult: you can only be sure that we are talking about the same thing at a very generic level. You can't even assume that one company's W32/Nastymalware.A is the same as another company's Troj/Nastymalware.A because naming doesn't only derive from the code family, but from other factors - notably from the detection algorithm, which may reflect quite generic features such as the infection vector, or the type of botnet component it happens to be.

Kurt's analogy with the naming of bones is interesting and alluring, but I think it's misleading. The human skeleton is an aggregation of more-or-less finite components: you might even say the same of the rather more complex human genome: what we analyse in computer virus labs is a far more fluid target. In any case, it's rarely critical to the patient (let alone the former patient) to identify the exact bone(s) you managed to break at some point in your life. "I broke my ankle" or "it was a Potts fracture" is specific enough for most such conversations. Identifying the precise multimalleolar fracture is generally of use and interest to a small and specialized group. Not that I claim that the security industry is a very close analogue to the medical profession – well, in some instances there's a characteristic arrogance seen in both sectors! - but in this instance, there is a similarity between security researchers and medical researchers.

If you go to your doctor with symptoms suggesting an infection (probably a better analogy than a broken bone), he's most likely to prescribe generic measures such as bedrest and anti-pyretics. In the first instance, at least, any infection-specific chemotherapy he offers will probably be broad-spectrum. Only in a minority of cases is he going to initiate testing for exact identification of a strain or substrain. This isn't a perfect analogy to the way the anti-malware industry works either – for a start, we'd have to factor in a whole raft of alternative therapies – but it's closer than dem dry bones.

To revert back to a point made in the 2008 paper by Pierre-Marc and myself, detection is more generic than most people realize: that doesn't mean we can't do exact identification, only that we only expend that sort of effort on an individual sample when we need to. And to go back to one of Tom Kelchner's points, wouldn't you rather we did it that way, as opposed to analysing and classifying each of tens of thousands of daily samples?

The industry's real failure here less its inability to harmonize than its continuing inability to communicate why harmonization isn't (and shouldn't be) top priority. In the end, it's down to this: harmonization between object and name is easy enough in a one-to-many relationship, but the contemporary threat landscape is largely about many-to-many.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macviruscom.wordpress.com/

Randy Abrams
Director of Technical Education

Social Engineering attacks will continue to grow in prevalence. As operating systems and eventually applications become more secure, the easiest way to steal money from people or install malicious software will be to trick them. Part of this will be driven by adoption of Windows 7. Computers sold with Windows XP, with a few exceptions, such as newer netbooks, are beginning to age and will be replaced with PCs that have Windows 7. The increased security in Windows 7 means that tricking the user is far more viable than exploiting the OS for most criminals.

Third party applications will bear the brunt of vulnerability attacks. Security improvements in operating systems will continue to drive vulnerability research to applications like Safari, iTunes, Adobe Flash, Adobe Reader, many IM clients and other applications. Unfortunately, users are far less savvy about patching 3rd party applications than they are about patching the operating system

While the number of attacks against “jailbroken” iPhones is likely to increase, the number of infected or affected devices will likely decrease. The reason for a decrease is that in many cases the affected user incurs data charges and so they are motivated to do things like changing default passwords. Those who have flat rate data plans will be far more likely to continue to neglect security.

ISPs will increasingly implement technologies to identify users who are infected and take measures to block access to the internet until the user’s machines are cleaned up. It will probably be a few years before these ISPs are the norm, rather than the exception, but still the prevalence of such practices will increase.

Data breaches/losses will grow in scope as people put their data in the cloud. Cloud systems security is still fairly young. The aggregation of data will make many Cloud service providers attractive targets. We’ve already seen this as web hosting providers and credit card processing businesses have been targeted.

Pierre-Marc Bureau
Sr. Malware Researcher
 

1. Increase in rogue software or extortion software, probably some fake memory optimization tools, etc.
2. More specialization from malware gangs and exchange of service between them.  Some gangs will take care of the packing layer, others C&C communication, other stealing data, etc.
3. More malware targeting alternative operating systems like OS X and Linux as they increase their market shares.  This probably means more malware written in high level languages which can execute on various OSes like bash, perl, python, etc.

Aryeh Goretsky
Distinguished Researcher

Increased targeting of social networks, such as Facebook, LinkedIn, Twitter in the US, Orkut and Hi5 in South America, from both a social engineering standpoint and looking for cross-site scripting and wormable attacks on the web sites as well as their APIs.

Continued research into weaknesses in virtualization will lead to new attacks, but will remain largely impractical, e.g., attacker needs direct access to a server's hardware in order to perform the action.

Online games will continue to be targeted, as virtual assets such as an-game currencies or scare resources can be re-sold for real money, especially in Asia.

Increased research into attacks on gaming consoles, but with limited results due to the closed-wall nature of their Internet service.

Increased research into attacks on wireless networking (802.11n Wi-Fi, WiMAX, cellular broadband data connections) and SSL interception will make it more risky to conduct online shopping and banking over wireless connections (MITM attacks for credentials theft, etc.).

Patch management will continue to challenge IT departments.  Slight decrease in AUTORUN.INF-borne malware due to deployment of Windows 7.

David Harley
Director of Malware Intelligence
 

1. iPhone attacks will probably be a blip rather than an increasing trend, as based on a single high-visibility vulnerability. However, attacks (or at least probing for vulnerabilities) on smartphones in general are likely to increase as long as providers rely on a closed system model that encourages jailbreaking/rooting. The whitelisting model will probably get some attention eventually, even from Apple.
2. Data mining (legitimate and criminal) will have a wider and by no means automatically beneficial range of effects on individuals. The arch-example is Facebook's lack of commitment to a realistic security model, which counts more than its security centre advice. Essentially, it's encouraging its users to share as much information as possible while essentially making them responsible for the security of their own data. This isn't unique to FB, of course, or even to the Web 2.0 providers. But they're grooming us to accept that it's legitimate for an ever-wider pool of data to be used to monitor our behaviour, and makes it harder to distinguish between legit and criminal data mining.
3. Further to point 2, privacy tends to diminish where it's in the way of commercial rather than political interests. So, ironically enough, there will be particular and ongoing interest in data leakage where it affects public bodies, but selling on of information at the backdoor by more-or-less legal means will continue as it always has, though it's starting to attract some attention. This may be less true in Europe, where data protection and other directives -already- give some formal weight to the principle that organizations should only hold as much personal data as they -need-, rather than what they -want-.
4. Obviously, I'm in agreement with everyone else on the continuing importance of social engineering. The corollary to that, though, is that despite those who say that user education is ineffective, it remains an under-explored option for mitigating social engineering. It's unlikely that a psychological attack can be totally eliminated by technical means. On the other hand, it's always easy and resource-non-intensive to push responsibility back to the user and say "just be careful!" There are signs that user education in some areas is being taken more seriously, though: anti-phishing education, for instance.

They took a handful of scanners (including NOD32), installed them, then logged as
administrator and tried to disable them as fast as possible. It's nice to know that NOD32 turned out to be more resistant than most to tampering like this, whereas some products can be disabled by simply manipulating support files on disk. Frankly, though, if I were using the product that was disabled in two minutes rather than thirty-three, I probably wouldn't change products on the basis of this test. The sad fact is that if you have direct access to a machine with administrator rights, it's usually game over. Essentially, it's all about context.

As Pierre-Marc has suggested, this isn't a very effective measure of a product's effectiveness.

“Malware has to execute code to disable the AV. If a piece of malware is detected, it will never execute and thus the process of the antivirus is safe. Our proactive detection of is our best defense
against disabling of ESET’s program by malware.”

You might be reminded of the infamous “Race to Zero” contest at Defcon 16, which essentially told no-one anything new but generated much heated discussion among our readers (http://www.eset.com/threat-center/blog/?s=race+to+zero).

In fact, useful research often comes out of ESIEA, and at least this exercise was apparently carried out without using real malware (unless you have a very prejudiced view of the EICAR test file) or reverse engineering. As Aryeh Goretsky, ESET Distinguished Researcher, has suggested we look forward to receiving more details, in order to see whether we can make use of them to strengthen the product. He also suggests that given the reliance in this exercise on physical access to systems, it would be quicker and easier to boot from removable media to carry out such an attack in the real world, and that strong passwords and disk encryption could be used to mitigate the risk.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Well, I am in Switzerland, and very close to the French border, for the Virus Bulletin conference – perhaps the most eagerly anticipated event in the anti-malware researcher’s calendar. How sad is that?

I also thought you might like to further extend your French skills on an article here, about a presentation Pierre-Marc made at our offices in Bratislava: http://www.globalsecuritymag.fr/Voyage-au-coeur-du-Cyber-crime,20090918,12795.html.

I think that means "A voyage to the heart of cyber-crime", but my French is about forty years rusty. If you’re here (or will be when the conference proper starts tomorrow), come and say hello!

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

The messages generally look something like this (at least, all the samples I’ve seen have). The subject field takes the form:

Wire Transfer Info for <1stname> <2ndname>

The message looks like this:

For more details please download the invoice found on this link:
[http://]<domain></folders>/transfer.php?name=<1stname><2ndname>

The link goes to a domain in Italy somewhat appropriately named after a region historically associated with violin making, or a subdomain thereof. The fiddle in this case, of course, is that the link is to a Trojan Downloader, this being a very common payload for this family of malware, though some members have been seen to redirect web traffic or mess about with applications.

These messages may look familiar: the gang behind this malware family seems rather fond of social engineering around wire transfers, as a report going back to June from the Internet Storm Center indicates. That’s because in this case at least, quite a few of the targeted domains are financial institutions, and on that occasion the message was along the lines of:

Please check the wire statement attached and let me know if everything is correct.
I am waiting for your reply.

Detection of this wave of malware seems to be reasonable, in general. Here’s a VirusTotal report Pierre-Marc has sent me relating to one of the samples he’s seen (23 detections out of 41 products):

http://www.virustotal.com/analisis/57b19e0a576be2d0493a00893cbd35e0cb4c278af106e06d9c906ab7028ab73a-1249334843

The hit rate varies between samples, though: I’ve seen reports as low as 16 for some, but NOD32 hasn’t failed to detect any of the samples I’ve tried subsequently (half a dozen or so, so far). That doesn’t, of course, mean I can guarantee we have 100% detection!

The really encouraging thing about this issue has been the generous exchange of information between researchers on certain specialist lists. Because of the nature of those lists, it’s best if I don’t name names (apart from Pierre-Marc of course!), but you guys know who you are.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

When monitoring known sources of rogue antimalware, it’s common to find sites used for the active spread of malware. ESET Latin America have already reported in their blog a number of highly effective attacks, directed at the many users looking for free security products.

This weekend, they found a new platform used to spread malware: Slideshare.net. This website is very widely used for sharing presentations, but now it is being exploited by attackers, creating fake slide decks and using social engineering techniques to pass them off as having themes that will appeal to potential victims.

A case in point is a file they found to be passed off as a cracked download of ESET’s NOD32 scanner. The presentation includes a slide that has a single link, and adds in the SourceForge.Net logo  to give more credibility to the download. (Though you may wonder, as I did, since when has SourceForge been distributing cracked commercial software?!?)

If the user clicks on the link, he or she will be directed to a website that looks like SourceForge.Net, but is actually a spoofed site set up for malicious purposes. Subsequently, the window opens a file for download which has an .EXE extension.

In the case investigated by ESET Latin America, if the user downloads the file, it does not, of course, install any antivirus software. On the contrary, his system gets infected with a malware variant detected proactively by ESET NOD32 heuristics as Win32/Kryptik.YT. However, Pierre-Marc tells me that he’s subsequently been seeing files with a different filename downloaded from a URL suggesting a Chinese origin. This file is detected as Win32/TrojanDownloader.FakeAlert.ADB, which is used to download fake anti-virus software, and a sample submitted to VirusTotal indicated good antivirus detection (31/41). The problem, however, is that these attacks are not aimed at people who already have competent anti-malware, but at people who are looking for a (preferably free) solution, even if it’s pirated.

More than ever, you need to be careful in carrying out downloads from the Internet, as any platform may suddenly be found to be used or misused to propagate malicious code. Particularly in a case like this: it only makes sense to download security applications from their official websites: after all, if a site is prepared to offer pirated software, why would you assume that it has honest and benevolent intentions towards people who take up that offer? In fact, attackers are constantly seeking new platforms by which to propagate their threats, and they are not slow to seize the opportunity to misuse any new means of propagating malware. In fact, malware that passes itself off as antivirus is almost as old as antivirus.

The situation may be exacerbated by the fact that Powerpoint is generally regarded as a "safe" format, even though it can be misused in a number of ways to carry malicious code (macros, embedded files and so on). In this case, however, it’s not just  a question of whether the file is innocent: it’s also a matter of realizing that an uninfected document may carry a link to a dangerous site.

Sebastián Bortnik, Pierre-Marc Bureau, David Harley

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Even heuristics are not perfect, so it is important that users learn to make good decisions. When you receive an email purporting to be a greeting card, there are some precautions you should take. Legitimate greeting cards never download an executable file. Your egreeting should not prompt you to download a file. If you are prompted, then cancel and close your browser.

http://www1.yahoo.americangreetings.com/emailprotection/ has some tips for identifying real versus fake greeting cards. I recommend you read the tips there. Education is really your best defense, security software, as I have said before, it like a seatbelt. It can’t prevent all accidents and it can’t prevent all injury when there is an accident, but it’s still a good idea to have it. Good judgment can’t be replaced by software and the more you educate yourself, the better your judgment will be.

A valid greeting card will be sent to you personally and come from someone you know, not “a friend”, or “your sweetheart”, etc. If someone wants to send you an anonymous card, then either know how to read the URL that the link to the card is pointing to, or just delete it.

For this Valentine’s Day, if you get an ecard and are not sure if it is legit, feel free to send it to me at askeset@eset.com and I’ll let you know what the signs are that it is fake or valid.

Randy Abrams
Director of Technical Education