ESET Threat Blog

Archive for the 'ThreatSense' Category

Pre/Post Infection Detection


Monday, January 11th, 2010

I just noticed a blog on "Security vendor’s “top-threat” list proof for their less-than-perfect performance?" at http://hype-free.blogspot.com/2010/01/security-vendors-top-threat-list-proof.html. The essential point seems to be that periodic virus detection statistics (like our monthly ThreatSense reports) are likely to be based in part on infections spotted on a protected machine when a signature/update is released that wasn't available when the infective code was first run on that machine. He states further:

 I find the idea that marketing material put “out there” can backfire amusing :-) .

He's right, of course, that a subset of reports will be malware detected after infection (and I'm not in a position to estimate the size of that subset, even for ESET: source information is not usually fine-grained enough to distinguish between pre- and post-infection context).

However, I wouldn't regard it as a backfire when a product detects something post-infection on the protected system. Yes, it's a failure of a product's proactive capability, but such failures are to be expected on the slippery continuum between false negatives and false positives. It doesn't make the statistics less (or more) valid.

It's only funny if you think of such reports purely as marketing collateral. Personally, I think such statistics are of limited value (especially to those who don't really know the field well enough to interpret them properly, largely because of the naming issues that seem to keep cropping up in my blogs lately). If properly done, though, they do give people a better perception of what the current trends in malware are, and thus a better idea of how they can protect themselves. Besides, there's a difference between marketing and giving people something they keep asking for.  :)

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macviruscom.wordpress.com/

End of Year, End of Decade


Thursday, January 7th, 2010

As our December ThreatSense report (now available at http://www.eset.com/threat-center/threat_trends/Global_Threat_Trends_December_2009.pdf) was not only the last of the year but the last of the decade, it's rather longer and more detailed than usual, including a look back at the last 12 months. I suppose we could have gone back over the whole decade, but I have to sleep occasionally. ;-)

Inevitably, Win32/Conficker, INF/Autorun and gaming password stealers occupy the first three positions yet again. In fact, the most conspicuous feature of the December top ten is the preponderance of malware that exploits the Autorun vulnerability….err, facility. If you're using Windows 7, you'll probably have noticed that Autorun is disabled by default, and hopefully you'll leave it that way. ESET has published information on disabling Autorun in other versions of Windows at http://www.eset.com/threat-center/blog/2009/08/25/now-you-can-fix-autorun.

The most dramatic change to the top ten is the appearance of Win32/Spy.Ursnif.A. This label describes a spyware application that steals information from an infected PC and sends it to a remote location, creating a hidden user account in order to allow communication over Remote Desktop connections. More information about this malware is available at http://www.eset.eu/encyclopaedia/win32-spy-ursnif-a-trojanwin32-inject-kzl-spy-ursnif-gen-h-patch-zgm?lng=en.

As well as a lengthy retrospective section, there's a little crystal-ball gazing from the ESET teams in San Diego and Argentina concerning our thoughts on such major issues as social engineering, smartphone jailbreaking and rooting, the "walled garden" concept of blocking an ISP user's full access to the Internet when his or her system is compromised by malware, cloud computing, rogue software and extortion, misuse of social networks, the use and misuse of publicly available data, and so on.

Of course, for a more cynical view, you might want to look at this, if you haven't already: http://www.eset.com/threat-center/blog/2009/12/30/top-ten-trite-security-predictions

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

The out-of-control decade


Thursday, December 31st, 2009

We interrupt our – well, my – scheduled programming to bring to your attention an article in "The Register" that I think deserves your attention. I put up what was intended to be a brief pointer on the AVIEN blog (http://avien.net/blog/?p=253), but I found myself kind of warming to the subject, to the extent that I think it's worth covering the same ground here.

Rik Myslewski's article says (among many other things in a three-page article that particularly focuses on Apple and Google) that “Waiting in the wings are corporate entities eager to exploit your personal information, and government agencies watching your every step.”

To which I responded in the blog cited above that:

The issue of government monitoring spends a lot of time under the spotlight, of course, and so it should. (Craig Johnston and I considered some of the law-enforcement issues in an AVAR paper this year, but there’s much more to it than that, obviously.)

But I’m seriously concerned about the consequences of the increasing amount of personal data (good, bad, and purely mythical) available to anyone with a browser (or even a USB port). It’s an issue I’ve had occasion to think about several times recently, and I expect to return to it a lot more in the coming months.

I also cited some previous ESET blogs that made related points:

http://www.eset.com/threat-center/blog/2009/12/14/que-sera-sera-%e2%80%93-a-buffet-of-predications-for-2010

http://www.eset.com/threat-center/blog/2009/12/14/your-data-and-your-credit-card

http://www.eset.com/threat-center/blog/2009/12/12/the-internet-book-of-the-dead

http://www.eset.com/threat-center/blog/2009/06/09/data-protection-not-a-priority

I also used this quote from the ESET Global Threat Trends report for December, which will be available shortly.

“Criminals and legitimate businesses will mine data from a widening range of resources, exploiting interoperability between social networking providers. Sharing of data in the private sector will be an increasing threat until the need is accepted for more data protection regulation on similar lines to that seen in the public sector, especially in Europe.”

I wish I could believe that this issue is going to be resolved satisfactorily soon. :(

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

September’s Global Threat Report


Tuesday, October 6th, 2009

ESET released its Global Threat Report for the month of September, 2009, identifying the top ten threats seen during the month by ESET’s ThreatSense.Net™ cloud.  You can view the report here and, as always, the complete collection is available here in the Threat Trends section of our web site.  While the report identifies a number of different types of malware, in this article, I’d like to focus on the Conficker worm as well as the class of worms which spread via AutoRun.

Conficker

While the overall percentage of reports is on the decline, the Conficker worm (also known as Win32/Conficker, Downadup and Kido) continues to make its presence known throughout cyberspace, accounting for 10.75% of detections.  This was actually a slight upswing from August’s 10.12%, but given that many businesses have employees on vacation during the summer, this is not unexpected, and it is still below the 12.58% seen in July.  The Win32/Conficker worm spreads using several vectors, such as unpatched operating systems, vulnerable network shares and AutoRun on removable media such as USB flash drives.  ESET detects the malicious AUTORUN.INF file used by the worm to spread separately from its Win32 portable executable file, and currently sees a ratio of about one AUTORUN.INF file to every 4.8 executable file detections of the worm.
 
While a substantial number of Conficker infestations are blocked at the removable media infection layer, there are still a large number of networks out there where the worm is spreading.  While ESET’s software does detect and remove the Conficker worm, it is important to keep in mind that anti-malware is only one component of security, and that other steps need to be taken as well in order to keep a network clean:
  • If you have not already done so, deploy Microsoft’s MS08-067 patch for the vulnerability initially used by the worm to infect systems.  It is also a good idea to install the MS08-068 and MS09-001 patches as well.
  • Disable AutoRun on removable media.  More about this below.
  • Use strong passwords.  The Conficker worm contains a set of commonly-used passwords in order to make it easier for the worm to spread across network shares.  A list is mentioned in this news article.  For more information about choosing good passwords, see these three earlier ThreatBlog articles here, here and here.  We also have a white paper on the subject.
ESET classifies Conficker into several variants, depending upon their behavior and technology.  For more information on each classification, see the following ESET Virus Encyclopedia entries: Conficker.A, Conficker.AA, Conficker.AE, Conficker.AQ, Conficker.AR and Conficker.X.

Worms continue to spread quick as a flash

The AUTORUN.INF file, a technology originally envisioned a decade-and-a-half ago to simplify the deployment of content on CD-ROMs, continues to be a top vector for malware.  ESET uses a variety of heuristic algorithms and generic signatures to detect both the AUTORUN.INF files which contain links to malware—detected as INF/Autorun and coming in at third place with 7.53% detections—as well as the malware which creates them: Win32/Autorun, coming in at ninth place with 0.78%.  Together, they account for 8.31% of detections seen in September, but it is important to keep in mind that other threats which spread via AUTORUN.INF files are first identified as specific threats such as Conficker, so the actual number of threats seen which make use of this technique is higher.
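As an added illustration of the kind of heuristic the paragraph above refers to (example code written for this page, not ESET's detection logic): a small Python checker that parses an AUTORUN.INF, reports whether the file asks Windows to launch anything at all, and flags the indicators that separate a vendor's install CD from a worm carrier. Both samples are constructed for the example, and the indicator list (hidden-folder targets, hijacked Explorer verbs, an action= line copying Explorer's own prompt) is my assumption about what a heuristic might look for, not a description of any product's rules.

```python
import re
from dataclasses import dataclass, field

# Keys in the [autorun] section that make Explorer launch something when the
# drive is inserted (open=, shellexecute=) or when a verb such as "open" or
# "explore" is chosen for the drive (shell\<verb>\command=).
LAUNCH_KEYS = {"open", "shellexecute"}
VERB_COMMAND = re.compile(r"^shell\\([^\\]+)\\command$")
HIJACKABLE_VERBS = {"open", "explore", "autoplay"}
# Folders that are hidden or rarely browsed on a removable drive; a launch
# target inside one of them is a strong sign the file is not a vendor's CD.
HIDDEN_FOLDERS = ("recycler", "$recycle.bin", "system volume information")
# Wording Explorer itself uses for the harmless default AutoPlay choice; an
# action= line that copies it disguises the launch as "just open the folder".
EXPLORER_DEFAULT_ACTION = "open folder to view files"


@dataclass
class AutorunVerdict:
    launches_code: bool          # the file asks Windows to run something at all
    suspicious: bool             # at least one heuristic indicator fired
    reasons: list = field(default_factory=list)


def parse_autorun_inf(text: str) -> dict:
    """Tolerant parser: keeps key=value pairs from the [autorun] section and
    skips junk lines, which malicious files are often padded with."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def assess_autorun_inf(text: str) -> AutorunVerdict:
    """Apply the heuristics above to one AUTORUN.INF and explain the verdict."""
    entries = parse_autorun_inf(text)
    reasons = []
    launches = False
    for key, value in entries.items():
        verb = VERB_COMMAND.match(key)
        if key not in LAUNCH_KEYS and not verb:
            continue
        launches = True
        target = value.lower().split()[0] if value.strip() else ""
        if any(folder in target for folder in HIDDEN_FOLDERS):
            reasons.append(f"{key}= points into a hidden system folder: {value}")
        if verb and verb.group(1).lower() in HIJACKABLE_VERBS:
            reasons.append(f"{key}= hijacks Explorer's '{verb.group(1)}' verb, so "
                           "double-clicking the drive runs it")
    if entries.get("action", "").lower() == EXPLORER_DEFAULT_ACTION:
        reasons.append("action= mimics Explorer's own 'Open folder to view files' prompt")
    return AutorunVerdict(launches_code=launches, suspicious=bool(reasons), reasons=reasons)


# Constructed samples for this example (not taken from any real sample set).
BENIGN_CD = """[autorun]
open=setup.exe /quiet
icon=setup.ico
label=Product Install CD
"""

WORM_CARRIER = r"""[autorun]
this line is padding and is ignored by the parser
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
open=RECYCLER\S-1-5-21-1234567890\update.exe
shell\open\command=RECYCLER\S-1-5-21-1234567890\update.exe
shell\explore\command=RECYCLER\S-1-5-21-1234567890\update.exe
UseAutoPlay=1
"""

if __name__ == "__main__":
    for name, sample in (("benign CD", BENIGN_CD), ("worm carrier", WORM_CARRIER)):
        verdict = assess_autorun_inf(sample)
        print(f"{name}: launches_code={verdict.launches_code} suspicious={verdict.suspicious}")
        for reason in verdict.reasons:
            print("  -", reason)
```

Note that the benign install CD also "launches code": nothing in the file format distinguishes a legitimate setup.exe from a worm's dropper except context, which is why a heuristic like this can only raise suspicion, and why the post's advice to disable AutoRun outright is the robust fix.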
 
In order to block malware which spreads in this fashion, AutoRun on removable media needs to be disabled.  This has been discussed earlier in ESET’s Threat blog here and here, and US CERT, the federal agency responsible for securing the government’s computers, gives instructions here as well.
Microsoft’s forthcoming versions of Windows, Windows 7 for desktops and Windows Server 2008 R2 for servers, will implement this, and the change has been made available for older versions of Microsoft Windows, such as Windows XP, Vista, Server 2003 and Server 2008.  For more information, including tools to apply the change, see this knowledgebase article on Microsoft’s web site.
 
As mentioned previously, anti-malware software is only part of the security equation.  Removing this unneeded functionality from your PC instantly immunizes it against a technique used by nearly a fifth of the malware out there.  The tools and techniques used to disable AutoRun functionality can be applied in under a minute on a single PC and are easily scriptable, so they can be employed in a managed computer environment with a minimum of effort.  We strongly recommend doing this.

Conclusion

As you can see, malware relies on a number of ways to spread, some of which are addressed by updating the operating system and others by replacing less secure default behavior, chosen in less security-conscious times, with more modern secure settings.
 
We’ll discuss the threats we saw last month in further detail, as well as explain how to better defend yourself in a future blog article.
 
Regards,

Aryeh Goretsky MVP, ZCSE
Distinguished Researcher

(Win32/)Induc-tive Reasoning


Monday, September 7th, 2009

I was passed a query from a journalist in the UK about Win32/Induc.A, the Delphi infector both Randy and I have blogged about previously, asking whether ESET has figures supporting my contention that this "harmless" malware actually has the potential to cause significant damage, as he had seen no reports of "even minor disruption."

While we do have statistics from our Threatsense.net technology, we don’t give out absolute numbers for malware detections, as that sort of statistic is more confusing than helpful. The feedback mechanism involves a large but self-selecting population of ESET-protected machines, and doesn’t necessarily reflect the situation among the total population of PCs accurately: it’s never more than a trend indicator, so any extrapolation to a global figure is guesswork.

However, I can tell you (as I told him) that when we added detection of Induc.A to our products, ThreatSense.Net came in with 30,000 detection reports in 24 hours. In the UK, it accounted for 0.26% of detections in August, putting it at number 51: worldwide, it scored 0.39%, putting it at number 37. That’s still a pretty significant figure, though, for a recently added detection.

As of somewhere around 2.45 on Monday, 7th September, Win32/Induc.A represented 0.64% of our worldwide detections for September so far, putting it at number 22 in the rankings at that time. That’s as compared to 4.11% for INF/Autorun, which was the top-ranked detection. For the UK, though, the figure was significantly lower: 0.40%, at number 36. Nonetheless, incidence is increasing worldwide and in the UK.

You have to remember, though, that this is a measure of detections of infected files, not of disruption, whatever you may understand by that: that can’t really be calculated from this automated service.

  • Some of those detections will be Trojans in their own right that happen to be infected with Induc.A because they were compiled with an infected version of Delphi.
  • Some will be detections of programs that the user hasn’t tried to run, or weren’t installed because Induc was detected.
  • Many will be installations that cause minor inconvenience rather than major loss of functionality, which I guess is what the journalist was getting at. 

If you look back at my recent blog post, you’ll see that the blog isn’t about a scaremongering "thousands of machines will be put out of commission" prediction, it’s about the fact that there are a lot of infected files out there (and I think the figures speak for themselves on that).

However, in most cases, removal of those files won’t cause major damage. The case where a system is actually put out of commission because an infected program is installed and can no longer run is hypothetical: I don’t expect to see lots of those, but it was important to make the point that it -could- happen because there’s a tendency to assume that Induc.A is a "harmless" virus because it can’t infect most systems. The point that people are missing is that it can affect systems without "infecting" Delphi. In most cases the effect will probably be trivial, but it will still cause some disruption.

Having said all that, though, I’d still say that a reported distribution of 4m infected files by Computer Bild constitutes serious disruption, irrespective of whether anyone actually executed that particular program (TidyFavorites 4.1, according to John E. Dunn on Techworld).

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

The Retro-Virus


Wednesday, August 19th, 2009

Nowadays we see lots of malicious software that is designed to steal money and information. A new virus was recently discovered that seems to be all about proving a concept rather than blatant maliciousness.

The Win32/Induc.A virus does not infect like most viruses do. Delphi is a programming language. Induc infects the Delphi IDE, so that when programmers compile their programs, the programs are already infected.

As far as we are able to determine at this time, this virus went undetected since April 2009. Most of the samples of infected files we have seen are other trojans, mainly those that steal bank information. So, we detected the Trojan, but didn’t know that it was also infected.

For the average user the virus is essentially harmless. The problem is that some software development companies use Delphi, got infected, and when we added detection for Win32/Induc.A their programs were detected. Some of these companies accused ESET of having false positives when their programs were actually infected!

In reviewing our internal malware collections our researchers have found over 4,000 infected samples. Our Threatsense.Net network has identified over 30,000 unique infected samples in the first 24 hours after we added detection.

For a write up about this virus you can visit http://www.eset.eu/encyclopaedia/win32-induc-a-virus?lng=en

Ironically, some other malicious software that was previously undetected by antivirus vendors will now be detected because it is infected with Induc.A!

It’s pretty rare now to be able to talk about a widespread virus that probably won’t cause you any harm.

Randy Abrams
Director of Technical Education

ThreatSense.Net® Report for July


Monday, August 3rd, 2009

Our July ThreatSense.Net® report has been released today, and will eventually be available from the Threat Center page here. Most of the top ten entries are old friends: well, familiar names might be a better way of putting it. One of the disadvantages of having a scanner that makes heavy use of advanced heuristics is that many of the most common detections don’t really map to single malware families the way that they do for companies that are more signature-oriented.

There are advantages, though, as we’ve discussed before, apart from the obvious (and important) advantage of proactive detection: it gives us more time to concentrate on processing detections rather than fussing with cross-matching samples to malware families, and it gives us a better picture of major threat trends, which we consider to be more useful. Unfortunately, some sectors of the media are still hung up on the minutiae of malware naming, which I don’t consider so important at a time when some sources are talking about collections of (much) more than 20 million individual samples. Hopefully they’ll catch up with the rest of us eventually…

Pierre-Marc and I presented a paper on the naming problem at Virus Bulletin last year, and I’ve developed the theme further in another conference paper that will be available on the white papers page in September.

As it happens, there aren’t a lot of surprises: the first few positions remain unchanged from June. However, Win32/TrojanDownloader.Bredolab.AA, despite a strong local showing in some countries, has dropped out of the worldwide top ten, while W32/FlyStudio is in at Number 5. FlyStudio is kind of interesting: it’s not exactly a malware family, but a development platform (a scripting language, to be more precise) much used in China. Unsurprisingly, the FlyStudio malware we’re seeing also seems to be targeting computer users in China, but is also being reported elsewhere, including North America. This may mean that it’s being deployed by another malware family.

Elsewhere in the top ten section, we’ve updated some of the descriptions. Over the lifetime of a threat family, there are often substantial changes in the way the malware works, or in our understanding of it as more variants appear and more information becomes available. And, as usual, we’ve included some notes on other issues that have been addressed recently by the labs and/or the Research team, including:

  • Adobe and Microsoft patching issues
  • Twitter and Facebook problems
  • A little about AMTSO
  • Some white papers that are about to appear
  • Waledec and the Dewey Effect
  • ESET in Europe’s initiative on safe wi-fi.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

June ThreatSense Report


Thursday, July 2nd, 2009

We’ve just finished working on our monthly Threat Report. There aren’t many surprises in the top ten threats for June.

Conficker has taken over the "top spot", relegating INF/Autorun to second place. It’s difficult to say for sure what the significance is, given the relatively small percentage point involved: minor fluctuations in proportions from month to month can be ascribed to factors other than overall upward or downward trends. ThreatSense.Net® doesn’t distinguish between sources: it simply reports when it detects a Conficker infection attempt over any vector (network shares, USB etc).

As we’ve pointed out previously, the real story with Conficker is less the actual malware than the number of people who still aren’t taking elementary precautions such as timely patching and disabling Autorun, properly securing network shares and so on. I would guess that right now, the continuing prominence of Conficker in the ratings is due to lots of machines, mainly home machines or botnetted business machines, that are never patched or properly protected by AV, often because the owner doesn’t bother with all that, or maybe sometimes because of a longstanding infection that’s blocking patches and updates and has never been noticed.

Rather more notable, perhaps, is the entry of Win32/TrojanDownloader.Bredolab.AA into the top ten at number 10. I feel like a DJ when I make a statement like that… (but where will I get one at this time of the afternoon?)

This is an example of a class of application that is intended to act as an intermediary to the infective process. This particular detection label is applied to a range of variants that commonly inject themselves into running processes and attempt to disable some security processes, while creating a registry key that ensures that the program is run at every system startup. It communicates with its command and control (C&C) server over HTTP. This malware has been associated with other malware activity such as Gumblar and Win32/Wigon.

The question is, what does this mean to you?

We’re seeing a great deal of this activity in combination with Flash (SWF) and Acrobat (PDF) exploits, so it’s more important than ever to keep up with Adobe updates and patches as well as Microsoft’s. (Nowadays it pays to keep an eye on new patches for any applications and utilities you use!) Having been somewhat negative about Adobe’s updating processes in the past, I really hope that Adobe’s new patching mechanisms, bringing them into line with Microsoft’s, will help to reduce the impact of these exploits in the longer term.

When a Trojan downloader is installed and active on a system, its main (or only) job is to download malware from a remote site, but it may make changes to the system such as those described above in order to increase its chances of doing so successfully. Other vendors describe different variant suffixes (.G, .HW etc.) as referring to this detection: however, because of the varying detection algorithms used by different vendors, it’s unlikely that there will be an exact match in all cases. Because of ESET’s heavy use of generic signatures and advanced heuristics, our detection label actually picks up many close variants and sub-variants.

As we’re halfway through the year, we’ve also provided a look back at the past few months, and hope you’ll find it useful or at least interesting.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Global Threat Report 2008, other papers, and AMTSO


Wednesday, January 21st, 2009

You may have noticed that I’ve been making a lot of references to this over the past few weeks. You can now download it here. Quite a few people have worked pretty hard to make this project happen, and I’d like to thank them now. I hope some of you will find it interesting and useful.

We’ve also been doing a little tidying of the white papers page, and there will be some additional material there in the near future, including papers on fake antimalware, the apparently late but unlamented Storm botnet, some of our recent conference papers on testing, malware naming, and user education, and an independent paper on spotting implementational errors in comparative tests that has also been referenced in the AMTSO document on The Fundamental Principles of Testing.

AMTSO (The Anti-Malware Testing Standards Organization) will be considering a number of additional documents next month, on a number of test-related topics, as well as the "terms of engagement" for the newly-appointed Reviews of Reviews board.

This board, on which ESET is represented, will implement one of the areas highlighted in the AMTSO preliminary charter: "Providing analysis and review of current and future testing of anti-malware and related products."

That’s a topic I certainly intend to come back to!

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Top Ten 2008 Threats


Monday, January 19th, 2009

The top ten (twenty, twenty-five…) season doesn’t seem to have finished yet: the latest to cross my radar was something like seven ways of surviving the recession, which I’m sure is of interest to all of us, but not really in scope for this blog.

So here’s a snippet from our 2008 Global Threat Report, which is about to come out, and from which I’ve previously included some tasters here.

Our in-the-cloud threat-tracking system ThreatSense.Net® gives us a way of tracking detections of known threats over months or years (you may have noticed that I referred to it in a previous blog about Conficker/Downadup), so we looked at the top twenty threat detections reported between January and December 2008.

(See table 1 below)

As you’ll have noticed, there are quite a few very similar detections there such as INF/Autorun, INF/Autorun.gen, and Win32/Autorun.KS, or all the Online Games Password stealers, so we consolidated some of them into a single detection category, as we do for our monthly reports, and reduced the resulting detections to a top ten. (Sometimes, less is more. )

In fact, these detections could have been consolidated further – for instance, there’s an overlap between Pacex and gamer password stealers – but we think that the consolidated table (Table 2 below) gives a pretty good impression of the underlying trends, which seems to us more useful than focusing on individual variants and sub-families.

The top ten trends are shown in table 2 below.

There’s much more information in the forthcoming report (I’ll link it here when it’s available), but here’s a brief summary of what this table tells us about trends over the past year.

  • Gaming password stealers have the largest volume and percentage share over the whole year, even if we don’t include Pacex.gen detections. Gamers are a very popular target.
  • Malware that uses the Windows Autorun facility as an infection vector (a very broad classification label) runs gaming trojans a close second. Autorun would be a good idea in a better world, but in the one we actually live in, it’s better for most people if it’s disabled.
  • While the general classification of adware covers many distinct programs, the continuing presence of Win32/Toolbar.MyWebSearch and the many variants of the Virtumonde Trojan in the top ten give some idea of the size of the problem.
  • The GetCodec downloader and associated threats continue to be a major presence. This testifies to the continued success of social engineering of the “click here and install this program so that you can view this highly desirable content” genus.
  • Data theft through PC compromise is one of the most consistent aims of the malware author, as the Win32/Agent group of Trojans indicates.
  • The continuing presence of advanced detections like INF/Autorun, Win32/Statik and Win32/Genetik in the top ten testifies to the continuing need for sophisticated heuristics to flag the presence of new malware that doesn’t resemble known malware closely enough to be identified using an existing family identifier.

Table 1: Top 20 Detections

Malware Detection Name               Detections   % of total detections
Win32/PSW.OnLineGames.NMY              22990746   6.69%
INF/Autorun.gen                        13827373   4.03%
INF/Autorun                            10593305   3.08%
Win32/Toolbar.MyWebSearch               8921028   2.60%
Win32/Pacex.Gen                         8620971   2.51%
Win32/PSW.OnLineGames.NMP               6713116   1.95%
WMA/TrojanDownloader.GetCodec.Gen       5685400   1.66%
WMA/TrojanDownloader.Wimad.N            5218889   1.52%
Win32/PSW.OnLineGames.NNU               5096504   1.48%
Win32/Agent                             4859566   1.41%
Win32/Adware.Virtumonde                 4588952   1.34%
Win32/AutoRun.KS                        4087011   1.19%
Win32/Genetik                           3828021   1.11%
Win32/Qhost                             3717897   1.08%
Win32/Statik                            3244414   0.94%
Win32/TrojanDownloader.Murlo.NN         3140400   0.91%
Win32/Agent.AJVG                        2900763   0.84%
Win32/HackAV.G                          2305628   0.67%
Win32/PSW.OnLineGames.ODJ               2270310   0.66%
Win32/Patched.BU                        2254901   0.66%

Table 2: Top Ten Trend Detections

Malware Detection Name               Detections   % of total detections
Win32/PSW.OnLineGames                  37070676  10.78%
INF/Autorun                            28507689   8.30%
WMA/TrojanDownloader.GetCodec.Gen      10904289   3.18%
Win32/Toolbar.MyWebSearch               8921028   2.60%
Win32/Pacex.Gen                         8620971   2.51%
Win32/Agent                             7760329   2.25%
Win32/Adware.Virtumonde                 4588952   1.34%
Win32/Genetik                           3828021   1.11%
Win32/Qhost                             3717897   1.08%
Win32/Statik                            3244414   0.94%
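As an added worked example (written for this page, not code from the report or from ESET), here is the consolidation step the post describes, carried out on the Table 1 figures: per-variant labels are folded into trend categories and the result is ranked into a top ten. The prefix rules are my assumption about how the labels were grouped; the post explains the idea but does not print its rules. Run as written, the output reproduces Table 2 line for line, including the summed percentage shares.

```python
from collections import defaultdict

# Table 1 from the post (top 20 detections, January to December 2008):
# (detection label, detections, % of total detections)
TOP20_2008 = [
    ("Win32/PSW.OnLineGames.NMY", 22990746, 6.69),
    ("INF/Autorun.gen", 13827373, 4.03),
    ("INF/Autorun", 10593305, 3.08),
    ("Win32/Toolbar.MyWebSearch", 8921028, 2.60),
    ("Win32/Pacex.Gen", 8620971, 2.51),
    ("Win32/PSW.OnLineGames.NMP", 6713116, 1.95),
    ("WMA/TrojanDownloader.GetCodec.Gen", 5685400, 1.66),
    ("WMA/TrojanDownloader.Wimad.N", 5218889, 1.52),
    ("Win32/PSW.OnLineGames.NNU", 5096504, 1.48),
    ("Win32/Agent", 4859566, 1.41),
    ("Win32/Adware.Virtumonde", 4588952, 1.34),
    ("Win32/AutoRun.KS", 4087011, 1.19),
    ("Win32/Genetik", 3828021, 1.11),
    ("Win32/Qhost", 3717897, 1.08),
    ("Win32/Statik", 3244414, 0.94),
    ("Win32/TrojanDownloader.Murlo.NN", 3140400, 0.91),
    ("Win32/Agent.AJVG", 2900763, 0.84),
    ("Win32/HackAV.G", 2305628, 0.67),
    ("Win32/PSW.OnLineGames.ODJ", 2270310, 0.66),
    ("Win32/Patched.BU", 2254901, 0.66),
]

# Consolidation rules (an assumption for this example; the post describes the
# idea but does not print its rules): a label starting with the prefix on the
# left is folded into the trend category on the right. Labels matching no
# rule stay as their own category.
CATEGORY_RULES = [
    ("Win32/PSW.OnLineGames", "Win32/PSW.OnLineGames"),
    ("INF/Autorun", "INF/Autorun"),
    ("Win32/AutoRun", "INF/Autorun"),
    ("WMA/TrojanDownloader", "WMA/TrojanDownloader.GetCodec.Gen"),
    ("Win32/Agent", "Win32/Agent"),
]


def category_for(label: str) -> str:
    """Map one detection label to its trend category (first matching prefix wins)."""
    for prefix, category in CATEGORY_RULES:
        if label.startswith(prefix):
            return category
    return label


def consolidate(rows, top_n=10):
    """Fold per-variant rows into trend categories and rank them.
    Returns [(category, detections, % share)] sorted by detections, largest first.
    The share is the sum of the published per-variant percentages, rounded to
    two places, since the report's grand total is not given."""
    detections = defaultdict(int)
    share = defaultdict(float)
    for label, count, pct in rows:
        cat = category_for(label)
        detections[cat] += count
        share[cat] += pct
    ranked = sorted(detections, key=detections.get, reverse=True)
    return [(cat, detections[cat], round(share[cat], 2)) for cat in ranked[:top_n]]


if __name__ == "__main__":
    for rank, (cat, count, pct) in enumerate(consolidate(TOP20_2008), start=1):
        print(f"{rank:2d}. {cat:<36} {count:>10,} {pct:5.2f}%")
```

Worth noticing in the result: the four OnLineGames variants alone sum to 10.78%, which is what the post means when it says gaming password stealers lead even without counting Pacex.gen; and Win32/TrojanDownloader.Murlo.NN, eleventh after consolidation, is the first label to drop out of Table 2.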

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence