Month: June 2008

Fresh-it.blogspot, a blog whose entire mission in life is to steal the content of others for the purpose of generating Adwords revenue, posts this delightful (stolen) story today:

Alex Eckelberry

TSA’s latest pronunciamento on showing ID at the airport has logical gaps that are beyond reason.

According to the TSA, if you refuse to show ID, you’ll be refused entry to the boarding area, but if you say that your ID card was lost, you’ll be allowed.

Apparently, they are operating on the theory that “terrorists don’t lie”.

This is like the old joke:

“I got my car for $50 from a guy on the street!”

“Really? That price is way too low — it must have been stolen.”

“Nah, I asked the seller if it was stolen, he said no.”

This is so bizarre my mind is reeling.

Alex Eckelberry
(hat tip)

Of the SpywareNo family.

Patrick Jordan

(The Wildlist is the basis of in-the-wild virus testing and certification by VirusBulletin, ICSA, and West Coast Labs.)

Larry Seltzer’s pejorative post last week about the Wildlist started a few strong discussions going in the industry (with arguments on both sides). And there’s been more since the article (related or not).

The shocker was last Thursday, when it was reported that Trend Micro (following Panda’s lead) has decided to “boycott” the Wildlist.

I am of the belief that the Wildlist is an outdated method of determining the efficacy of an antivirus product. Oddly, let me make it clear that it’s to my benefit to say just the opposite: to promote the Wildlist as effective, since it’s a fairly small list of malware to worry about. Once one is “certified” for the Wildlist, one could then be considered a “real” antivirus product. Nothing is further from the truth, and therein lies the problem: It’s an implicit (and unintentional) form of fraud.

Andreas Marx echoes a fair amount of this sentiment, in an email he circulated among some researchers last week:

…there is nothing wrong with the actual testing performed by Virus Bulletin, the problem is related to the samples from the WildList. Indeed, as Larry Seltzer pointed out, there is something seriously wrong with WildList-based testing and certification.

At the Virus Bulletin Conference in 2007, Frank Dessmann and I gave a presentation, “The WildList is Dead, Long Live the WildList!”. What we found (proven with facts and figures), pointed to the actual problem of the WildList: We are mainly speaking about a “list of a small number of irrelevant random malware samples”.

And here we go for the facts (updated to include the most current WildList from April 2008):

1. The threat landscape has changed dramatically, just a few years back, we had to deal with 10 to 20 virus samples per day, now we are up to 21,000 unique new samples per day, but the current April WildList only includes 678 samples — that’s the number of samples we are getting on an average day in under an hour! Besides this, the WildList only covers self-replicating malware such as viruses, but not today’s most common threats, like Trojan Horses or rootkits. By ignoring today’s reality, the list MISSES the really HOT samples and the numbers of samples on the WildList is TOO SMALL.

2. While the WildList shows that currently 86 reporters (mainly working for AV companies) are submitting samples to the organization, most of them are inactive, so that a WildList is usually created by 8 to 10 active reporters — and these 8 to 10 people can “decide” which malware is the most active one world-wide? Therefore, the list is a RANDOM selection of samples.

3. The WildList is usually outdated when published: The April WildList was released on June 1, 2008, so the entire May (or at least 640,000 new malware samples we’re seeing per month) have passed by before the WildList was finally published… so the list contains only OLD malware, not really new samples.

The problems are not new — I’ve written about them one year ago, but
(almost) nothing has changed. 🙁

Another source of some contention on the Wildlist issue is the venerable Randy Abrams of ESET. In his words, “Agreement was virtually unanimous that the WildList is no longer useful as a metric of the ability of a product to protect users”.

Mary Landesman, on the other hand, wrote last year that “As much fun as it is to take cheap potshots and sling similes, the fact is the WildList is more pertinent than ever – particularly given today’s threat landscape. By setting a standard, definable bar, the WildList has consistently improved detection across the board. Reputable anti-virus vendors must work (hard) to gain credibility, participating fully in order to engage in the sample sharing necessary to build the library of threats required to score well on the tests. But what WildList testing really offers today is a measure of trust.” Checking back with Mary recently, she still believes the Wildlist is valid, but expanded on her viewpoint:

…I still think the WildList provides a resource to the average user to distinguish between *real* scanners and rogue (or just plain lousy) scanners. It also establishes some consistency between testing organizations so it helps set a minimum bar for the testers as well. Keep in mind, I’ve never believed (even in the mid-90s) that WildList testing alone was a good enough measure of a products overall protection capability. I just believe in the value of having a minimum bar and for that purpose it does well. This doesn’t mean it’s not in need of an overhaul. As an example, I’d love to see some minimum standard measure of behavioral analysis. And it needs a name change because it certainly isn’t reflective of what’s in the wild (indeed, nothing could be and still be manageable!) So when I say I think the WildList is still pertinent, I am referring to the value of setting those minimum bars, not necessarily about the WildList as it exists per se.

Fair enough.

So let’s shift gears. I’ll pose the problem in a question: What would you consider the gauge of effectivness of an antivirus product? (I use the term “antivirus product” to denote the current mode of protecting against malware in general — viruses, spyware, etc.).

If I’m guessing right, your answer would probably be something like:

“A good antivirus program should block the broadest amount of malware possible, including new malware as it comes out, and should be able to clean infected systems with a high degree of effectiveness.”

The Wildlist only has about 700 samples in the list. Well, there’s lots and lots of malware out there. We recently ran scans on over 10 million pieces of malware, and found hundreds of thousands of variants. Are they all in the wild? Not necessarily. But you get the picture. There’s a lot of stuff out there, and the Wildlist itself is not “the test”.

And really, I don’t think anyone really disagrees with that.

The Wildlist itself is peachy, and I think it’s just fine as a test of file infecting viruses, etc. It’s not an easy test to pass, and I think it should continue to be there. But it’s misleading, if consumers rely on the Wildlist (through VB 100 certification or another certification) to make a determination as to the validity of a virus product. Perhaps there should be a “Basic” certifcation, and there then should be a “Premium” Wildlist certification.

As the final word on this issue, I hope this will elucidate the problem graphically. Here, again from Andreas, are collection statistics on malware (these are newly added/discovered samples per month, with a total of about 11.45 million samples right now). .

QED.

Alex Eckelberry

First Google, then DoubleClick redirects, now Dogpile is a new favorite for XSS redirects by malware authors.

Example:

You can see this type of redirect in action by clicking on the following (it just redirects to Sunbelt, don’t worry):

http://www.dogpile.com/clickserver/_iceUrlFlag=1?rawURL=http://sunbeltsoftware.com&0=

XSS vulnerabilities are irritating, aren’t they?

Alex Eckelberry

Redmond is testing a new handy option that gives you “access anywhere” to all the free Sysinternals tools. As we all know, the diagnostic and troubleshooting utilities of Mark Russinovich are extremely useful. If you have a machine that is hooked up to the Net, you no longer have to download and unzip them. Russinovich and his gang are continuously updating the existing tools and create new ones. The site is easy to remember: live.sysinternals.com.

Another researcher emailed me, alerting me that the Anykindmp3 is now unavailable.  Instead, it’s in a revised incarnation — Anykindmp3s com.

Sneaky buggers.  This thing is still serving trojans.  Stay far away.

Alex Eckelberry
(Thanks, John!)

Just for fun, I made a quick video this morning to highlight some of the trouble you can get into searching on the web. Link here. (Low res version here.)

Alex Eckelberry

(Update: Anykindmp3s is the new name of the bad site.)

Anykindmp3 com advertises free music. Instead, what you’re going to get is a trojan downloader that installs Virusheat.

This is an extremely dangerous site, because it’s so innocuous, luring people in with “free MP3s”. Expect users to get infected by typing in various keywords to search engines. I expect to get a video up tomorrow showing some other things about this site.

The following screen is what you’ll see if a download is accessed through Google:

(The site itself will give a fake error code if you just go to the main page itself):

There are a number of different areas of the site, like these. Everything looks completely legitimate:

Trojan distributors are becoming more and more clever in their methods of propagation. To experts, the problems with this site are obvious (why is it free? and why is an executable?). To non experienced users, it’s a recipe for disaster.

I hope all search engine companies place warnings around this site or blacklist it as soon as possible, as SEO will be the major method of promotion.

Alex Eckelberry

(Update: Anykindmp3s is the new name of the bad site.)

SC Mag gives a very nice review of our email security product for Microsoft Exchange, Ninja Email Security, but says we’re a wee bit pricey.

So the punchline would be: Clearly, he hasn’t encountered our sales team at the end of the quarter. (Seriously, we’re not that pricey in volume.)

Alex Eckelberry

A spam making the rounds purports to be a Youtube video. 

Clicking on that link then redirects to a different site, youtube-s, which serves exploits to attempt to infect your system.  Then, if your browser hasn’t completely crashed at that point, you may ultimately get redirected to the real YouTube, displaying some idiotic video (hence, possibly even helping to continue the infection, by having users forward the spam above):

Alex Eckelberry

Apple just released a rather tome-like document on securing Leopard.

It’s a good document, albeit certainly for the more advanced Mac user or system administrator. Link here (pdf).

On a related note, the CIS security documentation for Leopard was released a few weeks ago. Link here.

Alex Eckelberry
(Thanks Steven + anonymous security guy)

 

 

Alex Eckelberry
(Thanks, Adam)

Ironic.

Alex Eckelberry

1 in 4 PCs infected? Give me a break, someone has been smokin’ some seriously funky stuff here:

An OECD study into online crime says that increased activity by cyber criminals has left an estimated one-in-four US computers infected with malware.

Link here (via the Inquirer).

Alex Eckelberry

We’ve seen this before, and it’s back:  Demands to install a new “certificate” from a site.

What’s downloaded is a malicious trojan, with very poor AV detection.

Alex Eckelberry

Blackberry stands up to India, refusing to provide the “master key” to decrypt traffic.

Alex Eckelberry

On May 25^th, we noticed that spammers and malware distributors had moved from using Google redirects, to Doubleclick redirects. 

If you’re tracking this stuff, you’re undoubtedly seeing extensive use of these redirects, like this one:

The reason is that Google has done quite a bit to fix the redirect problem, as you can see from this example:

So the party’s just moved on to a different location.  Let’s hope that DoubleClick (err, Google) can fix this soon.  They are aware of the problem.

Alex Eckelberry
(thanks, Adam Thomas)

If you’re a bit confused about the recent Microsoft advisory on the Safari blended threat, you’re probably not the only one.

Microsoft’s advisory speaks of a threat that “allows remote code execution”. However, if you review the work of Nitesh Dhanjani, who discovered the vulnerability, the exploit only allows sites to carpet bomb users with files. So, what remote code execution are they talking about?

According to Aviv Raff, there’s more to the story. It turns out that there is a method to allow remote execution, using Nitesh’s method, as well as a method that Aviv previously reported to Microsoft.

Solution? Don’t use Safari until this is resolved. Easy. (As the chorus of yawns echoes through the Blogosphere.)

Alex Eckelberry

Larry Seltzer tells it like it is. 

Similar points were made by Andreas Marx at his presentation at last year’s Virus Bulletin, “The Wildlist is Dead, Long Live the Wildlist”.

The Wildlist (the primary method of certifying antivirus products) is an anachronism in today’s environment.  That doesn’t mean, however, that all AV engines are crap — far from it.  Despite the constant negativity out there, there are, in fact, some extremely good engines on the market that have kept up with real threats in an admirable fashion. We just need a better method of certification. 

As to the calls about “we need to move to whitelisting because blacklisting is dead”, I don’t agree with these sentiments.  Hopefully I’ll have more time this week to write more on that subject.  

Alex Eckelberry