Tests Show Problems With AV Detections
February 7, 2010 by admin
Filed under Security News
Dateline: Moscow.
Here at a security press conference held by Kaspersky Lab, the company demonstrated how some malware detections are easily triggered by innocuous programs.
The problem arises when one vendor detects a threat. Samples are often passed on to other vendors, through multi-scanning services like VirusTotal. The fact that another vendor, particularly a respected one like Kaspersky, detects a threat is enough of a reason to take a serious look at the sample.
After suspecting such problems, Kaspersky created a test which demonstrated the phenomenon. They wrote a series of simple and innocuous programs, compiled them, created false detections for them in their engine, and then submitted the files to VirusTotal. Only Kaspersky detected the files at this point.
But standard procedure with VirusTotal is that if at least one of the products detects a submitted sample, it is submitted to the others who didn’t detect it. The idea is that they can then analyze the file and create their own detection.
Instead, what they found was that other companies were creating detections for the false submissions from Kaspersky. The programs create some variables and perform simple mathematical operations on them. They don’t even touch the file system. Kaspersky provided me with the programs and the source code.
Click on these to see some of the detections:
- http://www.virustotal.com/analisis/5aee7…1264831301
- http://www.virustotal.com/analisis/0de6d…1264867956
- http://www.virustotal.com/analisis/b2a11…1264867934
- http://www.virustotal.com/analisis/7e79b…1264867923
- http://www.virustotal.com/analisis/0b974…1264831241
- http://www.virustotal.com/analisis/0b974…1264867640
But it turns out that the fact that Kaspersky was detecting the threats was not the only reason the others were. The real problems were the aggressive heuristics in the products and the fact that only a static scan was performed.
And there is something suspicious about a program that appears to do nothing and then exits. Other vendors I communicated with on the matter said that the behavior was not surprising and that a live on-access detection on a system with their product installed would not be the same. For instance, F-Secure said that “[o]n the end users Windows box, these alerts would show up as a prompt, asking the user whether he really trusts the program. In addition, we have massive whitelist databases in our back-ends, so such prompts would only appear from new, unknown applications.”
I suspected that the compiler used to generate the samples might itself be an issue, so I asked Kaspersky about it. They used the MinGW cross-compiler, a gcc version for Linux that generates Win32 binaries. It’s possible that the same source code compiled with Microsoft Visual Studio would have generated a different reaction in the anti-malware products, not that it should make a difference. But Kaspersky then created a “hello world” program with the same compiler and settings and uploaded it to VirusTotal; hours later, even though there were no Kaspersky detections, 2 other products called the sample “suspicious”.
This problem is not entirely new; Hispasec Sistemas Lab of Spain, the company that operates VirusTotal, wrote about it a few months ago (original Spanish, Google translation to English). As they point out, the volume of samples coming into company labs is so enormous that the vast majority has to be handled by automated analysis processes, and perhaps they are designed to be a little more paranoid than humans.
Kaspersky Lab has written an Analyst’s Diary entry on the issue as well.
By Larry Seltzer from PCMag.com
Autorun no more
September 24, 2009 by admin
Filed under Protection Tools
A little while ago, Microsoft released an update which partially disables some autorun functionality on Windows operating systems prior to Windows 7. The update, known as KB971029, is intended for Windows XP, Vista, Server 2003, and Server 2008. The autorun function is used to automatically start installation processes from CDs, DVDs, and USB drives, as well as other types of removable media.
Autorun works by using a file named autorun.inf found in the root of the file system for removable drives. While this is a helpful process when used with a trusted resource, such as a software installer from a CD, it has long been a successful malware infection vector on rewritable drives.
At Kaspersky, we’ve frequently urged Microsoft to disable this process, as anything that automatically installs software or code without properly informing the user can and will be used maliciously. In the past we’ve discovered infected consumer devices, and the autorun function has been used to spread incredibly successful threats such as Conficker (Kido). This listing gives you a partial idea of just how often “autorun” gets used as an infection vector.
Early versions of Windows, including Windows XP Service Pack 1 and earlier, would automatically launch software on a rewritable drive with no notification. XP Service Pack 2 and later would automatically launch a window when the drive was inserted, and you could then choose to run an executable. In fact, you could check a box at the bottom to “Always do the selected action”. Malware creators often create an autorun.inf file on removable media when a malicious program launches, and this extends the attack vectors beyond network propagation. A shared USB drive becomes a threat to a network that may not even have Internet access.

With Windows XP Service Pack 2, and in Vista and Server 2008, a new feature called Autoplay was introduced. The Autoplay function pops up a window when an autorun.inf file is detected and requests action from the user. The options are to install a program, which launches the intended executable, or to open the folder to view files. While this approach is better than automatically running an executable without user knowledge, it’s not exactly safe. Most casual computer users are conditioned to keep clicking until the file opens, so this just adds a step on the road to infection. The update mentioned above disables the autoplay function on writable media like USB drives, while leaving the autoplay function intact for CDs and DVDs.

Windows 7 disables the function altogether on writable external drives by default. This is a much safer approach; although it makes it more difficult for the average person to find out what to do next when trying to install something new, there’s always a trade-off between security and usability. While we commend Microsoft for finally implementing this fix, it took far too long. Countless infections could have been avoided, and Conficker might have spread less widely if this simple fix had been pushed out earlier.
Source: viruslist.com
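The autorun.inf mechanism described above can be triaged on a suspect drive by reading the file instead of letting Windows act on it. The following Python script is an added example, not code from the original article or from Kaspersky; the autorun.inf it parses is a constructed sample, and the key names it checks (open, shellexecute, shell\<verb>\command, shell, icon, label, action) are the standard autorun.inf directives.

```python
import re

# Directives that make Windows run a program when the media is inserted,
# when the drive icon is double-clicked, or from the Autoplay dialog.
EXEC_KEYS = {"open", "shellexecute"}
# Directives that only change how the drive is presented to the user.
COSMETIC_KEYS = {"icon", "label", "action"}

def parse_autorun(text):
    """Return {key: value} for the [autorun] section; keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def triage(text):
    """List the findings a defender cares about, execution first."""
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        if key in EXEC_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", key):
            findings.append(f"EXEC {key}={value}")
    if "shell" in entries:  # default verb: its command runs on double-click
        findings.append(f"DEFAULT-VERB shell={entries['shell']}")
    # Text that imitates the built-in "Open folder to view files" choice
    for key in sorted(COSMETIC_KEYS & entries.keys()):
        if re.search(r"open folder|view files", entries[key], re.I):
            findings.append(f"DECOY {key}={entries[key]}")
    return findings

# Constructed sample in the style the article describes (not real malware).
SAMPLE = """[autorun]
open=RECYCLER\\setup.exe
shell\\open\\command=RECYCLER\\setup.exe
shell=open
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

An EXEC finding is not a verdict on its own (a legitimate installer CD also uses open=setup.exe); the combination of an executable directive with a decoy action text is what marks the pattern the article warns about.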
The New Version of Swizzor Trojan Not Detected Yet and How to Remove it Manually
August 18, 2009 by admin
Filed under Removal Tips,Tools and Videos, Security News
Today I found a new version of a trojan (Swizzor Trojan). The damage the trojan does is slowing down IE, and maybe it sends personal information to a remote server, so it can be a real threat to your privacy.
Swizzor can also try to download and install malicious software such as adware.
How did I detect it:
I saw 2 IExplore.exe processes running without seeing any IE windows; even if I closed one of them it would run again, so I tracked which software was running IE without any permission, and I found it in the Startup tab of Msconfig. The file name is admin dumb.exe, with other files at “C:\Documents and Settings\Administrator\Application Data\Extra 16”.
I copied the folder that has the trojan and uploaded the files to VirusTotal. Some of them were detected by Kaspersky, but admin dumb.exe was not detected by Kaspersky, McAfee, Symantec, Nod32, Sophos, etc. To see the result from virustotal.com, Click Here.
How to remove Swizzor Trojan Manually :
1- Open Msconfig from Start > Run, click on the Startup tab, then uncheck admin dumb.exe.
2- Go to the admin dumb.exe path, e.g. “C:\Documents and Settings\Administrator\Application Data\Extra 16”, and rename the folder that contains the trojan file.
3- End the admin dumb.exe process from Task Manager if it is running.
4- Restart your PC, then go back to the folder that you renamed before and delete it with all its contents.
5- Your PC is clean now. Enjoy.
For any help please comment or contact us.
Kaspersky Lab detects new version of Conficker worm (Net-Worm.Win32.Kido.js)
August 16, 2009 by admin
Filed under Security News
Kaspersky Lab, a leading developer of secure content management solutions, announces that a new version of the malicious program Kido (aka Conficker and Downadup) has been detected.
How To Remove Win32/Mabezat, Win32/Mabezat.A, Win32/Mabezat.B, Worm.Win32.Mabezat.b
July 5, 2009 by admin
Filed under Removal Tips,Tools and Videos
Overview
This description is for a worm that is capable of spreading through removable devices and network shares.
The characteristics of this worm in regards to file names, folders created etc. will differ from one version to another. Hence, this is a general description.
Get Latest Kaspersky Security Suite CBE 2009 1 Year Genuine key For Free
June 24, 2009 by admin
Filed under Protection Tools

Computer Bild, a German computer magazine, is giving away a free genuine Kaspersky Security Suite license key valid for 1 year to its subscribers. If you know German, it’s a good chance to grab a free 1-year Kaspersky Security Suite license key for your computer protection.
How To Remove Virus.Win32.Sality.aa Win32/Sality.AM W32/Sality.ah
June 6, 2009 by admin
Filed under Removal Tips,Tools and Videos
We saw a lot of people visiting us to find out about ( Virus.Win32.Sality.aa Win32/Sality.AM W32/Sality.ah ), so we have now put together a way to remove ( Virus.Win32.Sality.aa Win32/Sality.AM W32/Sality.ah ) and clean the infected PC. Just follow these steps:
How To Remove Conficker Worm And Protect Yourself Step By Step With VirusExperts.org Removal Package
April 21, 2009 by admin
Filed under Protection Tools, Removal Tips,Tools and Videos
There are a lot of tools that can remove the Conficker worm, but since Conficker changed to more than one version (A, B, C and E), some of the tools are no longer effective, so we collected the best tools to remove and protect against the Conficker worm.
Kaspersky Anti-Virus & Internet Security 2010 V9.0.0.313 Beta
April 20, 2009 by admin
Filed under Protection Tools

Kaspersky Anti-Virus 2009 – the backbone of your PC’s security system, offering protection from a range of IT threats. Kaspersky Anti-Virus 2009 provides the basic tools needed to protect your PC.
Kaspersky Removal Tool (Updated Daily)
April 19, 2009 by admin
Filed under Removal Tips,Tools and Videos