Virus Bulletin Blog
30 mobile solutions tested for malware protection and speed hit.
Independent test organization AV-Test has released its latest report, covering the Android platform. This major test of mobile solutions included 30 contenders, with offerings of varying complexity. As well as rating malware detection, false alarms and performance, extra points were given for including additional security components.
Products were given a rating out of a possible six points for detecting a set of over 2,500 recent Android malware samples, and for 'usability', covering impact on system speed, battery drain, generating data traffic, and false positives on clean apps.
An additional point was available for including other protections - including remote lock, wipe and locate features, browsing and messaging filters and unwanted call blockers, parental controls, backup, encryption and much more besides.
The top performer, with an impeccable 13 out of 13, was Bitdefender's Mobile Security.
The bulk of the remaining products followed close behind, with AhnLab, Avast, Comodo, ESET, F-Secure, Kaspersky, Kingsoft, McAfee, Microworld, NQ Mobile, Qihoo and Symantec all scoring a very decent 12.5 points, Dr Web and Trend Micro doing very well with 12 points, and Antiy, Armor for Android, Lookout, Quick Heal and Sophos also doing pretty well on 11.5 points.
Tencent did reasonably well with 11 points, while G Data, Ikarus, Juniper, TrustGo and Webroot did OK with 10 points each. ThreatTrack Security managed nine points - just clearing the eight point cut-off point for certification, but identifying less than 90% of the malware set.
Lagging well behind were a few further products, all of which were denied certification. These included products from SPAMfighter - which wasn't too far off the mark with seven points, but which was given a score of zero for detection, having picked up only 76% of the samples. SUVSoft was given six points, with reasonable detection, but was hit by a large number of false alarms. Bringing up the rear was AegisLab, which fared poorly on all counts.
It may be worth noting that under AV-Test's official methodology (PDF here), it appears to (theoretically) be possible for a product to alert on all apps but still reach certification standard, as long as it doesn't slow the phone down too much and has at least a few extra features.
Android malware continues to proliferate, rapidly catching up with Windows malware in terms of sophistication, as researchers at Kaspersky Lab recently discovered. Dodgy apps are spreading through rogue app stores as well as sneaking onto legitimate stores, including spoofed versions of very popular Android games, so users of the platform are advised to ensure they run a quality security solution.
However, despite the growth in malware, the biggest risk most mobile users face is losing their device, as F-Secure's Mikko Hypponen recently pointed out. This makes the additional features, such as remote lock/wipe tools and phone locating systems, a vital part of the smartphone user's security armoury.
The test results can be found in full on the AV-Test website, here.
Most filters see a small increase in their catch rates overall.
The results of VB's latest spam filter test show that the spam sent from web hosts is significantly harder to block than spam sent via other means.
Following various reports on the amount of spam sent from compromised web hosts, we compared delivery rates for spam sent from web hosts with that of other spam - and found that the former kind of spam was more than three times as likely to make it past a spam filter.
This is a big difference, even if delivery rates remain low: spam sent from web hosts had a 1.04% chance of making it past a spam filter, compared to 0.29% for other kinds of spam. As a single spam campaign easily sends millions of emails, this difference can make or break the campaign.
In recent years, the security community has placed a lot of focus on botnets of compromised home PCs. Recently, however, cybercriminals have turned their attention to web hosts, many of which are easy to compromise and have good and reliable Internet connectivity. The results of this test show that this isn't merely a quantitative shift, but that by sending spam from web hosts, spammers can significantly increase their delivery rates.
Most of the 20 full solutions tested saw an overall improvement in their spam catch rates since the last test - although catch rates didn't fully recover to their previous levels.
There was good news for most of the products in the test: 19 full solutions reached the required standard to achieve a VBSpam award, and two of them - Bitdefender and Libra Esva - combined a very high catch rate (99.50% or more) with a lack of false positives and thus earned a VBSpam+ award.
More on the VBSpam tests, including historical performance of the participating products, can be found here.
Set of checks can show if your security is properly configured and operational.
Today AMTSO officially released its 'Feature settings check' solutions, a set of simple tools to enable anyone to test whether their anti-malware solution is properly set up and working.
Hosted on the AMTSO website, the checks cover a range of standard anti-malware features, including protection against both manual and drive-by downloads, alerting on phishing pages, detection of 'potentially unwanted' software and proper connection to cloud lookup systems.
The checks are performed using specially crafted test files and pages, which the industry has agreed to include the proper detection for in their products. These include the long-standing EICAR test file, but also some newer items developed specially for the AMTSO check tools.
At the initial launch the checks are supported by many leading anti-malware vendors, including Agnitum, Avast, AVG, Avira, ESET, F-Secure, G Data, K7, Kaspersky, McAfee, Norman, Panda, Sophos, Symantec and Trend Micro. Other vendors are expected to join in soon. Not all vendors support all the checks, depending on the features implemented in their products.
The full set of checks can be accessed here, with details of which vendors support each check listed on the individual check pages.
The June issue of Virus Bulletin is now available for subscribers to download.
The June 2013 issue of Virus Bulletin is now available for subscribers to browse online or download in PDF or PRC (Kindle) format.
Some of the things this month's issue has in store are:
Note: The June 2013 VB100 comparative review (on Windows Server 2012) will be published as a standalone article later in the month. As with all new VB100 and VBSpam reviews, the report will be available for non-subscribers to purchase as a standalone item (Virus Bulletin subscribers will be notified by email when the comparative is available to download). Non-subscribers can purchase VB100 reports here and VBSpam reports here.
Subscribers click here to access the issue.
If you are not already a subscriber why not take the chance to subscribe now.
Eased restrictions welcomed by security experts.
The United States has announced it has eased export restrictions to Iran, and now allows for the export of mobile phones and software, including anti-virus software.
The US originally imposed sanctions against Iran following the Iranian Revolution of 1979 and has tightened them several times since, among other things because of the country's alleged nuclear program. While the effect of economic sanctions is debated among experts, the fact that anti-virus software could not be exported has regularly received criticism from security and privacy experts.
The Iranian government is known to have regularly intercepted its citizens' online communications (for example by using SSL certificates generated by hacking into the DigiNotar certificate authority) and it is well possible that spyware is also used. However, it wouldn't be the only government to do so: this week, the US entertainment industry released a report in which it argued for the use of ransomware against piracy. But at least US citizens would be able to purchase security software that would, hopefully, allow the detection of such programs.
If citizens in a foreign country are not allowed to purchase security software, they would be forced either to do without such software, or to use whatever their own government provides them with; hardly a reassuring thought. A similar argument can be made about the use of communication technology, such as mobile phones; hence the ban on the export of these has also been lifted.
There is one notable exception to the eased restrictions: software and mobile phones cannot be sold if the seller has reason to believe they are going to be used by the Iranian government. The Iranian government will thus have to find its own solutions against new Stuxnet variants.
Code executed on web servers to cause them to join IRC botnet.
A critical vulnerability in Ruby on Rails is currently being exploited to make web servers join an IRC botnet, Ars Technica reports.
The vulnerability was discovered and subsequently patched at the beginning of this year, but many website owners haven't applied the patch yet. In failing to do so, they are allowing remote commands to be executed on their servers - and attackers are taking advantage of this to modify the crontab. This in turn makes the web server download a number of files, as well as a piece of C code, which is compiled on the server; a pre-compiled version of the same code is also downloaded, in case compilation fails.
The web server then joins a number of IRC channels from which the attackers can control it. Interestingly, the communication with these channels is unauthenticated, which would allow competing botherders to take control of the compromised servers.
The use of IRC is reminiscent of early Windows-based botnets, and with a fix that has been available for months, this may not seem a big threat. Still, to quote security researcher Jeff Jarmoc, who discovered the botnet, "that isn't to say it won't make a bad day for some people".
Those running Ruby on Rails should make sure they run an up-to-date version (Ars Technica lists versions 3.2.11, 3.1.10, 3.0.19, or 2.3.15 and later as being immune to the attack), while some experts have been critical of the use of Ruby on production websites in general.
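As an added example (not code from the original post, Ars Technica or the Rails project), the following Ruby script turns the version list above into a check a webmaster can run against a Gemfile.lock: it reads the pinned rails gem version and compares it with the minimum patched release of the same branch. The minimum versions are the ones quoted in the article; the Gemfile.lock excerpt is constructed for the example, and any branch not in the list (for instance a later major release) is reported as unknown rather than guessed at.

```ruby
# Added example: check a Gemfile.lock's pinned Rails version against the
# patched releases quoted in the post (3.2.11, 3.1.10, 3.0.19, 2.3.15 and later).
require 'rubygems'

# Minimum patched release per branch, as listed in the post.
PATCHED_MINIMUM = {
  '3.2' => Gem::Version.new('3.2.11'),
  '3.1' => Gem::Version.new('3.1.10'),
  '3.0' => Gem::Version.new('3.0.19'),
  '2.3' => Gem::Version.new('2.3.15')
}.freeze

# Constructed Gemfile.lock excerpt (sample input, not a real project's lockfile).
# Resolved gems sit under "specs:" indented by four spaces; their dependencies
# are indented by six, so only the four-space "rails (x.y.z)" line is the pin.
SAMPLE_LOCKFILE = <<-LOCK
GEM
  remote: https://rubygems.org/
  specs:
    actionpack (3.2.8)
    rails (3.2.8)
      actionpack (= 3.2.8)
      railties (= 3.2.8)
    railties (3.2.8)
      rails (= 3.2.8)
LOCK

# Return the version string pinned for the rails gem, or nil if none is found.
def rails_version_from_lockfile(lock_text)
  match = lock_text.match(/^    rails \(([\d.]+)\)$/)
  match && match[1]
end

# Classify a version as :patched, :vulnerable or :unknown_branch.
# Gem::Version gives correct numeric ordering (3.2.9 < 3.2.11, unlike a
# string comparison), and the branch is the first two segments.
def rails_patch_status(version_string)
  version = Gem::Version.new(version_string)
  branch = version.segments[0, 2].join('.')
  minimum = PATCHED_MINIMUM[branch]
  return :unknown_branch unless minimum
  version >= minimum ? :patched : :vulnerable
end

if __FILE__ == $PROGRAM_NAME
  pinned = rails_version_from_lockfile(SAMPLE_LOCKFILE)
  puts "rails #{pinned}: #{rails_patch_status(pinned)}"
end
```

Run it against a real project's Gemfile.lock by swapping in `File.read('Gemfile.lock')`; an `:unknown_branch` result means the branch is not in the article's list and the Rails release notes should be consulted directly.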
But the botnet is part of a bigger trend.
We have recently written about how web server binaries are being replaced by malicious ones, and about WordPress blogs being used in a DDoS attack. There have also been reports of the growing volume of spam sent from compromised web hosts, rather than compromised PCs.
Given their fast Internet connections, it is not hard to see why attackers have taken an interest in web servers. And because such servers (after the initial set-up) typically run themselves, security tends not to be a priority, if it is considered at all. Is it perhaps time for a wake-up call among webmasters?
New round of figures compare products to Microsoft baselines.
Independent test organization AV-Test has released its latest bimonthly report, covering 26 consumer products and nine business solutions. As in the last report, Microsoft solutions were considered a baseline level, although at least one product which scored lower than Microsoft was still awarded certification.
As usual, products were rated on a number of metrics, divided into three main categories covering 'Protection' (detection rates in a number of different malware-spotting tests), 'Performance' (speed measures) and 'Usability' (false positive measures). Up to six points were awarded for each part, for a possible total of 18, and in order to achieve certification 10 points were needed - with at least one in each section.
Removal and clean-up tests, formerly part of AV-Test's overall rating scheme, have been moved out to a separate, standalone test. The testing covered in this report took place through March and April 2013, on the Windows XP platform.
In the consumer set, top dogs were Bitdefender with 17 out of a possible 18 points. Symantec's Norton was not far behind with 16, while Avast's free solution and offerings from F-Secure and Kaspersky were also singled out for praise with 15.5 each. AVG's free edition and products from Tencent and Webroot scored 15, just ahead of AVG's Internet Security suite, BullGuard, G Data, Panda and Qihoo on 14.5.
A little off the pace were Microworld's eScan, the now defunct PC Tools Internet Security, and Trend Micro's Titanium Maximum Security, all down on 14 points, ESET and Norman on 13, and Avira, Check Point's Zone Alarm, Comodo, VIPRE from ThreatTrack Security (formerly GFI), Kingsoft and McAfee were all looking rather shabby on 12.5.
Microsoft's Security Essentials, considered the baseline for the test, scored 11.5, and lowly AhnLab trailed in well behind the competition on 10.5, just enough to scrape past the certification pass mark.
In the corporate part of the test, F-Secure came top with its Client Security taking 16.5 points, narrowly ahead of Symantec's Endpoint Protection which managed 16. Webroot's SecureAnywhere scored a creditable 15, with Fortinet and Kaspersky Lab both on 14.5 and McAfee and Sophos not far behind on 14. Trend Micro's Office Scan put in a rather disappointing showing with 12 points, just ahead of Microsoft's System Center Endpoint Protection which managed 11.5.
Full details of the test can be found at the AV-Test.org website here.
AV product testing in general tends to be a topic that sparks heated discussion and debate within the industry - several presentations at this year's VB conference will cover various aspects of testing - including a meta-analysis of recent malware tests (presented by Richard Ford and Liam Mayron, FIT), and the good, the bad, and the ugly of real-world testing (Aditya Kapoor and Craig Schmugar, McAfee).
Sales of Spyware Doctor and other security products end, support to continue for existing users.
Symantec has quietly announced the end of life of the PC Tools security product lines, including PC Tools Spyware Doctor, PC Tools Spyware Doctor with Antivirus and PC Tools Internet Security. Users with existing subscriptions will be supported for the length of those subscriptions, but will need to move to other solutions once they expire.
Other parts of the PC Tools family, including Registry Mechanic and other optimisation tools, will continue to operate under the PC Tools brand name.
PC Tools was founded in 2003, with its Spyware Doctor line a prominent name in the anti-spyware boom of the mid-2000s. The firm was acquired by Symantec in 2008. PC Tools products have made regular appearances in VB100 comparatives over the last five years or so; for a time before the Symantec acquisition, they included the VirusBuster anti-malware engine, which is also now defunct.
The company also created the Threat Expert malware analysis system, which continues to operate unchanged (at least at the time of writing). Other PC Tools offerings, such as the Mac solution iAntiVirus and the standalone behavioural monitoring system ThreatFire, seem to have faded from view.
Month-long attacks had significant impact.
25% of Dutch citizens have followed advice to keep extra cash at home, following a recent spate of DDoS attacks on Dutch banks.
At the beginning of April, customers of Dutch bank ING reported that the balance of their online bank account wasn't what they expected it to be, with the difference in some cases running to hundreds of euros. Some customers even reported that they were unable to pay using chip-and-pin as a consequence. Initially, the bank blamed the issue on a technical error, and reassured its customers that no money had disappeared.
While the bank appears to have been right on the latter account, it later changed its statement and revealed that the issues had been caused by a DDoS attack. And that was just the beginning: the attacks spread to other banks, taking down their websites and online payment systems. They also took down iDEAL, a widely used online payments system.
Over the next few weeks, as many other organisations were targeted by similar attacks, DDoS became a prime item on the news - making knowledge of DDoS attacks among the Dutch population more widespread than in any other country (with the possible exception of Estonia). Victims included the country's largest newspaper, the tax and customs administration, and various government services, including DigiD, an identity management platform for Dutch citizens on the Internet. The attacks led to DigiD temporarily being closed for access from abroad.
Although no new attacks have been reported since 8th May, the impact of the attacks on the country - where Internet penetration is extremely high - has been significant. It has led many people to wonder whether they have become too dependent on online services.
The attacks also prompted advice from Nibud, a charity that aims to make families more aware of their finances, to keep some extra cash at hand. Taken out of context, this might seem overly paranoid. However, the attacks have shown that, despite all their benefits, online payment systems create a single point of failure. Being too dependent on them might not be a good idea. Nibud found that 75% of people were aware of their advice - and 25% had actually followed it.
Two important questions about the attacks remain unanswered: who was behind them? And why did they do it?
Of course, the attacks could have been performed by an organisation that holds a grudge against the Netherlands, simply to 'make a point'. There have been suggestions that the attacks are a retaliation against the arrest in Spain and subsequent extradition to the Netherlands of Sven Olaf Kamphuis, himself accused of orchestrating DDoS attacks against Spamhaus.
While Kamphuis's supporters would have a reason for the attacks, it wouldn't explain why they started three weeks before Kamphuis's arrest - or why they have stopped, while Kamphuis remains in custody.
Perhaps the real reason for the attacks will never be known. But they have certainly taught Dutch citizens how important online services have become and how dependent many are on them - and that this isn't always a good thing.
In-depth investigations find widespread worldwide snooping, Pakistan primary target.
Several reports have emerged recently covering a highly organised campaign of targeted espionage malware that has been seen in many countries around the world and stealing data from many industries. Close investigation has provided strong hints that the campaign originated in India, with Pakistan the most widely hit country, and the defence sector the biggest target.
Separate reports from several anti-malware firms have highlighted the campaign, which some have dubbed 'HangOver'. Norman got on the trail after investigating an infiltration at Norwegian telecoms firm Telenor.
Norman's researchers found evidence of the malware family in countries across Asia, the Middle East, Europe and the US, generally penetrating defences using targeted spear-phishing attacks with spoofed documents dropping malicious code through vulnerabilities (all previously known) in Java, IE and Office.
A large and complex C&C infrastructure was uncovered, and analysis of malware binaries even suggested 'professional product management' and the use of freelance programmers for some tasks. Many features of the campaign led to the conclusion that it was Indian in origin, although there was no implication that it was state-sponsored. An introduction to Norman's findings is in a blog piece here, with a full report and in-depth documentation available here.
Another group of researchers, at ESET, released a report just a few days earlier on the same threat structure. They identified stolen digital keys used to sign some of the binaries, and provided details of how the surveillance operates, harvesting likely documents on the target system as well as using keyloggers and screen-scrapers.
They concurred that the source of the attacks appeared to be in India, and that Pakistan's military and defence industry were major targets, highlighting a number of documents used in the attack relating to local defence issues.
In a further twist, a targeted attack was spotted by researchers at F-Secure, on a Mac system belonging to an Angolan human rights campaigner, which appears to be part of the same campaign. Details on that are at F-Secure's blog here.
India has not generally been considered a major source of malware in the past, especially when compared to its near-neighbours China and Russia, which are similarly enormous in both land mass and population. These are worrying developments, especially given the long-standing political tensions with Pakistan.