Excellent blog by ESET about viruses, security issues, etc.

ESET Threat Blog


Beware of Fake Invoices
August 22nd, 2008

Over the last two weeks, we have seen an increase in fake e-mails pretending to contain invoices for various companies including UPS, Fedex and airlines from around the globe. Subjects of such e-mails include “Fedex tracking number 1234567890” or “E-ticket #1234567890”. The body of the e-mail states that the recipient’s credit card has been charged hundreds of dollars and that an invoice for their purchase is attached to the message. The attached file has an Excel or Word icon but, in reality, it is an executable file. We remind our readers not to judge the nature of a file by its icon but by its extension. It is trivial for a programmer to change the icon of their program, thus tricking users into thinking that a program is harmless. We have also seen variants of this attack that had zip-compressed e-mail attachments.
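
A mail-filter check for the pattern described above, as an added example that is not part of the original ESET post: it judges each attachment by its final extension, looks inside zip attachments, and goes one step beyond the post by also checking for the DOS/PE "MZ" magic bytes. The function names, the extension list and the sample message are assumptions constructed for illustration.

```python
import email.policy
import io
import os
import zipfile
from email.message import EmailMessage

# Extensions Windows will execute; the list is illustrative, not exhaustive.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

def is_executable(name, head):
    """Judge by the final extension, then by the DOS/PE 'MZ' magic bytes."""
    ext = os.path.splitext(name)[1].lower()
    return ext in EXECUTABLE_EXTS or head[:2] == b"MZ"

def scan_attachments(raw_message):
    """Return (attachment, zip_member_or_None) for every executable found."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if is_executable(name, data):
            findings.append((name, None))
        elif zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    head = b""
                    if not info.flag_bits & 0x1:  # encrypted members: name only
                        with zf.open(info) as fh:
                            head = fh.read(2)
                    if is_executable(info.filename, head):
                        findings.append((name, info.filename))
    return findings

def build_sample():
    """Constructed message; the 'executables' are 64-byte stubs, not programs."""
    stub = b"MZ" + b"\x00" * 62
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("e-ticket.xls.exe", stub)
    msg = EmailMessage()
    msg["Subject"] = "Fedex tracking number 1234567890"
    msg.set_content("Your card has been charged. Invoice attached.")
    for fname, body in [("invoice.doc.exe", stub), ("e-ticket.zip", archive.getvalue()),
                        ("report.doc", stub), ("receipt.pdf", b"%PDF-1.4")]:
        msg.add_attachment(body, maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()
```

Calling `scan_attachments(build_sample())` flags the double-extension file, the executable inside the zip, and the `.doc` whose content starts with `MZ`, while leaving the PDF alone.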

Negative Values: Racing Past Zero
August 10th, 2008

Well, there’s not much doubt about the SecurityFocus view of the Race to Zero event. A report by Robert Lemos is festooned with advertising that states "If you want to stop a hacker…you have to act like one." Perhaps Symantec, who own SecurityFocus, can afford to be relaxed about the event, since their scanners weren’t represented in the test panel. All that apart, what are we actually learning as we pass zero?

Well, according to organizer Simon Howard we’ve learned that pattern-based detection isn’t working. Well, no, Simon: signatures actually work very well against known viruses. Do you really think it’s unnecessary to detect old viruses (maybe you should read our earlier blogs on Angelina and Helkern, or Kurt Wismer’s comment piece in the August issue of Virus Bulletin), or are you insisting that we should detect them heuristically? Given ESET’s expertise in heuristics, we’re not going to deny its importance, but in some contexts, signature detection can actually save a lot of processing time, depending on how it’s implemented. And who on earth told you that server-hosted anti-malware doesn’t use behavior analysis?

We’ve also learned that antivirus researchers started using "behavioral detection" in 2006. Except that some of us have been using proactive techniques for many more years than that.

Adware, Spyware and Possibly Unwanted Applications

August 10th, 2008

An interesting comment turned up today to my "Malware du Jour" blog entry at Securiteam (http://blogs.securiteam.com/index.php/archives/1121). The poster asked a couple of questions, based on content from the ESET mid-year Global Threat Report, one of which was ‘How do you define "possibly unwanted applications [PUAs]?"’

My first thought was to refer him to the definition on our own web pages, but I couldn’t actually find one, so that’s something I’ll be addressing forthwith. My second thought was to refer him to the vendor-neutral definition on the Virus Bulletin site, which I did. Good though that is, however, for me it lacks a dimension. There’s an essential distinction to be made between PUAs and other forms of adware and spyware, largely based on the existence and validity of a corresponding EULA (End User License Agreement).

In general, a PUA has some functionality that might

Global Threat Report - Half Year

August 8th, 2008

Our mid-yearly Global Threat Report looks at malware threat trends over the past six months, based on data from our ThreatSense®.net threat tracking system. This report focuses on broad trends rather than individual malware variants: this reflects better the proactive detection which is the strength of our products, but is also more useful to most readers. Here’s a fairly brief summary of a rather bulky document.

Malicious software that tries to use the Windows Autorun facility to self-install from removable media (such as flash drives and CDs) continues to flourish. While we have an efficient heuristic detection for this, we strongly advise disabling the facility in Windows.

We’ve been seeing high volumes of malware intended to steal passwords for online gaming and virtual worlds like Second Life since 2007 and earlier, but are now seeing a dramatic upsurge. This isn’t just about teenage mischief any more: the theft of “virtual” treasure often translates into real profit for organized criminal gangs. While we’re pleased to see other security vendors taking more notice of the issue recently, users in general need to be aware of just how much malicious activity occurs in virtual worlds (phishing, “grey goo” viral malware, griefing attacks).

Potentially Unwanted Applications and other adware and spyware continue to constitute a large proportion of the programs we detect. While such programs are sometimes defended as being harmless and legitimate advertising material, they’re often presented in a deceptive manner, skating over the damaging effects on the usefulness of an affected system:

Extensive modifications are made to the host system, and may entail breaches of privacy, inability to access legitimate sites, and exposure to malicious sites and software.

Once installed, it’s made intentionally difficult to remove the application, especially when it’s still in memory.

The performance hit caused by the program’s payload can amount to a denial of service. Adware like the Virtumonde Trojan can serve so much advertising material that the system becomes effectively unusable for the legitimate purposes for which the owner acquired it.

The use of email as a direct channel for the transport of new malware is in dramatic decline, though email remains a major vector for the transmission of malicious URLs, so that social engineering is used to persuade the recipient to access a malicious web site.

Malicious attachments are far less likely to be completely new threats: indeed, many of the top detections are elderly mass mailers like Netsky.Q, suggesting that the main sources of email-borne malware nowadays are unprotected machines, probably mostly home machines rather than corporate systems.

As a result of the way the threat scene changes at an ever-accelerating ...