Archive for January, 2008

Annual Report 2007 PandaLabs

January 17, 2008

We have just released the PandaLabs Annual Report 2007, which summarizes the most important events of the past year. Inside you will find information on malware trends, among other current topics, together with a complete report on spam.

You can download it in English or in Spanish.

Enjoy it!

By the way, if you want to give us feedback on the report, we have created a poll (English / Spanish). Thanks for your help!

Stealth techniques in rootkits

January 11, 2008

A few days ago, MR Team members reported that a new stealth technique was being used by some rootkits.

When this type of malware runs on a system, it copies the original MBR to absolute sector 62 of the hard disk and overwrites the MBR in sector 0 with malicious instructions. It also installs the rest of its code, roughly 240 KB, at the end of the hard disk, past the last partition.

The next time the computer starts, the first sector of the drive is loaded before the operating system. That sector now holds the modified MBR, whose code loads the remaining part of the malware (~240 KB). This part, in turn, hooks BIOS interrupt 13h, the disk I/O service that sits between the operating system and the BIOS, and filters the reads that pass through it so that the modified MBR and the malicious sectors are hidden from anything that inspects the disk from inside the infected system.

This technique allows any type of malware carried by the rootkit to be camouflaged in the system, making its detection considerably more difficult.
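The following is an added example, not PandaLabs' tool or the rootkit's code: an offline check for the layout described above. It parses two raw sectors as MBRs, flags the tell-tale pattern (sector 62 is a valid MBR with the same partition table as sector 0, but sector 0's boot code differs), and reports how much unallocated space follows the last partition, since the post says the ~240 KB body lives at the end of the disk. Because the rootkit hides the modified sectors from the running system, the sectors should be read from clean boot media; `read_sector` is a plain raw-device read, and the sample MBRs are constructed data.

```python
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
BOOT_SIG_OFF = 510         # last two bytes must be 0x55 0xAA
ROOTKIT_BODY_SECTORS = 240 * 1024 // SECTOR_SIZE   # ~240 KB body from the post = 480 sectors


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into boot code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "partitions": partitions,
        "signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
    }


def unallocated_tail_sectors(mbr: dict, disk_sectors: int) -> int:
    """Sectors after the last partition: where the post says the rootkit body is installed."""
    used = [p["lba_start"] + p["sectors"] for p in mbr["partitions"] if p["type"] != 0]
    return disk_sectors - max(used, default=0)


def check_stealth_mbr(sector0: bytes, sector62: bytes, disk_sectors: int = 0) -> dict:
    """Flag the pattern from the post: sector 62 holds a valid MBR with the same
    partition table as sector 0, but sector 0's boot code has been replaced."""
    m0, m62 = parse_mbr(sector0), parse_mbr(sector62)
    same_table = m0["partitions"] == m62["partitions"]
    code_differs = m0["boot_code"] != m62["boot_code"]
    suspicious = m0["signature_ok"] and m62["signature_ok"] and same_table and code_differs
    result = {"suspicious": suspicious, "sector62_is_mbr": m62["signature_ok"],
              "same_partition_table": same_table, "boot_code_differs": code_differs}
    if disk_sectors:
        tail = unallocated_tail_sectors(m0, disk_sectors)
        result["tail_sectors"] = tail
        result["tail_fits_body"] = tail >= ROOTKIT_BODY_SECTORS
    return result


def read_sector(device_path: str, lba: int) -> bytes:
    """Read one sector from a raw device (e.g. /dev/sda); needs root/admin and clean boot media."""
    with open(device_path, "rb") as dev:
        dev.seek(lba * SECTOR_SIZE)
        return dev.read(SECTOR_SIZE)


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Build a synthetic MBR for testing (constructed data, not from a real disk)."""
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions).ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN] + table + b"\x55\xaa"


# Constructed sample: one NTFS partition at LBA 63, a clean boot stub, and an
# "infected" sector 0 that keeps the partition table but swaps the boot code.
PARTS = [(0x80, 0x07, 63, 20_000_000)]
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", PARTS)
INFECTED_SECTOR0 = build_mbr(b"\xeb\x1e\x90\x00\x00", PARTS)
DISK_SECTORS = 20_000_063 + 2048      # 2048 free sectors past the partition

if __name__ == "__main__":
    print(check_stealth_mbr(INFECTED_SECTOR0, CLEAN_MBR, DISK_SECTORS))
```

On a real machine the two inputs would be `read_sector(path, 0)` and `read_sector(path, 62)` taken from a clean boot environment; a positive result only says the layout matches, so the next step is to dump the unallocated tail and the boot code of sector 0 for analysis rather than to trust the verdict alone.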

Thanks to Xabier Francisco and Arrizen Pérez for their explanations.

New Year, new patches

January 9, 2008

Microsoft has released its patches for this month. There are two: one rated critical and one rated important. The critical patch covers Windows TCP/IP and the important one fixes a vulnerability in LSASS. As always, it is important to update your system via Windows Update:

Microsoft Security Bulletin Summary for January 2008 

Proactive Detection Rates

January 8, 2008

Today I saw a post on the Sophos blog about proactive detection rates, that is, how many new samples each scanner detected using signatures frozen before those samples appeared. Here are the results of the same test, but including most of the vendors, so no information is left out:

Scanner        TOTAL   July   August   September
================================================
Panda           91%    97%     78%       95%
AntiVir         87%    94%     74%       89%
Ikarus          87%    88%     78%       92%
Sophos          86%    94%     74%       87%
BitDefender     81%    75%     78%       87%
AVG             71%    59%     65%       84%
Kaspersky       69%    59%     61%       82%
Nod32           69%    56%     74%       76%
Trend Micro     68%    56%     57%       84%
F-Secure        67%    53%     61%       82%
Symantec        66%    53%     52%       84%
McAfee          55%    47%     61%       58%
Avast!          53%    31%     65%       63%
eTrust-VET      52%    44%     43%       63%
Dr Web          51%    41%     65%       50%
F-Prot          51%    28%     57%       66%
Microsoft       48%    25%     65%       58%
Norman          46%    44%     61%       39%
ClamAV          42%    28%     39%       55%
Copyright © 2007 AV-Test GmbH

You can find more information on the Panda Research blog.

Automatic classification of malware (II)

January 3, 2008

Some months ago we showed you a graph-based tool for classifying malware. Today we'll show you another tool we are currently using in the lab to determine whether a file is malware or goodware. This tool is called VMatchBinary.

Basically, we identify similar byte blocks and compute a checksum for each one. Every file thus yields a set of checksums, and the checksums of one file can be compared against the checksums of every file in our database.

Many checksums over small, representative file blocks give reliable similarity matching at file level. The best way to understand how it works is to see it in action, so click on the picture below and enjoy it!

VMatchBinary
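The following is an added example of the block-checksum idea described above; it is not VMatchBinary's code and the chunking scheme, thresholds and sample corpus are assumptions. Files are split at content-defined boundaries chosen by a rolling hash, so an insertion or patch shifts only the blocks around it instead of every fixed-size block after it; each block gets a checksum, a file's fingerprint is its set of checksums, and a sample is matched against the database by the share of checksums it has in common with each known file. The corpus is constructed from seeded pseudo-random bytes.

```python
import hashlib
import random

WINDOW = 16                  # bytes covered by the rolling hash
MIN_CHUNK, MAX_CHUNK = 8, 128
BOUNDARY_MASK = 0x1F         # cut when the low 5 bits are all set: ~1 cut per 32 bytes
BASE, MOD = 257, (1 << 31) - 1
BASE_POW_W = pow(BASE, WINDOW, MOD)


def content_chunks(data: bytes) -> list:
    """Split data at content-defined boundaries, so an insertion shifts only
    the chunks around it rather than every fixed-size block after it."""
    chunks, start, h = [], 0, 0
    for i, byte in enumerate(data):
        h = (h * BASE + byte) % MOD
        if i >= WINDOW:                       # drop the byte leaving the window
            h = (h - data[i - WINDOW] * BASE_POW_W) % MOD
        length = i + 1 - start
        if (length >= MIN_CHUNK and (h & BOUNDARY_MASK) == BOUNDARY_MASK) or length >= MAX_CHUNK:
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def fingerprint(data: bytes) -> set:
    """One checksum per chunk; the set of checksums is the file's fingerprint."""
    return {hashlib.sha256(c).digest()[:8] for c in content_chunks(data)}


def similarity(fp_a: set, fp_b: set) -> float:
    """Jaccard similarity of two fingerprints: shared chunks / all chunks."""
    if not fp_a and not fp_b:
        return 1.0
    return len(fp_a & fp_b) / len(fp_a | fp_b)


def classify(sample: bytes, database: dict, threshold: float = 0.5):
    """Compare a sample's checksums against every file in the database and
    return (best_match_name, score); the name is None below the threshold."""
    fp = fingerprint(sample)
    best_name, best_score = None, 0.0
    for name, known_fp in database.items():
        score = similarity(fp, known_fp)
        if score > best_score:
            best_name, best_score = name, score
    return (best_name if best_score >= threshold else None), best_score


def _random_bytes(seed: int, n: int) -> bytes:
    """Deterministic constructed file contents (assumption: stands in for real binaries)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed corpus: a known malware family, a known clean file, and a sample
# that is the family file with a 20-byte insertion in the middle.
FAMILY_A = _random_bytes(1, 2000)
GOODWARE = _random_bytes(2, 2000)
SAMPLE = FAMILY_A[:1000] + b"PATCHED-BY-A-VARIANT" + FAMILY_A[1000:]
DATABASE = {"family_a": fingerprint(FAMILY_A), "goodware": fingerprint(GOODWARE)}

if __name__ == "__main__":
    print(classify(SAMPLE, DATABASE))
```

The chunk size and boundary mask are tuned here for a 2 KB toy file; real binaries want larger windows and far fewer cuts, and a production database would index checksum to file names so a query touches only the files sharing at least one block rather than every fingerprint in turn.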