Archive for March, 2008

Do-It-Yourself AV comparatives

March 27, 2008

I've just read a press release from AV-Comparatives in which they announce a partnership with AntiMalware Test Lab. A long time ago we decided not to participate in AV-Comparatives tests, for a number of reasons. Our opinion is the following:

– The tests should be run by skilled people who are able to distinguish a malware sample from a goodware one.

– The testers should have a malware test-bed, and of course it should contain only malware files: no clean files, no damaged files, etc. It also has to be representative; it makes no sense to test against malware that died 15 years ago.

– The testers should check the detection capabilities of each and every product. To do that, you run different samples and see what each product is able to do (behaviour blocking, heuristics, signatures, etc.).

– The testers should be vendor independent, to avoid any bias.
 
Even though the new alliance won't solve all the problems mentioned, at least we know that there is now someone who knows the difference between a Trojan and a goodware file. We'll be looking forward to the new test runs; let's see whether we get something more scientific and serious than a simple "right-click on folder, run scan". Anyone can do that at home.
 
Finally, there is something really serious going on that I have to point out: for the 2008 tests, AV-Comparatives is charging AV companies to appear in their tests. Some of them are paying 8,000€, others just 4,000€, others 2,000€, and still others will be tested for free. Can we be sure there will be no bias when testing someone who paid them 8,000€ against another who is being tested for free? I kindly ask you to keep this in mind when reading a magazine comparative whose results are provided by AV-Comparatives.

Greetings from Amsterdam

March 27, 2008

It seems that today we are going to have good weather; this photo was taken earlier today from the Mövenpick Hotel. Two days ago it was snowing, but the temperature has risen and it seems we are going to have a sunny day:

Yesterday I gave a talk at the Black Hats Seminar, in the session "Black Hats Sessions Part VI: Hacking for profit". More than 100 people attended my talk about cybercrime.

 

Today and tomorrow the BlackHat Europe 2008 briefings, which have nothing to do with the Black Hats Seminar, are taking place. The schedule can be consulted here. I hope to come across interesting information.

You are nominated…to distribute malware!!!

March 14, 2008

For some days now we have been seeing BBB8 (Big Brother Brasil 8) being used as a social engineering lure to distribute malware.

Several weeks ago, the image of Giselle, one of the participants in this reality show, was used to distribute malware through the Orkut social network by enticing users to watch a YouTube video of her. When the user followed the link to the video, a message was displayed saying that a codec had to be installed to view it. Of course, this "codec" is in fact the Trojan detected as Orkut.AT.

The latest example we have seen regarding BBB8 is an email inviting users to view a video of erotic scenes involving Taty and Marcos, who are also contestants on this program. However, if any of the links included in the email is followed, the malicious code detected as Trj/Dadobra.AOC is installed on the computer. It is designed to download malware aimed at stealing login credentials for certain banks.

 

These are the BBB8 participants:

 

Who will be the next one nominated to be the bait for distributing malware??? You decide. :)

Microsoft Updates for March

March 13, 2008

As usual, on the second Tuesday of the month Microsoft published security updates for its products. On 11th March, Microsoft published four updates (MS08-014 to MS08-017), all of them rated critical and affecting the Microsoft Office suite.

We recommend that you update your systems as soon as possible, as all of these flaws could allow remote code execution.

You can find more information about the security bulletins by clicking the following links:

MS08-014: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution.

MS08-015: Vulnerability in Microsoft Outlook Could Allow Remote Code Execution.

MS08-016: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution.

MS08-017: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution.

[Image: MSBulletin]

Fake death of Fidel Castro

March 7, 2008

Today PandaLabs has detected W32/FakeDeath.A.worm. This worm spreads in an email message with the subject “Mala Noticia” (Bad news) that refers to the supposed death of Fidel Castro.

The message entices users to find out more about the news by clicking a link to a video about it.

When the link to the supposed video (UnivisionMultimedia_flashplayer_swf.exe) is clicked, the user is redirected to a website displaying the news published by the newspaper Diario Clarín on 30th August 1997 about the fake death of the Cuban ex-president.

[Image: clarin news]

While this website is displayed, a copy of the worm is downloaded to the computer. The main aim of this worm is to spread via P2P programs.

Although our TruPrevent Technologies detected it automatically, be careful if you get one of these.

Greetings from London

March 7, 2008

The 6th e-Crime Congress has just finished. With more than 600 delegates, this meeting is becoming one of the most important ones in the fight against cybercrime. As a strategic sponsor, we had an exhibitor stand:


 

Speakers from around the world came to share their knowledge and expertise; you can take a look at the program here. On Wednesday, in session 6 – Going Underground – I presented “The Business of Cybercrime”. You can take a look at the slides here.

February Adware/Spyware List

March 6, 2008

Once again, this month there haven’t been significant changes in the adware/spyware list; the first five positions seem immutable.

Both Adware/ActiveSearch and Adware/BaidurBar go down two positions, placing themselves in the 8th and 9th positions respectively.

Taking advantage of these changes, the freed positions have been filled by Adware/Sweetbar and Adware/Wupd (in 6th and 7th position).

With regard to those that leave the list, Adware/NaviPromo doesn’t move far away: it goes down 3 positions, placing itself in 12th position.

Regarding newcomers to the top Adware/Spyware list, the only one is PurityScan, which gains 4 positions and places itself in 10th position.

[Image: Adware/Spyware]

New MS Access exploit

March 3, 2008

Last week, John Fellers sent us a sample that exploited a flaw in MS Access. We thought it was the same vulnerability sent to Bugtraq in November and announced by McAfee in December. However, a deeper analysis reveals that it is a new vulnerability. We are still analyzing the exploit to find out more, though at first sight it seems to be a flaw in the Jet Engine (msjet40.dll).

A simple Google search (with the name of the mdb file as the query) reveals it was posted to a public forum on Nabble in February. Although these vulnerabilities allow remote code execution, Microsoft replied that they would not fix these mdb vulnerabilities, as it seems they will not acknowledge vulnerabilities in .mdb files:

"You appear to be reporting an issue with a file type Microsoft
considers to be unsafe. Many programs, such as Internet Explorer and
Outlook, automatically block these files. For more information, please
visit http://support.microsoft.com/kb/925330"

The discovered mdb file has an embedded file, detected by Panda as Trj/Keylogger.DB.

(thanks to Arrizen Perez, malware researcher from PandaLabs, and John Fellers, who sent us the sample)
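Two of this month's posts turn on how a malicious file is named: the FakeDeath lure is an executable named like a Flash video (UnivisionMultimedia_flashplayer_swf.exe), the BBB8 lure poses as a "codec", and the MS Access case involves .mdb, a file type Microsoft's KB 925330 already treats as unsafe. The following Python routine is an added example of how a mail gateway or sandbox intake could hold such attachments for review; it is not PandaLabs code. The token and extension lists and the sample attachment names are constructed for the example, and the entries other than .mdb in the unsafe list are assumed from Outlook's blocked-attachment list, not taken from the page.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Extensions Windows executes directly. Constructed list for this example; not exhaustive.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}

# Tokens that lure names borrow from media, codec and player files so that a name
# such as "video_swf.exe" reads like a Flash clip. Constructed list.
MEDIA_TOKENS = {"swf", "flv", "avi", "mpg", "mpeg", "wmv", "mp4", "mp3",
                "flashplayer", "codec", "player", "video"}

# Harmless-looking extensions used as the inner part of a double extension
# ("holiday.avi.exe"). Constructed list.
DECOY_EXTS = MEDIA_TOKENS | {"pdf", "doc", "xls", "jpg", "gif", "txt"}

# File types treated as unsafe in KB 925330. Only .mdb is attested on this page;
# the others are assumed from Outlook's blocked-attachment list.
UNSAFE_DOC_EXTS = {"mdb", "mde", "ade", "adp"}


@dataclass
class Verdict:
    name: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_filename(name: str) -> Verdict:
    """Return the reasons (if any) an attachment name should be held for review."""
    verdict = Verdict(name)
    parts = name.strip().lower().split(".")
    if len(parts) < 2:
        return verdict  # no extension at all: nothing to judge on the name alone
    ext = parts[-1]
    # Words in the stem, split on anything that is not a letter or digit.
    stem_tokens = set(re.split(r"[^a-z0-9]+", ".".join(parts[:-1]))) - {""}

    if ext in EXECUTABLE_EXTS:
        verdict.reasons.append(f"executable extension .{ext}")
        if stem_tokens & MEDIA_TOKENS:
            verdict.reasons.append("media/codec lure token before executable extension")
        if len(parts) > 2 and parts[-2] in DECOY_EXTS:
            verdict.reasons.append(f"double extension .{parts[-2]}.{ext}")
    if ext in UNSAFE_DOC_EXTS:
        verdict.reasons.append(f".{ext} is a file type Microsoft treats as unsafe (KB 925330)")
    return verdict


def flagged(names: List[str]) -> List[str]:
    """Names from the input that would be held, in input order."""
    return [n for n in names if triage_filename(n).suspicious]


# Constructed sample intake, modelled on the names mentioned in the posts above.
SAMPLE_ATTACHMENTS = [
    "UnivisionMultimedia_flashplayer_swf.exe",
    "codec_install.exe",
    "holiday.avi.exe",
    "quarterly_report.mdb",
    "minutes.pdf",
    "bbb8_video.flv",
]

if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        v = triage_filename(n)
        print(f"{'HOLD' if v.suspicious else 'pass'}  {n}  {'; '.join(v.reasons)}")
```

The check looks only at the name, which is deliberately the cheapest signal: a lure that names itself after a video or codec while carrying an executable extension is exactly the pattern in the FakeDeath and BBB8 posts, and holding such files before the user ever sees a "codec required" message removes the social engineering step. Real triage would add content inspection (the .mdb with an embedded keylogger in the last post has a perfectly ordinary name).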