CONTENTS in THIS ISSUE Fighting Malware and Spam

CONTENTS in THIS ISSUE Fighting Malware and Spam

OCTOBER 2010 Fighting malware and spam CONTENTS IN THIS ISSUE 2 COMMENT SPAM COLLECTING Changing times Claudiu Musat and George Petre explain why spam feeds matter in the anti-spam fi eld and discuss the 3 NEWS importance of effective spam-gathering methods. Overall fall in fraud, but online banking page 21 losses rise National Cybersecurity Awareness Month NEW KIDS ON THE BLOCK Dip in Canadian Pharmacy spam New anti-malware companies and products seem to spring up with increasing frequency, many 3 VIRUS PREVALENCE TABLE reworking existing detection engines into new forms, as well as several that are working on their MALWARE ANALYSES own detection technology. John Hawes takes a 4 It’s just spam, it can’t hurt, right? quick look at a few of the up-and-coming products which he expects to see taking part in the VB100 13 Rooting about in TDSS comparatives in the near future. page 25 16 TECHNICAL FEATURE Anti-unpacker tricks – part thirteen VB100 CERTIFICATION ON WINDOWS SERVER 2003 21 FEATURE This month the VB test team put On the relevance of spam feeds 38 products through their paces on Windows Server 2003. John Oct 2010 25 REVIEW FEATURE Hawes has the details of the VB100 Things to come winners and those who failed to make the grade. 29 COMPARATIVE REVIEW page 29 Windows Server 2003 59 END NOTES & NEWS ISSN 1749-7027 COMMENT ‘Ten years ago the While mostly very tongue-in-cheek, a substantial amount of what he wrote was accurate. idea of malware He predicted that by 2010 the PC would no longer be the writing becoming most prevalent computing platform in the world, having a profi t-making been overtaken in number by pervasive computing devices – in other words, PDAs and web phones. industry simply He predicted that dramatically falling prices for wasn’t on the radar.’ commercial computing systems would result in their Helen Martin, Virus Bulletin commoditization and widespread use throughout the world, and he predicted that broadband Internet access CHANGING TIMES from most of the developed world would put much of the earth’s population online 24/7. By the time this issue of VB is published Virus Bulletin will have celebrated the 20th anniversary of the VB However, not all of his predictions were as accurate: he conference. predicted that in 2010 there would be nearly 500,000 viruses in existence – not 500,000 new viruses per month The inaugural VB conference took place in September or per week, but 500,000 in total. Today we see in the 1991 – before the term ‘malware’ had been dreamt up region of 50,000 new malware fi les every day. Indeed, and when ‘spam’ was still just a form of tinned luncheon in another paper from VB2000 Paul Ducklin described meat. The conference programme spanned two days how anti-virus vendors were in the habit of exchanging in a single-stream format, and amongst the material entire malware collections once a month – with a typical presented, delegates heard that IBM had over 400 collection ranging in size from 5MB to 10MB. Today, different computer viruses in its collection. typical malware collections occupy terabytes of disk Since then, of course, times have moved on – the space, and sharing new samples even on a daily basis conference now takes place over three days, in a takes gigabytes of network bandwidth. double-stream format, and the number of speakers and Steve’s paper also failed to pick up on possibly the delegates has more than doubled. Times have moved on greatest change we have seen in the malware scene – the in the industry too, and for anyone who wasn’t involved change in motivation of malware authors. in it 20 years ago, the idea that a security company would be proud to have 400 different pieces of malware Even in some of his seemingly more far-fetched in its collection seems hard to believe. descriptions of virus outbreaks – such as the one he wrote of that brought down the 25th largest bank in the world, But even ten years ago the situation was dramatically or the one that altered victims’ electronic tax returns, different from the world we live in today. there was no mention of malware authors issuing ransom In September 2000 the VB conference celebrated its 10th demands, syphoning money out of accounts or stealing birthday in Orlando. The keynote address was a paper data, and so on. Once again, this is a refl ection of how by IBM’s Steve White entitled ‘Virus Bulletin 2010 much the malware scene has changed – ten years ago – a retrospective’. In it, Steve wrote as if he was an AV the idea of malware writing becoming a profi t-making researcher living in 2010 looking back on the last ten industry simply wasn’t on the radar, while today, the years of the industry. profi ts generated by cybercrime worldwide are rumoured to match the revenues yielded by the illegal drugs trade. Editor: Helen Martin With such dramatic changes over the last ten years, one Technical Editor: Morton Swimmer has to wonder what the next ten years will have in store Test Team Director: John Hawes for the industry – to quote Eugene Kaspersky (see VB, Anti-Spam Test Director: Martijn Grooten October 2000, p.19), ‘I can’t predict precisely what will Security Test Engineer: Simon Bates happen in the future, but I’m pretty sure that computer Sales Executive: Allison Sketchley crime and cyber hooligans will not disappear.’ Web Developer: Paul Hettler Steve White’s VB2000 paper can be downloaded from Consulting Editors: Nick FitzGerald, Independent consultant, NZ http://www.virusbtn.com/conference/vb2000/ Ian Whalley, IBM Research, USA vb2000White.pdf – although I regret to say that despite Richard Ford, Florida Institute of Technology, USA our best efforts Virus Bulletin’s technical people are still unable to get the ‘touch references’ to work… 2 OCTOBER 2010 VIRUS BULLETIN www.virusbtn.com NEWS OVERALL FALL IN FRAUD, BUT ONLINE BANKING LOSSES RISE Prevalence Table – August 2010[1] A leading trade association for the cards industry in the UK has revealed that banking and credit card fraud fell overall Malware Type % in 2009, with a decrease in all areas apart from online Autorun Worm 9.21% banking, which saw an increase over the previous year. Confi cker/Downadup Worm 6.82% The UK Cards Association has reported that in 2009, online FakeAlert/Renos Rogue AV 5.77% banking losses in the UK totalled £59.7 million – a 14% rise on the 2008 fi gure. The increase in online banking Mdrop Trojan 5.51% losses despite decreases in fraud in other areas is believed StartPage Trojan 5.51% to be due to criminals using more sophisticated methods to Injector Trojan 4.88% target customers through malware, while the increased use Heuristic/generic Virus/worm 4.74% of advanced fraud detection tools by banks and retailers has successfully reduced fraud in other areas. Agent Trojan 4.51% OnlineGames Trojan 3.41% The number of phishing attacks recorded during 2009 rose, with a 16% increase on the number reported in 2008. The Adware-misc Adware 3.09% association also collated information on phone banking Heuristic/generic Trojan 2.79% fraud losses for the fi rst time in 2009, recording a total of Crypt Trojan 2.41% £12.1 million. Most of these losses will have been due to HTML-Fraud Phish 2.30% customers falling victim to phishing attacks either by cold calling or via email. VB Worm 2.30% AutoIt Trojan 2.29% CYBERSECURITY AWARENESS MONTH Downloader-misc Trojan 2.19% Waledac Worm 2.12% October 2010 marks the seventh annual National Cybersecurity Awareness Month sponsored by the US Zbot Trojan 1.83% Department of Homeland Security. Free materials such Bancos Trojan 1.70% as posters, banners and brochures are available to help Delf Trojan 1.57% educators raise awareness and a series of tip sheets provide Exploit-misc Exploit 1.47% in-depth information on how to stay safe in a variety of online settings. A number of awareness events will also Bifrose/Pakes Trojan 1.46% be running throughout the month, details of which are Hupigon Trojan 1.33% available at http://www.staysafeonline.org/ncsam. Small Trojan 1.27% Sality Virus 1.21% DIP IN CANADIAN PHARMACY SPAM Tanatos Worm 1.05% Levels of Canadian Pharmacy spam have seen a signifi cant Dropper-misc Trojan 1.01% drop following the closure of notorious spam affi liate Alureon Trojan 0.85% Spamit early this month. Banload Trojan 0.85% Spamit, one of the largest fake pharmacy affi liate PCClient Trojan 0.85% programs that bombard users with messages advertising pharmaceutical products from Canada, announced its Virut Virus 0.84% intention to cease operations at the start of the month, Themida Packer 0.76% claiming that increased attention on its business had made Others[2] 12.11% it impossible to continue. A statement on the program’s Total 100.00% website read: ‘Because of the numerous negative events [that] happened last year and the risen attention to our [1] Figures compiled from desktop-level detections. affi liate program we’ve decided to stop accepting the traffi c from 1.10.2010.’ Cisco and several other sources reported [2] Readers are reminded that a complete listing is posted at a decrease in global spam volumes immediately following http://www.virusbtn.com/Prevalence/. Spamit’s closure. OCTOBER 2010 3 VIRUS BULLETIN www.virusbtn.com MALWARE ANALYSIS 1 IT’S JUST SPAM, IT CAN’T HURT, METHODS USED RIGHT? Over the observation period, several activation methods were observed, which are documented in this section.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    59 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us