[SecurityRatty] tag: antivirus

Symantec's vision...

Fri, 10 Oct 2008 07:24:00 +0000

And so it begins...

Symantec bought out MessageLabs and is (in their own words) "combining MessageLabs’ deep expertise in the SaaS market with Symantec’s rich portfolio of technologies".

The interesting thing is that Symantec does not really lead in the anti-virus market (in terms of quality, not market share. All antivirus products are about the same) or antispam (MessageLabs is excellent here).

So, what could they possibly bring to the party that MessageLabs doesn't already have?

DLP.

MessageLabs has DLP but it is very simple and not really worth very much. The framework is certainly there though. Add some good DLP and voila - you have a product that is worth something.

Antivirus superhero comes to the rescue

Thu, 09 Oct 2008 20:00:00 +0000

Japan's cheap and pervasive high-speed Internet connections are finally catching up with the country.

Trend Micro: India is highest-spamming nation in Asia

Tue, 07 Oct 2008 20:00:00 +0000

India is the 7th largest spam sender in the world, according to Trend Micro Incorporated, a company dealing with Internet content security (also the makers of Trend Antivirus and other security software). India is the leader among Asian countries in spam, accounting for more than 4% of the total global spam. It is ahead of other Asian countries such as China (3.39%), Republic of Korea (2.57%) and Thailand (2.04%). Asia contributes 16.57% of the global spam volume.

A Diverse Portfolio of Fake Security Software - Part Eight

Tue, 07 Oct 2008 03:21:00 +0000

In the spirit of "taking a bite out of cybercrime", here are the latest fake security software domains, typosquatted and already acquiring traffic through a dozen of malware campaigns redirecting to most of them :

antivirus-scanner-online.com (67.205.75.14)

archivepacker.com (78.157.142.111)
winpacker.com
xh-codec.net

securedownloadcenter.com (89.18.189.44)
winupdates-server.com
browserssecuritypage.com
megatradetds0.com

quickscanpc.com (78.159.118.144)
clickchecker6.com

gensoftdownload.com (91.203.93.25)

online-av-scan2008.com (66.232.105.232)
anothersoftportal09.com
bigfreesoftarchive.com
celebs-on-video-08.com
celebs-on-video-2008.com
cleansoftportal2009.com
hot-p0rntube.com
hot-porn-tube-2008.com
hot-porn-tube2008.com
hot-porn-tube2009.com
justdomain08.com
new-porntube-2008.com
online-av-scan2008.com

s0ftvvarep0rtal.com
s0ftvvareportal.com
s0ftvvareportal08.com
s0ftwarep0rtal08.com
softportalforfun.com
softportalforfun08.com
softportalforfun2008.com
softvvareportal.com
softvvareportal08.com
softvvareportal2008.com
trustedsoftportal06.com
trustedsoftportal2008.com

antivirus-online-08.com (89.187.48.155; 218.106.90.227)
anti-virus-xp.com
anti-virus-xp.net
anti-virusxp2008.net
antimalware09.com
antivirxp.net
av-xp08.net
av-xp2008.com
av-xp2008.net
avx08.net
axp2008.com
e-antiviruspro.com
eantivirus-payment.com
ekerberos.com
online-security-systems.com
xpprotector.com
youpornzztube.com

sp-preventer.com (92.241.163.32)
spypreventers.com

u-a-v-2008.com (92.241.163.31)
uav2008.com

power-avcc.com (92.62.101.57)
power-avc.com
pvrantivirus.com

m-s-a-v-c.com (92.62.101.55)
ms-avcc.com
ms-avc.com

wav2008.com (92.241.163.30)
wiav2009.com
win-av.com
windows-av.com
windowsav.com

You know the drill.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

Web Based Malware Emphasizes on Anti-Debugging Features

Mon, 06 Oct 2008 22:42:00 +0000

Following the ongoing development of a particular web based malware, always comes handy in terms of assessing the commoditization of anti-debugging features within modern malware. With plain simple, "managed binary crypting and firewall bypassing verification" on demand in February, to August's overall anti antivirus software mentality as a key differentiation factor of the malware.

So what are they working on? Anti tracing and emulation protection, PeiD and PESniffer protection, as well as anti heuristic scanning with a simple junk data adding feature in order to maintain a smaller binary size.

Here's a translated description :

"- The binary works under admin and under normal user
- The binary is always run as the "current user"
- An unlimited number of bots can be loaded and integrated within the command and control, and with the geolocation feature, filters can be applied for a particular country
-After successful infection, the binary which is tested against popular firewall and proactive protection security ensures that the actions it takes and their order do not trigger protactive protection mechanisms in place
- binary file size is 25k, the size can be reduced once it's crypted

- Doesn't take advantage of BITS protocol
- Doesn't allow an infected host to be infected twice
- Bypassing NAT and supporting "always-on" connections
- A simple, easy to configure web based admin panel"

What if the buyer doesn't care about the quality assurance practices applied? Managed lower AV detection and firewall bypassing service comes into play.

Fake Windows XP Activation Trojan Wants Your CVV2 Code

Mon, 06 Oct 2008 15:01:01 +0000

In a self-contradicting social engineering attempt, a malware author is offering to sale a (updated version of Kardphisher) DIY fake Windows XP activation builder, which despite the fact that it claims "We will ask for your billing details, but your credit card will NOT be charged", is requesting and remotely uploading all the credit card details required for a successfully credit card theft.

Perhaps among the main reasons why such simplistic social engineering attempts never scaled in a "malicious economies of scale" approach, is because sophisticated crimeware kits capable of obtaining the very same data automatically, started leaking for everyone to start taking advantage of - including yesterday's cybercriminals using such DIY fake message builders.

Moreover, according to recently reseased survey results, end users cannot distinguish between fake popups and real ones, and on their way to continue doing what they were doing, click OK on that pesky warning message telling them that they're about to get infected with malware. Taking into consideration the fact that the popup windows the researchers used look like cheap creative compared to the average fake security software's layout high quality GUIs, it is perhaps worth restating your research questions with something in the lines of - What motivates end users to install an antivirus application going under the name of Super Antivirus 2009 or Mega Virus Cleaner 2008? The fact that the fake status bar is telling them that they're infected with 47 spyware cookies, or the fact that they ended up at the fake site while browsing their trusted web services?

The increase of rogue security software domains is happening due to the high payout affiliation based model, the standardized creative allowing the participants to come up with their own fake names if they want to, and due to the fact that the fake security threats scareware approach seems to be perfectly taking advantage of the overall suspicion on the effectiveness of their legitimate security software.

Safe online? Or are you just saying that?

Fri, 03 Oct 2008 11:24:52 +0000

Why lie by telling a pollster youre safe behind a good AntiVirus, AntiSpyware, and Firewall program?
Is it worth having your ID stolen and your bank account emptied?
Get educated, and use what you learn.

clipped from www.eweek.com

Americans Confused as Ever over Cyber-security

The study shows little difference the percentage of Americans who had
anti-spyware software installed (82 percent) and the percentage who said they
had it installed (83 percent). Still, close to one-fifth of all users do not
have adequate spyware defenses.

AntiVirus XP ads on Google?

Fri, 03 Oct 2008 11:12:03 +0000

So, If I had clicked on this ad, and dnloaded this awful program and my puter was infected,,,,
Would Google be responsible?

clipped from www.2-spyware.com

Time for vengeance: AntiVirus XP distributors sued

Malware vendors hide well, however they do make mistakes. Distributors of Antivirus XP were bold enough and dumb enough to buy advertisements on Google Adwords! You get it right: someone looking for anti-virus software on Google search engine was offered Antivirus XP by official adds from Google. The scam was noticed pretty soon. Security experts all over the web guess that this mistake was the one that revealed names of AntivirusXP vendors. Victims of Antivirus XP can start celebrating as the distributors won’t get away easily.

Syndicating Google Trends Keywords for Blackhat SEO

Fri, 03 Oct 2008 00:19:24 +0000

Several hundred Windows Live Spaces and AOL Journals, are currently syndicating the most popular keywords provided by Google Trends, and are consequently hijacking the top search queries exposing users to Zlob codecs.

Here are some same bogus blogs used in the campaign, naturally pre-registered long before they executed it :

vinniedigg18 .spaces.live.com
journals.aol .com/iolatour16
fredabreak02 .spaces.live.com
thedaalerts01 .spaces.live.com
allisonpolls08 .spaces.live.com
rheabreak18 .spaces.live.com
racquellog17 .spaces.live.com
monikavideo11 .spaces.live.com
journals.aol .com/shelvakill27
tomekadigg26 .spaces.live.com
ivahnet19 .spaces.live.com
journals.aol .com/louisathere13
allisonpolls08 .spaces.live.com
valericatch03 .spaces.live.com
journals.aol .com/iolatour16
hadleycue01 .spaces.live.com
journals.aol .com/staceyliving01
collettebreak17 .spaces.live.com
journals.aol .com/nataliablog16
natalymore26 .spaces.live.com

A comprehensive listing of the blogs involved can be downloaded here.

What do all of these bogus blogs have in common? The fact that they are all being abused by a single malware campaign, and the Keep it Simple Stupid mentality only a lazy malware campaigner can take advantage of. All of the blogs as using a central redirection domain, shutting it down or blocking it renders the number of bogus blogs is circulation irrelevant. In this case, the domain in question is video.xmancer.org (216.195.59.75).

Here are the the rest of the domains participating in the campaign, as well as the parked ones at the corresponding IPs :

video.xmancer .org (216.195.59.75)
buynowbe .com
loveniche .com
antivirus-freecheck .com
jetelephone .cn
reducki .cn
woteenhas .cn
lilaloft .cn

clipztimes .com (78.157.143.235)
imagelized .com
vidzdaily .com

gotmovz .com (78.108.177.91)
dwnld-clips .com

movwmstream .com (77.91.231.183)
newwmpupdate .com
zaeplugin .com
movaccelerator .com
optimwares .com
piterserv .com

moviesportal2008p .com (72.232.183.154)
movieportal2008a .com
funnyportal2008l .com
starsportal2008p .com
softportal2008p .com
movieportal2008q .com

In short, despite that the campaign is poised to attract generic search traffic, it's a self-exposing blackhat SEO campaign since each and every blog participating is also linking to the rest of the ones within the ecosystem.

Related posts:
Blackhat SEO Redirects to Malware and Rogue Software
Blackhat SEO Campaign at The Millennium Challenge Corporation
Massive IFRAME SEO Poisoning Attack Continuing
Massive Blackhat SEO Targeting Blogspot
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
p0rn.gov - The Ongoing Blackhat SEO Operation
The Continuing .Gov Blackat SEO Campaign
The Continuing .Gov Blackhat SEO Campaign - Part Two
Compromised Sites Serving Malware and Spam

IBM vets ID management, access control technologies on own systems

Wed, 01 Oct 2008 20:00:00 +0000

Rather than selling only stand-alone security tools, IBM is working to embed antivirus, firewall and other security features into all of its software products, software chief Steve Mills says.