Thursday, May 27, 2010

“New malware attack laughs at your antivirus software” plus 3 more

“New malware attack laughs at your antivirus software” plus 3 more

New malware attack laughs at your antivirus software

Posted: 10 May 2010 05:40 PM PDT

Google Finds Fake Antivirus Programs on the Rise

Posted: 28 Apr 2010 06:40 AM PDT

Fake antivirus software is becoming more prevalent on the Internet, with its creators using clever methods to fool users into installing the programs, according to a new report from Google.

Google conducted a 13-month study looking at some 240 million Web pages. The company determined that 11,000 of those domains were involved in distributing fake antivirus programs, and that those kinds of program comprise 15 percent of the malicious software on the Web.

There are thousands of versions of fake antivirus software, but all work on the premise of falsely telling users their computer has been infected with malware. The programs then badger users to buy the software, which often looks legitimate but has no real functionality.

"More recent fake AV sites have evolved to use complex JavaScript to mimic the look and feel of the Windows user interface," according to Google's report. "In some cases, the fake AV detects even the operating system version running on the target machine and adjusts its interface to match."

Users are typically asked if they want to clean their machine, which causes the fake program to download. Fake antivirus usually spreads by social engineering ploys rather than by exploiting software vulnerabilities on the victim's computer, according to Google.

The scammers behind the fake antivirus software frequently use online advertisements using popular keywords, although Google says it filters those advertised URLs to get rid of malicious ones.

Google will blacklist those domains to warn people, but those developing fake antivirus software rotate the domains hosting their programs faster than ever to avoid the blocklist.

A domain hosting fake antivirus software used to serve up the content for up to 100 hours in April 2009, Google said. But that figure fell to below 10 hours in September 2009 and then to less than one hour in January.

"These trends point to domain rotation, a technique that allows attackers to drive traffic to a fixed number of IP addresses through multiple domains," the report said. "This is typically accomplished by setting up a number of landing domains, either as dedicated sites or by infecting legitimate sites, that redirect browsers to an intermediary under the attacker's control."

Google also found that legitimate antivirus vendors were having more trouble identifying the fake programs due to an increased level of "polymorphism," a technique used to make an application look unique and evade malware scanners.

Fake antivirus programs haven't escaped scrutiny from regulators. Following a complaint from the U.S. Federal Trade Commission (FTC), a U.S. district court ordered six people and two companies to stop selling fake security products such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe and XP Antivirus.

As part of that case, the FTC levied a $1.9 million judgement against James Reno and his Web hosting company, ByteHosting Internet Service of Ohio, but later reduced the judgement to $116,697 in June 2009.

Five Filters featured article: The Art of Looking Prime Ministerial - The 2010 UK General Election. Available tools: PDF Newspaper, Full Text RSS, Term Extraction.

Google Finds Fake Antivirus Programs on the Rise

Posted: 28 Apr 2010 06:58 AM PDT

Fake antivirus software is becoming more prevalent on the Internet, with its creators using clever methods to fool users into installing the programs, according to a new report from Google.

Google conducted a 13-month study looking at some 240 million Web pages. The company determined that 11,000 of those domains were involved in distributing fake antivirus programs, and that those kinds of program comprise 15 percent of the malicious software on the Web.

There are thousands of versions of fake antivirus software, but all work on the premise of falsely telling users their computer has been infected with malware. The programs then badger users to buy the software, which often looks legitimate but has no real functionality.

"More recent fake AV sites have evolved to use complex JavaScript to mimic the look and feel of the Windows user interface," according to Google's report. "In some cases, the fake AV detects even the operating system version running on the target machine and adjusts its interface to match."

Users are typically asked if they want to clean their machine, which causes the fake program to download. Fake antivirus usually spreads by social engineering ploys rather than by exploiting software vulnerabilities on the victim's computer, according to Google.

The scammers behind the fake antivirus software frequently use online advertisements using popular keywords, although Google says it filters those advertised URLs to get rid of malicious ones.

Google will blacklist those domains to warn people, but those developing fake antivirus software rotate the domains hosting their programs faster than ever to avoid the blocklist.

A domain hosting fake antivirus software used to serve up the content for up to 100 hours in April 2009, Google said. But that figure fell to below 10 hours in September 2009 and then to less than one hour in January.

"These trends point to domain rotation, a technique that allows attackers to drive traffic to a fixed number of IP addresses through multiple domains," the report said. "This is typically accomplished by setting up a number of landing domains, either as dedicated sites or by infecting legitimate sites, that redirect browsers to an intermediary under the attacker's control."

Google also found that legitimate antivirus vendors were having more trouble identifying the fake programs due to an increased level of "polymorphism," a technique used to make an application look unique and evade malware scanners.

Fake antivirus programs haven't escaped scrutiny from regulators. Following a complaint from the U.S. Federal Trade Commission (FTC), a U.S. district court ordered six people and two companies to stop selling fake security products such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe and XP Antivirus.

As part of that case, the FTC levied a $1.9 million judgement against James Reno and his Web hosting company, ByteHosting Internet Service of Ohio, but later reduced the judgement to $116,697 in June 2009.

Five Filters featured article: The Art of Looking Prime Ministerial - The 2010 UK General Election. Available tools: PDF Newspaper, Full Text RSS, Term Extraction.

Windows security software hole can cripple antivirus

Posted: 11 May 2010 05:48 AM PDT

A just-published attack tactic that bypasses the security protections of most current antivirus software is a "very serious" problem, an executive at one unaffected company said today.

Last Wednesday, researchers at Matousec.com outlined how attackers could exploit the kernel driver hooks that most security software use to reroute Windows system calls through their software to check for potential malicious code before it's able to execute.

Calling the technique an "argument-switch attack," a Matousec-written paper spelled out in relatively specific terms how an attacker could swap out benign code for malicious code between the moments when the security software issues a green light and the code actually executes.

McAfee antivirus to reimburse consumers for bad update | Fake antivirus software on rise, says Google | Microsoft warns of security hole in Windows 7, Server 2008 R2

"This is definitely very serious," said Alfred Huger, vice president of engineering at Immunet, an antivirus company. "Probably any security product running on Windows XP can be exploited this way." Huger added that Immunet's desktop client is not vulnerable to the argument-switch attacks because the company's software uses a different method to hook into the Windows kernel.

According to Matousec, nearly three-dozen Windows desktop security titles, including ones from Symantec, McAfee, Trend Micro, BitDefender, Sophos and others, can be exploited using the argument-switch tactic. Matousec said it had tested the technique on Windows XP SP3 and Vista SP1 on 32-bit machines.

Some security vendors agreed with Huger. "It's a serious issue and Matousec's technical findings are correct," said Mikko Hypponen, chief research officer at Finnish firm F-Secure, in an e-mail.

"Matousec's research is absolutely important and significant in the short term," echoed Rik Ferguson, a senior security advisor at Trend Micro, in a blog post earlier Monday.

Other antivirus companies downplayed the threat, however. "Based on our initial review of the public documentation, we believe this is a complicated attack with several mitigating factors that make it unlikely to be a viable, real world, widespread attack scenario," a McAfee spokesman said in an email reply to a request for comment.

"The attack would require some level of existing access to the target computer, as the attack described by Matousec does not on its own bypass security software or allow malware to run."

Five Filters featured article: The Art of Looking Prime Ministerial - The 2010 UK General Election. Available tools: PDF Newspaper, Full Text RSS, Term Extraction.
Posted by at

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)