Opinions|On the way to better testing

Magnus
Kaspersky Lab Expert
Posted February 01, 14:09  GMT
Tags: Antivirus Testing

Have you ever found a false positive when uploading a file to a website like VirusTotal? Sometimes it happens that not just one scanner detects the file, but several. This leads to an absurd situation where every product which doesn't detect this file automatically looks bad to users who don't understand that it's just false positives.

Sadly you will find the same situation in a lot of AV tests, especially in static on-demand tests where sometimes hundreds of thousands of samples are scanned. Naturally, validating such a huge number of samples requires a lot of resources. That's why most testers can only verify a subset of the files they use. What about the rest? The only way for them to classify the rest of their files is using a combination of source reputation and multi-scanning. This means that, like in the VirusTotal example above, every company that doesn't detect samples that are detected by other companies will look bad - even if the samples might be either corrupted or absolutely clean.

Since good test results are a key factor for AV companies, this has led to the rise of multi-scanner based detection. Naturally AV vendors, including us, have been scanning suspicious files with each other's scanners for years now. Obviously knowing what verdicts are produced by other AV vendors is useful. For instance, if 10 AV vendors detect a suspicious file as being a Trojan downloader, this helps you know where to start. But this is certainly different to what we're seeing now: driven by the need for good test results, the use of multi-scanner based detection has increased a lot over the last few years. Of course no one really likes this situation - in the end our task is to protect our users, not to hack test methodologies.

This is why a German computer magazine conducted an experiment, and the results of this experiment were presented at a security conference last October: they created a clean file, asked us to add a false detection for it and finally uploaded it to VirusTotal. Some months later this file was detected by more than 20 scanners on VirusTotal. After the presentation, representatives from several AV vendors at the event agreed that a solution should be found. However, multi-scanner based detection is just the symptom - the root of the problem is the test methodology itself.

Software|mwcollectd released

Magnus
Kaspersky Lab Expert
Posted December 22, 09:21  GMT
Tags: Antivirus Technologies

mwcollectd v4, a next-generation low-interaction malware collection honeypot, has just been released. It's written in C++, but the easy integration of additional Python modules means that malware researchers around the world can easily extend the honeypot with new protocols and features.

We're happy to be sponsoring this project, which was mainly developed by Georg Wicherski (one of our virus analysts in Germany) and Mark Schloesser, from RWTH Aachen University. It's published under the LGPL license. If you want to take a look at mwcollectd, it's here, and libemu, which is used by mwcollectd, is here.

Virus Watch|Happy birthday, Mac!

Magnus
Kaspersky Lab Expert
Posted January 24, 09:21  GMT
Tags: Apple MacOS, Non-Windows Malware, History of Malware

Thanks to my colleague Christian for providing the info for this post.

Today, 24th January, the famous Macintosh celebrates its anniversary – it was 25 years ago to the day that Steve Jobs introduced the first Macintosh Computer, the 128K, at Apple’s AGM. It was the first commercially successful personal computer to feature a mouse and a graphical user interface rather than a command line interface – a big step at the time. With devoted Mac followers guessing and gossiping about what the future holds, let's take a quick look back at malware and security for Mac over the last few years.

Traditionally, malware writers have overlooked Mac in favor of targeting Windows with its bigger market share. But the proof-of-concept samples which appear periodically show that Macs aren't invincible.

We wrote about two such examples in 2006 – IM-Worm.OSX.Leap.a, which tricked users by pretending to be screenshots of Leopard, the latest version of OS X, and spread via iChat; and Worm.OSX.Inqtana.a, which exploited a Bluetooth vulnerability and attempted to infect other Bluetooth devices within range.

Research|Wardriving in Copenhagen, Denmark

Magnus
Kaspersky Lab Expert
Posted December 04, 13:27  GMT
Tags: Wardriving

We recently went on tour with some journalists through Copenhagen, the capital of Denmark, and took a quick look at the state of WiFi networks in the city. Copenhagen lies on two islands (Zealand and Amager) and is well known for its culture and the design of the city (as well as being the 14th most expensive city in the world according to Forbes List). That is the kind of information you can find in any guidebook, but what you won't find are statistics on wireless networks. So it seemed a good idea for us to take a look!

Opinions|Online surveillance still under discussion

Magnus
Kaspersky Lab Expert
Posted February 27, 10:19  GMT
Tags: Cybercrime Legislation

Today, on Wednesday 27th February at 10am, the German Federal Constitutional Court in Karlsruhe made an official statement regarding its verdict on online surveillance.

The final verdict: although online surveillance is permitted, this is only in cases where an overwhelming threat to the existence of extremely important legally protected interests exists, and certain specific criteria will have to be met. Additionally, a new basic right will be introduced, for the first time since 1983, when a basic right was introduced regarding the capacity of the individual to determine in principle the disclosure and use of his/her personal data. This new basic right is intended to guarantee the integrity of IT systems and the confidentiality of data held on these systems.

The catalyst for these proceedings was a collective complaint brought against a law in the German state of Nordrhein-Westfalen designed to protect the constitution. This law permits the installation of spy programs on the computers of alleged criminals and terrorists. Such software, designed to intercept passwords, read the contents of disks, intercept encrypted conversations and transmit all of this via the Internet to the investigating authorities, gave rise to the term 'online surveillance'.

Exactly what the practical results of today's verdict will be remain to be seen. It's clear that the Nordrhein-Westfalen law protecting the constitution will have to be amended. Meanwhile, discussions about the software – nicknamed the 'Bundestrojan' – will continue.

This won't have any effect on our work as an antivirus company. As has already been said, in spite of the fact that it's financed by the government, a Trojan which uses the same methods as spyware created by virus writers (which will very probably be detected by our proactive detection methods, such as heuristics, behavior analysis etc) has to be viewed as being potentially malicious. And although we will probably be able to detect the program, we wouldn't be able to classify it as the 'Bundestrojan'; it's very unlikely that the authorities will provide AV companies with samples, so we would simply have to classify it on the basis of its behaviour, just as we do any potentially unwanted program.

News|The C64 hits 25

Magnus
Kaspersky Lab Expert
Posted December 12, 14:37  GMT
Tags: History of Malware

Talk about non-Windows malware and most people automatically think of Linux, Mac OS X etc. etc. But this very modern attitude overlooks a couple of interesting stages in the history of computer virology.

Some of you might wonder what I'm getting at here. Well, at the beginning of this week, IT luminaries such as Steve Wozniak (the co-founder of Apple) and Jack Tramiel (former Technical Director at Commodore and later Head of Atari) got together to celebrate the 25th anniversary of the Commodore 64.

What a lot of people don't know – even these revered 8-bitters had computer viruses. Even though the Commodore used a BASIC interpreter from Microsoft, the blame for these almost prehistoric bugs can't be laid at the Redmond company's door - back then, the majority of programs were written in pure assembler. In 1986, a hacking group – possibly the Bayrische Hacker Post group – developed the 'BHP' virus. It periodically caused the computer to cycle rapidly through all sixteen available colours on the display, showing the victim a message in German which said 'HALLO FATTY, THIS IS A REAL VIRUS!'. The text was followed by a serial number, which increased by a count of one with every infection. BHP hooked a number of interrupts, including one normally called when a reset is carried out. This ensured that it would be able to survive a reset.

Incidents|Feelings can be misleading

Magnus
Kaspersky Lab Expert
Posted June 26, 08:16  GMT
Tags: Internet Banking

Online banking and security still seem to have only the most tenuous relation to each other. Even though more and more German banks are moving towards implementing HBCI, an independent protocol for online banking in which the PIN is entered via an external card reader (which may have its own display), the investment needed (between 70 and 170 euros) is frightening a lot of customers off.

It seems that some of the British banks have been thinking about this, and drawing their own conclusions. A recently published article covers a major British bank's refusal to implement two factor authentication: apparently the increased popularity of online banking shows that 'customers already feel safe on the Internet', without the need for extra hardware. But if the bank has the feeling that customers are blissfully happy, perhaps they should dig a little deeper.

Banks which don't implement appropriate security may find themselves dealing with satisfied customers like the German woman who recently came to us for help. Her antivirus solution (not ours, I should hasten to add!) malfunctioned. The consequence - a Trojan got away with a smooth 5000 euros from her account. The local prosecution service suspended the investigation, because the attack could only be traced back to a computer located at a university. The bank, meanwhile, has spent more than a month trying to push the blame back onto the customer. The happy customer, who thought that the combination of antivirus software and PIN/TAN would keep her assets safe...

Incidents|GoogleBlock

Magnus
Kaspersky Lab Expert
Posted June 15, 11:44  GMT
Tags: Google

A few days ago the Inquirer published an interesting little article: instead of returning the search results its author wanted, Google told him his computer might be infected with a malicious program. And today one of our clients got caught the same way – the ubiquitous search engine was displaying the same error message to lots of the company's staff.

I'm interested in why this happened. It's not very difficult to find a possible answer: a lot of spammers use Google to find the emails of potential victims and automate this task by using little scripts which may be run from infected machines. So Google can implement a temporary block which is lifted when the user correctly responds to Google's captcha by entering the letters and numbers shown, proving that s/he is not a spambot.

We've managed to reproduce the suspicious behaviour that can get a human user locked out of Google. And once the user's been locked out, his/her IP address gets blacklisted. This can be a problem if the user is coming in via a proxy server – it will be the proxy that will be seen as the attacker, and the proxy that gets blocked. Which means that all the users coming in via the same proxy will also be subject to the same restrictions, until someone correctly solves the captcha. It would of course be helpful if the Google warning clearly stated that it could be the proxy, rather than the user's computer, which is suspected of being a bot. We've suggested this to Google, and we'll let you know their response.

Of course, it might not be a false alarm at all - there might be an infected computer on your network, and Google raising the red flag could be the first sign of infection. But even though Google's search capability may be awesome, a dedicated antivirus program is still going to be the most reliable way of catching malicious programs.

Incidents|Strangers on a train

Magnus
Kaspersky Lab Expert
Posted May 10, 11:46  GMT
Tags: Mobile Malware

We're always warning users to be wary of files sent via Bluetooth from unknown sources. And this is why I was so surprised during a train trip the other day – I saw first hand evidence of how trusting people are when it comes to their mobiles.

A woman sitting in front of me took a call on her smartphone. A few minutes later a man who she clearly didn't know asked if he could have her 'cool ringtone'. She agreed, but for some reason he couldn't persuade his smartphone to get the file via Bluetooth. Finally he asked her to give him her phone so he could copy the file directly from the memory card. She agreed without hesitating, handed over her smartphone...he copied what he needed to copy, handed the phone back, and left the compartment.

It's possible that I'm suffering from an excess of occupational paranoia, and that the man really was interested only in the ringtone. I can't be sure. However, I can be sure that he had access to all the data the woman had saved, not to mention the opportunity to copy malicious programs onto her phone. Maybe I am overly paranoid – but as long as I see people continuing to be so casual about phone security, I'll keep telling them what they're doing wrong.

As for the woman, she didn't just get my ideas on security – she'll be getting a free virus scanner for her smartphone too.

Events|Cabir, the star of the show

Magnus
Kaspersky Lab Expert
Posted March 20, 13:10  GMT
Tags: Mobile Malware, Conferences, Exhibitions, Cabir

Tomorrow will be the last day of CeBIT and everyone's extremely busy. We still found the time to visit the Physikalisch-Technische Bundesanstalt (the national metrology institute providing scientific and technical services) in Braunschweig together with a German TV crew.

And why did we go there? Although the room may look like a big recording studio, the spikes on the wall aren’t to ensure clean sound, but to disperse all radio waves inside the room. Additionally, the metal plated walls and floor create a Faraday cage, making sure that all waves stay inside the room. In short, it’s a perfect location for mobile malware testing.

This gave us the opportunity to show the cameras just how Cabir, the first known smartphone virus, spreads. There are only a few known cases of Cabir infections in the wild in Germany, but everyone in the room understood that mobile malware is a real threat.

The chances of getting infected in your home country may be low. But there are other regions – like parts of Asia – where Cabir is more widespread. And that's why we never tire of repeating the security professional's mantra: never install a program on your mobile phone if you're not sure where it came from, and if you don't need Bluetooth, turn it off! Even (or perhaps especially) at CeBIT.
