The other week I blogged about the newly accepted AMTSO documents.
Over the next weeks, I'll go through all the documents individually in more detail and explain why they are important.
The first document we're going to have a look at is the Best Practices for Validation of Samples document.
Samples are obviously a crucial component of good testing. There are other important aspects, such as proper configuration of the products and interpretation of the (scan) results.
However, when we think about testing, samples come to mind first and foremost.
When we're talking about validation, we're strictly looking at making sure all samples in a set are functional. So this doesn't include looking at either the relevance or the classification of a sample.
Why is validation important? Because non-loadable files pose no threat to the user. Therefore they don't have to be detected, and indeed shouldn't be.
Having non-loadable files in the set will influence the test results. Let's have a look at a theoretical example. We have a 100 KB network worm which is detected by AV products A, B and D, but C does not detect it.
Now let's look at what happens when the worm loads. As this worm is trying to infect a honeypot, the connection is broken after only 80 KB of the file has been transferred.
Suddenly the test results look completely different:
The document primarily focuses on the validation of PE (portable executable) files, as these make up the vast majority of today's malware. Ideally the sample handler tries to actually execute the sample in a secure environment, as this will give the most accurate results. If that's not possible for reasons such as time or resource constraints, the document gives hints for statically checking whether a sample is loadable.
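The static checks below are an added illustration of the idea in the two paragraphs above, not code from the AMTSO document or from Kaspersky Lab. They walk the PE headers the way a loader would (MZ stub, e_lfanew, PE signature, COFF and optional headers, section table) and then confirm that every section's raw data actually lies inside the file. The sample PE is constructed in the script, and the 80% cut reproduces the "connection broken after 80 KB of 100 KB" scenario: the truncated copy still has intact headers but fails the section-bounds check, which is exactly why it should be dropped from a test set.

```python
import struct

# Constructed test data: a minimal PE32 image (DOS header, PE signature, COFF header,
# zeroed optional header and one section).  It is not a real program.
def build_sample_pe(section_size=0x1000, raw_offset=0x200):
    e_lfanew = 0x40
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)           # e_lfanew -> PE signature
    opt_size = 0xE0                                       # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    section = struct.pack("<8sIIIIIIHHI", b".text", section_size, 0x1000,
                          section_size, raw_offset, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    image = bytearray(raw_offset)
    image[:len(headers)] = headers
    image += b"\x90" * section_size                       # section body (NOP filler)
    return bytes(image)


def check_pe_loadable(data):
    """Static sanity checks a loader performs before mapping a PE file.
    Returns (True, 'ok') or (False, reason).  Structural only: a file that
    passes may still fail at run time, but one that fails cannot load."""
    size = len(data)
    if size < 0x40 or data[:2] != b"MZ":
        return False, "missing DOS (MZ) header"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > size:
        return False, "e_lfanew points past end of file"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, "missing PE signature"
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 2 or opt_off + opt_size > size:
        return False, "optional header truncated"
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        return False, "unknown optional header magic 0x%x" % magic
    sec_off = opt_off + opt_size
    if sec_off + nsec * 40 > size:
        return False, "section table truncated"
    for i in range(nsec):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec_off + i * 40)
        end = raw_ptr + raw_size
        if raw_size and end > size:                       # raw data runs past EOF
            label = name.rstrip(b"\0").decode(errors="replace")
            return False, "section %s truncated: needs %d bytes, file has %d" % (label, end, size)
    return True, "ok"


def simulate_broken_transfer(data, fraction=0.8):
    """Model the post's scenario: only `fraction` of the file was received."""
    return data[:int(len(data) * fraction)]


if __name__ == "__main__":
    sample = build_sample_pe()
    print(check_pe_loadable(sample))
    print(check_pe_loadable(simulate_broken_transfer(sample)))
```

Running the script prints `(True, 'ok')` for the complete file and a `section .text truncated` reason for the 80% copy; in a sample-validation pipeline the second result is the signal to exclude the file before it skews any detection rate.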
You can find all of the published documents here.
It’s already May and almost half a year since Christmas. There’s more than six months until next Christmas.
That’s no excuse not to use the Christmas theme in spam, it would seem. After all, every festive season it’s a sure-fire winner.
So why not exploit its popularity in February, March, April or May?
Below are some messages we received on 27 March and 29 April.

This message includes the usual text extolling the virtues of Viagra. At the end of the message 12 tablets are offered for free for Christmas.
When I got spam messages in German containing Christmas greetings in February, I thought the spammers had just forgotten to remove the extra lines with their seasonal greetings or offers of presents. The same idea occurred to me in March. In April I was at a bit of a loss. But earlier today when I received a free offer of 12 Viagra tablets for Christmas, I understood that the spammers were most probably planning ahead.

You never know, maybe the spammers meant that if you buy a pack of Viagra today, you’ll get another pack for free by Christmas. Who knows what goes on inside their heads? In any case, the issue of freebies is nothing new.
I'm at the Interop Las Vegas show which is again taking place in the Mandalay Bay convention center. This is my first time in Vegas and I'm finding it quite the experience.
Yesterday I talked about the dangers of social networks and the bigger issue of implicit trust around it. Today I'll be talking about the methods attackers are using and how the malware ecosystem works.
Just like many of our competitors we also have a booth at Interop. Stop by booth #1212 and see us when you have the time.

Last week there was a lot of media attention devoted to a phishing attack on Facebook, one of the biggest social networking sites with around 200 million registered users. It was attacked precisely because it is so popular and has so many users.
Interestingly, attacks on smaller but equally popular social networking sites are also based on the principle of social engineering. For example, we recently detected a new wave of phishing attacks on the site Odnoklassniki (Russian for ‘classmates’), which is extremely popular in the former USSR. The site currently boasts approximately 35 million users.
It’s the same old scheme: a trusted contact sends you a message with a link to an external resource. The fake message looks like a real one because it contains your name, and sometimes even a nickname that only your friends would use.

{Hi Diman! Yesterday Nastya showed me a great competition. Visit
http://furnish.comforts.me it’s just brilliant!}
During the first full week of May a portion of the AV researcher community gathered in sunny Budapest, Hungary.
The first order of business was attending the third annual CARO workshop. The workshop was attended by more than one hundred researchers from all over the globe.
Appended to the workshop was an AMTSO member meeting. The gathering was significantly smaller, at about forty people, including Dennis Nazarov and myself from Kaspersky Lab.
We arrived with a plan to vote on four documents:
After review, the membership agreed that Issues Around the Creation of Malware for Testing Purposes is not ready for voting. This is by far the most controversial document AMTSO is working on.
Recently we released a product especially for netbooks, so we’re performing compatibility tests on newly released netbooks in an ongoing way. The other day we bought a brand new M&A Companion Touch to test. After initial checks, the testing group contacted me since they suspected a malware infection. Could this be yet another example of a factory-infected device?
A scan detected the following malware: Worm.Win32.AutoRun.aayn, Rootkit.Win32.Agent.hwq and Packed.Win32.Krap.g. For anyone interested, here are the MD5s:
Worm.Win32.Autorun.aayn: 0x4f90e62489e5a891a1d9520408164b8c
Rootkit.Win32.Agent.hwq: 0x7f289b08a41ef6c26b684dc4d95028ee
Packed.Win32.Krap.g: 0x1928c09bdb7d2c7d1180bf2105e1315a
After some analysis I was able to determine that these files had been present since February 2009, a long time before we got the netbook.
The AutoRun worm spreads to removable devices, exploiting weaknesses in how Microsoft implemented the functionality. I blogged about the problem over at zdnet. What probably happened is that somebody used an infected USB stick and hooked it up to the machine while installing some drivers for it.
The true purpose of this worm is to steal passwords for a number of online games, such as Lord of the Rings and Maple Story. It also uses a special downloader mechanism. The PE files are encoded and prepended with a fake RAR header to fool security solutions. We detect such 'malformed' files as Trojan.Win32.Ramag.
This case shows once again that even brand new products can leave the factory infected. Safeguarding against infected new devices is particularly difficult. Doing an offline scan with an up-to-date security solution is normally the most effective approach. As there will have been a time lapse between the device getting infected and you getting your hands on it, your security solution should have no problem detecting the malware.
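The post says the downloaded PE files are encoded and carry a fake RAR header, so a scanner that trusts the first seven bytes may treat them as an archive and move on. The following triage heuristic is an added example, not Kaspersky Lab's Ramag detection: it accepts the RAR 1.5-4.x marker, then walks the block chain that must follow it (archive header first, then further typed blocks) and flags any file whose "archive" bytes do not parse as RAR blocks. The two sample files are constructed inline; the fake one stands in for the trick on the page with opaque filler, since the page does not describe the payload encoding.

```python
import struct

RAR_MARKER = b"Rar!\x1a\x07\x00"             # RAR 1.5 - 4.x signature (7 bytes)
# Block types defined for that format family (marker, archive, file, comment,
# extra, subblock, recovery, auth, newsub, end-of-archive).
KNOWN_BLOCK_TYPES = {0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x7A, 0x7B}
LONG_BLOCK = 0x8000                           # HEAD_FLAGS bit: 4-byte ADD_SIZE follows


def walk_rar_blocks(data):
    """Walk the RAR block chain after the marker.  Every block starts with
    HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2).  Returns the list of
    block types seen, or None if the bytes are inconsistent with the format."""
    if not data.startswith(RAR_MARKER):
        return None
    pos, types = len(RAR_MARKER), []
    while pos + 7 <= len(data):
        _crc, btype, flags, size = struct.unpack_from("<HBHH", data, pos)
        if btype not in KNOWN_BLOCK_TYPES or size < 7:
            return None                       # unknown type or a size that cannot advance
        if not types and btype != 0x73:       # first block must be the archive header
            return None
        if flags & LONG_BLOCK:
            if pos + 11 > len(data):
                return None
            size += struct.unpack_from("<I", data, pos + 7)[0]
        types.append(btype)
        pos += size
        if btype == 0x7B:                     # end-of-archive block terminates the chain
            break
    return types or None                      # a bare marker is not an archive either


def classify_container(data):
    """'rar' for a consistent archive, 'rar-header-with-foreign-payload' for a
    marker glued onto non-RAR bytes (the case the post describes), else 'not-rar'."""
    if not data.startswith(RAR_MARKER):
        return "not-rar"
    return "rar" if walk_rar_blocks(data) else "rar-header-with-foreign-payload"


def build_samples():
    """Constructed samples: a minimal well-formed archive (archive header +
    end block) and a fake one (marker followed by opaque filler)."""
    archive_hdr = struct.pack("<HBHHHI", 0, 0x73, 0, 13, 0, 0)
    end_block = struct.pack("<HBHH", 0, 0x7B, 0, 7)
    good = RAR_MARKER + archive_hdr + end_block
    fake = RAR_MARKER + bytes(range(0x10, 0x60))   # stand-in for an encoded payload
    return good, fake


if __name__ == "__main__":
    good, fake = build_samples()
    for label, blob in (("good", good), ("fake", fake)):
        print(label, classify_container(blob))
```

A file classified as `rar-header-with-foreign-payload` should not be skipped as "just an archive"; it belongs in the queue for deeper inspection, which is the practical point behind treating such malformed files as a detection in their own right.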
Naturally, we've informed M&A of our findings - but since the device is out there, we are also warning users.
It’s been a busy time in our spam lab. Sure, spam never goes away, but in May alone we’ve had spam linked to Mother’s Day
and spam linked to Victory Day, a major public holiday in Russia celebrating the end of World War II on 9th May. The message below is themed to fit the patriotic sentiments of the holiday, but the text at the bottom advertises printing services.

It’s often argued that *nix systems are secure, and there aren’t any viruses or malware for such systems. This hasn’t been true for a long time, as two recently detected malicious programs prove.
The first is Trojan-Mailfinder.Perl.Hnc.a, a Perl script which connects to a command server to get text and a recipient list for spam mailings.

The second program is Trojan-Dropper.Linux.Prl.a, an executable for Linux and FreeBSD. The file decrypts the Perl script, launches the Perl interpreter and then gives it the decrypted script.
Hello from the Middle East! I’m in Kuwait City where I’m speaking at the Kuwait ICT Security Forum. The topic of my presentation? Web 2.0 attacks, of course; that’s where it’s at these days.

One of the biggest points when I talk about web 2.0 threats is the importance of social engineering, or the “human vulnerability”, as I like to call it, in getting innocent users’ computers infected. Social engineering has been around for just about ever, way before any social networking sites, but right now, with everyone and their dog using sites like Facebook, Twitter, etc., it seems to me the two go hand in hand. Social engineering, social networking – not so hard to spot what these two have in common, is it?
We’ve recently seen a massive increase in phishing attacks on the Facebook login page. Attackers have been using Facebook’s internal message system to send short messages that direct users to “fbaction.net”, a website purposely designed to clone Facebook’s log-in screen.
Why do the bad guys want Facebook passwords? Simple: malicious code distributed via social networking sites is 10 times more effective in terms of successful infection than malware spread via email. Users are far more likely to click on a link received from a trusted friend (or a trusted friend’s dog!) rather than a link in a random spam message.
Don’t be a victim: consider creating a bookmark for the login page, or typing www.facebook.com directly into the browser address bar. Even better, think about using HTTPS, especially if you are browsing from a public network: https://www.facebook.com.
This advice doesn’t only apply to Facebook, of course. Here’s to happy socializing! Or should I say... safe socializing?
It’s no surprise that spammers have jumped on the swine flu bandwagon. We’ve been seeing a lot of short, pithy messages, ranging from the relatively innocuous
to ones clearly designed to exploit the current widespread public unease:
The link leads to a site which isn’t offering anything new – I spent a while trawling it for swine flu vaccines, but didn’t find anything apart from the usual Viagra, Cialis, and conventional cold remedies.

Maybe this is for the best – any swine flu treatment offered by spammers would undoubtedly be fake, just like most of the rest of their wares.