Posts on this page:
- 15 Sep: Lab Matters - The Evolution of Anti-Malware Protection (Ryan Naraine)
- 14 Jul: Cloud Security vs Cybercrime Economy: The Kaspersky Vision (Ryan Naraine)
- 04 May: Malvertising on ImageShack (David Jacoby)
- 13 Jun: A milestone in the former USSR (Eugene)
- 26 May: No compromises here (Costin Raiu)
- 05 Apr: Fast is good (David)
Kaspersky Lab chief technology officer Nikolay Grebennikov joins Ryan Naraine to discuss the evolution of anti-malware software. Grebennikov talks about the changing face of the malicious threat facing desktop users and the additional components added to Kaspersky's anti-malware products to move beyond signature-based detection of threats. He goes into detail about heuristics and emulation, behavior-based detection and newer proactive technologies to handle real-time malware detection.
In this webcast, Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, shares his extensive knowledge of the driving forces that power the modern cyber-criminal ecosystem and discusses the way that cybercrime operates. He covers the latest developments in security technologies and describes how he sees the security industry developing in the near future. Additionally, Eugene pays particular attention to showing how modern cloud security solutions not only protect users and businesses, but can seriously impede the cyber-criminals' black economy, thereby significantly reducing cyber-crime.
Today, while conducting research on the alleged Latvian power hack, I came across some interesting malvertising on ImageShack, where pictures of the purported hack have been hosted.
Advertising on the page loads an exploit for a Java vulnerability that Kaspersky recognizes as Exploit.HTML.CVE.2010-4452.m, which then tries to download Trojan.win32.TDSS.cgir. TDSS, as some of you may recognize, is a rootkit that operates at the lowest levels of Windows and can prove extremely difficult to remove.
Upon opening the page, the advertisement loads and a connection to http://--removed--ediagroup.com/enc/jv.html is made; this launches the actual exploit. A second page, http://--removed--ediagroup.com/load.php?2, is then loaded, which drops the Trojan carrying the TDSS malware.
Kaspersky already detects both the exploit and the Trojan payload. This serves as a reminder of the importance of keeping your anti-virus up to date.
We will update with further details as they become available.
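The post describes a two-stage chain: an ad on a legitimate page pulls an HTML landing page from a third-party host, and moments later the same host serves load.php with a numeric query that drops the payload. As an added illustration for defenders (not code from the original post or from Kaspersky), the script below correlates that sequence in web-proxy logs. The log lines and the host name ad-host.example are constructed stand-ins, since the real ad host is redacted on the page; the 60-second window and the "digits-only query" check are assumptions that approximate the observed load.php?2 pattern, not a definitive signature.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log (not real traffic). Format per line:
#   <ISO timestamp> <client IP> <method> <URL> <HTTP status>
# Client 10.0.0.5 reproduces the chain from the post; 10.0.0.7 fetches a
# load.php with a non-numeric query (should not match); 10.0.0.9 hits the
# landing page but never fetches the payload (exploit blocked, no chain).
SAMPLE_LOG = """\
2010-05-04T10:00:01 10.0.0.5 GET http://imageshack.example/photo/123.png 200
2010-05-04T10:00:02 10.0.0.5 GET http://ad-host.example/enc/jv.html 200
2010-05-04T10:00:04 10.0.0.5 GET http://ad-host.example/load.php?2 200
2010-05-04T10:00:09 10.0.0.7 GET http://news.example/index.html 200
2010-05-04T10:00:10 10.0.0.7 GET http://news.example/load.php?page=2 200
2010-05-04T10:30:00 10.0.0.9 GET http://ad-host.example/enc/jv.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
URL_RE = re.compile(r"^https?://([^/]+)(/[^?]*)(\?.*)?$")
WINDOW = timedelta(seconds=60)  # assumed correlation window


def parse_log(text):
    """Turn raw proxy lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        u = URL_RE.match(url)
        if not u:
            continue
        events.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "host": u.group(1),
            "path": u.group(2),
            "query": u.group(3) or "",
        })
    return events


def find_exploit_chains(events, window=WINDOW):
    """Return (client, host, landing_path, payload_url) tuples where a client
    fetched an .html page and, within `window`, fetched /load.php?<digits>
    from the same host. This mirrors the jv.html -> load.php?2 sequence."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    hits = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["time"])
        for i, landing in enumerate(evs):
            if not landing["path"].endswith(".html"):
                continue
            for follow in evs[i + 1:]:
                if follow["time"] - landing["time"] > window:
                    break  # events are sorted, nothing later can match
                same_host = follow["host"] == landing["host"]
                is_loader = follow["path"].endswith("/load.php")
                numeric_query = re.fullmatch(r"\?\d+", follow["query"]) is not None
                if same_host and is_loader and numeric_query:
                    hits.append((client, landing["host"], landing["path"],
                                 follow["path"] + follow["query"]))
    return hits


if __name__ == "__main__":
    for hit in find_exploit_chains(parse_log(SAMPLE_LOG)):
        print("possible exploit chain:", hit)
```

Only the first client is reported: the second has a loader URL whose query is not purely numeric, and the third never reaches the payload stage. A rule this narrow is meant to be one signal beside the AV verdicts the post mentions, not a replacement for them.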
Once upon a time, back in the USSR, I accidentally got a virus on my computer, an Olivetti M24.
And I started my anti-virus career. That was in September (or October) 1989. And the first record was added to my first utility to fight computer viruses (well, in this case, just one computer virus). It was a challenge for me to analyze the code - and develop an anti-infection routine. I was so curious, and of course I didn't realize that it would become so serious.
Now there's an industry, now there are thousands of people developing anti-* solutions (including hundreds in my company). And just last night we had a major milestone - we added the 200,000th record to our antivirus databases. Cruel world... Two hundred thousand antivirus records! And the number will continue to increase - we're already up to 200,157 records.
A couple of worried users have contacted us to ask if KAV is going to drop detection for old boot/DOS viruses in the future, or for extinct Trojan downloaders.
At the moment, we've got no plans to do that. It could compromise detection and, given the way our engine works, dropping detection for DOS viruses would result in an insignificant speed increase - less than 5% faster.
The risk of getting infected by Michelangelo is probably pretty small nowadays, but it can't be entirely discounted. So rest assured, we'll keep on detecting those old boot and DOS viruses and the dead Trojan downloaders.
Like us, you might have seen a recent discussion about antivirus vendors' response times.
Just like the vendors involved, we believe that speed of response to new threats and update frequency are vital.
That's why we provide hourly updates, day in, day out, regardless of whether a particular threat makes headlines. This ensures that our users have access to effective protection against the 200+ new threats which appear every day.
Even though our response times weren’t included in the discussion mentioned above, we consistently deliver a fast response. And that’s what’s most important.
It looks as though people have heard about our latest updates - 1400 signatures and about 25 new unpackers added in one week - and are hurrying to get their hands on our software.
Here are some statistics so you can see how our updates have evolved:
| Year | Records added per day | Total records in database (date dd.mm - count) |
|---|---|---|
| 1998 | 15 | 05.01 - 20172 |
| 1999 | 18 | 20.01 - 25733 |
| 2000 | 26 | 07.01 - 32572 |
| 2001 | 25 | 05.01 - 42233 |
| 2002 | 15 | 01.01 - 51495 |
| 2003 | 53 | 01.01 - 63082 |
| 2004 | 87 | 01.01 - 82515 |
| This year | approx. 200 this week | 01.01 - 114506; 21.10 - 155372 |
Exactly two years ago we introduced our extended databases.
These databases protect against AdWare, RiskWare and PornWare. Some people like to refer to the extended databases simply as anti-spyware protection, but we actually detect much more than just that with the help of these databases, most notably RiskWare programs.
Back then we still had cumulative updates and the extended databases consisted of three components: advware.avc, riskware.avc and pornware.avc.
Later, two of those names changed to adware.avc and obscene.avc. Since the beginning of this year we have simply combined them into the extxxx.avc database, where each x stands for a decimal digit. However, we've actually been detecting these types of threats for much longer than two years.
Before we introduced the extended databases the detection of AdWare etc. was included in x-files.avc.
Two years ago it was special to have a separate option to cover such threats, now it is a much more common feature for antivirus programs.
You can select the extended databases by going to KAV's settings, clicking on Threats and exclusions, and then selecting the extended database.
Be sure to read the pop-up message when choosing a database from the dropdown list.
We released our last cumulative update at the end of this January. What are the advantages for our customers?
However, our new system of antivirus updates is available only via the Kaspersky Updater module.
In spite of the steps taken by the IT industry, the evolution of the Internet is accompanied by the evolution of malicious code. Proof of this is our statistics on the number of new entries to the signature base for Kaspersky Anti-Virus.
[Graph: Number of signatures added to the Kaspersky Anti-Virus database every year (2001 - 2004)]
Our graph shows that the number of malicious programs continues to increase. And it seems certain that this trend will continue - and we will continue to detect increasing numbers of viruses, worms, Trojans and other malicious programs.
We will be publishing some more detailed statistics on our antivirus databases in the near future. Watch this site...