A free AV product protecting a Windows XP machine, right?
Over the weekend, someone wrote to us complaining that Kaspersky Lab was sending spam. Naturally, this came as a bit of a surprise, seeing as how we do nothing of the sort; in fact we do quite the reverse: we combat spam. Of course, we wanted to find out why a user had come to the conclusion that Kaspersky Lab was sending spam to them.
The email that the user complained about had all the hallmarks of a typical online scam: behind the nice pictures reminiscent of Kaspersky Lab’s official advertising there was a link that had absolutely nothing in common with the company’s products. The cybercriminals had done a good job: the email not only looked like an official email from Kaspersky Lab but the “From” field was a good imitation as well.
After clicking the link, a user unwittingly ends up on a website with an offer to buy a program called Best Antivirus Online. It has to be said that the image of the “product box” on the web page was not unlike Symantec’s signature design – black font against a predominantly yellow background. To buy the program, the user had to enter their credit card details and email address so they could receive further instructions. We followed these steps as part of our investigation, but received no further instructions at the email address we specified. It is quite possible that users could have received instructions on how to download the fake antivirus while the spam campaign was still active.
This is not the first time cybercriminals have made use of Kaspersky Lab products. We have noticed on several occasions that the distributors of fake antiviruses have tried to make their “product” interfaces similar to those of KIS or KAV. Spammers distributing offers of cheap software often stress in their emails that Kaspersky Lab’s products are available on their sites at bargain prices.
This level of awareness by the cybercriminals is a clear indication that Kaspersky Lab products are popular and trusted. They are taking advantage of users’ trust in Kaspersky Lab as a social engineering tool, hoping that the familiar green design will lull users into a false sense of security and make them click the malicious link.
It should be noted that not only Kaspersky Lab has attracted the attention of malicious users. A week or so ago, we received similar messages that imitated a mailing from Adobe. The link in the message led to a suspicious-looking “pdf reader”. The site’s template was identical to the template used for Best Antivirus Online, only the color scheme was different. In early October, a similar site was linked to emails with offers to download a new version of iTunes dedicated to Steve Jobs. The color scheme then was completely different, but the site template was the same.
At the time the user wrote to us, Kaspersky Lab products detected both the spam messages and the malicious site linked to in them. But we urge users not only to trust our products but also to be vigilant when surfing the net. And remember: no reputable company would send spam messages!
On 28th August, the latest update for Mac OS X was released - Snow Leopard. Version 10.6 differs in one very telling way from previous versions - for the first time in Apple's long history, the company has implemented an antivirus scanner.
Rumours about the antivirus function in the release build of Snow Leopard surfaced a few days ago. Screenshots showing a window detecting one of the well-known Trojans for Mac OS X were published on the Internet. The effect was pretty explosive - it wasn't so long ago that Apple made a very inconsistent statement about the necessity (or rather the lack of it) of antivirus for their operating system.
Official company spokespeople declined to comment on this issue prior to the release of version 10.6, hinting that after 28th August, they might be able to say more. And now the release date has been and gone, with the facts of the matter that managed to leak out having now been confirmed.
Online antivirus services such as VirusTotal (www.virustotal.com) and VirusScan (http://virusscan.jotti.org) have been around for a few years now. Services like this mean that any user can scan a suspicious file for malicious code online. These services differ from the online scanners offered on antivirus vendor sites by scanning files with several antivirus products simultaneously. For instance, VirusTotal currently uses 32 antivirus products to check suspicious files!
But as so often happens, something that can be used for good – helping users check the integrity of their files – can also be used by virus writers. They quickly caught on to the fact that services like the ones mentioned above could be used to test how well their creations can evade popular antivirus solutions. If a new Trojan or worm can be detected by an antivirus, the author will deliberately modify it until it isn't detected any more. The result? The heuristics used in the vast majority of antivirus products are helpless when confronted by such carefully prepared malicious programs.
By default, VirusScan, VirusTotal and other services send all suspicious files to antivirus companies. If a file is detected by, say, 10 antivirus products, and the other 22 don't detect it, the file will be sent to the 22 relevant virus labs for analysis and to be added to the antivirus database. This significantly reduces the time taken by antivirus companies to react during epidemics and also increases the overall detection rate. If the user doesn't want a file to be sent to the antivirus company, then s/he has to disable this option when scanning the file.
However, there's a rumour in virus writing circles that all files are sent to virus labs, regardless of whether or not the option is enabled. Cyber criminals are now offering a solution for the tin-foil hat brigade – similar services designed expressly for virus writers. You have to pay to use the service, but there's a guarantee that no file will be sent to an antivirus company.
Kudos to our development folks who've come up with a public beta version of the interesting KAV Web Scanner, a free service which scans your computer for viruses, and runs directly from a web page on our site.
We encourage everybody to go ahead and take a look:
Please keep in mind this is not a finished product so we are especially interested in any opinions and/or suggestions you may have. Feedback, queries and (ahem) bug reports should go to: webscannerbeta (at) kaspersky (dot) com
Microsoft has released a beta version of its antispyware program.
Response from the IT community has been mixed so far, not surprisingly.
For instance, today we received a report about MS AntiSpyware flagging a suspicious file:
"c:\winnt\system32\notpad.exe" was detected as a Remote Administration Tool.
This file - which was a French version of notepad - would normally be called notepad.exe. For some reason, we don't know why, the file was renamed as notpad.exe.
When we looked closely, it was clear what this file was. So we figured that MS AntiSpyware had a faulty signature, meaning this particular French version of notepad was detected as ItEye RAT.
Not every version (language, build) of every (Windows) file gets tested to check for false alarms, so this might have slipped by.
However we quickly realized that it was the combination of file name/location that made MS AntiSpyware go off.
In fact, the beta version of MS AntiSpyware detects any file with the name "notpad.exe" - even a completely empty one - residing in %sysdir% as being this particular RAT.
So at least a part of the "ItEye RAT" detection is strictly based on filename/location, which can result in situations like these.
Because of this, we think it's best to detect files by file signatures, not location.
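To make the point above concrete, here is a small added example (not code from the post or from either vendor) that contrasts a filename/location-only rule, modelled on the behaviour described, with a content-hash rule. The "ItEye RAT" detection names, the fake %sysdir% built in a temp directory and the stand-in sample bytes are all constructed for the illustration.

```python
import hashlib
import os
import tempfile
from typing import Dict, Optional

# Constructed stand-in for a detected sample; this is NOT real malware content.
SAMPLE_BYTES = b"CONSTRUCTED-SAMPLE: stand-in for a detected RAT binary"
# A tiny content-based "signature database": sha256 -> detection name (constructed).
SIGNATURES: Dict[str, str] = {
    hashlib.sha256(SAMPLE_BYTES).hexdigest(): "ItEye RAT (content signature)",
}

def location_rule(path: str, sysdir: str) -> Optional[str]:
    """Filename/location-only rule, modelled on the behaviour the post describes:
    any file called notpad.exe inside the system directory is flagged,
    regardless of what the file contains."""
    same_dir = os.path.normcase(os.path.dirname(path)) == os.path.normcase(sysdir)
    if same_dir and os.path.basename(path).lower() == "notpad.exe":
        return "ItEye RAT (location rule)"
    return None

def content_rule(path: str) -> Optional[str]:
    """Content-based rule: hash the bytes and look them up, ignoring name and location."""
    with open(path, "rb") as fh:
        return SIGNATURES.get(hashlib.sha256(fh.read()).hexdigest())

def compare_rules() -> Dict[str, Dict[str, Optional[str]]]:
    """Build a fake %sysdir% with two files and run both rules over each:
    - notpad.exe: completely empty, the false-positive case from the post
    - other/readme.txt: the constructed sample under an innocuous name elsewhere"""
    results: Dict[str, Dict[str, Optional[str]]] = {}
    with tempfile.TemporaryDirectory() as sysdir:
        empty = os.path.join(sysdir, "notpad.exe")
        with open(empty, "wb"):
            pass  # zero bytes, mirroring the "completely empty" file in the post
        other_dir = os.path.join(sysdir, "other")
        os.mkdir(other_dir)
        renamed = os.path.join(other_dir, "readme.txt")
        with open(renamed, "wb") as fh:
            fh.write(SAMPLE_BYTES)
        for name, path in (("empty_notpad", empty), ("renamed_sample", renamed)):
            results[name] = {
                "location_rule": location_rule(path, sysdir),
                "content_rule": content_rule(path),
            }
    return results

if __name__ == "__main__":
    for name, verdicts in compare_rules().items():
        print(name, verdicts)
```

The empty notpad.exe trips only the location rule (a false positive), while the renamed sample is caught only by the content rule, which is exactly why the post prefers signatures over locations.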
Microsoft has just announced the availability of their Anti-Spyware software tool, based on code purchased at the end of last year from NY-based "Giant". The software download is a 6.4MB executable which can be obtained from:
Keep in mind that, as with any other beta software, this may have unexpected results. Test it on a spare system before running it on your production servers!
Also keep in mind that KAV can detect and remove many kinds of spyware by simply activating the download and usage of 'extended databases', in the Updater Configuration panel.
I read an interesting article recently on the cost of anti-virus products. The article considers the increasing cost of some anti-virus products, as vendors try to steer users towards product suites that include not just anti-virus, but also personal firewall, anti-spam and IDS. The article concludes with the message that users should shop around and not allow themselves to be pressured into buying a suite from a single vendor.
It's hard to argue with that: it makes perfect sense. However, it's a shame that price and brand recognition are considered here to be the only criteria. As if all other things are equal. Sadly they're not. What about a product's ability to protect you from attack? Isn't this a key factor in deciding which product to use?
It's true that it's not always easy for customers to determine which product is best, but that's not to say that it doesn't matter. And a vendor's track record in a range of independent tests is always a good guideline when looking at a product's performance. There's a paper in the 'Publications' section of the ESAC [European Scientific Antivirus Centre] web site if you're interested in further information.
Shop around? Definitely. But remember that cost isn't the only factor and don't let poor detection be the price you pay for selecting a cheaper product.