Friday, October 12, 2007

Creepy kitty

Their social engineering team hasn't run out of ideas yet, but the attacks are starting to look a bit creepy. Here is a screenshot of the latest Storm-related attack site:
It's not reproduced all that well in this blog posting, but the image is a Flash file, and the cat's head vibrates up and down rapidly.
So now they are targeting the group of people who forward disgustingly "cute" pictures of animals.

At the bottom of this page, when visited with Firefox, the authors include a treat -- if you don't want to download and run the malicious "SuperLaugh.exe" file hosted on the site, they'll run it without your permission by attacking the Windows Media Player vulnerability. If you use Firefox, be sure to update it by clicking Help -> Check for Updates...
The pages also attack IE and Opera, so be sure to update those if you haven't already.
All exploits from these Storm-related web pages are stopped by Threatfire, as always...

Wednesday, October 10, 2007

Which one is best?

That question always comes up. Anyone in computing who has anything to do with security hears it while they are eating, at a wedding, while hiking, wherever: "Which scanner should I be using?" It's not exactly the easiest question to answer, and it's one the industry itself struggles to answer.

Reviewers have a hard time answering the question too. Andreas Marx, a well-known reviewer, presented problems with fundamental ways in which the products are tested here. Another well-known reviewer, Andreas Clementi, blogged about the issue as he sees it here.

Every day, there are fresh malicious drive-by sites and new emails with executable payloads. It's not all that difficult to submit these executables to http://virusscan.jotti.org or http://www.threatexpert.com. This one, getexe.exe, was downloaded and run without permission by a malicious web site in our lab a few hours ago:
Unfortunately, the source code (both Delphi and assembly) for this LdPinch has been available for a few years now. The first version came out in 2001, written by a "student" in Russia. So, let's optimistically try another set of scanners and take a look at some other AV scanners' detection results:
Seriously? How does a computer professional recommend security software when they see results like that? Which is best?

To be honest, if you've already found one that you like, that is stable, and that rates well consistently in reviews, it's probably pretty good. But you've also most likely paid quite a bit for it and don't know its weaknesses. You can try a free AV here: http://www.pctools.com/

There are always tradeoffs for security products, between accuracy, speed, performance and overall effectiveness -- it's very difficult to find the right balance. The strength of the best signature-based scanners is accuracy against known threats, but I believe their weakness is timeliness and effectiveness against new, unknown, or changing threats (including ones that have been publicly available, along with their source code, for years, ahem).

We always fall back to the line that Threatfire is a fantastic free complement to any av solution, whatever you're running...it will stop the new, unknown, and changing threats, even the one from this afternoon that we ran across:
Set aside the confusion of identifying which scanner is best. You can snag a free copy at http://www.threatfire.com/.

That's all the shameless self-promoting we have for now...

Tuesday, October 2, 2007

Threatfire v3.0 awarded PCMag Editors' Choice

PCMag.com published a review of Threatfire alongside a handful of other competing "non-signature anti-malware" products. They gave us the "PCMag Editors' Choice" award and 4.5 stars out of five. I love seeing statements like this one from reviewer Neil Rubenking:


"ThreatFire 3's ability to block installation of malware strictly by identifying bad behavior is phenomenal. It did a better (and faster) job than Norton AntiBot and even beat out Spy Sweeper, our current Editors' Choice for signature-based antispyware. This free tool is an excellent addition to your security arsenal."


You can read the PCMag article here.

Virus Bulletin 2007 a success

The VB2007 conference was a fine one this year in Vienna, Austria, with plenty of great presentations from some talented researchers.

PC Tools researchers' papers were selected for two of the "Last minute technical presentations" this year.
My talented colleague Sergei Shevchenko presented his automated analysis system "Threat Expert". You can check out the system here.

Slides from the "Storm - Malware 2.0 has arrived" presentation can be found at the Virus Bulletin web site here.
Appropriately enough for such a current and relevant threat, there seemed to be quite a bit of interest in my presentation's content from other AV vendors and researchers. Thanks to everyone for your comments and feedback following the presentation.
As always, our Threatfire product continues to prevent Storm's behaviors in the wild. If you haven't already, you can download it for free at the Threatfire website.

A couple of other favorite presentations (that weren't from Sergei and myself) were Alex Hinchliffe's paper "Patching. Is it always with the best intentions?" and Roel Schouwenberg's "Targeted Banker malware on demand". Very interesting and well researched.
These papers were part of the conference proceedings, and other excellent papers can be found at Virus Bulletin. If you haven't subscribed to Virus Bulletin, you can find it here.