Archive for the ‘AntiMalware Solutions’ Category

AMTSO Conference – Prague

Monday, October 12th, 2009

Yesterday’s AMTSO conference brought with it formal announcements of Board positions, new tools for the AMTSO to offer testers (be sure to join the group!) and potential new efforts. There were some Board updates due to terms expiring, and discussion about the group’s directions. The meeting and its agenda are posted at the site’s meeting link.

The group continues to pursue ways to improve testing methods, and finding and collecting malware has always been an area needing improvement. The group is working to ensure that test samples are current and that the test material exercises products in ways that adequately support reviewer conclusions.

Various papers were discussed and only two of these were put up for a vote. The group passed the two important papers today, which will be posted to the website soon — “Issues in Creating Samples for Testing” and “Network AV Testing”.

Dave’s $30 Billion Smashter Prediction

Monday, December 8th, 2008

Sometimes you get a crystal ball prediction and gimmickry. Sometimes you get something with real insight. Dave Aitel’s real insight on DailyDave this morning focused on a NY Times article about the U.S. federal government’s National Security Presidential Directive 54/Homeland Security Presidential Directive 23 that Bush signed in January 2008:
“Faster, smashter. When I see 30 billion dollars, I can tell you what you’re going to get, as a taxpayer, for your money: Patch management, IDS, Anti-Virus, scanners of all shapes and sizes. Audits. Big rooms full of large screens correlating information that has absolutely no relevance to security. You can’t correlate what you can’t see. You can’t patch what you don’t know about.
Mr. Markoff is trying to tell us that the defenders are losing the battle. But if they are, it’s because they *chose* to. Hackers use 0day and always have. The defenders are off making millions selling things that don’t work against 0day.
I guess what I’m trying to say here is that at this point the attackers are just “reasonably competent”. When it comes to offensive information security, we ain’t seen nothing yet.”

NPR, the Washington Post, and the NYT have all been spending more time reporting on computer security. It was very interesting to hear a guest on Boston NPR’s hour-long “On Point” this morning discussing characteristics of Secretary of Defense Robert Gates’ laptop and other PC-based resources at the U.S. Department of Defense, as well as the legal arm-twisting used to silence individuals who have participated in security breach investigations. And therein lies the real problem. All the discussion in the world about network security is useless when talk about real issues is silenced, and the individuals who need to protect their organization’s data do not understand, or cannot describe, what they need to protect it from.

Crack.exe

Tuesday, December 2nd, 2008

If you find yourself installing and running cracks and keygens that you’re downloading over LimeWire, stop what you’re doing. First, stop using cracks and pirated software. Second, nothing is truly free.

Limewire users have been seeing various keygens offered over their P2P connections. Over the past few days, there have been multiple releases of AVG LICENSE KEY CRACK BY [SSG].ZIP, HALO KEYGEN BY [ZWT].ZIP, REALTEK AUDIO DRIVER CRACKED BY -=ROGUE=-.ZIP, and NERO 9 NO PATENT CRACK BY ZWT.ZIP. And surprise, surprise, all of these files come with a little treat inside, crack.exe. We’ve seen this sort of keygen package bundled with some severe malware in the past, and we continue to see downloaders and adware installed by this stuff.

Taking a quick look, we find that this dropper will disable the Windows Security Center and Firewall. It will then scan through the system32 directory, attempting to find a random dll name string to borrow from, and then select some digits from the system time to create its dropped dll name string, always ending with “32.dll”. For our ThreatExpert report, the malicious downloader file name created was “glu3232.dll”, and we can identify pieces of the code used to create a random portion of the name here:


and the concatenation of that semi-randomized string with “32.dll” here:
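The naming scheme described above (a fragment borrowed from an existing system32 DLL, some clock digits, then the fixed “32.dll” suffix) can be turned into a simple hunting heuristic for a file-name inventory. The following is an added example, not code from the original post or from the ThreatExpert report; the allow-list and the directory listing it scans are constructed, and the sample names other than glu3232.dll are invented for illustration.

```python
"""Flag DLL names shaped like <borrowed stem><digits>32.dll.

Added example with a constructed allow-list; not a real system32 inventory.
"""
import re
from typing import Iterable, Optional, Set

# Constructed stand-in for a known-good system32 inventory (hypothetical list).
KNOWN_SYSTEM32: Set[str] = {
    "glu32.dll", "kernel32.dll", "user32.dll", "gdi32.dll",
    "advapi32.dll", "ws2_32.dll", "msvcrt.dll", "shell32.dll",
}

SUFFIX = "32.dll"
TRAILING_DIGITS = re.compile(r"\d+$")


def suspicious_stem(name: str, known: Set[str]) -> Optional[str]:
    """Return the borrowed stem if `name` matches the dropper's naming scheme.

    Scheme: a prefix of a legitimate DLL name, at least one inserted digit
    (the dropper takes digits from the system time), then "32.dll".
    Names already on the allow-list are never flagged.
    """
    lower = name.lower()
    if lower in known or not lower.endswith(SUFFIX):
        return None
    core = lower[: -len(SUFFIX)]
    stem = TRAILING_DIGITS.sub("", core)
    if not stem or stem == core:          # require inserted digits
        return None
    # The borrowed fragment must be the start of some legitimate DLL's name.
    if any(dll.startswith(stem) for dll in known):
        return stem
    return None


def hunt(names: Iterable[str], known: Set[str] = KNOWN_SYSTEM32) -> dict:
    """Map each flagged file name to the legitimate stem it appears to borrow."""
    hits = {}
    for n in names:
        stem = suspicious_stem(n, known)
        if stem is not None:
            hits[n] = stem
    return hits


if __name__ == "__main__":
    # Constructed listing: legitimate names plus two dropper-style names.
    sample = ["kernel32.dll", "glu3232.dll", "user32.dll", "gdi4732.dll",
              "msvcrt.dll", "notadll32.dll"]
    for name, stem in hunt(sample).items():
        print(f"suspicious: {name} (borrows from '{stem}')")
```

On a real host, replace the constructed allow-list with a hash-verified inventory of the system directory, since a name match alone is only a lead to investigate, not a verdict.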