Posts Tagged ‘virus’

May 11th, 2012

Kaspersky Endpoint Security 8 for Windows Tops Corporate Solutions in VB100 Test

Two Kaspersky Lab products – Kaspersky Endpoint Security 8 for Windows and Kaspersky Internet Security 2012 – have won prestigious awards in independent testing conducted by the authoritative British magazine Virus Bulletin in April 2012.

View post:
Kaspersky Endpoint Security 8 for Windows Tops Corporate Solutions in VB100 Test

May 2nd, 2012

Support Scam Poll

Apologies if you're bored with my banging on about PC support scams, but it seems that there are plenty of people who aren't. At any rate, some of my previous blogs on the subject have attracted more comments than any of my blogs on other topics, and in fact,

May 1st, 2012

Targeting ZeroAccess Rootkit’s Achilles’ Heel

Proliferation

ZeroAccess is one of the most talked-about and blogged-about [1], [2] rootkits in recent times. It is also one of the most complex and most prevalent rootkits we have encountered, and it is still evolving. The ZeroAccess rootkit is distributed via both social engineering and exploitation. A recent blog post by our colleagues at McAfee describes some of the odd methods this rootkit adopts to get installed on machines without getting noticed.

One of the goals of this rootkit is to create a powerful peer-to-peer botnet, which is capable of downloading additional malware onto the infected system. This botnet is reportedly [3] involved in click fraud, downloading rogue antivirus applications, and generating spam.

This Google map of the United States shows McAfee VirusScan consumer nodes reporting unique ZeroAccess detection over the past week.

Our consumer data for the past month shows close to 4,000 unique systems detecting ZeroAccess daily. And the trend is continuing upward.

Installation

In my recent analysis of this rootkit, I was looking to understand the initial installation mechanism. The installation of ZeroAccess involves overwriting a legitimate driver on disk with the malicious rootkit driver. Step 1 usually varies between variants: some variants directly overwrite a legitimate driver, while others first inject the malicious code into trusted processes such as explorer.exe and then overwrite the driver from the injected code (this is done to bypass various security products and to make analysis more challenging). During Step 1, the original driver code is kept in memory. The driver that is overwritten in Step 2 is randomly selected (details here [1]); in the discussion below we assume CDROM.sys is being overwritten. Steps 2 through 8 are fairly constant across variants of ZeroAccess. Once the driver is overwritten by malicious code, it is loaded into kernel space. The first task of the kernel-mode code is to set up the malware to survive reboots and to forge the view of the overwritten driver (CDROM.sys).

Let's move on to see how this scheme works in Step 5 – Step 8. In Step 5, ZeroAccess intercepts disk I/O by hooking the DeviceExtension->LowerDeviceObject field in the \Driver\Disk DEVICE_OBJECT. From then on, any disk I/O goes through the rootkit's malicious routine. In Step 6, the kernel-mode code has access to the clean image of the CDROM.sys driver stored in memory, and to survive reboots it flushes that image to disk using the ZwFlushVirtualMemory API. Interestingly, the request to flush the clean image is sent to the file CDROM.sys, which at first glance looks counterintuitive. Why would the rootkit want to write the clean image to the file it just infected in Step 2? Looking more closely, the rootkit is actually using its own disk I/O redirection framework. When this request to store the clean image on disk traverses the virtual driver stack shown in Step 7, it is encrypted and redirected (Step 8) to the rootkit's "protected" folder, created in Step 3, instead of going to the actual CDROM.sys. The result is that any scanner reading CDROM.sys through the normal file system path is served the clean image, while the malicious code remains in the real driver file.
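The redirection described in Steps 5 through 8 is what makes the overwritten driver look clean to an on-line scanner. The following is an added example, not code from the McAfee post, that models this in pure Python from a defender's side: a constructed "raw disk", a file API with the redirection hook applied to the infected driver path, and a cross-view check that hashes the same file as seen through the hooked file API, as it actually sits on disk, and as the kernel loaded it. A mismatch between the views is the signal. All driver images, paths and the protected-folder name are constructed placeholders, and the raw-disk view stands in for a read taken below the hooked layer (for instance an offline scan from clean boot media), which is an assumption of the model rather than something the post describes.

```python
"""Cross-view integrity check for a driver whose file view is forged.

Constructed model (not the rootkit's code and not a real driver stack):
the infected path CDROM.sys is overwritten on disk, but reads and writes
aimed at that path through the hooked file API are redirected to the
clean copy parked in a "protected" folder, so a file-API-only scanner is
shown a pristine driver.
"""
import hashlib

# Constructed stand-ins for PE images; real files would be far larger.
CLEAN_CDROM = b"MZ clean cdrom.sys image (constructed sample bytes)"
MALICIOUS_CDROM = b"MZ rootkit payload image (constructed sample bytes)"

DRIVER_PATH = r"C:\Windows\System32\drivers\cdrom.sys"
PROTECTED_PATH = r"C:\Windows\<protected-folder-placeholder>\cdrom.sys"


class RawDisk:
    """What is really stored at each path, independent of any hook."""

    def __init__(self):
        self.blocks = {}

    def write(self, path, data):
        self.blocks[path] = bytes(data)

    def read(self, path):
        return self.blocks[path]


class FileApi:
    """Unhooked file API: reads and writes go straight to the disk."""

    def __init__(self, disk):
        self.disk = disk

    def read(self, path):
        return self.disk.read(path)

    def write(self, path, data):
        self.disk.write(path, data)


class RedirectingFileApi(FileApi):
    """Models the LowerDeviceObject hook (Step 5): I/O aimed at the
    infected driver path is silently redirected to the protected copy."""

    def __init__(self, disk, infected_path, protected_path):
        super().__init__(disk)
        self.infected_path = infected_path
        self.protected_path = protected_path

    def _target(self, path):
        return self.protected_path if path == self.infected_path else path

    def read(self, path):
        return self.disk.read(self._target(path))

    def write(self, path, data):
        self.disk.write(self._target(path), data)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def cross_view_check(file_api, disk, path, loaded_image):
    """Compare three views of one driver: file API, raw disk, loaded image.

    Returns a dict of hashes plus two booleans; either True means the
    file system view cannot be trusted for this path."""
    api_hash = sha256_hex(file_api.read(path))
    raw_hash = sha256_hex(disk.read(path))
    mem_hash = sha256_hex(loaded_image)
    return {
        "file_api_sha256": api_hash,
        "raw_disk_sha256": raw_hash,
        "loaded_image_sha256": mem_hash,
        "api_vs_raw_mismatch": api_hash != raw_hash,
        "api_vs_loaded_mismatch": api_hash != mem_hash,
    }


def simulate_infection():
    """Walk the steps from the post on the constructed disk model."""
    disk = RawDisk()
    disk.write(DRIVER_PATH, CLEAN_CDROM)
    clean_in_memory = disk.read(DRIVER_PATH)      # Step 1: clean copy kept
    disk.write(DRIVER_PATH, MALICIOUS_CDROM)      # Step 2: driver overwritten
    loaded_image = disk.read(DRIVER_PATH)         # kernel loads the malicious file
    hooked_api = RedirectingFileApi(disk, DRIVER_PATH, PROTECTED_PATH)  # Step 5
    hooked_api.write(DRIVER_PATH, clean_in_memory)  # Steps 6-8: lands in protected folder
    return hooked_api, disk, loaded_image


if __name__ == "__main__":
    api, disk, loaded = simulate_infection()
    print("file API view is clean:", api.read(DRIVER_PATH) == CLEAN_CDROM)
    for k, v in cross_view_check(api, disk, DRIVER_PATH, loaded).items():
        print(f"{k}: {v}")
```

The point of the model is the last function: a scanner that trusts only the file API sees the clean image and reports nothing, while comparing that view against the raw disk or the loaded image exposes the substitution. In practice the trustworthy "raw" view has to be obtained below the hooked layer, which is why offline scanning from clean media remains the reliable way to verify a driver file that a live system insists is clean.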

April 28th, 2012

AVP received its 10th Virus Bulletin 100% award

A gift for the 10th anniversary of AVP. Cambridge, UK, November 1, 1999 – Virus Bulletin, an authoritative British magazine on computer virus countermeasures, published the results of its latest comparative tests. AntiViral Toolkit Pro (AVP) from Kaspersky Labs Int. managed to gain its tenth VB 100%…

Read the original post:
AVP received its 10th Virus Bulletin 100% award

April 24th, 2012

avast! Free Antivirus for Mac and the Flashback botnet

Mac computers running the beta version of avast! Free Antivirus for Mac were not infected by the Flashback Trojan.

“We’ve confirmed our app’s detection abilities for Flashback within the test lab and with reports from our beta testers,” says Jiri Sejtko, director of AVAST Virus Lab operations.

The Flashback Trojan linked to the Mac botnet is a derivative of last year’s DevilRobber Mac OS X Trojan. The AVAST Virus Lab now has 18 variants of this malware in its antivirus database.

“With an estimated 600,000 infected Macs, this botnet is just a large example that the Apple operating system is not immune from malware,” said Jiri. “Add a growing market share that makes Mac an attractive target for the bad guys together with a user base that insists they do not need a security app – you have all the conditions in place for an epidemic to rip through.”

The latest Flashback variants can infect vulnerable Macs without requiring the victim to enter a password. “Mac malware has historically been dependent on social engineering – convincing the user to enter the required password. Now these days are over and Mac users can pick up malware just by visiting an infected website,” adds Jiri. “Welcome to the real world.”

Flashback is a logical step in Mac malware's steady evolution, he points out. Initial malware samples were rather simple, just compiler-generated code with no encryption whatsoever, but it has since evolved to be more "custom", with encrypted strings and code, and structured to avoid security apps like Little Snitch (firewall software for Mac OS) or Apple's XProtect. During 2011, there were some large-scale attempts to spread Mac malware via Google Image poisoning.

“It takes 1-2 years for malware guys to adapt to a new technology – it took a similar time when they switched from DOS to Windows. This latest botnet did not fall out of the clear blue sky. The conditions have been building for some time and I’m glad that our security app will soon be available for Mac users,” says Jiri.

avast! Free Antivirus for Mac is currently in the late BETA stage. It includes the latest avast! antivirus engine, three shields (Web, File, and Mail) and the WebRep reputation and anti-phishing plugin for the Safari browser. avast! Free Antivirus for Mac builds on the AVAST Software tradition of providing a full-fledged security app which is completely free. More details coming very soon.

More:
avast! Free Antivirus for Mac and the Flashback botnet

April 22nd, 2012

Kaspersky Lab’s AntiViral Toolkit Pro receives VB100% award

AntiViral Toolkit Pro is the absolute leader in Virus Bulletin tests. Cambridge, UK, April 3, 2000 – According to the results of the latest comparative tests of different anti-virus products published in the April issue of the British magazine Virus Bulletin (www.virusbtn.com), Kaspersky Lab's…

Here is the original post:
Kaspersky Lab’s AntiViral Toolkit Pro receives VB100% award

April 19th, 2012

Malware ate my homework

Missing homework used to be blamed on the family dog, but now the focus has shifted to the computer. And sometimes – as this user note shows – malware really is to blame.

"My avast! Free version will not let me check teacher's blogs at my daughter's high school website. avast! just started blocking this site about 1 week ago. We can't find any way on avast! Free to 'allow' a trusted site. What do we do?" wrote a concerned parent from Harrison High School in Georgia.

The problem was not with avast! – the school’s site (http://harrisonhigh.org) really did have an infection.

"For unprotected visitors, it was the same schema as usual," says Jan Sirmer, analyst at the AVAST Virus Lab. "A screen with a fake AV appears in the browser and forces you to download that AV and pay money for it."

"The attack, not surprisingly :) , focused on WordPress," he adds. "There were redirections to sub-sites at rr.nu. There we detected more sites such as cie69svoi.rr.nu and ordonv12ectorct.rr.nu. Those sites redirected visitors to a site with the rogue antivirus."

In this case, the concerned parents did the right thing. Instead of switching their avast! off so they could visit this "trusted" site, they wrote a note to the AVAST Virus Lab. That likely saved them from installing a fake antivirus on their computer.

The AVAST Virus Lab is not sure how this school site came to be infected. It could have been vulnerable through outdated software or simply had the malware brought into school on an infected memory stick. Issues with WordPress and connected plugins are common. A recent review of over 6,000 infected sites with the “.com” top level domain showed that 13.6% of them involved WordPress vulnerabilities.

But, the moral of the story is clear: If you get a malware alert, pay attention. Especially if it is a trusted site like your kid’s school.

April 17th, 2012

TIMOFONICA Virus: Questions and Answers

How Does the Virus Attack Mobile Phones? What is Timofonica? What are SMS Messages and SMS-Gate? Is it Possible for this Virus to Infect My Mobile Phone? How Big of a Problem are Wireless Viruses for Wireless Operators? Is this Related to the ILoveYou Virus? What Can Users Do if Their Phones Get…

Here is the original post:
TIMOFONICA Virus: Questions and Answers

April 15th, 2012

Dilber: A Shuttle Full of Viruses

Only the inadvertence of the virus writer saved the world from a global epidemic. Cambridge, UK, July 3, 2000 – Kaspersky Labs Int., an international anti-virus software development company, announces the discovery of a new Internet worm, "Dilber." It carries an extremely dangerous payload and, to…

Original post:
Dilber: A Shuttle Full of Viruses

April 13th, 2012

A New Generation of Windows 2000 Viruses is Streaming Towards PC Users

Moscow, Russia, September 4, 2000 – Kaspersky Lab, an international anti-virus software development company, announces the discovery of W2K.Stream virus, which represents a new generation of malicious programs for Windows 2000. This virus uses a new breakthrough technology based on the “Stream Companion” method for self-embedding into the NTFS file system.

Go here to read the rest:
A New Generation of Windows 2000 Viruses is Streaming Towards PC Users
