Category Archives: Security News

On this page you will find links to selected IT-security related news articles from various sources, including news from conferences and some test results. Posts in this category may be written by external contributors and students. If you come across interesting news, please let us know!

Malware in the media – July’s “ignorance is bliss”

The Internet of Things (IoT) promises to make life easy, but Panda calls it “the next cyber security nightmare” and CSO ranked “the Internet of malicious things” as the number one threat for 2017. Shortly after the NotPetya ransom-worm, the first ever Wi-Fi worm was unveiled: Broadpwn!

On July 27th, Nitay Artenstein demonstrated the first successful Wi-Fi worm at Black Hat USA 2017. Broadpwn exploits a vulnerability in Broadcom Wi-Fi chipsets that could potentially have affected over a billion smartphones. Luckily both Google and Apple had released patches before the public disclosure (ignorance is bliss). Because the flaw is reachable over the air by anyone within radio range, without any user interaction, a device that never receives its patch stays exposed.

Immediately another Wi-Fi-related story came to mind: a practical joke published on July 18th by Purple, a Wi-Fi marketing and provisioning company. 22,000 people accepted a free Wi-Fi EULA without reading it and committed themselves to 1,000 hours of community service, such as cleaning toilets at public events (is ignorance really bliss?).

Combine the ability of the Broadpwn worm to spread over the air with the eagerness of people seeking free Wi-Fi, and the IoT suggests a gloomy outlook of titanic ignorance proportions. But is it really that dark? Let’s have a look at what positive influences can be expected from legislation, law and the growing insight of the (IT) industry itself.

According to Bitdefender, a Swedish government outsourcing blunder exposed sensitive military data, along with the names, addresses and photos of people in the witness protection program. Perhaps the resignation of two Swedish ministers and the recent targeted ransom-worm attacks on critical infrastructure are a wake-up call for politicians.

When both the general public and governments show little concern about privacy and security, there is little incentive for smart-product vendors to adapt their procedures, protocols and software to the security standards that the cloud and the Internet of Things require.

So our last hope is the (security) industry itself. In our Pi-hole blog we already noted that antivirus vendors have partnered with hardware vendors. Tencent and Tesla have taken this partnership a step further: Tencent now owns five percent of Tesla’s shares and helps Tesla improve the security of the Model X’s car control systems. Maybe such cross-industry alliances are the way to tackle the security challenges of the IoT. After all, when IT is an integral part of a smart product, IT security has to be an integral part of that product too.

Spotlight on security: Bob Dylan & Dalai Lama on threats & transparency

At first glance the WannaCry and NotPetya outbreaks are no different from the CryptoLocker outbreak of 2013 or the CryptoWall outbreak of 2014. Some of us may even remember the first file-encrypting malware, the PC Cyborg Trojan (aka AIDS Trojan), discovered in 1989. So security insiders may ask themselves in despair: how many fools does it take to make the same mistake over and over again?

To quote Bob Dylan, “the times they are a-changin’”, because the recent crypto-ransomware outbreaks changed the mindset of the public, the press and ultimately politicians:

  • The first ever case of cyber cooperation at EU level between the national Computer Security Incident Response Teams.
  • The first EU-wide legislation on cyber security to harmonize and harden network and infrastructure security for both critical infrastructure (energy, water, banking, etc.) and digital infrastructure.
  • The first framework for a joint EU diplomatic response to malicious cyber-attacks against one of its members.
  • The NATO Cooperative Cyber Defence Centre of Excellence concluded that “the global outbreak of WannaCry and NotPetya called for a Joint Response from International Community”.

Politicians finally realize that cyber-attacks are covert and cross-border by nature. Ironically, the cloud of confusion surrounding cyber-attacks also affects the security industry itself.

According to the Dalai Lama, “A lack of transparency results in distrust and a deep sense of insecurity”. This sense of insecurity was addressed in recent Senate Intelligence Committee hearings in which unsubstantiated allegations were made against Kaspersky Lab. In response, Eugene Kaspersky, CEO of Kaspersky Lab, said he would allow his source code to be reviewed by US officials, adding that he was ready to testify before US lawmakers as well. “Anything I can do to prove that we don’t behave maliciously I will do it.”

Code reviews are not uncommon as a condition for government contracts in China, Russia and the US (the EU officially prefers open-source software). Besides intellectual-property issues, source code is the intellectual capital of a software firm; by disclosing it, a company risks leaking its competitive advantage. Symantec, for example, refused to disclose its source code to Russia’s FSTEC, whereas other IT companies such as Cisco, IBM and McAfee agreed. Note that a review of a source-code snapshot only says something about the binaries customers actually run if the reviewer can rebuild those binaries from the reviewed code; otherwise it attests to the snapshot, not to the shipped product.

At AV-Comparatives we contribute to transparency by providing systematic testing of security software. Being the first test lab to be both ISO and EICAR certified, we have committed ourselves to maintaining the highest standards.

Malware in the media – June’s “fire in the hole”

“Fire in the hole” is a warning that an explosion is about to occur. In the old days, coal miners would yell it three times before igniting dynamite, which was used to break rock and dig the tunnels needed to extract coal. The military adopted the expression to warn of an impending explosion.

This month’s initial candidate for this blog was an adware with an explosive name: Fireball. Fireball is operated by a Chinese digital marketing agency. This browser hijacker is bundled with signed software and turns infected PCs into so-called zombies (to generate ad revenue). According to Check Point, Fireball had infected over 250 million PCs. Check Point’s estimate was based on the number of page visits to the sites that the browser hijacker redirected infected PCs to.

Microsoft posted an article explaining that it has been tracking the Fireball adware family since 2015. The monthly data gathered by the Malicious Software Removal Tool (MSRT) from 500 million PCs worldwide showed a much lower infection rate: from September 2016 to June 2017, fewer than 11 million Fireball infections were cleaned by the MSRT. The two figures measure different things (visits to the redirect targets versus machines actually cleaned), so neither is a direct count of infected PCs. While the threat is real, the reported impact of this adware family may be overblown.

Therefore this month’s “malware in the media” title goes to infrastructure-attacking malware. June was the month in which Ukraine and the successors of Stuxnet dominated the media. First came ‘Industroyer’, also known as ‘CrashOverride’: the same malware, discovered and named independently by ESET (Industroyer) and Dragos (CrashOverride), six months after it had caused an outage in Ukraine. What made this malware special was that it specifically, autonomously and automatically targeted electricity infrastructure (McAfee).

Within a fortnight, ‘Petya.A’ or ‘NotPetya’, another offspring of Stuxnet, made headlines around the world. This malware had compromised the update servers of an accounting software package; the IT systems of that software’s customers were infected by an update pushed out from those servers containing the NotPetya malware. A malicious update arriving through a legitimate vendor’s own channel passes controls that would stop an e-mail attachment, which is what made this vector so effective. Again Ukraine was hit hard (ESET). Soon Comae Technologies and Kaspersky Lab established that this malware was not ransomware but a disk wiper, with no intention or option to recover the destroyed files.

This behaviour, together with the coincidence that ‘Petya’ is the diminutive of ‘Pyotr’ or ‘Petro’, which happens to be the first name of the current President of Ukraine (Petro Poroshenko), fuelled speculation about cyber warfare. Speculation or not, it is a clear warning that companies and governments have to rethink their digital defences for critical infrastructure. We would like to finish with a quote from ESET Senior Malware Researcher Anton Cherepanov: “The recent attack on the Ukrainian power grid should serve as a wake-up call for all those responsible for the security of critical systems around the world”: Fire in the hole . . .

Spotlight on security: Pi-hole a blackhole for Internet advertisements

Starting in June, AV-Comparatives will highlight an interesting event, idea, initiative, announcement or product that will make the digital world a safer place to surf and live in. We kick off with an interesting piece of software originally developed for the Raspberry Pi, called Pi-hole.

Pi-hole is basically an ad blocker that works at the network level: it acts as the DNS server for every device on your network and answers lookups of known ad and tracker domains with a sinkhole address instead of the real one, so the client never connects to the ad server. Written for the Raspberry Pi, it now also runs on other Linux hardware and in virtual machines. You may think: big deal, I already use a hosts file or a browser extension to block trackers and advertisements, and besides, I use Android, Apple and Windows devices, not Linux. So why does Pi-hole deserve to be highlighted in our new “spotlight on security” blog series? Because, besides blocking advertisements at the earliest possible stage (the first DNS request), it has some interesting features and applications. Furthermore, Pi-hole is open source and free to use.

Your old TV set-top box and your new smart TV already connect to the internet. Soon your car will tell your air conditioning or central heating that you are leaving work, and start the microwave or oven to prepare your meal. The Internet of Things (IoT) will increase the number of devices connected to the internet in our homes. Blocking advertisements by installing software on every client will become a tedious task, and most of these devices probably won’t give you access to the OS or the pre-installed software anyway. This is where Pi-hole comes to the rescue: Pi-hole is a black hole in which internet ads and web bugs disappear, because it blocks advertisements and trackers at the network level for every device in your home that uses it as its DNS server. One caveat: a device with a hard-coded DNS server of its own bypasses Pi-hole unless the router redirects or blocks outbound DNS traffic that does not go to the Pi-hole.

People unfamiliar with Linux can rest assured: the installation of Pi-hole is well documented and supported by an automated one-step script that can be copied from the project’s website (as with any “pipe to shell” installer, download and read the script before running it as root). Pi-hole has a well-designed, easy-to-use web interface, so anyone can whitelist domains or add blocklists. The web interface offers a wealth of information about what goes on in your network: how many ads were blocked, a query log, the top domains visited, the top advertisers blocked, and more.
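To make the mechanism behind the two paragraphs above concrete, here is a small Python model of the DNS-level blocking: one resolver answers for every device, checks the queried name against a whitelist, an exact-match blocklist and a regex list in that order, returns a sinkhole address for blocked names so the client never contacts the ad server, and keeps the query log and counters the dashboard is built from. This is an added example written for this page, not Pi-hole’s own code; the adlist text, the regex entry, the query names and the “upstream” answers are all constructed for the demonstration, and the choice of 0.0.0.0 as the blocked answer is an assumption (Pi-hole’s default mode).

```python
"""
Model of DNS-level ad blocking as Pi-hole does it: every lookup on the LAN
goes through one resolver, which answers blocklisted names with a sinkhole
address instead of forwarding them upstream.
Added example, not Pi-hole's own code; all data below is constructed.
"""
import re
from collections import Counter

# Assumption: 0.0.0.0 as the blocked answer (Pi-hole's default blocking mode).
SINKHOLE = "0.0.0.0"

# Constructed adlist in the two formats most blocklists use: hosts-file
# lines ("<ip> <domain>") and bare domains. Not a real adlist.
BLOCKLIST_TEXT = """
# constructed adlist
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org
127.0.0.1 metrics.smart-tv.example   # hosts files may use 127.0.0.1 as well
telemetry.example.com                # bare-domain style entry
"""

# Constructed regex entry: exact-match lists do not cover subdomains, so a
# pattern is needed to catch every host under a domain.
REGEX_BLOCKLIST = [r"(^|\.)doubleclick-like\.test$"]

# A domain the user allowed through the web interface; the whitelist wins.
WHITELIST = {"tracker.example.org"}


def _normalise(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


def _looks_like_ip(token):
    return re.fullmatch(r"[0-9.]+|[0-9a-fA-F:]+", token) is not None


def parse_blocklist(text):
    """Return the set of domains an adlist blocks, ignoring comments."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        name = fields[1] if len(fields) > 1 and _looks_like_ip(fields[0]) else fields[0]
        domains.add(_normalise(name))
    return domains


class Sinkhole:
    """Resolver front-end: whitelist, then exact blocklist match, then regex."""

    def __init__(self, gravity, regexes, whitelist, upstream):
        self.gravity = gravity
        self.regexes = [re.compile(r) for r in regexes]
        self.whitelist = {_normalise(w) for w in whitelist}
        self.upstream = upstream   # dict standing in for a real upstream DNS server
        self.log = []              # (name, answer, status), like the query log

    def decide(self, name):
        name = _normalise(name)
        if name in self.whitelist:
            return "allowed (whitelist)"
        if name in self.gravity:
            return "blocked (blocklist)"
        if any(rx.search(name) for rx in self.regexes):
            return "blocked (regex)"
        return "forwarded"

    def resolve(self, name):
        """Answer one query; blocked names never reach the upstream server."""
        status = self.decide(name)
        if status.startswith("blocked"):
            answer = SINKHOLE
        else:
            answer = self.upstream.get(_normalise(name), "NXDOMAIN")
        self.log.append((_normalise(name), answer, status))
        return answer, status

    def stats(self):
        """The numbers the dashboard shows: total, blocked, top blocked domains."""
        blocked = [n for n, _, s in self.log if s.startswith("blocked")]
        return {"queries": len(self.log), "blocked": len(blocked),
                "top_blocked": Counter(blocked).most_common(3)}


def demo():
    """Run a handful of constructed queries through the sinkhole."""
    upstream = {"www.example.com": "93.184.216.34",      # constructed answers
                "tracker.example.org": "203.0.113.7"}
    hole = Sinkhole(parse_blocklist(BLOCKLIST_TEXT), REGEX_BLOCKLIST, WHITELIST, upstream)
    for q in ["www.example.com", "ads.example.net", "ADS.example.net.",
              "tracker.example.org", "cdn.doubleclick-like.test", "telemetry.example.com"]:
        hole.resolve(q)
    return hole


if __name__ == "__main__":
    hole = demo()
    for name, answer, status in hole.log:
        print(f"{name:28} -> {answer:14} {status}")
    print(hole.stats())
```

Run it as a script and the log shows the same name blocked regardless of case or trailing dot, the whitelisted tracker answered with its real address even though it is on the blocklist, and the regex catching a subdomain the exact list would have missed. The order of the checks is the point: a whitelist entry must be consulted before any blocklist, or the user’s exceptions never take effect.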

The smartphone has had a huge impact on how we communicate and socialize with other people. Will the IoT have a similar effect on how the digital agents on our devices communicate with each other? Some antivirus companies are already anticipating the security issues this network of interrelated devices will cause. AVG (Ally), Bitdefender (Box) and Norton (Core) have announced or launched antivirus solutions embedded in routers for the home and SOHO (small office/home office) market. At AV-Comparatives we will keep an eye on this trend and keep you informed of the latest developments.

Malware in the media – May’s lesson

Month after month, our Real-World Protection Tests show an increase in ransomware prevalence. For those following the security industry this is no surprise, since many security vendors (e.g. Adaware and Avast) have been predicting it.

The “star” of this month’s media attention was WannaCry. The heavy media coverage was caused not only by its massive outbreak in over 150 countries within a few days (according to CrowdStrike), but also because it has all the elements of an exciting 007 movie: a plot in which a national security agency causes the problem (Emsisoft: “WannaCry outbreak caused by NSA exploits”); a conspiracy theory involving an evil organization (The Shadow Brokers), possibly connected to a rogue nation (Symantec: “WannaCry attack shows strong links with North Korean Lazarus Group”); and a young hero (22-year-old Marcus Hutchins, aka MalwareTech) saving the world from further damage by activating the built-in kill switch through the quick registration of an internet domain name (the worm checks whether a hard-coded domain resolves and stops if it does).

Despite all the media attention, it was not WannaCry but the Jaff ransomware that affected the most victims in May (eScan: “Ransomware variants vying for top slot”). Jaff is typically delivered through spam e-mails carrying a PDF attachment. When the attachment is opened, a Word document with macros that is embedded in the PDF is launched. If the user ignores the macro warning and lets the macros run, they download and execute a copy of the actual ransomware. Every step of that chain needs the user’s cooperation, which is why blocking macros in documents that arrive by e-mail stops it before any ransomware code is ever fetched.
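The delivery chain just described lends itself to a simple attachment triage check: flag a PDF that both embeds an Office document and carries an open action to launch it, before the user ever sees the message. The block below is an added example written for this page, not code from the original post or from any vendor’s product. The PDF bytes are constructed to model that chain (they are not a real Jaff sample), the use of an OpenAction script to launch the embedded document is an assumption about how such a PDF starts its payload (the post only says the document “is started”), and the file names are made up.

```python
"""
Triage of an e-mail attachment for the PDF-wraps-macro-document chain:
a PDF carrying an embedded Office document plus an action that launches it
when the PDF is opened. Added example, not code from the post or any vendor;
the PDF bytes below are constructed, not a real sample.
"""
import re

# Extensions that can carry VBA macros (legacy binary formats included).
MACRO_CAPABLE = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm",
                 ".xlsb", ".ppt", ".pptm")

FILESPEC_RE = re.compile(rb"/Type\s*/Filespec(.*?)endobj", re.DOTALL)
# /F (...) or /UF (...) literal strings inside a Filespec, escapes allowed.
NAME_RE = re.compile(rb"/U?F\s*\(((?:\\.|[^\\)])*)\)")
OPENACTION_RE = re.compile(rb"/OpenAction\b")
LAUNCH_RE = re.compile(rb"exportDataObject|/Launch\b")


def _pdf_string(raw):
    """Undo the PDF literal-string escapes that matter for a file name."""
    return (raw.replace(b"\\(", b"(").replace(b"\\)", b")")
               .replace(b"\\\\", b"\\").decode("latin-1"))


def embedded_files(pdf):
    """Return the distinct file names declared by /Filespec objects."""
    names = []
    for spec in FILESPEC_RE.finditer(pdf):
        for m in NAME_RE.finditer(spec.group(1)):
            name = _pdf_string(m.group(1))
            if name not in names:
                names.append(name)
    return names


def triage(pdf):
    """Score the hallmarks of the chain: embedded Office doc + auto-launch."""
    if not pdf.startswith(b"%PDF"):
        return {"is_pdf": False, "embedded": [], "macro_capable": [],
                "auto_launch": False, "verdict": "not a PDF"}
    names = embedded_files(pdf)
    macro_docs = [n for n in names if n.lower().endswith(MACRO_CAPABLE)]
    auto_launch = bool(OPENACTION_RE.search(pdf)) and bool(LAUNCH_RE.search(pdf))
    if macro_docs and auto_launch:
        verdict = "quarantine: PDF auto-launches an embedded Office document"
    elif macro_docs:
        verdict = "review: PDF embeds a macro-capable Office document"
    elif names:
        verdict = "note: PDF carries attachments"
    else:
        verdict = "clean by this check"
    return {"is_pdf": True, "embedded": names, "macro_capable": macro_docs,
            "auto_launch": auto_launch, "verdict": verdict}


# Constructed sample modelled on the chain described above (not a real one).
SUSPICIOUS_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R
   /Names << /EmbeddedFiles << /Names [(invoice_2017.docm) 3 0 R] >> >>
   /OpenAction << /S /JavaScript
      /JS (this.exportDataObject({cName: "invoice_2017.docm", nLaunch: 2});) >> >>
endobj
3 0 obj
<< /Type /Filespec /F (invoice_2017.docm) /UF (invoice_2017.docm) /EF << /F 4 0 R >> >>
endobj
4 0 obj
<< /Type /EmbeddedFile /Subtype /application#2Fvnd.ms-word.document.macroEnabled.12 /Length 4 >>
stream
PK\x03\x04
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign PDF: no attachments, no open action.
PLAIN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_PDF), ("plain", PLAIN_PDF)):
        print(label, triage(blob))
```

Run as a script it prints a quarantine verdict for the constructed sample and a clean one for the plain PDF. The check is deliberately cheap and its limits are obvious: an attacker who compresses the objects into object streams or encrypts the PDF defeats plain regex matching, so a production filter decompresses and parses the document first and applies the same logic to the parsed objects.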

Safe computing habits and an up-to-date system with an antivirus program will protect against most ransomware attacks. The infection statistics for the recent WannaCry outbreak clearly illustrate the importance of an updated security product and operating system: Microsoft had shipped a fix for the SMB flaw the worm exploits about two months before the outbreak. Contrary to initial belief, it was not Windows XP but Windows 7 systems that were worst hit by the WannaCry ransomware (98% of cases, according to Kaspersky Lab’s Costin Raiu).

Whilst Microsoft’s inclusion of basic antivirus protection in Windows 8.1 and 10 is in principle commendable, there are a couple of possible concerns that should be noted. Firstly, the same name (Windows Defender) is used for the antispyware-only program in Windows 7 as for the full antimalware program in Windows 8.1/10; some security researchers think that security-unaware PC users may believe their Windows 7 systems are fully protected without additional antivirus software, which they are not. Secondly, as ESET points out (based on Microsoft data), a monoculture of security software would make far more systems vulnerable, as attackers would only have to work out how to bypass a single antivirus program.

Proactive protection against the WannaCry ransomware (not the exploit)

The WannaCry ransomware has been a major news story over the last few days. It has infected hundreds of thousands of computers worldwide (mostly in Russia), including those of some well-known companies and institutions. All the programs in our public Main Test Series now detect the WannaCry malware samples by signature, but we wanted to find out which of them would have blocked the malware sample (not the exploit) proactively, i.e. before the outbreak started and the samples became known. We therefore ran a proactive protection test: vulnerable Windows 7 systems with definitions dated before May 12th, on which a WannaCry malware sample was then executed while the systems were offline (which also rules out cloud look-ups, so the results reflect each product’s local heuristic and behavioural protection only). The list below shows which of the tested programs would have protected the system and which did not.

Product                              Result
Adaware Pro Security                 Protected
Avast Free Antivirus                 Protected
AVG Free Antivirus                   Protected
AVIRA Antivirus Pro                  Protected
Bitdefender Internet Security        Protected
BullGuard Internet Security          Protected
CrowdStrike Falcon Prevent           Protected
Emsisoft Anti-Malware                Protected
eScan Corporate 360                  Protected
F-Secure SAFE                        Protected
Fortinet FortiClient                 Not protected
Kaspersky Internet Security          Protected
McAfee Internet Security             Not protected
Microsoft Security Essentials        Not protected
Panda Free Antivirus                 Protected
Seqrite Endpoint Security            Protected
Tencent PC Manager                   Protected
Symantec Norton Security             Protected
Trend Micro Internet Security        Protected
VIPRE Advanced Security for Home     Protected

As can be seen above, a majority of these products protected against this ransomware, but over 200,000 systems worldwide were compromised by it nonetheless. New variants might appear, and results for the next outbreak could look different. Users are advised to keep their systems patched, enable AV protection (i.e. do not disable features) and keep it up-to-date, as well as practising safe computing.

* This test only looked at whether the ransomware component (the WannaCry ransomware itself) would have been blocked.

ESET (removed from the table above) would like to point out that its network protection module had detected the exploit/spreading part (the EternalBlue exploit), and therefore protected users, since April 25th.

This blog post was updated on May 18th.

Introducing AV-Comparatives’ Malware Protection Test

The Malware Protection Test is an enhancement of the File Detection Test that we performed in previous years. It assesses a security program’s ability to protect a system against infection by malicious files; what is unique about this test is that, in addition to checking detection in scans, it also assesses each program’s last line of defence. Any samples not detected, e.g. on access, are executed on the test system, with internet/cloud access available, to allow features such as behavioural protection to come into play.

Sample quality for the Malware Protection Test

The test set for the Malware Protection Test consisted of about 38,000 samples. As we only use samples that have been analysed by our own in-house automated sandboxes, the quality of our sets is very high. Unlike some other testers, we only use malware in our tests, and do not include PUAs or other controversial software. What is malicious and what is “potentially unwanted” is sometimes debatable. We welcome feedback from vendors; however, the decision as to whether something can or cannot be classified as malware is ultimately up to us, even if our decisions may sometimes be regarded as imperfect.