Thursday, December 21, 2017

AV products do work, folks.

I see a lot of criticism of antivirus products... they can't keep up... they miss nation-state malware... people need magical new solutions... etc. Yesterday, I tested the day's ransomware against ten products that I had readily to hand, namely, Webroot, Sophos, Avast, Symantec, Windows Defender, Panda, Avira, MalwareBytes, FProt, and Eset.

I try to do what I call Real World testing. I install products with their default options, just like an average user might. I don't specifically update the signature databases. If they update, fine. If they don't, oh well. I only use the malware of the day, rather than stuff that is a few days old (and probably extinct). I execute the malware, just as the attackers would like their victim to do, and see who detects it.

Simple, really.

Yesterday's ransomware was spread via an email, with a vbs attached. The pitch in the email is to get you to open the attachment, which executes the vbs, which then goes out to a website, and downloads and executes the ransomware.

In my testing, I simulated that by executing the vbs, and ... wait for it... nine out of the ten products nailed it, either with a generic sig, or by blocking access to the website!

This is a Good Thing (tm), and well done guys and gals.

Of course, this still doesn't answer the vexatious question of what happens when they don't have a sig, but, in the fullness of time, we will find out. I can't do this every day, but I will try to add more products to the mix, and see what happens.

Stay tuned, and keep safe.

Wednesday, October 25, 2017

BadRabbit, etc, yawn

So, anyway, the world has seen another ransomware worm, and it has been effective, and it has hurt some folks.

Guess what? It is a given that there will be more.
Here's why.
When I started in antivirus, waaaaaaay back in 1987, there were only three ways to tell if something was malicious.
(1) You saw it do something malicious
(2) You reverse engineered it, and saw it contained code that _could_ do something malicious if it wanted to, or,
(3) Someone's signature scanner _told_ you it was malicious.

The problem with the first one is that it could cause a support call. "I think this program is doing something bad. Please come and sort it out." This causes a support call, and this is anathema in a corporate environment.
The problem with the second one is that it's really hard, and takes a _lot_ of effort. Humans are essentially and inherently lazy, so no one wants to do this much.
Option three, a scanner, either blocks something, or says nuffink. The upside is that if it blocks it, all is well, and this does _not_ cause a support call, but if it's a ransomware worm, or nation-state stuff, like Duqu 2.0, it gets away, and really, really, really hurts.

Regrettably, nothing has changed, and there are still only three ways.

Waaaay back in the early 90s, corporations chose scanners, and voted with their pocketbooks.

This made a certain amount of sense, when there were only a few thousand pieces of malware, but the problem with signature scanners is that they have great difficulty seeing new things. The Bad Guys understood this, and started finding ways to make new variations of their code as frequently as possible. This is automatable, by, for example, changing a few chunks of unimportant code, or changing the packing, or the encryption algorithm, or both.
Today, we see a million new, and unique pieces of malware every day.
This is a natural consequence of choosing signature scanners, back in the early 90s.
We can not keep going like this, or one day, there will be ten million new samples every day, or a hundred million.
There is a simple-ish solution.
Detect that it's doing something malicious.
No, it's not easy, but it's smarter, and the right thing to do.
And, we testers need to stop testing scanners, once a month, against old malware that probably doesn't exist any more, and start testing how everyone detects the day's new stuff.
It's the only way forward.
Stay tuned here, folks.

Tuesday, October 10, 2017

Less than 50% detections

Today's ransomware score... six missed (one detected stuff, but the malware encrypted the drive anyway, so that's a miss), five blocked, but with sigs... none with behavior detections.

Today's md5 is c50b81f99269bd05299df41dee8844da.

F-Secure is added to the test.

Missed were Webroot, Windows Defender, Panda, Avira, Trend.

Eset detected stuff, and removed what it saw, but the malware got away, so it's a miss.

Kaspersky, Sophos, Symantec and F-Secure blocked it with a sig.

Avast blocked it, but also blocked my software, so that's a false positive. False positives are anathema in a corporate environment, otherwise we could all use Solly's Perfect.bat, which never misses anything...

(Perfect.bat is "Echo %1 is malware"... never misses anything bad, but has a few false positives. This can be fixed, as well, which we can talk about later)

Guys... the malicious behavior with ransomware is obvious. We shouldn't be missing any of these. Please step up. I know we can do it.
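The "obvious" behavior this post refers to, and the "detect that it's doing something malicious" approach argued for in the BadRabbit post above, can be reduced to a signature-free heuristic: a process that, within a short window, rewrites several user files with a new extension and near-random contents. This added example is mine, not code from the post or from any product; the file-write events are constructed, and the entropy, window and file-count thresholds are assumptions.

```python
import hashlib
import math
import os
from collections import Counter, defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain documents sit around 4-5, encrypted output near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def is_encrypting_rewrite(event) -> bool:
    """One write that looks like encryption in place: extension swapped, content near-random."""
    _t, _pid, old_path, new_path, data = event
    ext_changed = os.path.splitext(old_path)[1] != os.path.splitext(new_path)[1]
    return ext_changed and shannon_entropy(data) > 7.0

def detect_ransomware(events, window=5.0, min_files=4):
    """Flag any pid doing >= min_files encrypting rewrites inside a sliding window of
    `window` seconds. No signature involved: only what the process does to user files."""
    flagged, per_pid = set(), defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        if not is_encrypting_rewrite(ev):
            continue
        t, pid = ev[0], ev[1]
        recent = per_pid[pid]
        recent.append(t)
        while t - recent[0] > window:  # drop rewrites older than the window
            recent.pop(0)
        if len(recent) >= min_files:
            flagged.add(pid)
    return flagged

def _pseudo_ciphertext(seed: bytes, size: int = 4096) -> bytes:
    """Deterministic stand-in for encrypted output (constructed; no real encryption)."""
    chunks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(size // 32 + 1))
    return b"".join(chunks)[:size]

TEXT = b"Quarterly report: revenue grew 4% while costs held flat.\n" * 60

# Constructed file-write events: (seconds, pid, old_path, new_path, new_content)
SAMPLE_EVENTS = [
    (0.0, 77, "docs/report.docx", "docs/report.docx", TEXT),  # ordinary editor save
    (0.4, 77, "docs/backup.tar", "docs/backup.tar.gz", _pseudo_ciphertext(b"gz")),  # one compression
] + [
    (0.2 * i, 4242, f"docs/file{i}.docx", f"docs/file{i}.docx.locked", _pseudo_ciphertext(b"k%d" % i))
    for i in range(6)  # six documents rewritten in about a second
]

if __name__ == "__main__":
    print("flagged pids:", detect_ransomware(SAMPLE_EVENTS))  # {4242}
```

The single high-entropy `.tar.gz` write by pid 77 looks like an encrypting rewrite on its own, which is why the detector counts rewrites per process over a window instead of alarming on one file.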

Stay tuned.

Monday, October 9, 2017

Who caught today's ransomware?

So, as readers of my blog will know, I am trying to find out who can trap malware, without having a signature for it, and without false positives. In other words, as it executes.

For today's test, I had a piece of ransomware that had arrived in a buddy's inbox yesterday. A quick check of its md5 on VirusTotal showed just a few sig detections.

I currently have ten products under test. They are the end-point versions of WebRoot, Kaspersky, Sophos, ESet, Avast, Symantec, Windows Defender, Panda, Avira, and Trend. I would have installed McAfee, except that it keeps barfing on one of the files it installs. It says mcmscins.dll, in the McTemp directory, is either not designed to run on Windows, or it contains an error. I tried calling their tech support about it, but the guy said he could find no record of that error. I expect this will sort itself out sometime soon, and I'll be able to add it to the test set, but that's a story for another day.

Five products missed it completely. One found a sig in memory, but it still got away, so that's really a miss. Two blocked it with a sig. Two found it with heuristics. I'll get to the names in a bit, but here's how the test works.

(1) I first run the malware on an unprotected Win7-32bit vm, and see what it does.
(2) All products are installed with default features. It is important to note that some products have extra features that can be turned on specifically to block ransomware by protecting some folders, but I am running with defaults.
(3) I don't update the signatures. The vms are only up for a minute or two, so most of the products don't have time to update, and I do that deliberately.
(4) Windows Defender is switched off in all vms, except, obviously, its own test vm.
(5) To be fair, products could also have blocked the initial downloader, or even the website that it tried to reach for the ransomware. I did not test that, as it was outside the scope of this test.

Please remember that I am not knocking signature scanners, as they are an absolutely vital layer of defense, but with greater than a million new and unique samples every day, it's not possible to add sigs for them all. Remember also that, although within a few days most scanners will have had sigs added, some malware is changing every day, and only exists for one day. The real threat is not what was around a week ago. It's what's around today.

The MD5 of the malware under test is BE499852672E9A1E5D222427978EA421.

Please also remember that just because a product misses something today, it doesn't mean it's weak. Now, if it consistently misses, day after day, that might be a different story, but the world is a safer place if everyone gets stronger. The five that missed were Webroot, Windows Defender, Avira, Panda and Trend. The one that found a sig in memory (it named it Kryptic, iirc), but it still got away, was ESet. The two that blocked it with a sig were Sophos and Avast. The two that caught it with behavior and/or heuristics were Kaspersky and Symantec. Well done, lads. And lasses.

Let's see what tomorrow brings.

Cheers all.

Sunday, October 8, 2017

This is probably important

So, last week, I was looking at a bit of malware that was posting to gmail.com/upload.php. This was obviously a non-existent url, so I was wondering ... why?

In the fullness of time, with a bit of help from some friends, I came to understand that it was only pretending to write to gmail.com/upload.php, and it was just trying to cover its tracks. This was a Dimnie variant, with a great write-up here. (Thanks Kevin. You know who you are.)

There was this write-up, and another by Symantec at about the same time, and the nub of the matter is these points:

(1) Dimnie had been around for a few years by the time it was finally noticed in March of 2017. This means it is subtle.
(2) Dimnie achieves persistence by injecting itself into running processes. It would probably go away if the computer was rebooted, but that doesn't happen often.
(3) The versions that Palo Alto and Symantec saw seemed to surveil the target. They looked for what processes were running, possibly for extra vulnerabilities, that might be used later. This means nothing, right?
(4) Initial versions installed a keylogger, but the framework was sufficiently flexible that anything could be installed. The bottom line here is that if ever you let malware loose on your computer, it is no longer yours. It belongs to someone else.
Think about this...
In my initial tests, only one product blocked it by behavior.
It took three years to be noticed the first time, in March 2017. It doesn't seem to have been seen much since then, and I stumbled on it by accident.
This either means that there have been no new versions since March, or ... given that we know they are subtle, could it be that they are simply changing it every day, as with the other bit of malware that I blogged about earlier? We could well have been missing them since March.

In my opinion, given also that its primary objective sure _feels_ like surveillance, this proves that we must start focussing on non-signature malware detection. Again, I'm not knocking signature scanners... they are vital.... we simply have to do more, and it's up to us testers to focus on testing that, rather than just sigs.

Stay tuned, folks.

Wednesday, October 4, 2017

A first "generic detection" test

So, anyway, this is interesting...
As I mentioned in an earlier blog post, I'm interested in finding out who can detect malware "generically", as opposed to signature detection.
To achieve this, I find a pretty new bit of malware, something with low scanner detection, and run it against an unprotected machine, to see what it does. I then run it, in turn, against each of my protected machines, and see who blocks it.
Currently, I have just six products installed, but they are major av products. The malware sample is almost certainly a new variant of a trojan generally named Dimnie, but here's the interesting thing...
Only two of the six products detected it, and they detected it with a signature. They got the name wrong, but that's irrelevant. No one detected it "generically".
I'm not naming products (at this point), and I'm not knocking signature scanners. They are an absolutely vital layer of defense, and, with greater than a million new and unique samples every _day_, it is not possible for them to catch all samples every day. (Unless we use Dr Solly's Perfect.bat, of course, but that's a story for another day)
This simply proves how vital it is that we testers start looking at "generic" detections.
A whitelister would have stopped it, of course, but they have their own set of issues, especially in a corporate environment, or when confronted with macro or scripted malware.
Now I need more products installed, and more new samples.
Watch this space some more.

Wednesday, September 27, 2017

It's time for a new emphasis on testing styles, kids.

So, anyway, I've been looking at a particular piece of malware for the last four or five days, and I've noticed something interesting. They change it _every_ day. It's not server-side polymorphism, but they deliberately change it every day. It still does about the same thing, which is to take you to some place to try to get you to install a fake Flash player, or tells you that your computer has a virus, and you must call this 800 number immediately, etc. Nothing fancy.

The first time I search its MD5 on VirusTotal, I get ten or twelve detections. I tend to do that late in the day, and I suspect that if I checked when it was first released, I'd get even fewer detections. The next day, if I search the same MD5, I get twenty to twenty-five detections, and the next day, I get forty or forty-five detections. This makes sense, as this is a natural consequence of samples being shared among vendors, but, guess what? That sample doesn't exist any more, but every day, there is a new one, with low detections, doing the same thing. Oh, and with just a little looking around, I found a different sample doing the same thing. This probably means there are lots more.

Put another way, when you have something of the order of a million new and unique samples each day, there are probably lots of samples being missed by signature scanners, some because of deliberate tricky stuff, and others, just because of the sheer numbers. Given a few days, or a couple of weeks, most will be added, but in the meantime, the world is exposed, and if the malware is a worm, or nation-state stuff, you don't want to be missing these things.

The good news is that all antimalware products have multiple ways of detecting bad things, aside from signature scanners, but someone has to test them, to see how effective, or otherwise, they are. What I propose to do is to find new, or poorly detected, malware, and test it by executing it against products, and see if it is caught... or not.
To start with, I just have half a dozen of the main products, and not many brand new samples, but I expect both will grow. Watch this space.

Tuesday, September 19, 2017

What can we learn from Equifax?

So, anyway, this year the world has taken a couple of pretty big hits, between Equifax and RansomWorms like WannaCry. It's time to see what we can learn from them.

Let's think about Equifax first. Although it left a bigger mark, it's a simpler solution. Patch, damnit! Patch! It's got nothing to do with some poor soul's music degree, or lack of degree. The patch was released months ago, and it was simply a grievous mistake to not patch, but people are human, and, unlike my dear readers, very few of us never make a mistake.

It's also worth remembering that, just as humans are only human, all software has a weak underbelly if you look hard enough. One of my favorite security truisms is that security and functionality tend to exist in an inverse relationship. What this means is that the more functional you make something, the less secure it tends to be, and the world demands that we build for functionality. So someone will always be discovering a problem with something we care about, and if there's a patch available, patch it. Job done.

Well, _that_ job's done, but there are other issues... You might be spear phished. You might get a malware infection. There are plenty of those to go around. You might have un-patchable IoT devices on your network. This is all still emerging. We will talk about these things at other times, but remember this ... there is no panacea.

Remember that the best security is like layers of Swiss cheese. Any one layer has lots of holes, but if you layer another slice on top, they cover up each other's holes. Put enough layers on top of each other, and you are much stronger. Never invulnerable, but _much_ stronger. This, unfortunately, is a part of the fabric of the Internet, and is simply a cost of doing business. It hurts, but it is what it is.

Take care out there, folks. Www stands for World War Web.

Monday, March 13, 2017

Hi folks,

For the first time in several years, I am able to blog at will, and, going forward, I will do my very best to find interesting topics. This one is a little mundane, but you gotta start somewhere, and, although it's not earth shattering, it's worth a mention.

About every other day or so, I get an email along the lines of ... "have you ever thought to work from home? roger look over the attached invitation! Your secure password(for the document) is: 421233" and, attached, is a protected pdf. If you are naive enough to try to open the pdf, you are taken to a website that tries to get you involved in their business scheme. I'm sure they consider it marketing, but I consider it dangerous, because it is really difficult to tell whether or not it's taking you to an attack site.

There are two really good security rules of thumb here...
(1) Never open a pdf from someone you don't know.
(2) Never open _any_ document, of any sort, from anyone you don't know, if it's password protected, because it makes it hard for your antivirus to scan inside it, to determine if it's safe or not.

Keep safe out there, folks. Remember 'www' stands for World War Web.
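The second rule of thumb can be enforced at a mail gateway rather than left to the recipient: an encrypted PDF declares itself with an /Encrypt entry in its trailer (or, for PDF 1.5+, in its cross-reference stream dictionary), so an attachment that AV cannot look inside can be quarantined on that basis alone. This is an added example, not code from the post; the two PDFs are constructed minimal documents, and triage_attachment is a hypothetical gateway hook.

```python
import re

# Constructed minimal PDFs (not real attachments). The plain one deliberately carries the
# text "/Encrypt" inside a page content stream, to show the check does not trip on it.
PLAIN_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"4 0 obj << /Length 22 >>\nstream\nBT (/Encrypt) Tj ET\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R /Size 5 >>\n%%EOF\n"
)
PROTECTED_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"3 0 obj << /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 >> endobj\n"
    b"trailer << /Root 1 0 R /Encrypt 3 0 R /Size 5 >>\n%%EOF\n"
)

def is_password_protected(pdf: bytes) -> bool:
    """True when the document structure references an /Encrypt dictionary.
    Stream bodies are removed first so page text cannot trip the check; the key in a
    cross-reference stream's dictionary sits outside the body and is still seen."""
    if not pdf.startswith(b"%PDF-"):
        raise ValueError("not a PDF")
    structure = re.sub(rb"stream\r?\n.*?endstream", b"", pdf, flags=re.S)
    # /Encrypt must be followed by a delimiter so /EncryptMetadata does not match
    return re.search(rb"/Encrypt(?=[\s/\[<(])", structure) is not None

def triage_attachment(filename: str, data: bytes) -> str:
    """Hypothetical gateway decision: scan what can be scanned, quarantine what cannot."""
    if filename.lower().endswith(".pdf") and is_password_protected(data):
        return "quarantine: password-protected PDF, AV cannot inspect the contents"
    return "scan"
```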