6 C
Wednesday, November 22, 2017
Home Tags Spyware

Tag: Spyware

ByNeil J. Rubenking Vipre has been a name to conjure with in the antivirus business for quite some time.

The product has changed over the years, bouncing from company to company and, at one point, incorporating spyware protection from the well-regarded CounterSpy. Perhaps all that moving around wasn't the best for its health.

The current incarnation, ThreatTrack Vipre Antivirus 2016, isn't your best choice for comprehensive protection.
It did improve its antiphishing and malicious URL blocking scores significantly over the tests we ran on last year's edition, but it fared poorly in tests by independent antivirus labs. You have plenty of purchase options with Vipre. You can pick one, three, five, or 10 licenses and subscribe for one, two, three, or four years.

There's a discount for more licenses and longer subscriptions, of course. Protecting a single PC for one year costs $39.99, while a 10-license four-year subscription goes for $269.99, quite a bit less than what you'd pay for 40 single licenses (almost $1,600!). Installation is simple, if not precisely quick. You fire up the installer, copy and paste your license key, and click a button labeled Agree & Continue.

That's it.

The installer checks for program updates, performs the installation, downloads the latest virus definitions, and runs a scan for active malware. You don't have to do a thing, except perhaps get some coffee or a snack.
I found the full installation process took about 10 minutes. Vipre's main window retains the look introduced with the previous edition.

Buttons let you launch or schedule a scan.

A status panel reports on the latest scans and updates.

A couple of links let you manage your account or the program's settings.
It's very slick and simple. So-So Malware BlockingA full system scan with Vipre took 46 minutes, just a little longer than the current average.

Clearly the program performs some kind of optimization during that first scan, as a repeat scan completed in just five minutes.

AVG AntiVirus Free (2016) took 27 minutes for an initial scan on this system and two minutes for a repeat scan.

F-Secure Anti-Virus 2016 cut the time even more, with a 15-minute first scan and just over one minute to repeat the scan. Of course, speed means little unless it's coupled with accuracy. My hands-on malware blocking test starts when I open a folder that contains a few dozen known malware samples.
Vipre immediately leapt into the fray, eliminating 79 percent of the samples on sight. When I launched the surviving samples, it detected a few, but didn't completely prevent installation of executable files.
It managed 86 percent detection and an overall score of 8.1 points in this test. Two products share the top overall score.

Avast Pro Antivirus 2016 detected 100 percent of these same samples, and Bitdefender Antivirus Plus 2016 detected 93 percent.

Because Avast didn't completely prevent installation of malware traces, it earned 9.3 points, the same as Bitdefender.
Vipre's score puts it well below the median for this test. Of necessity, my samples in that hands-on test get used for many months. However, in my malicious URL blocking test the samples (provided by MRG-Effitas) are as new as I can manage, typically no more than a day or two old.

The test is simple enough.
I take the sample URLs and launch each in a browser protected by the product under testing.
I note whether it steers the browser away from the dangerous URL, eliminates the executable payload during download, or sits idly, doing nothing to prevent the download.
I continue until I have data for 100 malware-hosting URLs. When I tested Vipre's previous edition, it blocked just 38 percent, all of them during the download process.

This time around, Vipre's Search Guard and new Edge Protection components stepped up to raise the protection level impressively.

Between the two components, Vipre blocked access to 84 percent of the malware-hosting URLs.

Edge Protection did most of the work, though Search Guard (the one place you can still see Vipre's old snake icon) lent a hand. Vipre's 84 percent protection rate is pretty darn good; only five products have done better.

At the top of the heap are McAfee AntiVirus Plus (2016) and Symantec Norton Security Premium, each of which managed 91 percent protection. See How We Test Malware Blocking Improved Phishing Detection Malware-hosting websites are definitely dangerous, but you can also get into serious trouble by voluntarily entering your login credentials on a fraudulent website.
Imagine if a phishing site snagged your Amazon password, or the credentials for your online banking! Last year Vipre tanked this test.

This year's results are much, much better. To start my antiphishing test, I visit a number of sites that track these frauds.
Specifically, I scrape URLs that have been reported as fraudulent but not yet classified and blacklisted.
I open each URL simultaneously in a browser protected by the product under test and by antiphishing veteran Norton.
I also try each URL against the native protection of Chrome, Firefox, and Internet Explorer.

There's a lot of variation in the types of phishing URLs, and in their cleverness, so I report the difference between the detection rate of the various products, rather than hard numbers. Vipre's detection rate was just 6 percentage points behind Norton's, the same score managed by BullGuard Antivirus (2016).
Vipre also handily beat all three browsers. Roughly two-thirds of current products failed to beat at least one of the browsers, and half of those performed worse than all three browsers. See How We Test Antiphishing Sad Lab Results Vipre's scores in my own tests ranged from so-so malware blocking to excellent phishing protection.
It didn't fare as well with the independent testing labs.
ICSA Labs does certify Vipre for malware detection and cleaning, and West Coast Labs certifies it for detection.
It managed VB100 certification in eight of the last 10 tests by Virus Bulletin.

But the scores go downhill from there. In the latest three-part test by AV-Test Institute, Vipre earned 3 points for protection, 3 for performance, and 6 points for usability.

This last figure means that Vipre avoided screwing up by identifying valid apps and URLs as malicious.

But with 6 points possible in the important protection category, a score of 3 points is pretty bad.

Avira Antivirus 2015, Bitdefender, and Kaspersky Anti-Virus (2016) all managed a perfect 18 points in this same test. Vipre's one success with AV-Test involved avoiding false positives, but in tests by AV-Comparatives false positives proved problematic.

This lab tags products with Standard certification as long as they meet all essential capabilities.

Better products can earn Advanced or Advanced+ certification, while those that don't make the grade just rank as Tested.

And whatever the basic rating, enough false positives can drag it down. I follow five tests out of the many performed by this lab.
In latest instances of those tests, Vipre earned Advanced once and Standard twice, but failed the other two tests, both times due to false positives.

That looks especially bad compared with Bitdefender and Kaspersky, which took Advanced+ ratings in all five. See How We Interpret Antivirus Lab Tests Bonus FeaturesThe Email and Privacy settings pages demonstrate that Vipre offers a number of features above and beyond the basics of antivirus.
It checks your incoming and outgoing email for malware, quarantining any problems it finds.

And it quarantines phishing messages—but not spam; antispam is reserved for the Vipre suite.

The email protection works with desktop clients only, not Web-based email, and if your email client uses non-default ports you'll need some technical skills to make it work. Vipre's Social Watch component scans your Facebook page for malicious links. Naturally you have to log in to Facebook in order for it to work. You can stay logged in and set it to scan every so often, or log out for privacy.  When you enable the secure file eraser feature, it adds an item to the right-click menu for files and folders.

After you confirm that you want a particular file or folder gone forever, it overwrites the file's data before deletion, to prevent forensic recovery of sensitive data.
I'm just as happy that it doesn't let you configure this feature, since most users aren't remotely qualified to select between the available algorithms. As you browse the Web and use your computer, you leave behind a trail of clues that a nosy person could use to reconstruct your activities.
If that bothers you, the history cleaner component can help.
It will wipe out browsing traces for many popular browsers, recent file lists for popular applications, and a number of Windows-based traces.

There's a checkbox to show only programs that you actually have installed, but in my testing it did not seem to work.
I definitely don't have Safari, Opera, or ICQ in the test system, yet they remained visible even when I checked the box. Some Ups, Some Downs ThreatTrack Vipre Antivirus 2016 performed significantly better than the 2015 edition in some areas.
It scored quite a bit better in my antiphishing and malicious URL blocking tests, probably thanks to the new Edge Protection.
Its score in my hands-on malware-blocking test was so-so, much the same as last year, but if I see top scores from the labs, I give them more weight than my own test. Unfortunately, Vipre's labs scores aren't good at all. Antivirus is a big field, and I've identified a number of Editors' Choice products.

Bitdefender Antivirus Plus and Kaspersky Anti-Virus routinely take top honors from all of the independent labs. McAfee AntiVirus Plus does well in lab tests and my own tests, and one subscription protects all of your Windows, Mac OS, and mobile devices.

And Webroot SecureAnywhere Antivirus remains the tiniest antivirus around, with an especial focus on ransomware.

Any one of these will be a better choice for your system's antivirus protection.
Google addressed 19 security vulnerabilities, seven of them rated critical, in its latest Android security update.  The updates addressed critical security vulnerabilities in the keyring component, MediaTek Wi-Fi Driver, Conscrypt, the libvpx library, Mediaserver component, and the Qualcomm Performance component.

The most severe vulnerability is the remote code execution flaw in Mediaserver that could be exploited through multiple methods, including email, Web browsing, and MMS, when processing maliciously crafted media files. Mediaserver still vulnerable Google has patched more than two dozen Mediaserver flaws since August, when the original Stagefright flaw was disclosed.
Since then, Google's internal security team has been identifying and fixing other security vulnerabilities scattered throughout the rest of the Mediaserver and the libstagefright library code. The steady stream of Mediaserver vulnerabilities has slowed, as this month's update fixed only two critical flaws (CVE 2016 0815, CVE 2016 0816) and three high-priority issues in Mediaserver. "During the media file and data processing of a specially crafted file, vulnerabilities in Mediaserver could allow an attacker to cause memory corruption and remote code execution as the Mediaserver process," wrote Google in the security bulletin. Google also patched an information disclosure vulnerability in libstagefright (CVE 2016 0824), two elevation of privilege vulnerabilities in Mediaserver (CVE 2016 0826, CVE 2016 0827), and two information disclosure vulnerabilities in Mediaserver (CVE-2016-0828, CVE 2016-0829).

They are all rated as high priority because they cannot be used for remote code execution, but they can be used by attackers to gain elevated capabilities, such as Signature or SignatureOrSystem permissions, which most third-party apps should not have access to.

The information disclosure flaws can be used to bypass security measures, while the elevation of privilege flaw could be used by a malicious app to execute arbitrary code. The critical flaw in libvpx (CVE 2016 1621) is related to previous Mediaserver vulnerabilities, as attackers could exploit this issue to cause memory corruption and remote code execution as the mediaserver process.

The flaw can be triggered with remote content, such as MMS messages or playing media files through the browser. Multiple elevation of privilege bugs fixed The remaining critical vulnerabilities are elevation of privilege flaws.

The Conscrypt bug (CVE 2016 0818) could allow a specific type of invalid certificate to be trusted, resulting in a man-in-the-middle attack.

A malicious app could trigger the flaw in the Qualcomm performance component (CVE 2016-0819) to execute arbitrary code in the kernel.

The only way to repair the compromised device would be by re-flashing the operating system.

The Kernel Keyring bug (CVE 2016-0728) will also let a malicious app execute arbitrary code locally, requiring reflashing the operating system. However, the Kernel Keyring component is protected in Android versions 5.0 and above because SELinux rules prevent third-party applications from accessing the vulnerable code, according to the bulletin. The final critical vulnerability in the MediaTek Wi-Fi kernel driver (CVE 2016 0820) could also be abused by a malicious app. While another MediaTek flaw (CVE 2016 0822) could result in arbitrary code execution, it was rated only as high priority because the attacker would first have to compromise the conn_launcher service, "which may not even be possible," Google said. The patches for Qualcomm and MediaTek components are posted on the Google Developer site and not in the Android Open Source Project repository. High priority and medium priority bugs also addressed Google fixed a mitigation bypass vulnerability in the kernel (CVE 2016 0821) that could let attackers bypass security measures in place.

The vulnerability is related to a change made to poison pointer values in the Linux kernel back in September.

The updates also addressed an information disclosure vulnerability in the kernel (CVE 2016 0823) that could result in malicious apps locally bypassing exploit mitigation technologies like ASLR in a privileged process.

The bug was also fixed in the Linux upstream back in March 2015. The information disclosure vulnerability in the Widevine Trusted Application component could allow code running in the kernel context to access information in TrustZone secure storage, Google said in its bulletin. Like the high-priority Mediaserver flaws, this bug could be used to gain permissions typically not granted to third-party apps.

The final high-priority bug is a remote denial-of-service flaw in Bluetooth that could allow an attacker within a certain distance of the target device to block access.

The attacker could cause an overflow of identified Bluetooth devices in the component, leading to memory corruption and service stop.

The issue could potentially only be fixed by flashing the device, Google said. The two moderate-priority bugs are in the Telephony component and the Setup Wizard.

The information disclosure vulnerability in the telephony component could allow an app to access sensitive data on the device.

The elevation of privilege vulnerability in Setup Wizard can be exploited by an attacker who has physical access to the device and can perform a manual device reset. Patch if possible None of these issues have been exploited in the wild. Builds LMY49H or later and Android M with Security Patch Level of "March 01, 2016" or later contain fixes for these issues.

The Build information is available through the Settings app on Android devices, under the About phone option.

The Security Patch Level is shown in the same location on Android M devices and some Samsung devices running the latest Lollipop versions. Since phone makers and carriers control when the updates are actually pushed to Android devices, for most users, the best ways to stay up-to-date with the security fixes are to buy Nexus devices, upgrade to newer devices frequently, or install custom Android versions themselves. Partners, including handset makers and phone carriers, received the bulletin on Feb. 1.

The Nexus devices will receive over-the-air updates and the patches are expected to be posted to the Android Open Source Project repository. Non-Nexus devices will follow schedules determined by the manufacturers or the carriers. While Samsung has committed to updates for its latest models, many Android phones remain on older versions. Google's Android Security team is actively monitoring for abuse with Verify Apps and SafetyNet, which both warn users of potentially harmful applications about to be installed. Introduced in Android 4.2, Verify Apps works by scanning all .apk packages downloaded from Google Play and other sources for potentially harmful applications. "Google's systems use machine learning to see patterns and make connections that humans would not," Elena Kovakina, a senior security analyst at Google, said in Febrary at the Kaspersky Lab Security Analyst Summit. Verify Apps scan for known attack vectors and scenarios such as phishing, rooting operations, ransomware, backdoors, spyware, harmful sites, SMS fraud, WAP fraud, and call fraud.

Because it's enabled by default, most malicious attacks are thwarted, Kovakina said.

An example is the recent Lockdroid malware, which could have affected a large percentage of Android devices, but turned out to have not infected any Android users. Even if users can't update their Android devices to the latest versions, the SafetyNet and Verify Apps features filter out the majority of bad apps which could take advantage of these flaws.
The famous munition t-shirt--the way security data might have to have been shared if proposed trade restrictions under the Wassenaar Arrangement were approved.After nearly a year of protests from the information security industry, security researchers, and others, US officials have announced that they plan to re-negotiate regulations on the trade of tools related to "intrusion software." While it's potentially good news for information security, just how good the news is will depend largely on how much the Obama administration is willing to push back on the other 41 countries that are part of the agreement—especially after the US was key in getting regulations on intrusion software onto the table in the first place. The rules were negotiated through the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, an agreement governing the trade of weapons and technology that could be used for military purposes. Originally intended to prevent proliferation and build-up of weapons, the US and other western nations pushed for operating system, software, and network exploits to be included in the Wassenaar protocol to prevent the use of commercial malware and hacking tools by repressive regimes against their own people for surveillance. These concerns appear to have been borne out by documents revealed last year in the breach of Italy-based Hacking Team, which showed the company was selling exploits to Sudan and other regimes with a record of human rights abuses.

And security systems from Blue Coat were resold to a number of repressive states, including Syria's Assad regime—which may have used the software to identify and target opposition activists. But the framework the State Department brought back from Wassenaar contained language that "was too broad and would harm cybersecurity," Harley Geiger, director of public policy at the security and penetration testing tools vendor Rapid7, told Ars. The initial rules proposed under new provisions negotiated by the State Department in 2013—which arose from trade restrictions introduced initially by France and the United Kingdom—were intended to prevent "bad" countries from obtaining technology like "IMSI catchers" for intercepting cell phone calls, network surveillance tools, and spyware.

But the language would have placed export licensing controls on a broad range of technology, software, and services related to legitimate computer security, including systems specifically designed to block malware, penetration testing tools, and possibly even security training. The same sort of rules once restricted the export of commercial-grade encryption, placing it under International Traffic in Arms Regulations (ITAR).

The perl code for RSA encryption was famously printed on a t-shirt in protest of its classification as an "ITAR controlled munition." The implementation that Commerce proposed, Geiger explained, may have prevented companies from sharing information about potential exploits with overseas subsidiaries.

Companies that provide penetration testing services, such as Rapid7, would run into difficulty providing those services overseas. "The number of licenses you would have to apply for normal cybersecurity operations would multiply greatly," Geiger said. Normally, US regulations implementing Wassenaar protocols are simply issued.

But the Commerce Department's Bureau of Industry and Security (BIS) took the unusual step of opening proposed exploit rules up for public comment.

The immediate feedback to the first set of rules proposed was almost universally negative.

The rules' language is flawed partially because of the broad interpretation of what "intrusion" technology is.

The regulations proposed swept up defensive software systems as well because they include information about exploits. The Electronic Frontier Foundation, the Center for Democracy and Technology, and Human Rights Watch joined in submitting comments about the proposed rules.

The groups warned that the rules were overly broad—they placed restrictions on cybersecurity software, for example, because the software "may incorporate encryption functionality." Rapid7's team commented that the proposed rules would "establish controls on 'technology required for the development of 'intrusion software,' which would regulate exports, re-exports and transfers of technical information required for developing, testing, refining, and evaluating exploits and other forms of software meeting the proposed definition of 'intrusion software.' This is the type of information and technology that would be exchanged by security researchers, or conveyed to a software developer or public reporting organization when reporting an exploit." The rule, they argued, would have a chilling effect on security research. The outcry led to congressional hearings on the proposed rules' impact, which led to the inter-agency panel's reconsidering of the rules. "Today’s announcement represents a major victory for cybersecurity here and around the world,” said Rep. Jim Langevin (D-R.I.), who led the Congressional effort to stop the proposed rules, in a statement issued on Tuesday on the conclusions of that panel to re-negotiate. "While well-intentioned, the Wassenaar Arrangement’s ‘intrusion software’ control was imprecisely drafted, and it has become evident that there is simply no way to interpret the plain language of the text in a way that does not sweep up a multitude of important security products." The EFF was similarly enthusiastic about the decision, posting news of the shift under the headline, "Victory!" But while optimistic, Geiger—who joined Rapid7 from the Center for Democracy and Technology in January—remains cautious about how much will be renegotiated.

The agreements cover intrusion "technology, software and systems" as separate categories, and the wording of the decision he had seen didn't indicate if all three would be addressed—or if only "technology" (hardware) would be. "These controls should be removed completely to enabler legit cybersecurity activity," Geiger said. "But if it's not possible, we think the reforms should be comprehensive, and not just include technology but also software and systems and change the definition of intrusion software."
Chaos Computer ClubGerman police are now permitted to infect a suspect's computers, and mobile devices with special trojan software to monitor communications made with the systems, the country's interior ministry has confirmed. The malware can only be deployed when lives are at risk, or the state is threatened, and will require a court order to allow police officers to infect the machines of alleged criminals. However, the government-developed malware must not be used to monitor other activities on the system, or to change data or programs.
It follows a decision by Germany's Constitutional Court in 2008, which ruled that the an individual's private life should have absolute protection, and that eavesdropping must be limited to a person's communications with the outside world. But Frank Rieger, a spokesperson from the famous Chaos Computer Club (CCC), has cast doubt on the German government's pledge to adhere to those standards with its trojan software.
In an an article on the Deutschlandfunk website (in German), Rieger noted that it was very hard to create malware that can be used to monitor communications in a way that does not infringe on the protected private sphere. The CCC has been tracking Germany's authorised malware for some years now. Back in 2011, the hacker association analysed a previous trojan used and written by the German police and found that: "The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs." Even worse, CCC reported at the time that "significant design and implementation flaws make all of the functionality available to anyone on the Internet." This, of course, remains the fundamental problem with any such "official" malware: once a vulnerability has been created in a system, there is always the risk that others will find and exploit it too. It's possible that the fear that the home-grown trojan may not be good enough to survive a court challenge is behind the German government's consideration of commercial spyware from the controversial Gamma Group, whose products have been used around the world, notably by repressive governments against political activists. The Deutschlandfunk report also quoted a politician from the Green party, who pointed out that—whichever trojan software was chosen—the use by the German government of program flaws in order to insert the police malware on a suspect's computer was inherently problematic.

Arguably, instead of helping to improve security for the millions of Germans likely to be affected by a serious bug, the authorities could leave it unpatched so that they can exploit the flaw for their trojan. Moreover, as noted by Rieger, once those bugs are eventually fixed, the German authorities will need to find other vulnerabilities to exploit, and may even start bidding for them in one of the dodgy zero-day marketplaces. The legal constraints on the use of government malware imposed by the German's Constitutional Court contrast painfully with the UK government's proposals in its draft Investigatory Powers Bill, dubbed a Snooper's Charter, which seeks to give the police and intelligence agencies unlimited and secret "equipment interference" powers to break into systems, change software there, and spy on everything the user does. This post originated on Ars Technica UK

Sophos Home

Some antivirus vendors pitch their products directly to consumers, some focus instead on big-business protection, and some do both. For quite a while, antivirus giant Sophos has stayed on the business side of the market. With the recent release of the free Sophos Home, consumers can now enjoy the same level of antivirus protection as the Fortune 500 on up to 10 Windows and Mac OS devices. As it comes from a business orientation, Sophos Home includes some sophisticated management features not typically found in consumer-side free antivirus products. To get started with the product, you create a free account, which gives you access to an online dashboard. You can log in to the dashboard from any PC or Mac to install the software directly, or send a link to install Sophos on another device. McAfee AntiVirus Plus (2016) is one of the very few competitors to offer this kind of remote management. The installer notes that getting the product installed can take up to 15 minutes, which seemed unusually long to me. But indeed, it did take almost precisely that long. After installation, it downloaded updated antivirus definitions and launched a full scan. The scan took 37 minutes, just slightly less than the current average. A repeat scan wasn't significantly faster. Simple InterfaceWhether you install Sophos on a Mac or a Windows box, its main window exhibits a pleasant simplicity. A large banner across the top displays your security status, with a button to view any pending alerts and another button to open the online dashboard. You can click to launch a full scan, which displays its progress right in the main window. And there are on/off switches for Automatic Virus Protection, Web Protection, and Potentially Unwanted App Detection.  There's one little problem with the Sophos Home user interface: every time you open it, you have to respond to a User Account Control prompt. That's not quite as bad as ESET Smart Security 9, which requires a UAC response every time you respond to a firewall program control popup, but it still seems unnecessary. Labs Love ItThe independent antivirus testing labs don't specifically include Sophos Home in their testing, but Sophos Cloud Endpoint Protection comes under scrutiny by all of the labs that I follow. According to Sophos, the free consumer product "uses the same award-winning technology from Sophos that protects millions of business people worldwide," which makes sense. Why would the company develop a separate technology for the free product? Both ICSA Labs and West Coast Labs certify Sophos both for malware detection and malware removal. Looking at results from Virus Bulletin, it appears that Sophos stopped participating some months ago. However, Sophos did participate in four of the most recent 12 tests and earned VB100 certification each time. Bitdefender Internet Security 2016 and ESET took VB100 in all 12 of those 12 tests. AV-Test Institute evaluates antivirus products from three different angles, protection, performance, and usability. In the all-important protection test, Sophos earned 6 of 6 possible points, and it managed 5 points for performance. Its 5.5 point score for usability indicates that to some small degree it flagged valid programs or websites as malicious. Sophos earned 16.5 of 18 possible points, which is quite good. However, several products earned a perfect 18 in the latest test, among them Bitdefender, Kaspersky Internet Security (2016), and Symantec Norton Security Premium. The researchers at AV-Comparatives perform a dazzling variety of tests; I closely track five of those tests. Sophos participated in four of these. It earned the top rating, Advanced+, in the performance test, and managed Advanced in the file detection, zero-day detection, and real-world dynamic tests. Dennis Technology Labs aims to replicate the user's actual experience as closely as possible.  Every day, researchers locate real-world malicious URLs that host drive-by downloads and other attacks, using site-ripping tools to capture the entire website. For testing, they use a playback system to expose each product to exactly the same attack. Products can receive certification at five levels: AAA, AA, A, B, and C. Sophos earned the best possible rating, AAA, with excellent detection and no false positives. Test results for the antivirus technology shared by Sophos Home and the Endpoint Protection product are very good. However, Kaspersky and Bitdefender in particular have done even better. See How We Interpret Antivirus Lab Tests Accurate AntiphishingThe Web Protection component in Sophos Home watches incoming HTML data and blocks access to dangerous websites of all kinds, including phishing sites. In testing, it proved quite accurate. For this test, I gather a collection of URLs that have been very recently reported as fraudulent, so recently that they haven't yet been analyzed and blacklisted. I launch each URL simultaneously in five browsers. One browser is protected by the product under testing, naturally, and another by Norton, which has consistently proven to be an antiphishing whiz. The other three rely on the fraud protection built into Chrome, Firefox, and Internet Explorer. Out of more than 30 recent products, only one, Bitdefender, has outperformed Norton in this test. More than two-thirds of the products earned a detection rate lower than at least one of the browsers, and half of those failed to beat any of the browsers. I'm happy to say that Sophos isn't among this losing crowd. The Web Protection component's phishing detection rate came in just 4 percentage points below Norton's; only a handful of competitors have done better. And Sophos beat out the built-in protection of all three browsers, by varying amounts. See How We Test Antiphishing Effective Malicious URL BlockingIn addition to antiphishing, Web Protection naturally covers fending off websites that host malware or spyware, or that are known to be dangerous. Here again, Sophos turned in an excellent performance. For this test, I use a feed of newly discovered malware-hosting URLs supplied by MRG-Effitas. The test is quite simple. I try to launch each URL in turn, discarding any that result in an error message. For the ones that are still live, I note whether the antivirus prevents all access to the URL, catches and eliminates the malware payload during download, or completely misses the attack event. Out of 100 active malicious URLs, Sophos protected against 90 percent, almost all of them by completely blocking access to the URL. It identified several different kinds of problems. For some, it reported Malicious Content, identifying the detected malware. Others it blocked with a message that spyware was found. And it flagged quite a few as High Risk, also identifying malware found on the site. Only two recent products have scored better in this test. Norton and McAfee both managed 91 percent protection, edging out Sophos by a single percentage point. Less Impressive Malware BlockingI saved reporting on my own hands-on malware blocking test for last, because the results aren't as stellar as the other tests. This test starts when I open a folder containing my current collection of malware samples. Like many of its competitors, Sophos started checking these samples the moment I opened the folder. The transient popups that Sophos uses to report threat detection deserve a mention. Many products display a transient notification near the bottom right of the desktop. Some incorporate multiple detection events into a single notification, others stack up notifications so you can view them one by one. Sophos displays a modern-looking transient banner near the top right of the screen. If there are multiple events, it displays as many as three banners, one below the other. And if there are more than three the new ones take their place as the older ones fade out. It's different, but it works. Over the course of several minutes, Sophos detected and eliminated 61 percent of the samples. That's not bad, but many competitors wiped out even more of these samples on sight. AVG AntiVirus Free (2016) and Panda Free Antivirus (2016) eliminated more than 80 percent of the samples at this stage. Next, I launched the surviving samples one at a time, noting whether Sophos detected the attack and using a hand-coded tool to verify how thoroughly it blocked those that were detected. Sophos missed roughly a third of the survivors. Another third managed to plant one or more executable files on the test system despite the product's attempt at protection. With 86 percent detection and an overall score of 7.9 points, Sophos doesn't look good in this test. Most of the time my hands-on results jibe with results from the labs. When they don't, I give the labs more weight. They have dozens of experts working on antivirus analysis, after all. See How We Test Malware Blocking Remote ManagementI mentioned earlier that you install Sophos Home on a Windows or Mac OS device by logging in to the Home Dashboard. Once you've installed protection on a device or two, you can use the dashboard to remotely monitor and control your installations. The dashboard's summary page lists all of your devices, along with the number of alerts, threats cleaned, and websites blocked. It also reports the time of the latest update. Below this you get a list of all recent alerts. For alerts involving detection of a Potentially Unwanted Application (PUA), you can remotely choose to ignore the detection or ask Sophos to clean up. Clicking on a particular device in the dashboard gives you more remote control abilities. You can trigger a scan, or remove Sophos from the device. And you can toggle the on/off status of the same three components featured on the local product's main page: Automatic Virus Protection, Potentially Unwanted App Detection, and Web Protection. A Choice to ConsiderSophos Home uses the same technology that gets rave reviews in the service's business-focused Cloud Endpoint Protection. It gets very good ratings from the independent testing labs, and it earned high scores in my hands-on antiphishing and malicious URL blocking tests. I did find its performance in my hands-on malware-blocking test unimpressive, though. Three free antivirus products have earned the title of Editors' Choice, Avast Free Antivirus 2016, AVG AntiVirus Free (2016), and Panda Free Antivirus (2016). If you're looking for free antivirus protection, these are definitely worth consideration. But since it costs nothing to try a free antivirus, consider giving Sophos Home a whirl, too. You may find that its simple interface and remote management suit your needs.
When your formerly speedy PC starts to stutter and drag, you may be inclined to pin the blame on your antivirus. Hey, it's an easy target, right? Chances are good, though, that any slowdown is due to things like over-filled hard drives or too many programs running in the background. IObit's Advanced SystemCare Ultimate 9 has the answer for you—it combines antivirus protection with a full suite of system tune-up tools. At $29.99 per year for three licenses, it costs a less than many competing standalone antivirus products. Unfortunately, the core antivirus protection didn't hold up in my testing.  IObit's main window reports your current security status and features three extra-large glowing icons that launch a Quick, Full, or Custom Scan. Tested on my standard clean virtual machine, the full scan took 26 minutes, which is good, given that the current average is almost 40 minutes. Some antivirus products actively avoid rescanning known good files, making repeat scans very fast. AVG AntiVirus (2016) and Total Defense Anti-Virus (2015) zoomed through a repeat scan in about one minute. IObit doesn't seem to attempt this kind of scan optimization. Easy StartWhen you launch IObit's installer, you see a simple screen with one big button that simultaneously accepts the product license and launches the installer. The install process completed. To finish the process, I updated antivirus definitions and activated the product to enable real-time protection. After I finished activation, the program presented me with a big screen full of additional features and settings, most of which were flagged as enabled. Clicking a link activated the features that weren't enabled by default: Surfing Protection, Registry Deep Clean, and Secure File Deletion. I noticed that even though I activated the program, it still displayed an advertisement across the bottom, offering me an 80 percent discount on IObit's Drive Booster 3 Pro, along with "super gifts." This kind of internal advertising is found throughout the program. The Action Center notifies you about security problems, but also touts special deals on other IObit products. An Exclusive Offers button on the scan-complete screen likewise takes you to an advertising page. Some users may find these elements annoying. Mediocre Malware ProtectionIObit uses Bitdefender's antivirus engine, so, in a perfect world, its lab-test scores would track precisely with the excellent scores attained by Bitdefender Antivirus Plus 2016. However, the independent labs state very clearly that test results apply only to the actual product that was tested. None of the labs include IObit in testing, so the only test results I can rely on are my own. My own testing shows that IObit's protection doesn't track with Bitdefender's at all. To start my malware-blocking test, I open a folder containing my current set of malware samples. The minimal file access that occurs when Windows Explorer checks a file's name, size, and creation date is enough to trigger real-time protection in many antivirus products, including IObit. After a few minutes, it had eliminated 75 percent of the samples. Bitdefender wiped out 79 percent at this point, but the set of samples caught on sight by the two products didn't completely match. IObit missed some that Bitdefender caught, and caught one that Bitdefender missed. When I continued the test by launching the samples that weren't wiped out immediately, the two products diverged further. Some of the samples IObit caught after launch managed to install executable traces on the test system, a problem that didn't happen with Bitdefender. Overall, IObit detected 82 percent of the samples and scored 7.9 of 10 possible points. Bitdefender detected 93 percent and managed 9.3 points. That's the top score among products tested using this same set of samples. Bitdefender shares that top score with Avast Pro Antivirus 2016. Tested using my previous malware collection, Webroot SecureAnywhere Antivirus (2015) managed a perfect 10 points. In order to precisely compare how thoroughly different antivirus products fend off malware attacks, I necessarily use the same set of thoroughly analyzed samples for quite a while. My malicious URL blocking test, on the other hand, always uses the very latest malware-hosting URLs, supplied in a daily feed by MRG-Effitas. I load URL after URL, noting whether the antivirus keeps the browser from reaching the URL, wipes out the payload during download, or sits idly twiddling its thumbs. I continue until I've captured data for 100 active malware-hosting URLs. Throughout this test, IObit teetered back and forth, almost evenly balanced between wiping out downloads and completely missing all detection. I began to think that its Surfing Protection component wasn't designed for this sort of test. Near the end, though, that component did kick in to block precisely one URL at the browser level. IObit's overall score of 50 percent protection is a little better than the current average, but nowhere near Bitdefender's 74 percent protection. Top scorers in this test are McAfee AntiVirus Plus (2016) and Symantec Norton Security Premium, each with 91 percent protecton. See How We Test Malware Blocking Poor Protection Against PhishingThe Surfing Protection browser add-in serves to block both malware-hosting URLs and other types of dangerous URLs. That includes phishing sites, those nasty frauds that masquerade as PayPal, your bank, or some other secure site, attempting to steal your login credentials. Given that this component blocked access to just one in 100 malware-hosting URLs, it couldn't fare worse in the antiphishing test unless it earned a big fat zero. It actually scored better than that, but still failed to impress. For this test, I gather URLs that have been reported as fraudulent, but that haven't yet been verified and blacklisted. I launch each URL on five test systems, each protected in a different way. One system uses the product under testing, of course, and another uses Norton, a long-time antiphishing winner. The other three rely on protection built into Chrome, Firefox, and Internet Explorer. Since the nature of current phishing sites varies from day to day, I report results as the difference between the detection rate of the product and of the other four test systems. IObit's detection rate was a full 76 percent lower than Norton's, which puts it in the bottom quarter of recent products, score-wise. Kaspersky Anti-Virus (2016) came very close to tying with Norton, while Bitdefender is the only recent product that actual outperformed Norton in this test. All three browsers handily beat IObit, despite Chrome having an apparent bad day. The lesson is clear—don't turn off your browser's fraud protection, because IObit won't take its place. See How We Test Antiphishing Clean and OptimizeAntivirus is just part of what you get with this product. IObit's full-scale system tune-up utility, similar to Iolo System Mechanic 14, is included in Advanced SystemCare Ultimate. Note, though, that while you can use the Iolo product on any number of computers, cleanup with IObit is limited to the three licenses that come as part of your subscription. Once you get past the Antivirus page, the rest of this product is devoted to system cleanup and optimization. The Clean and Optimize page lets you launch a scan to clean up unwanted junk that may be slowing your system, among other things. Just half of these modules are enabled by default, probably because those not enabled can take a long time to finish. I was mildly surprised to find Spyware Removal and Security Defense in this collection (the latter says it will prevent spyware installation). I would think those belong with the antivirus. The components that are enabled by default sweep your system for spyware, boost your Internet speed, fix broken shortcuts, eliminate junk files and Registry items, and sweep away activity traces that could compromise your privacy. Running a scan using just these components took just a couple of minutes. On completion, it offered a summary of found problems with the option to dig in for detail and even exempt certain items from cleanup. Most users will probably just click the big Fix button. Before making any changes, IObit creates a rollback record. That way if by some mischance the cleanup causes trouble, you can undo its changes using the Rescue Center. As with the antivirus scan, the final page offered an Exclusive Offer button, encouraging me to buy more IObit products. The components not checked by default serve to defrag the Registry and hard drives, check for drive errors, optimize system settings for speed, and fix Windows vulnerabilities. I started a scan using all of the components, and was pleasantly surprised to find that it took just a few minutes more. The process of fixing found problems took about 30 minutes this time, since it included installing a few Windows updates and partially defragging the hard drive. But that's really quite a reasonable time to perform those deeper optimizations. Speed UpApparently speeding up your system isn't quite the same as optimizing it, so IObit offers a separate Speed Up page with four choices: Turbo Boost, Startup Accelerate, Deep Optimization, and App/Toolbar Cleaner. Turbo Boost is something you'll use sparingly, for times when you really need every ounce of performance. It terminates unnecessary applications and services and sweeps the system to release RAM that's allocated but not in use. Note that IObit maintains a tiny desktop widget that reports RAM and CPU usage—you can click its broom icon to sweep for RAM that can be released. By default, Turbo Boost operates in Work Mode. You can configure it to use Game Mode, which terminates even more services. Economy Mode aims to minimize power consumption so you can keep using a laptop whose battery is low. The Startup Accelerate component simply lists the programs that launch at system startup and lets you manage them. On the basic Startup Accelerate page, I couldn't figure out what to do. The two items listed just had Ignore in the Action column, and when I clicked it for one, that item vanished. Clicking the link for advanced configuration made things clearer. In this mode, I found I could set each item to enabled, disabled, or delayed, much like the similar feature in Norton. Its Deep Optimization list displayed Windows features, including Intelligent Disk Accelerate and Fast Startup, but reported them already optimized. Other tabs listed add-ins that launch with various browsers and non-essential Windows services. When I clicked for details under Deep Optimization, IObit offered a laundry list of settings to speed hard drive access, network connections, and overall system speed. Finally, the App/Toolbar Cleaner didn't show a thing, because it didn't find any suspicious browser apps or plugins. Avast and Panda Antivirus Pro 2016 offer similar toolbar clean-up tools. Toolbox and Action CenterYou may be a bit overwhelmed the first time you open IObit's Toolbox page. This page sports more than two dozen icons representing various types of utilities from IObit. Some are not currently installed, but can be downloaded (represented by a down-arrow icon overlay). Some of those must be purchased separately. Others are, those with no icon overlay, are already present, but may require payment for Pro features. To help you deal with icon overload, IObit now includes the option to put your favorite tools at the top. The only one of the toolbox items that's related to antivirus protection is a button for IObit Malware Fighter. Given this product's abysmal performance in our testing, I can't imagine why you'd choose to install it. As noted earlier, the Action Center tab touts a "VIP exclusive offer" to purchase other IObit products at drastically slashed prices. If you're not interested, just click the link to hide these offers. You'll also find IObit's software updater list in the Action Center. On my test system, Chrome, Firefox, and Java all needed update. IObit handled them as automatically as possible, though finalizing the Java update did require my participation. Given that Java and browsers are subject to extreme scrutiny by malefactors seeking security holes, keeping them up to date is very important. Not the Antivirus You're Looking ForIObit Advanced SystemCare Ultimate 9 uses Bitdefender's antivirus engine, yet its test results don't come close to Bitdefender's. The independent antivirus labs don't include it in testing. And where Bitdefender is the only current product that has beaten Norton in our antiphishing test, IObit scored near the bottom. As an antivirus, this product doesn't impress. Our Editors' Choice picks for commercial antivirus protection are Webroot SecureAnywhere Antivirus, Kaspersky Anti-Virus, and Bitdefender Antivirus Plus. All three cost $10 more than IObit, but that's a well-spent 10 bucks, as they offer much, much better protection. If you want antivirus plus system optimization, choose one of these products and add a top-rated tune-up product.

Doneo Castle

Even the best antivirus products are fairly utilitarian. You run a scan, make sure real-time protection is turned on, check that malware definitions are up to date, that sort of thing. Naturally the websites for these products are also strongly focused on the task of wiping out viruses (and on getting you to upgrade to a more advanced product). Doneo Castle, which the company claims is the "safest place on earth," varies from the norm. Its main Web page displays an imposing castle, and a sepulchral voice intones the product name ("done-oh castle") when you visit. Fun, right? And you get "completely clean data," without the need for a local antivirus. It's a lovely fantasy, but in reality, relying on this castle's walls to protect you would be a big mistake. Plans and PricingYou won't solve the mystery of Doneo Castle by signing up for a free trial. The closest you can come is an $8.99 refundable Happy Month subscription. There are plenty of other options: A $22.99 Safe Season subscription covers you for 90 days, and a $36.99 Six and Sound subscription is good for six months. For $69.99 you get a Best Year of protection for two devices. There's also a limited-time one-device $49.99 per year offer. They're Bad, We're GoodAccording to the Doneo Castle website, existing antivirus products "have the elementary structure of their first generation," and "still use a 20 year old algorithm which checks all files one by one against their virus database." They have a "primitive client-based structure" and can't match products in "resent [sic] years" that operate in the cloud. Current antivirus products "start scanning after the entrance of a virus in the system, which in any case put your security in danger." There are a few problems with those statements (besides the spelling and grammar). In truth, modern antivirus products use layer upon layer of protection. The old-fashioned signature-based detection system is still present, in most cases, but it doesn't work alone. Behavioral analysis, cloud-based detection, URL reputation checking: There are many technologies that go beyond Doneo Castle's claims, as you can see in our reviews of competing products. In particular, some products are very good at preventing malware from ever reaching your system. I run a test using very new malware-hosting URLs, checking whether products prevent the malware payload from reaching my test system. Symantec Norton Security Premium and McAfee AntiVirus Plus (2016) both earned 91 percent protection in this test. That's a far cry from "scanning after the entrance of a virus." Completely Clean Data?So what does Doneo Castle actually do? Once installed, it functions as a Virtual Private Network (or VPN), diverting all your Web traffic through the company's servers. According to the website, "All data before entering to your device will be checked against viruses, spyware, and malware by several engines." As a result, you receive "completely clean data." Doneo Castle relies on AVG's technology, along with the antivirus fighting powers of Avira Antivirus 2015 and Bitdefender Antivirus Plus 2016. Now, you may wonder why the company would rely on the same "primitive" and "20 year old" antivirus techniques decried by its own Web page. Sorry, I can't answer that. I did check with those three antivirus companies, asking about their partnership with Doneo Castle. The two that responded knew nothing about it; one mentioned bringing in the legal department. Difficult InstallationOnce you've signed up for the service, you can use your email address and password to enter the Chamber—the online dashboard for Doneo Castle. Don't try this on an old, small monitor. Unless your desktop is at least 1,280 pixels wide, you won't be able to see all of the Chamber, and there's no horizontal scrollbar. I had to widen my virtual machine's desktop in order to test this product. If you can't see all of the Chamber, you might not notice that you have some more work to do. Your incoming Internet traffic won't be sanitized until you install the VPN component, called Doneo Bridge. Fortunately, there's a utility to perform the installation. Unfortunately, it didn't entirely work in testing. I downloaded the DoneoBridgeCreator application, overriding Chrome's warning that it might be dangerous. I ran it, with no apparent effect. After some investigation, I found that it only worked if I right-clicked the file and chose Run as administrator. How many average consumers would figure that out? The company fixed this problem just before I completed the review. The fix seems to work, though of course, it doesn't help customers who hit the earlier problem and gave up. Once the utility finished its work, I did find Doneo Bridge as an available network connection. Alas, it rejected my attempt to log in, stating "Connections that use the L2TP protocol over IPSec require the installation of a machine certificate." It took quite a bit of digging to sort that one out. Naturally the real problem didn't relate to a certificate. It seems the installer failed to populate the Doneo Bridge connection's authentication properties with the correct pre-shared key. Going back to the Chamber, I found a link to "instractions [sic]" for manually installing Doneo Bridge. Poring over the steps (more than 20 of them) I found the key, entered it manually, and finally managed to connect to the Doneo Bridge. Whew! The instructions for manually installing the connection are specific to an earlier version of Windows—I'm guessing Windows 7. If you try to follow them in Windows 8.x or Windows 10, you'll hit a wall. Just before the release of this review, the company contacted me, reporting that they'd fixed the missing key problem. I verified that indeed the Doneo Bridge installer now runs correctly and doesn't need the Run as administrator workaround. Once again, though, this doesn't help users who gave up on encountering the problem before it was fixed. Poor ProtectionI double-checked that the product was installed correctly by attempting to download the EICAR test file, from the Anti-Malware Testing Standards Organization (AMTSO) Security Features Check page. Doneo Castle correctly blocked access to direct download of the file, though it failed the drive-by download test using the same test file. My malicious URL blocking test does use direct download, so it was time to proceed. For this test, I use a feed of recently discovered malware-hosting URLs, generously supplied by MRG-Effitas. When I run this test on a full-scale antivirus tool, I give equal credit for blocking URL access and for wiping out the malicious payload. With Doneo Castle, URL-blocking is the sole line of defense. I found that it took a very noticeably long time for the browser to open many of the URLs; I assume this was due to processing time on the Doneo Castle servers. In some instances, I got a large notification in the browser window stating that Doneo Castle blocked an infected file. It listed the filename and also displayed the three antivirus engine names with a checkmark next to the ones that detected the malware. Doneo Castle's accuracy was disappointing. Out of 100 malware-hosting URLs, it blocked just 31. That's a far cry from the promise of "completely clean data." As noted earlier, some products managed 91 percent protection in this test. Comparing it only with URL-based blocking by other products, Doneo Castle still doesn't look great. McAfee and Trend Micro Antivirus+ Security 2016 managed 85 percent strictly at the URL level. A product that offers nothing but Web-based protection needs to be really, really good at it. Doneo Castle isn't. Further DifficultiesAfter I managed to connect to the Doneo Bridge, I observed that nothing changed back in the Chamber. It still advised me to set up Doneo Bridge. Worse, after a reboot the bridge connection was lost, without any indication or warning. The average user wouldn't notice the loss of Doneo Castle protection, and would probably have a tough time figuring out how to log into it again. Among the choices on the Chamber's left-rail menu are My Key (to manage username and password), Statistics, FAQ, and Contact Us. These, along with the other left-rail menu items, did nothing. It turns out this was because I was running the product in a virtual machine. For some reason, Doneo Castle only works with Firefox inside VMware VMs. On a physical test system it functioned correctly under Firefox, Chrome, and Internet Explorer. Clicking the Statistics button got me a more detailed list of URLs that passed or failed Doneo Castle's safety check. It even listed which of the three antivirus engines blocked a bad URL. The Gift menu item is echoed by a Gift button. This lets you give "days of your own residency at Doneo Castle" as a gift. Basically, you shorten your own subscription period by offering a portion of it to a friend. Not surprisingly, the Purchase button and menu item both work fine. They bring up a page that lets you extend your subscription. Have Fun Storming the Castle, Boys!I really wanted Doneo Castle to be a winner. The imposing castle on the home page is so much more interesting than almost any competing site. I even sort of like the slightly wacky stream-of-consciousness screeds on the main page, e.g. "Our Leader Vint Cerf, Father of the Internet, crossed over to the telco side of the force. Cerf Vader and legions of imperial stormlawyers are now defending the death stars against the insignificant ISPwoks." (Not joking.)  Unfortunately, the protection just doesn't perform as promised. Perhaps in the future (or in a galaxy far, far away) Doneo Castle will reappear and make good its promise of "completely clean data." Until then, stick with our Editors' Choice antivirus products Bitdefender Antivirus Plus, Kaspersky Anti-Virus, McAfee AntiVirus Plus, and Webroot SecureAnywhere Antivirus. And don't believe anyone who says those products are relying on primitive 20-year-old technology.
Researchers with Kaspersky Lab identify how the Asacub mobile banking Trojan is making use of the same infrastructure as a Windows spyware Trojan. Security firm Kaspersky Lab is warning of an evolving threat f...
We were recently analyzing a family of mobile banking Trojans called Trojan-Banker.AndroidOS.Asacub, and discovered that one of its C&C servers (used, in particular, by the earliest modification we know of, as well as by some of the more recent ones) at chugumshimusona[.]com is also used by CoreBot, a Windows spyware Trojan. This prompted us to do a more detailed analysis of the mobile banking Trojan. The earliest versions of Asacub that we know of emerged in the first half of June 2015, with functionality that was closer to that of spyware Trojans than to banking malware. The early Asacub stole all incoming SMS messages regardless of who sent them, and uploaded them to a malicious server. The Trojan was capable of receiving and processing the following commands from the C&C: get_history: upload browser history to a malicious server; get_contacts: upload list of contacts to a malicious server; get_listapp: upload a list of installed applications to a malicious server; block_phone: turn off the phone’s screen; send_sms: send an SMS with a specified text to a specified number. New versions of Asacub emerged in the second half of July 2015. The malicious files that we are aware of used the logos of European banks in their interface, unlike the early versions of the Trojan, which used the logo of a major US bank. There was also a dramatic rise in the number of commands that Asacub could execute: get_sms: upload all SMSs to a malicious server; del_sms: delete a specified SMS; set_time: set a new time interval for contacting the C&C; get_time: upload the time interval for contacting the C&C to the C&C server; mute_vol: mute the phone; start_alarm: enable phone mode in which the device processor continues to run when the screen goes blank; stop_alarm: disable phone mode in which the device processor continues to run when the screen goes blank; block_phone: turn off the phone’s screen; rev_shell: remote command line that allows a cybercriminal to execute commands in the device’s command line; intercept_start: enable interception of all incoming SMSs; intercept_stop: disable interception of all incoming SMSs. One command that was very unusual for this type of malware was rev_shell, or Reverse shell, a remote command line. After receiving this command, the Trojan connects a remote server to the console of the infected device, making it easy for cybercriminals to execute commands on the device, and see the output (results) of those commands. This functionality is typical of backdoors and very rarely found in banking malware – the latter aims to steal money from the victim’s bank account, not control the device. The most recent versions of Asacub – detected in September 2015 or later – have functionality that is more focused on stealing banking information than earlier versions. While earlier versions only used a bank logo in an icon, in the more recent versions we found several phishing screens with bank logos. One of the screenshots was in Russian and was called ‘ActivityVTB24’ in the Trojan’s code. The name resembles that of a large Russian bank, but the text in the screen referred to the Ukrainian bank Privat24. Phishing screens were present in all the modifications of Asacub created since September that are known to us, but only the window with bank card entry fields was used. This could mean that the cybercriminals only plan to attack the users of banks whose logos and/or names they use, or that a version of Asacub already exists that does so. After launching, the ‘autumnal version’ of the Trojan begins stealing all incoming SMSs. It can also execute the following commands: get_history: upload browser history to a malicious server; get_contacts: upload list of contacts to a malicious server; get_cc: display a phishing window used to steal bank card data; get_listapp: upload a list of installed applications to a malicious server; change_redir: enable call forwarding to a specified number; block_phone: turn off the phone’s screen; send_ussd: run a specified USSD request; update: download a file from a specified link and install it; send_sms: send an SMS with a specified text to a specified number. Although we have not registered any Asacub attacks on users in the US, the fact that the logo of a major US bank is used should serve as a warning sign. It appears the Trojan is developing rapidly, and new dangerous features, which could be activated at any time, are being added to it. As for the relationship between Asacub and the Corebot Trojan, we were unable to trace any link between them, except that they share the same C&C server. Asacub could be Corebot’s mobile version; however, it is more likely that the same malicious actor purchased both Trojans and has been using them simultaneously. Asacub today Very late in 2015, we discovered a fresh Asacub modification capable of carrying out new commands: GPS_track_current – get the device’s coordinates and send them to the attacker; camera_shot – take a snapshot with the device’s camera; network_protocol – in those modifications we know of, receiving this command doesn’t produce any results, but there could be plans to use it in the future to change the protocol used by the malware to interact with the C&C server. This modification does not include any phishing screens, but banks are still mentioned in the code. Specifically, the Trojan keeps attempting to close the window of a certain Ukrainian bank’s official app. Code used to close a banking application In addition, our analysis of the Trojan’s communication with its C&C server has shown that it frequently gets commands to work with the mobile banking service of a major Russian bank. During the New Year holidays, the new modification was actively distributed in Russia via SMS spam. In just one week, from December 28, 2015 to January 4, 2016, we recorded attempts to infect over 6,500 unique users. As a result, the Trojan made the Top 5 most active malicious programs. After that, the activity of the new Asacub modification declined slightly. We continue to follow developments related to this malware.
Perhaps one of the most explosively discussed subjects of 2015 was the compromise and data dump of Hacking Team, the infamous Italian spyware company. For those who are not familiar with the subject, Hacking Team was founded in 2003 and specialized in selling spyware and surveillance tools to governments and law enforcement agencies. On July 5, 2015, a large amount of data from the company was leaked to the Internet with a hacker known as “Phineas Fisher” claiming responsibility for the breach. Previously, “Phineas Fisher” did a similar attack against Gamma International, another company in the spyware/surveillance business. The hacking of Hacking Team was widely discussed in the media from many different points of view, such as the legality of selling spyware to oppressive governments, the quality (or lack of…) of the tools and leaked email spools displaying the company’s business practices. One of these stories attracted our attention. How a Russian hacker made $45,000 selling a 0-day Flash exploit to Hacking Team So reads the title of a fascinating article written for Ars Technica by Cyrus Farivar on July 10, 2015. The article tells the story of Vitaliy Toropov, a 33-year-old exploit developer from Moscow who made a living by selling zero-day vulnerabilities to companies such as Hacking Team. In the Ars Technica article, Cyrus writes the following paragraph, which shows the original offer from the exploit seller: Excerpt from the Ars Technica article For a company like Hacking Team, zero-days are their “bread and butter” — their software cannot infect their targets without effective exploits and zero-days, especially those that can bypass modern defense technologies such as ASLR and DEP. Those exploits are in very high demand. The trade between these two continued until they finally agreed on purchasing an Adobe Flash Player zero-day, now defunct, for which Vitaliy Toropov promptly received a $20,000 advance payment. A good salesman, Vitaliy Toropov immediately mailed back and offered a discount on the next purchases. So writes Cyrus, in his Ars Technica story: Excerpt from the Ars Technica article This section of the story immediately spiked our attention. A Microsoft Silverlight exploit written more than two years ago and may survive in the future? If that was true, it would be a heavyweight bug, with huge potential to successfully attack a lot of major targets. For instance, when you install Silverlight, it not only registers itself in Internet Explorer, but also in Mozilla Firefox, so the attack vector could be quite large. The hunt for the Silverlight zero-day In the past, we successfully caught and stopped several zero-days, including CVE-2014-0515 and CVE-2014-0546 (used by the Animal Farm APT group), CVE-2014-0497 (used by the DarkHotel APT group) and CVE-2015-2360 (used by the Duqu APT group). We also found CVE-2013-0633 a FlashPlayer zero-day that was used by Hacking Team and another unknown group. We strongly believe that discovery of these exploits and reporting them to the affected software manufacturers free of charge makes the world a bit safer for everyone. So while reading the Ars Technica story, the idea to catch Vitaliy Toropov’s unknown Silverlight exploit materialized. How does one catch zero-days in the wild? In our case, we rely on several well-written tools, technologies and our wits. Our internal tools include KSN (Kaspersky Security Network) and AEP (Automatic Exploit Prevention). To catch this possibly unknown Silverlight exploit we started by investigating the other exploits written by Vitaliy Toropov. Luckily, Vitaliy Toropov has a rather comprehensive profile on OVSDB. Additionally, PacketStorm has a number of entries from him: This one caught our attention for two reasons: It is a Silverlight exploit It comes with a proof of concept written by Vitaly himself One can easily grab the PoC from the same place: Which we did. The archive contains a well-written readme file that describes the bug, as well as source codes for the PoC exploit. The exploit in this PoC simply fires up calc.exe on the victim’s machine. The archive includes a debug version compiled by the author, which is extremely useful to us, because we can use it to identify specific programming techniques such as specific strings or shellcode used by the developer. The most interesting file in the archive is: SilverApp1.dll:Size: 17920 bytesmd5: df990a98eef1d6c15360e70d3c1ce05e This is the actual DLL that implements the Silverlight exploit from 2013, as coded by Vitaliy Toropov. With this file in hand, we decided to build several special detections for it. In particular, we wrote a YARA rule for this file which took advantage of several of the specific strings from the file. Here’s what our detection looked like in YARA: Pretty straightforward, no? Actually, nowadays we write YARA rules for all high-profile cases and we think it’s a very effective way to fight cyberattacks. Great props to the Victor Manuel Alvarez and the folks at VirusTotal (now Google) for creating such a powerful and versatile tool! The long wait… After implementing the detection, we waited, hoping that an APT group would use it. Since Vitaliy Toropov was offering it to Hacking Team, we also assumed that he sold it to other buyers, and what good is a zero-day if you don’t use it? Unfortunately, for several months, nothing happened. We had already forgotten about this until late November 2015. On November 25th, one of our generic detections for Toropov’s 2013 Silverlight exploit triggered for one of our users. Hours later, a sample was also uploaded to a multiscanner service from Lao People’s Democratic Republic (Laos). This file was compiled in July 21, 2015, which is about two weeks after the Hacking Team breach. This also made us think it was probably not one of the older 2013 exploits but a new one. It took us some time to analyse and understand the bug. When we were absolutely sure it was indeed a new zero-day exploit, we disclosed the bug to Microsoft. Microsoft confirmed the zero-day (CVE-2016-0034) and issued a patch on January 12, 2016. Technical analysis of the bug: The vulnerability exists in the BinaryReader class. When you create an instance of this class you can pass your own realization of the encoding process: Moreover, for the Encoding process you can use your own Decoder class: Looking at the BinaryReader.Read() code, we see the following: Indeed, the “index” value was checked correctly before this call: But if you will look deeper inside InternalReadChars (this function is marked as unsafe and it is using pointers manipulations) function you will see the following code: The problem appears because the GetChars function could be user-defined, for instance: Therefore, as you can see we can control the “index” variable from user-defined code. Let’s do some debugging. This is a Test.buf variable, where 05 is the array length before triggering the vulnerability: After calling BinaryRead.Read method we are stopping in InternalReadChars method (index is 0): After this call we stopped in user-defined code: This is a first call of user-defined function and we return incorrect value from it. In the next iteration, the “index” variable contains the incorrect offset: After we change the offset we can easily modify memory, for instance: This is a Test.buf object after our modifications in decoder method: So, is this the droid you’ve been looking for? One of the biggest questions we have is whether this is Vitaliy Toropov’s Silverlight zero-day which he tried to sell to Hacking Team. Or is it a different one? Several things make us think it’s one of his exploits, such as the custom error strings. Of course, there is no way to be sure and there might be several Silverlight exploits out there. One thing is for sure though – the world is a bit safer with the discovery and patching of this one. One final note: due to copyright reasons, we couldn’t check if the leaked Hacking Team archive has this exploit as well. We assume the security community which found the other zero-days in the HackingTeam leaks will also be able to check for this one. If you’d like to learn how to write effective YARA rules and catch new APTs and zero-days, why not take our elite YARA training before SAS 2016? Hunt APTs with Yara like a GReAT Ninja (with trainers Costin Raiu, Vitaly Kamluk and Sergey Mineev). The class is almost sold out! Kaspersky products detect new Silverlight exploit as HEUR:Exploit.MSIL.Agent.gen.
The Raspberry Pi Foundation was offered cash to smuggle malware onto its bargain-basement credit-card-size computers, we're told. Liz Upton, the Foundation's director of communications, today revealed an email from a "business officer" called Linda, who promised a "price per install" for a suspicious executable file. "Amazing. This person seems to be very sincerely offering us money to install malware on your machines," said Liz. The name of the company Linda claimed to represent was redacted, so we are unable to check the veracity of the offer. Plus the email, dated Wednesday, does contain a number of odd details – like writing exe. rather then .exe, and using "u" in place of "you." Some of the language also points to someone whose first language is not English. Amazing. This person seems to be very sincerely offering us money to install malware on your machines. pic.twitter.com/1soL0MIc5Z — Raspberry Pi (@Raspberry_Pi) December 23, 2015 It's fair to say Linda's approach wasn't exactly professional. However, the offer seems genuine, and it shines a light on the murky world of paid-for malware distribution. There are countless examples of software nasties being installed on systems via unrelated applications – toolbars and spyware bundled with legit-looking apps, mainly. Sometimes the developer directly plants the dodgy code, but more often than not the malware comes from a third-party willing to pay for access to PCs and devices. While some malware is relatively benign and easy to remove, others severely compromise computers – allowing them to hold files to ransom, snoop on passwords, hide within operating systems, and so on. Some ad-injecting software nasties even come bundled with new PCs, right, Lenovo? More than five million Raspberry Pis have been sold to date, which is quite an install base. The Foundation declined Linda's offer, and described her company as "evildoers." ® Sponsored: Building secure multi-factor authentication
Hacking Team code is the most professionally developed Android malware ever exposed.