Thursday, November 23, 2017

Tag: The Blacklist

It's nearly 2017, and Word macros are STILL spreading malware

The miscreants behind the Nymaim malware dropper have updated their code to include better obfuscation and blacklisting against security software. Analytics outfit Verint, which discovered the latest version and offers its analysis here, says the new code base targets phishing rather than the drive-by-download approach favoured by the original version of the malware. Nymaim has been around since 2013, but has gone through a few iterations to try and stay ahead of threat researchers.

Verint asserts that attacks are rising, up 63 per cent compared to last year. They write that the variant has “new delivery mechanisms, obfuscation methods, PowerShell usage and even an interesting form of ‘anti-security solution/analysis’ blacklisting”. The blacklist check happens pretty soon after the payload launches: it uses a MaxMind query to learn how the victim machine is connected to the Internet, and checks the query results for names of common security solutions (Fortinet, Cisco, Trend Micro and the like). If it finds a match against the blacklist string, the Nymaim payload stops without trying to download the next stage payload. The sample Verint's researchers got their hands on arrived as a macro in a compromised Word document. ®

Ashampoo Anti-Virus 2016

The vast majority of antivirus products come from companies that design nothing but security software.

Ashampoo Anti-Virus 2016 is a big exception to that rule.

Based in Oldenburg, Germany, Ashampoo offers dozens of applications, including system utilities, multimedia software, CAD programs, business tools, and more.
In my testing, the product worked quite well, but I'd feel safer with an antivirus that has been vetted by the independent antivirus testing labs.

Security companies typically must keep a team of researchers busy, analyzing the latest malware and devising defenses.

That makes sense; it's their business! But you wouldn't expect to find a similar team working at a general-purpose software house like Ashampoo.

And you won't—Ashampoo licenses Emsisoft's antivirus engine, and Bitdefender's as well, leaving those two to do the research and development. I was somewhat surprised to find that a one-year Ashampoo license costs $49.99, 10 dollars more than Emsisoft Anti-Malware 11.0, Bitdefender, and many others.

Emsisoft also offers many levels of volume discount prices; switch your order from one license to two and you pay 30 percent less for each; go to three and it's 50 percent. When I filled in larger numbers on the Ashampoo site, it simply priced them out as multiples of the one-license price, no discount. However, my company contact pointed out that there's almost always a deal of the day, or deal of the week, in place, so that "close to none of our customers ever had to pay full retail prices for any of our products." Like Emsisoft, Ashampoo's main window features a big status panel that's green as long as everything is humming along nicely.
If something's not configured correctly, it turns red and offers a button to fix the problem.

Four other panels cover scans, quarantine, updates, and bonus tools. Like Emsisoft (I'm going to get tired of saying that!) it echoes these panels in a menu across the top.

But unlike Emsisoft, there's hardly anything to configure.

Ashampoo's aim is to keep things simple. In addition to the expected full, quick, and custom scans for malware, Ashampoo includes a separate scan for removable devices.
I'm not sure how necessary that is.
Some products, notably Panda Free Antivirus (2016), can actually modify your removable devices to prevent infection by autorun-launched malware.

That's a more worthwhile feature.

No Help From the Labs

Serious security companies submit their software to independent testing labs.

This serves to validate their technology, and also helps them identify any areas that need more work.

Certainly it's impressive when a vendor's website can display top-level certification from multiple labs. Three of the labs that I follow test Emsisoft Anti-Malware, and four of them include Bitdefender Antivirus Plus 2016.

Both products score very well.
Since Ashampoo licenses technologies from both of these, one might be tempted to assume it would score just as well. However, the labs themselves make one thing very clear; their results apply only to the tested product, period.
I've observed for myself that vendors don't always make proper use of the technology they license, or don't license the entirety of the other vendor's technology. None of the labs I follow test Ashampoo itself, so for this review I don't have any guidance from the labs.

That's a shame.

The fact that Kaspersky Anti-Virus (2016) and Bitdefender get such high lab scores gives me plenty of confidence to recommend them.

Impressive Malware Blocking

It was sheer coincidence that I wound up testing Emsisoft and Ashampoo at the same time.
I didn't know about the connection until later.

And in truth, I wouldn't have guessed it from the way the two behaved in my hands-on malware blocking test. To start this test, I simply open my folder of samples, which is enough to get some products scanning.
If nothing happens, I click on each sample. When that doesn't get a rise out of the antivirus, I copy the samples to a new folder.

That's the point where Emsisoft's default real-time protection kicked in.

But Ashampoo didn't react at all until I attempted to launch the samples. On the one hand, a Trojan that's just sitting on disk, never launched, isn't actively harmful.

But on the other hand, if your antivirus were to crash or get turned off, and if that Trojan were somehow launched, you'd have trouble.
I'd feel safer with an antivirus that doesn't wait until the last minute.

And no, you can't configure it to do otherwise. When I did start launching the samples, Ashampoo caught almost all of them instantly, before they executed a single line of code.

This left Windows a tad confused, displaying the message "This file is currently not available for use on this computer," but it was effective. I was a bit disturbed to find that Ashampoo's default action on detecting malware is to just prevent execution, leaving the file in place.
In addition, from time to time Ashampoo displayed the message, "Restarting antivirus engine. Please wait." Did that mean the antivirus was temporarily inactive? Probably not, but it raised my worry level. I did find that clicking the More Options button afforded me some more sensible choices. Here I could block the file and quarantine it, or block and delete it.

But it also gave me the option to allow execution and whitelist the file, or allow and whitelist "this infection." Why would you do that? My company contact admitted that "this is indeed a possible gateway, especially if the PC is used by an inexperienced user," but that it was necessary due to the possibility of false positives. My own thought is that the antivirus should block and quarantine found malware by default.
In the event of a false positive the user can rescue the item from quarantine.

For testing, I always chose block and quarantine. One sample that did manage to launch gave Ashampoo some trouble.

The sample itself was a Trojan that looked like a chat application, but once it got running Ashampoo reported behavior suggestive of spyware.
I clicked Block again and again, but the warning kept recurring.

There was no option to always block the behavior. My only other choices were to allow the action or to whitelist the program.

As a tester I had an easy out; I just reverted the virtual machine to a clean state.

The average user would be stuck clicking Block over and over again. On the plus side, Ashampoo tied Webroot SecureAnywhere AntiVirus (2016), with 100 percent detection of the samples. Webroot also earned a perfect 10 points in this test; Ashampoo's 9.8 points is better than any other product tested with my current set of samples or the previous set.

Emsisoft scored 9.4 points, which is still pretty good. Note that this is a big improvement for Ashampoo.
Its previous edition, tested against my previous malware collection, earned just 7.5 of 10 possible points, a poor score.

Good Malicious URL Blocking

My malicious URL blocking test revealed the tight connection between Emsisoft and Ashampoo.

This test uses malware-hosting URLs very recently discovered by researchers at MRG-Effitas.
Since I had both products in hand, I ran their malicious URL blocking tests simultaneously.
In almost every case, the products behaved identically.
If one blocked access to the URL, so did the other.
If one wiped out the file during download, so did the other.

And if one did nothing, so did the other. In addition, both products use a somewhat unusual technique for blocking these dangerous URLs. Most antivirus utilities divert the browser to a warning page.

Ashampoo and Emsisoft just block the connection, leaving the browser to display an error message.

A transient popup lets the user know what happened. Ashampoo blocked 67 of 100 samples at the URL level and eliminated another 21 during download, for a total of 88 percent protection.

That's pretty good, but Avira Antivirus Pro 2016 recently managed 99 percent protection. Prior to that big win, the highest score was 91 percent, shared by Norton and McAfee AntiVirus Plus (2016).

Suspicious Behavior

Whenever I see an antivirus that reports on suspicious behavior, I immediately wonder if that feature might be triggered by valid programs as well.
In some cases, my hand-coded test utilities are seen as suspicious, which is completely reasonable.

For example, a program that launched hundreds of malware-hosting URLs, and that's never been seen outside of one particular computer? That's suspicious! Ashampoo left my tools alone, and let most of my collection of sample valid programs install and run without issue.
It did report one sample as suspicious, accusing it of injecting code into other processes.
Indeed, this utility has to take control of Windows Explorer somewhat in order to control icon placement on the desktop.

But that alone doesn't make it malicious. In my testing, just two programs triggered suspicious behavior warnings, one malware sample and one legitimate utility.

That's not as bad as Emsisoft, which reported suspicious behavior by fully a third of my valid programs, or Comodo Antivirus 8, which warned about as many as five different behaviors for some.
I'm just not a fan of behavior monitoring systems that warn about single, simple actions, leaving the user to make the security decision.

Poor Phishing Protection

Ashampoo handles phishing sites (fraudulent sites that try to steal your security credentials) the same way it does malware-hosting sites.
It pops up a transient warning and prevents the browser from accessing the site. However, its antiphishing performance left a lot to be desired. For this test, I gather a large collection of URLs that have been reported as fraudulent but haven't yet been verified and blacklisted.

By the time a phishing URL is on the blacklist, it very well may have vanished.
Invariably, quite a few of the reported URLs are already dead by the time I try them in testing. I simultaneously launch each URL in five browsers, one protected by the product under test, one by long-time phish-killer Symantec Norton Security Premium, and one apiece by the protection built into Chrome, Firefox, and Internet Explorer. In this test, Ashampoo's scores tracked very closely with those of Emsisoft, but slightly lower.

Both are among the lowest scores for recent products.

Ashampoo's detection rate lagged 79 percent behind Norton's and well over 50 percent behind both Internet Explorer and Chrome.
It did beat Firefox, but in my tests Firefox seems to be in an antiphishing slump.

Don't rely on Ashampoo for phishing protection. Note that Bitdefender owns the all-time top score in this test; apparently Ashampoo didn't license antiphishing.

Bonus Tools

Ashampoo comes with six bonus tools, but several of them are too advanced for the average user.

As the Tools window warns, each time you launch one of these, the program must restart with Administrator privilege, meaning you'll have to respond to a User Account Control prompt. The File Wiper can come in handy if you need to delete sensitive information so thoroughly that it can't be recovered even with forensic hardware.

By default, it overwrites a file's data seven times with different bit patterns and then deletes it. You can crank it down to three or one overwrites.

The technicians I've talked with at DriveSavers say that even a single overwrite makes a file extremely hard to restore.

Going the other direction, you can select the Gutmann Method, which overwrites files 35 times. Naturally the trade-off is time—more overwrites take longer.

But even at the highest level, the process didn't take long.
I dropped a folder containing 50MB of files onto the File Wiper and clicked Destroy.

The process took 25 seconds. Note that many products offering secure deletion don't let the user tweak details like the number of overwrites.

ThreatTrack Vipre Antivirus 2016 is an example. Worried about someone tracking your Internet antics via traces left in the browser? The Internet Cleaner wipes browsing traces for Internet Explorer, Firefox, Opera, Chrome, Safari, and Edge.

Data removed includes cookies, caches files, and browser history, among other things.

There's an option to exempt certain cookies from deletion; it comes preloaded with URLs for Amazon, eBay, and Ashampoo.

Click Delete now and your browsing traces quickly vanish. Like Norton, Ashampoo includes a tool to manage those programs that launch at startup. Norton reports each program's resource usage, and its prevalence among Norton users.

Ashampoo takes a different tack, reporting on the program's average rating by Ashampoo users, if available. You can add your own rating, if you like.
It also reports on Internet Explorer plug-ins.

To reversibly disable any item from launching at startup, just un-check the box. Of course, the change doesn't take effect until you reboot. The remaining three tools are for experts, not average users. One of them searches for files on NTFS-formatted drives that contain Alternate Data Streams or ADSes, but points out that while a malicious program may hide data in an ADS, valid programs use them too.
Indeed, the only ADS found on my test system was in the Ashampoo installer! The Layered Service Provider Viewer lists all LSPs on your system and flags any that aren't standard. Once again, these may be perfectly valid. My test system necessarily uses two LSPs from VMware.

Finally, the Hosts File Checker looks for possible malicious modification of the Hosts file, which overrides the normal mapping of domain names to IP addresses.
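As an added example of the kind of check such a tool performs (Python written for this page, not Ashampoo's code), the following parses hosts-file text and flags two things: names from a constructed watch list that should never be pinned in a hosts file at all, and any name mapped to an address outside the loopback, link-local and private ranges. The sample hosts file, the watched names and the addresses are constructed.

```python
from __future__ import annotations

import ipaddress

# Constructed watch list: names that have no business being pinned in a hosts file
# (a bank's site, an AV vendor's update host). A real deployment would load these.
WATCHED_HOSTS = {"www.example-bank.test", "update.example-av.test"}

# Address ranges a legitimate hosts entry normally points at.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "::/128", "fc00::/7", "fe80::/10",
)]


def is_local(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    # `addr in net` is False when the IP versions differ, so mixing v4/v6 here is safe.
    return any(addr in net for net in LOCAL_NETS)


def parse_hosts(text: str) -> list[tuple[int, object, str]]:
    """Return (line number, address or None if malformed, hostname) for every mapping."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            entries.append((lineno, None, fields[0]))
            continue
        for host in fields[1:]:
            entries.append((lineno, addr, host.lower()))
    return entries


def suspicious_entries(text: str) -> list[tuple[int, str, str, str]]:
    """Return (line number, hostname, address, reason) for entries worth a closer look."""
    findings = []
    for lineno, addr, host in parse_hosts(text):
        if addr is None:
            findings.append((lineno, host, "", "malformed line"))
        elif host in WATCHED_HOSTS:
            findings.append((lineno, host, str(addr), "watched name pinned in hosts file"))
        elif not is_local(addr):
            findings.append((lineno, host, str(addr), "maps to a non-local address"))
    return findings


# Constructed sample; the addresses are documentation ranges, not real hosts.
SAMPLE_HOSTS = """\
# constructed hosts file for the example
127.0.0.1      localhost
::1            localhost ip6-localhost
10.0.0.5       intranet.corp.example        # private address: not flagged
203.0.113.9    www.example-bank.test         # watched name redirected
0.0.0.0        update.example-av.test        # watched name sinkholed
198.51.100.7   cdn.example.test              # ordinary name, non-local address
"""

if __name__ == "__main__":
    for lineno, host, addr, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {addr or '?'}: {reason}")
```

The private and documentation ranges are listed explicitly rather than relying on the `is_global` property, because Python classifies the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation ranges as non-global, which would hide the constructed sample's findings. A watched name is flagged whatever it points at, including 0.0.0.0, since pinning it at all is the anomaly.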

Geeky!

Great Scores Aren't Quite Enough

Using technology licensed from Emsisoft and Bitdefender, Ashampoo Anti-Virus turned in an excellent score in our hands-on malware-blocking test and a very good score in our malicious URL test.
It scored poorly in the antiphishing test, though, and the independent testing labs have nothing to say about it.
If you're desperate to use Emsisoft's antivirus technology, you're probably better off getting it directly from Emsisoft, unless you're really excited by Ashampoo's bonus tools. Better still, choose one of our four Editors' Choice products.

Bitdefender Antivirus Plus gets great lab scores; Kaspersky Anti-Virus rates even higher. Webroot SecureAnywhere AntiVirus aced our in-house antimalware test, and it uses an amazingly tiny amount of resources.

All three cost less than Ashampoo. You might think at first that McAfee AntiVirus Plus is more expensive, but your subscription lets you install protection on any number of Windows, Mac, or mobile devices.

And all four companies are squarely focused on security.
There are so many sites that store passwords in the clear that normally when I come across one, I make a mental note to never trust it with anything too important, or to find a similar service that actually does care about security. However, as Alex North has recently discovered, when it's your own government's taxation office and it somehow believes that it's following best practice, a seething ball of rage slowly worked its way up from my spleen. The Australian Taxation Office (ATO) has been storing passwords in plain text. I don't need to tell you why that's a bad idea. We've already seen how disastrous it can be when companies only store unsalted hashes of passwords — the Australian Broadcasting Corporation (ABC) joined LinkedIn on that honour roll recently. North found out by requesting his password from the ATO's Publications Ordering Service, shortened, perhaps appropriately, to POS.

This is where I'd normally shake my head, but walk on by.

There are hundreds, if not thousands of companies that have little clue as to how bad this practice can be, so much to the point that a name-and-shame site called Plain Text Offenders exists. But the remarkable thing about North's finding is that he went one step farther, made a complaint, and received a reply from the ATO's "technical area". The ATO's response was that the process it follows is one of the most commonly adopted methods of password recovery, and is safe because the recovered password is only sent to the user's registered email address. I sure hope not.

There are plenty of sites that do the wrong thing, but the majority of responsible sites I've seen tend to do the right thing and require a time-sensitive confirmation link. It's not perfect, considering that email is typically not a secure medium, but done right, the confirmation link expires when used or after a period of time, unlike the password.

Although North didn't go digging any further, I figured I would — and I found that the problems get even worse, although the ATO's "technical area" has some idea of basic security concepts. Take poor password generation, for example: It has a script that will check if your password is one in a blacklist of common passwords. However, that entire dictionary is checked client side in a script, and is hardly comprehensive. In fact, some of the other password complexity requirements mean that a lot of the words in the blacklist don't even qualify.

Part of the POS password ban list. (Image: Screenshot by Michael Lee/ZDNet)

My dodgy password of "Password1", for instance, made the cut. But given that all of this checking happens on the user/attacker's own computer, there's nothing to stop them from hijacking the JavaScript and skipping the checks.

That's not the only place that client-side verification occurs. Attempt to log in with the wrong credentials enough times, and another JavaScript function will kick in, disabling the login form for 3 seconds. Someone at least knows that attackers can and do brute force systems, but hasn't figured out that it doesn't happen by entering usernames and passwords manually. This happens on the two other sites set up for businesses and tax agents, although the tax agent site redirects users to a page telling them that they'd been locked out of the site for 24 hours. That would be a crude but effective measure, only it doesn't actually lock anyone out. In fact, the tax agent site doesn't even prompt for a password, only a tax agent number (TAN).

And with a number of them freely Google-able, one could probably log in under someone else's account, passwords be damned. But, as North pointed out sarcastically, big deal. POS is a government service, so anyone can order free documents. In fact, anyone can sign up, order a bunch of documents and have them sent to various addresses if they really wanted to.

The whole system is flawed, not just the password requirement. We put our own query to the ATO, and it confirmed that its POS site stores passwords in plain text, but it also highlighted that the system is an external application hosted and managed by its "publication warehouse supplier". That means, at least, that it's separate to more sensitive information, as it is "unable to access taxpayer information or their details" and "there are no financial or bank account details stored on POS". It also acknowledged that as "with any online ordering system, if a person was so inclined, they could place orders to another address. In addition to our ongoing consideration of security developments, we monitor requests to identify out of the ordinary activity, which may include repeat or 'over the limit' requests". The difference between "any online ordering system" and POS, however, is that most people have to pay for the product.

There is (thankfully) no payment mechanism in place for POS, as the ATO funds the printing and delivery of the products. But who funds the ATO? Taxpayers, ultimately. As for entering TANs, the government is able to help attackers out there, too. Unlike Tax File Numbers (TFNs), which taxpayers are not meant to share, TANs are publicly available information that can be looked up on the Tax Practitioner's Board. The ATO told us that with this information, an attacker would be able to "view the requester's contact details and past and current orders of ATO material", which admittedly isn't ground-breaking information to have, but it leaves me wondering what the point of a login system was in the first place. Nevertheless, the ATO told us, "security is important to us; while we feel this represents a low risk overall and operates completely separate to ATO systems, we are working with our supplier to address best-practice security measures, including improvements that can be made to this system for the future." Hopefully, this will be sooner rather than later. But judging from the ATO's response, it may not be in a rush.

After all, it told us that "POS has not been compromised once in it[s] years of operation". The point is not about not being breached; it's about what you do when you have been.

In the ATO's case, it will lose all of its passwords, many of which are probably being used on other sites.

The only thing it will be able to do for its users is send an apologetic email, shoving the responsibility to them to clean up the mess. If you look at Evernote, which I am using as an example because it suffered a breach over the weekend, it has done (most of) the right things. Passwords were hashed and salted, which means that unlike just hashing, which simply obfuscates poor passwords, they are close to impossible to get the plain text from. Upon learning of a breach, it instituted a password reset on its users, just in case. While it arguably could have done a better job at informing its users that it had actually reset their passwords, it checked all the right boxes when it came to ensuring that passwords are being responsibly stored. The best part about it? Most don't even pay Evernote for this.
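As an added example (not the ATO's, the POS site's or ZDNet's code), here is what the server-side versions of the controls discussed in this article look like in Python: a weak-password blacklist that is enforced on the server and normalises before comparing, so a password like "Password1" is caught rather than waved through; salted, deliberately slow password hashing with a constant-time check, in place of plaintext storage; a single-use, time-limited reset token in place of emailing the password back; and a failed-login lockout that the server enforces instead of a client-side JavaScript delay. The blacklist contents, thresholds and user names are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 600_000   # slow, salted hash; tune so one check costs on the order of 100 ms
MIN_LENGTH = 8
# Constructed stand-in for a real blacklist, which is far larger and lives only on the server.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def password_rejected(password: str) -> str | None:
    """Return a reason if the password is unacceptable, else None.
    Runs on the server, so bypassing client-side JavaScript changes nothing, and it
    normalises before comparing: 'Password1' still matches the entry 'password'."""
    if len(password) < MIN_LENGTH:
        return "too short"
    stripped = password.lower().rstrip("0123456789!@#$%^&*")
    if password.lower() in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        return "too common"
    return None


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Per-user random salt plus a slow KDF; only (salt, digest) is ever stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class ResetTokens:
    """Time-limited, single-use reset links instead of emailing the password back."""
    TTL_SECONDS = 15 * 60

    def __init__(self, clock=time.time):
        self._clock = clock                       # injectable for testing
        self._pending: dict[bytes, tuple[str, float]] = {}

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).digest()   # store a hash, never the token
        self._pending[key] = (username, self._clock() + self.TTL_SECONDS)
        return token                                    # this goes into the emailed link

    def redeem(self, token: str) -> str | None:
        key = hashlib.sha256(token.encode()).digest()
        entry = self._pending.pop(key, None)            # pop: a link works at most once
        if entry is None:
            return None
        username, expires_at = entry
        return username if self._clock() <= expires_at else None


class LoginThrottle:
    """Server-side lockout; a client-side delay is enforced by nothing at all."""

    def __init__(self, max_failures: int = 5, lock_seconds: int = 900, clock=time.time):
        self.max_failures, self.lock_seconds, self._clock = max_failures, lock_seconds, clock
        self._state: dict[str, list] = {}   # username -> [failure_count, locked_until]

    def allowed(self, username: str) -> bool:
        _count, locked_until = self._state.get(username, (0, 0.0))
        return self._clock() >= locked_until

    def record(self, username: str, success: bool) -> None:
        if success:
            self._state.pop(username, None)
            return
        count, locked_until = self._state.get(username, (0, 0.0))
        count += 1
        if count >= self.max_failures:
            locked_until = self._clock() + self.lock_seconds
            count = 0
        self._state[username] = [count, locked_until]


if __name__ == "__main__":
    print(password_rejected("Password1"))             # too common, despite the digit
    salt, digest = hash_password("correct horse battery")
    print(verify_password("correct horse battery", salt, digest))
```

Two design points worth noting: the reset store keeps only a hash of the token, so a database leak does not hand out working reset links, and the lockout state is keyed per user on the server, which is the only place a brute-force counter means anything.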