Kaspersky Lab detection technologies wp0607 - Tech Data Worldwide

Date post: 03-Feb-2022

Kaspersky Lab core detection technologies

Comprehensive protection from threats of today and tomorrow

Whitepaper


CONTENTS

1 INTRODUCTION ... 4
2 GOOD & BAD ANTI-VIRUS ENGINES ... 5
3 KEY FEATURES OF THE KASPERSKY® ANTI-VIRUS ENGINE ... 6
  3.1 SIGNATURE ANALYSIS ... 6
  3.2 CHECKSUMMING ... 7
  3.3 TECHNIQUES FOR DETECTING POLYMORPHIC VIRUSES ... 7
    Reduced masks ... 8
    Known plaintext cryptanalysis ... 8
    Statistical analysis ... 9
    Emulation ... 9
    Polymorphic viruses: summary ... 9
  3.4 PROCESSING COMPLEX OBJECTS ... 10
  3.5 HEURISTIC ANALYSIS ... 11
    Static heuristic analysis ... 11
    Dynamic heuristic analysis ... 12
  3.6 GENERIC DETECTION ... 12
  3.7 DETECTION OF MALICIOUS CONTENT ... 13
  3.8 DETECTION OF ROOTKITS ... 13
  3.9 DETECTION OF MOBILE THREATS ... 15
  3.10 DETECTION OF SPYWARE ... 16
    Adware ... 18
    Pornware ... 18
    Riskware ... 18
  3.11 UPDATING VIRUS SIGNATURES ... 18
4 OTHER CORE DETECTION TECHNOLOGIES ... 19
  4.1 PROACTIVE DEFENSE MODULE ... 19
    Worm.Generic ... 20
    Worm.P2P.Generic ... 20
    Trojan.Generic ... 20
    Buffer overrun ... 20
    Data Execution ... 20
    Root shell ... 20
    Internet Browser Launchers ... 20
    Invaders ... 21
    Hidden Objects (Rootkits) ... 21
    Suspicious values in registry ... 21
    Strange system behavior ... 21
    Hidden installers ... 21
    Keyloggers ... 21
    Trojan Cryptors ... 21
    Hidden data sending ... 21
    Private data and password access ... 21
    Application Integrity Control ... 22
    Registry Guard ... 22
    Office Guard ... 22
  4.2 PERFORMANCE OPTIMIZATION ... 22
    iChecker™ and iSwift™ ... 22
    Suspension of scanning when the system is under load ... 23
    iCure™ ... 23
  4.3 COMBATING ACTIVE THREATS ... 23
    Active threat disinfection ... 23
    Rescue Disk ... 24
5 CONCLUSION ... 24
6 APPENDIX 1. TODAY'S THREAT LANDSCAPE: FROM CYBER VANDALISM TO CYBER CRIME ... 25
7 APPENDIX 2. EVALUATING ANTI-VIRUS PRODUCTS ... 28
    Magazine reviews ... 28
    Tests and certifications based on the WildList ... 29
    Comprehensive anti-virus detection tests ... 29
    Summary ... 30


1 Introduction

It's clear that the nature of the threat to PC users has changed significantly over the years. Today's threats are more complex than ever before. Much of today's malware (short for malicious software), which includes Trojans, backdoors and spammers' proxy servers as well as viruses and worms, is purpose-built to hijack users' machines; and a single Trojan can easily be found on many thousands of infected PCs. Malicious code may be embedded in e-mail, injected into fake software packs, or placed on 'grey-zone' web pages for download by a Trojan installed on an infected machine. There has also been a growth in spyware, adware, dialers and other 'unwanted', but non-viral, programs. The scale of the problem, in terms of numbers alone, has also continued to increase.1 At the same time, the anti-virus market is saturated with products. This raises the question of how to choose the best product. Which ones will guarantee maximum protection? Which ones offer the most efficient combination of technologies capable of comprehensively protecting your computer and network from all types of malware and potentially unwanted programs? The core of any anti-virus product is the anti-virus engine, a software module purpose-built to find and remove malicious code. The engine is developed independently of any specific product implementation, so it plugs in equally well into personal products, like personal scanners or real-time monitors, and into solutions for servers, mail scanners, file servers, firewalls and proxy servers. The reliability of malicious code detection, and hence the security level provided by the engine, ultimately depends on the engine's structure, its detection methods and the heuristic technologies implemented in the engine. This document outlines the key elements of the Kaspersky® anti-virus engine and other core technologies. This includes scanning features that are common to many anti-virus products, but also unique technologies that make the Kaspersky® anti-virus engine so effective at finding and removing malicious code.

1 Kaspersky Lab anti-virus databases now contain more than 250,000 records.


2 Good & bad anti-virus engines

Anti-virus vendors tend to conceal the details of their engines from the public, and with good reason: they have no wish to publish information that hackers or virus writers could use to circumvent particular techniques used in the engine. However, there are indirect ways to determine whether a particular engine is good or bad, i.e. how effective it is at finding and removing malicious code. Below is a list of the main criteria for selecting an anti-virus engine.

• Quality of detection indicates the effectiveness with which the anti-virus program detects viruses, worms, Trojans and potentially undesirable programs (including spyware programs). The best way to assess an anti-virus vendor's detection capability is to check out its track record in a range of independent tests.2

• Level of proactive detection indicates a program's ability to find new, unknown threats. Proactive detection has become increasingly important given the speed at which today's threats spread. Unfortunately, it's very difficult to assess a product's capability in this area without access to a virus collection. However, a number of independent test organizations have begun to include this in their test methodologies. In addition, the number of false alarms is also indicative of the quality of an engine's heuristic analyzer. Clearly, high proactive detection levels are only useful if they don't come with a high false positive rate.

• Number of false alarms is an important measure of an engine's quality. If an anti-virus program reports an infection in a clean file, this is called a false alarm, or false positive. Frequent false alarms not only undermine a user's confidence in a program's heuristic analyzer; they can also prevent a user from recognizing a new virus (the program wrongly detects legitimate programs so often that the user stops trusting it).

• Detection of malicious code inside compressed, archived and packed formats is critical because virus writers frequently compress their code using different compression utilities to produce several distinct executables. In fact, all these executables are duplicates of the same virus. If an anti-virus engine supports all (or almost all) popular compression utilities, it will easily detect all copies of the same virus and determine its name. Other anti-virus programs, by contrast, will require a virus definition update (and may also require additional time for analysis by one of their virus researchers).

2 See Appendix 2 Evaluating anti-virus tests for further information.


• Update size and frequency are also indicative of the quality of an anti-virus engine (as well as the quality of the vendor's research team). While the engine itself is designed to be updated infrequently, frequent updates to the anti-virus databases guarantee that a user will be constantly protected from the latest threats. The size of each database update (as well as the number of detected threats) shows the quality of the anti-virus databases and, to some degree, the engine itself.

• Engine-only updating, without the need to update the entire anti-virus program, indicates the efficiency of the engine technology. In some cases, in order to detect a virus, a user must update not only the anti-virus database but also the engine. If it's not easy for the customer to update the engine, the user's computer or network may become infected with a new virus. In addition, engine-only updating allows a vendor to quickly troubleshoot and improve the engine, or extend its functionality.

3 Key features of the Kaspersky® anti-virus engine

The appearance of the first computer viruses forced programmers to react quickly. This led to the creation of the first anti-virus programs. Since then, anti-virus software has changed dramatically in response to the changing threat posed by each successive generation of malware. Today's anti-virus programs differ as much from the old solutions as an up-to-date PC differs from, say, a calculator. The Kaspersky® anti-virus engine is integrated into all Kaspersky® anti-virus products and delivers a unique combination of technologies necessary for the successful detection of malicious code. The Kaspersky® anti-virus engine is designed on the basis of a powerful and flexible logical subsystem that employs all the latest methods to find and remove malware. The key features of the Kaspersky® anti-virus engine are outlined below.

3.1 Signature analysis

A signature is a unique sequence of bytes that is specific to a piece of malicious code. Signature analysis, or a modification of it, was (and remains) one of the first methods used in anti-virus engines to detect viruses and other malware. Obvious advantages of this method are its high speed (especially with the use of special algorithms) and the fact that several threats can be detected using just one signature. On the other hand, a serious disadvantage is that, for reliable detection of malicious code, the signature must be large, at least 22-40 bytes (anti-virus producers usually use longer signatures, of up to 64 bytes, to ensure detection), so the size of the anti-virus database increases accordingly. Another challenge for this method is that much contemporary malware is written in high-level languages such as C++, Delphi or Visual Basic. Programs written in these languages contain fragments of code that do not change from one program to the next (the so-called run-time library). If an incorrectly chosen signature (one taken from such a shared fragment) is used, this leads to false alarms, where a clean file is reported to be infected. The false alarm problem can be solved by using extremely large signatures, or by restricting detection to certain data areas like relocation tables or text strings, but both approaches are undesirable.

3.2 Checksumming

Checksumming is a method based on calculating CRC (Cyclic Redundancy Check) checksums and is a modification of signature analysis. The method was developed to overcome the main disadvantages of the signature method: large databases and frequent false alarms. Checksumming takes into account not only the search string (or, to be more precise, a checksum of the string) but also the location of the string in the body of a malicious program. The location is used when calculating the checksums for the file. Thus, instead of a 10-12 byte search string (the minimum size), the checksum takes four bytes and the location data also takes four bytes. However, checksumming is more time consuming than signature analysis.
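As an added illustration of the checksum record described above (example code written for this page, not Kaspersky Lab's engine code), the following Python stores a signature as a 4-byte location plus a 4-byte CRC32 of a fixed-length fragment instead of the fragment itself; the fragment length, the record layout and all sample byte strings are constructed assumptions. One clean sample quotes the same bytes at a different offset, which a plain substring signature flags but a location-anchored checksum does not.

```python
import struct
import zlib

# Assumption: the engine checksums a fixed-length fragment, so a record carries no length field.
FRAGMENT_LEN = 16


def make_record(sample: bytes, offset: int) -> bytes:
    """Build an 8-byte database record: 4-byte location + 4-byte CRC32 of the fragment there."""
    fragment = sample[offset:offset + FRAGMENT_LEN]
    if len(fragment) != FRAGMENT_LEN:
        raise ValueError("fragment runs past the end of the sample")
    return struct.pack("<II", offset, zlib.crc32(fragment))


def checksum_match(data: bytes, record: bytes) -> bool:
    """Checksumming: recompute the CRC only at the recorded location and compare."""
    offset, crc = struct.unpack("<II", record)
    fragment = data[offset:offset + FRAGMENT_LEN]
    return len(fragment) == FRAGMENT_LEN and zlib.crc32(fragment) == crc


def signature_match(data: bytes, signature: bytes) -> bool:
    """Plain signature analysis: the byte string may occur anywhere in the file."""
    return signature in data


# Constructed samples (not real malware). A stub header and a run-time-library prologue
# shared by every program built with the same compiler, then 16 program-specific bytes.
HEADER = b"MZ" + b"\x00" * 6
RTL_PROLOGUE = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x8b\x7d\x08"
PAYLOAD = b"\xe8\x00\x00\x00\x00\x5b\x81\xeb\x10\x10\x40\x00\x8d\x83\x40\x11"
PAYLOAD_OFFSET = len(HEADER) + len(RTL_PROLOGUE)  # 20

INFECTED = HEADER + RTL_PROLOGUE + PAYLOAD + b"\x00" * 8
# Clean program sharing the same run-time-library prologue but with its own code after it.
CLEAN_SHARED_RTL = (HEADER + RTL_PROLOGUE
                    + b"\x8b\x45\x0c\x50\xe8\x20\x30\x00\x00\x83\xc4\x04\x5f\x5e\x5b\xc9"
                    + b"\x00" * 8)
# Clean document (analyst notes) that quotes the payload bytes as data at another offset.
CLEAN_QUOTING_BYTES = b"Analyst notes: the fragment seen in the wild follows\n" + PAYLOAD + b"\n"

SAMPLES = {
    "infected": INFECTED,
    "clean_shared_rtl": CLEAN_SHARED_RTL,
    "clean_quoting_bytes": CLEAN_QUOTING_BYTES,
}

# The database entry for INFECTED: 8 bytes, versus 16 bytes for the raw search string.
RECORD = make_record(INFECTED, PAYLOAD_OFFSET)


def scan_all() -> dict:
    """Verdict of (plain signature on PAYLOAD, location-anchored checksum) per sample."""
    return {name: (signature_match(data, PAYLOAD), checksum_match(data, RECORD))
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    print("record size:", len(RECORD), "bytes; raw signature:", len(PAYLOAD), "bytes")
    for name, verdict in scan_all().items():
        print(f"{name:22s} signature={verdict[0]!s:5s} checksum={verdict[1]}")
    # A signature taken from the shared prologue fires on every program built the same way.
    print("RTL-derived signature on clean file:", signature_match(CLEAN_SHARED_RTL, RTL_PROLOGUE[:8]))
```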

3.3 Techniques for detecting polymorphic viruses

Self-encryption and polymorphism are used in most types of virus in order to make them more difficult to detect. Polymorphic viruses are extremely hard to detect because they do not have signatures, i.e. there is no constant fragment of virus-specific code. In most cases, two samples of the same polymorphic virus will not have a single coinciding fragment. There are many kinds of polymorphic virus, from boot and DOS file viruses to Windows viruses, macro and script viruses. Polymorphic 'envelopes' are also used to hide Trojan programs.

Viruses are called polymorphic if their body changes during replication so as to avoid the presence of any constant search strings. Polymorphic viruses cannot be detected (or can be detected only with great difficulty) using so-called virus signatures or masks, i.e. sequences of unchanging virus-specific code. Polymorphism is achieved by encrypting the main code of the virus with non-constant keys, using random sets of decryption commands, or by changing the executable virus code itself. There are also other, rather exotic, examples of polymorphism. For example, the DOS virus Bomber is not encrypted, but the sequence of instructions which passes control to the body of the virus is completely polymorphic. It is problematic to use signatures (sometimes called search strings), as outlined above, to detect polymorphic viruses. Since the code changes with each infection, it becomes impossible to select a correct signature. Even a very large signature cannot be used to identify an encrypted virus uniquely without giving false alarms. It's not difficult to see why: the polymorphic virus encrypts its body, turning the virus code into variable data, and variable code cannot be selected as a signature. So for detection of polymorphic viruses, additional techniques must be used.

Reduced masks

If the encryption algorithm used by the virus is not sufficiently sophisticated, it's possible to use elements within the encrypted body of the virus to take the encryption key out of the equation and obtain static code. The signature, or mask, can then be taken from the resulting static code.

Known plaintext cryptanalysis

Known plaintext cryptanalysis is another method for dealing with polymorphic viruses. Using the known original virus code and the known encrypted code (or suspicious code that looks like an encrypted virus body), the engine reconstructs the keys and the algorithm of the decrypting program. The engine then decodes the encrypted virus body by applying this algorithm to the encoded fragment. Using a system of equations to decode an encrypted virus body is similar to the classical cryptographic problem of decoding an encoded text without keys. However, there are two key differences. First, most of the data required for the solution is known. Second, the solution must be reached using available RAM and within a limited period of time. In general, this method is less time consuming and uses less memory than emulation of virus instructions (see below). However, it requires a system of equations to be constructed, and this becomes rather complicated. The main problem is the mathematical analysis of the equation or the system of equations constructed.


Statistical analysis

Statistical analysis is another method used to detect polymorphic viruses. The engine analyzes the frequency of the processor commands used and uses this information to decide whether or not the file is infected. This method is quite effective for those polymorphic viruses that use a limited set of opcodes in their decryptors, compared to clean files that use other opcodes with a different frequency. For example, many complex polymorphic viruses rarely use the DOS interrupt 21h (CDh 21h opcode) in their decryptors, while most legitimate programs use it frequently. The main disadvantage of this method is that there is a family of complex polymorphic viruses that uses the opcodes of virtually all processors, and the set of commands changes dramatically from infection to infection, making it impossible to detect such viruses using a frequency table.

Emulation

The increase in the number of polymorphic viruses in the early 1990s, and in particular the first appearance of polymorphic viruses in the field, led to the development of a method of emulating the program code (also known as sandboxing). Using this method, program execution (of both infected and clean programs) is emulated in a virtual environment, called a sandbox or virtual machine. After this emulation process, where the program is a polymorphic virus, the buffer contains a decoded virus body ready to be detected using standard methods (signature analysis or CRC checksumming). Current systems emulate not only processor opcodes, but also operating system calls. It is quite difficult to write a decent emulator. In addition, when an emulator is used, the actions of every command must be constantly controlled to prevent the program from occasionally executing the destructive virus instructions that are present in most known viruses. It's also important to stress that the engine emulates the execution of virus instructions, rather than tracing them, because tracing virus activities increases the risk of executing destructive instructions or the code responsible for activating the virus itself.

Polymorphic viruses: summary

In practice, deciding which of the above methods for detecting polymorphic viruses (reduced masks, cryptanalysis, statistical analysis and emulation) to use comes down to finding an optimal balance that offers maximum speed and minimum memory usage. The code of most self-encrypting viruses can easily be decoded using emulation. If emulation is not an optimal solution, the virus code can be decoded using a subprogram that applies cryptanalysis to this code. To detect viruses that are non-decodable, or that cannot be emulated, the engine uses the method of reduced masks. In complex cases, the Kaspersky® anti-virus engine uses a combination of the above methods. A fragment of the decryptor code is emulated to identify the commands that are responsible for the decrypting algorithm. Then, based on the information obtained, the engine constructs and solves a system of equations to decrypt and detect the virus code. The above-described methods are combined in the case of multiple encoding, where a virus encrypts its body several times using various encryption algorithms. A combination of methods for decoding information or, in other words, 'pure' emulation of the decoder code, is often used in the engine, because every new virus must be analyzed and integrated into the anti-virus database in the shortest possible time, which is sometimes not possible with mathematical analysis. As a result, more laborious detection methods are used, leaving behind the mathematical methods that can be applied to analyze the decryption algorithms.
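The emulation step, as an added example that is not the whitepaper's or Kaspersky Lab's code: a minimal sandbox for a constructed eight-opcode decryptor language (an assumption standing in for real x86) runs a self-decrypting sample against a private memory copy under a step budget, then signature-scans the decoded buffer. Two constructed variants with different keys, key increments and padding share no plaintext signature in their raw bytes but decode to the same body.

```python
# Constructed toy instruction set (an assumption standing in for real x86): one opcode
# byte, optionally one operand byte. Addresses are single bytes, so samples stay < 256 bytes.
NOP, MOV_KEY, MOV_PTR, MOV_CNT, XOR_MEM, ADD_KEY, INC_PTR, LOOP, HALT = range(9)

SIGNATURE = b"[VIRUS-BODY]"  # constructed plaintext signature for the decoded body
BODY = b"[VIRUS-BODY] find *.EXE, append self, restore host\x00"  # constructed, not real code


def encrypt_body(body: bytes, key: int, delta: int) -> bytes:
    """Rolling-key XOR: each byte uses the current key, then the key advances by delta."""
    out = bytearray()
    for b in body:
        out.append(b ^ key)
        key = (key + delta) & 0xFF
    return bytes(out)


def build_decryptor(body_len: int, key: int, delta: int, pad: int) -> bytes:
    """Emit the decryption loop; NOP padding, key and delta change per 'infection'."""
    code = bytearray([NOP] * pad)
    code += bytes([MOV_KEY, key, MOV_CNT, body_len, MOV_PTR, 0])
    ptr_operand = len(code) - 1          # patched once the decryptor length is known
    loop_start = len(code)
    code += bytes([XOR_MEM, ADD_KEY, delta, INC_PTR, LOOP, loop_start, HALT])
    code[ptr_operand] = len(code)        # the encrypted body starts right after the decryptor
    return bytes(code)


def make_variant(body: bytes, key: int, delta: int, pad: int) -> bytes:
    """One polymorphic 'infection': a fresh decryptor plus the body encrypted under its key."""
    return build_decryptor(len(body), key, delta, pad) + encrypt_body(body, key, delta)


def emulate(sample: bytes, max_steps: int = 10_000):
    """Run the sample in a sandbox: a private memory copy, no host side effects, and a
    step budget so a runaway loop is abandoned. Returns (memory, halted_cleanly)."""
    mem = bytearray(sample)
    pc = key = ptr = cnt = 0
    for _ in range(max_steps):
        try:
            op = mem[pc]
            if op == NOP:
                pc += 1
            elif op == MOV_KEY:
                key, pc = mem[pc + 1], pc + 2
            elif op == MOV_PTR:
                ptr, pc = mem[pc + 1], pc + 2
            elif op == MOV_CNT:
                cnt, pc = mem[pc + 1], pc + 2
            elif op == XOR_MEM:
                mem[ptr] ^= key            # writes land only in the sandbox copy
                pc += 1
            elif op == ADD_KEY:
                key, pc = (key + mem[pc + 1]) & 0xFF, pc + 2
            elif op == INC_PTR:
                ptr, pc = ptr + 1, pc + 1
            elif op == LOOP:               # decrement the counter, jump back while non-zero
                cnt = (cnt - 1) & 0xFF
                pc = mem[pc + 1] if cnt else pc + 2
            elif op == HALT:
                return bytes(mem), True
            else:
                return bytes(mem), False   # undefined opcode: treat as a fault and stop
        except IndexError:
            return bytes(mem), False       # access outside the sandbox: stop emulating
    return bytes(mem), False               # step budget exhausted


def detect(sample: bytes) -> bool:
    """Emulate first, then apply ordinary signature analysis to the decoded buffer."""
    decoded, halted = emulate(sample)
    return halted and SIGNATURE in decoded


VARIANT_A = make_variant(BODY, 0x5A, 0x11, 3)
VARIANT_B = make_variant(BODY, 0xC3, 0x07, 0)

if __name__ == "__main__":
    for name, sample in (("A", VARIANT_A), ("B", VARIANT_B)):
        print(f"variant {name}: raw signature hit={SIGNATURE in sample} "
              f"after emulation={detect(sample)}")
```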

3.4 Processing complex objects

In recent years anti-virus engines have changed dramatically. For the first anti-virus programs, it was enough to check system memory, executable files, and boot sectors. After several years, due to the increased popularity of special compression utilities, anti-virus developers encountered the problem of how to extract a compressed file before scanning it. Then, a new problem appeared when viruses started infecting archives (and users often sent each other infected archives). Anti-virus programs had to learn how to process archived files. There were other related problems too. The first macro virus to infect Microsoft® Word documents appeared in 1995. Word documents are stored in a closed, complex format and some anti-virus producers are still unable to process such files effectively. Contemporary anti-virus engines must also be able to scan e-mail databases and e-mail messages. It's critical for anti-virus programs to be able to scan such complex objects because there could be a hidden threat lurking within any one of them. The Kaspersky® anti-virus engine currently supports over 300 distinct run-time packers, with more than 2,800 versions; and over 80 archiving utilities, with more than 500 versions. Thus the total number of formats supported is around 3300.3 The engine supports a wide range of utilities for compressing executable files, as well as encryption systems. These include the following: Diet, AVPACK, COMPACK, Epack, ExeLock, ExePack, Expert, HackStop, Jam, LzExe, LzCom, PaquetBuilder, PGMPAK, PkLite, PackWin, Pksmart, Protect, ProtEXE, RelPack, Rerp, Rjcrush, Rucc, Scramb, SCRNCH, Shrink, Six-2-Four, Syspack, Trap, UCEXE, Univac, UPD, UPX, WWPACK, ASPack, ASProtect, Astrum, BitArts, BJFnt, Cexe, Cheaters, Dialect, DXPack, Gleam, CodeSafe, ELFCrypt, JDPack, JDProtect, INFTool, Krypton, Neolite, ExeLock, NFO, NoodleCrypt, OptLink, PCPEC, PEBundle, PECompact, PCShrink, PE-Crypt, PE-Diminisher, PELock, PEncrypt, PE-Pack, PE-Protect, PE-Shield, Petite, Pex, PKLite32, SuperCede, TeLock, VBox, WWPack32, XLok and Yoda. The engine also supports a wide range of archivers and installers. This reduces the time taken to analyze new viruses, thus accelerating the response to new threats and providing the highest level of detection of known viruses. Archivers and installers supported include the following: CAB, ARJ, ZIP, GZIP, Tar, AIN, HA, LHA, RAR, ACE, BZIP2, WiseSFX, CreateInstall, Inno Installer, StarDust Installer, MS Expand, GKWare Setup, SetupFactory, SetupSpecialist, NSIS, Astrum, PCInstall, and Effect Office. Support for all these archivers, and modifications of them, is particularly important when scanning e-mail traffic, because a great number of viruses are sent via e-mail as archives. Objects are extracted regardless of the archive nesting depth. For example, if an infected file is compressed with the UPX utility and then archived in a ZIP file, which in turn is archived in a CAB file, the Kaspersky engine will still be able to extract the original file and detect the virus. The engine uses a smart algorithm that avoids extracting so-called archive bombs, highly compressed and therefore seemingly small archives that expand into huge files or several identical files. Such archives usually take quite a long time to scan, but the Kaspersky® anti-virus engine can instantly recognize such bombs among normal archives.

3 As of March 2007. The full list of supported formats is available from Kaspersky Lab.
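Nested-archive extraction with archive-bomb avoidance, as an added Python example (not the engine's own logic): the scanner recurses through ZIP-in-ZIP nesting up to a depth limit and refuses to expand any member whose declared expansion ratio or size exceeds a threshold, judging from the central-directory sizes before reading the data. The limits, the signature bytes and the in-memory sample archives are constructed for this example.

```python
import io
import zipfile

MAX_DEPTH = 8                   # assumption: nesting levels the scanner will unpack
MAX_RATIO = 100                 # assumption: declared expansion ratio that marks a bomb
MAX_MEMBER = 20 * 1024 * 1024   # assumption: never expand a single member beyond 20 MiB

SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"   # stands in for a real virus signature


def is_infected(data: bytes) -> bool:
    """Plain signature check applied to each fully extracted leaf object."""
    return SIGNATURE in data


def scan_archive(data: bytes, path: str = "root.zip", depth: int = 0) -> list:
    """Recursively scan a ZIP held in memory; returns (member_path, verdict) pairs.
    Verdicts: infected, clean, archive-bomb-skipped, depth-limit."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{path}/{info.filename}"
            # Decide from the headers alone, before a single byte is inflated.
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_RATIO or info.file_size > MAX_MEMBER:
                results.append((member, "archive-bomb-skipped"))
                continue
            content = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(content)):
                if depth + 1 > MAX_DEPTH:
                    results.append((member, "depth-limit"))
                else:
                    results.extend(scan_archive(content, member, depth + 1))
            else:
                results.append((member, "infected" if is_infected(content) else "clean"))
    return results


def _zip_bytes(members: dict) -> bytes:
    """Helper to build a deflated ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed outer.zip: a three-level nested infected file plus a 2 MiB zero bomb."""
    inner = _zip_bytes({"payload.bin": b"\x90" * 40 + SIGNATURE + b"\xc3",
                        "readme.txt": b"hello"})
    middle = _zip_bytes({"inner.zip": inner})
    bomb = b"\x00" * (2 * 1024 * 1024)   # deflates to a few KiB: ratio far above 100
    return _zip_bytes({"middle.zip": middle, "bomb.bin": bomb})


def build_deep_sample(levels: int = 10) -> bytes:
    """Constructed archive nested deeper than MAX_DEPTH to exercise the depth limit."""
    data = _zip_bytes({"leaf.txt": b"harmless"})
    for i in range(levels):
        data = _zip_bytes({f"level{i}.zip": data})
    return data


if __name__ == "__main__":
    for member, verdict in scan_archive(build_sample(), "outer.zip"):
        print(f"{verdict:22s} {member}")
    for member, verdict in scan_archive(build_deep_sample(), "deep.zip"):
        print(f"{verdict:22s} {member}")
```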

3.5 Heuristic analysis

In the early 1990s, as the number of viruses grew to exceed several hundred, anti-virus experts investigated the possibility of detecting viruses that were as yet unknown and for which there was no signature. As a result, the so-called heuristic analyzers were created. A heuristic analyzer is a set of subprograms that analyze the code of executable files, macros and scripts, in memory, files or boot sectors, in order to detect various types of malware. The two main principles used in heuristic analyzers are static and dynamic analysis.

Static heuristic analysis

This involves a search for general short signatures specific to most viruses (so-called suspicious commands). For example, many viruses search for files using the *.EXE mask, open the file found and write their code into it. The task of the heuristic analyzer is to find signatures that are indicative of these activities. The program then analyzes the signatures found and, if a number of suspicious commands are present, decides that the file is infected. This method is easy to implement and delivers high-speed scanner performance. However, its level of detection of new malicious programs is rather low.

Dynamic heuristic analysis

This was developed in parallel with the introduction of code emulators into anti-virus programs (see above). The dynamic method emulates program execution and logs all suspicious actions. This log is then used to decide whether or not the program is infected. Unlike the static method, dynamic heuristic analysis requires more resources but provides a higher level of detection. The heuristic analyzer integrated into the Kaspersky® anti-virus engine uses both cryptanalysis and statistical analysis. It was designed from the outset as an extensible module, unlike many first-generation heuristic analyzers that were designed to detect malicious code only in executable files. At present, the Kaspersky® heuristic analyzer successfully detects malicious code in executable files, disk sectors and computer memory. It also effectively reveals new script viruses and malware for Microsoft® Office (and other programs that use VBA), as well as code written in high-level languages like Microsoft® Visual Basic. Thanks to its flexible architecture and combination of various methods, the Kaspersky® heuristic analyzer is able to detect new malware very efficiently. At the same time, the number of false alarms has been minimized.

3.6 Generic detection

Generic detection refers to the detection and removal of multiple threats using a single virus signature. The starting point for generic detection is that successful threats are often copied by others, or further refined by the original author(s). The result is a spate of viruses, worms or Trojans, each one distinct but belonging to the same family. In many cases, the number of variants can run into tens, or even hundreds. Generic detection involves creating a signature that is able to identify all threats belonging to the same family. So when NewVirus appears, the definition created to detect it will also successfully identify NewVirus.b, NewVirus.c, NewVirus.d, etc. if and when they're created. Such techniques also extend to the detection of exploit code that may be used by a virus or worm. Of course, generic detection is not guaranteed to find all variants in the family. However, it has proved effective in detecting many new threats without the need for an updated signature. Where it's feasible, detection of multiple variants using a single definition is also more efficient.
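Both the static heuristic's "suspicious commands" (section 3.5) and the generic family signature above come down to matching byte masks with wildcard positions; the following Python (an added example, not Kaspersky Lab's signature format) scores a file against weighted DOS-API masks and matches a NewVirus family skeleton whose variant-specific immediates are wildcarded. The masks, weights, threshold and the NewVirus.a/b/c byte strings are constructed for illustration; the DOS INT 21h function numbers (4Eh find-first, 3Dh open, 40h write, 3Fh read) are real.

```python
def parse_mask(text: str) -> list:
    """'B4 4E ?? CD 21' -> [0xB4, 0x4E, None, 0xCD, 0x21]; ?? matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def mask_match(data: bytes, mask: list) -> int:
    """Offset of the first position where every non-wildcard byte matches, else -1."""
    n = len(mask)
    for i in range(len(data) - n + 1):
        if all(m is None or data[i + j] == m for j, m in enumerate(mask)):
            return i
    return -1


# Generic signature for the constructed NewVirus family: the opcode skeleton is constant,
# the immediates that differ between variants (DX offset, JC displacement, CX count) are ??.
FAMILY_SIGNATURES = {
    "NewVirus": parse_mask(
        "B4 4E BA ?? ?? CD 21 72 ?? 2A 2E 45 58 45 00 "
        "B4 3D BA ?? ?? CD 21 B4 40 B9 ?? ?? CD 21 C3"),
}

# Static heuristic: short masks for suspicious commands, each with an assumed weight.
SUSPICIOUS = {
    "find first file": (2, parse_mask("B4 4E BA ?? ?? CD 21")),   # MOV AH,4Eh; MOV DX,imm16; INT 21h
    "open file":       (1, parse_mask("B4 3D BA ?? ?? CD 21")),   # MOV AH,3Dh; MOV DX,imm16; INT 21h
    "write file":      (2, parse_mask("B4 40 B9 ?? ?? CD 21")),   # MOV AH,40h; MOV CX,imm16; INT 21h
    "'*.EXE' mask":    (1, parse_mask("2A 2E 45 58 45")),         # the ASCII string *.EXE
}
HEURISTIC_THRESHOLD = 4   # assumption: total weight at which a file is flagged


def generic_detect(data: bytes):
    """Return the family name whose generic signature matches, or None."""
    for family, mask in FAMILY_SIGNATURES.items():
        if mask_match(data, mask) >= 0:
            return family
    return None


def heuristic_score(data: bytes):
    """Return (total weight, names of suspicious commands found)."""
    hits = [name for name, (_, mask) in SUSPICIOUS.items() if mask_match(data, mask) >= 0]
    return sum(SUSPICIOUS[name][0] for name in hits), hits


def verdict(data: bytes) -> str:
    """Generic detection first (it names the family); fall back to the static heuristic."""
    family = generic_detect(data)
    if family:
        return f"infected: {family}"
    score, _ = heuristic_score(data)
    return "suspicious (heuristic)" if score >= HEURISTIC_THRESHOLD else "clean"


def make_variant(dx: int, jc_disp: int, cx: int) -> bytes:
    """Constructed NewVirus variant: same skeleton, different immediates (not real malware)."""
    return (b"\xb4\x4e\xba" + dx.to_bytes(2, "little") + b"\xcd\x21\x72" + bytes([jc_disp])
            + b"*.EXE\x00" + b"\xb4\x3d\xba\x9e\x00\xcd\x21"
            + b"\xb4\x40\xb9" + cx.to_bytes(2, "little") + b"\xcd\x21\xc3")


NEWVIRUS = {
    "NewVirus.a": make_variant(0x0110, 0x23, 0x0400),
    "NewVirus.b": make_variant(0x0222, 0x1C, 0x0800),
    "NewVirus.c": make_variant(0x0199, 0x2A, 0x0200),
}
# Constructed clean program: opens and reads a report file, never searches for or writes executables.
CLEAN = b"\xb4\x3d\xba\x20\x00\xcd\x21\xb4\x3f\xb9\x00\x01\xcd\x21\xc3" + b"report.txt\x00"
# Constructed unknown sample: searches *.EXE and writes, but lacks the family's JC skeleton.
SUSPECT_UNKNOWN = b"\xb4\x4e\xba\x10\x01\xcd\x21" + b"*.EXE\x00" + b"\xb4\x40\xb9\x00\x02\xcd\x21\xc3"

if __name__ == "__main__":
    for name, sample in list(NEWVIRUS.items()) + [("clean", CLEAN), ("unknown", SUSPECT_UNKNOWN)]:
        print(f"{name:12s} {verdict(sample):24s} heuristic={heuristic_score(sample)}")
```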


3.7 Detection of malicious content

Malicious code today takes many forms. Traditional threats like classic viruses and worms are still circulating, but have declined in number in relative terms. Today's 'weapon of choice' for malware authors is the Trojan. This class of malware includes a wide array of programs, each tailored to a specific purpose: Backdoor Trojans, PSW Trojans, Trojan Droppers, Trojan Downloaders and Trojan Proxies. There is also an increasing number of potentially undesirable non-viral programs.

Historically, malware authors have focused on e-mail as their main attack vector; and, until recently, the e-mail worm was the main threat facing enterprises. E-mail remains a key means of delivering malicious code: today it often takes the form of direct spamming to a target population of PCs, rather than mass-mailing using e-mail addresses harvested from infected machines. However, SMTP is not the only attack vector today. Web browsers provide employees with a doorway to the Internet, and the browser is where they are exposed to content on the web, including malicious content. HTTP and FTP can also be used to deliver malicious code to a computer.

The specific methods can vary. Malicious code may be embedded in HTML e-mail messages, in the form of VBS (Visual Basic Script) or JavaScript, or within web pages (using ActiveX). Or malicious code may be injected directly into fake software packs or placed on 'grey-zone' web pages for download by a Trojan already installed on a victim machine.

The use of exploits to deliver malicious code has now become commonplace. The term exploit describes a program, piece of code or even some data written by a hacker or virus writer that is designed to take advantage of a bug or vulnerability in an application or operating system. Using the exploit, an attacker gains unauthorized access to, or use of, the application or operating system. The use of exploits by hackers and virus writers has increased during the last few years. Typically, exploit code is used to gain access to confidential data or to use the victim machine for further unauthorized activity.

The various means by which code may be delivered to a victim computer are sometimes referred to as 'active content' or simply 'content'. Kaspersky Lab provides protection from malicious or potentially undesirable code, regardless of the means used to deliver it to the computer.

3.8 Detection of rootkits

The term rootkit is borrowed from the Unix world, where it was used to describe tools used to maintain 'root' access while remaining invisible to the system administrator. Today it refers to stealth techniques employed by malware authors to hide the changes they have made to a victim machine. Typically, the malware author obtains access to the system by cracking a password or exploiting a vulnerability and then uses this to gather further system information until he achieves administrator access to the machine.

Rootkits are often used to hide the presence of a Trojan, by concealing registry edits, the Trojan's process(es) and other system activity. This is done either by replacing legitimate system files or libraries, or by installing a kernel module on the system. The aim is to intercept system information and so prevent the user from seeing what's really going on, namely a range of malicious activity. It could be the theft of banking data through the use of a keylogger, the hijacking of a victim machine for widespread distribution of spam e-mail, or the collective (mis)use of victim machines in a DDoS (Distributed Denial of Service) attack designed to extort money from a specific organization.

However, rootkits are not only used to increase the life expectancy of out-and-out malicious code such as viruses, worms and Trojans. They are being used increasingly by adware programs, quasi-legal applications used to advertise goods or services, to prevent their removal from the system on which they're installed.

The first step in installing the rootkit is for a hacker to gain user-level access. This is then used to gain root, or administrator, access to the system. Of course, the fact that most users simply use the administrator's account, rather than creating a separate user account, makes it much easier for a hacker to install a rootkit on the victim machine: and this is a major factor that has contributed to the increased use of rootkits. Once the rootkit is installed and running, it is able to conceal network activity, registry data, processes running on the system and anything else that might alert the user to its activity. There are user-mode and kernel-mode rootkits. Kernel-mode rootkits, as the name suggests, operate at a low level within the operating system and are able to hide themselves more effectively than user-mode rootkits.

It's clear that the threat landscape has changed markedly in recent years. The transition to cyber crime means that more is at stake and malware authors have more reason than ever to conceal their actions on victim machines. For this reason, rootkits are likely to remain a key weapon in the arsenal of malware authors. Of course, the low-level nature of rootkits, and the way they hook into the system, makes them difficult to detect and even more difficult to remove. Effective detection and removal of rootkits has become essential; and this requires an anti-virus engine that implements advanced detection and cleaning techniques.3

3 The Proactive Defense Module [PDM], integrated into Kaspersky® Anti-Virus 6.0, Kaspersky® Internet Security 6.0, Kaspersky® Anti-Virus 6.0 for Windows Workstations, is able to detect new, unknown rootkits, block them and roll-back any changes they have made to the system. For more details on the PDM, see the section below on Other core detection technologies.


3.9 Detection of mobile threats

The use of increasingly sophisticated mobile devices within the corporate world continues to grow, and with it the use of wireless technologies of one sort or another. Today, there's little you can do with a laptop that you can't do with a handheld computer. Enterprises operate today in an 'open space', with employees connected, and therefore open to attack, wherever they work: in the work place, at home, or on the road. Mobile devices operate beyond the reach of traditional network security; and as they start to carry more and more valuable corporate data, they become a more attractive target for the writers of malicious code.

The first worm for mobile phones, Cabir, appeared in June 2004. Since then Cabir has spread to more than 40 countries across the globe. Cabir spreads using Bluetooth. This is the most common method for wireless transmission of data, so it's no surprise that it has become the chosen means of infection for many virus writers. Research4 carried out by Kaspersky Lab's Alexander Gostev shows clearly that significant numbers of Bluetooth-enabled devices are left in discoverable mode: open to infection and open to hackers.

In a very short period of time, we have seen viruses, worms and Trojans for mobile devices; that is, the array of threats that took twenty years to develop on PCs! Currently, we see around ten new mobile threats per week. Many are fairly basic, but it's clear that malware authors are aware of the long-term potential for using mobile devices to make money illegally. In April 2006, we saw the first Trojan Spy for Symbian OS. Flexispy is a commercial Trojan that takes over control of smartphones and sends call information and SMS data to the author or 'master' of the Trojan. Evidence showed that its author was selling his creation for $50. And we've seen similar malware for Windows Mobile, currently the second most popular operating system for mobile devices.
Since most mobile threats we've seen so far require user interaction (accept the file transfer, then agree to run it), it might seem surprising how well they spread. That is, until you consider the success of PC-based worms that require similar user action. The key is social engineering, used by writers of viruses and worms as a way of beguiling unsuspecting users into running malicious code: often using the lure of free pornographic pictures, movie downloads, free services or make-money-fast schemes. It's no different on mobile phones. For example, the Comwar worm uses MMS (Multimedia Messaging Service) to send itself to contacts found in a phone's address book, at a cost of around €0.35 per message. Research5 conducted by Kaspersky Lab's Konstantin Sapronov found that 25% of users with devices in discoverable mode accepted files transmitted to their devices using Bluetooth: this figure rose significantly where the filename contained the word 'sex'.

The payload of mobile threats varies. The phone may become unusable while the worm remains installed: the Skuller Trojan, distributed via download from a variety of mobile sites, replaces system icons with a skull icon, and the services related to the icons no longer work. The Mosquit Trojan sends SMS (Short Messaging Service) messages to premium rate numbers. Crimeware programs like Brador, Flexispy or one of the other mobile Trojans allow the malware author or 'master' to steal confidential data stored on a mobile device. It's worth noting in this context that users seldom encrypt the data they store on their device, and many don't even use a power-on password.

While virus writers are still experimenting with mobile technology, we've already seen some interesting developments. These include Lasco, a hybrid virus/worm combination; Cxover, which infects files on mobile devices and PCs; and RedBrowser, a Trojan that targets phones running Java (J2ME), i.e. non-smartphones.

Although it's clear that mobile devices are far from immune to attack, it's hard to predict when the proof-of-concept trickle will turn into a flood. This will depend largely on usage. Once the number of smartphones, and their use for conducting online business, reaches critical mass, the criminal underground will target them, just as they target any commonly used system. Today criminals use the data stored on desktops and laptops to make money illegally. Tomorrow they will seek to harvest data from mobile devices for the same purpose.

Detection for mobile threats is integrated into the Kaspersky® anti-virus engine. Kaspersky Lab adds detection for new mobile threats as they appear, to ensure that users are well protected from this growing threat.

4 See http://www.viruslist.com/en/analysis?pubid=188833782

5 http://www.viruslist.com/en/analysis?pubid=181198286

3.10 Detection of spyware6

As outlined above, the Kaspersky® anti-virus engine delivers a unique combination of technologies necessary to successfully find and remove all kinds of malware. However, there are other ways for hackers, spammers and other cyber criminals to harm users. During the last few years there has been a growth in the number of non-viral, but potentially hostile, programs that can be used by criminals to attack users or hijack their machines for malicious purposes. This includes adware and the malware-related applications classified by Kaspersky Lab as riskware and pornware. Such programs cannot be defined as malware per se. In fact, they may be legitimate applications. But their potential for misuse by hackers and other cyber criminals means that users increasingly see them as undesirable applications and need the means to identify them.

Kaspersky Lab has a long history in detecting and removing Trojan spyware programs. This goes back to 1996, when Kaspersky Lab included detection and removal for the first AOL password-stealing Trojans. Today, Kaspersky Lab has a consistent track record in independent tests for detection of Trojans and other malware. Kaspersky Lab also delivers exceptional protection from potentially hostile programs, so-called spyware. Detection of potentially hostile programs is especially important for enterprises, since such applications can bring significant security and legal risks, including:

• Financial losses that result from theft of confidential corporate information.
• Reduced computer performance and lower employee productivity.
• Increased risk of legal liability.
• Increased remote access costs.

Spyware is something of a grey area, so there's no clear definition. However, as the name suggests, it's often loosely defined as software designed to harvest data from a computer and forward it to a third party without the knowledge or consent of the computer's owner. This includes monitoring key strokes, collecting confidential information (passwords, credit card numbers, PINs, etc.), harvesting e-mail addresses or tracking browsing habits. There's a further by-product, of course: such activities inevitably affect network performance, slowing down the system and consequently affecting the whole business process.

The lack of a hard-and-fast definition stems from the fact that spyware is really just a catch-all term for a wide assortment of malware-related programs. To illustrate this point, consider the definition of spyware created by the Anti-Spyware Coalition (ASC) in August 2005. The ASC defines 'spyware and other potentially unwanted technologies' as those that 'impair users' control over material changes that affect their user experience, privacy, or system security; use of their system resources, including what programs are installed on their computers; or collection, use, and distribution of their personal or otherwise sensitive information.' Clearly, this definition, like others, covers a whole range of malware and malware-related programs, including Backdoor Trojans, Trojan Proxies and PSW Trojans.

Although such programs are not new, their use for malicious purposes has increased in recent years and they have received much greater attention, both from the media and from vendors who have developed (or bought) stand-alone anti-spyware products. Detection and removal of spyware applications is integrated into the Kaspersky® anti-virus engine and anti-virus databases.7 Other types of program often referred to as spyware are presented below.

6 For more information on spyware programs, see the Kaspersky Lab white paper Detecting spyware and other potentially hostile non-viral programs.

7 KL placed FIRST in the Computer Bild spyware test, July 2005. KL placed FIRST in the Computer Bild spyware test, March 2006. KL won SC Magazine 'Best Anti-spyware' award in 2006. KL holds West Coast Labs Checkmark 'Anti-Spyware' certification.


Adware

Adware programs are designed to launch advertisements, often pop-up banners, on infected machines and/or to re-direct search engine results to promotional web sites. They are often built into freeware or shareware programs: the price the user pays for the free program is the installation of an adware program. Sometimes adware programs are downloaded surreptitiously from a web site and installed on a user's machine. Hacker tools, often referred to as Browser Hijackers (because they subvert the web browser to install a program without the user's knowledge), download adware programs via a web browser vulnerability. Browser Hijackers may change browser settings, re-direct incorrect or incomplete URLs, or change the default homepage. They may also re-direct searches to 'pay-to-view' (often pornographic) web sites. Typically, adware programs do not show themselves in the system in any way: there is no listing under Start | Programs, no icons in the system tray and nothing in the task list. In addition, adware programs seldom come with a de-installation procedure, and attempts to remove them manually may cause the original carrier program to malfunction.

Pornware

Pornware is the generic term used by Kaspersky Lab to describe malware-related programs that either use the computer's modem to connect to pornographic pay-to-view services, or download pornographic content from the web, without the consent of the user.

Riskware

Riskware is the generic term used by Kaspersky Lab to describe programs that are legitimate in themselves, but that have the potential for misuse by cyber criminals: for example, remote administration utilities. Such programs have always had the potential to be misused, but they now have a higher profile. During the last few years, virus writing and hacker techniques have started to merge. In the changing climate, such riskware programs have come into their own as a means of controlling machines for malicious purposes.

3.11 Updating virus signatures

The anti-virus databases are an inseparable part of an anti-virus engine. As already observed, a well-designed engine is not updated frequently, whereas the databases must be constantly updated because they store signatures, checksums and special modules for detecting new malware. It's well known that new threats appear every day.8 So it's important to update the anti-virus database as frequently as possible. In the early days of PC viruses, quarterly updates were enough for most customers. Later, monthly updates became standard. Even five years ago, it was normal to update the anti-virus database weekly. Now it's better to update more frequently. Home users should update their databases every day. Enterprises, with thousands of PCs to protect, have a higher risk of infection because of the number of possible victims, so protection is more critical. It's advisable for enterprises to update several times a day (at least every three to six hours). ISPs should check for new updates even more frequently: and this applies equally to corporate e-mail servers and other perimeter anti-virus defenses.9

The elements included in the anti-virus databases are also significant, since the databases may contain not only virus signatures, but also other program procedures. Such procedures offer a way of updating the engine through the normal database update. The Kaspersky® anti-virus databases are updated hourly. Owing to the smart architecture of the Kaspersky® anti-virus engine, these updates are incremental, adding detection just for new threats rather than replacing the entire database each time the user does an update. The average size of an update is 20KB, although sometimes Kaspersky Lab releases updates containing specific enhancements (to scan within a new unpacker, for example), in which case an update may be up to 300KB. Approximately 70% of the anti-virus engine functionality is integrated into the databases. In this way, for example, support for a new archiver or compression utility can be added to the anti-virus databases at any time. Thus, regular daily updates provide not only enhanced detection for malware, but also updated engine functionality. This feature ensures a very quick response to any given situation and maximum protection against viruses.

8 As of March 2007 more than 200 new records are added to the Kaspersky® anti-virus databases every day.

9 One ISP that partners with Kaspersky Lab checks for new updates every 10 minutes.

4 Other core detection technologies

Kaspersky Lab continually develops new technologies designed to ensure that the company remains in the vanguard for detection and removal of malicious code and potentially hostile programs, and to ensure that Kaspersky Lab solutions deliver optimal performance.

4.1 Proactive Defense Module

Proactive detection refers to an anti-virus solution's ability to find new, unknown threats before they appear and without the need for a specific signature. Analyzing new varieties of malicious code, and releasing updates to deal with them, takes time, however efficient the processes employed by a virus analyst team. Unless an anti-virus solution includes proactive detection methods, customers will remain unprotected from new threats until a signature update is available. In fact, anti-virus programs have never relied exclusively on signature analysis. However, today's threats are more numerous, faster spreading and more dangerous than ever before, and proactive detection is a vital element in any comprehensive defence strategy.

The Kaspersky Lab Proactive Defense Module (PDM)10 blends a range of proactive technologies to give a high level of protection from new threats. The PDM provides real-time analysis of processes in the system. If a dangerous, suspicious or hidden process is launched, the PDM blocks the process, alerts the user and rolls back any changes made to the file system and registry, undoing the work of the suspicious process. The PDM monitors application behavior for the following types of suspicious activity.

Worm.Generic

These programs try to re-distribute their code across networks, using local shared folders or e-mail.

Worm.P2P.Generic

These programs try to use local folders to spread automatically across peer-to-peer networks, or use e-mail to spread across the Internet.

Trojan.Generic

These programs cause damage to a computer, impair its functioning or threaten the integrity of data stored on it.

Buffer overrun

A buffer overrun is a programming error that allows malicious code to 'piggyback' on a legitimate process by writing its own code beyond the boundaries of a memory buffer. The PDM detects processes that try to exploit a buffer overrun in order to launch themselves as a separate process in memory.

Data Execution

These programs try to evade activity analyzers by allocating themselves non-executable memory and planting their code there.

Root shell

These programs are used by cyber criminals to gain remote shell access to a victim machine.

Internet Browser Launchers

These programs try to launch a user's default browser with specific parameters, to transmit data to an executable program or script residing on a remote server.

10 The PDM is included in Kaspersky® Anti-Virus 6.0, Kaspersky Internet Security 6.0, Kaspersky® Anti-Virus 6.0 for Windows Workstations.


Invaders

These programs inject their code into a user's address space and then pass the execution flow to this code, giving them the same rights as the user.

Hidden Objects (Rootkits)

These programs conceal their presence on a system, hiding installed files, registry changes and running processes. As well as concealing themselves, they cannot be terminated in Task Manager.

Suspicious values in registry

These programs create their own registry keys, accessible only to the program itself: they cannot be opened using a registry editor.

Strange system behavior

This includes several types of suspicious activity.

• Programs that try to access physical memory directly.
• Programs that try to make changes to the R0-R3 gateway handler (as part of rootkit installation, for example), the subroutine responsible for allowing applications to call kernel functions.
• Programs that add suspicious values to the registry.

Hidden installers

These programs, including Trojan-Droppers and Trojan-Downloaders, surreptitiously install their components into the system.

Keyloggers

Keyloggers and keyboard spy programs record information about keys pressed by the user, usually without his/her knowledge or consent. The methods can vary, but include polling the keyboard and the use of keyboard filter drivers. Their purpose is to obtain confidential data, including passwords and PINs. Typically this data is copied to the hard disk and then secretly transferred to the author or 'master' of the keylogger using e-mail or some other method.

Trojan Cryptors

These programs, including 'ransomware' programs like GpCode and Krotten, encrypt document files. The PDM checks for such changes and is able to roll back any changes (i.e. encryption) made by the Trojan Cryptor.

Hidden data sending

This includes programs that use a special Internet Explorer mechanism to send data on behalf of the browser. This enables them to evade detection by a personal firewall, since firewalls are normally configured to allow Internet Explorer to send data.

Private data and password access

These are Trojan-PSW programs that try to collect personal data such as ICQ and other passwords.

The PDM includes three additional subsystems designed to block malicious code.


Application Integrity Control

The PDM monitors the execution of applications and associated DLLs, to stop them being modified. This is of key importance. Many malicious programs try to secrete their code within legitimate applications instead of, or as well as, installing separate components on the computer. There are three types of suspicious activity that trigger the PDM Application Integrity Control.

• A program is blocked if it tries to launch another application as a child process. This prevents a malicious program from getting access to a system resource, or information, by masquerading as a legitimate application.
• A program is blocked if it has been replaced by another version.
• A program is blocked if there is an attempt to replace one of its components.

Registry Guard

The PDM monitors the system for any process that tries to create a value in the registry that lets it run automatically at startup.

Office Guard

The PDM monitors VBA macro execution for dangerous commands.

4.2 Performance optimization

Kaspersky Lab implements a range of technologies to accelerate the scanning of objects while maintaining a high detection level, and to enhance the detection and disinfection of archived malicious programs. These technologies include the following.

iChecker™ and iSwift™

iChecker™ and iSwift™ are scanning technologies designed to provide an optimal balance between the level of anti-virus protection for workstations, and especially servers, and the system resources of protected computers. These technologies apply to both real-time scans and on-demand scans. They reduce the system startup time by between 30% and 40% and also reduce application launch time when real-time protection is active. In addition they significantly reduce the time taken to complete an on-demand scan.

iChecker™ and iSwift™ work on the principle that most routine scans are redundant. More often than not, no malware is found when a scan is done. Using these technologies, the Kaspersky® anti-virus engine does not need to scan files that have not been changed since the last scan; only files that have changed, or that have never been scanned, are scanned. iChecker™ works for the following types of files: EXE, COM, LNK, TTF, ELF, INF, SYS, CHM, ZIP, RAR, DOC, XLS and PPT. The technology is not applied to large files, where it's quicker to scan the file than it is to re-calculate a checksum.

iSwift™ works on the same principle as iChecker™. However, it is specially tailored for NTFS file systems (the native file system for Windows NT and Windows XP) and is implemented in a different way. It is more efficient than iChecker™ and is not limited to certain file types or sizes. However, it works only on NTFS file systems.

Suspension of scanning when the system is under load

In addition to delivering real-time protection, Kaspersky® Anti-Virus and Kaspersky® Internet Security offer the ability to run on-demand scans: these scans may be either user-initiated or scheduled. Unfortunately, user activity is not always predictable and there are certain times when user activity increases, placing an extra load on the system. However, our products may be configured to suspend an on-demand scan task if the user's activity increases, until the load on the system falls to an acceptable level.11 This ensures that there's never an undue performance impact on the user.

iCure™

iCure™ is a technology for disinfecting archived files. Using this technology, infected objects inside archives are successfully disinfected or deleted, depending on user-defined settings, without using other archiving utilities. The Kaspersky® anti-virus engine is currently capable of removing viruses from the following types of archives: ARJ, CAB, RAR and ZIP.

iArc™

iArc™ is another technology for processing archives. It improves on the processing of multi-volume archives implemented in previous versions of the Kaspersky® anti-virus engine and allows multi-volume archives to be scanned. The Kaspersky® anti-virus engine can detect even a virus added to a multi-volume archive which is in turn added to another multi-volume archive.

Multi-threaded operation

The Kaspersky® anti-virus engine is a multi-threaded module that can process several objects (files, sectors, scripts, etc.) at the same time.
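The scan cache below is an added Python example, not Kaspersky Lab's iChecker™ or iSwift™ code: it rescans a file only when its checksum (after a cheap metadata comparison) has changed, leaves file types outside the iChecker™ list and files above a size limit to the normal scan path, and never caches a verdict for a file that was flagged. The size threshold, the detection marker and the file contents are constructed, and the database-version check that invalidates cached clean verdicts after a signature update is this example's own addition, not something the whitepaper describes.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict

# File types the whitepaper lists for iChecker; anything else is always scanned.
CACHED_EXTENSIONS = {".exe", ".com", ".lnk", ".ttf", ".elf", ".inf", ".sys",
                     ".chm", ".zip", ".rar", ".doc", ".xls", ".ppt"}
# Above this size the file is scanned directly (checksumming it would cost more than
# scanning it). Constructed placeholder; the engine's real limit is not given on the page.
LARGE_FILE_LIMIT = 64 * 1024
# Constructed marker standing in for a real detection. Nothing here is actual malware.
MARKER = b"CONSTRUCTED-TEST-MARKER"


@dataclass
class CleanVerdict:
    """What the cache remembers about a file that scanned clean."""
    size: int
    mtime_ns: int
    digest: str
    db_version: int  # databases that produced the verdict (this example's addition)


class ScanCache:
    """Skips rescanning files whose cached clean verdict is still valid."""

    def __init__(self, db_version: int) -> None:
        self.db_version = db_version
        self.clean: Dict[str, CleanVerdict] = {}
        self.scanned = 0
        self.skipped = 0

    def scan(self, path: str, scanner: Callable[[bytes], bool]) -> bool:
        """Return True if `scanner` flags the file; reuse a valid cached verdict if one exists."""
        st = os.stat(path)
        cacheable = (os.path.splitext(path)[1].lower() in CACHED_EXTENSIONS
                     and st.st_size <= LARGE_FILE_LIMIT)
        with open(path, "rb") as f:
            data = f.read()
        if cacheable:
            prev = self.clean.get(path)
            # Metadata first (cheap), then the checksum, which also catches a rewrite that
            # kept size and mtime. A verdict from older databases is not trusted, since
            # signatures added since then may match this file.
            if (prev is not None and prev.db_version == self.db_version
                    and prev.size == st.st_size and prev.mtime_ns == st.st_mtime_ns
                    and prev.digest == hashlib.sha256(data).hexdigest()):
                self.skipped += 1
                return False
        self.scanned += 1
        infected = scanner(data)
        if infected:
            self.clean.pop(path, None)  # never remember a flagged file as clean
        elif cacheable:
            self.clean[path] = CleanVerdict(st.st_size, st.st_mtime_ns,
                                            hashlib.sha256(data).hexdigest(), self.db_version)
        return infected


def run_demo() -> Dict[str, int]:
    """Run the cache over a constructed file set and report scans performed per pass."""
    results: Dict[str, int] = {}
    with tempfile.TemporaryDirectory() as d:
        files = {
            "clean.exe": b"MZ" + b"\x00" * 512,                    # cacheable, clean
            "bad.doc": b"\xd0\xcf\x11\xe0" + MARKER,               # cacheable type, flagged
            "note.txt": b"extension not covered: always scanned",  # not a cached type
            "big.zip": b"PK" + b"\x00" * (LARGE_FILE_LIMIT + 1),   # too large: always scanned
        }
        paths = {}
        for name, content in files.items():
            paths[name] = os.path.join(d, name)
            with open(paths[name], "wb") as f:
                f.write(content)
        cache = ScanCache(db_version=1)
        scanner = lambda data: MARKER in data

        results["infected"] = sum(cache.scan(p, scanner) for p in paths.values())
        results["pass1_scanned"] = cache.scanned           # cold cache: all four scanned
        before = cache.scanned
        for p in paths.values():
            cache.scan(p, scanner)
        results["pass2_scanned"] = cache.scanned - before  # only clean.exe is skipped
        results["pass2_skipped"] = cache.skipped

        with open(paths["clean.exe"], "ab") as f:           # modify the cached file
            f.write(b"\x90")
        before = cache.scanned
        cache.scan(paths["clean.exe"], scanner)
        results["after_change_scanned"] = cache.scanned - before

        cache.db_version = 2                                # simulate a database update
        before = cache.scanned
        cache.scan(paths["clean.exe"], scanner)
        results["after_update_scanned"] = cache.scanned - before
    return results
```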

4.3 Combating active threats

Kaspersky® Anti-Virus and Kaspersky® Internet Security include a number of technologies designed to combat memory-resident threats.

Active threat disinfection

These Kaspersky Lab products make use of advanced disinfection techniques to remove malicious software that is already loaded in memory, to prevent it from re-loading itself and to neutralize any harmful methods it may use to try to undermine the normal running of the anti-virus protection.

11 In MP1 of Kaspersky® Anti-Virus and Kaspersky® Internet Security, this technology can be controlled for individual scan tasks as well as globally.


Rescue Disk

The Rescue Disk Creation Wizard uses Bart PE (Pre-installed Environment) Builder, together with the Microsoft® Windows® CD, to create a bootable CD that can be used to restore the system after a malicious code attack or following system failure.

5 Conclusion

Initially, the ability of a virus to spread was limited by the user. Viruses could only travel as fast as users' activity allowed them to. Boot sector viruses, for example, which accounted for around 75% of all infections until the mid-1990s, relied on the exchange of floppy disks in order to spread. This meant that they moved only slowly in global terms and infections tended to be localized. The macro viruses that dominated the field until 1999 still relied on unsuspecting users to exchange infected documents and spreadsheets. So they too were limited in the speed at which they could spread. In these circumstances, it was generally possible to deliver a cure before a virus had the chance to spread very far.

The spread of today's threats, by contrast, leaves very little time in which to respond. With malware that can reach epidemic proportions in hours or, in the worst cases, in minutes, anti-virus vendors must provide a fix within the same timeframe. An anti-virus engine that is built for speed is essential. On the one hand, it must be capable of scanning large volumes of data in a timely fashion. On the other hand, it must be constructed so that it can be easily modified to deal with the complexity of successive generations of malware. The Kaspersky® anti-virus engine, now in its fifth generation, is purpose-built to protect the enterprise and home user alike from the threats of today and tomorrow.


6 Appendix 1. Today’s threat landscape: from cyber vandalism to cyber crime

The decline in the number of global epidemics since 2003 reflects a shift in motivation on the part of malware authors. Until a few years ago, viruses and other malicious programs tended to be isolated acts of computer vandalism, anti-social self-expression using hi-tech means. Most viruses confined themselves to infecting other disks or programs. And 'damage' was largely defined in terms of loss of data as a virus erased or (less often) corrupted data stored on affected disks. Over the course of the last few years this has changed. Today we're faced with crimeware, malicious code created for the purpose of making money illegally. The criminal underground has clearly realized the potential for making money from malicious code in a wired world, and many of today's threats are written to order.

We've seen a clear shift in tactics from the writers of malicious code. The decline in the number of global epidemics signals a move away from the use of mass attacks on victims worldwide. From their peak in 2003, the number of global epidemics has fallen steadily. This isn't to say that there aren't any epidemics: it's just that they aren't global. Rather, attacks are becoming more targeted. This is partly because law enforcement agencies across the world have developed far more expertise than ever before in tracking down the perpetrators of cyber crime. It's also partly because anti-virus researchers have now had many years' practice in dealing with large-scale epidemics. Fast response to new threats, in the form of virus definitions, is just the visible tip of the iceberg here. Anti-virus research teams worldwide have developed 'early warning antennae' which provide timely information about malicious activity on the Internet. And when an attack occurs, the servers used to gather confidential data harvested from victim machines can be tracked and closed down, mitigating the effects of an attack.
There is a third reason, however, intrinsic to the motives of the criminal underground. Since much crimeware is designed to steal confidential data from victim machines, later used to make money illegally, it follows that the harvested data has to be processed and used. Where millions of victim machines are involved, not only does this make detection more likely, it’s also a huge logistical operation. So for this reason too, it makes more sense for malicious code authors to focus their attacks. Typically, this means targeting machines one thousand at a time in small-scale, low-key operations. Or it may mean tailoring a piece of code for an attack on a single victim, or a small number of victims.

Such attacks are often carried out using Trojans. Consequently, in the last few years, we have seen a massive rise in Trojan numbers. Of course, Trojans come in many different flavours, each purpose-built to carry out a specific function on the victim machine. They include Backdoor Trojans (often with a keylogger built in), password stealing Trojans, Trojan Droppers, Trojan Downloaders and Trojan Proxies. They can be used to harvest confidential information (username, password, PIN, etc.) for computer fraud. Or they can be ‘conscripted’ into a ‘zombie army’ to launch a DDoS attack on a victim organization. These have been used to extort money from organizations: a ‘demonstration’ DDoS attack offers the victim a taste of what will happen if they don’t pay up. Alternatively, victim machines can become proxies for the distribution of spam e-mail.

There has also been a growth in the number of ‘ransomware’ worms or Trojans, used to try and extort money from individual users. These programs encrypt the user’s data and create a ‘readme’ file that asks the user to transfer money to the author of the program using one of the many e-payment services.

Often, victim machines are combined into networks, using IRC channels or web sites where the author has placed additional malicious code. The more complex Trojans combine infected machines into a single P2P (peer-to-peer) network. These so-called bot networks offer an effective way of controlling victim machines.

The trend away from global epidemics and towards low-key, localized attacks has gone hand in hand with a further significant change: a relative decline in the use of mass-mailing to distribute malicious code. Until a few years ago, most epidemics involved worms that hijacked the mail system to distribute themselves proactively, harvesting additional contacts from infected machines as they spread. This was the method used by worms like LoveLetter, Klez, Tanatos (Bugbear), Sobig, Mimail, Sober and Mydoom to cause global outbreaks. Now, increasing numbers of malicious programs are being deliberately spammed to victim machines.
This allows the author(s) to control the distribution of their code to a targeted PC population, rather than letting it spread at will. For the same reason, the malware ‘bundle’ dropped onto victim machines now often includes a Trojan Downloader. As the name suggests, these Trojans are designed to download malicious code from specified web sites. They are used not only to control the spread of malicious code, but also to automatically update it across the Internet. They are also used increasingly to install non-viral spyware or pornware programs without the knowledge or consent of the user.

The use of malicious code is not the only method used by cyber criminals to gather personal data that can be used to make money illegally. Phishing (a deliberate misspelling of the word ‘fishing’) is a specific form of cyber crime. It involves tricking computer users into disclosing their personal details (username, password, PIN number or any other access information) and then using these details to obtain money under false pretences. It’s fraud: data theft, followed by theft of money.

Phishers rely heavily on social engineering. They create an almost 100% perfect replica of a chosen financial institution’s web site. They then spam out an e-mail that imitates a genuine piece of correspondence from the real financial institution. Phishers typically use legitimate logos, good business style and even make reference to real names from the financial institution’s senior management. They also spoof the header of the e-mail to make it look as though it comes from the legitimate bank. Usually, such emails inform customers that the bank has changed its IT structure and is asking all customers to re-confirm their user information. Occasionally, network failure, or even a hacker attack may be cited as the reason for requiring customers to re-confirm their personal data.

The fake e-mail messages distributed by phishers have one thing in common: they’re the bait used to try and lure the customer into clicking on a link provided in the letter. If the bait is taken, the luckless ‘fish’ stands in serious danger of divulging confidential information that will give the criminal access to his or her bank account. The link takes the user directly to an imitation site that mimics the real bank’s web site very closely. This site contains a form that the user is told they must complete: and in doing so, they hand over all the information the criminal needs to access their online account and steal their money.[12]

Virus writers, hackers and cyber criminals are playing for high stakes. So much so that they are reluctant to give up the victim machines under their control. It has now become common for malware authors to sabotage security software, by terminating active processes, or deleting code or blocking anti-virus updates. Some also remove ‘competitor’ malware. One Trojan, Backdoor.Win32.Agent.uu (aka ‘SpamThru’) even used a pirated copy of one anti-virus program[13] to find and remove other malware on victim machines. In addition, the use of rootkits to mask the presence of malicious code and adware programs has increased during the last 12 months or so.

[12] The Kaspersky® Internet Security ‘Anti-Spy’ module blocks access to all web sites currently known to be used for phishing attacks. Kaspersky Lab specialists replenish this list with addresses obtained from the Anti-Phishing Working Group: protection from new phishing sites is added through the normal threat signature updates.

[13] The anti-virus program that was downloaded by the Trojan was Kaspersky® Anti-Virus.


7 Appendix 2. Evaluating anti-virus products

The fundamental job of an anti-virus product is to find and remove malicious and unwanted code. The key measure of its effectiveness is how well it’s able to isolate any threat and prevent it from spreading. This sounds easy, but it's far from straightforward given the complexity of today’s threats. It’s not surprising, therefore, that detection capability is considered by users to be a key factor in their selection of an anti-virus solution.

But how do you decide which product has the best detection? On face value, it seems like an easy task. You simply check out one of the many product reviews and see which one finds the most viruses. Sadly, it's not that simple. Comparative reviews are not all the same. Some are better than others at evaluating the detection capabilities of different anti-virus products. The complexity of today’s threats, and the environment they operate in, means that testing the detection capabilities of anti-virus products today is a difficult business. It's costly, it takes time and it requires a good deal of expertise. So what types of review exist and how do they measure up?

Magazine reviews

Most magazines simply do not have the resources necessary to conduct an effective anti-virus detection test. So unless the magazine is re-printing the results of a test carried out by an independent test organization,[14] the review is unlikely to offer a fair assessment of the detection capabilities of anti-virus products, for several reasons. In the first place, if the magazine decides to provide its own test bed, the results are likely to be badly skewed because of the limited number of samples used. In the past, many magazine reviews have been based on just a handful of samples. In addition, there may also be a problem related to where the samples come from.
Unless the reviewer has access to a virus collection belonging to a bona fide anti-virus researcher (for obvious reasons, researchers are very careful about who they give samples to), there's no guarantee that all the files will be genuine viruses. It's common for virus collections, particularly those that have not come from legitimate sources (a web-site, for example) to contain garbage, non-viral samples. Why does this matter? Well, if one of the scanners in the review correctly fails to flag an infection in one of these garbage files, the reviewer (who considers all samples in the collection to be infected) will mark the product down. In contrast, another scanner that generates a false alarm by identifying a virus where there isn't one will be rated a better product.

[14] Even where a magazine makes use of results from an independent third party test, there’s no guarantee that the magazine review itself will be fair. This will depend on how the results are presented – specifically, whether the magazine re-publishes the full results or just a selection.


There are, of course, exceptions. Virus Bulletin (hosted by the UK anti-virus vendor Sophos) and SC Magazine (which conducts fee-based certification of anti-virus solutions) both carry out much more extensive anti-virus tests. However, both the Virus Bulletin ‘VB100%’ and the SC Magazine ‘Checkmark’ certifications are based on the detection of WildList samples. And this raises other problems.

Tests and certifications based on the WildList

The WildList, established in the early 1990's by anti-virus researcher Joe Wells and now published monthly by the WildList Organization, aims to keep track of which viruses are spreading in the real world.[15] Users are clearly most concerned about these threats (as opposed to those found only in the virus laboratory) and over the years detection of so-called ‘in the wild’ viruses, as defined by the WildList, has become the de facto measure by which anti-virus products are judged. Fee-based anti-virus certification tests, most notably ICSA Labs (part of TruSecure Corporation) and SC Magazine, are based on the detection of WildList samples. In addition, as noted above, the Virus Bulletin ‘VB100%’ is awarded on the basis of a product's ability to detect WildList viruses.

However, using WildList viruses as a yardstick to measure the detection capability of anti-virus products is not as clear-cut as it may at first seem. To be included in the WildList, a virus must be reported by at least two separate WildList reporters (a group of professionals, many of whom work in the anti-virus industry). However, there's no guarantee that what's reported provides an accurate picture of what's really out there. If a company's chosen anti-virus product finds and removes a virus without difficulty, will they bother to contact the vendor's support department to report the infection? It's much more likely that they will simply move on to the next job.
So the WildList is more a measure of 'problem' viruses that required a support call than a reflection of all viruses found in the field. Also, the WildList is compiled monthly, but it's a retrospective list of viruses reported. In other words, there's a time lag between receiving the reports and publishing the data. The WildList is always a month out-of-date, at best! Today's threats spread faster than ever before and there’s now a greater risk than ever before of being hit by a new piece of malicious code. Between 20% and 35% of all new malicious programs are found in the field, on real machines, not just in so-called ‘zoo’ collections, so the term ‘in the wild’ is somewhat outmoded.

Comprehensive anti-virus detection tests

Testing the detection capabilities of anti-virus scanners is a complex business that requires time, money and expertise. To be truly effective, a detection test must be comprehensive in its approach. Several academic institutions have developed such expertise over many years and conduct serious anti-virus detection tests. These include AV-Test GmbH and AV-Comparatives.

[15] The WildList Organization International FAQ cites the WildList as ‘the world's authority on which viruses users should really be concerned with’.


So why are these tests a more effective measure of the detection capabilities of anti-virus products? There are several reasons.

1. They are truly independent, since the test bodies have no commercial interest in the outcome of the tests.
2. Their detection tests are comprehensive in nature:

• They include extensive collections, containing many types of threat, not just WildList samples.
• They test on multiple platforms.
• Some of them test a product’s proactive detection capability, how effective it is at finding new, unknown threats.
• They publish regular results, using the same test criteria.

This is not to say that such tests don’t have any limitations. For example, while it’s increasingly important to measure a product’s ability to find new, unknown threats, these results should be balanced against a program’s false alarm record. Clearly, proactive detection is of limited benefit if it comes at the cost of frequent false alarms. Unfortunately, independent reviews don’t always include false alarms. And where they do, they use a sample set that is too small to yield meaningful results.

In addition, independent reviews seldom test cleaning ability. It’s easy to understand why. Any serious review requires time, resources and considerable expertise. Cleaning tests are even more resource-intensive. For one thing, the tester cannot simply assume that a file has been cleaned just because the product being tested says it has. The file must be verified to make sure that it still works normally. Of course, the malicious code in question may be a worm or Trojan. In this case, removal of malicious code means deleting the malware and undoing any changes it has made to the system. The problem is compounded still further for tests of a product’s ability to remove a threat that is still active in memory. Nevertheless, to be effective in the real world security solutions must be able to neutralize threats in memory.
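Two of the points above, that a collection containing garbage files punishes the scanner that correctly ignores them (Magazine reviews), and that a detection score is meaningless unless it is read alongside the false alarm rate, can be made concrete with a small scorer. The following is an added example, not code from the whitepaper or from Kaspersky Lab: the test bed, the file names and the verdicts of the two hypothetical scanners are all constructed for illustration. It scores the same verdicts two ways, the naive ‘every sample is infected’ way and against verified labels, and shows that the two rankings disagree.

```python
"""Scoring an anti-virus detection test against verified ground truth.

Added example, not from the whitepaper. Compares the naive magazine-style
score (count how many files each scanner flags) with a ground-truth-aware
score that separates detection rate from false alarm rate. All sample
names and verdicts below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed test bed with verified labels (hypothetical file names).
# Verifying each label is the expensive step the whitepaper says a
# magazine rarely has the resources to do.
TEST_BED: dict[str, str] = {
    "worm_01.exe": "malicious",
    "worm_02.exe": "malicious",
    "trojan_03.exe": "malicious",
    "trojan_04.exe": "malicious",
    "virus_05.com": "malicious",
    "garbage_06.dat": "benign",  # truncated download, never a working virus
    "garbage_07.txt": "benign",  # text dump that was never executable
    "garbage_08.exe": "benign",  # clean utility mislabelled in the collection
}

# Constructed verdicts: True means the scanner reported an infection.
# Scanner A flags every real sample and correctly ignores the garbage.
SCANNER_A: dict[str, bool] = {
    name: label == "malicious" for name, label in TEST_BED.items()
}
# Scanner B flags everything it sees, garbage included, but misses one
# real sample: high naive score, poor real accuracy.
SCANNER_B: dict[str, bool] = {name: True for name in TEST_BED}
SCANNER_B["virus_05.com"] = False


@dataclass(frozen=True)
class Score:
    """Confusion-matrix counts for one scanner over one test bed."""
    true_pos: int
    false_neg: int
    false_pos: int
    true_neg: int

    @property
    def detection_rate(self) -> float:
        positives = self.true_pos + self.false_neg
        return self.true_pos / positives if positives else 0.0

    @property
    def false_alarm_rate(self) -> float:
        negatives = self.false_pos + self.true_neg
        return self.false_pos / negatives if negatives else 0.0


def naive_score(verdicts: dict[str, bool]) -> float:
    """Magazine-style score: every sample is assumed infected, so the
    'best' scanner is simply the one that flags the most files."""
    return sum(verdicts.values()) / len(verdicts)


def score(verdicts: dict[str, bool], truth: dict[str, str]) -> Score:
    """Score verdicts against verified labels; an unflagged file is a
    miss only if the label says it really is malicious."""
    tp = fn = fp = tn = 0
    for name, label in truth.items():
        flagged = verdicts.get(name, False)
        if label == "malicious":
            tp, fn = (tp + 1, fn) if flagged else (tp, fn + 1)
        else:
            fp, tn = (fp + 1, tn) if flagged else (fp, tn + 1)
    return Score(tp, fn, fp, tn)


def rank_naive(scanners: dict[str, dict[str, bool]]) -> list[str]:
    """Rank by naive score, highest first."""
    return sorted(scanners, key=lambda n: naive_score(scanners[n]), reverse=True)


def rank(scanners: dict[str, dict[str, bool]], truth: dict[str, str]) -> list[str]:
    """Rank by detection rate, highest first; ties go to fewer false alarms."""
    def key(name: str) -> tuple[float, float]:
        s = score(scanners[name], truth)
        return (-s.detection_rate, s.false_alarm_rate)
    return sorted(scanners, key=key)


if __name__ == "__main__":
    scanners = {"Scanner A": SCANNER_A, "Scanner B": SCANNER_B}
    for name, verdicts in scanners.items():
        s = score(verdicts, TEST_BED)
        print(f"{name}: naive={naive_score(verdicts):.3f} "
              f"detection={s.detection_rate:.3f} "
              f"false_alarm={s.false_alarm_rate:.3f}")
    print("naive ranking:       ", rank_naive(scanners))
    print("ground-truth ranking:", rank(scanners, TEST_BED))
```

With this constructed test bed, the naive score prefers Scanner B (7 of 8 files flagged against 5 of 8), while scoring against verified labels shows Scanner B missing a real sample and raising an alarm on every garbage file. The same pattern is the reason a proactive detection result should always be published next to a false alarm rate measured on a benign set large enough to be meaningful.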

Summary

Testing the detection capabilities of anti-virus products is a complex business. It is beyond the scope of non-specialist computer magazines, unless they are using samples provided by an anti-virus research organization or re-printing the results of a more in-depth study of anti-virus products. Moreover, even the more in-depth certification schemes like ICSA Labs and SC Magazine are based on the detection of just WildList samples. So using them to differentiate between anti-virus products is problematic.

So how can you assess the detection capabilities of different anti-virus products? No product can claim to be ahead in every detection test. The key is to look for a consistent track record in multiple tests. And the more rigorous, independent tests carry greater weight because of their comprehensive nature.
