Panda Research Blog

Law enforcement = 0 / Bad guys = 1

Pedro Bustamante — Tue, 30 Jun 2009 09:42:00 GMT

It's a sad day for all of us when bad guys get caught, yet are allowed to walk freely.

As reported by TheReg, James Reno, involved in the creation, distribution and scams using Rogue Antivirus such as ErrorSafe, WinAntiviurs and XPAntivirus, was allowed to "walk" with just a small fine of $116K. The article suggest he scammed users out of $50 million by infecting their PCs with rogue crapware and scaring them into paying up.

http://www.theregister.co.uk/2009/06/29/scareware_settlement/

What kind of message is the FTC sending to the rest of the bad guys? "Go ahead, infect millions of users and don't worry about jail time. Just give us a small percentage and we'll let you go."

I already had small hopes that law enforcement and governments do anything useful to help protect users. But this goes beyond absurd and is sending the wrong message that cyber-crime is OK as long as they pay their dues to governments.

First Independent Test of Panda Internet Security 2010

Pedro Bustamante — Fri, 26 Jun 2009 18:12:00 GMT

As you may know we released our Panda 2010 products yesterday. In addition to the traditional Panda Antivirus Pro 2010, Panda Internet Security 2010 and Panda Global Protection 2010, this year we've also released a tailor-made product for netbooks and ultra portables called Panda Antivirus for Netbooks.

I just got word from Andreas Marx from AV-Test.org that they've put Panda Internet Security 2010 (PIS 2010) to the test today. Some conclusions from the test can be seen below, using Andreas' own words:

WildList Test. We started with a detection test against all samples from the most recent WildList 05/2009 and malware from older releases. Our test set includes 3,194 confirmed malicious and widespread samples. We tested the set with the on-demand scanner and on-access guard. In both cases, Panda was able to detect and remove these viruses, worms and bots easily.

Full Collection Test. We were able to test PIS 2010 against a larger set of about 680,000 malware samples, including ad- and spyware, trojan horses and other critters. It detected 99.6% of these files, without flagging any files in our false positive / clean file test set, which is a very good result.

TruPrevent Test. We have tested the dynamic (behaviour-based) detection with a few recently released malware samples which are not yet detected by heuristics, signatures or the "in the cloud" features and found that Panda warned in about 45% of the cases when we executed the malware sample. However, it only blocked and quarantined just a few of these tested samples. (More testing in this area needs to be performed to report statistically significant results.)

Disinfection Test. The detection and removal of an already infected PC was working properly, all active components were removed during the system repair process and just in some cases, registry keys belonging to the malware were left behind.

Rootkit Test. The detection and removal of actively running rootkits was quite impressive: all rootkits in our test were successfully identified and deleted.

As you may imagine we're very happy about the results of this test and hope other independent tests come along soon that also validate the highest level of quality provided by our most advanced ever anti-malware solutions.

For detailed testing methodology (for rootkit detection and removal, system disinfection, dynamic detection, etc.) I recommend you visit AV-Test.org Papers selection.

Other advanced testing methodologies worth reading up on can also be found at ATMSO's Document Library.

Panda USB Vaccine with NTFS Support

Pedro Bustamante — Thu, 18 Jun 2009 22:48:00 GMT

First off many thanks to the hundreds of thousands of users who have downloaded, used and given us feedback on Panda USB Vaccine. Not only is it allowing us to improve this free utility for the community, it also helps protect users a little better from spreading malware infections.

Finally Panda USB Vaccine is out of beta and version 1.0.0.50 is here. Some of the most notable improvements are the following:

Support for vaccinating NTFS drives. This uses a completely different technique than the vaccination of FAT/FAT32 drives.
Executing USBVaccine.exe launches an installer which allows you to configure whether you want USBVaccine to start automatically with Windows.
Configuration option during setup to hide the tray icon.
Configuration option during setup to automatically vaccinate any new USB drives inserted into the PC.
Fixed bug on PC shutdown when USBVaccine was running in the background (Vista).
Other bug fixes reported by users on certain types of USB drives.

Some screenshots of the new Panda USB Vaccine:

As always you can get it directly from download.com:

Feedback on Morro

Pedro Bustamante — Thu, 18 Jun 2009 00:29:00 GMT

Excellent comment via pcworld regarding Morro (kudos to avdude15):

Just what we need - a security mono-culture.
If Microsoft's free av product succeeds it will knock more than a few av developers out of the market and weaken the rest. This at a time when the more innovative players are investing heavily in the infrastructure and technology to deliver protection as a service. Cloud scanning, reputation systems, sand boxes are just a few of the new technologies being rolled out by many of the AV players. So Microsoft says, "let's give away a product and kill all that innovation". Whether or not Microsoft delivers a good product or not, all of our security will suffer.

To counter some press articles, Morro is not cloud-based. It simply sends detection statistics back to MS over the Internet (encrypted over SSL so you can't see what is being sent).

Also there's nothing innovative about Morro. It requires big signature updates and doesn't use cloud-scanning. Just the same old traditional and basic AV.

What's your take on MS Morro?

Online banking

Pedro Bustamante — Mon, 08 Jun 2009 14:39:00 GMT

Don't know where I got this from. I think it's from Vey.

When the going gets tough, AMTSO gets going

Pedro Bustamante — Tue, 02 Jun 2009 00:42:00 GMT

You've probably read about this in other blogs already. At the risk of sounding like a broken record I'll post it here as well as this is really important and I think we should all help spread the word as much as possible. As you may know AMTSO is a non-profit organization made up of a lot of companies from the industry, from independent tests (such as AV-Test, AV-Comparatives, CascadiaLabs, Dennis Technology Lab, ICSA, NSS, PC Security Labs, and West Coast Labs) to antivirus vendors and academia. Visit AMTSO website to view the full member list.

Last month we attended the 5th Anti-Malware Testing Standards Organization (AMTSO) meeting held in Budapest and hosted by VirusBuster. This follows a bunch of other meetings held in Bilbao (Panda), The Netherlands (Norman), Oxford (Sophos) and Cupertino (Symantec). You can read the AMTSO Press Release titled AMTSO to start analysis of Anti-Malware Reviews for the official details.

Most of the work went into validating in a face to face meeting the different documented methodologies and processes which we've all been working on over the last few months. In all, AMTSO has now published a respectable document library about different issues concerning Anti-Malware Testing, and the list keeps on growing.

AMTSO Fundamental Principles of Testing. A high level overview which covers the 9 principle guidelines to follow while testing anti-malware products.
AMTSO Best Practices for Dynamic Testing. Probably the first document AMTSO started working on the early days of its foundation. Covers the main issues while running dynamic tests (versus static tests which consist of on-demand scans of many samples).
AMTSO Best Practices for Validation of Samples. One of the most important and most often overlooked issues of anti-malware testing. How to select valid samples for testing.
AMTSO Best Practices for Testing In-the-Cloud Security Products. Specially important for products which incorporate this latest method of protection. We were specially interested in this document as you can imagine as some of our latest products such as Panda Cloud Antivirus and Panda 2010 products include cloud-scanning.
AMTSO Analysis of Reviews Process. Viewed as one of the most important tasks of AMTSO, this document provides insight into the process that AMTSO will follow to review, based on the principles and methodologies published, the different Anti-Malware Tests that are published out there. This process is completely transparent and open to the publlic, so anybody can request a "Review Analysis" of a published test.

One of the most interesting things during these AMTSO meetings is the of openness & sharing of information between what are normally fierce competitors. It's not a very common practice to link to "competitors" sites (and I'm sure I'll get in trouble for it when/if my boss sees this), but I do recommend that you read up some of our colleagues blog posts about AMTSO progress, such as the ones from Sophos, Norman, McAfee, Trend, Avira, PC Tools, Kaspersky, ESET, and last but not least VirusBuster who hosted the event (sorry if I left someone out).

Panda 2010 Beta Now Open

Pedro Bustamante — Mon, 18 May 2009 22:42:00 GMT

Today we've officially launched the beta program for our Panda 2010 products.

As functionality-wise Panda Global Protection 2010 is the most complete product of the bunch we're releasing it as the main beta product. It includes a complete Anti-Malware Engine, Identity Theft Protection, Safe Internet Browsing filters and PC Backup & Optimization tools. More information can be found in the full functionality list.

One of the most interesting improvements this year is a 40% improvement in memory consumption, which results in a lower performance impact and better overall user experience.

You can find all the details, download link, installation details, list of known bugs and a list of recommended test at http://www.pandasecurity.com/beta.

Before you ask, Windows 7 support is not yet included in this 2010 beta. It'll be announced later on. In the meantime you can check the Panda Antivirus Pro Beta for Windows 7.

New Technical Support Forum

Pedro Bustamante — Thu, 07 May 2009 22:06:00 GMT

Our folks from support have recently opened their new Panda Technical Support Forum which you can find at http://support.pandasecurity.com/forum/. You can subscribe to alerts for updates, news, releases, betas, as well as get community-based support for all Panda products. Also there's a section to download utilities and troubleshoot malware related issues. Great job guys !

Panda Cloud Antivirus - Free AV thin-client

Pedro Bustamante — Wed, 29 Apr 2009 00:44:00 GMT

I'm happy to announce that we've finally published our first release beta version of Panda Cloud Antivirus, the first free cloud-based antivirus thin-client (yes, it's a free AV and yes, it's really a thin-client). It is available at www.cloudantivirus.com.

Panda Cloud Antivirus consists of a lightweight antivirus agent that is connected in real-time to PandaLabs’ Collective Intelligence servers to protect faster against the newest malware variants while barely impacting PC performance.

With Panda Cloud Antivirus we introduce a new protection model based on a thin-client agent & server architecture which services malware protection as opposed to locally installed products. By combining local detection technologies with cloud-scanning capabilities and applying non-intrusive interception techniques on the client architecture, Panda Cloud Antivirus provides some of the best protection with a lightweight antivirus thin-client agent that barely consumes any PC resources.

Of course keep in mind that this is still beta code and as such we continue improving and tuning both the cloud architecture and detection techniques as well as the agent architecture, specially now during the initial phases. That's why we're calling out to betatesters out there to help us test this new protection model in different scenarios.

Feel free to download Panda Cloud Antivirus from http://www.cloudantivirus.com. For submitting reports please use beta@pandasecurity.com.

Panda USB and AutoRun Vaccine

Pedro Bustamante — Thu, 05 Mar 2009 21:01:00 GMT

UPDATE June 19, 2009: New version 1.0.0.50 released with NTFS support.

The Microsoft Windows Operating Systems use the AUTORUN.INF file from removable drives in order to know which actions to perform when a new external storage device, such as a USB drive or CD/DVD, is inserted into the PC. The AUTORUN.INF file is a configuration file that is normally located in the root directory of removable media and contains, among other things, a reference to the icon that will be shown associated to the removable drive or volume, a description of its content and also the possibility to define a program which should be executed automatically when the unit is mounted.

The problem is that this feature, widely critizised by the security community, is used by malware in order to spread by infecting as soon as a new drive is inserted in a computer. The malware achieves this by copying a malicious executable in the drive and modifying the AUTORUN.INF file so that Windows opens the malicious file silently as soon as the drive is mounted. The most recent examples of this are the W32/Sality, W32/Virutas and also the W32/Conficker worm which, in addition to spreading via a vulnerability and network shares, also spreads via USB drives.

Due to the large amount of malware-related problems associated with Microsoft AutoRun we have created a free utility for our user community called Panda USB Vaccine.

Computer Vaccination

The free Panda USB Vaccine allows users to vaccinate their PCs in order to disable AutoRun completely so that no program from any USB/CD/DVD drive (regardless of whether they have been previously vaccinated or not) can auto-execute. This is a really helpful feature as there is no user friendly and easy way of completely disabling AutoRun on a Windows PC.

USB Vaccination

The free Panda USB Vaccine can be used on individual USB drives to disable its AUTORUN.INF file in order to prevent malware infections from spreading automatically. When applied on a USB drive, the vaccine permanently blocks an innocuous AUTORUN.INF file, preventing it from being read, created, deleted or modified. Once applied it effectivelly disables Windows from automatically executing any malicious file that might be stored in that particular USB drive. The drive can otherwise be used normally and files (even malware) copied to/from it, but they will be prevented from opening automatically. Panda USB Vaccine currently only works on FAT & FAT32 USB drives. Also keep in mind that USB drives that have been vaccinated cannot be reversed except with a format.

Download

Panda USB Vaccine is a 100% free utility. We've tested it under Windows 2000 SP4, Windows XP SP1-SP3, and Windows Vista SP0 and SP1. Feedback is always welcomed. Click on the download button below to start downloading.

Command line Operation

For advanced users who wish to run Panda USB Vaccine automatically at boot to notify every time a new USB device is mounted on the system or to perform network-wide computer vaccinations via login scripts or other distribution methods, Panda USB Vaccine can be operated via command-line. Its input parameters are the following:

USBVaccine.exe [ A|B|C…|Z ] [ +system|-system ] [ /resident [/hidetray] ]

[drive unit]:   Vaccinate drive unit
+system :    Computer vaccination
-system :     Remove computer vaccination
/resident:     Start program hidden and prompt for vaccinating every new drive
/hidetray:     Hides tray icon when used with the /resident command

Examples:
To vaccinate USB drives F:\ and G:\, use
USBVaccine.exe F G

To vaccinate the computer, use
USBVaccine.exe +system

To vaccinate computer and prompt for vaccinating every new drive without showing a tray icon, use
USBVaccine.exe /resident /hidetray +system

It could be very useful to create a Shortcut in the Startup folder to USBVaccine.exe with this last command line (or without the /hidetray) to make sure that every time you boot the computer USBVaccine gets loaded by the system and it vaccinates the computer and prompts the user for vaccinating any new non-vaccinated USB drive. However if you do this under Vista, UAC will block it from running at Startup as it requires admin priviledges. We'll fix this in future versions.

Compatibility with Windows 7

Pedro Bustamante — Thu, 26 Feb 2009 18:46:00 GMT

As some of you may know Microsoft is currently working on its next Operating System called Windows 7. It introduces quite some improvements in usability, efficiency and information management. It's definately worth a try.

To help you evaluate Windows 7 we've just released a beta of Panda Antivirus Pro 2009 for Windows 7. It includes the latest Panda anti-malware engine, heuristics and Collective Intelligence scanning-from-the-cloud.

You can download the beta of Panda Antivirus Pro 2009 for Windows 7 directly from here.

More information about Panda for Windows 7 at http://www.pandasecurity.com/windows7.

Panda Collective Intelligence and VirusTotal

Pedro Bustamante — Thu, 12 Feb 2009 11:40:00 GMT

As you know we've been using Panda Collective Intelligence from-the-cloud-scanning technologies since about two years ago, initially in our online scanners ActiveScan and also in our Panda 2009 consumer products. Thanks to Collective Intelligence we are able to use complete automation (community-driven information, threat analysis, multiple technology checks, malware/goodware determination and signature creation) to protect against the newest and most dangerous variants faster than using the traditional signature approach.

I'm happy to report that we've now integrated the Panda Collective Intelligence cloud-scanning technology into the VirusTotal service. You'll notice it by the 10.x version numbering next to the Panda engine.

To see Panda Collective Intelligence in action let's look at a new malware that started spreading a few hours ago (MD5: a0713a3639c9d4901daf774022f4bfd2). It is an Adware/Antivirus2009 rogue antivirus. Let's run it through VirusTotal and see the results as of 02.12.2009 12:35:51 (CET):

Check the updated VirusTotal scan result here (search for a0713a3639c9d4901daf774022f4bfd2) to see how other engines add detection progressively.

Progress on Anti-Malware Testing Standards Organization (AMTSO)

Pedro Bustamante — Mon, 09 Feb 2009 15:16:00 GMT

Last week the 4th AMTSO meeting took place in Cupertino, hosted by Symantec. As you may remember Panda Security hosted the first AMTSO meeting in Bilbao early last year.

This has been by far the most productive AMTSO meeting so far. We really advanced a lot in specifying different testing guidelines, principles, education documents and methodologies. Please watch the AMTSO website at www.amtso.org for these official documents. Some of the most important documents that are either already published or which we worked on during last week are the following:

AMTSO Fundamental Principles of Testing
AMTSO Best Practices for Dynamic Testing
AMTSO Best Practices for In-The-Cloud Testing
AMTSO Review of Reviews
AMTSO Whole Product Testing
Educational Documents such as Obtaining Samples, Creating Samples and Verificating Samples

It was truly a great experience to work alongside such a great group of professionals including testing organizations such AV-Test, ICSA, NSS, CheckMark, AV-Comparatives, PC Magazine and competing AV vendors. As always I have some pics for you:

Of course there was also a fun part to the trip. We had a few days to relax and went to San Francisco with Philipp from Avira and Nick from SonicWall to have a good time. As you can see from the pics below the locals were really friendly :)

Panda participates in new AV comparative

Pedro Bustamante — Thu, 15 Jan 2009 14:52:00 GMT

Since a few months ago we've started participating in a new AV comparative test from PC Security Labs called Total Protection Testing. It's a pretty kewl test since, as opposed to other AV comparatives out there, PC Security Labs has a very interesting testing methodology that takes into consideration:

Freshness of malware samples. Only the newest samples from the previous month are tested, not year old samples.
Static detection using traditional signature files, very similar to what other AV comparative testers are doing.
Dynamic (behavioral) detection of malicious running processes. Only a handful of professional AV testers are doing this.
Cloud-based detection such as Panda's Collective Intelligence. As far as I know PCSL is the first AV tester with a methodology that takes this type of technology into account.
False positive testing. Global scores are lowered on each false positive.

All-in-all a very complete testing methodology that gives a broad view of the global performance of different anti-malware solutions. It's no surprise that PC SecurityLabs has recently joined the AntiMalware Testing Standards Organization (AMTSO).

I'm glad to report that Panda has achieved an "Excellent" score in each of the three tests we've participated in so far.

Total Protection Testing reports from PCSL can be downloaded directly from the following locations:

The tests are performed on a monthly basis, so make sure to visit PC Security Labs every now and then to get the latest results!

Warning: Conficker worm infections gaining traction

Pedro Bustamante — Mon, 12 Jan 2009 10:49:00 GMT

We're seeing quite a large number of Conficker worm infections since the start of the New Year and specially since the Conficker.C variant appeared on December 31. It seems that the return to work after the Christmas break has kick-started Conficker again. Daniel Nyström, our Tech Support front man in Sweden, already noticed an increase in infections a few days ago.

As you may recall Conficker is a worm that spreads via networks and USB drives. It attempts to brute force usernames and passwords and takes advantage of Server Service vulnerability in Windows which allows for remote code execution. The worm also auto-updates itself every day from a long list of URLs so it looks like its preparing for a larger attack.

Checking again the SANS activity by port it's obvious this is something you need to worry about:

As posted about a month and a half ago, TruPrevent prevents Conficker worm network infections proactively thanks to a new Policy Rule we pushed out to all our retail products. In addition we've added signature detection for all Conficker variants. I'll post details on manually creating and pushing out TruPrevent Policy Rules on corporate networks as soon as possible.

As a curiosity I was travelling the other day and while connected to the WiFi network of a German airport I noticed the following Conficker worm variant trying to brute force its way into my machine:

The Conficker worm means business so be careful out there. Some preventive steps you should be following if you haven't done so already:

If you're responsible for a network, scan for vulnerable machines (using Baseline Analyzer, Nessus, etc.).
Patch your servers and workstations by visiting Microsoft Security Bulletin MS08-067.
Disinfect infected machines using Malware Radar on networks or ActiveScan for stand-alone PCs.
Turn off AutoRun feature for USB drives on your machines (and ask your Microsoft representative for a global solution to AutoRun).
Make sure your antivirus and security solution is up-to-date on the latest version and signature database.