Sunday, January 4, 2009

Anatomy of a malware scam: How infects people and evades the good guys

Hundreds of thousands at risk daily

In my previous posts, I have talked about malware downloaded from and how they keep the anti-malware vendors guessing. The downloaded malware is not detected by a majority of the anti-virus software. Also of interest is how the site operates, since it gives us knowledge as to how malware distribution actually works.

How is the attack carried out: Search engine results are infiltrated by pages which purportedly show sex videos. These sites themselves do not have any malware, but the pictures link to another different webpage, the pictures of which then link towards a subdomain of which downloads a trojan disguised as an active X video player. The execution (running) of this file causes download of other files, which may, among other things, lead to disclosure of financial information and computer takeover by a remote person.

So, there are two “buffer sites” which lead on to the main exploit site. This is to guard against link scanners getting wise. The main site, full of explicit pictures, then gives the option of a codec, which then installs the malware.All the time, the main site, is never active, and never appears in any search results. This helps in keeping the site anonymous.

A search by whois showed the ip number to be, with the ip hosted in china.and two more domains associated and What is frightening is that the ip address was registered just on the 29th of December, and within a space of 1 week, it has moved up to a daily Alexa traffic ranking of 2797. That means a traffic of a few hundred thousand per day. A few hundred thousand potentially infected computers per day. It is high time this site was put to an end.



Pictures: How to get infected: Click on the link

First link: Not infected, pictures link to a second non infected site

Picture: As you can see, the link scanner in the search engine did not pick up the site because it really did not have any exploits, nor was linked to one



Second link: Still no exploits, but the pictures link to a third site



The main exploit site: Note how precisely the picture simulating the pop up window is placed.

Clicking on the "window" leads to the appearance of a download dialog for the actual malware (setup.exe).



Finally, the frightening aspect: Notice how rapidly the Alexa traffic rank is going up. The number of people reaching the site now is estimated to be hundreds of thousands daily

Malware Authors Present AntiMalware Vendors a Moving Target

One Site, Four Days, Four Different Trojans

Analysis of the site provides a grim reminder of the challenges and limitations of anti-malware software. . (Warning:Please do not visit the site, it is potentially very very risky, downloading a variant of the Zlob trojan). I had first hit upon the site on the first of January, looking for an “additional media codec” to improve upon my malware collection. It was looking like a run of the mill spoof of PornTube, but it was linked to by plenty of other infected sites. (BTW, I have to thank Microsoft Live Search for getting the site, I was getting bored not getting plenty of infected links on Google, interesting for me perhaps, but it is extremely risky for the general public). I downloaded the “active X control” in my Opera browser and scanned it for viruses on Virus total. Only fourteen engines could detect it. Of course, I thought that it was a new variant, but was curious how the vendors would respond to this threat.

I followed up on the site again on the third of January, and was surprised. A new variant of the trojan was being downloaded, which was again detected by only fourteen new anti-viruses.The same story was repeated on the fourth and on the fifth. The malware distributor was moving before the anti-virus vendors could respond. Inspite of updated signatures showing slightly improved detection rates by anti-viruses, the risk to the end user visiting the site remained the same. Therefore, the updated signatures seem to be a giant waste of manpower and time for the anti-viruses. Making custom malware has become very common, with DIY kits being found in the underground.


1st January, 2009

3rd January 2009

4th January 2009

5th January 2009

MD5 Hash









Detected by how many viruses initially





Detected by how many viruses now (on 5th January)





What is the moral of the story?

  1. Do not depend on signature based detection. It is useful in some cases, but in the face of todays web based threats, it has lost its sheen

  2. Additional protective measures must be used. In my case, even though Avast! Could not detect any of the viruses first time, it provided protection by recognizing and blocking the malicious url (pic given below). A similar functionality should be found in AVG Link Scanner. Look to prevent going to the sites. However, it has to be recognized that these mechanisms will also fail, as a result of which the following two points are extremely important.

  3. Protection by means of limited accounts and a policy of distrust towards web downloads goes a long way.

  4. Do not go searching for trouble. You, ultimately are responsible for your own security. And look out for potential signals of trouble. In this case, it was quite clear, a third party site spoofing as PornTube, and then asking for aan “Active X control “ in Opera.

    Picture: Looking at the address bar shows that the website is fake. The "video Active X display" should make one even more suspicious. Finally, using a limited account with parental controls will go a long way in protecting you.

Friday, January 2, 2009

You do not have to pay extra for the best antivirus

How to block any malware from entering Vista, for free

The best antivirus on Windows Vista comes free, along with the operating system. Yes, I repeat, its true: the best solution for all spyware and viruses comes along with the operating system; you just have to unlock it.


Just go to the control panel, click on user accounts, make a new standard account and enable strict parental controls in allowing only a selected set of programs to run. Then, choose a strong password for your administrator account, and your newly formed standard user account. After that, just log in to your system and start using your computer. Of course, this does not mean you should not use an anti-virus. An antivirus is still needed in case you make a big mistake, but the simple steps above will mean that you will have control over your own security instead of blindly relying on some third party vendor.

You do not believe me? You have heard all about the Swiss cheese security of Windows, right? How come anyone dare say that one can actually surf the Internet freely without being dependent on an antivirus? Ok, believe what you see. I am providing some screenshots how the simple steps taken above have helped me to avoid viruses. Also, kindly note that I still use an antivirus, although a free one. However, to show you the effectiveness of the standard account with parental controls, I had switched off the antivirus while taking the screenshots below.



This is the first screenshot as to what happens when I try to execute a virus form my malware collection.


Similarly, when surfing, a drive by download, or a download which you have mistakenly run cannot execute itself:



Of course, it will not help you if you still choose to override the parental controls and install rogue software. A proper antidote to unsafe driving and internet surfing has not yet been discovered. However, even then, it is better to use a limited standard account because:

  • You have time to see the publisher and site the program is being downloaded from and if possible get the program analyzed by comprehensive black list based programs like that found in before installing it
  • In cases of droppers and downloaders, you get another warning that a further exploit is to be installed
  • it is easy to clean up the mess, and other accounts do not get compromised.


Other things to take care of:

Just using a standard account with parental controls will not help fully. For optimum security, you have to take the additional steps:

  1. Keep all the software up to date with security patches. In case you find it difficult to do this, use Secunia personal security inspector.
  2. See that your firewall is turned on. The Windows firewall is adequate for most purposes, and the Vista firewall can be configured to act as a two-way firewall. Advanced users may use a good third party firewall.
  3. Back up your files regularly.
  4. Encrypt your sensitive data. If you are paranoid about online financial security, use a separate password protected user account just for sensitive internet transactions
  5. Use a safe surfing policy. This means setting up site specific settings on a browser, with plugins (and if paranoid, javascript and iFrames) disabled for all but a handful of sites.
  6. Choose a good anti-virus and keep it up to date, so that even if you make a mistake, it may catch it. The present security scenario, with emphasis on fooling the user to install a program, needs a very good blacklist based system in addition to the system I have mentioned above.However, be warned, antiviruses do not detect the vast majority of rogue software out there.
  7. If you have to run a downloaded program, please do an internet search on the site the program has been downloaded from as well as the program itself. It is always advisable to get any downloaded executable (.exe) or archive (.zip, .rar etc)  thoroughly analyzed by a source such a I would recommend doing a MD5 hash search before submitting the sample because it prevents the servers from getting clogged up and saving bandwith charges for a useful free service. The malware writers make use of such a service to see that their programs do not get detected by the majority of the anti-viruses, so why should you not make use of such a service?





Which is the best Free Anti-Virus for Windows

Home users have quite a few options for free anti-viruses. Which is the best anti-virus among them? To answer this question, we first have to ask: What makes a good antivirus?

A good anti-virus must have :

  1. A very good detection rate for viruses and trojans.

  2. Additional antispyware/ anti-rootkit capability

  3. Lesser number of false-positives

  4. Use less system resources so that there is no performance downgrading of the computer

  5. Scan the computer fast

  6. Have additional features like network and download protection, with rapid scans of any downloaded files

What are the anti-viruses that will be compared?

There are quite a few excellent and not-so excellent products free anti-viruses for non-commercial home use, so much so that it is a wonder why anyone buys paid anti-viruses at all for the same purpose. Do not get me wrong: Paid anti-virus is essential for business purposes, if for nothing but the fact that there are no standard free options in that space. However, we are focussing on the home users for now.

The main free anti-viruses are AVG Free 8.x, Avast! Home Edition, and Avira Antivir Personal.

Besides this, there are some other anti-viruses like Comodo and PCTools, but independent tests show that they have too low a detection rate to be really seriously considered.

How can the anti-viruses be compared?

The only way to see whether a particular anti-virus has a good detection rate is to read about the detection rates found by multiple independent sources having a large sample size. The source must be expert and independent. It is never trustworthy to read about home-made tests (reported by some magazines) because even though the source may be honest, the sample size is not large enough. The sources I have used for this analysis are AV Test, AV Comparatives and results were again compared and confirmed with the statistics by However, the statistics of the latter was not used because there is no column for AVG 8, and it tests on the linux platform. However, a comparison of the results would show that the results are roughly equivalent across all the tests. I cannot publish the raw data from these sites beacuse it will be an infringement of the copyright, but you can double-check on my stats by going directly to the source. Thus, the majority of this article is not a new analysis, but a review of various tests carried out by trustworthy sources. You may ask, how does this make it useful? Well, for the simple reason that a good review of all the independent tests is not readily found in the internet. However, I have analyzed the sources, and added information about the additional features, therefore the conclusion drawn may be different from the original sources.


Detection rate:

Total samples: Perhaps the most striking thing was how close all the antiviruses were as far as their detection rates were concerned. The maximum difference between the best and the worst free anti-virus in a single test was 4.9%. Another striking feature was how close the detection rates were compared to the commercial versions. Avira had the best detection rate among all anti-viruses (commercial and free) in 2 tests, and its worst rank when compared with all antiviruses tested was 7. Avast also had a good performance, while that of AVG, even though the detection rates were good, was an average performer. Only the latest tests were considered from all the sources.




Average detection rate for the different tests




Go to the main sources: AV-test, AV Comparatives,,

Go to secondary source: Shadowserver

New Samples: Tests for new virus samples however, the results are more mixed. Studies from AV Comparatives suggests that Avira is undoubtedly the best in this category, but also that AVG is better than Avast! In this regard. All three are good performers, however, with Avira being consistently excellent. These tests, to some extent reflect the proactive protection delivered by the antivirus. However, this result should carry less weightage than the detection of all virus samples with fully updated signature because it reflects a more real-world situation.

Go to source: AV Comparatives,

Anti-spyware and anti-rootkit protection: The Avira personal edition Classic does not come with anti-soyware capabilities, a definite minus when compared with the other two products. The antispyware built in Avast! gave better results than AVG. However, AVG does not come with a built in Anti-rootkit, and have also discontinued their free dedicated anti-rootkit product. Avast! Is the only product with both these in its free edition.

Go to source: AV test 1(Anti-spyware, and anti-rootkit), AV test 2 (anti-spyware, this was also used for measuring detection rate),

False Positives: In the test conducted by , the number of false positives were comparable for all the three products. However, in the analysis by AV comparatives(pdf), even though the numbers were comparable, Avast! Gave a higher number of false positives (around twice that of the other two).

Usage of System Resources: Avira was lightest on resources, according to a study carried out by passmark, followed closely by Avast!. These findings were also confirmed in a study by AV Comparatives. AVG was the heaviest on resources.

Go to source (pdf): Passmark, AV Comparatives performance test

Additional features: Avast! Has plenty of additional features just not found in the other anti-viruses. It actively detects web downloads, networks, IM and P2P applications, giving an additional layer of security found in the paid versions of the other anti-viruses. In fact, Avast! is equivalent to the paid commercial versions of many antiviruses. These are not just feature bloat but are extremely useful in these conditions:

  1. An undetected virus aims to disable the anti-virus on many occasions. In such cases, a self protecting mechanism, like that in Avast! May be necessary

  2. The network shield may prevent malicious web sites from loading. Such a mechanism protects against new, possibly non-detectable viruses.

  3. Active web, IM and P2P protection detects the viruses at the earliest stage possible, and lessens the risk of the virus spreading to other machines. It is to be noted in this regard that the users machine will be protected with all three antiviruses anyway, because the resident protection will set in whenever the malicious program is run.

Picture: Avast! Stopping a malicious site from loading


AVG Free

Avast! Home

Avira Personal

Detection Rate



Very Good

Zero Day detection rate



Very Good



Moderate to good

Not available


Not available



False Positives




Usage of system resources




Additional features (e.g web browsing and download protection, network protection, dedicated e-mail protectionetc)




Final Score

A good choice, but Avast! has better features, Avira has the better engine.

The best single choice overall

The best scanner, both fast and accurate, but loses out due to lack of additional protective features. Excellent choice if combined with a good third party anti-spyware

Avast! Home Edition is possibly the best single choice for a free Windows anti-virus. Even though Avira has a slightly better engine, both of them are comparable for anti-malware. However, Avast! has an excellent in built anti-spyware and additional features which makes it preferable to the other free anti-viruses. Avira may be preferable for those who think about very good protection against “zero day” viruses and are willing to install an additional real time anti-spyware scan.