About Us

The Immunet Blog is maintained by the Immunet team as a forum for discussing news and issues related to AntiVirus, security and cloud technology.

Search

Entries in Immunet (18)

Friday
May202011

MacDefender OSX Malware

Last week Joel Esler from the Sourcefire VRT published a blog post concerning the MacDefender OSX Malware over on the VRT blog. Similar to common PC scams, this "scamware" scares users into thinking that their machines have been infected and then captures credit card data. Joel provides great background on how this scamware works, what it does, and how users can protect against it.

Please check out the post on MacDefender and its variants for more information.

Friday
Mar112011

How to create custom signatures for Immunet 3.0, powered by ClamAV

Immunet 3.0 is Sourcefire’s new cloud-based desktop anti-malware solution for Microsoft Windows. For best performance, an Internet connection is recommended. Additionally, Immunet 3.0 is powered by ClamAV, which allows users to stay protected even when not connected to the Immunet cloud. ClamAV built its reputation over the years on the UNIX platform as being a robust and capable enterprise-level anti-malware solution, which allows the advanced user to create their own signatures to complement the ones supplied and updated several times a day by Sourcefire. Why is being able to use your custom signatures a great feature? Well, it’s because you can make your anti-malware program look for threats that you are the first to see or that you will be the only one to see (e.g. Advanced Persistent Threats, or APT). Or, you could have found that an older version of a proprietary program that's running on your network is vulnerable and you want to make sure that users only run the latest version. Writing a custom signature that targets the older program, can help you enforce that policy. Here's how to get started on writing your own custom ClamAV signatures for Immunet 3.0. Download the ClamAV command-line Signature Tool, sigtool (MD5:838f6b4ea87199b86f04e9efb96241c3). Now let’s say that test.exe is the file you want to create a signature for. To create a signature that will match only that file, use the --md5 option of sigtool (in this example, I am redirecting the output from sigtool into a file with a .hdb extension):

sigtool --md5
Pic.1: Signature using full MD5 hash of file.

Now, in this case the signature will match on only one file. You may want to write something that matches on multitple files. For example, in the case of executable files you may want to write a signature that will match a particular PE-section, and all files that have the same PE-section. To do so, break up your executable into its different PE-sections either manually or by using tools, identify the one you want to write a signature for (typically the sections are labelled .text, .rdata, .data, .idata, etc..) and use the --mdb option of sigtool (in this example I am redirecting the output from sigtool into a file with a .mdb extension):

sigtool --mdb
Pic.2: Signature using the hash of the PE-section of an executable.

Another way to have ClamAV detect a file is to base your signature on a hexadecimal fragment contained within the body of the file. Let's say you have a text file that contains the text I look like a benign file but actually I am a bad script and I will pwn your machine, if you don't pay attention. We decide that our detection will be based on detecting the phrase I am a bad script in any text files. To write a signature, we can start by echoing I am a bad script into sigtool --hex-dump (this time I'm not redirecting output into a file just yet):


Pic.3: Signature using the a hex fragment of a file.

Then I'm going to create a signature that has the format Name:TargetType:Offset:HexSignature and redirect it to a file with a .ndb extension, like I did at the end of the example above. You'll notice that I did not include the line break 0d0a in the hex signature. For more in-depth information on how to create signatures, check out the documentation on Creating Signatures for ClamAV. There is also a webcast on the topic as well as a blog entry on how to create logical signatures for ClamAV. Well, all that is good and I've created signatures, how do I load them into Immunet 3.0? You may very well ask. First things first: Make sure that the ClamAV detection engine is turned on. Open Immunet 3.0, select “Settings” and switch the ClamAV “on”. Click on “Apply”.


Pic.4: Making sure that the ClamAV engine is turned on.

Optional (but highly recommended): Back in the main pane, click on “Update Now” to download the latest official ClamAV signatures.


Pic.5: "Update Now" to get the latest official ClamAV signatures.

Next, launch SigUI from Start->All Programs->Immunet 3.0->Custom Signature Tool.


Pic.6: SigUI's interface.

SigUI is a graphical user interface used to configure a back-end tool called Freshclam, which is used to download ClamAV signatures. Under the "Updater configuration”tab, you can enter proxy settings if you access the Internet using a proxy. To ensure that the settings have been entered properly, click on "Run freshclam to test configuration". Upon successfully accessing the Internet, Freshclam will exit without error (“Freshclam exited with code: 0”) (see Pic. 7):


Pic.7: Freshclam running.

Next, from the pull-down menu "Download Official Signatures from mirror", select where you want to download official ClamAV signatures from. By default, official signatures will be fetched from db.local.clamav.net. Although this works well most of the time, you may get better performance by using a server closer to your location. Mirrors are in the form db.XY.clamav.net, where XY is a two-letter country code. Alternatively, you can manually enter a hostname, such as your own server if that is where you are hosting the official ClamAV signatures. This completes the configuration for the automatic retrieval of official signatures. To deploy your own signatures (or signatures provided by third-parties), you can either: - specify their full URI (URL or UNC path) under Custom signatures URLs (see Pic. 6). The signatures can be in any format that ClamAV understands - add the signatures file(s) under the "Local signature management tab" (see Pic. 8). At that point the signature aren’t yet installed. You must click on Verify and Install signatures to test the new signatures (see Pic. 9). The ones that pass verification will be installed and ClamAV will load them at the next database update


Pic.8: SigUI's "Local signature management" tab



Pic.9: Signatures installed after verification

Your custom signatures will be copied to the ClamAV signatures folder and loaded the next time the system is idle. Voila! You now know how to write and deploy your own ClamAV signatures. You can also load third-party signatures written in the a format that ClamAV understands the same way you would your custom signatures. Again, you don't have to write your own signatures, but you can if you want and that is a powerful feature at your disposal. Feel free to contribute your signatures to our online forum. Feel free to post your questions to our mailing list. Additionally, you will find someone to answer your questions in the IRC chat room #clamav on irc.freenode.net.
Tuesday
Jul132010

New Threats Call for Layered Security Approach 

Cyber attacks are reaching pandemic levels, according to a recent report by the Wharton School of Business at the University of Pennsylvania. As the threat mushrooms, protecting against it has become ever more complex. According to the report: 

"Security is always a cat-and-mouse game between hackers and security vendors," says Kartik Hosanagar, a professor of operations and information management at Wharton. "What has changed is that both companies and hackers have grown sophisticated. So the good news is that most security software will protect us from the most basic threats, which was not the case in the past. But the bad news is that malware and viruses have become more sophisticated, so even advanced users can fall prey to them."

Worms associated with interactive media and malware affecting social networking sites are         particularly dangerous, he notes, because "for example, you are less likely to be suspicious of a message from a friend on Facebook asking you to click on a video link. And yet, this kind of attack is on the rise" even as Facebook, Twitter, and other such sites are increasingly being used by businesses.

This is why Immunet Protect advocates taking a layered approach to antivirus security. Today’s threat landscape is far more sophisticated than the security industry has ever seen and using just one antivirus product isn’t enough. Running two antivirus programs at once was previously frowned upon, but as the threat landscape – and antivirus solutions evolved – the layered strategy has become the advised approach.

Immunet Protect is 100% compatible with most major antivirus products. View our complete list of compatible products. No matter how protected you are, there is no absolute guarantee that your PC will be free from viruses. But you can ensure that you have real-time protection against malware (like Immunet Protect) and share Immunet Protect for free with your network.



Thursday
Jul012010

Don't Get Infected by Twilight Malware - Make Sure You're Protected

It’s no surprise that hackers have piggybacked on the pop culture hoopla surrounding yesterday’s release of the new Twilight installment, “Eclipse.” Fans are eagerly scouring the web for information on the movie, but more than half of the links they’re getting are tainted with malware, according to news reports.

Consider what this means for malware infiltration. If hackers can contaminate more than 50% of links on a particularly hot topic, our vulnerability to viruses is higher than we think. We take for granted that our Internet searches are safe -- after all this is information we’re seeking. It’s not as though we’re clicking on fishy links sent to us via spam. Well, that’s the old way of thinking. In the new world of malware, gaming search engines is a clever way to get savvy web surfers to stumble upon malware. And even if you’re not searching the web for Twilight content, there’s probably someone in your life who is. Are you protected?



Thursday
Jun102010

Oliver Friedrichs on Keeping Families Safe 

Yesterday, Immunet CEO Oliver Friedrichs was invited to be a guest on Cyberhood Watch Radio to talk about the importance of keeping families safe online. Hosts Dave & Bill tapped into Oliver’s expertise to inform audience about keeping teens safe this summer as they spend more time online connecting with their friends. They also asked for Oliver’s take on the urgency of malware lurking on social networks and how Immunet Protect’s unique social network can help you – and your children -- make good decisions online. Take the time to listen and learn about the looming threats online and why traditional antivirus products aren’t working. Click on the show titled “What Consumers Need to Know About Antivirus Software & How to Stay Protected.”
Listen to internet radio with Dave and Bill on Blog Talk Radio
Wednesday
Jun092010

‘Gaming’ Malware 

You are exploring the Wild West – at every turn there are grisly town hangings, gunfire ambushes, and reckless gambling sprees. All of this is just part of a day’s work. What actually stops you in your tracks is, when you’re suddenly warned that you have a dangerous virus – a computer virus, that is.

Hackers recently exploited the popular Wild West-themed computer game Red Dead Redemption with scareware. While scareware seems strangely appropriately for a game that thrives on danger, this malware was not part of the amusement. In fact, this is the latest in a string of video games to become prey for malicious software.  

While games being infected with malware is nothing new, the problem is gamers are sometimes reluctant to install antivirus software on their PCs for fear of slowing down their machines and hampering their gaming experience. But as gaming grows from a niche activity to an all-out national pastime, gaming malware could proliferate rapidly unless we step up and protect ourselves. Already we’ve seen popular social games, like Zynga, have become targets of malware and phishing scams.

And here’s the good news. Being protected doesn’t mean turning your computer into a brick anymore. That’s the outmoded desktop-approach to antivirus. Immunet Protect’s cloud-based protection installs less than 10 megs on your PC --- the lightest in the industry. All detection will happen virtually in the cloud, not on your desktop -- so your gaming experience won’t be weighed down. For those who are already protected, Immunet will give you an added layer of essential protection , still without slowing down your PC.

As we’ve mentioned here before, we’re launching a stellar new product next week that takes cloud AV protection to the next level. Stay tuned for more details. And in the meantime, be a friend to Immunet, and promote our new website (also coming next week) with a free Immunet Badge.



Wednesday
Jun022010

Keeping Safe on Twitter 

While Facebook’s security measures have been garnering top media attention, Mark Zuckerberg’s hugely popular network isn’t the only site hackers are targeting. Twitter’s mushrooming community has also become a favorite for hackers. 

They’re of course, drawn to Twitter’s user base that reaches well into the millions and according to some forecasts will hit 1 billion users by 2013. Case in point, earlier this month the Sunbelt Blog demonstrated how a DIY Twitter Botnet Creator is making botting shockingly simple for hackers. The good news is, the attack method exposes the hackers. And Sunbelt has already notified Twitter about the risk. While Twitter is doing everything it can to keep its users safe, it’s wise to ensure that you’re taking some extra precautions as well. 

Scares, like the DIY botnet, serve as a necessary wake-up call to remind us that undiscovered risks continue to lurk in the digital world. We deserve to enjoy our online communities, but the truth is, we have to be smart about how we do it. 

This is where Immunet Protect comes in. As with Facebook, Immunet Protect is designed to explicitly combat threats on sites like Twitter.

It’s free to download Immunet Protect, it’s lightweight and won’t slow down your computer, and it provides essential security for your PC. Why not do your part to keep you – and your community -- safe? 



Thursday
Apr292010

Google Adsense Phishing Scam 


This morning while reading my mail I came across an email purportedly from Google notifying me that my AdSense account had been disabled. On closer inspection the email was a clear a phishing attack designed to steal my AdSense username and password. The mail looked like this:

 

You can see from the URL which I have outlined in red that clearly this is not going to take you to a real Google website but rather a (likely) hacked page at orientcasinos.com. If I go to the site it looks like a fair passing imitation of the actual AdSense page:

The URL though is still quite obviously not AdSense so thankfully this particular scam is not likely to go far. These sorts of scams are not new per se but it's important to understand that not only are your direct financial assets (bank account, credit card etc.) a target but so are your indirect financial assets like your AdSense account which controls potential revenues for your business. Like we posted earlier about Facebook accounts being targeted  your online presence is something you need to consciously guard as well as your PC. You can start by being sceptical about any email asking you to log in and change your credentials for an online service you use. If you do feel you need to follow up on an email which requests something like this, always open your browser separately and navigate to the site on your own, do not copy and paste from the email and do not click on the link in the email.

 

 

 

Wednesday
Mar172010

Do Consumers think about AntiVirus?

Why is it that 50% of all Internet users either don’t have AntiVirus protection or have protection that’s expired or out of date? Between 30-40,000 (thousand!) new viruses are created each DAY, and yet a large percentage of the consumer population remains vulnerable to these threats. So what’s going on here? Perhaps people are too trusting that website security professionals such as Twitter’s Trust and Safety team, or those involved in the Facebook Security Wall will just take care of malware for them.

Consumer Reports has a good phishing test for consumers (and Donna even wrote a post about the dangers to social media, a topic near and dear to all of us at Immunet). eHow has a few good steps to follow. MSNBC offers some good advice from the AP. CNET even tried to help people avoid malware from trusted site the Drudge Report.

We think more people don’t have AntiVirus due to combination of price, effectiveness (or lack thereof), resource and system drain and software conflicts that afflict traditional AntiVirus software. To be fair, without the collective benefit of a cloud-based community that can help to detect, update and defend each other against thousands of new threats daily, it takes copious resources in terms of human and technology costs (which are passed along to the consumer) for a traditional AntiVirus provider to do all the work themselves.

With Immunet Protect’s Collective Immunity, we’ve solved this problem and torn down the barriers standing in the way of increasing consumer AntiVirus penetration from 50% to closer to 100%.  The closer we are as an industry to 100% antivirus penetration, the safer the Internet becomes for everyone online.

Monday
Mar082010

What to do When Advice Falls Short? 

We put a focus on educating people on how to avoid getting a virus, from the basics to black SEO to social media aggregators to Facebook-specific worms to how to’s.

It seems attackers have the means to overcome today’s ‘AntiVirus common sense’ we’ve all grown to embrace, namely, only click on links from trusted sources. Now these sources can no longer be trusted.

Case in point is the new spear phishing threat targeted at social networking. Core Security Labs demonstrated this at the RSA Conference last week and lots of people have followed up on the problem. What to do?

While common sense is still very important, getting a real-time AntiVirus that recognizes a threat instantly is just as vital. Viruses take time to spread and the longer one goes undetected, the more dangerous it gets. Immunet Protect’s Collective Immunity solves this problem by detecting a virus from the community and instantly protecting all users against that virus.