Comments on: Kneber for sale or rent (rooms to let 50 cents)* http://countermeasures.trendmicro.eu/kneber-for-sale-or-rent-rooms-to-let-50-cents/ Trend Micro’s Rik Ferguson blogs about current security issues. Thu, 02 Feb 2012 11:11:25 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Kneber for sale or rent (rooms to let 50 cents)* | Business Computing World http://countermeasures.trendmicro.eu/kneber-for-sale-or-rent-rooms-to-let-50-cents/comment-page-1/#comment-4268 Kneber for sale or rent (rooms to let 50 cents)* | Business Computing World Wed, 07 Apr 2010 15:16:11 +0000 http://countermeasures.trendmicro.eu/?p=1790#comment-4268 [...] Link to the original site [...] [...] Link to the original site [...]

]]> By: Kneber disponível para venda ou aluguer no mercado negro | WebSegura.Net http://countermeasures.trendmicro.eu/kneber-for-sale-or-rent-rooms-to-let-50-cents/comment-page-1/#comment-4146 Kneber disponível para venda ou aluguer no mercado negro | WebSegura.Net Sat, 20 Feb 2010 23:13:15 +0000 http://countermeasures.trendmicro.eu/?p=1790#comment-4146 [...] o artigo da TrendMicro, milhares desses computadores infectados são em redes corporativas. Ler [aqui]. [...] [...] o artigo da TrendMicro, milhares desses computadores infectados são em redes corporativas. Ler [aqui]. [...]

]]> By: Rik Ferguson http://countermeasures.trendmicro.eu/kneber-for-sale-or-rent-rooms-to-let-50-cents/comment-page-1/#comment-4144 Rik Ferguson Fri, 19 Feb 2010 21:22:27 +0000 http://countermeasures.trendmicro.eu/?p=1790#comment-4144 Hi Tim, Thanks for the comment, that's exactly the point I am making, it is relatively trivial for a criminal to test their malicious binaries until they are no longer detected, by any vendor, before release. In fact there are criminal services that do this on an automated basis. Obviously once infected most "good" malware will blackhole security vendor sites. That is why it is important that serious anti-malware products do not simply focus on the file content but look at other vectors as well such as download sources, email sources and phone home activity. Pattern-based detection offers baseline protection, at best. This rolls over into a bigger discussion around testing methodologies for security products. If you take a big pool of sample files and run each product against them, this no longer (with advanced solutions like OfficeScan) gives you any idea at all about whether or not you would have been protected by that vendor. Would you have received the malicious email that contained the malicous link or file or would it have been blocked? If you had clicked the malicious link would you have been allowed to access the site or would it have been blocked? If you did get infected, would the bot have been able to phone home to process updates or send all the stolen data out? These are challenges that need be addressed in the exposure layer, NOT just in the infection layer. Cheers, Rik Hi Tim,

Thanks for the comment, that’s exactly the point I am making, it is relatively trivial for a criminal to test their malicious binaries until they are no longer detected, by any vendor, before release. In fact there are criminal services that do this on an automated basis. Obviously once infected most “good” malware will blackhole security vendor sites. That is why it is important that serious anti-malware products do not simply focus on the file content but look at other vectors as well such as download sources, email sources and phone home activity. Pattern-based detection offers baseline protection, at best.

This rolls over into a bigger discussion around testing methodologies for security products. If you take a big pool of sample files and run each product against them, this no longer (with advanced solutions like OfficeScan) gives you any idea at all about whether or not you would have been protected by that vendor. Would you have received the malicious email that contained the malicous link or file or would it have been blocked? If you had clicked the malicious link would you have been allowed to access the site or would it have been blocked? If you did get infected, would the bot have been able to phone home to process updates or send all the stolen data out? These are challenges that need be addressed in the exposure layer, NOT just in the infection layer.

Cheers,
Rik

]]> By: Tim http://countermeasures.trendmicro.eu/kneber-for-sale-or-rent-rooms-to-let-50-cents/comment-page-1/#comment-4143 Tim Fri, 19 Feb 2010 19:14:20 +0000 http://countermeasures.trendmicro.eu/?p=1790#comment-4143 As part of routine analysis for this project, we submitted the malware to various sites for detection. Trend Micro was not able to detect it. This particular variant is detected by Trend Micro today, however many of the most popular AV vendors update sites were blackholed in the period between infection and signature availability. http://www.networkforensics.com/2010/02/19/kneber-update/ As part of routine analysis for this project, we submitted the malware to various sites for detection. Trend Micro was not able to detect it. This particular variant is detected by Trend Micro today, however many of the most popular AV vendors update sites were blackholed in the period between infection and signature availability.

http://www.networkforensics.com/2010/02/19/kneber-update/

]]>