Jul 3rd

Security Information and other random rants!

Posted by: Jacques Erasmus


Welcome, I’m Jacques Erasmus – I run Prevx Malware Research. My team and I will post on this blog about things we find interesting, obscure and downright crazy. Let’s start off with something ‘interesting’.

Alexa 30th June 2007

  • SpyDawn.com
  • SpyLocked.com
  • SpyCrush.com
  • VirusProtectPro.com

(Orange dots indicate tail-off points)

Let’s look at the above Alexa graph. Many might argue that these numbers are not accurate, and I’d agree to a certain extent, but viewed in general terms they can be very useful. What I’d like to point out here is that Security Information can be of great use to both security professionals and malware writers. Let’s break it down...

1. SpyDawn

SpyDawn started in early February this year and within days had massive reach, utilizing the Zlob codec downloads seeded on thousands of highly trafficked porn sites. This growth continued for about a month, infecting around 20000 users (estimated) a day. Once there was decent antivirus detection for this infection it tailed off, and at this point it can be assumed that the authors had accurate metrics about their user base and new user acquisitions. As the proverbial steam ran out, it was quickly replaced with a new site.

2. SpyLocked

Starting off with a bang, SpyLocked quickly gained a lot of momentum and at its peak infected nearly twice as many PCs as SpyDawn did. This suggests that the authors increased the number of affiliates and the rate of codec production. Again, just after the start of June the numbers started to tail off, and it was time for a replacement.

3. SpyCrush

Enter SpyCrush. It seems this one wasn’t too popular, maybe because of the colour scheme of the GUI? Who knows; it didn’t last long before being replaced, as of two days ago, by VirusProtectPro.

4. VirusProtectPro

On Saturday (30 June 2007) morning we discovered the latest in the Zlob family, a new reincarnation called VirusProtectPro. There is not much data yet on this one, but we can already see an impressive rise in adoption. From the Prevx Community Database we can tell that 223 new agents have seen this file so far in various areas around the globe.


The question of course is: how do these threats manage to keep infecting so many people? Well, the answer is simple really. Porn - oh yes! - the financial cornerstone of the internet. The main spreading mechanism of these threats is rogue codecs, as you will see in the video below. Seeded on affiliated porn sites throughout the internet, these threats target a very wide audience. However, the really interesting thing here is that most users currently getting infected have antivirus products installed. How do we know this? Simple really... Security Information. Most products are capable of blocking things; that’s relatively simple. Where these products fail is in auditing capability: knowing exactly where something came from, how many nodes it infected, and at what times these actions took place.

As a security vendor, if you have real Security Information you will be able to protect better against such threats in future, and you will be able to tune your heuristics to develop a stronger set of rules that identify threats like these automatically.
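As an added example (not Prevx code and not the Prevx Community Database), the Python below runs a small audit over constructed agent reports and records the three things the previous two paragraphs say products need: where a file came from, how many nodes it infected, and when. It also derives per-day new-agent counts and the tail-off point that the orange dots mark on the Alexa graph above, using an assumed rule of "first day after the peak with fewer than half the peak's new agents". Agent ids, file identifiers, URLs and dates are all constructed sample data.

```python
from collections import defaultdict
from datetime import date, timedelta
from urllib.parse import urlparse

# Constructed sample telemetry, one row per agent report (not real data).
# Fields: agent id, file identifier (placeholder, not a real hash), download URL, date seen.
RECORDS = [
    ("agent-001", "FILE-A", "http://codec-site-1.example/codec.exe",   date(2007, 6, 30)),
    ("agent-002", "FILE-A", "http://codec-site-2.example/setup.exe",   date(2007, 6, 30)),
    ("agent-003", "FILE-A", "http://codec-site-1.example/codec.exe",   date(2007, 7, 1)),
    ("agent-004", "FILE-A", "http://codec-site-3.example/install.exe", date(2007, 7, 1)),
    ("agent-005", "FILE-A", "http://codec-site-1.example/codec.exe",   date(2007, 7, 1)),
    ("agent-006", "FILE-A", "http://codec-site-2.example/setup.exe",   date(2007, 7, 1)),
    ("agent-007", "FILE-A", "http://codec-site-1.example/codec.exe",   date(2007, 7, 2)),
    ("agent-008", "FILE-A", "http://codec-site-3.example/install.exe", date(2007, 7, 2)),
    ("agent-009", "FILE-A", "http://codec-site-1.example/codec.exe",   date(2007, 7, 3)),
    ("agent-001", "FILE-A", "http://codec-site-1.example/codec.exe",   date(2007, 7, 3)),  # repeat report
    ("agent-010", "FILE-B", "http://other.example/x.exe",              date(2007, 7, 2)),
]


def audit(records):
    """Build one audit entry per file: first/last seen, distinct agents (nodes),
    distinct source hosts, and how many agents reported the file for the first
    time on each day. A repeat report from the same agent is not a new node."""
    first_report = {}  # (file, agent) -> date of that agent's earliest report
    for agent, fid, _url, seen in sorted(records, key=lambda r: r[3]):
        first_report.setdefault((fid, agent), seen)

    out = {}
    for agent, fid, url, seen in records:
        entry = out.setdefault(fid, {
            "first_seen": seen, "last_seen": seen,
            "agents": set(), "sources": set(),
            "daily_new": defaultdict(int),
        })
        entry["first_seen"] = min(entry["first_seen"], seen)
        entry["last_seen"] = max(entry["last_seen"], seen)
        entry["agents"].add(agent)
        entry["sources"].add(urlparse(url).netloc)  # provenance: where it came from
    for (fid, _agent), seen in first_report.items():
        out[fid]["daily_new"][seen] += 1
    return out


def tail_off_day(daily_new, fraction=0.5):
    """Return the first day after the peak on which the new-agent count drops
    below fraction * peak (the assumed 'orange dot' rule), or None if it never
    does within the observed window. Days with no reports count as zero."""
    if not daily_new:
        return None
    peak_day = max(daily_new, key=lambda d: daily_new[d])
    peak = daily_new[peak_day]
    last_day = max(daily_new)
    day = peak_day + timedelta(days=1)
    while day <= last_day:
        if daily_new.get(day, 0) < fraction * peak:
            return day
        day += timedelta(days=1)
    return None


def summarize(records):
    """Flatten the audit into printable per-file counts plus the tail-off day."""
    result = {}
    for fid, entry in audit(records).items():
        tail = tail_off_day(entry["daily_new"])
        result[fid] = {
            "first_seen": entry["first_seen"].isoformat(),
            "last_seen": entry["last_seen"].isoformat(),
            "nodes": len(entry["agents"]),
            "sources": sorted(entry["sources"]),
            "tail_off": tail.isoformat() if tail else None,
        }
    return result


if __name__ == "__main__":
    for fid, info in summarize(RECORDS).items():
        print(fid, info)
```

The point of keeping per-agent first-report dates rather than raw report counts is that a chatty agent reporting the same file every day would otherwise inflate the "nodes infected" figure; the tail-off detector then works on genuinely new machines per day, which is the number a vendor would compare against the moment its own detection went live.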

Below is a video of VirusProtectPro infecting a fully up-to-date machine running Symantec’s Norton 360, also fully updated. Symantec’s product was chosen at random, but the results of the video would have been just the same with a host of products from different AV vendors. I think the key message here, and one that is starting to flow through to many consumers, is that traditional antivirus isn’t working as well as it should. More than likely, if you have come to this website, you are running another security product which has let you down. Let us know about your experiences, and you never know: if they are interesting, obscure or downright crazy, we may post them up on the blog!

** UPDATE **

Since this entry was posted to the blog, Symantec has notified us that VirusProtectPro is now detected by Norton360.


This video is also available on our YouTube Channel.
