Recently we seen one of our clients business computers become unstable and sluggish. A top rated antivirus program was installed but we found a lot of bugs, some embedded into system areas of Windows 7. We see plenty of malware on systems protected with antivirus from all the big vendors, but what makes this case interesting is this computer does not go on the internet other than intranet and LOB applications into a corporate system.
Our research pointed to a recent download of a free zip archiving program called jzip. The download was packed with potentially unwanted programs, a trojan, and programs identified as spyware.
We sought to identify the source of the packaged-up download and started at google with the search term “download jzip”. Various websites offered free download of the tool, including the popular download.com. Firstly, we setup a sandbox inside Windows 7 to contain any threat and stop it from interacting with the system, program data and files outside of the sandbox. Running the same antivirus as our client we downloaded the jzip program from various sources. Some direct links to jzip were malware free, others were not. The download from download.com was one of the worst.
Inside the sandbox we setup earlier we could see a range of installations going on, it wasn’t just jzip trying trying to install but a string of risky programs and bugs. Because we were in the safety of the sandbox we were able to terminate the processes easily. We took the jzip.exe file we downloaded from download.com over to www.virustotal.com to run a multi-engine analysis of the file. Here is a snippet of what was found packed into that small file.
Most antivirus programs did not detect any of the threats embedded in the jzip file, or partially detected the threats. The Bitdefender program rated by avcompatives.org with the highest detection rates in 2013 failed to prevent any of the risks in the jzip download.com file on our test machine. The standard method of detection is based around signatures or known and categorized badware, and this method is failing. The old technology is failing. As Dave Dewalt, the prior CEO of McAfee before McAfee was bought by Intel, was quoted in a New York Times article, “Antivirus products are not working right now. Companies are spending tens of billions of dollars of their money on a model that doesn’t work.”
People steal our money online and get away with it, law enforcement is failing. Malware hijacks our browsers with incredible ease. Millions of computers are infected with botnets, trojans, rogue malware, zero day malware, spyware, and the end user is often not aware of the infection other than warning signs of degraded performance. Even the downloaders of smiley faces from firms like funwebproducts (and it’s many other aliases) are unknowingly installing virus-like self replicating bugs which in this case tend to break network connections and have done for over a decade.
People put too much trust in their antivirus programs.
Because people generally associate big brand names like McAfee, Trend Micro, Symantec (Norton), with paying for something that works, these expensive programs are getting away with not doing what they are being paid to do every time a scan result returns a no threats detected message. Malicious and dangerous programs like botnets, backdoor trojans, keyloggers and spyware, are often happily coexisting alongside top brand name functional virus protection programs which are oblivious to the threats. Business and consumers will continue to buy antivirus that doesn’t work, it’s like the suspension of disbelief we see in movies, we sort of know our AV isn’t working but we continue to renew (read Michele Chubirka’s article Security Snake oil for sale at Network Computing).
Computing resources are being targeted at programs that consistently fail to detect even rudimentary rogueware programs like rogue antivirus or the Australian federal police rogue app (variations of the infamous vundoo malware) with a lock screen from installing and locking users out of their computers – but the reality is that it is user ignorance that is exploited. How many people downloaded the rogue AV after searching google for a free antivirus, a registry cleaner, a speed-up-my-internet program, and so on, or didn’t think updating java or the flash player was a good idea.
In the future next generation malware will be forwarded to your computer in non-sequential IP packets and reassemble itself like an army of ants. Next generation intrusion detection technology is going to replace legacy security programs, but users need to be educated about using the web.
Next Generation Technology
Some developers in next generation technology are looking at intrusion detection or blocking by default, and not on signature based or heuristic analysis. A computer virus or malware must be known to computer security before it can be recognized. This is known as zero day exploit.
I have been testing a product called Appguard from the Blue Ridge Networks startup in Virginia. There are others developing programs, firewalls, and cloud based security for internet browsers in the enterprise space, but so far there’s not that much around for end users, professionals, standalone computers in small business. These groups are considered soft targets by malware vendors.
Appguard is the security guard who doesn’t trust anyone. It will block any new app or program from launching unless Appguard is in install mode. This is where we are going to have a problem with users unknowingly installing bugs. When AppGuard is in install mode you are temporarily unprotected.
There is a degree of user overhead with this type of approach. It will block something from installing but it will not stop you from installing something you shouldn’t in the AppGuard install mode, and it will not scan your PC for malware, you need a good malware scanner to do that.
I’m not going to recommend AppGuard for everyday users at this point for the above reasons, and will wait to see what else is coming along in 2014. Keep your eyes on the blog! But I recommend stop wasting money on antivirus programs, download Microsoft’s MSE software, it’s as good as paid software and it’s free.
AppGuard is intrusion detection but is not a malware scanner.