Spyware and Adware Information

Kaspersky Targets Mobile Malware

PDAStreet.com
By James Miller
June 29, 2005

The advent of smartphone viruses and Trojans means your smartphones and PDAs, the data on them, and the enterprises they are connected to are no longer as safe as they once were.

With that in mind, security vendor Kaspersky Lab has updated its handheld protection suite to version 5.5, adding a new user interface among other improvements to the cross-platform application.

Kaspersky Security for PDA ($15.95) supports Windows Mobile handhelds and smartphones plus Palm platform devices.

The company says the upgrade delivers better virus detection and disinfection than before, with an antivirus database that you can set to download automatically onto your handheld as it is updated. A new antivirus monitor tracks application activity in real time—in internal memory and on expansion cards—to prevent malicious code from executing. Encryption is leveraged as an added layer of protection.

Antivirus vendors discovered the first mobile malware in the wild last June. Since then, a lot more—mostly targeted at Symbian smartphones—has been set loose on the wireless community.

As Kaspersky Lab Senior Technology Consultant Shane Coursen pointed out to PDAStreet, “Since the discovery of Cabir one year ago, there are now close to 100 malicious programs targeting PDAs and smartphones. Today’s mobile operating systems are very insecure and users must protect themselves as mobile devices gain wider acceptance and become targeted by the hacker community in the same way that PCs are today.”

The Cabir virus finally found its way to the U.S. back in February. The original virus, Cabir.A, had been spreading in the wild throughout Europe and Asia since its writer posted variants on a Web page last June.

It was capable of spreading from smartphone to smartphone, but only once per reboot, which effectively limited the possibility of a widespread outbreak. Subsequent variants are not subject to the reboot restriction, however, and may spread to as many phones as are within range.

Mobile Malware Highlights

June 2005: Skulls.L worm is capable of disabling smartphone features by deactivating messaging, net access and other applications. Once this occurs the application icons on the phone are replaced with pictures of skulls.

March 2005: The first virus to spread itself through Multimedia Message Service (MMS) messages is discovered. CommWarrior.a sends itself to Symbian Series 60 phones anywhere in the world by piggybacking on an MMS message.

January 2005: Gavno.a hits handsets hard. This malware severely disrupts the functioning of a Symbian phone to the point where the handset can no longer make calls. Earlier threats (e.g. Skulls, Cabir, and Gear) only affected higher-level systems. It uses a technique similar to the previous month's SEXXXY malware, which disabled just one button on a phone.

A second version of Gavno, Gavno.b, features a slightly larger install file to bundle a copy of the Cabir and Camtimer Trojans. As a result, Cabir attempts to send a copy of Gavno and Camtimer to other nearby Symbian phones via Bluetooth.

December 2004: New variants of the Cabir virus (one of the first mobile viruses), Cabir.H and Cabir.I, fix a flaw that slowed the previous Cabir malware from spreading rapidly. The original Cabir, dubbed Cabir.A, moved to only one new phone with each reboot. The newer versions do not have the same restriction, and appear capable of spreading to an unlimited number of phones per reboot.

METAL Gear.a encourages smartphone users to install it by masquerading as the Symbian version of the popular Metal Gear Solid game. The Trojan is the first malware to target Symbian security software, disabling specific anti-virus and file-browsing applications.

November 2004: Skulls, at the time a relatively low-impact but threatening virus, pops up on some Symbian OS smartphones. The malware, which overwrites application information and icon files (AIF) on the device's C: drive with a skull-and-crossbones icon, was found at some Symbian shareware download sites under the filenames "Extended Theme Manager" and "Tee-222" as a Symbian OS Installer file (.sis).

August 2004: The first Trojan aimed at Symbian smartphones turns up embedded in a cracked (illegal) edition of Ojom's game Mosquito. So the only way to become infected with Mosquito was to knowingly or unwittingly download illegal software.

Mosquito is activated when you launch the pirated game. It then copies itself to the system/apps/Mosquitos/ folder on the smartphone and sends premium-rate SMS messages in the background while the game is being played.

A few days later...

The saga of the first Trojan Horse for Symbian smartphones takes a twist worthy of Homer's epic poem the Iliad, as it becomes apparent that the perpetrator is the developer of the infected game itself. Ojom placed the Trojan in the game Mosquito as a form of copy protection.

So if a "cracked" or illegal version of the game was created, or Mosquito was played on an unregistered smartphone, the Trojan silently dialed a specific number in the background—sending an SMS message notifying the company. Although it worked as planned, it backfired too, as a number of legitimate users were affected.

A Trojan aimed at Pocket PCs, called Backdoor.Brador.A or WinCE.Brador, appears, and is received by victims as a disguised e-mail attachment. When launched, the malware lets its creator control the infected Pocket PC and all the data on it the next time the user connects to the Web. Specifically, the backdoor identifies the device's IP (Internet Protocol) address and sends that information to the virus developer.

June/July 2004: The first two known cases of malware for mobile devices—one for Symbian smartphones and the other for Pocket PC PDAs and phones—appear a little over a month apart. Members of 29A, an international group of programmers that specializes in "proof-of-concept" viruses, develop both.

So EPOC.Cabir (Symbian) and WinCE.Dust (Pocket PC) were developed not to create havoc but to prove that malicious code for handhelds could be written.

First comes Cabir in June, which is disguised as the Caribe Security Manager utility—part of a Symbian smartphone's security software. When launched, the worm makes the smartphone's screen display the inscription Caribe.

The worm then penetrates the system and is activated each time you start your phone. It also scans for other phones over Bluetooth in order to send out copies of itself. The mobile Trojans that followed appear to be based on this initial "proof-of-concept" creation.

Next comes WinCE4.Dust for Pocket PC handhelds and phones. The malware writer sends the virus only to anti-virus vendors, claiming that it, like EPOC.Cabir, was created to show that a Pocket PC virus could be developed and spread. Also, unlike malicious worms, WinCE4.Dust asks the handheld owner for permission before spreading itself.

Cell Phone Viruses: Real Risk or Heavy on Hype?
eWEEK.com
By Ryan Naraine

March 24, 2005

Last June, when anti-virus researchers reported the discovery of the first proof-of-concept cell phone virus, analysts and experts immediately predicted a coming wave of malware targeting high-end mobile devices.

Since then, the warnings have been coming fast and furious. According to the experts, the original proof-of-concept code quickly evolved into Cabir, a worm capable of bluejacking nearby cell phones running the Bluetooth-enabled Symbian Series 60 operating system.

Then came reports of mutants and Trojans and weekly warnings that the worm had spread to 17 countries around the globe. New reports that an underground virus-writing group called 29A had released the Cabir source code pushed the story onto the pages of the mainstream press, prompting anti-virus vendors to roll out plans to combat the threat.

But not everyone is convinced that the risk is high enough to justify the investments. On security discussion forums, there have even been suggestions that research firms are overblowing the threat to create an artificial market for cell phone anti-virus software.

"A lot of this is hyped to create a market that doesn't exist," said Neil MacDonald, group vice president and research director at Gartner Inc. "The market will exist eventually because the devices are becoming more powerful, but the threat today is minimal and overblown."

Gregg Mastoras, senior security analyst at Mass.-based Sophos Inc., echoed MacDonald's thinking. "We're not trying to be prognosticators and say mobile viruses will never be a big threat. But right now, it isn't and shouldn't be something an enterprise administrator should worry about. The level of the threat does not warrant all the headlines," Mastoras said in an interview with eWEEK.com.

Sophos has no immediate plans to create—or market—anti-virus software for cell phones, but rival companies insist that there is a legitimate market to be served.

One such company is Kaspersky Lab, the well-known Russian anti-virus company that recently opened shop in the United States. "Malware for smart phones is now evolving, and seems likely to become a growing threat as smart phones gain popularity," the company said in a statement announcing the launch of a beta anti-virus product for Symbian-powered cell phones.

Kaspersky's beta is likely to evolve into a paid product, much like F-Secure Corp.'s Mobile Anti-Virus software that promises "real-time on-device protection with automatic, over-the-air antivirus updates."

Symantec Corp., Trend Micro Inc. and McAfee Inc. also have invested in mobile anti-virus products. Steve Orenberg, a former Sophos executive who now runs Kaspersky's U.S. unit, defended the company's push into the mobile anti-virus market. "Our philosophy is to be prepared. There is evidence that this will become a big problem, and we are positioning ourselves to be ready with a product," Orenberg said.

He dismissed suggestions that Kaspersky was a party to overblowing the risk. "We're not telling people that they're currently at severe risk. Compared to other problems with malware, the cell phone issue is not a high-priority issue right now. But if this problem were to accelerate like we think it will, we will be ready with a solution.

"The threat is there. It's up and coming and it's in the wild. There's no sense in waiting for something bad to happen to be able to react."

Gartner's MacDonald was blunt in his assessment of the immediate risk. "I haven't had any clients call up asking for advice on dealing with a cell phone virus problem. And I don't know anyone in the real world who has been affected," he told eWEEK.com.

If and when cell phone malware becomes a legitimate threat, MacDonald said he thinks the anti-virus vendors should focus their investments in a different direction.

"They are trying to replicate the desktop anti-virus model to the handset devices, and I don't think that's an efficient way to address the problem," he said.

"The place where this threat should be addressed is at the network level. With handsets, the only way malware can get to the device is to go through the network. It would be more efficient and effective to have the wireless service providers do the scanning within the network," MacDonald said.

Sophos' Mastoras downplayed the threat entirely. "When you read the alerts and the news stories, you get the impression that virus infections are happening every day. That's just not true. We don't think it's the threat it's been made out to be," he said.

"We just don't see the market demand or need for it at this moment," Mastoras added. "There are more pressing security issues that folks should be concerned about."

Does the US Need Another Anti-Virus Company?
BusinessWeek Online
By Steve Hamm
July 8, 2005

Between them, Symantec, McAfee, and Trend Micro just about have the US market for anti-virus software sewn up. But here comes Russia's Kaspersky Lab trying to gain a foothold. The Moscow-based company opened a sales office outside of Boston in February and has signed up about 40 resellers. Its target: small and medium-size businesses. So, why does the US need another anti-virus company? The answer: speed. Kaspersky reacts quicker than the giants to new viruses and other forms of malware, and gets fixes out fast.

The numbers are impressive. According to research done by AV-Test.org Research Group, a German outfit, Kaspersky is the only significant AV player that gets out fixes in an average of less than four hours after viruses are spotted in the wild. Trend Micro does it in seven hours, and it takes Symantec and McAfee an average of more than 12 hours. Kaspersky wins for two reasons: its researchers use a lot of automation to detect and diagnose outbreaks, and it issues fixes with amazing frequency--an average of more than 600 per month. For comparison, Symantec puts out updates about once a day, and Trend Micro and McAfee do it even less often, according to AV-Test.org.

Speed matters. Hackers have become so expert at mass-distributing malware, and at quickly sending out new variants, that their missives can quickly overwhelm the ability of individuals and companies to defend themselves. The shift from amateur to criminal in the hacker community makes speed of response essential. "A virus used to be a pain in the neck, but you weren't going to be robbed. Now, if you're vulnerable for even a few hours, you can lose a lot of money," says Stephen Orenberg, president of Kaspersky's US subsidiary.

I'm fascinated with the idea of Russian computer brainiacs working away in our defense while we're sleeping, and Orenberg didn't disappoint me. He described the Moscow office, where Kaspersky's "woodpeckers"--the T-shirted young men who spot viruses and come up with antidotes--crouch over their computers in the wee hours of the morning. "The energy they give off would give you a sunburn," he says.

If Kaspersky starts gaining momentum in the US, Symantec, McAfee, and Trend are the ones who will get burned.

Triple-Barreled Trojan Attack
eWEEK
By Ryan Naraine
June 4, 2005

Kaspersky Labs--- Anti-virus researchers are sounding the alert for a massive, well-coordinated hacker attack using three different Trojans to hijack PCs and create botnets-for-hire.

The three-pronged attack is being described as "unprecedented" because of the way the Trojans communicate with each other to infect a machine, disable anti-virus software and leave a back door open for future malicious use.

"This is so slick, it's scary," said Roger Thompson, director of malicious content research at Computer Associates International Inc. "It clearly points to a very well-organized group either replenishing existing botnets or creating new ones."

According to Thompson, the wave of attacks starts with Win32.Glieder.AK, dubbed Glieder, a Trojan that downloads and executes arbitrary files from a long, hard-coded list of URLs.

Glieder's job is to sneak past anti-virus protection before definition signatures can be created and to "seed" the infected machine for future use. At least eight variants of Glieder were unleashed in a single day, wreaking havoc across the Internet.

On Windows 2000 and Windows XP machines, Glieder.AK attempts to stop and disable the Internet Connection Firewall and the Security Center service, which was introduced with Windows XP Service Pack 2.

The Trojan then quickly attempts to connect to a list of URLs to download Win32.Fantibag.A (Fantibag) to spawn the second wave of attacks.

With Fantibag on the compromised machine, Thompson said the attackers can ensure that anti-virus and other protection software is shut off. Fantibag exploits networking features to block the infected machine from communicating with anti-virus vendors. The Trojan even blocks access to Microsoft's Windows Update, meaning that victims cannot get help.

Once the shields are down, a third Trojan called Win32.Mitglieder.CT, or Mitglieder, puts the hijacked machine under the complete control of the attacker.

Once the three Trojans are installed, the infected computer becomes part of a botnet and can be used in spam runs, distributed denial-of-service attacks or to log keystrokes and steal sensitive personal information.

A botnet is a collection of compromised machines controlled remotely via IRC (Internet Relay Chat) channels.

According to CA's Thompson, the success of the three-pronged attack could signal the end of signature-based virus protection if Trojans immediately disable all means of protection.

"These guys have worked out that they can get past signature scanners if they tweak their code and then release it quickly. The idea is to hit hard and spread fast, disarm victims and then exploit them," Thompson said in an interview with Ziff Davis Internet News.

He said he thinks the attack, which used virus code from the Bagle family, is the work of a very small group of organized criminals. "There's no doubt in my mind we are dealing with organized crime. The target is to build a botnet or to add to existing ones. Once the botnets reach a certain mass, they are rented out for malicious use."

"There's a black market for infected computers. The bigger your botnet, the more money you can make," Thompson said. He said researchers tracking underground hacker activity had seen a price tag of about 5 cents per infected machine.

Assured Destruction
Red Herring
April 18, 2005

When a new strand of malicious code strikes the world's computers, no antivirus vendor launches a fix faster than Kaspersky Lab. Perhaps that's because the company is housed in a Cold War temple consecrated to rapid response: an ex-Soviet missile complex in Moscow.

Eugene Kaspersky, the company’s head virus researcher, founded the company in 1997 with his then-wife Natalya, who became CEO. The two started Kaspersky Lab at just the right time. The market for digital protection has grown to $11.6 billion per year, according to the Yankee Group.

Vendors all over the world have tackled the problem, and at least 37 antivirus products have hit the market. In this crowded pack, Kaspersky Lab has a reputation for delivering a strong product backed by cutting-edge antivirus innovation. The company has held its own against McAfee and Symantec, but will face its biggest challenge at the end of the year, when Microsoft enters the market.

In its Personal Security Suite, Kaspersky Lab offers firewall protection, antivirus, anti-spyware, and anti-spam. The company also sells corporate and small-business versions. Although this package is an industry standard, Kaspersky has taken the service aspects to their logical conclusion, getting its security updates out in an average of four hours, compared to the industry standard of about 10, say testers. And that speed can make a big difference, as virus writers increasingly design their malicious code to spread quickly and infect computers before antivirus programs receive pre-emptive updates.

The company has been way out in front of emerging threats in devices as diverse as mobile phones, PDAs, and even luxury cars. It was the first to investigate a vulnerability in the Bluetooth-enabled Lexus that opened the car to virus attacks. Kaspersky Lab has released antivirus software for both PDAs and Symbian smart phones to combat the proliferation of Bluetooth viruses like Cabir and Skulls.

But the best technology isn’t enough to stay competitive in digital security. On the business side, Ms. Kaspersky has pushed the company to expand globally. The firm now has more than 380 employees and offices in Moscow, the United Kingdom, Germany, France, the United States, and Japan. Ms. Kaspersky says the company is working to increase sales in China.

The company’s strong footing may not be enough to steel the company against Microsoft’s promised entry into the antivirus market. In February, the software giant bought Sybari Software, one of Kaspersky Lab’s partners, to prepare for an antivirus offering by the end of the year.

The Kasperskys don't seem particularly concerned. "Microsoft wants to understand what to do, so they're trying things," says Mr. Kaspersky. "I don't know what they'll do. They probably don't either…. We can expect Microsoft to make a system more secure than the one in use. But how easy will it be to use? It's a difficult balance."

Even if Microsoft’s future in the antivirus space is uncertain, there’s no doubt that the threat of hackers is here to stay. Kaspersky Lab has shown its ability to master the discovery of new threats and deliver speedy updates. It has moved to meet new, emerging threats in smart phones and expand into promising new markets like China.

The antivirus market will see more consolidation in the future, narrowing down the 37 products it supports today. Kaspersky Lab may yet follow the former tenants of its missile complex into oblivion, but expect the company to survive at least the first round of cuts.