Posts Tagged "variant"


SigFree Cerberus security software yields outstanding benefits

SigFree Cerberus v1.0 test results, including zero day malware testing, have just been released. Testing shows that Cerberus can detect malware and provides benefits to the user where other security software solutions cannot.

Tests using real life, zero day malware will tell whether security software provides benefits or not. DayZero Systems has just released testing performed during the final stages of development of SigFree Cerberus v1.0.

The conclusion is very clear. SigFree Cerberus found malware when other security software solutions could not. Cerberus delivers on its benefits.

SigFree Cerberus provides zero day protection against worms and other similar self-propagating and self-mutating malware, including many viruses. Cerberus does not require known signatures, so detection can occur before the malware spreads and causes costly damage, before it steals personal information, and before it uses system resources as part of a bot network.

A range of results were blogged recently. See a short summary at http://blog.dayzerosystems.com/2014/11/05/benefits/. This included two real life zero day events and one designed attack. There are links to more detailed reports. The designed attack was made with the popular test program, Metasploit, using the “sneaky attack” option.

The two real life malware examples are named fwkums and 5minut1. They are both infections that can install themselves simply by clicking on the wrong URL, image or email attachment.

The fwkums malware tested is a mutation of a prior infection. It’s very dangerous and can steal personal information as well as take over the computer. At the time of this test, only 9 of 53 other security software solutions could detect this new mutation, https://threatcenter.crdf.fr/?More&ID=418800&D=CRDF.Trojan.Spy-Generic.2557074387. SigFree Cerberus security software found the infection quickly.

The 5minut1 malware is an adaptive virus that behaves somewhat like a worm. It launches a full screen advertising window and can carry other payloads. By adaptive, we mean that it senses when an attempt is made to detect it and changes its behavior to try to evade detection. Since SigFree Cerberus does not require known signatures or behavior to detect the malware it targets, it found 5minut1 quickly. At the time, only 1 in 51 other malware detection software solutions could detect 5minut1, https://www.virustotal.com/en/file/12144360ede7a5fb8074e93e83d9e6cccad05148c2733ce5a7df46ee540952cb/analysis/1397402126/#additional-info.

The two above tests were successful. But testing of a security software solution like SigFree Cerberus is not complete without putting it up against “sneaky speed”.

Sneaky speed is often used to test networks. It challenges testers because it is designed to evade detection. It will change its behavior to avoid being found. But again, SigFree Cerberus found it quickly with its signature-free technology. Attempts at evasion are quickly thwarted by Cerberus.

The time has come for new thinking in internet security software and DayZero Systems is stepping up to the challenge. SigFree Cerberus v1.0 is the first in an arsenal of future signature-free applications to be released by DayZero Systems, the new leader in zero day threat protection. Cerberus does not protect systems from every type of malware. DayZero still recommends continued regular scans using Windows Security Essentials or, on Windows 8, use of Windows Defender.

SigFree Cerberus v1.0 comes with a free two week trial, just click: http://cerberus.dayzerosystems.com/download/. DayZero promotes safe computer use. After downloading, right-click on the file name in its folder, click Properties, and open the Digital Signatures tab. This confirms that the software comes from a trusted, certified source. The version 1.0 license is US$14.00 per computer on which it is installed, comes with all v1.0 upgrades, and is not time-limited. The license may be bought through Digital River by clicking http://cerberus.dayzerosystems.com/buynow-v1/.


Benefits accrue to anyone who installs Cerberus

Benefits! That is what everyone wants from any type of software. With Cerberus, some benefits are dramatically clear. Other benefits may be “behind the scenes”. But there is no question that everyone obtains benefits from SigFree Cerberus’s unique signature-free protection.

Benefits of Cerberus were confirmed in testing during its final development stages. We already reported on testing of the malware 5minut1. Cerberus found this malware at a time when Virus Total reported that only 1 out of 51 virus engines were able to detect 5minut1. The figure below contains the link to Virus Total for 5minut1:
(Figure: link to the Virus Total report for 5minut1, from the original post.)

You can also read more about this test on our blog at “5minut1.exe – zero day testing of Cerberus”.

We also reported on tests for fwkums. Fwkums is a very dangerous malware that can steal your personal information. It can also take control of your computer. At the time of our testing, only 9 out of 53 other detection engines could detect fwkums. You can also see that report on our blog at “fwkums – zero day testing of Cerberus”.

These tests demonstrated the benefits of Cerberus very well. Without needing signatures as the other detection engines do, Cerberus found both quickly. Cerberus found these dangerous programs. Picture this. Those bugs could have been on computers for months or years. The other detection engines could not find them until they caused damage. Someone finally saw the problem and found the source. Then the other detection engines could define signatures. Or, they could model the specific behavior of these infections.

But Cerberus needed none of that. Cerberus found these dangerous infections without knowing anything about them. Cerberus could have found them when they first gained entry to a computer! Those are the benefits of Cerberus!

Both of the examples mentioned above were designed to be evasive. This particular fwkums infection was a mutation. The 5minut1 infection was adaptive. It changed its behavior as it ran to try to evade detection. Both were quickly detected and neutralized by Cerberus. No damage was done by either infection. And Cerberus did this without known signatures or behavior patterns of these particular infections.

Another blog post had three manufactured scenarios using the popular Metasploit tools. These also made Cerberus’ benefits clear. All three were reported in our blog “Metasploit port scanning target for Cerberus”. But one of the most thrilling was blogged in detail in “Sneaky speed – why you need SigFree Cerberus”.

“Sneaky Speed” is a challenge. This scenario is adaptive to evade detection. Being adaptive, Sneaky Speed tests its boundaries. This way, it determines a threshold. It then scans below that threshold to avoid being detected. However, Cerberus detected and contained sneaky speed in only 125 milliseconds (0.125 seconds) after the start of the test. Nothing sneaky speed could do would convince Cerberus to let it go.
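The evasion described above, a scanner that learns a rate threshold and stays under it, is easiest to understand next to the kind of detector it is tuned to beat. The following is an added example written for this page; it is not DayZero's or Cerberus's code and says nothing about how Cerberus works. It runs one distinct-port counter over a constructed connection log with two configurations: a short window, which a slowed-down scan slips under, and a long window, which counts what a source has touched over half an hour and so catches it anyway. All addresses, timestamps and log lines are constructed.

```python
# Added example (not DayZero's or Cerberus's code): detecting a port scan that
# deliberately stays below a rate threshold. Every name, address and log line
# here is constructed for the illustration.
from collections import defaultdict
from datetime import datetime, timedelta

TARGET = "10.0.0.20"  # constructed host under test


def build_sample_log():
    """Constructed connection-attempt log, one line per attempt.

    Three sources contact TARGET:
      10.0.0.9  noisy scan: 40 distinct ports within 4 seconds
      10.0.0.7  "sneaky speed" scan: the same 40 ports, one every 15 seconds
      10.0.0.5  benign client: a few connections to ports 80 and 443
    """
    t0 = datetime(2014, 11, 5, 10, 0, 0)
    lines = []
    for i in range(40):
        ts = t0 + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.9 -> {TARGET}:{1 + i}")
    for i in range(40):
        ts = t0 + timedelta(seconds=15 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.7 -> {TARGET}:{1 + i}")
    for i, port in enumerate([80, 443, 80, 80, 443]):
        ts = t0 + timedelta(seconds=60 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 -> {TARGET}:{port}")
    return lines


def parse_line(line):
    """'<ISO timestamp> <src> -> <dst>:<port>' -> (timestamp, src, dst, port)."""
    ts_text, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts_text), src, dst, int(port)


def distinct_port_detector(events, window_s, max_ports):
    """Flag a source that touches more than max_ports distinct ports on one
    destination inside any window of window_s seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))
    window = timedelta(seconds=window_s)
    flagged = set()
    for (src, _dst), hits in by_pair.items():
        hits.sort()
        for i, (start, _port) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) > max_ports:
                flagged.add(src)
                break
    return flagged


def rate_detector(events):
    """Short window: the rate threshold a slow scan is tuned to stay under."""
    return distinct_port_detector(events, window_s=10, max_ports=10)


def cardinality_detector(events):
    """Long window: counts what a source has touched over half an hour, so
    slowing down does not help the scanner."""
    return distinct_port_detector(events, window_s=1800, max_ports=20)


if __name__ == "__main__":
    events = [parse_line(line) for line in build_sample_log()]
    print("rate-based  :", sorted(rate_detector(events)))         # ['10.0.0.9']
    print("cardinality :", sorted(cardinality_detector(events)))  # ['10.0.0.7', '10.0.0.9']
```

The two detectors share one counting routine; only the window differs. The 15-second spacing of the constructed sneaky scan never puts more than one new port inside the 10-second window, so the rate-based configuration sees nothing, while the 30-minute window accumulates all 40 ports. The benign client touches only two ports and is not flagged by either.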

This demonstrates the validity and benefits of Cerberus’ signature-free approach! We suggest you give the free two week trial a go. Links are below.

To begin the download of your free two week trial of Cerberus, simply click http://cerberus.dayzerosystems.com/download/. Or you can find download links on our Landing Page. License sales are exclusively through Digital River and you can go to their MyCommerce site to buy a license by clicking on http://cerberus.dayzerosystems.com/buynow/.

fwkums – zero day testing of Cerberus

fwkums – This is a zero day test for Cerberus. This test demonstrates that Cerberus can find new zero day threats where others could not.

fwkums is a good example of Cerberus’ unique protection. Remember, when new threats are found, they may have been installed on many, many computers for a very long time. Sometimes, this period is only months. Sometimes, it has been years until the active threat has been identified.

This type of testing shows that Cerberus can find these very destructive threats long before other types of threat protection software. This is because Cerberus is signature-free.

We’re going to tell you the download site for fwkums. Why? It’s important in verifying that this was a new variant. This new variant carried and planted slightly different, but known, variants of a trojan and a virus. We’re going to replace some letters of the url with xxx in three places so it cannot be accidentally triggered, or copied and pasted in a browser: hohidukxxx.mizubasxxx.xxx/fwkums.

WARNING: fwkums and its payloads are very dangerous malware. They can steal your personal information, alter settings on your computer, and take control of your computer.

The fwkums testing was run on May 16, 2014. Original Virus Total data is not available directly but the French threat center CRDF listed fwkums as first added to the database on May 15, 2014 (click the figure below to go to the CRDF page).
(Figure: CRDF Threat Center entry for fwkums, linked from the original post.)
The CRDF Threat Center also retained a snapshot of Virus Total on May 15, 2014 showing that only 9 out of 53 security programs had definitions for this variant.

The download of fwkums.exe was not flagged by Microsoft Security Essentials. Immediately after the download, the process ovtoso.exe is installed, starts to scan, and attempts to contact outside URLs. Microsoft Security Essentials also did not flag this install and did not detect this process’ activity. However, on a reboot, early April 2014 variants of Trojan:WinNT/Necurs.A and PWS:Win32/Zbot.gen!GO are found and are also active. A Microsoft Security Essentials scan does later find these two files. Note that we only mention Microsoft because that is the only threat protection we checked. Remember again that it was not only Microsoft that did not find this particular variant upon installation. Only 9 of 53 solutions were able to detect this variant at the time of this testing.

Keep in mind that if this variant was actually first installed on systems three months before this date, Cerberus would have still found it. No others would have been able to identify fwkums.

Cerberus contains fwkums activity through three contain and relax cycles. Fwkums significantly decreases its activity and the processes are not quarantined. If fwkums should restart its activity, Cerberus would contain it again. Even if fwkums changes its identity, we would still expect Cerberus to find it.

Cerberus detected the fwkums process when most other solutions could not!

To begin the download of your free two week trial of Cerberus, simply click http://cerberus.dayzerosystems.com/download/. License sales are exclusively through Digital River and you can go to their MyCommerce site to purchase a license by clicking on http://cerberus.dayzerosystems.com/buynow/.

Rongvhin.C – Development stage test results

The Rongvhin family of malware is a trojan, sometimes referred to as a virus. It is not one that we were designing Cerberus to catch: while it is a pest and difficult to remove, it is not that dangerous, at least relative to others. It is also not a worm and is not known to self-propagate.

The version tested, Rongvhin.C, was discovered in October 2013. We performed this testing on March 18 2014. We knew mostly what to expect and this was not a test to determine how Cerberus performed with zero day malware. Rongvhin.C is most correctly described as a trojan but also often discussed as a virus.

Rongvhin’s main purpose seems to be to generate reputation and Google rankings for certain ads, websites or software downloads for its authors or their customers. Rongvhin.C may also change the blocked and allowed sites set on your computer. This can be rectified by returning to the default values. You can read more about the Rongvhin family and Microsoft’s suggested manual removal method at http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanClicker%3aWin32%2fRongvhin.C#tab=1.

We installed TrojanClicker: Win32/Rongvhin.C from the file H_LOADER.exe. This installed the files miniads.exe, miniads2.exe, miniads3.exe and adsminirun.exe. This is where the name confusion enters: while Rongvhin.C is a trojan, the executables it installs behave as viruses.

During our testing, miniads.exe and miniads3.exe were the only ones to become active. Miniads.exe did not display malicious activity but tried to send several messages. Miniads3.exe would try to send out messages about every 8 minutes, and SigFree Cerberus would contain it. If it is not contained, it sends messages for about 2 minutes, then goes dormant for 8 more minutes, and then repeats the cycle. Cerberus contained it, meaning that Cerberus stopped its messages from being launched onto the web.
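The burst-then-dormant pattern described above (a couple of minutes of messages, then a quiet period, repeated) is the kind of behaviour a defender can flag from timing alone, without a signature for the file. The following is an added example written for this page, not DayZero's or Cerberus's code, and it does not describe how Cerberus makes its decision. It groups a process's outbound connection attempts into bursts and flags the process when the gaps between bursts are nearly constant. The log lines, the destination addresses and the benign process name browser.exe are constructed; only the process name miniads3.exe comes from the page.

```python
# Added example (not DayZero's or Cerberus's code): spotting a process whose
# outbound connection attempts come in bursts at a regular interval, as the
# page describes for miniads3.exe. The log lines, the browser process name and
# the addresses are constructed for the illustration.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample_log():
    """Constructed per-process outbound connection log."""
    t0 = datetime(2014, 3, 18, 9, 0, 0)
    lines = []
    # miniads3.exe: four bursts, ten minutes apart; each burst is six attempts
    # spread over two minutes (one every 20 seconds), then silence.
    for burst in range(4):
        start = t0 + timedelta(minutes=10 * burst)
        for k in range(6):
            ts = start + timedelta(seconds=20 * k)
            lines.append(f"{ts.isoformat()} miniads3.exe -> 203.0.113.10:80")
    # browser.exe (hypothetical benign process): irregular, user-driven traffic.
    for offset in (12, 95, 130, 600, 640, 1900, 1930, 2100):
        ts = t0 + timedelta(seconds=offset)
        lines.append(f"{ts.isoformat()} browser.exe -> 198.51.100.7:443")
    return lines


def parse_line(line):
    """'<ISO timestamp> <process> -> <dst>:<port>' -> (timestamp, process)."""
    ts_text, process, _arrow, _dest = line.split()
    return datetime.fromisoformat(ts_text), process


def burst_starts(timestamps, burst_gap_s):
    """Collapse attempts separated by less than burst_gap_s seconds into one
    burst and return the start time of each burst."""
    starts = []
    previous = None
    for ts in sorted(timestamps):
        if previous is None or (ts - previous).total_seconds() >= burst_gap_s:
            starts.append(ts)
        previous = ts
    return starts


def find_periodic(events, burst_gap_s=120, min_bursts=3, max_cv=0.1):
    """Return {process: period_seconds} for processes whose bursts recur at a
    near-constant interval (coefficient of variation of the gaps <= max_cv)."""
    by_process = defaultdict(list)
    for ts, process in events:
        by_process[process].append(ts)
    periodic = {}
    for process, timestamps in by_process.items():
        starts = burst_starts(timestamps, burst_gap_s)
        if len(starts) < min_bursts:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_cv:
            periodic[process] = period
    return periodic


if __name__ == "__main__":
    events = [parse_line(line) for line in build_sample_log()]
    print(find_periodic(events))  # {'miniads3.exe': 600.0}
```

In the constructed log the four miniads3.exe bursts start exactly 600 seconds apart, so the gaps have zero spread and the process is reported with a 600-second period. The browser's bursts are 588, 1300 and 200 seconds apart, far above the 10% spread allowed, so it is left alone. A real deployment would tune burst_gap_s and max_cv to the environment and would treat a hit as a lead for analysis rather than as proof of infection.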

(Figure: Rongvhin.C test screenshot from the original post.)

Cerberus did not quarantine. Cerberus can control the Rongvhin.C programs by simply containing them when they attempt to send messages. Through Cerberus’ actions, you may determine that you want to remove the infection from your computer. But even if you choose not to do so, Cerberus will still be protecting you. Cerberus will continue protecting even if Rongvhin.C mutates or is changed into a new variant that other programs cannot protect against. Cerberus does not need known signatures!

As with Sirefef discussed in a prior blog entry, this was a test at an early stage of development before all features were installed and the program optimized. We consider this test a success! SigFree Cerberus protected the computer from the effects of the Rongvhin.C trojan and rendered its objects useless to complete their tasks!

Home Depot – Prevention versus Detection

We’re all awaiting the forensics reports with bated breath.

It’s a tragedy for the 56 million affected individuals in this, the largest retail breach yet. And we don’t yet know the facts from forensic analysis. Despite the blame being laid on antiquated systems and protection at Home Depot, it still raises the question: do we put too much attention on prevention and not enough on detection of what is already embedded in company systems?

The New York Times reported former employees attesting that “the risks were clear to computer experts inside Home Depot. The home improvement chain, they warned for years, might be easy prey for hackers.” But how did they reach this conclusion? Through vulnerability analysis? By running regular scans? Did they have state-of-the-art detection tools, not signature-based tools, to really assess threats already present?

The initial reports seem to indicate that these are valid points, but again, we must await the forensic reports before making judgments.

That same NYT article stated that “Company officials said the malware used against Home Depot had not been seen before and would have been difficult to detect”. But the difficulty of detection depends on whether you’re using the right tools, doesn’t it?

Both of those points seem to be drawing some corroboration. Brian Krebs called the malware that hit Home Depot a new “variant of the malware that was used against Target”. And, in a Times article, Krebs was quoted as saying, “Are we spending most of our money on trying to keep the bad guys out or trying to detect as soon as possible when the bad guys get in?”. That same article brings up the point, “There are two types of companies: those that have been breached and those that don’t know they’ve been breached yet.” In other words, those who do not know they have been breached yet are not using the right detection tools for the job.

We bring up all these points because we have a similar view. Too much is spent on prevention at the expense of detection. It’s possible that this malware at Home Depot was on their system for years. Time and time again, we see that breaches are the result of malware that has evaded detection for many months, if not years. And we’re facing zero day malware plus new variants of older software every day. Signature based detection is just not the solution anymore.

DayZero’s SigFree Cerberus, our soon to be released client app, is directed specifically at this type of malware. It is signature-free and designed for detection of variants, including self-mutating as well as self-propagating ones. It is designed for the type of malware that may already be resident in thousands of other retailers’ systems right now! Think about it!