Archive for November 2008

Phishing on the rise

The spam traps Avira uses to collect spam, phishing and malware from the Internet have recorded some interesting data, showing a change in the trends towards the end of this year.

As can be seen in the graphs below, there is a big increase in the level of phishing and a decrease in the level of malware over the last 3 months. The system which records these statistics was started and filled with data at the end of September, which is why we see such a big jump in the malware URLs at that point.

Phishing on the rise, malware down

From that point on, the number of phishing URLs increased steadily, reaching 45226 unique URLs (38.3%) at the end of November, and the tendency is to grow even further.

The malware URLs add up to 72833 unique URLs, representing 61.7% of the total entries.

The amount of phishing URLs is taking up a much bigger part in the meantime.

The exact distribution of phishing and malware from September 2008 until the end of November 2008 (the date of writing this article) can be seen in the graph below. The level of phishing is still growing steadily from October to November.

Development of the amount of phishing URLs in the past three months

Sorin Mustaca
Manager International Software Development

AMTSO – First documents published

In January 2008 representatives of Avira and more than 40 other security software technologists, testers, academics and reviewers came together to found the Anti-Malware Testing Standards Organization (AMTSO) in Bilbao, Spain.

The motivation for founding AMTSO was to help improve the quality and relevance of anti-malware testing. Since then, the members of AMTSO have had several meetings and a lot of things to discuss. The latest meeting took place in Oxford, UK on October 30/31 2008.

Picture from the AMTSO meeting in Oxford end of October.

For the first time, members agreed on guidelines and set recognized standards for testing security software. As a result, two documents are now available to the general public: “Fundamental Principles of Testing”, which reflects the basic principles for testing anti-malware products, and “Best Practice for Dynamic Testing”, which defines a standard for the dynamic testing of anti-malware products, a testing methodology that becomes more important every day.

The complete documents can be found at the homepage of AMTSO, http://www.amtso.org/.

Philipp Wolf
Viruslab

Phishing: Chase eBay

Since yesterday we have been monitoring a strange development. Usually, the top phishing targets are eBay and PayPal. But now phishing sites for the Chase bank are spreading very fast.

Weird incident: New no. 1 in phishing targets is the Chase bank.

There were spam runs with emails claiming that the Chase bank is conducting a survey concerning the financial crisis; additionally, those emails promise money for taking the survey.

Phishing-mails promise money for taking a survey - which is nothing less than a scam trying to phish the user data.

That survey is of course a fake, trying to phish the user data. Don’t follow the link in these emails, but delete such mails!

Dirk Knop
Technical Editor

Microsoft Windows, Firefox 3 Update and Spam

Firefox 3 Logo

The developers of the Mozilla project have just released an update for Firefox 3, bumping the version number to 3.0.4. The patch remedies 11 vulnerabilities, 4 of which are considered critical by the Mozilla developers. They may lead to the execution of injected code (such as a trojan), so please update as soon as possible.

Microsoft published 3 patches for critical weaknesses in its operating systems and Office solutions on November's Black Tuesday, which also may allow attackers to remotely take over users' machines. Two patches close holes in Microsoft's XML parser (XMLcore). Another update addresses a security problem which has been known for about 7 years now, a so-called SMB reflector attack: an attacker on a network sends back credentials which he sniffed earlier and gets access to the SMB client. Users and companies are well advised to install the patches soon.

Another story making the rounds in the media concerns an ISP from San Jose in the U.S., McColo. That ISP provided “bullet proof hosting”, which is often used for command-and-control servers of botnets. The two major internet carriers connecting McColo to the internet pulled the plug yesterday. Since then the spam rate on the net has dropped to half of the usual amount, sometimes even to 10%. Unfortunately, this won't last long, as the criminals are losing profit and will surely look for alternatives.

Dirk Knop
Technical Editor

Providing protection against malware and phishing URLs

Phishing, spam and malware have a couple of things in common: they have become a major problem for users, for banks and for online businesses, and they are delivered either as attachments or via URLs contained in emails. The AV industry tries to protect its customers as well as it can by gathering and analysing the emails with dangerous attachments and by blocking the URLs of phishing and malware websites.

Because the emails are so well crafted, it is sometimes not possible to mark them as spam, so they reach users' inboxes. Some of these spam emails spread malware. Nowadays, not only malware is a threat to users, but also phishing emails and websites which sell fake products (pharmaceuticals, for instance) that can be potentially dangerous as well.

The only solution to block access to the malware is to block the target URL in a generic way, without knowing for sure from the beginning the reason for which it is blocked. Such a powerful and dynamic system needs a very good control and monitoring center in order to remain maintainable.

Avira developed a system to manage, from a single point, the malware and phishing URLs gathered from multiple sources, to track the URLs in order to see whether they are taken down, to generate statistics for detecting outbreaks and to generate information that warns companies when they are targeted by phishing attacks.

Fig. 1: Architecture

The system is designed so that a new source of URLs can be added at any time (represented by the gray source with a „?“).

Fig. 2: Categories of URLs

As we can see, most of the URLs we block point to malware and only about a quarter point to phishing websites. These URLs are used to create updates for several Avira web filtering products, such as Webguard, a module of the „Avira Premium Security Suite“ product.

Features

One of the most important features of the system is the ability to find the registrar which is hosting the phishing or malware page. Once we find the registrar, we can find its location and create a world map of the sites hosting malware and phishing.

Fig. 3: World distribution of malware and phishing

As we can see in the figure, most of the threats are hosted in the U.S.A., followed by Europe. Other interesting statistics generated by the system are the list of the most attacked brands and the list of the providers hosting most of the files.

Fig. 4: Attacked brands (from September 2008)

In first place among the most attacked brands is eBay with 3277 unique phishing websites. In second place is PayPal with 2606 websites, and in third place, very close behind, is American Express with 2464 websites.

Fig. 5: Number of threats

Challenges

Since the end of September 2008, when the system was started, we encountered many challenges while creating it. The challenges were caused by the differences between the sources we use: the URLs detected by our own Antiphishing product, Phishtank, LCheck (an internal system dealing only with malware URLs) and Clean-MX (a system that deals with both phishing and malware URLs). The only thing these sources have in common is the fact that they provide a URL which should be blocked. Other challenges we faced are the errors and special situations these services produce: invalid data, lack of availability and false positives.

The system recorded about 100 new URLs at the beginning, which was not a great challenge for our hardware. The situation changed completely when we had to deal with almost 1000 unique URLs per day. These unique URLs are gathered from more than 20000 URLs which have to be verified and sorted. The server has to deal with these special situations and must also check the validity of the URLs by downloading each file in order to analyse and scan it.
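To make the "common denominator" of the sources concrete, here is an added example (not Avira's code) of the normalisation and de-duplication step that turns raw entries from several feeds into a set of unique URLs to block, rejecting invalid data along the way. The feed records, their field layout and the category counting are constructed for illustration; the source names are the ones listed above, but their real export formats are not shown in the article.

```python
from collections import Counter, OrderedDict
from urllib.parse import urlsplit, urlunsplit

# Constructed sample feed: (source, category, raw_url). The layout is an
# assumption for this example, not the real export format of any service.
SAMPLE_FEED = [
    ("antiphishing", "phishing", "http://Secure-Login.example.com/chase/index.php#top"),
    ("phishtank", "phishing", "http://secure-login.example.com:80/chase/index.php"),
    ("lcheck", "malware", "http://cdn.example.net/update.exe"),
    ("clean-mx", "malware", "HTTP://CDN.EXAMPLE.NET/update.exe"),
    ("clean-mx", "phishing", "http://secure-login.example.com/chase/index.php?sid=1"),
    ("phishtank", "phishing", "not a url at all"),          # invalid data from a feed
    ("lcheck", "malware", "ftp://files.example.org/setup.exe"),
]

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def normalize_url(raw):
    """Canonical form of raw, or None if it is not a blockable URL.

    Lower-cases scheme and host, drops the default port, user info and the
    fragment, keeps the query (a different query is a different resource).
    """
    parts = urlsplit(raw.strip())
    scheme = parts.scheme.lower()
    try:
        host, port = parts.hostname, parts.port
    except ValueError:            # e.g. "http://host:abc/" -> unusable port
        return None
    if scheme not in DEFAULT_PORTS or not host:
        return None
    host = host.rstrip(".")
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else "%s:%d" % (host, port)
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def dedupe(feed):
    """Merge feed entries by normalized URL; return (unique, rejected)."""
    unique, rejected = OrderedDict(), []
    for source, category, raw in feed:
        key = normalize_url(raw)
        if key is None:
            rejected.append((source, raw))
            continue
        entry = unique.setdefault(key, {"sources": set(), "categories": set()})
        entry["sources"].add(source)
        entry["categories"].add(category)
    return unique, rejected


def category_counts(unique):
    """How many unique URLs fall into each category (a URL may be in both)."""
    counts = Counter()
    for entry in unique.values():
        for category in entry["categories"]:
            counts[category] += 1
    return counts


if __name__ == "__main__":
    unique, rejected = dedupe(SAMPLE_FEED)
    print(len(SAMPLE_FEED), "raw entries ->", len(unique), "unique URLs,", len(rejected), "rejected")
    for url, entry in unique.items():
        print(url, sorted(entry["sources"]), sorted(entry["categories"]))
    print(dict(category_counts(unique)))
```

The seven constructed records collapse to four unique URLs; the two spellings of the same host and the explicit `:80` are the kind of variation that inflates raw feed counts far above the number of distinct resources.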

A real challenge was removing non-relevant URLs, such as those pointing to websites and malware files which no longer exist. Usually, when a web resource is no longer available, the webserver returns a special error (404). In order to be more user friendly, many websites no longer return this error but redirect to a special webpage informing the visitor that the requested resource is no longer there. Since the websites are very often hosted in non-English-speaking countries, parsing the webpage and looking for some known content is not really a solution.

Fig. 6: Answers provided by various websites

Fortunately, by analysing some of these websites, we figured out that they use some common “keywords” and “key sentences” explaining what is happening. Many of these are international words. We filter about 60% of the pages with this empirical technique.
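The 404-versus-redirect problem and the keyword heuristic from the last two paragraphs, as an added example that is not the system's own code: a classifier that decides, from an already downloaded response, whether a tracked URL can be retired, kept, or must be re-checked because the host was merely unavailable. The phrase list, the error-path pattern and the sample responses are constructed assumptions; the article does not publish the real keyword list.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Response:
    """What the downloader hands back after following redirects."""
    requested_url: str
    final_url: str
    status: int
    body: bytes


# Constructed phrase list (assumption): the real list is not in the article.
GONE_PHRASES = (
    "page not found", "not found", "does not exist", "no longer available",  # en
    "nicht gefunden", "existiert nicht",                                     # de
    "no encontrada", "no existe",                                            # es
    "introuvable", "n'existe pas",                                           # fr
    "non trovata", "non esiste",                                             # it
)
# Path fragments typical of the "friendly" error pages sites redirect to.
ERROR_PATH = re.compile(r"(404|not[-_]?found|error|missing)", re.IGNORECASE)


def classify(resp):
    """Return (verdict, reason); verdict is 'gone', 'live' or 'unknown'."""
    if resp.status in (404, 410):
        return "gone", "HTTP %d" % resp.status
    if resp.status >= 400:
        # 403/5xx: the host may just be flaky; keep the URL and re-check later
        return "unknown", "HTTP %d, retry" % resp.status
    req, fin = urlsplit(resp.requested_url), urlsplit(resp.final_url)
    moved = (req.netloc.lower(), req.path) != (fin.netloc.lower(), fin.path)
    if moved and ERROR_PATH.search(fin.path):
        return "gone", "redirected to %s" % fin.path
    # Soft 404: a 200 page whose text says, in some language, that nothing is here
    text = resp.body.decode("utf-8", errors="ignore").lower()
    hits = [p for p in GONE_PHRASES if p in text]
    if hits:
        return "gone", "page text contains: " + ", ".join(hits)
    return "live", "content still served"


def prune(responses):
    """Split tracked URLs into those to retire, to keep and to re-check."""
    buckets = {"gone": [], "live": [], "unknown": []}
    for r in responses:
        verdict, _ = classify(r)
        buckets[verdict].append(r.requested_url)
    return buckets


# Constructed sample responses; none of these hosts or pages are real.
SAMPLES = [
    Response("http://dl.example.net/inv.exe", "http://dl.example.net/inv.exe", 404,
             b"<h1>Not Found</h1>"),
    Response("http://shop.example.de/login.php", "http://shop.example.de/login.php", 200,
             b"<html>Die angeforderte Seite wurde leider nicht gefunden.</html>"),
    Response("http://files.example.org/a/setup.exe", "http://files.example.org/error404.html", 200,
             b"<html><body>Oops!</body></html>"),
    Response("http://cdn.example.com/update.exe", "http://cdn.example.com/update.exe", 200,
             b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + b"\x00" * 64),  # still hosted
    Response("http://secure.example.com/signin", "http://secure.example.com/signin", 200,
             b"<form action='/submit'>Sign in to your account</form>"),
    Response("http://mirror.example.net/x.exe", "http://mirror.example.net/x.exe", 503, b""),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.requested_url, "->", classify(r))
```

The order of the checks matters: a real HTTP error is conclusive, a redirect onto an error-looking path is strong evidence, and the phrase match is the weakest signal, which is why it runs last and why anything in the 'unknown' bucket stays in the tracking list instead of being dropped.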

More details about various techniques for reaching the real content of a page are explained in the article „Delivering reliable phishing protection“, published in Virus Bulletin Magazine, May 2008.

Sorin Mustaca
Manager International Software Development

Time to say good bye: WPA cracked

You thought encrypting wireless traffic with WEP is insecure? Right, that can be cracked within 60 seconds in the meantime; I verified that myself – depending on the network it took me 5 to 10 minutes though. WPA ought to be safe, as the keys are changing rapidly and are of no use for attackers; choosing a long and good password would save you from a brute force attack.

Now security researchers Martin Beck and Erik Tews have released information about their attack on WPA. It seems that they need 10 to 15 minutes to gather enough data to crack the temporal key. That allows them to inject 6 to 7 packets. That doesn't sound too bad, but remember, for example, SQL Slammer: one packet sufficed to breach the network.

I already ordered a new DSL router as my old one doesn’t support WPA2, so I can switch to the (still to be considered safe) newer protection mechanism – which essentially is WPA with AES encryption instead of the TKIP “cipher”. If your hardware doesn’t support WPA2 like mine you should consider upgrading to products supporting that standard. You can take that as an excuse to switch to 802.11n, which gives you the additional benefit of higher throughput and a better WLAN range. :-)

Dirk Knop
Technical Editor

Performance Improvements – Some Details on File IO

As mentioned in a previous blog entry, we at Avira are not only trying to offer you outstanding detection rates, we are also putting effort into providing that protection in a way that does not slow your system down more than absolutely necessary. This blog entry will give some numbers to a few of the improvements we recently implemented.

The first scenario is scanning a usual Windows XP install directory, containing around 55,000 typical Windows files. The second is a dedicated testbed we use for benchmarking parts of our scanner, which contains executables, archives, websites, office files, PDFs, pictures and many other different file types.

Note that most of the optimizations we’ve done are absolutely not specific to these scenarios, although of course the choice of a testbed can seriously skew the results into different directions.

So, let us compare three different versions of the Avira AntiVir Engine:

  • 7.6.0.84: one of the last versions of the old AV7 Engine architecture, released in early April 2008
  • 8.1.0.35: one of the first releases of the new AV8 Engine architecture, released in late April
  • 8.2.0.7: at the time of this writing, the most up-to-date engine

Scantime in an On-Demand Scan

Our first illustration shows the scan time of two on-demand scans performed on both of the mentioned testbeds. Each was scanned multiple times to prevent random influences from skewing the result. Also note that the files resided in the file system cache, so the numbers may seem low to you. The scans were performed on an Intel Core2Duo at 2.66 GHz with 4 GB of RAM.

File IO requests when scanning the Windows XP directory (reads and writes, measured with Microsoft's Filemon tool)

The second illustration shows the effect our optimizations had on general file IO requests. If you look at the numbers, the load on the Windows IO subsystem has changed considerably between the three versions. This also means less work for your physical hard disk. Of course this is not due to the removal of features or detection, but to improvements in our own engine IO management, caching and file access approach. In fact, the later versions have added detection and processing of several formats which were not covered by AV7.
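An added illustration (not the AntiVir engine's code) of why changes of the kind described above reduce the number of IO requests: a tiny in-memory "file system" counts read calls the way a Filemon trace would, and compares a scanner that reads every file to the end in 4 KiB chunks with one that sniffs the type from a single header read, fetches the remainder in one request and caches verdicts between passes. The sample files, the magic-byte table and the cache key (file name plus size, standing in for path, size and modification time) are constructed for this example.

```python
import io


class CountingFile:
    """In-memory file that counts read requests, standing in for a Filemon trace."""

    def __init__(self, data):
        self._buf = io.BytesIO(data)
        self.reads = 0

    def read(self, n=-1):
        self.reads += 1
        return self._buf.read(n)


# Constructed sample directory (name -> content); not a real Windows install.
SAMPLE_FILES = {
    "notepad.exe": b"MZ" + b"\x00" * 20000,
    "readme.txt": b"plain text " * 1000,
    "manual.pdf": b"%PDF-1.4" + b"\x00" * 9000,
    "logo.bmp": b"BM" + b"\x00" * 15000,
}
CHUNK = 4096
MAGIC = ((b"MZ", "pe"), (b"%PDF", "pdf"), (b"BM", "bmp"))


def sniff(header):
    """Guess the file type from its first bytes (constructed magic table)."""
    for magic, kind in MAGIC:
        if header.startswith(magic):
            return kind
    return "unknown"


def scan_naive(files):
    """Read every file to the end in 4 KiB requests, then look at the first bytes."""
    total_reads, kinds = 0, {}
    for name, data in files.items():
        f = CountingFile(data)
        chunks = []
        while True:
            chunk = f.read(CHUNK)
            if not chunk:          # the empty read that signals EOF is a request too
                break
            chunks.append(chunk)
        kinds[name] = sniff(b"".join(chunks)[:8])
        total_reads += f.reads
    return total_reads, kinds


def scan_optimized(files, cache):
    """One small header read to pick the parser, one large read for the rest,
    and no reads at all for files whose verdict is already cached."""
    total_reads, kinds = 0, {}
    for name, data in files.items():
        key = (name, len(data))    # stands in for (path, size, mtime)
        if key in cache:
            kinds[name] = cache[key]
            continue
        f = CountingFile(data)
        header = f.read(64)
        kind = sniff(header)
        f.read()                   # the remainder, in a single request
        kinds[name] = cache[key] = kind
        total_reads += f.reads
    return total_reads, kinds


if __name__ == "__main__":
    print("naive:    ", scan_naive(SAMPLE_FILES)[0], "read requests")
    cache = {}
    print("optimized:", scan_optimized(SAMPLE_FILES, cache)[0], "read requests")
    print("cached:   ", scan_optimized(SAMPLE_FILES, cache)[0], "read requests")
```

Both scanners arrive at the same type for every file; only the number of requests differs, which is the point the Filemon figures make. A real engine reads far more selectively than "header plus rest", but the two levers are the same: fewer, larger requests, and a cache that avoids touching unchanged files at all.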

So, as you can see, we are not resting on the laurels of our good detection results. Staying ahead of the pack in terms of speed and system impact is also important.

Marcus Matten
Engine Core R&D