Tag Archives: technology

The abracadabra of anonymous sources.

Who killed JFK?

Who’s controlling the Bermuda Triangle?

What’s the Freemasons’ objective?

Easy! For it turns out that answers to these questions couldn’t be more straightforward. All you have to do is add: ‘according to information from anonymous sources‘, and voila! — there’s your answer — to any question, about anything, or anyone. And the answers are all the more credible – not because of their… credibility – but because of the level of prestige commonly ascribed to the particular media outlet that broke the story.

Just recently, Reuters got a ‘world exclusive’ of jaw-dropping proportions in the antivirus world. The article, filled with sensational – false – allegations, claims Kaspersky Lab (KL), creates very specific, targeted malware, and distributes it anonymously to other anti-malware competitors, with the sole purpose of causing serious trouble for them and harming their market share. Oh yes. But they forgot to add that we conjure all this up during steamy banya sessions, after parking the bears we ride outside.

The Reuters story is based on information provided by anonymous former KL employees. And the accusations are complete nonsense, pure and simple.

Disgruntled ex-employees often say nasty things about their former employers, but in this case, the lies are just ludicrous. Maybe these sources managed to impress the journalist, but in my view publishing such an ‘exclusive’ – WITHOUT A SHRED OF EVIDENCE – is not what I understand to be good journalism. I’m just curious to see what these ‘ex-employees’ tell the media next time about us, and who might believe their BS.

The reality is that the Reuters story is a conflation of a number of facts with a generous amount of pure fiction.

In 2012-2013, the anti-malware industry suffered badly because of serious problems with false positives. And unfortunately, we were among the companies badly affected. It turned out to be a coordinated attack on the industry: someone was spreading legitimate software laced with malicious code targeting specifically the antivirus engines of many companies, including KL. It remains a mystery who staged the attack, but now I’m being told it was me! I sure didn’t see that one coming, and am totally surprised by this baseless accusation!

Here’s how it happened: in November 2012 our products produced false positives on several files that were in fact legitimate. These were the Steam client, Mail.ru game center, and QQ client. An internal investigation showed that these incidents occurred as the result of a coordinated attack by an unknown third party.

For several months prior to the incidents, through intra-industry information-exchange channels such as the VirusTotal website, our anti-malware research lab repeatedly received numerous slightly modified legitimate files of Steam, Mail.ru and QQ. The creator(s) of these files added pieces of malicious code to them.

Later we came to the conclusion that the attackers might have had prior knowledge of how different companies’ detection algorithms work and injected the malicious code precisely in a place where auto systems would search for it.

These newly received modified files were evaluated as malicious and stored in our databases. In total, we received several dozen legitimate files containing malicious code.

False positives started to appear once the legitimate owners of the files released updated versions of their software. The system compared the files to the malware database – which contained very similar files – and deemed the legitimate files malicious. After that, we upgraded our detection algorithms to avoid such detections.

Meanwhile the attacks continued through 2013 and we continued to receive modified legitimate files. We also became aware that our company was not the only one targeted by this attack: other industry players received these files as well and mistakenly detected them.

In 2013 there was a closed-door meeting among leading cybersecurity and other software industry players that also suffered from the attack – as well as vendors that were not affected by the problem but were aware of it. During that meeting the participants exchanged information about the incidents, tried to figure out the reasons behind them, and worked on an action plan. Unfortunately no breakthrough occurred, though some interesting theories regarding attribution were expressed. In particular, the participants of the meeting considered that some other AV vendor could be behind the attack, or that the attack was an attempt by an unknown but powerful malicious actor to adjust its malware in order to avoid detection by key AV products.

Accusations such as these are nothing new. As far back as the late nineties I’d take with me to press conferences a placard with the word ‘No!’ on it. It saved me so much time. I’d just point to it when every third question was: “Do you write viruses yourselves, for your product to then ‘cure’ the infections?” Oh yeah. Sure. And still today I get asked the same all the time. Do they really think an 18+ year-old business built 100% on trust would be doing such things?

It seems some folks just prefer to presume guilt until innocence is proven. I guess there’ll always be folks like that. C’est la vie. But I really do hope that people will see through these anonymous, silly and groundless accusations… What I can say for sure is that we’ll continue working very closely with the industry to make the digital world safer, and that our commitment and resolve to expose cyberthreats regardless of their source or origin won’t waiver.

.@kaspersky rubbishes claims they poisoned competitors with false positivesTweet

Independent AV testing in 2014: interesting results!

At KL we’re always at it. Improving ourselves, that is. Our research, our development, our products, our partnerships, our… yes – all that. But for us all to keep improving – and in the right direction – we all need to work toward one overarching goal, or mission. Enter the mission statement…

Ours is saving the world from cyber-menaces of all types. But how well do we do this? After all, a lot, if not all AV vendors have similar mission statements. So what we and – more importantly – the user needs to know is precisely how well we perform in fulfilling our mission – compared to all the rest…

To do this, various metrics are used. And one of the most important is the expert testing of the quality of products and technologies by different independent testing labs. It’s simple really: the better the result on this or that – or all – criteria, the better our tech is at combatting cyber-disease – to objectively better save the world :).

Thing is, out of all the hundreds of tests by the many independent testing centers around the world, which should be used? I mean, how can all the data be sorted and refined to leave hard, meaningful – and easy to understand and compare – results? There’s also the problem of there being not only hundreds of testing labs but also hundreds of AV vendors so, again, how can it all be sieved – to remove the chaff from the wheat and to then compare just the best wheat? There’s one more problem (it’s actually not that complex, I promise – you’ll see:) – that of biased or selective test results, which don’t give the full picture – the stuff of advertising and marketing since year dot.

Well guess what. Some years back we devised the following simple formula for accessible, accurate, honest AV evaluation: the Top-3 Rating Matrix!.

So how’s it work?

First, we need to make sure we include the results of all well-known and respected, fully independent test labs in their comparative anti-malware protection investigations over the given period of time.

Second, we need to include all the different types of tests of the chosen key testers – and on all participating vendors.

Third, we need to take into account (i) the total number of tests in which each vendor took part; (ii) the % of ‘gold medals’; and (iii) the % of top-3 places.

What we get is simplicity, transparency, meaningful sifting, and no skewed ‘test marketing’ (alas, there is such a thing). Of course it would be possible to add into the matrix another, say, 25,000 parameters – just for that extra 0.025% of objectivity, but that would only be for the satisfaction of technological narcissists and other geek-nerds, and we’d definitely lose the average user… and maybe the not-so-average one too.

To summarize: we take a specific period, take into account all the tests of all the best test labs (on all the main vendors), and don’t miss a thing (like poor results in this or that test) – and that goes for KL of course too.

All righty. Theory over. Now let’s apply that methodology to the real world; specifically – the real world in 2014.

First, a few tech details and disclaimers for those of the geeky-nerdy persuasion:

  • Considered in 2014 were the comparative studies of eight independent testing labs (with: years of experience, the requisite technological set-up (I saw some for myself), outstanding industry coverage – both of the vendors and of the different protective technologies, and full membership of AMTSO) : AV-Comparatives, AV-Test, Anti-malware, Dennis Technology Labs, MRG EFFITAS, NSS Labs, PC Security Labs and Virus Bulletin. A detailed explanation of the methodology – in this video and in this document.
  • Only vendors taking part in 35% or more of the labs’ tests were taken into account. Otherwise it would be possible to get a ‘winner’ that did well in just a few tests, but which wouldn’t have done well consistently over many tests – if it had taken part in them (so here’s where we filter out the faux-test marketing).

Soooo… analyzing the results of the tests in 2014, we get……..

….Drums roll….

….mouths are cupped….

….breath is bated….

……..we get this!:

Independent testing 2014:  the results

Read on: Are all washing powder brands the same?…

Geography lesson.

Every day we release up to 2000 updates for our products.

Every week our users around the globe download those updates over a billion times.

Every month we distribute around four petabytes of updates.

These updates (together with our other technologies) protect you against new cyberthreats. In recent years we’ve been seeing new malware popping up not just every day or every hour, but every minute and even every second! Each year we analyze more than a billion samples of malicious code.

For the average user, receiving antivirus updates is a simple, automatic process. They run silently in the background without disturbing you (and quite right too). However, there’s a lot more to an update than first meets the eye. Updates are merely the tip of a sophisticated iceberg that connects our products to a huge distributed IT system that we built up ourselves using a whole bunch of original ideas and know-how.

That’s the overall scheme. The details get more interesting…

Kaspersky Internet Security Update

Read on: So what actually happens when you update your antivirus?…

The evolution of OS X malware.

Is there any (Mac) OS X-specific malware around?

Oh yes. But for some odd reason I haven’t said anything interesting on this topic for quite a while…

The last time was two and a half years ago. Yes, that’s how long it’s been since the global Flashback worm outbreak that infected 700 thousand Macs worldwide. The security industry made quite a bit of noise about it (and quickly disabled the Flashback botnet), but since then – mostly silence… It might seem to some that ever since there’s been a complete lull on the Mac-malware front and not one bit of iMalware has disturbed Apple Bay’s calm waters…

But they’d be wrong…

Mac malware is not amyth, they do exist

Sure, if you compare the threat levels of picking up some malware on different platforms, at the top of the table, by a long way, as ever, is the most widely used platform – Microsoft Windows. Quite a way behind it is Android – a relatively new kid on the block. Yep, over the past three years the cyber-vermin has been seriously bombarding the poor little green robot with exponentially increasing levels of malicious activity. Meanwhile, in the world of iPhones and iPads, except for very rare cyber-espionage attacks, there have been hardly any successful attacks thereon (despite using various exotic methods). It’s a similar story with Macs too – things are relatively peaceful compared to other platforms; but of late there have been… stirrings – about which I’ll be talking in this post.

Briefly, a few numbers – kinda like an executive summary:

  • The numbers of new for-Mac malware instances detected in the last few years are already in the thousands;
  • In the first eight months of 2014, 25 different ‘families’ of Mac malware were detected;
  • The likelihood of an unprotected Mac becoming infected by some Mac-specific-unpleasantness has increased to about three percent.
In 2013 alone @kaspersky detected ~1700 malware samples for OS XTweet

Read on: let’s dig deeper and look at the situation from a malware expert PoV…

Under the hood – 2015.

We’ve a tradition here at KL (besides the summer birthday bashesNew Year shindigs and the rest, that is). Every summer we launch new versions of our home products. Er, and it’s already the end of summer! (Eh? Where did that go?) So let me give you the highlights of the juiciest new features of our 2015 versions, or, to put it another way – about the latest sly tricks of the cyber-villains that we’ve successfully been busting with our new tech that’s winding its way into KL-2015s :).

All righty, off we go…

Kaspersky Internet Security 2015 - Main Window

What’s new in Kaspersky Internet Security 2015? @e_kaspersky reportsTweet

Read on: The all-seeing eye of Sauron. No more…

AVZ: Heuristics without false positives to combat future threats.

How can you locate and destroy ALL the maliciousness hiding in the sleeping jungles of your computer?

In particular, the extra nasty maliciousness that’s never ever been seen before, which also happens to have a mega-high malevolent-IQ (and is often state sponsored)?

Easy. The answer’s simple: you can’t.

Well, you can at least have a good go at it; but to find the proverbial black malware cat in a pitch black room you need a handful of top-notch pros to do the task manually: expensive. But to do it automatically with a boxed antivirus product – that’s a whole different matter altogether: you normally just get as far as getting on to the scent of super sophisticated infections, but that’s about it. That is, at least, using the old-school AV approach that uses classic antivirus signatures and file scanners.

So what’s the solution?

Again, simple: put some mega brains to hard work – to automate sophisticated-infection seek-and-destroy functions in an AV product.

Read on: So how we do that?…

Holy Java, not holey Java.

Woo-hoo! One more torpedo released by the cyber-delinquents against Microsoft Office has been thwarted by our cunningly tenacious cyber-protection.

Recently a new but fairly common-or-garden attack was discovered: When opening Word documents malicious code was unnoticeably injected into the computer. This wouldn’t have made it into the headlines but for one circumstance: this was a zero-day attack, i.e., one that used a previously unknown vulnerability in MS Office for which there weren’t any remedying patches, and which most antiviruses let slip through their nets. You guessed it – our AV grabbed it with its tightly thatched net in one fell swoop!

What happened was our Automatic Exploit Prevention (AEP) technology detected anomalous behavior and proactively blocked the corresponding attacks. No updates, no waiting, no messing. Zapped immediately.

Zero-days represent a real serious threat these days.

They need to be tackled head on with full force. However, many AVs are fairly useless against the future risk zero-days pose, as they work based mostly on signatures, with ‘protection from future threats’ only ‘provided’ on paper/the box (albeit very pretty paper/a very glossy box:). But of course! After all, genuine – effective! – protection from future threats requires whopping doses of both brain power and development resources. Not every vendor has the former, while even if a vendor has the latter – that doesn’t always clinch it. And this is sooooo not copyable tech we’re talking here…

Unlike what Buddha and new-agers say is a good idea for individuals, we’ve always believed that in IT security you can’t live for today – in the moment. IT Security needs to constantly look to the future and foresee what will be going on in the minds of the cyber-felons – before events occur. A bit like in Minority Report. That’s why ‘proactive’ was on our agenda as far back as the early 90s – back then we cut a dash from the rest of the IT Sec crowd by, among other things, developing heuristics and our emulator. Forward thinking runs in KL blood!

Since then the tech was reinvented, fine-tuned and souped-up, and then around two and a half years ago all the features for protection from exploitation of known and unknown vulnerabilities were all brought together under the umbrella of AEP. And just in time too. For with its help we’ve been able to proactively uncover a whole hodge-podge of targeted attacks, including Red October, MiniDuke and Icefog.

Then came a sudden surge of unhealthy interest in Oracle’s Java, but AEP was ready once again: it did its stuff in combatting all the unhealthiness. Leading AEP into battle was its Java2SW module – specially designed for detecting attacks via Java.

And it’s this module I’ll be telling you about here in the rest of this post.

The software landscape inside a typical computer is a bit like a very old patchwork quilt: loads of patches and as many holes! Vulnerabilities are regularly found in software (and the more popular the product, the more are found and more frequently) and the companies that make the software need to secure them by releasing patches…

…But No. 1: Software developers don’t release patches straight away; some sit on their hands for months!

But No. 2: Most users forget, or simply don’t care, about installing patches, and continue to work with holey software.

However No. 1: The vast majority of computers in the world have antivirus software installed!

So what’s to be done? Simple: Get Java2SW onto the stage. Why? Because it kills two birds with one stone in the Java domain.

Overall, from the standpoint of security Java architecture is rather advanced. Each program is executed in an isolated environment (JVM – Java Virtual Machine), under the supervision of a Security Manager. However, alas, Java became the victim of its own popularity – no matter how well protected the system was, soon enough (in direct proportion to its popularity) vulnerabilities were found. Vulnerabilities are always found sooner or later, and every software vendor needs to be prepared for that, in particular (i) by timely developing protective technologies, (ii) by being real quick in terms of reaction times, and (iii) by informing users how important updating with patches is.

Thing is, with regard to Java, Oracle didn’t make a great job of the just-mentioned prep. In fact they did such shoddy job of it that users en masse started to delete Java from their browsers – no matter how more cumbersome it made opening certain websites.

Judge for yourself: The number of vulnerabilities found in Java in 2010 – 52; in 2011 – 59; in 2012 – 60; in 2013 – 180 (and the year isn’t over yet)! While the number of attacks via vulnerabilities in Java grew in a similarly worrisome way:

Java attacks growing fast

Read on: So what’s so great about Java2SW?…

K-LOVE & KISSES 2014: REASONS TO BE CHEERFUL, PART 3.

“The person needs to be brought round to the idea that he has to part with his money. He needs to be morally disarmed, and his proprietary instincts need to be stifled.”

No, not Don Draper; this is a quote of Ostap Bender, a classic fictional hero from 1930s Russian literature. And no, there’s no relation to the other famous Bender!

Thus, it would appear that, curiously, Mr. Bender knew a thing or two about capitalism, despite being from a Communist country. Hmmm…

Anyway, what he knew is that it’s sometimes possible to make folks part with their hard-earned shekels if they are manipulated the right way – the folks, that is.

Fast-forward to today… and we find this kind of manipulation alive and well – in a modern, hi-tech, cyber kinda way: Today, folks gladly hand over their Benjamins to the crims behind blockers, aka ransomware, an especially sneaky form of computer malevolence. But have no fear, KL users: in the new version of KIS, we’ve got a nice surprise waiting for the blocking blockheads and their blockers.

Ransomware criminal market turnover made up more than $15 million, while the number of victims reached the tens of millions

The principle and tech behind blockers/ransomware are rather simple.

Using one of the various means available (for example, via a software vulnerability), a malicious program is sneaked into computer, which then displays an amusing (not) photo with scary (not – with KIS:) – text, and blocks the desktop and all other programs’ windows.

Unblocking is only possible (well, was possible – see below) by entering a unique code, which of course you can only get from the cyber-tricksters who infected the comp in the first place, and of course – for a fee, through premium SMS numbers or online payment systems. Until you pay the ransom, the comp remains kidnapped – no matter what you do (including Ctrl+Alt+Del), and no matter what programs you try to run (including antivirus); all you see is something like this:

ransomware1

The rise, the decline & the return of ransomware…

K-LOVE & KISSES 2014 – PART 2: ALPHA, BETA, ZETA.

Welcome back folks!

What else new and interesting is to be found under the hood of KIS 2014, missioned to save your data from the cyber-swine? Today’s guest star is ZETA Shield technology.

ZETA Shield I think might be best described as a high-tech antivirus microscope for the detection and elimination of the most cunning of malware, which hides deep in the bowels of the inner recesses of complicated files. In short, this is our unique defense technology against future threats, one which can track down unknown cyber-contagion in the most unexpected places.

To understand the concept better, let’s take a set of traditional Russian dolls.

Antivirus should unpack the nested essence of malware like a Russian doll. But it’s not quite as simple as just that.

Open one and you find another inside, and nested inside that one – another, and so on and so on. And in terms of where troublesome programs hide, this is a pretty good analogy. Malware tries its hardest to embed itself into the very essence of its surroundings, and even uses digital ‘plastic surgery’ to change its appearance and hide from antivirus programs. It puts itself into archives, crypto-containers, multimedia files, office documents, scripts etc., etc. – the possibilities are endless. The task of the antivirus program is to delve into the actual essence of all these different objects, probe the interior, and extract the malware.

So that’s it? Well… no, it’s not quite as simple as just that.

Antivirus programs have long been able to take apart complicated files. For example, ever since the early 90s other companies have been licensing our antivirus engine in particular because of its ability to unpack archived and packed files. But unpacking is only half the job. You need an instrument that’s clever enough to not only take apart complicated files but that can also analyze these ‘Russian dolls’, understand what’s doing what in there, build connections between different events, and finally diagnose; importantly, to do that proactively – without classic signatures and updates. It’s a bit like the detective work that goes into locating potential binary weapons. Such weapons are made up of individual components which on their own are harmless, but when mixed create a deadly weapon.

And this is where ZETA Shield comes in.

And just in time too, as the number and perversity of both targeted and zero-day attacks are on the up and up. These are the very things ZETA is designed to deal with (ZETA = Zero-day Exploits & Targeted Attacks).

zeta_shield_logo

More: KIS 2014 can withstand serious assaults from tomorrow’s malware. Now you too…

K-LOVE & KISSES 2014 – PART 1.

Hip, hip, hurray! Yee ha! Woo hoo! The latest incarnation of KIS has landed – everywhere (almost)!

As per our long held tradition of launching new kit during the summer months – we’ve now managed to get KIS 2014 officially released in all the main regions of the world and in all the most widely spoken languages. For those interested in KIS itself, go here to download the new version. Upgrade guidelines are here.

And as is also becoming a bit of a tradition early fall, the time has come for me to tell you all what’s in this here new version…

There’s plenty of new stuff in KIS 2014 – with a special emphasis on protection against future threats.

First thing I can say: new stuff – there’s plenty of it. So much so that there’ll be several posts covering the key new features separately, as the low-down on all of them won’t fit into one bite-sized blogpost that won’t send you to sleep…

So, here we go… with post No. 1:

Basically, KIS 2014 packs yet more punch than its already punchy predecessor – KIS 2013 – which even without all this year’s additions was unlucky for no one. The protection provided is harder, better, faster, stronger. KIS has gone under the knife for a nip and tuck complete face-lift of its interface, and the logic of its main operations has been overhauled too.

There are new features to ensure secure online money operations (we’ve beefed up Safe Money); there are new features in Parental Control; there’s integrated protection against malicious blockers; and there are various new performance accelerators and optimizers to make the protection even more invisible and unobtrusive.

kis-2014-main-screenshot-eng-1

But the best feature of all in this version is what we put most effort into: providing protection from future threats, having added to the product – much to the chagrin of cyberswine – several specialized avant-garde technologies (none of which appears to be included in competitors’ products). No, we haven’t used a time machine; nor did we track down cyberpigs and do a Jack Bauer interrogation on them to get to know about their planned mischief. We shamanized, looked into the future, came up with rough calculations of the logic of the development of cyber-maliciousness, and transferred that logic into practice in our new technologies of preventative protection.

Among the preventative measures against future threats I’d like to emphasize the souped-up Automatic Exploit Prevention – two special technologies from our corporate solutions that have been adapted for our home products – ZETA Shield and Trusted Applications mode, plus a built-in proactive anti-blocker.

So how do all these fancy sounding features actually help in daily computer hygiene? Let me start by telling you first about Trusted Applications mode – the world’s first for such technology being featured in a home product providing complex security.

More: Fighting the parcel in ‘pass the parcel’ syndrome…