A story recently surfaced saying malware could plant child porn on innocent people's computers without their knowledge. Just how real is this threat? And how can you keep it from happening to you?
Being accused of possessing child pornography can ruin people's reputations, confront them with overwhelming legal bills and, if convicted, and deprive them of their freedom for years if sentenced to prison time, and perhaps for life, if they're required to register as sex offenders.
That is why, at least in part, a recent case outlined by the Associated Press raised concerns over computer viruses being used to plant child pornography on people's computers. But the innocent have little to fear, according to experts.
The AP story reported about the case of Michael Fiola, a former Massachusetts state employee whose state-owned work computer was found to contain illegal child pornography images. He was fired and charged with possession of child pornography which, had he been convicted, could have landed him in prison for up to five years, according to the AP.
Sexually explicit images of children--who are often being exploited--are not protected by the First Amendment because they may memorialize, celebrate, or encourage sexual crimes against children deemed defenseless victims. Although Fiola avoided a child porn conviction, he reportedly has suffered related indignities, including death threats and friend abandonment. The AP said he and his wife liquidated their savings and spent $250,000 on legal fees.
Ultimately, charges were dropped after Fiola's defense showed that his computer was infected by a virus that was "programmed to visit as many as 40 child porn sites per minute," something that a human couldn't do, even if he or she tried. Other reports about this case indicate that the antivirus software on Fiola's computer was out of date and therefore was not protecting him against malware.
Could it happen to you?
How likely is a case like Fiola's? If viruses are capable of putting illegal content on people's computers, aren't we all at risk of being arrested for serious crimes we never meant to commit? And if it is possible for this to happen, isn't "the virus did it" claim likely to become the mantra of every defense attorney who represents people accused of possessing child pornography?
To help answer these questions, I spoke with security experts, legal scholars, former prosecutors, and Justice Department officials. The consensus? It is indeed possible for malicious software to plant child pornography--or any other type of file, for that matter--on an innocent person's computer, but being possible doesn't mean it's likely. And forensics experts can detect intention.
"It's quite possible for a malware creator to include child pornography as part of the payload on an infected computer," according to Symantec spokeswoman Marian Merritt, but "such payloads are not typical."
Most malware authors, Merritt said, "are motivated by money, and there's no clear indication as to how planting child porn on an unsuspecting person's computer would help generate money for criminals."
One possible motive for remotely using someone else's computer to store child porn is to make it possible to access the contraband without running the risk of it showing up if your PC is seized or searched. Merritt worries that "this could become a possible use for malware, going forward," but Michael Geraghty, executive director of the National Center for Missing & Exploited Children Technology Services Division, said that, while possible, it's not an effective way to store child porn and remain undetected.
"If you put the images on someone else's computer, you might not be able to retrieve them when you want them," Geraghty said. He pointed out that the zombie machine storing the data would have to be turned on and connected for the malware sender to access it. If it weren't online, or the files had been deleted, the files wouldn't be there to retrieve.
Another deterrent, of course, is a potential digital trail between your computer and the one you're using to store it. Although there are ways to evade detection, forensic investigators do have ways to trace Internet Protocol addresses to catch people in the act of uploading and downloading material.
"I've never seen it where child porn was intentionally placed on someone's computer because of a virus," Geraghty said. He has, however, seen cases where "someone was redirected to a site where it could have entered the cache." If someone were to go to a legal adult porn site, it's possible that the browser would "open 100 different windows," including some that could contain child porn. "As a result of that, any images on any of these sites would be cached, and there would be a record that you had been there."
But Geraghty said investigators can tell the difference between someone who deliberately downloaded such images and someone who may have inadvertently downloaded perhaps thousands of images because of a virus or misdirected Web site.
Totality of evidence
"A good forensics expert would try to determine how (the images) got on the computer and who was responsible for putting them there," he said. "That would be determined by looking at the totality of the evidence, not just the fact that there were images there."
Things a good investigator would look into include whether the suspect was sitting at the computer at the time the images were downloaded. Was he using the computer to send e-mail or visit other Web sites at the time? "There is always some type of trail we can follow to determine if the person were likely actively involved in the process of downloading the material," Geraghty said.
Another indicator is the time lapse between image downloads. A virus or Trojan horse is likely to download multiple images at a time, sometimes faster than might be humanly possible to do manually. A person who collects child pornography typically acquires it over a period of time, and a forensic investigation of the computer should reveal that.
Phil Malone, a clinical professor at Harvard Law School and director of its Berkman Center Cyberlaw Clinic, agrees that a good forensic investigator should be able to tell the difference between files placed by a virus and ones deliberately downloaded.
"It's the excuse of the moment for defendants," he said. "Lots of child porn defendants try to blame (images found on their computers) on viruses, but it's almost never true. You can actually figure this out. In the handful of cases that have been problematic, it looks as if everyone moved too quickly. The agency discovered material and immediately jumped to conclusions." Malone added that "good, solid forensics would be able to tell in virtually every case."
Malone agreed with Geraghty, of the National Center for Missing & Exploited Children, that it's fairly common for someone, when viewing adult pornography on a Web site, to inadvertently receive pop-ups that may include images of child porn.
"It's possible to tell if something was opened or saved to a file from the cache," Malone said. Investigators can usually figure out if an image was downloaded intentionally, based on other activity that took place on the computer at the time, he said, adding that it's incumbent on both prosecutors and defense attorneys to launch a thorough investigation that includes analyzing a copy of the hard drive to determine not just which images are stored within, but also how they got there.
Geraghty said it's important to look at other factors. "The computer holds a lot of information about the searches that someone runs. If there were none of those searches and nothing else but some images in the cache, you would question how they got there. You would look for collaborating evidence such as intent to visit the site (and capability) of visiting the site. Did he have knowledge?"
A good investigation will look for exculpatory evidence to see if there are other explanations for the images. That investigation, Geraghty said, should start with making one or more exact copies of the suspect's hard drive and examining those copies to look for evidence of malicious software that could be responsible for the images. Defense attorneys can also gain access to a copy of the drive, but because it may contain illegal child porn images, their experts will probably have to examine the drive at the police station or prosecutor's office; possession of those images--regardless of the reason--is illegal for anyone other than personnel granted immunity.
Burden of proof
"In each case, the prosecution will need to prove (that) the defendant knowingly and intentionally possessed, received, or distributed child pornography," according to Drew Oosterbaan, chief of the Child Exploitation and Obscenity section of the Justice Department. "The proof starts with establishing that the images involved are child pornography and ends with establishing that the person charged is criminally responsible for it. We prove the latter in myriad ways."
Oosterbaan said that when someone is charged with possessing child pornography on his computer, "the computer is, in many ways, a crime scene, and the forensic examination of that computer is critical to meeting the elements of proof in the prosecution." He added that "it's important to remember that in every case, the government carries the burden of proof."
Oosterbaan said he is not aware of any cases in which botnets were used to plant child porn on other people's computers.
A former federal prosecutor now working for a technology company, who requested anonymity, said this may become a bigger issue as we enter the era of cloud computing, in which more and more data is stored on Internet servers instead of hard drives.
"There is no question that perpetrators are going to look for places to hide their criminal activity, including child porn, because they're increasingly aware that if law enforcement comes to their house, they will see the material," the former prosecutor said, adding that companies in the cloud storage business need to be aware that their systems could be used for illegal purposes. "They should reach out to the National Center for Missing & Exploited Children to implement a system to compare uploaded files against hash marks (digital fingerprints) of known child porn images."
As with any other security issue, the best defense is to protect your machine against intrusions. This includes:
- Making sure that your operating system and regularly used software are up-to-date.
- Using good software addressing malware, phishing attacks, and/or spam, and keeping it up to date. Subscriptions to paid programs should be renewed.
- Being cautious about spam and about providing information to sites you navigate to from links within even the most legitimate-appearing e-mails.
Disclosure: I serve without compensation as a board member at the National Center for Missing & Exploited Children, which deals with child porn cases. Still, I don't necessarily agree with all NCMEC policies, nor do I speak on behalf of the organization.
Kaspersky unveiled a new tool on Thursday called "Krab Krawler" that analyzes the millions of tweets posted on Twitter every day and blocks any malware associated with them.
The tool looks at every public post as it appears on Twitter, extracts any URLs in them and analyzes the Web page they lead to, expanding any URLS that have been shortened, Costin Raiu, a senior malware analyst at Kaspersky, said in an interview.
The company is scanning nearly 500,000 new unique URLs that appear in Twitter posts daily, he said. Of those, anywhere between 100 and 1,000 are malware attacks. Twitter has also been targeted by the Koobface virus which posts malicious links from infected users' accounts.
About 26 percent of the total posts contain URLs, and many of those lead to spam sites that are marketing products or services and aren't considered malware, according to Raiu. Tens of thousands of different accounts are posting spam links, most likely from accounts created by bots, he said. The most frequent URLs posted lead to online dating sites, he added.
Twitter has its own filtering system, but some malicious links still manage to get through, Raiu said.
While Kaspersky's regular antivirus software may detect and block 95 percent of the malware Twitter users are threatened with, malware code changes frequently to evade filters and it could take between two and 12 hours for new stuff to be classified as malicious and detected, he said.
While antivirus companies have traditionally focused on protecting e-mail-borne viruses, they are increasingly turning their attention to social-media sites as attackers do.
Trend Micro has technology that monitors Twitter posts for malicious URLs, as well as looks for attack patterns in the posts, such as use of popular terms to indirectly lead people to malicious links, said Morton Swimmer, a senior threat researcher at Trend Micro.
Meanwhile, Finjan offers a free browser plug-in dubbed SecureTweets that warns users when they encounter a malicious URL in Twitter, as well as Gmail, Blogger, MSN, MySpace, Google search, Yahoo, and other sites.
Social-media sites are popular for attackers not only because people are flocking to them, but also because users seem to trust messages that appear to come from friends on those sites more than they trust e-mails, Raiu said.
"People are worried about unsolicited e-mail, so they are careful not to run the programs they get by e-mail, but they aren't prepared to deal with these kinds of new attacks," he said.
The most common piece of malware associated with Twitter links is Trojan-Clicker.HTMLIFrame, a malicious JavaScript that can get downloaded to a computer when it visits a compromised Web site.
(Credit: Kaspersky)
More midsize companies are being attacked by cybercriminals at the same time they're spending less on security, says a McAfee report released Wednesday.
Across the world, more than half of the 900 midsize businesses (51 to 1,000 employees) surveyed by McAfee for its report, The Security Paradox, said they've seen an increase in security breaches over the past year. Despite the threat, the recession has caused most of these companies to freeze their IT security budgets.
(Credit:
McAfee)
McAfee found that the costs of dealing with a security attack can be high. Over the last year, one of five midsize companies surveyed lost $41,000 in sales on average as a result of a breach. In China alone, 38 percent of the businesses questioned lost an average of $85,000 due to an attack. And more than 70 percent believe a serious data breach could put them out of business, noted the report.
(Credit:
McAfee)
But as the recession has grown, IT budgets have dropped. Almost 40 percent of the companies trimming their IT security budget plan to limit the purchase of new security products. And more than a third are switching to cheaper security software to cut expenses, even though they realize that may put them at greater risk.
"An organization's level of worry and awareness about increasing threats has not overcome the downward pressure on budgets and resources," said Darrell Rodenbaugh, senior vice president of global midmarket for McAfee, in a statement. "But this creates a vicious cycle of breach and repair that costs far more than prevention."
Midsize companies also may underestimate their risk, according to McAfee. Among companies with fewer than 500 employees, more than 90 percent believe they're protected from cybercriminals and feel they don't face the same threats that larger firms do.
But McAfee discovered that businesses with 101 to 500 people had on average 24 security breaches over the past three years, compared to 15 breaches for those with 501 to 1,000 employees.
In the long run, dealing with the aftermath of a security attack eats up a company's time and expenses. The study found that 65 percent of firms spend less than four hours a week on IT security, but around the same percentage have spent more than a day recovering from security breaches.
"Our research shows that organizations that put more effort on preventing attacks can end up spending less than a third as much as those that allow themselves to be at risk," said Rodenbaugh.
The study was conducted by research firm MSI International, which surveyed 100 midsize businesses in each of the following countries: U.S., U.K., Australia, Canada, China, France, Germany, India, and Spain. The results were compared with prior studies done in North America and Europe.
The number of Web sites hosting malicious software, either intentionally or unwittingly, is rising rapidly, according to statistics to be released on Tuesday from Dasient.
More than 640,000 Web sites and about 5.8 million pages are infected with malware, according to Dasient, which was founded by former Googlers to offer services to help Web sites stay malware-free and off blacklists.
That figure for infected pages is nearly double what Microsoft estimated in a report in April.
Meanwhile, the Google blacklist of malware infected sites has more than doubled in the last year, registering as many as 40,000 new sites in one week.
Dasient identified more than 52,000 Web-based malware infections, bringing the total to more than 72,000 unique infections logged by the company since it launched its malware analysis platform early this year.
Infections on newly compromised sites that have 10 pages or more spread to nearly one quarter of the pages on the site, on average. Nearly 40 percent of the infected sites were later reinfected.
Most of the malware infections are accomplished by JavaScript and iFrames being injected into legitimate sites, accounting for nearly 55 percent and 37 percent respectively, said Dasient co-founder Neil Daswani.
The statistics illustrate the growing trend of attackers targeting browsers and Web applications with SQL injections, cross-site scripting and other attacks that can lead to drive-by downloads. Infections can come from anywhere on a site, including widgets and ads.
Dasient will be providing a top 10 list of Web-based malware attacks for each week and other trend information, as well as publishing information about new infections via a Twitter feed.
Dasient is sharing information on the top Web-based malware infections with Web site owners.
(Credit: Dasient)Updated 1:45am PST Tuesday with pricing information.
McAfee has released a new security suite designed to help businesses better handle security for their growing segment of Macintosh computers.
Targeting small to large companies, McAfee Endpoint Protection for Mac provides antivirus and antispyware features, and both an inbound and outbound firewall, McAfee said Tuesday.
The company is positioning the tool as a plus for IT administrators and for users. Administrators can use the same console to manage McAfee security on both Mac and Windows machines, said the company. The software lets administrators deny or control which applications can run on supported Macs. The suite's ePolicy Orchestrator tool can also generate reports of malicious activity for review.
Some have debated whether the Mac needs security software since it has traditionally been a less visible target than Windows for attack. But with Internet threats continually on the rise, few computer environments are completely immune. Even Apple has advised Mac users to protect themselves with security software.
Antivirus software for the Mac has been sold for a long time by companies such as Symantec and McAfee. But most products have been geared to the individual user.
McAfee sees its Endpoint Protection suite as filling a growing need at schools, companies, and government agencies that have adopted more Macs in recent years.
"The demand for Macintosh in the enterprise is steadily growing, yet organizations are either not using any security technology for these endpoints, or they are using a standalone, non-manageable anti-virus protection solution," Peter Lincoln, IT director at Aquent, said in a statement provided by McAfee. "The use of McAfee Endpoint Protection for Mac enables us to have complete protection on all our endpoints. Using the same integrated management console also allows us to lower our operational cost and ensure security and compliance."
A survey conducted last year by ITIC showed that a greater number of companies were planning to allow Macs into their workforce.
McAfee Endpoint Protection for Mac is compatible with the latest release of Apple's Snow Leopard as well as existing Leopard and Tiger environments. A McAfee spokesperson said the product's retail price would be $55.08 per computer for a network of 500 - 1000 computers. The pricing includes one year of Gold technical support.
Lavasoft has updated its popular malware and spyware detection and removal tool Ad-Aware. Rather than a dramatic redo, version 8.1 builds on the improvements made in the previous version. The new version is faster, has better removal abilities, and introduces a behavioral detection engine.
Called Genotype, Ad-Aware's heuristic-based behavioral detection engine isn't explicitly called out in the interface. However, I noticed that files that had been flagged falsely as threats in earlier versions were no longer called out as such, and the Quick Scan was able to complete in about three minutes, as opposed to 10 minutes in the previous version. These are empirical observations, of course, but this version's improvements should be easy to see for longtime users of Ad-Aware.
Removal techniques have also been improved. Lavasoft is calling the new system Neutralizer, although it's not called out as such in the program interface. What users will see is a "family" of grouped similar threats, such as cookies, the category of the threat, and the action taken. The program defaults to the Recommended action, which means you need to click on the drop-down menu to the right of the listing to see what action will be taken on a per-threat basis. The big action buttons introduced in version 8 still reside at the bottom of the window, which feels further than necessary--it'd be better to have the action button closer to where the mouse already is, at the top of the window.
There is one big change to the interface in v8.1. At the bottom left corner of the window, there's a toggle to switch between Simple mode and Advanced mode. Simple mode is for users who are set-it-and-forget-it types, with fewer options displayed. Advanced mode allows for deeper settings customization. There's also a gaming mode, so that full protection continues to run while you play games or watch videos, but detected threats won't interrupt your entertainment until you're done.
Ad-Aware's new Advanced mode, presenting more options by default.
(Credit: Screenshot by Seth Rosenblatt/CNET)Fans of personalization get more skin action in this version, too. In addition to the included skins, the community support offered at MyLavaSoft now includes community-sourced translations and skins.
However, fans of the free version do not get all the features available in the paid upgrades. Antivirus is only for paying customers, and while rootkit detection is present, behavior-based heuristics and real-time registry protection are not. Ad-Aware Free cannot scan networked drives, and even a basic feature like the scheduler remains off-limits in the free version. The Ad-Aware toolbox for system tweaks is only available in the Pro version. I encountered a pop-up for the upgrade, although Lavasoft told me that this was an infrequent occurrence. Ad-Aware Plus is available for $26.95, and Ad-Aware Pro is $39.95, and both have a 30-day trial.
Microsoft 's new Security Essentials software has passed at least one exam so far--a review by security testing firm AV-Test.org.
Using the latest version and definition updates of Microsoft Security Essentials (MSSE) downloaded from the Web, AV-Test ran the product through a series of tests on Sept. 29 and 30 to judge its effectiveness at fighting malware.
(Credit:
AV-Test.org)
To check static known malware, AV-Test pitted Security Essentials against the most recent WildList, a sampling of 3,732 viruses and other threats compiled by the WildList Organization. Microsoft's product successfully detected and blocked all of the samples in both manual and active scanning.
AV-Test also threw its current set of 545,034 viruses, worms, Trojans, and other threats at Security Essentials. MSSE successfully caught 536,535 samples for an overall good detection score of 98.44 percent.
In AV-Test's battle against adware and spyware, Security Essentials stopped 12,935 out of 14,222 samples, earning a detection grade of 90.95 percent. No false positives came up in a scan of over 600,000 clean files from Windows, MS Office, and other commonly used programs.
To check dynamic malware, which is based on its behavior rather than static lists, AV-Test found that MSSE had no "dynamic detection" in place as the software failed to find any of the recently released malware used in the test. AV-Test noted that other standalone antivirus products don't include behavior-based detection either, although that feature is typically found in full security suites.
MSSE also found and eliminated all 25 rootkits that AV-Test threw at it.
Security Essentials did only a fair job of cleaning up infections. Facing 25 different malware samples, the product removed all active components as part of its repair process. But in many cases, some remnants of the malware were left behind, as inactive executable files or empty Registry keys.
Finally, AV-Test found that the speed of Security Essentials scanning was about average compared with that of other security products.
AV-Test's review of Security Essentials was run on Windows XP with SP3, Windows Vista with SP2, and Windows 7 RTM, both the U.S. English and German 32-bit editions. A series of papers on the methodology used by AV-Test in its testing process are at the company's Web site.
CNET's Seth Rosenblatt also looked at Security Essentials this week, while CNET News reporter Ina Fried has said the beta version of the product recently saved her from a Koobface attack.
A rise in malware has caused the number of infected PCs worldwide to increase 15 percent just from August to September, says a report released Tuesday from antivirus vendor Panda Security.
Across the globe, the average number of PCs hit by malware now stands around 59 percent, an all-time high for the year. Among 29 countries tracked, the U.S. ranked ninth with slightly more than 58 percent of its PCs infected. Taiwan hit first place with an infection ratio of 69 percent, while Norway came in lowest with only 39 percent of its PCs attacked by malware.
(Credit:
Panda Security)
The study found that in the U.S., Trojans and Adware were the two most pernicious types of malware, followed by worms and viruses.
(Credit:
Panda Security)
"This is a clear sign that hackers are becoming more and more sophisticated," said PandaLabs Technical Director Luis Corrons. "Cybercriminals have found news ways to spread their creations, frequently exploiting the latest news stories to launch attacks through social networks, videos, and e-mail. The huge amount of Trojans in circulation is due to the spectacular increase in the number of banker Trojans aimed at stealing user data."
The company based its results on data taken from users who scanned their PCs with the free Panda ActiveScan online tool. The results for September were gathered from August 28 to September 28 and compared with the results from July 28 to August 27.
Microsoft has released version 1.0 of Security Essentials, the successor to Live OneCare. Originally known as Morro, Security Essentials retains the core features of OneCare, but abandons the additional heft of a firewall, performance tuning, and backup and restore options in exchange for making the program free. Rather than taking aim at full-featured security suites made by Symantec or Eset, the features available in Security Essentials indicate that Microsoft is aiming to compete with basic-but-free security apps.
For the select 75,000 public beta testers who got their hands on the program when the limited public beta was offered in June, there will be few appreciable differences between the beta and the final version. For the rest of the planet, Security Essentials features key defenses that are boilerplate for any respectable security program.
Features
It uses both definition file and real-time defenses against viruses and spyware, and also offers rootkit protection. The program's reputation-based detection and software signature-based detection seem to rely heavily on Microsoft SpyNet, the unfortunately named cloud-based service that compares file behavior across computers running various Microsoft operating systems.
The official version 1.0 of Microsoft Security Essentials looks identical to the popular limited beta version from June 2009.
(Credit: Screenshot by Seth Rosenblatt/CNET)SpyNet was introduced in Windows Vista and extended to Windows 7, but Microsoft Security Essentials is the only way to access the network on Windows XP. Unlike other security vendors that allow customers to take advantage of the benefits of their behavioral detection engines while opting out of submitting information, there's no way to do that with SpyNet.
You can choose between two SpyNet memberships. Basic submits to Microsoft the detected software's origins, your response to it, and whether that action was successful, while the Advanced membership submits all that plus the location on your hard drive of the software in question, how it operates, and how it has impacted your computer. Both basic and advanced warn users that personal data might be "accidentally" sent to Microsoft, although they promise to neither identify nor contact you. Opting out of SpyNet, however, is not an option in Security Essentials.
Security Essentials benefits greatly from having a simple, streamlined interface. There are four tabs, each with a concise and understandable label: Home, Update, History, and Settings. The program also uses easy-to-grasp labels, imported from OneCare: green for all good, yellow for warning, and red for an at-risk situation.
From the Home window, you can run a Quick Scan, Full Scan, or Custom Scan, and a link at the bottom of the pane lets you change the scheduled scan. The Custom Scan lets users select specific folders or drives to scan, but it doesn't allow for customizing the type of scan used. For example, you're not going to be able to choose to scan only for rootkits or heuristics, as you can with other security programs. The program installs a context-menu option for on-the-fly scanning in Windows Explorer, too.
The Update pane manages the definition file updates, with a large action button, and History provides access to a spreadsheet-style list of All detection items, your Quarantine, and items you've Allowed to run. Although it's a basic layout, this no-frills approach to security could prove appealing to computer users who are overwhelmed by more detailed security choices.
Users can choose between two options for SpyNet, but no way to not contribute to it.
(Credit: Screenshot by Seth Rosenblatt/CNET)The Settings window allows users to further customize the program by scheduling scans, toggling default actions to take against threats, adjusting real-time protection settings, creating whitelists of excluded files, file types, and processes, and the aforementioned SpyNet options. There's also an Advanced option which is still fairly basic: here you can set Security Essentials to scan archives, removable drives, create a system restore point, or allow all users to view the History tab.
Security Essentials comes pre-configured to run a scan weekly at two in the morning, when your Microsoft thinks your system is likely to be idle. New malware signatures are downloaded once per day by default, although you can manually instigate a definition file update through the update tab. Attachments and downloaded files will be automatically scanned by Security Essentials.
Help is only available in the form of the standard offline Help manual that comes with all Microsoft programs. There's nothing fancy here.
Performance
I found that it installed in less than one minute, and completed its first Quick Scan in less than 30 seconds. The Full Scan took more than an hour to reach the halfway point, and this was borne out by tests performed by CNET Labs' benchmarks. Microsoft Security Essentials actually sped up the boot time of our test computer by more than two seconds, and it sped up the shut-down time by more than two and a half seconds. However, compared to major security vendors it was significantly slower at scanning--Security Essentials took 2,340 seconds to scan, whereas most scans would clock in between 1,000 and 1,100 seconds.
The program comes with a few options for customization, but not many.
(Credit: Screenshot by Seth Rosenblatt/CNET)In our iTunes decoding test it scored similarly to its competition, about 7 seconds slower than an unsecured computer. In our MS Office test and media multitasking tests it was faster than some--503 seconds versus 552 seconds for Norton AntiVirus 2010 in the Office test, and 844 seconds versus 876 seconds for Trend Micro Internet Security Pro in the media test.
While running the Full Scan, I noticed that it took up about 86 MB of RAM. However, it felt far lighter, and I was able to perform resource-intensive tasks like uploading photos without any noticeable freezes.
Third-party virus detection efficacy scores were not available at the time of writing, and it's not currently clear whether Security Essentials shares the same detection engine as Live OneCare. However, CNET reporter Ina Fried mentioned that Security Essentials stopped her from accidentally coming down with a case of Koobface.
Conclusion
Microsoft Security Essentials is a lightweight security app that people might turn to for a number of key reasons. It's easy on the system resources, it's easy to figure out how to use, and it comes pre-configured. It only works on legally licensed Microsoft computers, which is understandable but potentially leaves a large segment of the unprotected population still unprotected. You can't opt out of contributing to SpyNet, which isn't understandable at all. Overall, it's recommended for those who want something to set and ignore, but users who want more robust configuration choices or don't want to contribute to the cloud should look elsewhere.
Malware developers are going open source in an effort to make their malicious software more useful to fraudsters.
By giving criminal coders free access to malware that steals financial and personal details, the malicious software developers are hoping to expand the capabilities of old Trojans.
According to Candid Wüest, threat researcher with security firm Symantec, around 10 percent of the Trojan market is now open source.
The move to an open source business model is allowing criminals to add extra features to their malware.
"The advantages are that you have more people involved in developing it, so someone who is into cryptography could add a cryptographic plug-in or somebody who does video streaming could add remote streaming of the desktop," Wüest said.
Releasing Trojans as open source dates back to 1999, when the Cult of the Dead Cow group released the source code for its Trojan called Back Orifice.
More recently, the developers of the Limbo Trojan published its source code in an effort to boost take-up following a slump in its use by fraudsters.
Following its release in 2007, the Limbo Trojan became the most widely used Trojan in the world but fell from favor in 2008 after the more sophisticated Zeus Trojan was released, according to security company RSA.
There is a big cash incentive to be the dominant Trojan, with infected machines and the financial and personal details they capture worth millions of dollars on the black market. The Limbo Trojan kit was previously sold to fraudsters for $350 per time before it went open source, while the Zeus Trojan today sells for between $1,000 to $3,000.
However, head of new technologies at RSA, Uri Rivner, said the move to become open source had not reversed Limbo's decline in fortunes.
"It is a move to the same business model as that behind any open source project--to give away a basic version and sell more advanced versions, professional services or customizations.
"At the beginning of it going open source it was big news but people have since stopped investing in it.
"It is not the best Trojan any more but because it's open source you can try it as your first Trojan and it is still used in some places," he said.
Limbo's popularity continues to slump, despite numerous features in the basic version that allow criminals to add extra fields for PIN numbers into fake banking websites and capture the keystrokes and the files saved on an infected computer.
And while open source may not have boosted Limbo's fortunes, it also brings with it separate problems for the fraudsters: open sourcing code also places it in the hands of security professionals.
"If you make (the Trojan) open source, that means that a security company can find the source code and it is easier to make a general heuristic detection for it, as they know what could be in it," Symantec's Wüest said.
The majority of Trojan infections occur via drive-by downloads, where the malware is automatically downloaded after browsing an infected website, or messages sent via social networking sites that encourage people to download a Trojan masquerading as a legitimate security update, according to RSA's Rivner.
These infection methods are proving far more effective at getting Trojans onto machines than earlier techniques such as sending an e-mail with a link to an infected file or attachment.
RSA analysts say these new methods have fuelled an exponential growth in the rate of infection, with the security firm detecting 613 Trojan infections in August 2008 compared to 19,102 in August 2009.
Nick Heath of Silicon.com reports from London.
