Kaspersky unveiled a new tool on Thursday called "Krab Krawler" that analyzes the millions of tweets posted on Twitter every day and blocks any malware associated with them.
The tool looks at every public post as it appears on Twitter, extracts any URLs in them and analyzes the Web page they lead to, expanding any URLs that have been shortened, Costin Raiu, a senior malware analyst at Kaspersky, said in an interview.
The company is scanning nearly 500,000 new unique URLs that appear in Twitter posts daily, he said. Of those, anywhere between 100 and 1,000 are malware attacks. Twitter has also been targeted by the Koobface virus which posts malicious links from infected users' accounts.
About 26 percent of the total posts contain URLs, and many of those lead to spam sites that are marketing products or services and aren't considered malware, according to Raiu. Tens of thousands of different accounts are posting spam links, most likely from accounts created by bots, he said. The most frequent URLs posted lead to online dating sites, he added.
Twitter has its own filtering system, but some malicious links still manage to get through, Raiu said.
While Kaspersky's regular antivirus software may detect and block 95 percent of the malware Twitter users are threatened with, malware code changes frequently to evade filters and it could take between two and 12 hours for new samples to be classified as malicious and detected, he said.
While antivirus companies have traditionally focused on protecting against e-mail-borne viruses, they are increasingly turning their attention to social-media sites, just as attackers are.
Trend Micro has technology that monitors Twitter posts for malicious URLs and looks for attack patterns in the posts, such as use of popular terms to indirectly lead people to malicious links, said Morton Swimmer, a senior threat researcher at Trend Micro.
Meanwhile, Finjan offers a free browser plug-in dubbed SecureTweets that warns users when they encounter a malicious URL in Twitter, as well as Gmail, Blogger, MSN, MySpace, Google search, Yahoo, and other sites.
Social-media sites are popular for attackers not only because people are flocking to them, but also because users seem to trust messages that appear to come from friends on those sites more than they trust e-mails, Raiu said.
"People are worried about unsolicited e-mail, so they are careful not to run the programs they get by e-mail, but they aren't prepared to deal with these kinds of new attacks," he said.
The most common piece of malware associated with Twitter links is Trojan-Clicker.HTML.IFrame, a malicious JavaScript that can get downloaded to a computer when the computer visits a compromised Web site.
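As an added illustration of the pipeline Raiu describes (this is not Kaspersky's code), the following Python sketch extracts URLs from post text, expands shortener redirects, and checks the landing page for the hidden-iframe pattern the Trojan-Clicker.HTML.IFrame family relies on. The posts, redirect map and page bodies are constructed stand-ins so it runs offline; a real crawler would fetch them over HTTP.

```python
import re
from html.parser import HTMLParser

# Constructed sample posts and an offline stand-in for the HTTP redirects and
# landing pages a real crawler would fetch; none of the hosts or paths are real.
TWEETS = ["check this out http://sho.rt/abc lol", "my cat http://example.org/cats.html"]
REDIRECTS = {
    "http://sho.rt/abc": "http://tiny.example/q7",
    "http://tiny.example/q7": "http://compromised.example/index.html",
}
PAGES = {
    "http://compromised.example/index.html":
        '<html><body>Welcome<iframe src="http://evil.example/x.php" '
        'width="1" height="1" style="visibility:hidden"></iframe></body></html>',
    "http://example.org/cats.html": "<html><body><img src='cat.jpg'></body></html>",
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def extract_urls(text):
    return URL_RE.findall(text)

def expand(url, redirects=REDIRECTS, max_hops=5):
    """Follow shortener redirects to the final URL, stopping on loops or too many hops."""
    seen = [url]
    for _ in range(max_hops):
        nxt = redirects.get(url)
        if nxt is None or nxt in seen:
            break
        seen.append(nxt)
        url = nxt
    return url

class IframeFinder(HTMLParser):
    """Collect iframe sources that are sized to be invisible or styled hidden."""
    def __init__(self):
        super().__init__()
        self.suspicious = []
    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        if tiny or "hidden" in style or "display:none" in style:
            self.suspicious.append(a.get("src", ""))

def hidden_iframes(html):
    finder = IframeFinder()
    finder.feed(html)
    return finder.suspicious
def scan_tweets(tweets=TWEETS, pages=PAGES):
    """Map each posted URL whose landing page hides an iframe to (final URL, iframe sources)."""
    flagged = {}
    for post in tweets:
        for url in extract_urls(post):
            final = expand(url)
            frames = hidden_iframes(pages.get(final, ""))
            if frames:
                flagged[url] = (final, frames)
    return flagged
```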
(Credit: Kaspersky)
By pushing as much resource usage as possible into the clouds, Panda Security's new Cloud Antivirus aims to free up the RAM that many security programs hog. However, testing the new beta revealed slower-than-anticipated scan speeds when doing an on-demand full hard drive scan. Panda's got a solution that might help some users: turn off logging while running the scan.
Cloud Antivirus splits the usual scanning process into three separate processes. The OnAccess Scan detects executing threats, the OnPrefetch Scan detects non-executing threats that are likely to run in the future, and the OnBackground Scan checks all local files when the computer is idle. Because of the way that the scans utilize idle CPU time, the background scan could still be logging when you start an on-demand scan.
The solution is to deactivate the logging feature when you're running a heavy-duty, system-wide scan. This is risky if you forget to turn it back on after you're done, and highlights the lack of advanced options available through the interface. "It's something we're aware of and still fine-tuning," said Pedro Bustamante, senior research adviser at Panda Security, in an e-mail.
Deactivating the advanced logging works, although users shouldn't expect dramatic changes. Scan speed improved only modestly: 45 percent of the drive was scanned in 25 minutes instead of 30. To toggle the log, download the two Registry keys found at the top of this blog post. Double-click on LoggingOff.reg and reboot your computer to turn off the log, then when you're finished double-click on LoggingOn.reg and reboot to re-activate it. I strongly recommend reading the entire post, though. Bustamante has included a lot of information on how Cloud Antivirus works. The known problems blog post is also worth looking at.
If you do try this Registry tweak out, post your results in the comments below.
Earlier Wednesday, Panda Security introduced Cloud Antivirus beta, the first full-featured cloud-based antivirus program. It does two things that make it competitive and unique compared with its competitors that are tied to your desktop: it prioritizes threats based on type, and it attempts to lighten the load that security programs place on your system resources by moving definition files to a community-based cloud.
Panda Cloud Antivirus and its system resource usage as it performs a scan.
(Credit: Screenshot by Seth Rosenblatt/CNET)
The big concern about a cloud-based antivirus is performance, and Cloud Antivirus handled itself decently enough--although it's not a record-setter. On a ThinkPad T42 with a 1.7 GHz Pentium M chip, 1.5 GB RAM, and running Windows XP SP2, Cloud Antivirus used about 23 MB of RAM when idle.
When running a scan, the scan client ate around 40 MB, and the main client jumped to around 32 MB. The scan also took a long time, with only 45 percent of the computer scanned in more than 30 minutes. Pausing the scan client dropped the usage rate from 40 MB to 2 MB.
If you install the program, you can find it listed in your task manager under PSANHost and PSUNMain. There was no noticeable lag when loading programs such as Firefox or MS Word, or when browsing the Web. Granted, these tests are empirical and casual, but they bode well for future use by the average consumer.
In February of this year, Panda received higher scores than before for its antivirus detection abilities and lower false positives than in previous years from AV-Test.org.
The program uses a minimalist design to emphasize its features. Cloud Antivirus runs as a panda icon in your system tray. Double-click to open the main screen, which sports a dark theme with translucent borders. The entire window goes translucent when you drag it.
Your security status will appear first, with a large icon and font size telling you whether you're in trouble. Somewhat counter-intuitively, the status tab is on the right side of the window. Moving from right to left, the tabs use icons to identify their features. A bar chart represents the Report tab, a magnifying glass for the Scan tab, and a gear wheel for the Settings. A hard-to-see turned-corner arrow lives in the bottom-right corner of the pane. Click it, and it takes you to the "neutralized" window--basically, it's the quarantine. The arrow then moves to the lower left corner, which you need to click again to get back to the main tabbed window.
The layout isn't hard to follow, but users will have to do some exploring since there are no mouse-over labels to help here.
The Settings tab hides proxy settings and a toggle for Panda's proprietary Collective Intelligence cloud network. Turn it off, and one of the program's most powerful features goes away. You'll still get cloud-based definition updates, but you won't be contributing to the community that's keeping you safe. The Scan tab has two options: to scan your entire computer, or to scan selected files or folders from your desktop. The Reports tab lets you see the results not only of your last scan, but also of scans from the past 24 hours, previous week, and past month.
Panda Cloud Antivirus looks like a move that could have long-reaching effects for consumer security, showing that just because your protection is based in the clouds doesn't mean your head is lodged in them.
Clarification made April 30 at 12:40 p.m.: This story initially contained a typo, inadvertently giving the wrong measurement of RAM on the ThinkPad we used for our testing. It has 1.5 GB of RAM. Thanks go to several readers for pointing out the error in TalkBack.
With threats like Conficker fresh in the public's mind, security remains a top concern for Windows users. Panda Security, publishers of Panda Internet Security and Panda Antivirus, is set to take antivirus where it hasn't been yet: into the clouds. Panda Cloud Antivirus beta bets that nearly three years of development can pay off into a better protection system for users. To that end, Panda's willing to make the client free for personal use--even after it leaves beta testing.
Panda Cloud Antivirus offers on-demand scanning.
(Credit: Panda Security)
You can also download the program from CNET Download.com.
The program uses Panda's proprietary cloud computing technology, which they call Collective Intelligence, to detect viruses, malware, and rootkits, applying heuristics as well as signatures. It takes advantage of "millions of users," according to Panda, to identify new malware almost in real time. Panda says that Collective Intelligence can classify new malware in under six minutes, and that it handles more than 50,000 new samples per day. The Cloud Antivirus works by classifying threats into executables that must be scanned immediately, and non-executables that are checked at a lower priority--usually when the computer is idle.
In exchange for using consumer data to build the Collective Intelligence database, Panda decided to offer the Panda Cloud Antivirus for free, said Pedro Bustamante, senior research adviser at Panda Security.
Panda Cloud Antivirus appears to be able to handle a wide range of threats.
(Credit: Panda Security)
The new program reportedly takes up around 50 MB on the hard drive and eats around 17 MB of RAM when in use. That compares well against the industry average that Panda provided of 60 MB, and Bustamante said that they're aiming for 12 MB of RAM when in use.
Cloud computing may make sense from a system resources point of view, but what happens to system security when the computer isn't connected to the Internet? "The model we've implemented is to break down the traditional antivirus to client and server, so when the user is not connected they keep a local cache copy of Collective Intelligence, including detections for what Collective Intelligence sees is spreading through the community," he said.
Panda Cloud Antivirus is for Windows XP and Windows Vista, with planned support for Windows 7 when it's released. Bustamante added that it will stay in beta while users adopt it, although they hope it will leave beta by the end of this summer.
Trusteer, a company that provides online protection services, announced Wednesday that it launched a malware search tool that allows users to see what kind of attacks are targeting Web sites.
Dubbed Attack Trace, the company's search engine allows users to submit a Web address and determine if it's being attacked. Once queried, the search engine performs diagnostic functions on the site to determine if malware is attacking it and how severe each instance is. Once it finds the malware, it returns a list of configuration files to inform users about the attacks the site faces.
Developing a malware search tool is a great idea, especially in today's environment of online fraud and scams, but the main issue facing Trusteer is that it will always need to catch up to malicious hackers. According to the company, the service only finds known Trojans and other well-known attacks, which means the service won't know if a Web site is being targeted by something new. For its part, Trusteer claims the search engine will be constantly updated by its research organization as it finds new malware.
Trusteer's Attack Trace search engine is live now on the company's site.
See also: Microsoft's new malware search tool.
Microsoft announced Tuesday that it updated its Live Search Webmaster Center with the ability to detect malware on a publisher's site as well as any outbound links contained on that site. It also announced the launch of a simplified authentication process that makes accessing the company's Webmaster tools much easier.
According to Microsoft's senior director of Live Search, Angus Norton, the company's new malware detection tool will crawl sites for malware. Where there is malware present, it will automatically disable all the links that contain it and alert Webmasters to the issue. A report, which can be downloaded from Microsoft's Webmaster tools page, details which pages are affected and how the site can resolve the issue. Until the malware is removed, Microsoft will flag all the harmful links contained in search results as malware.
Microsoft's new Webmaster tools are active now on the company's page.
Facebook security chief Max Kelly has assured members in a blog post that the social network is "fighting the good fight" when it comes to several malware attacks discovered on the site in recent days.
"We spent most of last night working on a fix for a worm, which was targeting people on Facebook and placing messages on walls urging users to view a video that pretends to be hosted on a Google or YouTube Web site," Kelly wrote. "Less than .002 percent of people on Facebook have been affected, all of whom we notified and suggested steps to remove the malware."
The worm was first flagged by security firm Sophos, just days after another one had been identified by Kaspersky Labs.
Kelly said Facebook appreciates the efforts of watchdogs. "If we get a report of a bug or a hole from a user, a security researcher, a reporter, blogger, or anyone, we check it out and fix it as quickly as possible," he wrote. "In fact, we appreciate it when help comes our way from the many security experts and organizations out there."
Sophos and other security firms have warned that social networks such as Facebook and MySpace are particularly fertile breeding grounds for security attacks: they have massive user bases, plenty of outside developers working on the site, and lots of ways (messages, wall posts) to spread malware to unwitting members.
Facebook recommends that members follow a few basic security measures: report spam postings, install the proper Mac or Windows software in the event of a malware infection, and never share your Facebook password.
That last piece of advice will be tougher for Facebook to recommend as Facebook Connect, which lets external sites use Facebook login credentials, grows more commonplace.
Sophos, a security software and research firm, has warned that social network Facebook is the battleground for a new malware attack targeting members' comment "walls."
Public wall posts purporting to be from someone on a user's friends list invite the user to click on some kind of video or image, and the URL appears to lead to something hosted on Google.com. That's a spoof--it really directs to a grinning photo of a court jester sticking out its tongue--and a downloaded Trojan. Sophos has not said what the worm then does.
Facebook representatives were not immediately available for comment.
Sophos says that this is probably not the same as a social-network worm that Kaspersky Labs flagged last week; Kaspersky confirmed on Friday that the two are different.
Additionally, Sophos says it has not yet completed its investigation of the issue and has said that the worm may not be restricted to Facebook. "Whether this really is a Facebook worm, and not simply malware being distributed via Facebook spam remains to be seen," a blog post by Sophos researcher Fraser Howard read.
In the past, Sophos has warned of social networks' potential as Petri dishes for malicious attacks, and has put out a general warning to companies that security issues might be a graver issue than productivity when it comes to choosing whether to block access to these sites at the office. "Companies need to make their own mind up as to whether they want to allow their users to access websites like Facebook and MySpace during office hours," Sophos analyst Graham Cluley said in a release.
"If workers are allowed to be given access to these sites then it's vital that they do not put their personal and corporate data at risk, and are protected from web-based infections."
This post was updated at 12:14 p.m. PT with comment from Kaspersky Labs.
There's a new piece of malware out there targeting Mac users that takes advantage of the inclination to watch porn.
Intego, a Mac security software company, issued an alert Wednesday warning Mac users of the OSX.RSPlug.A malware, which it describes as a Trojan horse. Those of you familiar with mythology recognize the reference, and OSX.RSPlug.A disguises itself as a video codec that would ensure whatever porn video you just stumbled upon will play on your Mac.
(Credit: Intego)
But to get infected with the malware, you have to accept the invitation to download "new version of codec," open up the .dmg (disk image) file, click the installer.pkg file, and enter your administrator's password, according to Intego. Once infected, the malware changes your DNS settings to hijack Web traffic and redirect it to phishing sites or ads for porn. And you still won't get to watch the video.
If you're running Tiger, you might never realize how you were infected, but Leopard's Advanced Network preferences will at least let you recognize that the DNS servers have been changed. You'll be unable to change them back without going through a lengthy process detailed by Macworld's Rob Griffiths.
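An added check for the DNS tampering Intego describes (this is not Intego's or Macworld's code): the Python script below parses the resolver list that `scutil --dns` prints on a Mac and flags any nameserver outside an allowlist you maintain, which catches a silent change on Tiger as well as Leopard. The sample output and the allowlist ranges are constructed placeholders.

```python
import ipaddress
import re
import subprocess

# Constructed sample of `scutil --dns` output; the resolver addresses are
# documentation-range placeholders, not real hijack infrastructure.
SAMPLE_SCUTIL = """DNS configuration

resolver #1
  nameserver[0] : 203.0.113.10
  nameserver[1] : 203.0.113.11
  if_index : 4 (en0)
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
"""
NS_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.M)

def parse_nameservers(text):
    """Return the resolver addresses in the order scutil lists them."""
    return NS_RE.findall(text)

def unexpected_resolvers(nameservers, allowed):
    """Return resolvers outside the allowlist (single IPs or CIDR blocks)."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    bad = []
    for ns in nameservers:
        try:
            ip = ipaddress.ip_address(ns)
        except ValueError:
            bad.append(ns)   # not an IP address at all: treat as suspect
            continue
        if not any(ip in net for net in nets):
            bad.append(ns)
    return bad

def audit_live(allowed):
    """Query the running Mac and report resolvers you did not configure."""
    out = subprocess.run(["scutil", "--dns"], capture_output=True,
                         text=True, check=True).stdout
    return unexpected_resolvers(parse_nameservers(out), allowed)

if __name__ == "__main__":
    # Assumed allowlist: the home router's LAN block plus the ISP's resolvers
    # (placeholder ranges; substitute the addresses you actually configured).
    allowed = ["192.168.0.0/16", "198.51.100.0/24"]
    print("unexpected resolvers:",
          unexpected_resolvers(parse_nameservers(SAMPLE_SCUTIL), allowed))
```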
Intego coincidentally sells software that would also protect your Mac from the malware, and uses the opportunity to point that out on its security bulletin. But there's one surefire way to avoid these problems.
People, we're talking about Internet porn. There are literally millions of Web pages that cater to every imaginable interest (and a few I'm sure I can't imagine) that don't ask you to install software to view them. Most people know you should never install something on your computer unless you know exactly what it is, and who is sending it your way. But that red flag has to immediately shoot up if you're asked to install any unsolicited application or file that comes from a porn Web site. I don't care what they promised you at the other end of the process.
A little common sense goes a long way. Think about what you're doing before you do it, because no porn video is worth the risk of installing something evil on your Mac.
Every large Internet company has an online security team in place, and Google is no different. Now the search engine giant is going public. Yesterday, Google launched its new online security blog. The blog will post news on its little-known antimalware team, which, it turns out, has been in existence for about a year.
In its initial post, Google clarifies its now-famous one-in-10-Web-sites-are-malicious statement, derived from a presentation Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang, and Nagendra Modadugu gave at last month's Hotbots 2007. Provos says the figure that is quoted in the media should be 0.1 percent (less than 1 percent) since the analysis used in the paper, "The Ghost in the Browser" (in PDF), covers several billion Web sites. From that number, presenters selected a subgroup of 12 million, of which 1 million were found to be engaging in drive-by downloads of malicious code. There's also a colorful map in today's post showing which countries are responsible for hosting compromised Web sites and distribution servers (the U.S. and China both appear bright red, with Canada and Russia coming in a close second on each map).
Given that malware on the Internet is a huge problem, Google has been quietly evaluating Web sites on its own. Frequent users of the search engine may have seen statements under site names indicating that Google suspects a given site may be harmful to your PC.
This is curious, since major security vendors Symantec, Trend Micro, and McAfee currently offer products that overlay online search results with similar warnings. ZDNet blogger Ryan Naraine wonders whether Google is planning to go up against these vendors or perhaps purchase an existing security vendor. Predictably, Google declined to speculate on its future plans.