InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity April 2009

Security Basics

Anti-Virus: Rogue or Knight?

This article takes a closer look at the Anti-Malware industry and discusses a few ways to identify a committed Anti-Malware vendor.

Last month I talked a little about some common security mistakes, things like setting weak passwords, not patching your Operating System and leaving services like AutoRun enabled. This month, I want to concentrate a little more specifically on some of the tools that we can use for security, focusing on Anti-Malware programs.

Understanding in depth

But first of all, I want to discuss what we call ‘rogue’ Anti-Virus products; not all the products that claim to be Anti-virus products really are, and some of them are exactly the opposite. Rogue Anti-Virus might be familiar to some of you, but I’ll briefly explain the concept.
A typical scenario is as follows. You visit a web-site, and suddenly a message pops up saying “Threat’s found - Scan your computer”. You click the ‘scan’ button and it identifies some threats, but there’s a snag – you have to pay to get the version which will clean the system, so you click the link and get directed to a website that will sell you the product. Unfortunately, it’s just a scam – there’s no scanner, it’s just a piece of JavaScript (a small program that runs inside the web page) that makes it look as if your system is being scanned. In fact, it’s easy to see this if you use an Apple Mac system, as these popups appear there too, and claim to be scanning your ‘C:\’ drive (non-existent on a Mac) and finding the sort of malware that only works on Windows systems. Typically, the messages displayed show that the scanner has found one or two new threats – recent ones have claimed to be finding Conficker, or Storm (another popular internet worm).
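As an added illustration, written from the defender's side and not code from the article or from K7, the following JavaScript heuristic scores a pop-up message against the giveaways the paragraph describes: an unsolicited “threats found, scan now” claim, a demand to pay before anything gets cleaned, a Windows drive letter shown on a machine that is not running Windows, and headline worm names used as bait. The indicator weights, the threshold and the three sample messages are constructed for this example; `platform` stands for whatever `navigator.platform` would report in a browser.

```javascript
// Added example, not from the article: scores a pop-up message for the
// tell-tale signs of a rogue "scanner" described in the text. Weights,
// threshold and sample messages are constructed for illustration only.

const INDICATORS = [
  // "Threat's found" / "threats found" / "threat found" (straight or curly apostrophe)
  { id: "threats-found", weight: 2, test: (t) => /threat['’]?s?\s+found/i.test(t) },
  // an unsolicited instruction to scan the machine
  { id: "scan-prompt", weight: 1, test: (t) => /scan\s+your\s+(computer|system|pc)/i.test(t) },
  // the snag: payment is required before anything gets "cleaned"
  { id: "pay-to-clean", weight: 3,
    test: (t) => /\b(pay|purchase|buy|activate|register|full version)\b/i.test(t)
              && /\b(clean|remove|fix|repair)\b/i.test(t) },
  // headline worms used as bait
  { id: "headline-worm", weight: 1, test: (t) => /\b(conficker|storm)\b/i.test(t) },
];

const SUSPICIOUS_THRESHOLD = 4; // constructed cut-off

// A message that reports on a Windows drive letter (e.g. C:\) while the
// browser is not running on Windows cannot be the result of a real scan.
function claimsWindowsDriveOffWindows(text, platform) {
  const mentionsDriveLetter = /\b[A-Z]:\\/.test(text);
  const onWindows = /win/i.test(platform);
  return mentionsDriveLetter && !onWindows;
}

// Returns the total score, the indicators that fired, and a verdict.
// `platform` is what navigator.platform reports, e.g. "Win32" or "MacIntel".
function scoreRogueScannerPopup(text, platform) {
  const reasons = [];
  let score = 0;
  for (const ind of INDICATORS) {
    if (ind.test(text)) {
      score += ind.weight;
      reasons.push(ind.id);
    }
  }
  if (claimsWindowsDriveOffWindows(text, platform)) {
    score += 3;
    reasons.push("windows-drive-on-" + platform);
  }
  return { score, reasons, suspicious: score >= SUSPICIOUS_THRESHOLD };
}

// Constructed sample messages: a rogue pop-up, a genuine product alert that
// names a real Windows path, and an unrelated subscription reminder.
const SAMPLE_ROGUE =
  "WARNING! Threat's found - Scan your computer now. 2 infections detected: " +
  "Conficker. Purchase the full version to clean your C:\\ drive.";
const SAMPLE_GENUINE_ALERT =
  "Threat found in C:\\Users\\me\\Downloads\\setup.exe. The file has been quarantined.";
const SAMPLE_BENIGN =
  "Your subscription expires in 7 days. Renew now to keep receiving updates.";

function runSamples() {
  return {
    rogueOnMac: scoreRogueScannerPopup(SAMPLE_ROGUE, "MacIntel"),
    rogueOnWindows: scoreRogueScannerPopup(SAMPLE_ROGUE, "Win32"),
    genuineOnWindows: scoreRogueScannerPopup(SAMPLE_GENUINE_ALERT, "Win32"),
    benignOnWindows: scoreRogueScannerPopup(SAMPLE_BENIGN, "Win32"),
  };
}

console.log(JSON.stringify(runSamples(), null, 2));
```

The genuine alert scores only on the words “threat found” and stays below the threshold, because a Windows path on a Windows machine is unremarkable; the very same rogue text scores higher on a Mac than on Windows, which is the point the paragraph makes about the ‘C:\’ giveaway.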

Of course, most of us are attuned to the fact that we need an anti-virus program, and we’re also trained to react when we see a message that we’re infected, so these scams pull people in. When you’ve paid your money, you may well receive a program that pretends to do something – in fact, one or two of them have even included cleaning for a very limited set of malware, but more likely you’ll just get a piece of junk that will claim to have cleaned what was never there in the first place. Still worse, some of these rogue programs will actually deliberately infect your system with malware, and carry all sorts of other programs with them – I have seen some install up to 50 different programs, mostly Adware and Spyware, so not only do you lose your money, but you’ll also need a real Anti-Malware program to clean up afterwards.

At the end of February, a major group of these scammers got cleaned up, because the Credit Card companies finally refused to allow any more payments to these groups. There was a website called “Traffic Converter” which ran an affiliate program. It worked like this – Traffic Converter wrote a rogue antivirus which, of course, would find ‘infections’ even on clean machines, and you had to pay to get the ‘full’ version that could ‘clean’ the found infections. Traffic Converter didn’t sell any of the software directly, but they used affiliates – people who would get paid per program purchased. Many of these affiliates used their own Botnets (I discussed Botnets last month) to install the rogue antivirus software automatically on the infected machines in their botnets, and directed users to their sites to get the ‘full’ version, so though Traffic Converter were not necessarily directly involved in the bad practices (apart from writing the rogue AV), they weren’t really careful about how their affiliates were operating. Some estimates were that these rogue Anti-Virus products were making over US$10,000 per day, so you can see it was a very profitable business for doing absolutely nothing. It’s a good thing that Traffic Converter got taken down, but unfortunately, there are still others out there. Basically, if you get a popup from a website saying you’re infected, you should think twice (thrice!) before clicking on it. The best thing is to go to a reputable Anti-Virus vendor’s site and get a legitimate product that can really clean the system, if it’s infected.

Identifying the Right Anti-Virus Vendor

So, this raises the question of who the legitimate vendors are, and how you can tell. Well, real Anti-Virus vendors won’t be popping up messages on your screen claiming to have found viruses on your system when you visit a website (of course, you might see web advertising from a vendor, but that’s different). Genuine Anti-Virus vendors have usually been around a long time and are part of an established community of vendors, so the first thing to look for is certifications.

Real Anti-Virus products are well tested by independent testing organisations, and will usually carry certifications to show their ability to clean up viruses. For instance, if you take a look at the K7 Website at http://www.k7computing.com you’ll see on the front page that K7 are Microsoft Gold Partners (there are strict rules to getting these partnerships), also that they have the VB100 award logo and the Checkmark award from West Coast Labs displayed.
Virus Bulletin (http://www.virusbtn.com) has been in the testing business for many years (since the 1980s) and is one of the most respected dedicated Anti-Virus testing organisations in the world. To achieve their prestigious “VB100” award, a vendor must demonstrate the ability to correctly detect everything on the Wild List (http://www.wildlist.org) without causing any false positives (which means you don’t detect something bad in an innocent file, nor report something that isn’t there!). Legitimate Anti-Virus vendors strive to make sure their detections are really accurate, and Virus Bulletin tests to ensure that this high standard has been met.

West Coast Labs (WCL) (http://www.westcoast.com) is a British company, and part of the Haymarket publishing group that publishes Secure Computing (SC) magazine. West Coast Labs offers a wider range of tests, and certifies products over several important categories. Certifications are available for detection and cleaning of Viruses, Trojans, Spyware and Worms. There are other good testers too, who try to follow stringent guidelines on testing – such as those set out by AMTSO (http://www.amtso.org), the Anti-Malware Testing Standards Organisation – because, yes, you guessed it, there are rogue testers too, who really don’t know how to correctly test Anti-Malware products!

Of course, you shouldn’t just assume that a company displaying the logo of a recognized testing organization is legitimate; there have been cases where companies have put the logos there without being allowed to. But if you follow the links, you’ll be able to see the AV vendor listed on the testing site along with the specifics of what tests were undertaken and, importantly, when the test happened – tests should be current! For instance, if you look at the West Coast Labs site and search for K7 Computing, you can see all the certifications we have from WCL. This gives you a level of assurance that when you buy a real Anti-Virus product, it should function as you expect, and the peace of mind of knowing that the product is being regularly and independently tested.

Anti-Malware Evolution

Anti-Virus, or as I prefer to refer to it these days - “Anti-Malware” (malware being a contraction of Malicious Software), is an essential component of modern computer security. There are huge volumes of maliciously intended programs being released daily, and it’s so prevalent that you will almost certainly encounter it, so having an updated Anti-Malware product is essential. I’m often asked whether people need separate Spyware detection, or a separate Firewall, but the truth is, most of the modern Anti-Malware suites will include detection for all sorts of malicious objects – long gone are the days when Anti-Virus only dealt with Viruses (replicating malware) and ignored Trojans and so on. These days, the vast majority of malicious software is not replicating, but it still needs to be dealt with – including Spyware, Rootkits, Trojans, Remote Access Tools, Bots and so on – and any modern Anti-Malware product will deal with these.

Firewalls are also a part of most of these modern suites, and these really serve to cut down some of the threats. Software firewalls are a good supplement to Anti-Malware products - for instance, they can warn you if something new is trying to connect out to the internet. Since the first thing that a lot of Bots do is try to update their code from the internet, a firewall alert can be a good early warning that something unusual is happening.

As the threats have evolved, moving away from being mainly email-distributed towards being more web-based, Anti-Malware products have evolved too, to account for the new threats. It’s becoming common to see some sort of automated website filtering or anti-phishing filters being included, along with the more traditional anti-spam email filters that many products have included for years. Perhaps I’ll discuss Phishing more thoroughly in a future article.

Conclusion

Ultimately, whatever product you choose to run, you should make sure that you install a legitimate product from a well established Anti-Virus vendor, and you should keep it up-to-date. Many vendors now update their products several times a day, to ensure that the latest threats are covered, so you should ensure that your updates are getting downloaded and applied. It’s amazing how many people don’t realise that their Anti-Malware product is out of date, either because the license has expired, or because updates aren’t configured correctly. If nothing else, when you’ve finished this article, check that your Anti-Virus product is updated, and if you don’t have one, it’s time you did! There are some basic free Anti-Virus products out there, but for a very reasonable sum, you can get a product that will give you good support and provide a range of functionality to keep you secure in the modern world.

By: Andrew Lee, CTO K7 Computing Limited.



© 2006-07 'InfoSecurity' magazine. All rights reserved.