Wednesday, May 26, 2010

New antivirus software looks at behaviors, not signatures



The nature of the virus threat has changed significantly over the last few years. Alongside the "traditional" virus threat, there are now mass-mailers, Internet-aware worms, DDoS (distributed denial-of-service) attacks, backdoor Trojans, zombies, and the blended or hybrid threats that combine multiple attack mechanisms. This evolution of the virus threat has made the task of protecting users and corporate systems more complex, and companies with fewer resources for security now need more comprehensive solutions.


The problem is that most computers today rely on antivirus software that blocks malware by checking the code in a file against a database of signatures of known viruses. With thousands of new viruses arriving each day, many of them encrypted in part or otherwise disguised with modification, the signature lists require frequent updates and many new viruses slip through undetected.


"The antivirus companies are flooded with malware to add to signature databases," with 20,000 to 30,000 new unique samples coming out every day, said Roger Thompson, chief research officer at AVG. "It's time to do something different."


What is "Behavioral Analysis"?

Behavioral analysis or behavior blocking is not a new idea, and in fact, some security companies adopted the approach in the early 1990s in response to the sharp rise in number of viruses that threatened to overwhelm anti-virus researchers. It works from a set of established rules that define a program as either legitimate, or malicious - a virus, worm or Trojan. If the analyzed code breaks one of the legitimate rules or fits into a pre-defined profile established as "malicious," the code or application is flagged as a threat.

Whereas traditional signature-based anti-virus scanning technology examines applications and code for a particular "signature" or pre-existing strain that has been discovered by anti-virus researchers, behavioral analysis technology monitors what an application or piece of code does and attempts to restrict its actions. Examples might include applications trying to write to certain parts of the system registry, or writing to pre-defined folders. These and other actions would be blocked, and the user or administrator notified.

This fairly simple process can be further refined. It is possible, for example, to restrict the access of one application, like allowing Microsoft Internet Explorer read-only access to limited portions of the system registry while giving unrestricted access to other applications. Additionally, the actions of a downloaded application can be restricted on the local system and the application can be run in a protective "sandbox" to limit its destruction. The activity performed by the application can be checked against a set of rules in this environment, and depending on the policy set, the application's actions might be considered a violation of the policy, in which case they would be blocked.
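The per-application policy idea described above, as an added example (not code from the article or from any product): a toy behaviour blocker that checks each action a process takes against that process's policy and blocks the violations. The process names, registry keys, folders and event stream are constructed for the demonstration.

```python
# Added example (not from the article): a minimal rule-based behaviour blocker.
# Events from a running program are checked against that program's policy;
# violations are blocked. Process names, keys and paths are constructed.
from dataclasses import dataclass

# Registry keys and folders the assumed default policy treats as sensitive.
SENSITIVE_REG_PREFIXES = (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
                          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")
SENSITIVE_FOLDERS = (r"C:\Windows\System32",)

@dataclass
class Policy:
    registry: str = "read"                # "read" or "full"
    sensitive_folder_write: bool = False  # may write under SENSITIVE_FOLDERS

# Per-application policies, e.g. the browser gets read-only registry access.
POLICIES = {
    "iexplore.exe": Policy(registry="read"),
    "trustedinstaller.exe": Policy(registry="full", sensitive_folder_write=True),
}
DEFAULT_POLICY = Policy()

def evaluate(event):
    """Return (allowed, reason) for one (process, action, target) event."""
    process, action, target = event
    policy = POLICIES.get(process, DEFAULT_POLICY)
    if action == "reg_write" and target.startswith(SENSITIVE_REG_PREFIXES):
        if policy.registry != "full":
            return False, f"{process} may not write registry key {target}"
    if action == "file_write" and target.startswith(SENSITIVE_FOLDERS):
        if not policy.sensitive_folder_write:
            return False, f"{process} may not write into {target}"
    return True, "ok"

def run_monitor(events):
    """Evaluate an event stream; return the blocked events with their reasons."""
    blocked = []
    for ev in events:
        allowed, reason = evaluate(ev)
        if not allowed:
            blocked.append((ev, reason))
    return blocked

# Constructed sample event stream: (process, action, target).
SAMPLE_EVENTS = [
    ("iexplore.exe", "reg_read", r"HKCU\Software\Microsoft\Internet Explorer\Main"),
    ("iexplore.exe", "reg_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    ("download.exe", "file_write", r"C:\Windows\System32\drivers\evil.sys"),
    ("trustedinstaller.exe", "file_write", r"C:\Windows\System32\new.dll"),
]

if __name__ == "__main__":
    for ev, why in run_monitor(SAMPLE_EVENTS):
        print("BLOCKED:", why)
```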

In conclusion, which method is the best? All methods have their pros and cons, so the best solution is to combine them: use an antivirus product that supports all of these methods. But remember not to set the heuristic method too sensitive, to avoid false alarms. Let's fight the viruses.

Saturday, February 27, 2010

Princess of Dreams !!!




She is the very image of beauty,
a glimpse of pure sincerity,
she is an ocean of laughter,
whose whirlpools are joy...

Her nature is incomparable,
her selfless love is like nature's own!
She has a child's eager longing,
and yet the care of God himself...

Even glass would bow its head before her,
such is her genuineness!
Silken hair and a graceful form,
for which I have held affection to this day!

A clean heart and a pure gaze,
joy and sorrow make up her world,
rosy lips and soft cheeks,
a gait that sways with generosity and eagerness!

A voice like the fragrant wet earth,
it feels like a message from nature,
no infatuation, no attachment,
she has no wish to hurt any heart!


Today I do not ask,
where are you? or when will you come?
But answer me, O Lord,
who is that love of mine??
who is that love of mine!!


- સ્પર્શક (હર્ષ જડિયા)


Thursday, February 25, 2010

Email Hoaxes and Why They Work !



Spotting the latest email hoaxes may be easier than you think!

There are thousands of email hoaxes moving around the Internet at any given time. Some may be the latest email hoaxes around. Others may be mutated versions of hoax messages that have travelled the Internet for years. These email hoaxes cover a range of subject matter, including:



* Supposedly free giveaways in exchange for forwarding emails.
* Bogus virus alerts.
* False appeals to help sick children.
* Pointless petitions that lead nowhere and accomplish nothing.
* Dire, and completely fictional, warnings about products, companies, government policies or coming events.


The most famous and possibly the most effective scam is the "Nigerian Scam", where a plea is made to assist an unknown foreigner to move a large sum of money out of his country. In the process of this shell game, the victim provides his bank account information to the scammer, and the bank account is drained of money. The scam works because it appeals to the victim's greed, and also appeals to the victim to help set a wrong right. There are several variations on the theme of this scam.

Another indicator is that hoaxes tend not to provide checkable references to back up their spurious claims. Genuine competitions, promotions, giveaways or charity drives will usually provide a link to a company website or publication. Real virus warnings are likely to include a link to a reputable virus information website. Emails containing Government or company policy information are likely to include references to checkable sources such as news articles, websites or other publications.

A third indicator is often the actual language used. Email hoax writers have a tendency to use an emotive, "over-the-top" style of writing peppered with words and phrases such as "Urgent", "Danger", "worst ever virus!!", "sign now before it's too late" and so on, often rendered in ALL CAPITAL LETTERS for added emphasis. Paragraphs dripping with pathos speak of dying children; others "shout" with almost rabid excitement about free air travel or mobile phones. As well, some email hoaxes try to add credibility by using highly technical language.

Before forwarding an email, ask yourself these questions:

1. Does the email ask you to send it to a lot of other people?
2. Does the email fail to provide confirmation sources?
3. Is the language used overly emotive or highly technical?


A "yes" answer to one or more of the above questions should start some alarm bells ringing. These indicators do not offer conclusive evidence that the email is a hoax, but they are certainly enough to warrant further investigation before you hit the "Forward" button.
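The three-question checklist above, turned into a small scorer as an added example (not code from the post or from its sources): each indicator is checked over the message body, and the count of indicators present is the score. The phrase lists, the capital-letter ratio and the two sample messages are constructed assumptions.

```python
# Added example (not from the post): scores an email body against the three
# hoax indicators in the checklist. Phrase lists and thresholds are assumptions.
import re

FORWARD_PHRASES = ("forward this", "send this to everyone", "pass this on", "send to all")
EMOTIVE_WORDS = ("urgent", "danger", "worst ever", "before it's too late", "dying")
URL_RE = re.compile(r"https?://\S+|www\.\S+")

def hoax_indicators(body):
    """Return a dict with the result of each of the three indicator checks."""
    text = body.lower()
    words = re.findall(r"[A-Za-z']+", body)
    # Words of 4+ letters written entirely in capitals count as "shouting".
    caps = [w for w in words if len(w) >= 4 and w.isupper()]
    caps_ratio = len(caps) / len(words) if words else 0.0
    return {
        "asks_to_forward": any(p in text for p in FORWARD_PHRASES),
        "no_sources": URL_RE.search(body) is None,
        "emotive": any(w in text for w in EMOTIVE_WORDS) or caps_ratio > 0.2,
    }

def hoax_score(body):
    """Number of indicators present (0..3); 1 or more warrants checking first."""
    return sum(hoax_indicators(body).values())

# Constructed samples: a virus-hoax style message and a warning with a source.
HOAX = ("URGENT!!! WORST EVER VIRUS!!! It will destroy your hard drive. "
        "There is NO cure. Forward this to everyone in your address book NOW!")
GENUINE = ("A new worm is spreading via email attachments. Details and removal "
           "instructions are at https://www.example.org/advisory (constructed link).")

if __name__ == "__main__":
    for label, msg in (("hoax", HOAX), ("genuine", GENUINE)):
        print(label, hoax_score(msg), hoax_indicators(msg))
```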

For more help, visit: How to Check Out a Hoax

Source: www.sans.org
www.hoax-slayer.com

Tuesday, February 9, 2010

TCS website hacked !!



India’s largest information technology services company, Tata Consultancy Services (TCS), has become the latest target of hackers. The company has restored its website after hackers changed its domain name and put it up for sale for nearly three hours; the portal was restored by around 7 am.

The hackers re-pointed the name server (NS) records of the company’s website, changing its address to 205.178.152.154 from 216.15.200.140. The hacker had also put up a whos.among.us widget to display how many people were on the site at any given point. The hackers, according to a report, also provided an email id, abed_uk@hotmail.com. When asked, a spokesperson said: “The TCS website, www.tcs.com, was disrupted. Subsequently, it has been restored and is functioning fine. None of the servers were compromised. Initial investigation reveals a DNS (Domain Name Server) redirection at the domain name registrar’s end. Further investigations are on.”

The hackers not only attacked the website but also allegedly changed its domain name and put it up for sale. A TCS spokesman said the attack happened at the domain name registrar’s end, which in this case is Network Solutions. Network Solutions is one of the top five domain name registrars on the Internet, managing almost 6.4 million domains.

While this incident has raised questions about the level of security preparedness the country’s largest IT company has, experts think otherwise. “I am not at all surprised. This can happen with anyone. This certainly does not mean that the company is not giving better services to its customers. When you have signed a business deal with someone, you will give 100 per cent delivery. But, this is about a company that has probably not taken enough measures to keep its security up to date,” said a head of a security agency who did not wish to be quoted.
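A registrar-side NS redirection like the one reported above shows up as drift between a domain's live records and a recorded known-good baseline. The check below is an added example (not code from the article or from TCS); the resolver is injected so it runs offline, the two IP addresses are the ones quoted in the article, and the name server names and answer tables are constructed.

```python
# Added example (not from the article): compare a domain's live A and NS records
# with a known-good baseline to catch a redirection. Resolver is injected so the
# demo runs offline; NS names and the answer tables below are constructed.

def check_dns_drift(domain, baseline, resolve):
    """Return a list of (rtype, expected, seen) for every record set that differs."""
    findings = []
    for rtype, expected in baseline.items():
        seen = set(resolve(domain, rtype))
        if seen != set(expected):
            findings.append((rtype, sorted(expected), sorted(seen)))
    return findings

# Baseline recorded while the site was known-good (IP from the article; NS assumed).
BASELINE = {
    "A": ["216.15.200.140"],
    "NS": ["ns1.example-registrar.invalid", "ns2.example-registrar.invalid"],
}

# Constructed "live" answers: NS re-pointed and the address changed, as reported.
HIJACKED_ANSWERS = {
    ("tcs.com", "A"): ["205.178.152.154"],
    ("tcs.com", "NS"): ["ns1.parking.invalid"],
}
# Constructed clean answers; record order must not matter.
CLEAN_ANSWERS = {
    ("tcs.com", "A"): ["216.15.200.140"],
    ("tcs.com", "NS"): ["ns2.example-registrar.invalid", "ns1.example-registrar.invalid"],
}

def make_resolver(answers):
    """Build a resolve(domain, rtype) function from a fixed answer table."""
    return lambda domain, rtype: answers.get((domain, rtype), [])

if __name__ == "__main__":
    for name, table in (("clean", CLEAN_ANSWERS), ("hijacked", HIJACKED_ANSWERS)):
        drift = check_dns_drift("tcs.com", BASELINE, make_resolver(table))
        print(name, "OK" if not drift else drift)
```

For a live check, pass a real resolver instead of the table, for example (assuming dnspython 2.x) `lambda d, t: [r.to_text() for r in dns.resolver.resolve(d, t)]`, and run it on a schedule so a change is noticed in minutes rather than hours.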



Hacked Website Image:




Source: www.business-standard.com


Saturday, February 6, 2010

Introducing Sandboxie

Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.





The red arrows indicate changes flowing from a running program into your computer. The box labeled Hard disk (no sandbox) shows changes by a program running normally. The box labeled Hard disk (with sandbox) shows changes by a program running under Sandboxie. The animation illustrates that Sandboxie is able to intercept the changes and isolate them within a sandbox, depicted as a yellow rectangle. It also illustrates that grouping the changes together makes it easy to delete all of them at once.


Benefits of the Isolated Sandbox


* Secure Web Browsing: Running your Web browser under the protection of Sandboxie means that all malicious software downloaded by the browser is trapped in the sandbox and can be discarded trivially.

* Enhanced Privacy: Browsing history, cookies, and cached temporary files collected while Web browsing stay in the sandbox and don't leak into Windows.

* Secure E-mail: Viruses and other malicious software that might be hiding in your email can't break out of the sandbox and can't infect your real system.

* Windows Stays Lean: Prevent wear-and-tear in Windows by installing software into an isolated sandbox.
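The interception shown in the diagram, modelled as an added example (not Sandboxie's code and not from the page): writes by a "sandboxed" program are redirected into an overlay directory, reads fall through to the real file when no sandboxed copy exists, and discarding the sandbox removes every change at once while the real files stay untouched. The directory layout and the sample file are constructed.

```python
# Added example (not Sandboxie's code): a toy model of the diagram above.
# Writes land in an overlay ("the box"); reads prefer the boxed copy; discard()
# deletes all changes at once. Paths and the sample file are constructed.
import os, shutil, tempfile

class Sandbox:
    def __init__(self, real_root, box_root):
        self.real_root, self.box_root = real_root, box_root
        os.makedirs(box_root, exist_ok=True)

    def _paths(self, rel):
        return os.path.join(self.real_root, rel), os.path.join(self.box_root, rel)

    def write(self, rel, data):
        """Intercept a write: it lands in the box, never in the real tree."""
        _, boxed = self._paths(rel)
        os.makedirs(os.path.dirname(boxed), exist_ok=True)
        with open(boxed, "w") as f:
            f.write(data)

    def read(self, rel):
        """Sandboxed view: the boxed copy wins, otherwise the real file is read."""
        real, boxed = self._paths(rel)
        with open(boxed if os.path.exists(boxed) else real) as f:
            return f.read()

    def discard(self):
        """Delete every sandboxed change in one go."""
        shutil.rmtree(self.box_root)
        os.makedirs(self.box_root)

def demo():
    """Run the scenario; return (view while boxed, real file, view after discard)."""
    root = tempfile.mkdtemp()
    real, box = os.path.join(root, "real"), os.path.join(root, "box")
    os.makedirs(real)
    with open(os.path.join(real, "hosts.txt"), "w") as f:
        f.write("clean\n")                  # constructed "system" file
    sb = Sandbox(real, box)
    sb.write("hosts.txt", "tampered\n")     # a boxed program modifies it
    boxed_view = sb.read("hosts.txt")
    with open(os.path.join(real, "hosts.txt")) as f:
        real_content = f.read()             # the real file never changed
    sb.discard()
    after = sb.read("hosts.txt")            # boxed copy is gone, real file shows
    shutil.rmtree(root)
    return boxed_view, real_content, after

if __name__ == "__main__":
    print(demo())
```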

Download Sandboxie

Source: www.sandboxie.com/

What Is Heuristic Scanning And Why Is It Important?


Generally speaking, there are two basic methods to detect viruses - specific and generic. Specific virus detection requires the anti-virus program to have some pre-defined information about a specific virus (like a scan string). The anti-virus program must be frequently updated in order to make it detect new viruses as they appear. Generic detection methods however are based on generic characteristics of the virus, so theoretically they are able to detect every virus, including the new and unknown ones.

Why is generic detection gaining importance? There are four reasons:

1) The number of viruses increases rapidly. Studies indicate that the total number of viruses doubles roughly every nine months. The amount of work for the virus researcher increases, and the chances that someone will be hit by one of these unrecognizable new viruses increases too.

2) The number of virus mutants increases. Virus source codes are widely spread and many people can't resist the temptation to experiment with them, creating many slightly modified viruses. These modified viruses may or may not be recognized by the anti-virus product. Sometimes they are, but unfortunately often they are not.

3) The development of polymorphic viruses. Polymorphic viruses like MtE and TPE are more difficult to detect with virus scanners. It is often months after a polymorphic virus has been discovered before a reliable detection algorithm has been developed. In the meantime many users have an increased chance of being infected by that virus.

4) Viruses directed at a specific organization or company. It is possible for individuals to utilize viruses as weapons. By creating a virus that only works on machines owned by a specific organization or company it is very unlikely that the virus will spread outside of the organization. Thus it is very unlikely that any virus scanner will be able to detect the virus before the payload of the virus does its destructive work and reveals itself.

Each of these scenarios demonstrates the fact that virus scanners cannot recognize a virus until the virus has been discovered and analyzed by an anti-virus vendor.

These same scenarios do not hold true for generic detectors, and therefore many people are becoming more interested in generic anti-virus products. Of the many generic detection methods, heuristic scanning is currently becoming the most important.

How Does Heuristic Scanning Perform?

Heuristics is a relatively new technique and still under development. It is however gaining importance rapidly. This is not surprising as heuristic scanners are able to detect over 90% of the viruses without using any predefined information like signatures or checksum values. The amount of false positives depends on the scanner, but a figure as low as 0.1% can be reached easily.
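Specific detection (a scan string) beside generic detection (weighted heuristic traits with a sensitivity threshold), as an added example that is not code from the article: the mutant sample escapes the scan string but not the heuristic, and sweeping the threshold shows the false-positive trade-off the earlier post warns about. The scan string, trait names, weights and sample corpus are all constructed.

```python
# Added example (not from the article): specific vs generic detection on a
# constructed corpus. Scan string, trait weights and samples are assumptions.

# Specific detection: a scan string taken from one known sample (constructed).
SCAN_STRINGS = {"DemoVirus.A": b"\xEB\x10\x5E\x31\xC9\xB1\x10"}

# Generic detection: suspicious traits scored without reference to any sample.
HEURISTIC_FEATURES = {
    "self_modifying_code": 4,
    "writes_exe_files": 3,
    "decryptor_loop": 3,       # typical of polymorphic/encrypted bodies
    "hooks_interrupt": 2,
    "has_version_info": -2,    # benign trait lowers the score
}

def signature_scan(data):
    """Return the name of the first known virus whose scan string appears, else None."""
    for name, sig in SCAN_STRINGS.items():
        if sig in data:
            return name
    return None

def heuristic_score(traits):
    """Sum the weights of the traits found by static analysis."""
    return sum(HEURISTIC_FEATURES.get(t, 0) for t in traits)

def heuristic_scan(traits, threshold):
    """Generic verdict: flag when the score reaches the sensitivity threshold."""
    return heuristic_score(traits) >= threshold

# Constructed corpus: (name, bytes, traits, truly_malicious).
SAMPLES = [
    ("known.com", b"MZ..\xEB\x10\x5E\x31\xC9\xB1\x10",
     {"self_modifying_code", "decryptor_loop"}, True),
    ("mutant.com", b"MZ..\xEB\x10\x90\x5E\x31\xC9",      # one inserted NOP
     {"self_modifying_code", "decryptor_loop"}, True),
    ("installer.exe", b"MZ..", {"writes_exe_files", "has_version_info"}, False),
    ("packer.exe", b"MZ..", {"decryptor_loop", "has_version_info"}, False),
]

def evaluate(threshold):
    """Return (signature hits, heuristic detections, heuristic false positives)."""
    sig_hits = sum(1 for _, data, _, _ in SAMPLES if signature_scan(data))
    det = sum(1 for _, _, t, bad in SAMPLES if bad and heuristic_scan(t, threshold))
    fp = sum(1 for _, _, t, bad in SAMPLES if not bad and heuristic_scan(t, threshold))
    return sig_hits, det, fp

if __name__ == "__main__":
    for th in (1, 4, 8):   # too sensitive, balanced, too strict
        print("threshold", th, "-> sig hits, detections, false positives:", evaluate(th))
```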

What To Look For In Antivirus Software


With up to 100 new malware threats being discovered per day, antivirus software is, for many home computer users, the primary method for protecting their computer from threats.

Many computers come with some sort of antivirus software, often a trial version, installed. Unfortunately, many users fail to properly configure the antivirus software or keep it up to date, and many may let the antivirus software expire without even realizing their computer is no longer protected against current malware threats.

This article provides a listing of some of the key features or functions that are commonly found in antivirus software.

* Realtime Scanner: The antivirus software realtime scanner monitors network data as it is coming into the computer to intercept any malware as it enters your system.

* On-access Scanner: The on-access scanner does what its name implies: it scans files as they are opened or accessed to detect any malware.

* On-Demand Scanner: The on-demand scanner provides the ability to perform a custom scan of a file, folder or drive initiated by the user.

* Heuristic Scanner: Antivirus software typically has a heuristic scanner as well. Heuristic scanning uses what is known about existing malware and what it has learned from past experience to identify new threats even before the antivirus vendor creates an update to detect it.

* Compressed File Scanner: Some malware may come inside a compressed file such as a ZIP file, or may even be embedded in a compressed file within a compressed file and so on. Most antivirus programs can scan within a compressed file. The better programs may be able to scan many levels deep to detect malware even if it is buried within multiple compressed files.

* Scheduled Scans: Most antivirus software provides some method of creating a schedule to set when the software will automatically perform a scan. Some antivirus programs may restrict what sort of scans can be scheduled, while the more flexible programs allow you to run any type of pre-configured or custom scan at the scheduled time.

* Script Blocking: Script languages are frequently used to execute malicious code from web sites. Many antivirus programs have the ability to monitor Java, ActiveX, Visual Basic and other script files and detect and block malicious activity.

* POP3 Email Scanning: The ability of the antivirus software to monitor incoming and/or outgoing POP3 email traffic and the associated file attachments to detect and alert about virus or other malware threats.

* Webmail Protection: The better antivirus programs can monitor web-based email traffic such as Hotmail or Yahoo! Mail to detect and block malware in file attachments.

* Instant Messaging Protection: Many worms and other malware can now be spread through instant messaging programs such as AOL Instant Messenger (AIM) or Yahoo! Messenger. Some antivirus software will monitor instant messaging traffic to detect and block malicious threats.

* Automatic Virus Updates: One of the biggest problems users have with antivirus software is simply keeping it up to date. Most antivirus software can be configured to automatically connect with the vendor site and download new updates on a regular basis.

* Automatic Program Updates: The scan engine(s) and program itself may periodically be updated to add functionality to detect newer threats. Many antivirus software programs can be configured to automatically check for new updates and download and install them if they are available.

Source: www.about.com