Thursday, December 11, 2008

Another big update from Microsoft

Microsoft issues mammoth security update, biggest in five years
Fixes 28 flaws in Windows, Office, IE, ActiveX development tools and more

By Gregg Keizer
December 9, 2008 (Article from: Computerworld)

Microsoft Corp. today patched 28 vulnerabilities, nearly all of them marked "critical," in the biggest batch of fixes it has issued since it switched to a regular monthly update schedule more than five years ago.

Of the 28 bugs quashed today, Microsoft ranked 23 of them critical, the top rating in its four-step scoring system. Of the five others, three were judged to be "important," the next step down, and two were pegged as "moderate." The patches were issued in eight updates for Windows, Internet Explorer, Office, SharePoint, Windows Media, and the company's most popular development tools, Visual Basic and Visual Studio.

Researchers agreed that one of the Windows updates should be tops on everyone's to-do list. "There are a few that will stick out for a lot of people," said Andrew Storms, director of security operations at nCircle Network Security Inc. "The GDI is one."

MS08-071, which contains two separate vulnerabilities, both critical, updates the Graphics Device Interface (GDI), the core graphics rendering component of Windows. GDI has been repeatedly patched by Microsoft, most recently in September.

"This looks very similar to MS08-021," said Storms, referring to an April update that patched two other GDI bugs. Like that earlier fix, as well as the one in September, hackers could exploit the vulnerabilities by duping users into opening or viewing malicious Windows Metafile (WMF) images.

"[MS08-071] is something similar to what we saw with WMF files once before this year, and once last year, too," said Amol Sarwate, manager of Qualys Inc.'s vulnerability lab. "It's in the core kernel, it's always there, it's in all versions of Windows and the attack vector is pretty high." Like Storms, Sarwate put the update at the top of his list.

The long-running patch job on GDI will, said Storms, inevitably prompt some to ask whether Microsoft's vaunted Security Development Lifecycle (SDL) process, under which it scrutinizes code as it's written for bugs, really works. "Is SDL functioning? I don't know," Storms admitted. "Without seeing the code analysis, it's difficult to presume it's not."

"Yes, I think that's a fair question," said Wolfgang Kandek, chief technology officer at Qualys. "But is it realistic to expect Microsoft to find everything? No, it's not."

Storms said the IE update, MS08-073, would be his next highest update priority, simply because of the number of vulnerabilities it fixes -- four, all critical -- and because of the dominance of Microsoft's browser. After that, it gets murkier. "GDI and IE are certainly top of the list, but beyond that it's a toss-up," he said. "It's going to be difficult for people in the trenches to understand what to go after the first and second."

Qualys' Sarwate and Kandek, meanwhile, staked out MS08-070 as the second-most-interesting update among today's eight. "This is a far-reaching vulnerability," said Kandek, who noted that while end users won't be installing this update for Visual Basic, it can potentially affect anyone who browses the Internet with IE.

"Microsoft's telling developers that they need to update their development system and the Visual Basic runtimes, then notify users of the ActiveX controls that they've created," said Kandek, talking about the technology that provides IE with add-on functionality. "And again, all [hackers] have to do is just come up with a malicious Web site with vulnerable ActiveX controls."

The Visual Basic update patches a total of six bugs, all ranked critical.

Other bulletins include updates that patch Microsoft Word's file format (MS08-072, with a total of eight vulnerabilities), Microsoft Excel's file format (MS08-074, three vulnerabilities), Windows Media (MS08-076, two vulnerabilities), SharePoint (MS08-077, one bug) and Windows Search (MS08-075, which deals with two vulnerabilities).

Some caught the eye of researchers. "The reason why I'm expecting questions about whether SDL is working is because of MS08-076," said Storms, referring to the two-patch update for Windows Media. "Both those bugs are very similar to what we've seen before in other Microsoft products."

Eric Schultze, the chief technology officer at Shavlik Technologies LLC, agreed. "This is closely related to a security patch from last month -- MS08-068," said Schultze in an e-mail today. That bug, which Microsoft fixed in November, was in how the Server Message Block (SMB) protocol handled credentials when a user connected to an attacker's SMB server. At the time, Schultze and others claimed that the bug went back at least seven years.

"It's similar to the MS08-068 attack, but uses different communication mechanisms to log on to the computers," Schultze added. "Microsoft says that Windows Media Player doesn't play by the same rules as the operating system, and that's why this issue wasn't fixed in November. I'd get this one patched right away."

Storms, however, pointed to MS08-075, which patches Windows Search, the integrated desktop search function, in Windows Vista and Windows Server 2008. He found the update interesting, not so much because it only affects Microsoft's newest operating system, but because one of its two patches fixed a flaw in yet another protocol, this time "search-ms."

"There have been issues prior with protocol handlers in Windows," said Storms. "Why would Microsoft make it possible for a protocol handler to call my local file system? What's the validity of that?"

As Storms said, Microsoft has had to patch several protocol handler vulnerabilities in the last 13 months, starting with one in November 2007 in Windows XP and Server 2003 that the company argued for months was not its responsibility to fix.

This month's eight security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

This must be one of the busiest months before the X-mas break.
I've noticed my Vista computer wanting me to install around 8 updates last night.

Wednesday, December 10, 2008

More scary news before the X-mas from Antivirus vendors

Computer threats becoming more sophisticated

By Computing staff
11 December 2008

The scale and sophistication of IT security threats increased at an unprecedented rate during 2008, according to a series of end-of-year research studies published last week.

Anti-virus vendor Kaspersky Lab said that 15 million new forms of malware will have been detected by the end of this year, up from just two million in 2007.

IBM said data from its 3,700 managed security services customers worldwide showed that the number of security events rose from 1.8 billion to 2.5 billion per day over the past four months alone.

And security firm F-Secure said the level of malware detections trebled over the year to equal the total amount accumulated over the previous 21 years.

“It would be no surprise if the cyber-crime business [in 2008] was worth not less than US$100bn,” said Kaspersky Lab chief executive Eugene Kaspersky. “Unfortunately, the anti-malware industry is in a panic. It has finally recognised that it needs to invest more in technology.”

Kaspersky estimated that there are “tens of thousands of people in the cyber-crime business”, and that security vendors are engaging in technical espionage and battling with each other to recruit the best engineers to keep up.

Mikko Hyppönen, chief research officer at F-Secure, said online crime is now more prevalent and more professional than ever before, and put the blame on the inability of national and international authorities to catch, prosecute and sentence computer criminals.

“The bottom line is that too few of the perpetrators of internet crime are either caught or punished,” he said. “If no action is taken it sends the message to these criminals that internet crime is an easy way to make a lot of money and they will never be caught or punished.”

Copyright © 2008 Computing

As expected from every year's end-of-year reports by AV vendors; in other words, these are expected numbers, as the number of computers is increasing, market competition is becoming more difficult, and these AV vendors are scared that the financial meltdown may lead to slow sales.
So this may help them to stay.

Tuesday, December 2, 2008

VMware: New VMware 3.0

VMware View 3 enhances virtual desktops
By Daniel Robinson 3 December 2008

VMware has updated its virtual desktop product with enhancements that make it easier to provision and manage virtual clients, and new capabilities that support mobile workers on laptops. Released today, VMware View 3 is a rebranding of the firm's Virtual Desktop Infrastructure (VDI) but with several new features.

Key among these is View Composer, which can provision virtual machines by combining a fixed master image with changeable user data stored separately, dramatically cutting the storage required for virtual clients.

The second key feature is Offline Desktop, which lets a worker download their corporate virtual client onto a laptop and take it out of the office.

Tommy Armstrong, VMware's senior marketing manager for enterprise desktops, explained that the development is about broadening out virtual desktops for customers looking at more strategic deployments.

"The number one thing customers told us they need for virtual desktops is to bring down the initial capital investment, for example in storage requirements," he said.

View Composer addresses this by splitting each virtual client into the operating system, applications and user data such as files and settings.

"Firms can manage lots of clones linked back to a single master image. Any commonality - Windows XP, service packs - is in that 'golden master'. The deltas [differences], which contain anything unique, can be much smaller," Armstrong said.

This can reduce storage requirements by up to 90 per cent compared with traditional virtual desktop deployments, VMware claimed, as well as enabling centralised patching and backup of the virtual clients.

Meanwhile, Offline Desktop enables firms to implement a virtual desktop strategy even if they have roaming users or some workers connected via a high latency connection. It combines VDI with another VMware product, ACE, that lets firms distribute virtual machines with corporate policy mechanisms applied to them.

"We're bringing these together so users can connect to their virtual desktop over the network as usual, but if a user wants to run their virtual machine locally they can 'check out' their desktop and run it on the local machine," said Armstrong.

Users can check their desktop back in when they reconnect to the network, or check in a backup, a delta file that just updates the datacentre image with any changes.

This will also allow users to make use of local resources for demanding applications, such as those that are graphics-intensive, according to Armstrong.

"It's about being able to run apps where it makes most sense, being able to move the virtual machine between datacentre and the client itself, the access device, if necessary," he said.

View Manager 3, VMware's connection broker (previously called Virtual Desktop Manager) can now connect users to a Terminal Services session or to physical PCs, such as blade workstations, as well as virtual clients.

Other enhancements address the end-user experience with virtual printing support, better USB redirection and improved multimedia handling.

Virtual printing lets the user print to whichever printer is currently attached to their access device, whatever or wherever that may be, according to VMware. USB redirection now allows for a broader range of peripherals to be connected to the access device and used with the virtual desktop.

With View 3, VMware has licensed Wyse's TCX technology for better media handling. This recognises media files, such as music and video, and sends them to the endpoint access device to be played locally.

VMware View 3 currently supports only Windows, but Armstrong strongly hinted at future Mac support, enabling users to check out their Windows-based corporate virtual client to an Intel-based Mac laptop, for example.

Copyright © 2008 vnunet.com

Great news for these virtual machine users.
Link: http://www.vmware.com/products/view/whatsincluded.html

Report: Symantec Report on the Underground Economy: November, 2008

Secrets of the underground economy

By Kathryn Small 1 December 2008 01:11PM

In IRC channels and web-based forums, the underground economy is thriving, according to the latest year-long report by Symantec. Find out how much a botnet or a set of credit card details would cost you.

The ‘underground economy’ refers to commercial cybercrime activity – specifically, the purchase and sale of fraudulent goods and services. Items for sale might include sold credit card data, bank account credentials, email accounts, and other data.
Services might include cashiers who can transfer funds from stolen accounts into true currency, phishing and scam page hosting, and job advertisements for roles such as scam developers or phishing partners.

The value of the total advertised goods on underground economy servers during the twelve-month period was more than US$276 million.
Information is bought and sold on IRC channels and web forums. Sometimes sellers set up shop on legitimate servers, which makes it harder for police to shut them down.

The underground economy is highly diverse. “The top ten servers control the top 11 per cent of the revenue,” said Craig Scroggie, VP and MD of Symantec Asia Pacific.
Sixty-three (63) per cent of sellers were offering online credit as payment, using wire transfers, or funnelling money through online currencies such as Linden dollars or World of Warcraft gold.

Credit card information was the most highly prized data, accounting for 31 per cent of everything that was sold during the survey period. That included credit card numbers, credit cards with CVV2 numbers, and credit card dumps. It was also the most requested category, making up 24 per cent of all goods requested.

Credit card details might be as cheap as US$0.10 per card, ranging up to US$25, while credit cards with CVV2 numbers ranged from US$0.50 to US$12.
“The thing about credit cards is that it could cost you as little as 10 cents, but the average advertised stolen credit card limit observed by Symantec is more than US$4,000. So it’s an incredible return on investment,” said Scroggie.

“We calculated that the potential worth of all credit cards advertised during the reporting period was US$5.3 billion.”

Credit card information is popular because it’s easy to obtain and easy to use for fraud, explained Scroggie.

“Credit cards are easy to use for online shopping, and it’s often difficult for merchants or credit card providers to identify and address fraudulent transactions before fraudsters complete these transactions and receive their goods.”

Australia has a disproportionately high number of credit card transactions every year. Scroggie explained that in Australia there are 14 million credit cards in circulation, performing 1.4 billion transactions in the last year. By contrast, the UK is three times as large, but had less than 1.8 billion transactions.

“Australia’s always been an early and strong adopter of technology, and we’re an early adopter from a market stand-point. We have high credit card usage relative to other strong economies.”

Next, fraudsters traded in financial accounts, at 20 per cent of the total. Stolen bank account information sells for between $10 and $1,000, but the average advertised stolen bank account balance is nearly $40,000. Symantec calculated the total value of bank accounts advertised at US$1.7 billion.

The average price of a botnet was $25, while the price of phishing scam hosting, keystroke loggers or screen scrapers was $10.

Desktop computer games made up 49 per cent of pirated software, which Scroggie said directly correlated to retail sales in the legitimate market. Following that was commercial software suites such as Adobe’s Creative Suite. “There was a large number of pirated games but the average retail price of games is low – around $50. So there’s a large amount of piracy, but not a large amount of money.”
The underground economy is spread out across the world, ranging from loose collections of individuals to organised and sophisticated groups. North America hosted the largest number of servers, with 45 per cent of the total; Europe/Middle East/Africa hosted 38 per cent; Asia/Pacific with 12 per cent; and Latin America with 5 per cent.

The report noted that the geographical locations of underground economy servers are constantly changing to evade detection.
Scroggie said businesses and individuals could take simple steps to protecting themselves from online fraud.

“They can protect themselves by ensuring they have messaging filtering, a defensive depth strategy, multiple mutual overlapping or complementary software, such as anti-viral, anti-spyware, anti-malware and anti-phishing.
“You can buy a combination of these technologies from reputable security vendors.”

Symantec report page : Link
Actual download link for report: Here (PDF file)

Sunday, November 23, 2008

Will Microsoft's free AV put a cloud over the current AV industry?

AVG Sees Uphill Battle for Microsoft in Its Launch of Free Anti-Virus Software
AVG Replies to Announcement of Competitor's Replication of Its Anti-Virus Software Offering

Last update: 9:22 a.m. EST Nov. 21, 2008
AMSTERDAM, Netherlands, Nov 21, 2008 /PRNewswire via COMTEX/ -- AVG, a global anti-virus and Internet security software provider with over 85 million users in 167 countries, today responded to Microsoft's announcement of a free anti-virus software product slated to appear in mid-2009.
AVG, which for eight years has offered free anti-virus software to users worldwide, noted the multiple challenges Microsoft faces in supporting a free anti-virus software product -- chief among them the enormous overhead costs it will incur for customer service and support issues, as well as for ongoing product management and upgrades.
Microsoft will also likely contend with a severe backlash from dissatisfied channel partners, whose margins and unit sales will be negatively impacted as a result of the free product offering, AVG believes.
"For over eight years, AVG has recognized and responded to the growing global threat of malware by offering a free and comprehensive tool to combat computer viruses, spyware, malware and online threats," said J.R. Smith, the company's CEO. "Microsoft is clearly following our lead, which will certainly help combat basic and less sophisticated threats. But the real threat in this scenario is to Microsoft's own profitability and channel partner relations."
AVG also highlighted the challenges facing Microsoft to keep pace with the growing proliferation of new and increasingly onerous online threats. Microsoft often relies on its monthly "patch Tuesday" updates to refresh its current anti-virus product, leaving computer users vulnerable to botnets and other malicious attacks. Importantly, the free Microsoft anti-virus software will have even less protective features than its current OneCare offering - further heightening computer users' vulnerability to fast-spreading viruses and other threats.
Statistics highlight the escalating problem. Computer infections from malware are increasing exponentially. AVG's in-house research team notes that 50,000 variants are being issued every day - further pointing up the need for real-time protection.
AVG's LinkScanner feature provides up-to-the-minute protection against the very latest threats. What's more, AVG's award-winning anti-virus products have long been recognized for providing maximum computer security and online protection with minimal resource strain.
From a global protection perspective, AVG has a strong presence in established and emerging markets. The company's strategic growth plan includes the introduction of several new native-language versions of its anti-virus programs in the coming weeks. Moreover, the company's worldwide user-support community -- with people and small businesses from 167 countries -- continues to grow as the industry's only truly "self-help" network.
"The exceptional ease of use and simplicity of AVG's products have long been a strong sell for the channel, providing more security strength and functionality at a much lower cost than Microsoft's anti-virus offerings," added Mr. Smith. "Given these tough economic times, our resellers appreciate the robust product margins we offer and the vitality of our end-user community to help drive future sales."

About AVG Technologies
AVG is a global security solutions leader protecting more than 85 million consumers and small business computer users in 167 countries from the ever-growing incidence of web threats, viruses, spam, cyber-scams and hackers on the Internet. Headquartered in Amsterdam, AVG has nearly two decades of experience in combating cyber crime and one of the most advanced laboratories for detecting, pre-empting and combating Web-borne threats from around the world. Its free online, downloadable software model allows entry-level users to gain basic anti-virus protection and then to easily and inexpensively upgrade to greater levels of safety and defense in both single and multi-user environments. Nearly 6,000 resellers, partners and distributors team with AVG globally including Amazon.com, CNET, Cisco, Ingram Micro, Play.com, Wal-Mart, and Yahoo!. More information is available at http://www.avg.com.
SOURCE AVG Technologies

Just recently Microsoft announced that they will offer free AV for Windows users; so does this mean everyone will use Microsoft's free antivirus instead of paid antivirus software?
The real question is why Microsoft is offering FREE AV. If Microsoft's AV were great antivirus software, would Microsoft give it away for FREE? Microsoft Office is NOT FREE, because they know they can make a profit. The bottom line is that Microsoft's AV is simply not a worthy competitor in the AV industry.

Microsoft tried for years to persuade Windows users to use their antivirus program and failed miserably; very few customers out there will use Microsoft's OneCare, as it's rated one of the worst-performing AVs.

Even AVG's free AV doesn't detect as much as some of the paid antivirus products like Norton, McAfee, Trend Micro, Kaspersky etc. These free AV users out there are NOT using AVG's free AV or Microsoft's free AV because they want to use it, but rather because they have to: they want FREE AV and don't want to pay for it. Average computer users know that AVG's or Microsoft's AV is not as good as the others that they can buy from computer shops or on the Internet.

Freebie users often don't pay for other software that they are using; therefore having freebie users as the main market is no good for the software company.

I remember the free antispyware companies like Ad-Aware and Search & Destroy; both companies are now selling their software, and they are not doing well on their sales because their initial offerings were FREE-based software. Once free, it will have to remain FREE; otherwise average computer users will not use them again. Why would you pay for second-grade software when you can get the best available software on the market for the same price?

These freebie users will use other free software when the free versions cease, which simply means freebie users will always want freebies. Going from freebie to paid versions is not a good marketing strategy.

If you don't make any profit then you are out of business; that is the fundamental law of business.

Wednesday, November 19, 2008

Microsoft dumps OneCare

Article: Microsoft scraps OneCare security suite

By Daniel Robinson
20 November 2008 06:10AM

Microsoft is to replace Windows Live OneCare with a free security service from the second half of 2009.
The company said that the replacement, codenamed Morro, will provide comprehensive protection from malware including viruses, spyware, rootkits and Trojans.

It will also be less demanding on system resources, making it suitable for low bandwidth connections or less powerful PCs.

Morro will be available as a download for users running XP, Vista and Windows 7. OneCare will continue to be available through retail for XP and Vista until 30 June 2009, and will be gradually phased out when Morro becomes available.

At the time of writing, Microsoft had not responded to inquiries regarding the reasons for dropping OneCare. Some commentators have speculated that the service has not been doing as well as the company had hoped, while others believe that Microsoft is trying to get a foothold in emerging markets.

"This new, no-cost offering will give us the ability to protect an even greater number of consumers, especially in markets where the growth of new PC purchases is outpaced only by the growth of malware," said Amy Barzdukas, senior director of product management for online services at Microsoft.

Other security vendors appeared unfazed by Microsoft's announcement, at least publicly.

AVG sees the move as a positive step in the anti-malware landscape, according to head of global communications Siobhan McDermott, who said that AVG did not feel threatened by Microsoft's entering the market.

"Our free product competes with most paid-for products from other vendors. We see no need to change our product at this time, based on what Microsoft has announced so far," she said.

Symantec warned that Morro would probably offer less protection than currently provided by OneCare.

"The security business is fundamentally different from any other market Microsoft plays in, and consumers are encouraged to consider how they will protect themselves, their identities and their families online," said Tom Powledge, vice president of Symantec's consumer business.

McAfee was even more scathing, suggesting in a statement that Microsoft was effectively exiting the security market because OneCare had failed.

"Microsoft has given up. They have now defaulted to a dressed-down freeware product that does not meet consumers' security needs. With more malware attacks than ever before, consumers require a trusted advisor and expert in security like McAfee," it said.

Copyright © 2008 vnunet.com

The OneCare security suite has been scoring one of the lowest detection rates from various independent virus sample testers. And despite the effort from the MS marketing team, OneCare wasn't selling well; maybe this made the decision to dump OneCare.

Tuesday, November 18, 2008

Joke: Man tries to pay bill with spider drawing


Australian man David Thorne tries to pay his overdue bill with his spider drawing.
So funny! Read the email

Importance of QA in Antivirus Industry: Case 1 - False positive detection

Just recently AVG offered infected customers a free one-year license or update.
Read the article:

AVG offers infected users free year of service

By Emma Hughes
17 November 2008 07:06AM

AVG announced yesterday that it would be offering a free year of service after its antivirus software got confused and misidentified a key Windows system file as malware.

The problem affected non-English versions of XP.

The security vendor identified earlier this week that user32.dll was coming up as a generic Trojan which caused a warning pop-up asking if the user wanted to delete it – unfortunately for those who say ‘yes’ they were stuck in an endless reboot cycle.

Once the floods of complaints began, AVG identified the mistake and began offering workarounds for affected users – which is fine if you’ve got someone else to look it up for you.

Yesterday however, AVG announced, "As a follow-up to the rapid distribution of recovery instructions and repair CDs, AVG Technologies is offering all affected users a free license or license extension as follows.”

This basically means a free year of AVG 8.0 service, or a free upgrade for AVG 7.5 users.

The upgrade also includes users of the free AVG antivirus service.

Once the company began apologising, it seemed to be unable to stop, "AVG Technologies apologises again for the inconvenience caused to our customers and wishes to assure our users worldwide that the company is actively putting new processes in place to avoid similar occurrences in the future.”

AVG has said that it will begin contacting affected customers beginning November 24 in order to give further instructions on this service.

Look how important QA testing for false positives is in the AV industry; not only has AVG lost revenue for a little mistake, it has also attracted unwanted media attention.

A few years ago, and again only a few months ago, Symantec had exactly the same thing when Norton AV was deleting part of Windows. It's all fixed up and updated now, but if these companies had done proper scan testing before the release of their antivirus definitions or database, then this wouldn't have happened.

False positive detection must be cleared before the release of the antivirus definition/database. If only AV companies properly implemented a QA testing lab to perform FP detection, at least on popular operating systems like Windows XP/Vista, then the AV industry wouldn't spend its time and money on patching or fixing its mistakes.
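As an added illustration of the pre-release check argued for above (example code written for this post, not AVG's or any vendor's tooling): a small release gate that runs every new signature over a corpus of known-clean operating system files and blocks the batch if any signature hits one, reporting which signature matched which file. The signature format (byte-level regular expressions), the two signatures and the stand-in copies of user32.dll and kernel32.dll are all constructed for illustration.

```python
"""Pre-release false-positive gate for a batch of new detection signatures.

Added example, not AVG's or any vendor's code. Before a definition update
ships, each new signature is run over a corpus of known-clean OS files; a
hit on any of them blocks the release. Signature format, corpus and file
contents are constructed stand-ins.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """A detection signature: a name plus a byte-level regular expression."""
    name: str
    pattern: bytes


@dataclass(frozen=True)
class CleanFile:
    """One file from the known-good corpus, identified by path and SHA-256."""
    path: str
    data: bytes
    sha256: str


def build_clean_corpus(files):
    """Hash every known-clean file so hits can be reported by path and digest."""
    return [CleanFile(path, data, hashlib.sha256(data).hexdigest())
            for path, data in sorted(files.items())]


def scan_clean_corpus(signatures, corpus):
    """Run each signature over every clean file; return (sig name, path, sha256) hits."""
    hits = []
    for sig in signatures:
        regex = re.compile(sig.pattern, re.DOTALL)
        for clean in corpus:
            if regex.search(clean.data):
                hits.append((sig.name, clean.path, clean.sha256))
    return hits


def release_decision(signatures, corpus):
    """Gate: the batch may ship only if no signature matches a known-clean file.

    Returns (ok, offending_signature_names) so the offending signatures can
    be pulled and the rest of the batch re-checked.
    """
    hits = scan_clean_corpus(signatures, corpus)
    offending = sorted({name for name, _, _ in hits})
    return (len(hits) == 0, offending)


def drop_signatures(signatures, names):
    """Remove the offending signatures so the remainder of the batch can ship."""
    return [s for s in signatures if s.name not in names]


# Constructed stand-ins for OS files: a DOS/PE header stub followed by a
# common x86 function prologue. Real system files are far larger; only the
# bytes the signatures look at matter here.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 56 + b"PE\x00\x00"
PROLOGUE = b"\x55\x8b\xec\x83\xec\x10"

CLEAN_FILES = {
    r"C:\Windows\System32\user32.dll": PE_STUB + b"USER32" + PROLOGUE + b"\x00" * 32,
    r"C:\Windows\System32\kernel32.dll": PE_STUB + b"KERNEL32" + PROLOGUE + b"\x00" * 32,
}

# Two constructed signatures from a hypothetical new definition batch. The
# first matches nothing more specific than "a PE file with a standard
# prologue", the kind of over-broad pattern that flags user32.dll; the
# second keys on a string unique to a (hypothetical) malware sample.
NEW_SIGNATURES = [
    Signature("Trojan.Generic.Constructed-A", rb"MZ.{0,256}?\x55\x8b\xec"),
    Signature("Trojan.Constructed-B", rb"c0nstructed-c2\.example\.invalid"),
]


if __name__ == "__main__":
    corpus = build_clean_corpus(CLEAN_FILES)
    for name, path, digest in scan_clean_corpus(NEW_SIGNATURES, corpus):
        print(f"FALSE POSITIVE: {name} matched {path} (sha256 {digest[:16]}...)")
    ok, offending = release_decision(NEW_SIGNATURES, corpus)
    print("release:", "ok" if ok else "blocked", offending)
    ok, offending = release_decision(drop_signatures(NEW_SIGNATURES, offending), corpus)
    print("after pulling offenders:", "ok" if ok else "blocked", offending)
```

In a real lab the corpus would be the actual file set of each supported OS build and the signatures the vendor's own format; the gate logic stays the same.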

Tuesday, November 11, 2008

Security giants propose new testing standard

By Shaun Nichols 12 November 2008

A group of leading security firms has proposed a new standardised system for testing security software. Symantec, McAfee, F-Secure and Kaspersky are among the names that have pledged support for the project, which boasts more than 40 security vendors and media groups as part of the Anti-Malware Testing Standards Organisation.

The new system would provide guidelines as to how a test should be conducted, including the types of malware used, method of analysis and accurate support for a conclusion.
The guidelines will also outline procedures for studying and disclosing new malware samples.
Security vendors and experts have long called for an updated standard for testing.

Current security tests, such as the Virus Bulletin 100 system, have been criticised for their procedures and what some say is an inability to accurately assess certain types of anti-malware programs.
The new group hopes that its outlines will allow security firms and independent testing groups to research the effectiveness of anti-malware solutions with better accuracy and a built-in neutrality.

"While there have been many great security software reviews in the past, many poor reviews have confused or misled people," said McAfee senior vice president Jeff Green.
"This is a significant milestone that should skew the balance towards fair and scientific testing, providing users with a true viewpoint on the security protection vendors provide."

Copyright © 2008 vnunet.com

Thursday, October 30, 2008

Symantec adds Messagelabs to Christmas shopping basket

Symantec to acquire MessageLabs, bolster SaaS
by David M Williams Thursday, 09 October 2008

Symantec Corporation, producer of the popular Symantec Anti-Virus corporate suite and of the less-than-popular Norton consumer product, has today announced its intention to acquire global e-mail-filtering company MessageLabs. The move signals Symantec's growth as a provider of SaaS. Symantec has been on the acquisition trail for several years with other notable purchases being Veritas - of backup fame - and Altiris - known for their enterprise network management and help-desk suite.
MessageLabs differs from the products Symantec is best known for due to its Software as a Service (SaaS) model. That is, MessageLabs requires no infrastructure or maintenance within your network save to redirect your incoming mail to hit their servers, not your own.
The MessageLabs machinery scrubs and cleans your inbound e-mail stream, delivering a spam- and virus-free feed to your corporate mail server.
MessageLabs report their customers include major financial institutions and legal firms as well as governments.
Additional MessageLabs services include a web proxy element and e-mail archiving.
In one sense MessageLabs was a competitor to Symantec's existing mail security product. Yet, the acquisition appears little to do with shutting down a competitor and more about bolstering Symantec's overall presence in the growing cloud space.
The CEO of MessageLabs, Adrian Chamberlain, said the interest by Symantec proved MessageLabs' SaaS model worked and that the company was a leader in its field.
Chamberlain stated that at the close of the acquisition Symantec would launch a new SaaS arm combining MessageLabs with the existing Symantec solutions for online storage, online backup and remote access. This new arm will be led by the MessageLabs management team, giving their division a stronger product from day one.
The purchase price will be US$695 million, but at this time the expected completion date has not been advised, no doubt with due diligence still in progress.


Symantec is expanding its business but downsizing its workforce.

Seeing Tough Times Ahead, Symantec Plans Layoffs
Robert McMillan, IDG News Service
Thursday, October 30, 2008 6:10 PM PDT

Anticipating a slowdown in IT spending, Symantec expects to begin laying off employees next month.
Symantec isn't saying exactly how many jobs it will cut, but on Wednesday Chief Financial Officer James Beer said that the company is looking to trim about 4.5 percent of the cost of its workforce. Separately, Symantec is also outsourcing some of the work done by its IT and finance departments, he said during a conference call with financial analysts.
Symantec has not yet determined how many cuts it will make to its workforce of 17,800 employees, but the layoffs will affect staff in all regions, said Cris Paden, a company spokesman. "We'll be notifying employees next month," he said.
On Nov. 1, Hewlett-Packard's EDS division will start taking over some of the company's IT operations, and IT and finance employees will be moved off the company payroll over the next 12 months, Paden said. Those reductions have been planned for months, and are separate from the cuts announced Wednesday.
Symantec's stock [SYMC] dropped nearly 18 percent Thursday on the company's sober economic outlook and its reduced earnings expectations.
Starting in the last weeks of September, Symantec saw some "hesitation from some of our customers when it came to finalizing commitments," Beer said in an interview.
"We did see some pulling back," he added. "It was an effect that we saw in different parts of our customer base around the world."

Tuesday, October 21, 2008

Human error and hardware theft are the two main causes of data breaches

Data breaches caused by human error, hardware theft

By Kathryn Small
21 October 2008 05:00PM
Human error and hardware theft are the two main causes of data breaches, according to Symantec’s recent survey into Data Loss Prevention.
The global security, storage and systems management company surveyed 156 Australian companies with 100 or more employees. Results were sent in from IT managers and C-level executives. The majority of respondents represented businesses with a financial turnover of $10-$500 million.

The survey’s headline result is that 79 per cent of respondents have experienced some form of data breach, and 40 per cent have experienced anywhere from six to 20 known data breaches in the past five years.

Further, 59 per cent of respondents suspect that they have experienced undetected data breaches, with many considering it “impossible” to catch every attempted breach.

Respondents lost different kinds of data, including customer records (55 per cent); employee records (48 per cent); intellectual property (43 per cent); commercially sensitive information (35 per cent); bank and credit card details (21 per cent) and financial information (20 per cent).

Lost or stolen laptops were the top cause of data breaches, at 45 per cent. “Respondents estimated that the average cost of a data breach was the same as replacing a lost laptop,” said Steve Martin, Mid Market Manager Pacific. “But I believe that’s too low, since it doesn’t take into account the potential value of the data.”

Lost mobile phones or portable devices also weighed in at 30 per cent. “A phone is the easiest thing to lose, and the easiest thing to steal,” said Martin. “Whenever I ask groups if they have email access on their phones, and whether their phone is password protected, the second number is always very low.”

The other key cause of data breaches was accidental human error (42 per cent). Craig Scroggie, VP and MD Pacific, cited the case of a restaurant which accidentally emailed 3,500 customers a copy of their client database, containing names, addresses and dates of birth.

Malicious attacks included hacked systems (29 per cent), malicious insiders (28 per cent), paper records being smuggled out of an organisation (26 per cent) and malicious code infiltrating systems (24 per cent).

“Today’s organisations have no walls and information can be anywhere, so securing the perimeter is no longer adequate. Additionally, many organisations believe that confidential information is most at risk from malicious acts when employees are mobile and not connected to the corporate network,” said Scroggie.

Among intentional security breaches of company secrets or intellectual property, 77 per cent said that data was copied to removable storage devices, and 51 per cent said that printed paper records were removed from the premises.

Other methods of moving stolen data included email or instant messaging (41 per cent), posting to public websites (26 per cent) and copying or photographing confidential data onto mobile phones or PDAs (21 per cent).

Scroggie emphasised that Data Loss Prevention required a holistic approach to protect customers, brands and intellectual property.

“We can stop these problems today,” said Scroggie. “We have the ability to discover, monitor and protect confidential data.”

Tuesday, October 7, 2008

PC Tools to be poor man's Norton

Liam Tung, ZDNet.com.au
28 August 2008 04:16 PM

Computer security giant Symantec said it would not integrate the software of recent acquisition PC Tools into its mainstream Norton suite, instead using the products as its low-cost option for countries such as India and China.
"The goal right now is to look at emerging markets. We'd like to see PC Tools take emerging markets — countries like Brazil, Russia, India, China," said Symantec's VP of consumer engineering, Rowan Trollope.
"They have been very successful at selling to a very specific segment of the market place that is more interested in lower price solutions."
The Australian security vendor is reported to have cost Symantec AU$300 million, and according to Trollope, gives it an avenue to target these countries without needing to drop its prices for Norton.
Asia Pacific is Symantec's fastest growing region; however, it generates the least revenue of its global operations, netting the company US$231 million, or about 14 per cent of its total revenues, in Symantec's first quarter 2009 earnings.
"I think price is an important component of the offering you bring to an emerging market. Some require lower prices, some accept higher prices, but with India and China in particular, you have to go in with lower prices," the executive told ZDNet.com.au.
While Norton Antivirus 2008 costs AU$59.00, and its Internet Security suite costs AU$99.00, PC Tools' equivalents respectively cost AU$49.95 and AU$79.95.
At the time of the acquisition, technology analysts at Gartner and Intelligent Business Research Services struggled to explain why Symantec would buy PC Tools, which had similar products to its own and added just 200 staff to Symantec's ranks of 17,000.
Trollope said that PC Tools did offer it some new technologies. Registry Mechanic, PC Tools Utility Suite, Threat Fire, and Browser Defender are considered "complementary" to Symantec's products.
While Symantec planned to run PC Tools as a "completely independent company", he said some products would be assessed for overlaps with Symantec's existing products.
"[PC Tools] have Spyware Doctor and they've got some other products that are similar to our products where we will be certainly interested in looking at how do they overlap and who provides which service," he said.
Trollope declined to confirm whether it had paid AU$300 million for PC Tools.


----------------------------------

Symantec has acquired PC Tools because of the ThreatFire engine (formerly Cyberhawk, a zero-day behaviour-based anti-malware engine) and ThreatExpert (PC Tools' sandbox automation tool for threat analysis).

Furthermore, because the AV market is becoming increasingly competitive and narrower, acquiring competitors is very important to stay competitive in the marketplace.
Symantec, McAfee and Trend Micro have all been acquiring third-party anti-malware and security product vendors in order to obtain newly developed technology or to eliminate possible competitors; it's the usual Art of War strategy in an ever more competitive business world.

Monday, October 6, 2008

Single Trojan accounts for 60 per cent of September attacks

By Iain Thomson 1 October 2008

A single family of Trojans has accounted for over 60 per cent of malware infections in September, according to Fortinet. The RogueSecurity Trojan and its variants accounted for 61.5 per cent of all malware attacks in September, the company claims. The Trojan and its variants took the top four positions on the company's malware list.

“Not since the start of this year, when the notorious Storm virus made a continuous run of devastating attacks, has any comparison been seen with this level of activity,” said the company. “However, where the Rogue security applications excel is the accumulated volume: maintaining these extreme levels of activity for at least six days, not to mention the other variants.”

The bulk of malware activity occurred in the second and third week of the month, with the W32/Inject.GZW!tr.bdr Trojan peaking at nearly two million in the middle of the month.

VirusTotal reports for two samples:

Sample 1 Sample 2

This is the usual FakeAlert trojan: it can inject its own DLL into any running executable (PE) process, and then alerts the user to a bogus "new" infection, or tells them outright that their PC is compromised and that they should buy the fraudsters' anti-virus or anti-spyware product.

Tuesday, August 19, 2008

Symantec acquires Sydney's PC Tools

Symantec acquires PC Tools

Mahesh Sharma | August 19, 2008

Symantec has bolstered its consumer product portfolio with the acquisition of Australian security software developer PC Tools.

The value of the deal wasn’t disclosed. It is expected to be finalised by the end of the year.

PC Tools is headquartered in Sydney, with offices in the US, Britain, Ireland and Ukraine. Symantec said the acquisition expands its reach in emerging regional markets.

PC Tools has over 200 staff globally and will remain a separate entity in the security giant’s consumer business.

Chief executive Simon Clausen will report to Symantec’s group president of consumer products, Janice Chaffin.

Symantec will not rebrand PC Tools’ products and will maintain existing partners and channels.

While there is significant overlap with Symantec’s security offerings, PC Tools also has a range of PC utility products to maintain, repair and optimise Windows operating environments.

PC Tools also recently released anti-virus software to protect the Mac OS X operating system.

Tuesday, August 5, 2008

Vista Service Pack 1 isn't actually SP1


It appears that Microsoft's woes with Vista aren't quite over yet. According to the company's official Windows Vista blog, a bug in the SP1 update is the latest in a mounting load of blunders.

A number of users reported problems resulting from the service pack prerequisite KB937287. After receiving reports of the error, Nick White, Microsoft's Product Manager, quickly responded by notifying customers that a decision had been made to "temporarily suspend automatic distribution of the update to avoid further customer impact while we investigate possible causes." Microsoft says that only a small number of users have been affected and that the company is presently working to crack the problem and put the update back online as soon as possible.

Also, if your Vista PC has SP1 installed, make sure you have applied all the critical Windows Updates up to the late June update. Apparently there are two major critical updates relating to Windows stability and performance issues.

Tuesday, April 8, 2008

Trend, Sophos and McAfee flunk Vista SP1 anti-virus tests

Trend, Sophos and McAfee flunk Vista SP1 anti-virus tests
That would be a FAIL, then
By John Leyden
Published Thursday 3rd April 2008 16:52 GMT
Article from: http://www.theregister.co.uk/2008/04/03/vista_sp1_av_tests/

Top tier anti-virus vendors including McAfee, Trend Micro, and Sophos all failed to secure Windows Vista SP1 in recent independent tests.
Virus Bulletin, the independent security certification body, said 17 of 37 anti-virus products tested failed to reach the VB100 certification standard. McAfee VirusScan, Trend Micro Internet Security and Sophos Anti-Virus overlooked threats known to be in circulation. Other vendors whose products failed to make the grade included Alwil, BitDefender, Norman, PC Tools, and VirusBuster.
Some of the ignored threats - largely polymorphic file infectors - have been in circulation for months. "It is disappointing to see so many products tripping up over threats that are not even new - computer users should be getting a better service from their anti-virus vendors than this," Virus Bulletin technical consultant John Hawes said.
Products from Symantec, Microsoft (which has had problems in previous VB100 tests), AVG, and Kaspersky Lab all passed.
Although still lagging behind Windows XP, Vista is likely to see more widespread use with the introduction of its first service pack, making it more important for anti-virus vendors to deliver dependable protection for the platform. Vista SP1 came out in mid March.
Virus Bulletin's VB100 tests pit each anti-virus product against a set of viruses from the WildList, a publicly available up-to-date list of viruses known to be circulating. To earn VB100 certification, products must be able to detect all the viruses contained in the WildList test set without generating false alarms when scanning a set of clean files.
Unlike other certification schemes, Virus Bulletin tests all products free of charge and does not allow re-testing. Virus Bulletin's comparative reviews also cover detection rates against a selection of zoo viruses (those not seen outside the laboratory), scanning speeds, and computational overheads.
Test results are here (free registration required).

Top Spam Botnets Exposed

Srizbi
Estimated # of bots: 315,000
Alternate names: Cbeplay, Exchanger
SMTP engine: Template-based
Total botnet spam-sending capacity: 60 billion spams/day
Control: encrypted, UDP and TCP ports 4099
Rootkit-enabled: Yes
Identifying strings: \SystemRoot\Minidump\%s, Udp6, Tcp6, MachineNum
Notes: With the combination of stealth and an efficient SMTP engine, Srizbi is a highly capable botnet spamming machine. However, Srizbi is not a monolithic botnet - it is split between several customers of Reactor Mailer, with over a dozen control servers. Because of this, a wide variety of spam can be seen coming from Srizbi at any given time. In addition, Srizbi is one of the most active botnets attempting to seed new infections by advertising links to porn-related video files of different celebrities, which are actually new copies of Srizbi.
Srizbi has emerged over the past year as the distributed part of the long-established Reactor Mailer web-based spam tool. Reactor may have used proxy servers in the past, but at some point a re-write of the software was commissioned by the head of the company, known only as “spm”. The author who did the re-write of the backend is a contract programmer living in Smila, Ukraine. It is unclear whether or not he also wrote the Srizbi trojan, but it is a likely possibility.

Bobax
Estimated # of bots: 185,000
Alternate names: Bobic, Oderoor, Cotmonger, Hacktool.Spammer, Kraken
SMTP engine: Template-based
Total botnet spam-sending capacity: 9 billion spams/day
Control: encrypted, TCP port 447
Rootkit-enabled: No
Identifying strings: cCdipsuxX%, w:\projects\b3\release\core.pdb
Notes: Despite reports of its demise, Bobax continues to be a strong player in the spam arena. At one time, Bobax was solidly in the business of sending mortgage spam, but lately has been seen mailing low-interest loan spam.

Rustock
Estimated # of bots: 150,000
Alternate names: RKRustok, Costrat
SMTP engine: Template-based
Total botnet spam-sending capacity: 30 billion spams/day
Control: HTTP with encryption, TCP port 80
Rootkit-enabled: Yes
Identifying strings: tmpcode.bin, unluckystrings, filesnames
Notes: Although Rustock started out in the stock spam business, it has branched out, and can currently be seen sending out pharmaceutical spam.

Cutwail
Estimated # of bots: 125,000
Alternate names: Pandex, Mutant (related to: Wigon, Pushdo)
SMTP engine: Template-based
Total botnet spam-sending capacity: 16 billion spams/day
Control: HTTP with encryption, TCP port 4080
Rootkit-enabled: Yes
Identifying strings: Poshel-ka ti na hui drug aver
Notes: Cutwail is the most common spambot installed by the Pushdo malware installer system, but it's not the only one. We've also seen Srizbi, Storm, Xorpix and Rustock installed on the same host together with Pushdo and Cutwail. Canadian Pharmacy spam is one of the things we most commonly see with Cutwail, but other types of spam are sent. Sometimes the botnet is used to send social-engineering emails in order to seed more infected hosts with Cutwail.

Storm
Estimated # of bots: 85,000 (only 35,000 send email)
Alternate names: Nuwar, Peacomm, Zhelatin
SMTP engine: Template-based
Total botnet spam-sending capacity: 3 billion spams/day
Control: HTTP on random ports with base64/zlib encoding, P2P-based server directory
Rootkit-enabled: Yes
Identifying strings: [blacklist], [peers]
Notes: Although Storm has been rumored to be quite large in the past, it has dropped to a more reasonable size. In addition, only Storm bots behind NAT firewalls actually send spam. This makes the capacity of the spam-sending part of the Storm botnet smaller than most of the other lesser-known botnets. However, those other hosts don't go to waste; they are used as fast-flux HTTP and DNS hosts for the spam system. Storm spent a lot of time sending pump-and-dump stock spam in the past, but occasionally will send pharmaceutical spam and job-offer (phishing mule) emails. When it's not spamming, Storm is sending links to fake greeting card sites which use browser exploits and social engineering to infect more users with Storm.

Grum
Estimated # of bots: 50,000
Alternate names: None known, except for generic/misassigned
SMTP engine: Template-based
Total botnet spam-sending capacity: 2 billion spams/day
Control: HTTP on TCP port 80
Rootkit-enabled: Yes
Identifying strings: Hi all, Already start, $TO_HEXMAIL, /spm/s_alive, /spm/s_tasks
Notes: Although little-known, Grum has accumulated a sizeable botnet over the past year by sending spam with supposed porn URLs which actually point to browser-exploiting pages. This botnet usually sends URLs hidden in non-related HTML, so it may be the botnet referred to by anti-spam vendor Marshal as “HTML”. Ultimately the links lead to Canadian Pharmacy sites.

OneWordSub
Estimated # of bots: 40,000
Alternate names: Unknown
SMTP engine: Template-based
Total botnet spam-sending capacity: Unknown
Control: Unknown
Rootkit-enabled: Unknown
Identifying strings: Unknown
Notes: Although we see a significant amount of spam emanating from this botnet, the malware behind it has yet to be identified. Due to the format of the spam it is sending, we believe this is the same botnet which anti-spam vendor Marshal refers to as "One Word Sub". This botnet has been seen sending Canadian Pharmacy spam.

Ozdok
Estimated # of bots: 35,000
Alternate names: Mega-D
SMTP engine: Template-based
Total botnet spam-sending capacity: 10 billion spams/day
Control: encrypted, TCP port 443
Rootkit-enabled: No
Identifying strings: KILL_LAZZY_ON_CONNECT, KILL_LAZZY_MX
Notes: Although Ozdok has a relatively small set of bots compared to some of the other botnets listed here, it is quite capable of pumping out a generous amount of spam, most of it related to enlargement products, but designer knock-offs and other spam are frequently seen.

Nucrypt
Estimated # of bots: 20,000
Alternate names: Loosky, Locksky
SMTP engine: Template-based
Total botnet spam-sending capacity: 5 billion spams/day
Control: HTTP with encryption, TCP port 3133
Rootkit-enabled: Yes
Identifying strings: 1f34ff45, taskmon.sys, /synctl/upd
Notes: Relatively small yet capable botnet - may have been evolving for a few years. Last seen sending Canadian Pharmacy spam.

Wopla
Estimated # of bots: 20,000
Alternate names: Pokier, Slogger
SMTP engine: Template-based
Total botnet spam-sending capacity: 600 million spams/day
Control: encrypted, TCP port 8080
Rootkit-enabled: Yes
Identifying strings: %sxtempx.xxx, %.250s.lzo, ctxlsp.dll, psrip.dat, mailgrab_emails.dat, OEMSO2000
Notes: Wopla is frequently installed by drive-by exploits in the same way as Srizbi, Rustock and Cutwail, although it doesn't appear to have been spread as widely. An interesting feature: Wopla can send spam direct-to-MX or by logging into at least one public webmail service. Bots which send spam through webmail providers will probably continue to increase in number, since the spam can evade IP-based blocklisting, and defenders must rely solely on content detection (or fingerprinting/anomaly detection at the webmail provider). Wopla seems to be primarily dedicated to porn spam.

Spamthru
Estimated # of bots: 12,000
Alternate names: Spam-DComServ, Covesmer, Xmiler
SMTP engine: Template-based
Total botnet spam-sending capacity: 350 million spams/day
Control: encrypted, multiple TCP ports
Rootkit-enabled: No
Identifying strings: hs5p, XSMTPX
Notes: Another botnet which cut its teeth mailing stock spam in 2006 and 2007; nowadays it can be seen sending pharmaceutical spam.

Other Spambots
In addition to these bots, there are several other template-based spam botnets, and still many more proxy-based botnets. Creating network-based fingerprints for proxy botnets is much more difficult, because ultimately you are fingerprinting the mailer engine, not the bot itself. In the case where the same spam tool might utilize multiple proxy botnets, it would greatly skew the results. One template-based botnet (Warezov/Stration/Opnis) that was a major player six months ago has completely dropped off the radar. Warezov was known for sending Chinese pump-and-dump stock spam. Perhaps it is no coincidence that in the same time frame that we stopped seeing Warezov spam/malware, the notorious spam kingpin Alan Ralsky was arrested and charged (among other things) with sending pump-and-dump stock spam for Chinese companies.
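As an added, defender-side example (not part of this post or of the original botnet report), the check below runs over constructed flow-log lines and flags the two network behaviours the list above describes: outbound connections to the listed control-channel ports, and a host that is not a sanctioned mail relay opening SMTP sessions to many distinct external mail exchangers, which is what a template-based direct-to-MX spam engine looks like from the edge. The log format, host addresses, relay list and threshold are assumptions; the port/protocol pairs are taken from the entries above.

```python
"""Triage outbound flow logs for the spambot indicators in the fact sheet."""
from collections import defaultdict
import re

# Control-channel (protocol, port) pairs listed above. Storm (random ports),
# OneWordSub (unknown) and Spamthru (multiple ports) cannot be keyed this way.
# Ports 80, 443 and 8080 are shared with ordinary web traffic, so a match on
# them is marked weak ('?') and only matters alongside other evidence.
CONTROL_CHANNELS = {
    ("udp", 4099): "Srizbi", ("tcp", 4099): "Srizbi",
    ("tcp", 447): "Bobax",
    ("tcp", 80): "Rustock/Grum",
    ("tcp", 4080): "Cutwail",
    ("tcp", 443): "Ozdok",
    ("tcp", 3133): "Nucrypt",
    ("tcp", 8080): "Wopla",
}
WEAK_PORTS = {80, 443, 8080}

# Assumed key=value flow-log format (constructed for this example).
LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)"
)


def parse(line):
    """Return the fields of one flow-log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["dport"] = int(fields["dport"])
    return fields


def triage(lines, mail_relays, mx_threshold=5):
    """Return (cnc_hits, spammers).

    cnc_hits: {src: set of family labels}, weak matches suffixed with '?'.
    spammers: {src: number of distinct destinations contacted on TCP 25} for
    hosts outside mail_relays that reach mx_threshold, i.e. direct-to-MX senders.
    """
    cnc_hits = defaultdict(set)
    mx_targets = defaultdict(set)
    for line in lines:
        f = parse(line)
        if f is None:
            continue
        family = CONTROL_CHANNELS.get((f["proto"], f["dport"]))
        if family:
            cnc_hits[f["src"]].add(family + ("?" if f["dport"] in WEAK_PORTS else ""))
        if f["proto"] == "tcp" and f["dport"] == 25 and f["src"] not in mail_relays:
            mx_targets[f["src"]].add(f["dst"])
    spammers = {h: len(t) for h, t in mx_targets.items() if len(t) >= mx_threshold}
    return dict(cnc_hits), spammers


# Constructed sample: one workstation beaconing on the Cutwail control port and
# talking SMTP to eight external MXes, the real relay doing its job, and a
# desktop doing ordinary web browsing.
SAMPLE_LOG = [
    "src=10.0.0.12 dst=198.51.100.7 proto=tcp dport=4080",
    *[f"src=10.0.0.12 dst=203.0.113.{i} proto=tcp dport=25" for i in range(1, 9)],
    "src=10.0.0.25 dst=203.0.113.50 proto=tcp dport=25",  # sanctioned relay
    "src=10.0.0.25 dst=203.0.113.51 proto=tcp dport=25",
    "src=10.0.0.31 dst=192.0.2.10 proto=tcp dport=443",   # ordinary HTTPS
    "src=10.0.0.31 dst=192.0.2.11 proto=tcp dport=80",
]


def run_sample():
    return triage(SAMPLE_LOG, mail_relays={"10.0.0.25"})


if __name__ == "__main__":
    hits, spammers = run_sample()
    for host, fams in sorted(hits.items()):
        print(f"{host}: control-channel matches {sorted(fams)}")
    for host, n in sorted(spammers.items()):
        print(f"{host}: SMTP to {n} distinct external hosts, not a sanctioned relay")
```

The weak matches on 10.0.0.31 show why port-only rules are a triage aid rather than a verdict; the host that both beacons on a listed port and sprays SMTP is the one worth pulling for the identifying-string check.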
