Malware or Not?

I’ve been doing an interesting experiment, in a virtual machine on a separate PC with no personal information at all on it.  I’ve been going through SPAM emails and clicking on every link to see what happens.  It is an interesting exercise.  For example, I recently wrote another blog entry about how time cures much in the way of SPAM-based malware attacks because the offending web sites are typically blocked or taken down within 24 hours.  Now on to a little anatomy of one piece of SPAM I’ve been getting, and how it continues to be an issue.

I’ve seen a number of mails for different on-line gambling sites, and they all lead to the same URL in Russia.  In order to participate you have to download an app.  Can you guess what an app being offered up by a gambling site in Russia that draws in people via SPAM is likely to be?  You got it, Malware.  So I downloaded the installation file (GrandDollar_setup.exe) and submitted it for analysis by most of the anti-Malware engines out there via the Virscan.org website.  About 30% of the engines, mostly obscure ones, flagged this installation file as Malware.  The majors, including Microsoft, Symantec, McAfee, etc., don’t find anything wrong with the file.  You can check out what the different engines think of this setup file at http://file.virscan.org/report/5ce4eac19f478b99a3ee95f7a077f373.html

We are left with the question of whether the detections by the more obscure anti-Malware engines are false positives, or whether the major anti-Malware vendors are just exceedingly slow to respond to the threat (i.e., apparently people have been looking at this since January).  I think the answer is neither.  I think that analysis of the Setup file continues to show no clear sign of actual malware, but that a number of engines flag it as such because there just seems to be so much about it that is fishy even if they can’t find the smoking gun.

Next I ran the setup file, and once installation is complete you have a new app on your PC called Crazy Slots Casino.  I run Crazy Slots Casino and it proceeds to run for five minutes updating files and downloading new components.  Hmm, could this be where Malware gets on your system?  Well, I notice that the app doesn’t have a way to exit (e.g., no [x] on the upper right of the Window).  The shortcut placed on the desktop lacks an icon, indicating a rather sloppy setup program.  The App also uses Adobe Flash, which has been a major source of vulnerabilities over the last year.  This is all very suspicious.  But anti-Malware scans continue to find nothing wrong.  Next I see you have two choices: you can play for fun or you can play for money.  If you select to play for money then you have to enter your personal information (name, address, BIRTHDATE, etc.).  Then you have to go to the Cashier and put money in your account using a credit card.  Ok, so even if this app places no Malware on your system you are being asked to provide all your personal information by an app you downloaded from a Russian website that a piece of SPAM took you to.  This sounds bad; very bad.  I would guess there is a 99% chance this is identity theft.  But does that make it Malware?

Perhaps GrandDollar_setup.exe/Crazy Slots Casino isn’t a Virus, Rootkit, etc., but it certainly seems to meet the definition of Malware.  So why then are all the major anti-Malware vendors failing to classify it as such?  I think it is because this app has skillfully skirted the boundaries.  It doesn’t appear to do anything nasty to your system, and there is no real evidence that they are gathering the personal information for any purpose other than to facilitate on-line gambling.  This causes the “big boys” to let it pass, while smaller, more aggressive anti-Malware players take the chance that it is a false positive.

I do want to put in a plug for IE9’s Reputation-based filtering on this.  IE9 doesn’t report this as Malware, it reports it as a file that is not commonly downloaded (because it doesn’t have a positive reputation) and tries to keep you from downloading it.  I jumped through the appropriate hoops to download it, despite IE9’s best attempts to stop me, so I could see what happened.  It will be great if Windows 8 just refuses to install or run an application (unless you jump through hoops) that doesn’t have a good reputation.  Imagine how much Malware that will stop dead in its tracks!

Where does this leave you as a user?  Well, I’m going to have to invoke Darwin here.  Anyone who follows a link in some email that has been flagged as SPAM, to a site in Russia, then downloads software from that site despite warnings it is suspicious, then gives that software a wad of personal information including a credit card, deserves what they get.  There is only so much that software or the law can or should do to protect you.

For those who would prefer a higher level of protection than they are currently getting even if it means more false positives I do have a recommendation.  Immunet is the only vendor I know of who makes a real-time anti-Malware solution that can be installed alongside existing anti-Malware such as Microsoft Security Essentials (MSE).  In my experience they do have more false positives than MSE but also seem to catch some real issues that MSE (and others) miss.  For example, Immunet does consider GrandDollar_setup.exe to be Malware (W32.Trojan.a9b9) and prevented it from running on my machine.  For years email anti-Malware filtering solutions such as Microsoft’s FOPE have used multiple engines in their filtering of email as a way to increase the odds of detecting Malware.  By installing Immunet alongside your existing anti-Malware solution you can now get the same benefit on your PC (or as security people sometimes call it, Endpoint).
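The multi-engine idea above (a file keyed by its MD5, a handful of obscure engines flagging it while the majors stay quiet, and a second real-time engine on the endpoint catching what the first misses) can be written down as a small triage policy. This is an added example, not code from the post or from any scanning service; the engine tiers, thresholds and the per-engine verdicts are constructed for illustration, and only the Immunet label W32.Trojan.a9b9 comes from the post.

```python
import hashlib
from typing import Dict, Tuple

# Assumption for this example: which vendors count as "major" engines.
# The post names Microsoft, Symantec and McAfee as the majors that stayed quiet.
MAJOR_ENGINES = {"microsoft", "symantec", "mcafee"}


def file_md5(data: bytes) -> str:
    """Hex MD5 of a file's bytes; multi-engine report pages are keyed by it."""
    return hashlib.md5(data).hexdigest()


def classify(verdicts: Dict[str, str], ratio_threshold: float = 0.25) -> Tuple[str, float]:
    """Triage a multi-engine report.

    verdicts maps engine name -> detection label; an empty string means clean.
    Policy (an assumption of this example): any major-engine hit is malicious;
    otherwise a detection ratio at or above the threshold is suspicious and
    should be quarantined pending review; below that it is treated as clean.
    Returns (decision, detection_ratio).
    """
    if not verdicts:
        raise ValueError("no engine results to evaluate")
    detected = [engine for engine, label in verdicts.items() if label]
    ratio = len(detected) / len(verdicts)
    if any(engine.lower() in MAJOR_ENGINES for engine in detected):
        return "malicious", ratio
    if ratio >= ratio_threshold:
        return "suspicious", ratio
    return "clean", ratio


def endpoint_allows_run(local_verdicts: Dict[str, str]) -> bool:
    """Two real-time engines side by side: the file runs only if neither detects it."""
    return not any(label for label in local_verdicts.values())


# Constructed report mirroring the post's situation: 3 of 10 engines detect, majors clean.
SAMPLE_REPORT = {
    "Microsoft": "", "Symantec": "", "McAfee": "", "EngineD": "",
    "EngineE": "", "EngineF": "", "EngineG": "",
    "ObscureA": "Trojan.Generic", "ObscureB": "Suspicious.Packer",
    "Immunet": "W32.Trojan.a9b9",
}

# Constructed endpoint picture: the first engine passes the file, the second blocks it.
SAMPLE_ENDPOINT = {"MSE": "", "Immunet": "W32.Trojan.a9b9"}

if __name__ == "__main__":
    print(file_md5(b"constructed sample bytes, not the real installer"))
    print(classify(SAMPLE_REPORT))          # ('suspicious', 0.3)
    print(endpoint_allows_run(SAMPLE_ENDPOINT))  # False
```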
