The Aurora attack

Posted by Pieter on January 30th, 2010

The “Aurora attack” has received a lot of press lately. We at Malwarebytes have been following the developments closely so we can give you our view.

“Operation Aurora” is the name researchers gave to an attack exploiting a zero-day vulnerability in Internet Explorer to get information from Google, Adobe and other large companies.
Victims of the attack were tricked into downloading a trojan payload that would trigger other such payloads, with each stage of the attack downloading and deploying others. This type of attack has been called an Advanced Persistent Threat or APT, and needs only a small hole to break a network wide open.

According to Google the attack originated from China and attempted to gain access to the Gmail accounts of U.S.-, China-, and Europe-based human rights activists. A recent report found that three major U.S. oil companies, Marathon Oil, ExxonMobil, and ConocoPhillips, were targeted by similar attacks.

What do we learn from this?
Why should you care? We believe the bottom line is that in our world today, cybercrime is organized, sophisticated, and vicious, and this incident underscores the need for all Internet citizens, both private netizens and corporations alike, to protect themselves. In essence three parties need to work together to minimize the risk of compromised systems:

  • Content providers like Facebook, Twitter, and others must take every possible step to avoid APTs in their content.
  • Software developers (including Microsoft) must do their utmost to avoid security holes and fix exploits as swiftly as possible.
  • And users like all of us have to be made aware of the dangers present in our digital age.

The only sensible approach is a layered defense, or as a wise man told me years ago: “don’t put all your eggs in one basket.”

We at Malwarebytes strongly believe in a layered approach to security. By that we mean a combination of protective software, awareness, and safe computing practices. Layered protective software is especially important: an antivirus program alone is no longer sufficient to protect most users from the newest threats. We believe companion anti-malware software (like our own Malwarebytes’ Anti-Malware) is a critical addition that fills in the security gaps and protects against the threats antiviruses tend to miss: threats that are not classified as viruses, such as trojans and rogue security software, but that are just as annoying and harmful. Add a firewall to the mix and you have a layered security solution. An educated user completes the ideal picture.

We will be telling you more about how we determine the kinds of threats we should target in future blog posts.

How do we view our role?
We have added detection for the Aurora threat:

and we are further developing our heuristics modules in order to recognize malware files before they are ever released in the wild. We are also always open to cooperation with the companies that provide the other layers in the security chain, so that together we can provide better overall protection than the sum of the layers alone.

Every few months a major attack is featured in the mainstream media. People read about it, worry momentarily, and then forget. Take this opportunity to think seriously and critically about your security solution. The same powerful elements that target major corporations like Google and Adobe are often behind identity theft syndicates and other malware distributors that go after us as individuals. We don’t mean to be unduly alarmist, but we do believe there is a real danger out there, and it is our job to help you protect yourself. The Malwarebytes team is working every day of the year around the globe and around the clock to protect you from attacks like Aurora.

Pieter Arntz

If you are interested in certain aspects of this subject you may find the following articles interesting as well:
  • Exploit code has been made public
  • The German government warns against using IE
  • The New York Times: The financial loss from security breaches
  • The reluctance to update
  • Spear phishing

New developer joins Malwarebytes

Posted by Pieter on January 15th, 2010

Merijn Bellekom, author of famous malware fighting tools like BFU, CWShredder and HijackThis has joined the developer team of Malwarebytes.
This will surely mean that the improvements to Malwarebytes’ Anti-Malware will come at an even faster rate. With his track record who knows what the future has in store for us. We can’t wait!

Merijn started coding when he was about ten and has mastered VB, VB.NET, C, C++ and Java. He also has experience working with scripting languages such as ASP and PHP.
For those of you who are unfamiliar with his work, have a look around at his site Merijn.nu.

On behalf of the team, welcome and thank you for joining us Merijn.

Pieter Arntz

2.5 billion milestone

Posted by Pieter on January 13th, 2010

Another milestone will be reached, probably today.
Since the foundation of Malwarebytes we have removed 2.5 billion infections. For free!
You can keep track of this number by looking at our on-line database MalwareNET™.
That count includes only the anonymous data we receive from users who allow it, so the real number is probably much higher.
It also doesn’t tell us how many users of the full version were spared by our protection modules.
This is a proud moment for Malwarebytes, and at the current rate it will not take another five years to double that number.

Thank you for your trust in our product.

Pieter Arntz

Malwarebytes’ Anti-Malware version 1.44 has been released

Posted by Pieter on January 7th, 2010

Malwarebytes’ Anti-Malware version 1.44 has been released.
This is primarily a bugfix release, and fixes a number of stability and functionality issues in the previous release. If you had issues with 1.43, please let us know if 1.44 resolves them.

  • (FIXED) Minor issue with /runupdate displaying dialogs on errors
  • (FIXED) Saving bug report to initial directory failed silently
  • (FIXED) Issue with protection module not starting on Windows 2000
  • (FIXED) Censored license key on About tab
  • (FIXED) Protection module leaking memory on certain machine configurations
  • (ADDED) New command line parameter: /errorsilent (see help file)

The new version is available here.

Thanks!

-The Malwarebytes Team

IOBit Theft Conclusion

Posted by Marcin Kleczynski on December 9th, 2009

Some weeks ago we presented evidence demonstrating that the Chinese company IObit had stolen Malwarebytes’ database and incorporated it into their software. In the days that followed we saw a complete denial of wrongdoing by IObit. They ascribed the matches between their database and our own to anonymous sample submissions, a dubious claim which we debunked.

Nevertheless, IObit did subsequently remove all of Malwarebytes’ definitions from their database (thereby cutting their database size by ~40% in one fell swoop). Though we did not receive an apology from them, nor any official acknowledgment of their theft, this reaction speaks for itself. Removal of our intellectual property was what we wanted, and we therefore consider that we have won. We thank the community, online media outlets and our partners for their support in helping us achieve this favorable result.

We have documented here and here how IObit’s in-the-wild detection rates dropped from over 70% to under 20% overnight after removing Malwarebytes’ definitions from their database. Unsurprisingly, IObit has abruptly ended its anti-malware comparison testing program. We invite all users to continue comparing our in-the-wild detection rates with IObit’s over the next several months. We know who we believe will be on top, and we look forward to continuing to improve our products and to helping the online community at large.

Marcin Kleczynski

IOBit’s Denial of Theft Unconvincing

Posted by Marcin Kleczynski on November 3rd, 2009

Yesterday we presented evidence demonstrating that IObit is stealing and incorporating Malwarebytes’ proprietary database and intellectual property into their software.

Our argument was that IObit detected, under the same names, fake malware files that we (1) built ourselves in-house, (2) never released to the Internet, and (3) added fake definitions for to our own database. We concluded that IObit must be stealing the definitions directly from our database. The indication of theft was not solely that they named some detections the same way — at least not for real malware. Many vendors do that. However, since the fake malware name we made up (“Rogue.AVCleanSweepPro”) does not actually exist anywhere in the wild, their use of it alone was a strong indication of theft.

Over the course of the following day IOBit engaged in a concerted campaign to suppress the evidence we presented. First they deleted the forum post showing their detection of a Malwarebytes’ Anti-Malware keygen under the same name “Don’t.Steal.Our.Software.A” we use to detect such keygens. Then they were able to have the Google cache version of the same page removed. (Fortunately the Bing cache version is still live and we also have screenshots of the thread archived.)

Next, they edited their database to remove detection of the “trap” definitions we disclosed in our report. But these were only a few examples, only a small subset of the definitions they have stolen from us! And to our great surprise, they did not remove all the stolen definitions from their database. We have attached more examples below of stolen definitions still appearing in the current IObit database.

Lastly, IObit issued a statement flatly denying any database theft or wrongdoing. They offer two arguments to support this denial:

  1. They claim their database is constructed from anonymous Internet malware submissions. They claim furthermore that files like the fake files we created were submitted to them, named like we name malware, and that they included the submissions in their own database without changing the names.

    While this is at least plausible (if not likely) for the case of the Malwarebytes’ keygen they detected as “Don’t.Steal.Our.Software.A”, it does not explain how they obtained a submission of the fake file “rogue.exe” we manufactured in-house, never submitted anywhere, and named with a fake malware name “Rogue.AVCleanSweepPro” that does not appear anywhere in the wild.

    IObit explained this as follows:

    For example, rogue.exe has the same signature code with the malware “NOTSURE.dll” (VirusTotal). “NOTSURE.dll” was submitted by someone called “KXX” and described as “Rogue.AVCleanSweepPro” detected by Malwarebytes.

    We invite you to search Google for “Rogue.AVCleanSweepPro” or just “AVCleanSweepPro”. See if you can find a single place where anything called “Rogue.AVCleanSweepPro” was ever detected in the wild by Malwarebytes or anyone else. When we did this today, the only hits we got were for our own report yesterday and people talking about it. Before we published our report yesterday there was not a single hit on Google for either name. This malware name simply does not exist in reality. We made it up in-house. Only four members of Malwarebytes’ management were privy to the information about the fake files and the fake names. Therefore, any suggestion that somehow someone submitted to IObit a piece of malware anyone detected anywhere as “Rogue.AVCleanSweepPro” is simply a lie.

    As for “NOTSURE.dll” itself, all this suggests is that IObit manufactured a file that matches both our “Rogue.AVCleanSweepPro” fake signature and other vendors’ Trojan.Pugolbho signatures. This is not hard if you have already stolen the signature: after all, we also manufactured a dummy file matching the same “Rogue.AVCleanSweepPro” signature, in order to attach it to yesterday’s report. This does not prove any file was submitted to IObit over the Internet, under the name “Rogue.AVCleanSweepPro”.

    Attached are two more dummy files, “dummy1.exe” and “dummy2.exe”, benign executables built in-house to match two of our database signatures for “Adware.NaviPromo” (screenshot). You can see on VirusTotal here and here that no other security vendors detect these dummies. You can also see here (log1, screenshot1, log2, screenshot2) that IObit does detect them still, using their current database, as the same “Adware.NaviPromo”.

    IObit will likely claim once again that they received these files as anonymous submissions and added them to their database using the Malwarebytes names either by negligence or by chance. It is true that “Adware.NaviPromo” is a name used by multiple vendors, unlike “Rogue.AVCleanSweepPro”, which we fabricated in-house. But isn’t it interesting then that no other security vendor detects these dummy files (or any of the other dummies we have manufactured)? Only a single signature was added to the dummy files to make them detectable by Malwarebytes and IObit, and no other security vendors. Are we to conclude that IObit received these files as anonymous submissions and then chose to add them to their database using exactly the same signatures as we use, purely by chance? If these were common or obvious signatures, presumably other security vendors would be using them too, and the dummies should be detected by other vendors as well. But clearly they are not. Nor is this an isolated case; it has been the pattern for every example we have posted. While we realize this is not 100%-conclusive proof on its own, we hope you will agree in the context of the stronger evidence we have presented (the “Rogue.AVCleanSweepPro” detection above) that it is more than a little suspicious.

  2. IObit claims they could not have copied our database because theirs is larger than ours, 4.6 MB compared to 3.1 MB. This argument does not hold water. First of all, each of our databases is compressed and we can’t easily compare the sizes of the plaintext database contents. Second, and far more importantly, if IObit has stolen not only our database but also the databases of other security vendors, as we strongly suspect they have, then of course their database would be larger. We have presented evidence of theft to other security vendors, although we will leave it to them to disclose information to the public.

We have served CNET Download.com and MajorGeeks.com with infringement notifications under the United States Digital Millennium Copyright Act (DMCA). IObit software infringes Malwarebytes’ copyright and intellectual property rights and we have requested it be removed (MajorGeeks.com has removed it already).

Apparently IObit thought they could convince the community they had done no wrong. On the contrary, we have witnessed an outpouring of support for Malwarebytes and the hard work we put into our research and products, and we are humbled and thankful to everyone for it.

IOBit Steals Malwarebytes’ Intellectual Property

Posted by Marcin Kleczynski on November 2nd, 2009

Malwarebytes has recently uncovered evidence that a company called IOBit, based in China, is stealing and incorporating our proprietary database and intellectual property into their software. We know this will sound hard to believe, because it was hard for us to believe at first too. But after an in-depth investigation, we became convinced it was true. Here is how we know.

We came across a post on the IOBit forums (cached version, since they have now deleted the original) that showed IOBit Security 360 flagging a specific key generator for our Malwarebytes’ Anti-Malware software using the exact naming scheme we use to flag such keygens: Don’t.Steal.Our.Software.A.

Dont.Steal.Our.Software.A, File, G:\Nothing Much\Anti-Spyware\Malwarebytes’ Anti-Malware v1.39\Key_Generator.exe, 9-30501

Why would IOBit detect a keygen for our software and refer to it using our database name? We quickly became suspicious. Either the forum post was fraudulent or IOBit was stealing our database.

So we dug further. We accumulated more similar evidence for other detections, and we soon became convinced that this was not a mistake, not a coincidence, and not an isolated event, and that it persists in their current database. They are using both our database and our database format exactly.

The final confirmation of IOBit’s theft occurred when we added fake definitions to our database for a fake rogue application we called Rogue.AVCleanSweepPro. This “malware” does not actually exist: we made it up. We even manufactured fake files to match the fake definitions. Within two weeks IOBit was detecting these fake files under almost exactly these fake names.

We can’t publicly show all the evidence we found, because it is still our intellectual property: proprietary information about our database internals. But we don’t want you to have to take our word for it either, so we found a way to show you an example illustrating an indisputable pattern of theft.

Consider the file “dummy.exe”. It is a harmless dummy executable that runs, displays a “Hello World” message box, and exits. You can see from third-party scans on VirusTotal that no other security vendor flags this executable as malicious or even suspicious.

We created this dummy executable, then manipulated it slightly so that it matches one of the signatures in our database. We emphasize that it is still not malicious! — the signature is perfectly benign, when not in the context of actual malware, as you can see from the VirusTotal results.

We scanned the file with our own Malwarebytes’ Anti-Malware software and indeed it was flagged as “Don’t.Steal.Our.Software.A”. We scanned it with IOBit using their current build and database version and it was flagged as the same “Don’t.Steal.Our.Software.A”. We have included their log file and a screenshot of the detection. You can verify by yourself using the dummy executable and their most recent database.

We have attached two other such dummy executables to this post, so you can see for yourself. One of them, “rogue.exe”, matches our fake Rogue.AVCleanSweepPro definition (screenshot); the other, “fake.exe”, matches an Adware.NaviPromo definition (screenshot). The VirusTotal results for “fake.exe” and “rogue.exe” show that they are benign. You can see a screenshot of our detections here.
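The method described in this post and in the November 3rd post above rests on one technique: seed your own database with a “trap” definition for a family that does not exist, build a benign dummy file that matches only that definition, and check whether another vendor detects the dummy under your name. The Python below is an added example written for this page, not Malwarebytes’ or IObit’s code. Its signature format (a plain byte pattern per detection name), the pattern bytes, the family names and the two vendor databases are all constructed placeholders, and it deliberately produces no executable file. It also shows the point the earlier post makes: a dummy built from an ordinary signature that several vendors share is detected by both databases and so proves nothing on its own, while the canary is detected only by a database that copied it.

```python
"""Canary ("trap") definitions for detecting a copied signature database.

Added example; the databases, names and byte patterns below are constructed
placeholders, not real vendor definitions.
"""
from __future__ import annotations

# Constructed toy signature database: detection name -> byte pattern that a
# scanner searches for in a file.  Real definitions are far more involved.
OUR_DATABASE: dict[str, bytes] = {
    "Trojan.ExampleFamily.A": b"\xde\xad\xbe\xef\xcc\xcc",
    "Adware.ExampleFamily.B": b"EXAMPLE_ADWARE_MARKER_v2",
    # The canary: a family name invented in-house that no vendor uses, paired
    # with a pattern that never occurs in real malware.  Only this entry can
    # prove copying, because the pattern exists nowhere but in our database and
    # in the dummy files we build from it.
    "Rogue.CanaryFamilyName": b"CANARY-7f3a9c-never-in-the-wild",
}
CANARY_NAMES: frozenset[str] = frozenset({"Rogue.CanaryFamilyName"})

# Two constructed vendor databases to audit.  The first copied ours verbatim;
# the second was built independently and happens to share the two ordinary
# signatures (as real vendors often do) but cannot contain the canary.
COPIED_DATABASE: dict[str, bytes] = dict(OUR_DATABASE)
INDEPENDENT_DATABASE: dict[str, bytes] = {
    "Trojan.ExampleFamily.A": b"\xde\xad\xbe\xef\xcc\xcc",
    "Adware.ExampleFamily.B": b"EXAMPLE_ADWARE_MARKER_v2",
    "Generic.Suspicious.C": b"\xe8\x00\x00\x00\x00\x5b",
}


def build_dummy(name: str, database: dict[str, bytes]) -> bytes:
    """Return a benign dummy "file": inert filler with exactly one pattern embedded.

    The posts' dummies were real executables showing a message box; this one is
    plain filler bytes so the example never writes anything executable.
    """
    filler = b"HELLO WORLD DUMMY FILE " * 4
    return filler + database[name] + filler


def scan(data: bytes, database: dict[str, bytes]) -> list[str]:
    """Return the sorted detection names whose pattern occurs in data."""
    return sorted(name for name, pattern in database.items() if pattern in data)


def audit_vendor(vendor_db: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan one dummy per canary against a vendor's database.

    Returns {canary_name: [vendor detection names]}.  A non-empty list means the
    vendor reproduces a pattern that exists only in our database, which is the
    evidence the posts describe; an empty list is consistent with independence.
    """
    return {
        canary: scan(build_dummy(canary, OUR_DATABASE), vendor_db)
        for canary in sorted(CANARY_NAMES)
    }


def copied_definitions_detected(vendor_db: dict[str, bytes]) -> bool:
    """True if any canary dummy is detected by the vendor database."""
    return any(audit_vendor(vendor_db).values())


if __name__ == "__main__":
    for label, db in (("copied", COPIED_DATABASE), ("independent", INDEPENDENT_DATABASE)):
        print(label, audit_vendor(db), "->", copied_definitions_detected(db))
    # A dummy built from a shared, ordinary signature is detected by both
    # databases, so by itself it proves nothing about copying.
    shared = build_dummy("Trojan.ExampleFamily.A", OUR_DATABASE)
    print("shared signature:", scan(shared, COPIED_DATABASE), scan(shared, INDEPENDENT_DATABASE))
```

The value of the canary comes from keeping the name and pattern secret and out of any sample-sharing channel, which is exactly why the post stresses that only four people knew the fake names; a canary that has leaked into a public feed is no longer evidence of anything.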

During the course of our investigation, we uncovered additional evidence that IOBit may have stolen the proprietary databases of other security vendors as well. We are in the process of contacting these vendors.

Malwarebytes intends to pursue legal action against IOBit. We demand IOBit immediately remove all traces of Malwarebytes’ proprietary research and database from their software. We also demand IOBit be delisted from Download.com due to Terms of Service violations. This is criminal: it is theft, it is fraud, and we will not stand for it.

What can you do to help? If you feel the same way we do about this theft, we encourage you to send an email to hosting services such as Download.com and Majorgeeks.com requesting that all IOBit software be removed.

Malwarebytes Introduces Windows 7 Support

Posted by Marcin Kleczynski on October 23rd, 2009

As many of you know, Microsoft launched its revolutionary Windows 7 yesterday, October 22, 2009. To cater to our users’ needs, we have made Malwarebytes’ Anti-Malware Windows 7 compatible and starting with version 1.41 we now officially support Windows 7. Malwarebytes’ Anti-Malware will continue to be supported on Windows 2000, XP, and Vista along with most Server editions (both 32-bit and 64-bit).

If you are running a version lower than Malwarebytes’ Anti-Malware version 1.41, please upgrade to the latest version by clicking here.

We thank you for your continued support!

Marcin Kleczynski

Malwarebytes’ Anti-Malware IP Blocking

Posted by Marcin Kleczynski on August 3rd, 2009

Malwarebytes’ Anti-Malware version 1.40 introduces an IP blocking module for our paid customers.

The IP blocking module is a major addition to the Malwarebytes’ Anti-Malware protection module. When a user attempts to visit an infected website, the IP blocking module kicks in to block the connection and alert the user. The blocklist is updated every time the database is updated, so it always includes the latest IP ranges that should be blocked. It also gives us an advantage: because a blocked range stops every download from that range, it blocks malicious software that has not yet been released, which lets us be proactive rather than reactive.

Also, if a Trojan is executed on an infected system and it tries to download a payload, that payload will be BLOCKED by the IP blocking module. See below for a screenshot.

Malwarebytes' Anti-Malware IP Blocking
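To make the behaviour of such a module concrete, here is an added Python example written for this page; it is not Malwarebytes’ code and says nothing about how the real module is implemented. It assumes the blocklist arrives as a list of CIDR ranges with each definition update, indexes the ranges by prefix length so a lookup needs one masked comparison per distinct prefix length, and replays a few constructed connection attempts, including a payload download that is only blocked once the next update lands. The IP ranges are RFC 5737 documentation networks, so no real host is named.

```python
"""Outbound IP blocking against a blocklist delivered with definition updates.

Added example; the IP ranges and connection attempts are constructed.  The
ranges are RFC 5737 documentation networks, so no real host is named.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Two constructed blocklist "updates", as if shipped with database versions 1
# and 2.  Version 2 adds a third range.
BLOCKLIST_V1 = ["192.0.2.0/24", "198.51.100.0/25"]
BLOCKLIST_V2 = ["192.0.2.0/24", "198.51.100.0/25", "203.0.113.0/24"]


@dataclass(frozen=True)
class Verdict:
    process: str
    dest_ip: str
    dest_port: int
    blocked: bool
    reason: str


class IpBlocker:
    """Checks outbound destinations against blocked IPv4 ranges.

    Ranges are indexed by prefix length, so a lookup masks the destination
    once per distinct prefix length instead of testing every range.
    """

    def __init__(self) -> None:
        self._by_prefix: dict[int, set[ipaddress.IPv4Network]] = {}
        self.version = 0

    def update(self, ranges: list[str], version: int) -> int:
        """Replace the blocklist with a new update; returns the range count."""
        by_prefix: dict[int, set[ipaddress.IPv4Network]] = {}
        for text in ranges:
            net = ipaddress.IPv4Network(text, strict=False)
            by_prefix.setdefault(net.prefixlen, set()).add(net)
        self._by_prefix = by_prefix
        self.version = version
        return sum(len(nets) for nets in by_prefix.values())

    def matching_range(self, dest_ip: str) -> ipaddress.IPv4Network | None:
        """Return the most specific blocked range containing dest_ip, or None."""
        addr = ipaddress.IPv4Address(dest_ip)
        for prefixlen in sorted(self._by_prefix, reverse=True):
            # Mask the destination to this prefix length and look it up directly.
            candidate = ipaddress.IPv4Network((int(addr), prefixlen), strict=False)
            if candidate in self._by_prefix[prefixlen]:
                return candidate
        return None

    def filter_connection(self, process: str, dest_ip: str, dest_port: int) -> Verdict:
        """Decide whether one outbound connection attempt is allowed."""
        net = self.matching_range(dest_ip)
        if net is None:
            return Verdict(process, dest_ip, dest_port, False, "no blocklist match")
        return Verdict(process, dest_ip, dest_port, True,
                       f"destination in blocked range {net} (blocklist v{self.version})")


def run_example() -> list[Verdict]:
    """Replay constructed connection attempts across a blocklist update."""
    blocker = IpBlocker()
    blocker.update(BLOCKLIST_V1, version=1)
    attempts = [
        ("iexplore.exe", "192.0.2.10", 80),       # browsing to a blocked host
        ("updater.exe", "198.51.100.200", 443),   # outside the /25, allowed
        ("dropper.exe", "203.0.113.5", 8080),     # payload host not yet listed
    ]
    verdicts = [blocker.filter_connection(*attempt) for attempt in attempts]
    blocker.update(BLOCKLIST_V2, version=2)       # the next database update lands
    verdicts.append(blocker.filter_connection("dropper.exe", "203.0.113.5", 8080))
    return verdicts


if __name__ == "__main__":
    for v in run_example():
        state = "BLOCKED" if v.blocked else "allowed"
        print(state, v.process, f"{v.dest_ip}:{v.dest_port}", v.reason)
```

The third attempt is the case the post calls being proactive: the dropper reaches its download host until the range is added, and is cut off by the next update without any signature for the payload itself. The verdict carries the blocklist version so that an alert can be traced to the update that produced it.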

We hope all of our customers feel much safer now that this has been implemented!

If you have not yet downloaded Malwarebytes’ Anti-Malware, you may do so here. If you have not yet purchased Malwarebytes’ Anti-Malware, you may do so here.

Malwarebytes’ Anti-Malware Scan Times

Posted by Marcin Kleczynski on June 9th, 2009

As many may know, the researchers on the Malwarebytes team are competitive with each other. Most of our researchers like to use their own custom-built systems for malware hunting, so one aspect of the competition is who has the fastest system. Bruce Harrison, our lead researcher, recently revealed his Malwarebytes’ Anti-Malware quick scan time — 16 seconds. That is a new record, or at least the quickest scan time we have seen. Bruce’s system specifications are as follows:

ASUS P5E3 PREMIUM/WIFI-AP @n LGA 775 Intel X48 ATX Intel Motherboard
Intel Core 2 Duo E8400 Wolfdale 3.0GHz overclocked to 4.6GHz
Crucial Ballistix 2GB (2 x 1GB) 240-Pin DDR3 (PC3 16000)
Western Digital VelociRaptor WD3000HLFS 300GB 10000 RPM (x4)

So if you’d like a 16-second Malwarebytes’ Anti-Malware quick scan, it’s time to invest in a high-caliber system such as this. His full scan takes a little over two minutes, which is the average quick scan time for most of our users.

Marcin Kleczynski


Copyright © 2008 Malwarebytes blog. All rights reserved.