Archive for March, 2014

How to defend from the “Zero day viruses” family

Recently, virus authors have learned how to slip past antivirus programs. They do it by changing the virus code slightly so that it appears to have a new “signature”. Signatures are the traditional way antivirus programs detect viruses. With a new signature, the virus is unknown to the antivirus program and can enter the computer easily.

Once it is in the computer, it can do several things:

  1. Scan your computer and steal important documents.
  2. Act as a bridgehead and download other viruses.
  3. Install itself so that it runs every time the computer boots.
  4. Record every keystroke, conversation and login you make on the computer and transmit them to criminals.

The life expectancy of such a virus is three weeks – the time it takes for the antivirus program to be updated on every computer in the world. By then the virus author has released a new (and again unknown) version.

Since antivirus software has this inherent flaw, many solutions are being developed to close this “zero day virus gap”. The common approach is to place a monitoring program on the computer that watches its activity and sends suspicious incidents to the network administrator’s attention. The incidents are evaluated using a “behavioral approach”, which aims to determine whether the incident indicates a virus infection or not. Other solutions put traps on the computer and wait for a virus to trigger the trap alarm. Most of these solutions are aimed at the enterprise market and require professional staff to handle the alerts they generate.

“Magen – Malware Vigilance” was developed by programmers for the home market: it alerts users to possible malware infection of their computer and allows them to disable the threat before significant damage is done. Magen is an alarm system, not an antivirus. This means that it does not block, erase or dismantle viruses; it specializes in detecting new programs that have installed themselves on the computer and bringing them to the computer owner’s attention for scrutiny.

Magen’s detection algorithm is very efficient and patent pending. It alerts on every program installation on the computer, that is, every program that has configured itself to start automatically.
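The alert-on-new-autostart idea described above, as an added example that is not Magen’s code: a baseline snapshot of the Windows Run keys is diffed against a later snapshot, and every entry that appeared or changed raises an alert. The baseline entries, the `msxurpk.exe` path and the Run-key collector are constructed for this example.

```python
"""Baseline-and-diff alerting on autostart changes (hypothetical example, not Magen's code).
Live collection reads the Windows Run keys; the sample snapshots below are constructed."""
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def collect_run_keys():
    """Snapshot HKCU/HKLM Run entries as {location: command}; returns {} off Windows."""
    if sys.platform != "win32":
        return {}
    import winreg
    entries = {}
    for hive, hive_name in ((winreg.HKEY_CURRENT_USER, "HKCU"),
                            (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
                    name, command, _ = winreg.EnumValue(key, i)
                    entries[f"{hive_name}\\{RUN_KEY}\\{name}"] = command
        except OSError:  # hive not readable (e.g. HKLM without admin rights): skip it
            continue
    return entries


def new_autostart_entries(baseline, current):
    """Alert on every autostart entry that appeared or changed since the baseline."""
    alerts = []
    for location, command in sorted(current.items()):
        if location not in baseline:
            alerts.append(("NEW", location, command))
        elif baseline[location] != command:
            alerts.append(("CHANGED", location, command))
    return alerts


# Constructed snapshots: a clean baseline, then the same machine after an e-mail
# attachment has registered itself to run at every boot (path is made up).
BASELINE = {
    rf"HKCU\{RUN_KEY}\OneDrive": r'"C:\Users\Owner\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    rf"HKLM\{RUN_KEY}\SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
}
INFECTED = dict(BASELINE)
INFECTED[rf"HKCU\{RUN_KEY}\msxurpk"] = r"C:\Users\Owner\AppData\Roaming\msxurpk.exe"

if __name__ == "__main__":
    for kind, location, command in new_autostart_entries(BASELINE, INFECTED):
        print(f"{kind}: {location} -> {command}")
```

On a Windows machine, save the output of `collect_run_keys()` as the baseline once and diff a fresh snapshot against it at each boot; only the Run keys are covered here, so services and scheduled tasks would need their own collectors.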

Using Magen brings to the computer user’s attention information about significant changes in their computer and allows them to stay in control of their computer hygiene. From time to time it reveals legitimate program updates that install new computer services without telling the owner and without a good reason for doing so. I consider such updates to be immoral, and the information Magen conveys allows people to remove the undesired intrusion.

“Decent spyware” can be used to inflict significant damage on the victim: from pedophiles who are able to get into kids’ bedrooms, to cyber criminals who can take out a home mortgage in other people’s names.

In the following example we can see a sample of a virus received in an email message (click the image to enlarge):

Email with virus attachment

The virus triggers the following alert:

Malware alert

Pressing “more…” reveals the program properties:

Detailed view of Malware alert

Googling for msxurpk.exe returns no results. Together with the rest of the properties, it is quite evident that this is most likely a virus. The best way to disable this threat is to click the “system restore” button and restore the operating system to a date earlier than the detection date (in our case 02/March/2014).

In these sophisticated times, when people spend many hours online, it is essential to be “Malware Vigilant” and protect your computer from being infected by a “Zero day virus” that can pass through the antivirus.

To see some samples of infections and how they are revealed, visit the Cyber-Dome YouTube channel.

You can download Magen and test it free for 45 days here.