Monthly Archives: September 2011

Test Drive – ZoneAlarm Extreme Security Suite 2012

Continuing the recent series of tests of different security solutions available out there, ZoneAlarm’s top product, Extreme Security Suite 2012, was taken for a test drive. Here’s a rundown of the test:

First stop: a website infected with a Trojan. Once in it, I was prompted to download a malicious file, and emulating a not-very-savvy user, did so, then opened the downloaded file. Nothing seemed to happen. No warning from ZoneAlarm, no sign of infection either… so I resorted to the good ol’ process monitor to see what had just happened. Too many times these infections deliver their payload invisible to the human eye, so to speak.

But not this time. Very nice! ZoneAlarm did not allow the execution of the malicious file. Even though it did not alert to its maliciousness, ZA did not allow the malicious file to deliver its payload. An on-demand scan of the downloaded file was met by ZA with a correct labeling of “malicious” and deletion (I think the real-time protection module should have alerted without needing an on-demand scan, but I won’t hold it against ZA. For all practical purposes that first run was a pass).

Second run: Another malicious Trojan. Similar story.

Third attempt… a fake antivirus, famous for being hard to detect. Mixed result: ZA did not allow the payload to be delivered, but this time not even an on-demand scan of the file resulted in the correct label of malicious.

Fourth run: the infamous Koobface worm. Not so new anymore so no surprise that ZA’s real-time module caught it this time, before I could even open it. But a pass is a pass.

Summary

As with the other security programs tested, no evaluation was done of computer resource usage or compatibility problems. Strictly from the viewpoint of protection against drive-by download infections, ZA’s Extreme Security Suite 2012 is a pass. It therefore joins the ranks of the other 2 suites that have passed this test, Kaspersky Security Suite 2012 and VIPRE Antivirus Premium 4.

Test Drive – AVG 2012 Internet Security Suite

AVG recently released their 2012 version of the Internet Security Suite. Being as it is that the 2011 version failed the test a few weeks back when I did a number of tests on different security suites, I figured it’d only be fair to give this new version a chance.

So I installed a trial of it on my Windows 7-based test computer, and went on to visit my friends the malicious websites. Here’s a summary of the results:

One of the files downloaded by visiting a malicious website, “Root-kit zero access”, tried to connect, and successfully connected, to internet address 193.105.154.210:80. Tsk-tsk on AVG’s firewall, it should have stopped the outbound connection attempt.

I then went on to another malicious website infected with a fake antivirus program. Upon opening the malicious download, the firewall did alert me to an outgoing connection attempt, and asked me if I wanted to allow it. I blocked it, and then the real-time protection shield proudly announced it had found an infected file… but failed to stop the infection. A few seconds later, the fake antivirus took the computer over. Game over.

And here’s the kick: Even though the firewall did block the execution of the file created by the initial download (file name aH12402HlElD12402.exe), a post-mortem forensic analysis revealed that the originally downloaded file accessed a website in China (Internet address 122.224.4.134) without any protest or prompt from the firewall! What a joke.

Sorry, AVG fans. AVG 2012 Internet Security Suite = FAIL.

Hacking that Affects Google, More About and Clarification

After my latest article was published last week, I received feedback from some of my readers asking me for clarification of how the stolen certificates situation I talked about in it translated to the average Joe/Jane user. What would he/she run into and what can he/she do?

Let’s see how it would work in a real case scenario. Let’s say, for example, you want to sign in to your gmail email. You’d go to a secure (encrypted) webpage, like

https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=llya694le36z&ss=1&scc=1&ltmpl=default&ltmplcache=2&from=login

And from there provide your email address and password. But even before you do that, as soon as you click on the above link, your browser will check the certificate presented by the website, and thus corroborate that indeed, the website is legitimately what it purports to be. This all occurs behind the scenes, so to speak. The user does not see this process. However, if for some reason the certificate is expired, is different than expected or shows any other irregularity, the browser will alert you. In Firefox (for example), you might see something like:

You would then be able to avert the impersonation. And that’s how certs help you.

Now, if a cert is stolen and used in, let’s say, a phishing email, and you click on a link of what seems to be a gmail login, but it’s something else, AND it is using the stolen cert, you would not get the alert and thus not realize these are not the androids you’re looking for (Go see Star Wars Episode IV if you don’t get the reference 🙂 ). And so you sign in and thus give the malicious hackers your credentials.

That’s just one possible way of how stolen certs could be used for malicious purposes.

I mentioned in my last article that Windows XP and Server 2003 users were the most likely to be affected. Microsoft has just released a Windows Update (KB2607712) that permanently blocks all certificates issued by DigiNotar. The update should be available to you if you have automatic updates enabled on your computer. If you don’t, want to install it manually, and know what you’re doing, here’s the link to it:

http://support.microsoft.com/kb/2607712
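To make the behind-the-scenes check concrete, here is an added example (not part of the original post, and not Microsoft’s or Mozilla’s code) that replays the situation in Go with constructed keys: a hypothetical “Compromised Example CA” stands in for DigiNotar and issues a www.google.com certificate to an impostor. It shows the certificate passing while the CA is trusted, failing once the CA is removed from the trust store (which is what KB2607712 does for DigiNotar), and failing when used for a host it does not name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert builds a self-signed root when parent is nil, otherwise a server certificate signed by parent.
func makeCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if parent == nil { // root CA: allowed to sign other certificates
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // server certificate: the name the browser compares with the URL
		tmpl.DNSNames = []string{cn}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Accepted is the browser's silent check: chains to a trusted root and valid for the URL's host? false means a warning.
func Accepted(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// Scenario replays the stolen-certificate case with constructed keys: a CA the browser trusts issues a
// www.google.com certificate to an impostor. It reports whether that certificate is accepted (1) while the
// CA is trusted, (2) after the CA is removed from the trust store, as KB2607712 does, and (3) for a host it does not name.
func Scenario() (bool, bool, bool) {
	rogueCA, caKey := makeCert("Compromised Example CA (constructed)", nil, nil)
	stolen, _ := makeCert("www.google.com", rogueCA, caKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(rogueCA)
	return Accepted(stolen, "www.google.com", trusted),
		Accepted(stolen, "www.google.com", x509.NewCertPool()), Accepted(stolen, "mail.example.net", trusted)
}
```

Scenario() returns (true, false, false): the only thing separating the impostor’s page from the real one, in the first case, is that the issuing CA is still in the trust store, which is why removing it is the fix.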

If you have any questions, don’t hesitate to ask.