PC Tools questions current approach to top threat lists
San Francisco, April 16, 2008: Leading security software vendor PC Tools today said that it questions top threat lists created and published by security vendors, claiming that many of these lists are simply threats ranked by volume without any reference to the actual danger they pose to consumers. PC Tools argue that such lists do not adequately represent the current and changing threat landscape and are of no practical use for the security industry or consumers.
"Threat analysis is highly complex. There was a time when volume alone was an acceptable indicator of the level of threat," said Simon Clausen, Chief Executive Officer, PC Tools. "But the threat landscape has changed significantly and there are a number of additional parameters, besides volume, which are equally, if not more important in identifying and classifying top threats."
PC Tools identifies three parameters in addition to volume which may assist with identifying and classifying top threats:
- A threat's complexity and the challenge it presents for analysts and software to detect and remove it
- Its adoption of new techniques and how fast it is responding to detection
- The danger it poses to the recipient and what type of malicious payload it carries
For example, security experts at PC Tools say Netsky, a threat discovered over four years ago, is still appearing on top threat lists by security vendors based purely on high propagation rates and absolute numbers. However, research conducted by PC Tools showed that the threat presented by Netsky may be overplayed.
Kurt Baumgartner, Chief Threat Officer, PC Tools said, "Netsky's behavioral and static characteristics are well known to analysts in the anti-malware industry, and freely available anti-virus technology detects and removes it with ease. Accordingly we think it is less of a threat than reported by other security vendors."
Another example of a top threat listing that security experts at PC Tools suggest may be inaccurately classified is packer detection. Other security vendors have identified the generic detection of the packer NSAnti as a top threat. The NSAnti detection simply identifies that an executable's contents are packed and therefore may be hiding a threat from analysis, but the packer itself is not a threat, and so PC Tools believes that it should not appear on top threat lists.
Research conducted at PC Tools also showed that users are often being infected through un-patched vulnerabilities on their computer systems, accounting for many of the high propagation rates of older, well-known threats which have good antivirus coverage. Despite most vendors releasing patches often years ago, some systems continue to be infected via these vulnerabilities.
"This fairly common occurrence indicates that either users are failing to update their computers to protect them from these old vulnerabilities, the same systems are being reinfected or possibly that consumers are using pirated operating system software. Pirated software often requires automatic updates to be turned off to avoid detection as a pirated copy, thus leaving consumers vulnerable to threats," said Baumgartner.
Baumgartner also warned, "Consumers are continuing to fall for fairly persuasive, but now common, social engineering schemes." PC Tools argue that the emergence of next generation malware, Malware 2.0, has meant that the threat landscape and its analysis is much more complicated than the current, one-dimensional top ten threat lists suggest.
"Top threat lists have little or no practical use for the average consumer for a number of reasons. First, they do not reflect the reality of the threat landscape. Secondly, they do not provide the sort of information consumers need to seek out adequate protection. Thirdly, because most vendors only release these lists on a monthly basis, at best," said Clausen.
PC Tools encourage vendors to employ a more frequent and multi-dimensional approach to threat listing by identifying threats based on the real danger a threat poses and considering other parameters such as the threat's complexity and the malicious payload it carries. This approach will provide consumers with current, useful and realistic information about the changing threat landscape.
A brief summary of changes in the current threat landscape includes:
- There are a handful of bot families exhibiting characteristics complex enough to evade security solutions and create massive botnets out of compromised systems. They are capable of sending billions of spam per day. The greatest bot threats currently are identified as Kraken/Bobax, Srizbi, Cutwail/Pandex and Storm.
- There is new evidence of the successful reincarnation of old dangerous techniques such as file infection from Trats/Vundo/Virtumonde or Master Boot Record infection by Mebroot. Blending the old DOS-era techniques with the new advanced threats creates deadly mixtures such as the Torpig/Mebroot bot, which is capable of taking control over the system while simultaneously remaining under the radar of many anti-malware solutions.
- The growing phenomenon of rogue anti-spyware, such as the Zlob/FakeAlert family of financially motivated fraudulent software, is increasingly adopting new distribution methods such as affiliate/pay-per-click programs, wider reliance on various exploits, inventive social engineering tricks and other methods associated with authors from the malware camp.
Note to Editor
This release is part one of a three-part educational campaign for consumers demonstrating how computer security can be made easy.
ABOUT THREATFIRE
ThreatFire uses advanced patent-pending technology to detect signs of malicious behavior commonly used by malware threats. ThreatFire is unlike traditional anti-virus products that rely on signature technology and require updating every time a new threat occurs. ThreatFire's ActiveDefense Technology is able to identify and paralyze threats that are too new or too sophisticated to be recognized by traditional security software. ThreatFire only alerts the end user to truly malicious behavior.
ABOUT PC TOOLS
PC Tools is a global software leader with a cache of security and utility products, including the multi award-winning Spyware Doctor®. PC Tools is an industry leader in real-time anti-spyware and has a number of key patents pending.
The PC Tools Malware Research Center monitors trends and emerging spyware issues and provides security solutions for the consumer and enterprise marketplace. The company is headquartered in Sydney, with offices in San Francisco, London, Shannon (Ireland), Melbourne, Kiev, and Boulder. PC Tools has a global network of distributors, resellers, and retailers.