New Antivirus Scanner Release to Detect Malware that Starts Before the Operating System Does

Cezurity, a Russian malware protection and anti-hacking software company, has announced a new release of Antivirus Scanner. Version 3.0 of the product takes advantage of Deep Insight, a new method of detecting and removing bootkits. Bootkits are malicious programs that seize control of a computer before the operating system loads, which makes their detection and removal a daunting task for most antivirus solutions. In addition, the new Scanner release adds protection against malicious extensions to Yandex.Browser and Browser.

Detection and removal of bootkits is one of the toughest challenges facing the antivirus industry today. Bootkits are malicious programs that infect the boot sector of a hard drive, the sector that holds the code and data needed to start the operating system. Infecting the boot sector lets the malware run before the operating system and before the antivirus software, and so gain control of the computer ahead of both. Bootkits often come bundled with rootkit components that hide malicious activity from antivirus software: when the operating system or the antivirus attempts to read an infected object, the malware intercepts the request and returns the original, uninfected copy in its place.

Cezurity's Deep Insight method collects data about boot sectors and other critical computer components that may have been modified by an infection. The data is collected at a very low, near-hardware level without relying on the operating system, whose own disk and file interfaces a bootkit may already have subverted. The collected data is summarized, transferred to the Cezurity Cloud and subjected to comprehensive analysis there. Part of that analysis compares the data received from different computers, which makes it possible to spot anomalies that help decide whether a given system has been compromised.
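The following Python script is an added example, not Cezurity's code, that shows the two halves of the approach described above in miniature. The host side parses a raw 512-byte MBR image (bootstrap code, the four partition-table entries and the 0x55AA signature) and fingerprints it; the cloud side compares fingerprints from several hosts and flags boot code that no other host in the fleet shares, along with partition tables that look tampered with. The MBR images and host names are constructed fixtures; on a real host the sector would be read directly from the disk device rather than built in memory, and the same consensus logic applies to any other critical object, such as a system library.

```python
"""Added example (not Cezurity's code): parse a 512-byte MBR, validate it, and
flag hosts whose boot code is anomalous relative to a fleet of peers.

The MBR images below are synthetic stand-ins built inline so the script runs
offline; they are not real bootloaders or bootkits."""
import hashlib
import struct
from collections import Counter

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446                # bytes 0..445: bootstrap code
PART_TABLE_OFF = 446               # 4 entries x 16 bytes
BOOT_SIGNATURE = b"\x55\xAA"       # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into a boot-code fingerprint, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:BOOT_CODE_LEN]
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": entries,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def build_mbr(boot_code: bytes, partitions, signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Assemble a synthetic MBR image (test fixture, not a real bootloader)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\x00\x00\x00",
                    ptype, b"\x00\x00\x00", lba_start, sectors)
        for bootable, ptype, lba_start, sectors in partitions)
    return code + table.ljust(64, b"\x00") + signature


def local_anomalies(parsed: dict) -> list:
    """Checks that need no peer data: bad signature, partition-table abuse."""
    reasons = []
    if not parsed["signature_ok"]:
        reasons.append("missing 0x55AA boot signature")
    used = [p for p in parsed["partitions"] if p["type"] != 0]
    if sum(p["bootable"] for p in used) > 1:
        reasons.append("more than one partition flagged bootable")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in used)
    for (_, a_end), (b_start, _) in zip(spans, spans[1:]):
        if b_start < a_end:
            reasons.append("overlapping partitions")
            break
    return reasons


def fleet_anomalies(mbrs: dict, min_peers: int = 2) -> dict:
    """Cloud-side view: boot code seen on fewer than `min_peers` hosts is an
    anomaly relative to the rest of the fleet. Returns {host: [reasons]}."""
    parsed = {host: parse_mbr(img) for host, img in mbrs.items()}
    prevalence = Counter(p["boot_code_sha256"] for p in parsed.values())
    findings = {}
    for host, p in parsed.items():
        reasons = local_anomalies(p)
        if prevalence[p["boot_code_sha256"]] < min_peers:
            reasons.append("boot code not seen on other hosts")
        if reasons:
            findings[host] = reasons
    return findings


# Constructed fleet: most hosts share one bootstrap stub, one host carries
# different code, one has two "active" partitions, one a damaged signature.
CLEAN_CODE = b"\xEB\x3C\x90CLEAN-BOOTSTRAP-STUB" * 20
ODD_CODE = b"\xEB\x3C\x90PATCHED-STUB" * 25
STD_PARTS = [(True, 0x07, 2048, 1_000_000), (False, 0x07, 1_002_048, 500_000)]

FLEET = {
    "host-a": build_mbr(CLEAN_CODE, STD_PARTS),
    "host-b": build_mbr(CLEAN_CODE, STD_PARTS),
    "host-c": build_mbr(CLEAN_CODE, STD_PARTS),
    "host-d": build_mbr(CLEAN_CODE, [(True, 0x07, 2048, 1_000_000),
                                     (True, 0x17, 1_002_048, 500_000)]),
    "host-e": build_mbr(ODD_CODE, STD_PARTS),
    "host-f": build_mbr(CLEAN_CODE, STD_PARTS, signature=b"\x00\x00"),
}

if __name__ == "__main__":
    for host, reasons in sorted(fleet_anomalies(FLEET).items()):
        print(host, "->", "; ".join(reasons))
```

The prevalence threshold is deliberately crude: in practice the comparison is done within groups of hosts that run the same OS and bootloader version, otherwise every legitimate bootloader variant looks rare. Reading the sector itself has to happen below the OS file-system layer (raw device access or an offline boot), because a bootkit that hooks disk reads will hand back the clean original, exactly as the text above describes.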

“Two distinct trends are under way when it comes to computer security,” said Yulia Mikheyeva, Lead Antivirus Expert at Cezurity. “First of all, every year brings a dramatic increase in the diversity of relatively simple malware, which is a consequence of the technology being available to a wide range of newbie virus developers. On the other hand, although new sophisticated viruses are not as quick to emerge, the people developing them are pushing the limits of creativity. Antivirus software that relies on local computer scanning, whether signature-based or behavioral, can’t adequately address threats anymore. This is true both for simple threats, which show exponential growth, and for complex threats, which are getting more and more refined. In the past, employing cloud technologies was seen as not much more than a useful development, but today there’s no way antivirus systems can provide efficient protection without cloud computing.”

The new version of Antivirus Scanner also detects malicious extensions for two Russian browsers, Yandex.Browser and Browser. Although both are based on the Chromium platform, each requires its own dedicated protection tools. With this addition, Antivirus Scanner detects malicious extensions for all browsers that are popular in Russia and the CIS: Chrome, Internet Explorer, Firefox, Yandex.Browser and Browser.

“We updated Antivirus Scanner to detect malicious extensions for Chrome and Firefox in July this year,” said Yulia Mikheyeva. “We have since learned that, of all virus incidents on systems protected by other antivirus programs, about a quarter are related to browser extensions. Users install browser extensions themselves, unaware of the malicious functionality hidden inside them.”

Existing Antivirus Scanner users do not need to take any action to use the new version: the update and migration of settings are fully automatic.


RpcTonzil Trojan Has Attacked at Least 50,000 VK Users' Computers

Cezurity, a Russian company that develops protection against malware and hacker attacks, reports that trojan infections spreading through social networks are reaching epidemic proportions.

According to the Cezurity Virus Lab, at least 50,000 VK users have been affected by this malware to date. The figure is confirmed by analysis of data from Cezurity Cloud, a next-generation cloud-based virus protection technology that detects threats of this kind by identifying anomalous files. Most antivirus products detect only some modifications of Trojan.RpcTonzil. Both 32-bit and 64-bit Windows systems can be infected.

Once a computer is infected, the attackers use the stolen credentials to access the victim's social network account, send spam from the hijacked account, steal private data and send the victim scam text messages.

Trojan.RpcTonzil modifies the DNS queries the computer sends to its DNS server. When the user signs in to VK, the request is redirected to a phishing site crafted by the attackers that looks exactly like the real VK site and reports that the user's account has been hacked. The fraudsters then ask the user to create a new password and confirm the mobile phone number associated with the account. Because the redirection happens at the DNS level, the address shown in the browser is the correct one, which gives the impression that this really is the VK website. The trojan also blocks access to most antivirus vendors' websites and to Microsoft Update servers, so antivirus laboratories frequently lack the data they need to track how far the infection has spread. Different versions of the trojan have been detected and identified by antivirus companies since March of this year. Nevertheless, RpcTonzil continues to spread across the Internet, and most antivirus products either miss it entirely or detect only some of its modifications.
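A simple way to check a host for the kind of DNS manipulation described above is to compare what the host's own resolver returns with what an independent reference resolver returns for the same names: a redirected name answers with an unrelated network, a blocked name answers with nothing or with an address that goes nowhere. The Python below is an added example, not Cezurity's code. The domain names other than vk.com, and all IP addresses (taken from the RFC 5737 documentation ranges), are constructed placeholders; a real check would obtain the two views with live DNS lookups over different paths.

```python
"""Added example (not Cezurity's code): detect DNS-level redirection and
blocking by comparing a host's own resolver answers with a reference view.
All domains except vk.com and all addresses are constructed placeholders."""
import ipaddress

# Address blocks that never host a public website; an answer inside one of
# them for a public name means the name has been sinkholed on this host.
# (The ipaddress module's is_private also covers the RFC 5737 documentation
# ranges used as placeholders below, which is why the list is explicit.)
SINKHOLE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "::/128", "::1/128")]


def is_sinkhole(ip) -> bool:
    return any(ip in net for net in SINKHOLE_NETS)


def coarse(ip):
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) so that CDN
    rotation inside one network block is not mistaken for redirection."""
    bits = 24 if ip.version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{bits}", strict=False)


def classify(system_answers, reference_answers) -> str:
    """Return one of: ok, blocked, sinkholed, redirected, unknown."""
    sys_ips = {ipaddress.ip_address(a) for a in system_answers}
    ref_ips = {ipaddress.ip_address(a) for a in reference_answers}
    if not ref_ips:
        return "unknown"            # nothing to compare against
    if not sys_ips:
        return "blocked"            # reference resolves, host gets no answer
    if any(is_sinkhole(ip) for ip in sys_ips):
        return "sinkholed"          # answered with an address that goes nowhere
    if {coarse(ip) for ip in sys_ips}.isdisjoint({coarse(ip) for ip in ref_ips}):
        return "redirected"         # answered with an unrelated network
    return "ok"


def audit(system_view: dict, reference_view: dict) -> dict:
    """Classify every name in the reference view; a name absent from the
    host's view counts as blocked."""
    return {name: classify(system_view.get(name, []), answers)
            for name, answers in reference_view.items()}


def suspicious(system_view: dict, reference_view: dict) -> list:
    """Names whose verdict is anything other than ok/unknown, sorted."""
    return sorted(name for name, verdict in audit(system_view, reference_view).items()
                  if verdict not in ("ok", "unknown"))


# Constructed fixtures: the reference view stands in for an independent
# resolver, the system view for answers seen on a host with a tampered DNS path.
REFERENCE_VIEW = {
    "vk.com":            ["192.0.2.10", "192.0.2.11"],
    "av-vendor.example": ["198.51.100.5"],
    "update.example":    ["198.51.100.40"],
    "news.example":      ["203.0.113.20"],
}
SYSTEM_VIEW = {
    "vk.com":            ["203.0.113.200"],   # attacker-controlled look-alike
    "av-vendor.example": [],                  # no answer at all
    "update.example":    ["127.0.0.1"],       # answered with loopback
    "news.example":      ["203.0.113.25"],    # same /24 as reference: fine
}

if __name__ == "__main__":
    for name, verdict in audit(SYSTEM_VIEW, REFERENCE_VIEW).items():
        print(f"{name:20} {verdict}")
```

The /24 comparison is a pragmatic compromise: large sites answer from several networks depending on the client's location, so an exact-address comparison produces false "redirected" verdicts, while a name answered from an entirely unrelated block is still caught. The reference view must be obtained over a path the malware cannot touch (a different machine, or DNS over an encrypted transport to a known resolver), since a trojan that rewrites the host's queries would rewrite the reference lookup too.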

What makes it difficult to identify every modification of RpcTonzil is that the malware uses fairly sophisticated concealment techniques. It has several ways of getting onto a user's computer; in some cases the infection is blocked by an antivirus product's behavior-based protection.

"Once the computer is infected, this trojan exists only in encrypted form. Decryption and startup are performed by a slightly modified system library, rpcss.dll. This trojan infection is similar to EPO (Entry Point Obfuscation). Most antivirus programs are unable to detect an infection performed in this way; that is, they might detect such a trojan by its behavior alone, without properly recognizing it. What makes the detection process more complicated is that the modified fragment of the system library seems provisional and arbitrary," says Kirill Presnyakov, Lead Virus Analyst at Cezurity.

Detecting and removing the malware becomes even harder when it is targeted at a particular geographic region: this trojan only harms users of Russian social networks. "This trojan program is curious not as an example of an infection strategy (the industry has a long history of similar methods), but rather as a good illustration of the situation that exists in the antivirus industry. The program has been out there for three months now, spreading on and on, yet most antivirus products can neither detect it at all nor recover your PC from the infection," says Aleksey Chaley, General Director of Cezurity.

The company recommends that users check their computers with the free Cezurity Antivirus Scanner, which detects every known modification of Trojan.RpcTonzil.


Cezurity Introduces a Cloud-based Malware Detection Technology

Cezurity, a Russian malware protection and anti-hacking software company, announces the completion of Cezurity Cloud, a new-generation cloud-based antivirus technology. Cezurity Cloud addresses several challenges facing the antivirus industry; first among them, it improves the accuracy of detecting malware, whose volume is growing rapidly and whose complexity keeps increasing.

The Cezurity Cloud technology is based on analysing file properties on Cezurity's servers (in the cloud). A wide range of properties of critical objects is collected from user computers and transmitted to the cloud. Before transmission the information is anonymized and converted into a format designed to rule out any leakage of sensitive data.

On the server the data is categorized and stored in a dedicated repository. Processing the information and deciding how harmful a given object is produces a new automatic categorization, which is what makes Cezurity Cloud a self-learning system. If the received data is not sufficient to decide whether an object is dangerous, additional information is requested. Cezurity Cloud analyzes over 200 properties of each file, including attributes such as how widely it is distributed, where it sits within the system, and how it behaves when executed.

"It is a known fact that traditional malware detection methods lead us into a blind alley. Back in 2008, antivirus signature databases already contained more than 2,000,000 entries, and the last few years have seen an exponential increase in the amount of malware. Neither heuristic nor behavioral detection methods that rely on local checks alone are able to provide an adequate solution. The challenges facing the industry can be met if we make use of the benefits of the cloud and of analysis tools for large arrays of heterogeneous data," says Aleksey Chaley, General Director of Cezurity.

The Cezurity Cloud technology is flexible enough for a variety of applications: the server can receive and process different information depending on the task, which is determined by the technical features of each product or solution. Today, Cezurity Cloud is used by the Virus Scanner, a free service designed to detect and repair PC infections. In the future, this technology will become one of the key drivers for other Cezurity products and services.


Cezurity is Testing a New Antivirus Service

St. Petersburg, September 14, 2012 - Cezurity, a Russian developer of protection against malware and hacker attacks, announces the launch of beta testing for Antivirus Scanner, a free cloud service that lets users of the social network VKontakte detect and remove malware on their computers.

One problem the VKontakte support staff constantly encounter is the growing number of complaints from users whose computers have been infected by malware. A typical case: an infection causes spam to be sent from the user's account, so the VKontakte administration has to block that account. When the user then calls the VKontakte help desk it is hard to help them, because it turns out that their computer is infected. Before the launch of Antivirus Scanner the usual recommendation was to buy and install an antivirus product, since there was no simple tool that users could be offered to quickly scan and disinfect their PCs.

To make scanning and disinfecting a computer quick, Cezurity created Antivirus Scanner. One of its distinguishing features is the speed of installation and operation: a computer can be scanned in just a few minutes, because the cloud-based approach means there is no need to download signature databases to the local PC. Antivirus Scanner is also very simple to use; it can be controlled not only from a window on the local computer but also directly from the user's VKontakte page.

Thanks to the integration of Antivirus Scanner with the social network's interface, VKontakte technical specialists have gained another tool for helping users. For example, the scan results and disinfection report from Antivirus Scanner help them understand a problem better and give clear recommendations.

Antivirus Scanner can detect and remove all types of malware, including viruses, trojans, spyware and rootkits. Malicious objects are assigned to different categories depending on the risk they pose: some programs are known to be harmful, while others merely have the potential to cause harm, such as remote administration software, copyright protection (DRM) components and various utilities. In addition, users often deliberately install and use risky software in which malware-like capabilities come bundled with the features they need. Assigning hazardous programs to categories allows security to be tuned flexibly and, when a PC has performance problems, makes it quicker to find the cause.

Antivirus Scanner is not designed to prevent infection: it does not protect the computer in real time (there is no on-access scanning). Regular scans with Cezurity Antivirus Scanner allow an infection to be detected and treated in good time.

"As the popularity of social networks grows, the risks associated with their use grow as well," says Kirill Presnyakov, Cezurity virus analyst. "On the one hand, the simple interface of a social network makes it accessible to a wide range of people who have never used the Internet before, and very often their level of computer literacy is quite low. On the other hand, for many social network users this environment seems quite trusting; people feel protected here and do not think about impending danger. Add the huge audience of a social network such as VKontakte, and the appeal of this medium for all sorts of scams and malware distribution becomes obvious."

"Antivirus Scanner is based on quite complex and largely new technologies for the industry," says Alexey Chaley, Cezurity CEO. "First of all, of course, there is our cloud, Cezurity Cloud, where millions of files are being processed at any given time. Although our scanner already handles users' tasks very well, we will invite no more than 1,000 people to participate in beta testing; this will allow us to replenish the database of clean files and make sure there are no problems on the server side during scaling."

Beta testing of Antivirus Scanner will continue until mid-December 2012. To participate, visit the VKontakte social network or the Antivirus Scanner group there.
