ESET India Cyber Threat Trends Report Q1

  • date post

    20-Oct-2014

Transcript of ESET India Cyber Threat Trends Report Q1

Page 1: ESET India Cyber Threat Trends Report Q1

ESET Cyber Threat Trend Report. India & Globe

Quarter I, 2012

Table of Contents

THE TOP TEN THREATS IN INDIA, QUARTER I, 2012 2

TOP THREATS (INDIA) IN BRIEF 3

THE TOP TEN THREATS (GLOBAL) 5

TOP THREATS (GLOBAL) IN BRIEF: 6

SIZING UP THE BYOD SECURITY CHALLENGE 8

WIN32/CARBERP GANG ON THE CARPET 10

CARBERP: THE RUSSIAN TROJAN BANKER NOW AIMS FACEBOOK USERS 11

FROM GEORGIA WITH LOVE: WIN32/GEORBOT INFORMATION STEALING TROJAN AND BOTNET 12

FAKE SUPPORT, AND NOW FAKE PRODUCT SUPPORT 13

SUPPORT SCAMMERS (MIS)USING INF AND PREFETCH 15

RECENT ESET PUBLICATIONS IN INDIA 17

ABOUT ESET 18

ADDITIONAL RESOURCES 18

Page 2: ESET India Cyber Threat Trends Report Q1

The Top Ten Threats in India, Quarter I, 2012

Page 3: ESET India Cyber Threat Trends Report Q1

TOP Threats (India) in brief:

1. INF/Autorun.gen.

A detection for 'autorun.inf' files that may be used by worms when

spreading to local, network, or removable drives.

When copying themselves to a drive, these worms also create a file

named 'autorun.inf' in the root of the targeted drive. The

'autorun.inf' file contains execution instructions for the operating

system which are invoked when the drive is viewed using Windows

Explorer, thus executing the copy of the worm.

2. HTML/ScrInject.B.Gen

Generic detection of HTML web pages containing obfuscated script or iframe tags that automatically redirect to the malware download.

3. Win32/Sality

Sality is a polymorphic file infector. When run, it starts a service and creates/deletes registry keys related to security activities in the system and to ensure that the malicious process starts at each reboot of the operating system.

It modifies EXE and SCR files and disables services and processes related to security solutions.

More information relating to a specific signature:

http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

4. Win32/Ramnit.A.

Win32/Ramnit.A is a file infector. Files are infected by adding a new

section that contains the virus. The virus acquires data and

commands from a remote computer or the Internet. It can execute

the following operations: capture screenshots, send gathered

information, download files from a remote computer and/or the

Internet, run executable files, shut down/restart the computer.

5. LNK/Autostart.A

Exploit:Win32/CplLnk.A is a generic detection for specially-crafted,

malicious shortcut files that exploit the vulnerability that is currently

exploited by the Win32/Stuxnet family. When a user browses a folder

that contains the malicious shortcut using an application that displays

shortcut icons, the malware runs instead.

6. INF/Autorun

This detection label is used to describe a variety of malware using the

file autorun.inf as a way of compromising a PC. This file contains

information on programs meant to run automatically when

removable media

(often USB flash drives and similar devices) are accessed by a

Windows PC user. ESET security software heuristically identifies

malware that installs or modifies autorun.inf files as INF/Autorun

unless it is identified as a member of a specific malware family.

Page 4: ESET India Cyber Threat Trends Report Q1

7. HTML/Iframe.B

Virus. HTML/Iframe.B is a generic detection of malicious IFRAME tags

embedded in HTML pages, which redirect the browser to a specific

URL location with malicious software.

8. Win32/Autoit

Win32/Autoit is a worm that spreads via removable media, and some of its variants also spread through MSN. It may arrive on a system as a downloaded file from a malicious Web site. It may also be dropped by another malware. After infecting a system, it searches for all the executable files and replaces them with a copy of itself. It copies itself to local disks and network resources. Once executed, it downloads additional threats or variants of itself.

9. Win32/Toolbar.Babylon

ESET classifies this class of threats as PUA (Potentially Unwanted Application). A potentially unwanted application is a program that contains adware, installs toolbars or has other unclear objectives. There are some situations where a user may feel that the benefits of a potentially unwanted application outweigh the risks. For this reason, ESET assigns them a lower-risk category compared to other types of malicious software, such as trojan horses or worms. While installing your ESET security software, you can decide whether to enable detection of potentially unwanted applications.

10. Win32/Virut.NBP

Win32/Virut.NBP is a polymorphic file infector. The virus connects to

the IRC network. It can be controlled remotely. The virus searches for

executables with one of the following extensions: .exe, .scr.

Executables are infected by appending the code of the virus to the

last section. The host file is modified in a way that causes the virus to

be executed prior to running the original code.
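As an added example (not part of the ESET report), here is a small triage script for the autorun.inf files described under INF/Autorun.gen and INF/Autorun: it parses the file and reports the entries that make Windows launch a program. The two sample files, the extension list and the folder list are constructed assumptions for illustration, not ESET's detection logic.

```python
import re

# Documented [autorun] keys that start a program; icon/label/action are cosmetic.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_VERB = re.compile(r"^shell\\[^\\]+\\command$")
# Assumed triage lists for this example.
RISKY_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")
HIDING_DIRS = ("recycler", "recycled", "system volume information")

# Constructed samples: a worm-style file with padding, and a harmless one.
SAMPLE_WORM = """\
;kd8s7f6g
[AutoRun]
jf83hfks9dkf
open=RECYCLER\\S-1-5-21\\svchost.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
shell\\open\\command=RECYCLER\\S-1-5-21\\svchost.exe
shell\\explore\\command=RECYCLER\\S-1-5-21\\svchost.exe
"""
SAMPLE_BENIGN = """\
[autorun]
icon=setup.ico
label=Vendor Drivers
"""


def parse_autorun(text):
    """Return ({section: [(key, value), ...]}, junk_line_count)."""
    sections, current, junk = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
        else:
            junk += 1  # padding that is neither comment, header nor key=value
    return sections, junk


def execution_directives(text):
    """List (key, command) pairs in [autorun] that launch a program."""
    sections, _ = parse_autorun(text)
    return [(k, v) for k, v in sections.get("autorun", [])
            if k in EXEC_KEYS or SHELL_VERB.match(k)]


def program_of(command):
    """Extract the program path from a command line, lower-cased."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    return command.split(None, 1)[0].lower() if command else ""


def assess(text):
    """Summarise why an autorun.inf deserves a closer look."""
    _, junk = parse_autorun(text)
    directives = execution_directives(text)
    reasons = []
    for key, command in directives:
        program = program_of(command)
        if program.endswith(RISKY_EXT):
            reasons.append(f"{key} launches {program}")
        if any(d in program for d in HIDING_DIRS):
            reasons.append(f"{key} target sits in a hidden system folder")
    if junk and directives:
        reasons.append(f"{junk} junk line(s) padding the file")
    return {"verdict": "suspicious" if directives else "no-exec",
            "directives": directives, "junk_lines": junk, "reasons": reasons}


if __name__ == "__main__":
    for name, sample in (("worm-style", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(name, assess(sample))
```

A file on removable media that contains any execution directive is worth inspecting even when none of the extra reasons fire.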

Page 5: ESET India Cyber Threat Trends Report Q1

2. The Top Ten Threats (Global) (March 2012)

Page 6: ESET India Cyber Threat Trends Report Q1

TOP Threats (Global) in brief:

1. HTML/ScrInject.B (see above)

2. INF/Autorun (see above)

3. HTML/Iframe.B

HTML/Iframe.B is a generic detection of malicious IFRAME tags

embedded in HTML pages, which redirect the browser to a specific URL

location with malicious software.

4. Win32/Conficker

The Win32/Conficker threat is a network worm originally propagated

by exploiting a recent vulnerability in the Windows operating system.

This vulnerability is present in the RPC sub-system and can be remotely

exploited by an attacker without valid user credentials. Depending on

the variant, it may also spread via unsecured shared folders and by

removable media, making use of the Autorun facility enabled at

present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat

contacts web servers with pre-computed domain names to download

additional malicious components. Fuller descriptions of Conficker

variants are available at

http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

5. JS/Agent

The trojan displays dialogs that ask the user to purchase a specific product/service. After purchasing the product/service, the malware removes itself from the computer. The trojan is probably a part of other malware.

6. JS/Iframe.AS

JS/Iframe.AS is a trojan that redirects the browser to a specific URL

location with malicious software. The program code of the malware is

usually embedded in HTML pages.

7. Win32/Sirefef

Win32/Sirefef.A is a trojan that redirects results of online search

engines to web sites that contain adware.

8. Win32/Sality (see above)

9. Win32/Dorkbot

Win32/Dorkbot.A is a worm that spreads via removable media. The

worm contains a backdoor. It can be controlled remotely. The file is

run-time compressed using UPX.

The worm collects login user names and passwords when the user

browses certain web sites. Then, it attempts to send gathered

information to a remote machine. This kind of worm can be controlled

remotely.

10. JS/Redirector

JS/Redirector is a trojan that redirects the browser to a specific URL

location with malicious software. The program code of the malware is

usually embedded in HTML pages.
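As an added example (not from the ESET report), this static check illustrates the kind of markup the HTML/Iframe.B and JS/Iframe.AS descriptions refer to: it lists IFRAME tags that are invisible to the visitor and notes whether they load from a host other than the page's own. The sample page, host names and hiding rules are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style patterns that make a frame invisible (assumed rule set).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![-\w])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)"
    r"|(?<![-\w])(?:left|top)\s*:\s*-\d{3,}",
    re.IGNORECASE,
)

# Constructed sample: one visible embed, one local widget, two hidden frames.
SAMPLE_PAGE = """\
<html><body>
<h1>Local news</h1>
<iframe src="https://video.example.org/embed/42" width="560" height="315"></iframe>
<iframe src="http://redirect.example.net/in.php?id=7" width="1" height="1" frameborder="0"></iframe>
<iframe src="/widgets/weather.html" style="width:300px;height:120px"></iframe>
<IFRAME SRC="//stats.example.net/c" STYLE="position:absolute; left:-9999px"></IFRAME>
</body></html>
"""


def tiny(value):
    """True when a width/height attribute is 0 or 1."""
    match = re.match(r"\s*(\d+)", value or "")
    return bool(match) and int(match.group(1)) <= 1


class IframeAudit(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        hidden = []
        if tiny(a.get("width")) or tiny(a.get("height")):
            hidden.append("width/height of 0 or 1")
        if HIDDEN_STYLE.search(a.get("style", "")):
            hidden.append("inline style hides the frame")
        if not hidden:
            return  # visible frames (video embeds, widgets) are not reported
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        foreign = host if host and host != self.page_host else None
        self.findings.append({"line": self.getpos()[0], "src": a.get("src", ""),
                              "hidden_by": hidden, "foreign_host": foreign})


def hidden_iframes(html, page_host):
    """Return one finding per invisible iframe in the given HTML text."""
    audit = IframeAudit(page_host)
    audit.feed(html)
    audit.close()
    return audit.findings


if __name__ == "__main__":
    for finding in hidden_iframes(SAMPLE_PAGE, "news.example.com"):
        print(finding)
```

A static scan like this only sees frames present in the markup; frames written at load time by obfuscated script, as in the HTML/ScrInject.B description, need the script to be examined as well.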

Page 7: ESET India Cyber Threat Trends Report Q1

Threats India vs Globe (January, February, March 2012)

Page 8: ESET India Cyber Threat Trends Report Q1

Sizing Up the BYOD Security Challenge

Stephen Cobb, ESET Security Evangelist

On the plus side of BYOD, you may get more work

from people when they can work in more places and at more times

of the day (from the breakfast table in the morning to the kitchen

table at night and the coffee shop in between). There can be cost

savings too: equipment outlays can be reduced if employees use

their own devices instead of the company buying them.

At the same time, IT security managers must weigh those

benefits against the security risks that come with these devices,

plus the cost of bringing them into line with existing security

policies and compliance standards. For example, what are the legal

ramifications of an employee’s personal laptop going missing when

it contains your customer list or sensitive internal

correspondence? To help companies get a handle on the scale and

scope of these risks, ESET engaged Harris Interactive to survey

some 1,300 adults in America who are currently employed. We

found more than 80 percent of them “use some kind of personally

owned electronic device for work-related functions.” Many of

these devices are older technologies like laptop and desktop

computers, but smartphones and tablets are already a significant

part of the BYOD phenomenon.

Page 9: ESET India Cyber Threat Trends Report Q1

Unfortunately, the survey paints a worrying picture of security

on these devices; for example, encryption of company data is only

happening on about one third of them. One third of those

surveyed responded that company data is not encrypted when it is

on their personal devices and the remaining third did not know

one way or the other, which is worrying in itself. You can see more

of the findings in the accompanying infographic.

One particular area of concern is small devices—like tablets

and smartphones—that are easier to steal than laptops and

desktops but pack tremendous processing, storage, and

communication capabilities. Consider the Microsoft Word

document in which the results of ESET’s BYOD survey were

presented. This file takes up 170 kilobytes of storage space and

contains 17 pages of charts, tables, and text that summarize the

most important findings from this not inexpensive research. That

means you could easily store more than 70,000 similar reports on a 16 gigabyte smartphone or microSD card. A smartphone could transmit all 70,000 documents to the other side of the world in a matter of minutes on a WiFi or 4G/LTE connection (the latter could prove costly, but the recipient might be happy to pay the data overage).

So it is not good news to learn that only 25 percent of

smartphone users, and less than 10 percent of tablet users, say

they have enabled auto-locking on these devices (the feature that

locks the device after a period of inactivity and requires a

password or code to unlock). Overall, we found that less than half

of all devices in the BYOD category are protected by basic security

measures. On the bright side, BYOD security could be boosted

cheaply and quickly if companies did the following:

• Mandate auto-locking with password protection on all devices.

• Enable remote lock/wipe to protect data on any stolen devices.

• Enable encryption of company data on all devices.

• Make sure up-to-date anti-malware protection is active on all devices.

In summary, now would be a good time to check how your

company is handling BYOD security. With roughly two thirds of our

survey respondents reporting that their employer had not yet

implemented a BYOD policy, or provided any security training,

those would be good places to start.

Page 10: ESET India Cyber Threat Trends Report Q1

Win32/Carberp Gang on the Carpet

On March 20, Group-IB, ESET’s partner in Russia providing comprehensive investigation of IT security incidents and breaches of information security, announced the results of its joint investigation with the Federal Security Service (FSB) and the Ministry of the Interior (MVD) of Russia, resulting in the arrest of a gang of eight accused of offences under the Russian Federation's Criminal Code including larceny, creation and distribution of malicious software, and unauthorized access to computer information. The fraudsters were engaged in online banking fraud, affecting the clients of over a hundred banking institutions worldwide within the last 2 years. The group of hackers managed to steal over 130 million rubles within just a quarter.

Group-IB have identified them as using Win32/Carberp and

Win32/RDPdoor in pursuit of criminal profit, going beyond

stealing banking credentials and plundering bank accounts to

DDoS (Distributed Denial of Service) attacks.

It's been suggested that if convicted, they can expect sentences

of up to 10 years. The investigation of the botnet and its servers,

obtained as a result of interaction with specialized organizations

in various countries, including Holland and Canada, helped

prevent theft of funds from clients of over a hundred banking

institutions worldwide.

For the first time in international practice it was possible to

establish the entire criminal chain, including the head of this

group and owner of a botnet, those conducting fraudulent

transactions, and those directly involved in cashing the stolen

funds. In all, a total of eight individuals comprised the group. It

should be noted that in addition to stealing funds from bank

accounts, the criminals were also involved in carrying out

distributed denial of service (DDoS) attacks.

The criminals hacked websites actively using accountant services

in their operations, as well as popular news media websites and

online stores, infecting them with malware. Having established

remote access to the computer of a potential victim, and having

detected online banking details on that computer, the criminals

created a fraudulent payment order to transfer funds to a

specially prepared account. Then the stolen funds were cashed

via bank cards, established for dummy individuals or legal

entities. In order to have a comfortable working environment, an

office was opened by the criminals, functioning as a data

recovery company.

“Our experts did an enormous amount of work, which resulted in

identifying the head of this criminal group, the owner and

operator of a specialized banking botnet, identifying the control

Page 11: ESET India Cyber Threat Trends Report Q1

servers, and identifying the directing of traffic from popular

websites in order to spread malware infection,” noted Ilya

Sachkov, Group-IB CEO, in the company’s press release. “The investigations conducted by our Forensics Lab confirmed the use of the Win32/Carberp and Win32/RDPdoor malware by the criminals in order to carry out theft of funds.”

ESET whitepaper on Win32/Carberp is available here:

http://go.eset.com/us/resources/white-papers/carberp.pdf .

Carberp: the Russian Trojan banker now aims Facebook users

David Harley and a Russian research colleague, Aleksandr Matrosov, explain that the most widely spread banking trojan in Russia is now trying to steal money from Facebook users.

ESET researchers noted that Win32/Carberp used bootkit components from malware called Rovnix, which was also the subject of scrutiny in February.

The article covers several aspects of this threat, such as:

• Fake Facebook Lockout

• Demanding e-Cash

• Faking Facebook

• Web-Injects

• Carberp Detection in Russia

• Global infection statistics

• Bypassing DDoS Prevention Systems

The complete description can be read in “Facebook Fakebook: New Trends in Carberp Activity”.

A related post, “Rovnix Reloaded: new step of evolution”, explains the new developments of this threat. It is detected as the Win32/Rovnix.B trojan, and appears to be the first bootkit to employ VBR (Volume Boot Record) infection.

Page 12: ESET India Cyber Threat Trends Report Q1

From Georgia With Love: Win32/Georbot information stealing trojan and botnet

by Righard Zwienenberg, Senior Research Fellow

Malicious software that gets updates from a domain belonging to the

Eurasian state of Georgia? This unusual behavior caught the attention

of an analyst in ESET's virus laboratory earlier this year, leading to

further analysis which revealed an information stealing trojan being

used to target Georgian nationals in particular. After further

investigation, ESET researchers were able to gain

access to the control panel of the botnet created

with this malware, revealing the extent and the

intent of this operation.

Finding a new botnet is not unusual these days and

most are not particularly interesting from a nerdy,

techie point of view, but it turns out that this one

(dubbed Win32/Georbot) is both unusual and

interesting. Amongst other activities, it will try to

steal documents and certificates, can create audio and video

recordings and browse the local network for information. One

unusual aspect is that it will also look for “Remote Desktop Configuration Files” that enable the people receiving these files to connect to the remote machines without using any exploit. That approach will even bypass the need for RDP exploits such as the one that was revealed last week (MS12-20).

Win32/Georbot features an update mechanism to get new versions

of the bot as an attempt to remain undetected by anti-malware

scanners. The bot also has a fall-back mechanism in case it can’t reach

the C&C (Command and Control) server: in that case it will then

connect to a special webpage that was placed on a system hosted by

the Georgian government. This does not

automatically mean that the Georgian

government is involved. Quite often people are

not aware their systems are compromised. It

should be also noted that the Data Exchange

Agency of the Ministry of Justice of Georgia and

its national CERT were fully aware of the

situation as early as 2011 and, parallel to their

own – still ongoing – monitoring, have

cooperated with ESET on this matter.

Win32/Georbot uses various obfuscation techniques to make static

analysis more difficult, but for experienced malware analysts that is

not much of a problem to overcome, and Win32/Georbot was well

worth the time it took to undertake a detailed analysis. The full white

paper containing the detailed analysis is available as a PDF file.

Page 13: ESET India Cyber Threat Trends Report Q1

Fake Support, And Now Fake Product Support

David Harley, Senior Research Fellow

There's a blog article I've been wanting to write for a few days, but

haven't so far been able to make time for. However, Martijn Grooten

drew my attention to a blog on much the same topic from our friends at

Avast! and one of ESET's partners alerted me to a very relevant and

related post by Brian Krebs, so I've pushed it to the top of the stack.

I first became aware of the plague of Indian companies operating PC

and anti-virus support scams because one of our competitors advised

me that one of them was apparently carrying out unethical marketing

on ESET's behalf. (They weren't, of course, anything to do with ESET:

see this blog series and this paper.)

I recently learned from my colleagues at ESET UK that cold-callers

from Mumbai have developed a new twist on this cold-calling scam,

calling people in the UK and apparently claiming to offer paid support in

response to problems that don't exist, because, they claim, "ESET

doesn't offer free support." (Don't panic! For genuine ESET customer

support, there are contact details on the web page for the ESET partner

or distributor responsible for the region in which you live. In India ESET

is obviously providing support to all customers, the contacts are the

following: www.esetindia.com, https://www.facebook.com/esetindia,

Toll Free Phone 1800-209-1999).

It appears from a recent Avast! blog that Avast! customers are suffering

a similar experience, 'receiving phone calls from “Avast customer

service” reps who need to take control of their computer to resolve

some issue and who, for a fee, wish to charge them for this privilege.'

Unfortunately, according to Brian Krebs, "users are reporting that the

incidents followed experiences with iYogi, the company in India that is

handling Avast’s customer support." (The relationship is confirmed by

an Avast! blog here.)

While someone describing himself as the co-founder and president of

marketing at iYogi has strongly denied any connection with the usual

gang of out-and-out scammers, the use, as described by Krebs, of the

Event Viewer ploy characteristic of Indian support scams means that

iYogi is going to have to work hard to prove its innocence. My guess is

that if Avast!, a company with an excellent reputation previously,

discovers that iYogi is indeed operating on the side of the non-angels,

heads – and outsourcing contracts – will roll.

Support services for anti-virus products obviously vary according to

vendor and product. Free one-to-one support may not be available for

free products, and other support may range from free but basic, to

cattle-class, to business class or de luxe. However, reputable security

Page 14: ESET India Cyber Threat Trends Report Q1

companies do have standards that should apply at all points on the

spectrum:

• They don't make unsolicited phone calls to tell you about viruses you don't have. Sorry, but I can't guarantee that you won't get marketing calls but they should be within acceptable legal and ethical boundaries, and that doesn't include pretending to see malware on a system they don't have access to.

• They won't use nasty semi-fraudulent techniques to "prove" you have a virus problem like telling you that Event Viewer, or ASSOC (the CLSID trick described here), or "Prefetch virus" or INF is listing malicious files. (Those last two tricks are now summarized in a separate blog article here.)

• If you're subscribed to some form of premium package that attracts a subscription rate, they're not likely to try to gouge even more cash or financial data out of you by ringing you up to scare you to death.

• They won't try to get direct access to your system using free versions of commercial remote access software so that they can upload various free/limited functionality security packages: if a professional AV company needs access to your machine, they won't do it by misusing free licences for another company's software.

Unless, of course, they partner with a support organization that doesn't

see the difference between legitimate marketing and outright

misrepresentation and fraud. If Avast! has, in fact, fallen into that trap,

they have my sincere sympathy. But it will be hard for them to recover

from that misstep, and the reputation of the rest of the AV industry has

also taken a blow. We can only hope that some good will come out of

this, like real progress on effective legal action against support scams.

Paying for third-party support for a free product may sound like a good

idea in principle, since AV companies don't normally offer one-to-

one support for free products. But it's generally safer to upgrade to a

paid version, especially if you already suspect that you have malware on

your system. The problem here is that sometimes people don't get AV

until they have a problem, and at that point, saving money with a free

solution may be a false economy.

Cold-calling (or spamming support forums) to offer paid support for

products that already offer free support to paying customers may not

sound particularly ethical (well, it doesn't to me). Worse, it may actually

cause damage to your system which may even, depending on the

vendor and the actual circumstances, compromise your ability to

get the legitimate support you've already paid for. But it isn't

necessarily fraudulent. (Or illegal, though it may go against privacy

legislation covering "Do Not Call" lists, for example, though if the Krebs

story is correct, the existence of a pre-existing support relationship may

Page 15: ESET India Cyber Threat Trends Report Q1

be used to get round that. And unfortunately, cold-callers from India

tend to ignore local do-not-call lists: in fact, some legitimate companies

seem to be taking advantage of offshored support to bypass such lists.)

But if the call is made on the basis of reports of malware that you don't

have, or at some stage the caller tries to persuade you that utilities like

INF, PREFETCH, ASSOC and EVENTVWR are proof that you have

malware issues, the intent is clearly fraudulent.

Personally, I'd suggest that you regard any unsolicited phone call from a

company claiming to offer antivirus support, even for a product you

actually have, as a probable scam.

Support Scammers (mis)using INF and PREFETCH

David Harley, Senior Research Fellow

Here's a quick summary of the PREFETCH and INF ploys I mentioned

above. These are alternatives (or supplements) used by support

scammers from India to the Event Viewer and ASSOC/CLSID ploys also

used to "prove" to a victim that their system is infected with malware or

has other security/integrity problems.

The "Prefetch" command shows the contents of C:\Windows\Prefetch,

containing files used in loading programs.

Page 16: ESET India Cyber Threat Trends Report Q1

The "INF" command actually shows the contents of a folder

normally named C:\Windows\Inf: it contains files used in

installing the system.

INF and PREFETCH are legitimate system utilities: so how are

they misused by scammers? By asking a victim to press

Windows-R to get the Run dialogue box, then asking them to

type in something like "prefetch hidden virus" or "inf trojan

malware". When a folder listing like those above appears, the

victim believes that the system is listing malicious files. In fact,

neither of these commands accepts parameters in the Run box.

You could type "inf elvish fantasy" or "prefetch me a gin and

tonic" and you'd get exactly the same directory listing, showing

legitimate files. Neat trick: but don't you fall for it!

Page 17: ESET India Cyber Threat Trends Report Q1

Recent ESET publications in India

ESET researchers and speakers are often invited to contribute to other publications, in India and worldwide. Here’s a selection of a few articles that have appeared in Indian media this quarter.

SME Channels, Mar 28, 2012 ESET’s Caveat Against Sharing Facebook

http://smechannels.com/news/eset-s-caveat-against-sharing-facebook.aspx

EFYtimes.com Employee’s Facebook Passwords Can Be Dangerous For Your Company

http://efytimes.com/e1/80931/Employees-Facebook-Passwords-Can-Be-Dangerous-For-Your-Company

Information Week, April 12, 2012, Humans and Heuristics: Making people part of information security solutions

http://www.informationweek.in/Security/12-04-12/Humans_and_Heuristics_Making_people_part_of_information_security_solutions.aspx

Business Standard, Jan 23, 2012, Cyber crime is now a booming industry

http://www.business-standard.com/india/news/cyber-crime-is-nowbooming-industry/462549/

PCQuest January 09, 2012 Future Outlook of Cyber Crime & Security

http://pcquest.ciol.com/content/topstories/futureoutlook/2012/112010908.asp

Biztech2.com 18th February, 2012 Cybercrime Predictions 2012

http://biztech2.in.com/blogs/industry-expert/cybercrime-predictions-2012/125402/0

Page 18: ESET India Cyber Threat Trends Report Q1

About ESET

Founded in 1992, ESET is a global provider of security solutions for businesses and consumers. ESET’s flagship products ESET NOD32 Antivirus, ESET

Smart Security and ESET Cybersecurity for Mac are trusted by millions of global users. ESET NOD32 Antivirus holds the world record for the number

of Virus Bulletin “VB100” Awards, and has never missed a single “In-the-Wild” worm or virus since the inception of testing in 1998. The Company

has global headquarters in Bratislava (Slovakia), with regional distribution headquarters in San Diego (U.S.), Buenos Aires (Argentina), and

Singapore. ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Prague (Czech Republic), Krakow (Poland), Montreal (Canada),

Moscow (Russia), and an extensive partner network in 180 countries.

In India ESET products are exclusively supplied and supported by "ESS Distribution Pvt Ltd". The sales of ESET products are executed through the

Channel Partners across India.

Additional resources

Keeping your knowledge up to date is as important as keeping your AV updated. For these and other suggested resources please visit the ESET

Threat Center to view the latest:

ESET India Facebook

ESET India Twitter

ESET White Papers

ESET Blog

ESET Podcasts

Independent Benchmark Test Results

Anti-Malware Testing and Evaluation