ForceField and Gumblar Step Into the Ring…

By Jordy Berson, group product manager, ZoneAlarm products

We just got the results in from our malware testing team. We don’t like to claim victory early, even when we are fairly certain of a win. But now we know. (Technical details are in the last paragraph for the “just the facts” folks.)

“Are you ready to ruuumble??”

To be sure, it wasn’t the best fight. ForceField won. Easily. There wasn’t even any contact. It made for a snoozer of a fight. But a snoozer is exactly what you want when your identity and security are at risk.

 

Here’s how it went down:

The victim user went to one of many possible sites. So far, more than 3,000 Web sites have been attacked, including a popular entertainment site and sports site. The second the victim arrived on the infected site, Gumblar was waiting. And not for a fair fight.

 

When you cannot even see the enemy, what chance do you have? 

Far from facing its victims, Gumblar sneaks right past you, through a vulnerability in your computer software. Normally, the fight would end here. Gumblar would find a quiet place on your computer and take over. He could then do any number of things as these types of threats do. He could spy on you, watch what sites you go to, record everything you type, open doors to let some of his friends onto your computer, and use *your* computer to attack other computers!

 

But not this time

The enemy Gumblar faced was ForceField. Not brawny, but definitely wise and clever, ForceField saw right through that invisible cloak and instantly knew Gumblar was an uninvited guest. So when Gumblar snuck onto the victim computer, ForceField did a classic sneak attack of its own.  Gumblar ended up on the victim computer, sure enough, but landed straight in jail. Here, Gumblar was completely isolated from the rest of the computer and was unable to do anything at all. This maneuvering on ForceField’s part was done automatically – you as a user had to do nothing to protect yourself. 

 

So were you a victim or not?

·         First of all, it is more likely you did NOT hit a Gumblar-infected site than you did**.  So take a breath and read on.

 

·         People using ZoneAlarm ForceField as a trial or who own ZoneAlarm ForceField are protected.  Right on!

 

·         People using ZoneAlarm Extreme Security get the protection of ForceField as well. But in ZoneAlarm Extreme, you have to activate the virtualization protection as it’s off by default.  Go to the Browser Security panel of ZoneAlarm Extreme, click the Settings button, and make sure there’s a checkbox next to “Enable Virtualization.” 

 

·         If you are running ZoneAlarm anti-virus: ZoneAlarm anti-virus signatures have been updated to offer an additional layer of automatic protection against Gumblar.

 

·         If you weren’t running ForceField virtualization, see my previous blog “Gumblar – Not a new Parker Brothers game” for details on how to know if you’ve been infected.

 

**The likelihood of falling victim to a single attack is low. But because there are so many attacks out there, the likelihood you’ll hit one eventually is much greater. So protect yourself!  Even if you don’t run ForceField, at least make sure all the software on your computer is always up-to-date!

 

Gumblar versus ForceField: Just the facts

·         We were able to locate an actual Gumblar attack and test ForceField against it. ForceField successfully defended the computer against Gumblar.  

 

·         ForceField used virtualization to redirect the automatic, hidden drive-by download so it could not run on the victim computer. It also used heuristics to label the host site as suspicious and warn the user not to download anything from the site or enter personal information into the site (this was done in case Gumblar had a social engineering component to its attack in addition to the drive-by download attack, which in this case it did not).

 

·         Based on this successful test, it is very likely ForceField protects from other variants of Gumblar (though it is the nature of this quickly-evolving business that nobody can ever be 100% certain).

 

·         ZoneAlarm anti-virus signatures have also been updated to offer an additional layer of automatic protection against Gumblar.

 

·         As always, users should ensure they have the latest version of their browser, operating system, Adobe software, and all other software including security software.

 

Test conditions we used:

1. IE v. 7.0.5730.11

2. Adobe Reader v. 9.0.0

3. ForceField v. 1.3.153.0

 

 

Avoiding the Latest Adobe Acrobat Security Vulnerabilities

By Daniel Armao, Security Advisor (Guest blogger)

 

Adobe has released information that its PDF software, Adobe Reader and Adobe Acrobat, has two new critical vulnerabilities (CVE-2009-1492 and CVE-2009-1493). If exploited, the vulnerabilities could allow an attacker to take control of a victim’s computer and download malware to steal banking information, add the computer to a botnet, or download fake “antivirus” programs. The vulnerabilities could be exploited by viewing a website or opening an email attachment.

 

Adobe recommends disabling Javascript in Adobe Reader and Acrobat: open Adobe Acrobat Reader, go to Edit > Preferences > Javascript, and uncheck “enable Javascript.” Adobe expects to provide a product update by May 12, 2009.

 

Some security experts have recommended using an alternative PDF reader, which can be found at: http://pdfreaders.org/. Other alternatives not listed there are Foxit Reader and CutePDF.

 

The drive-by download attacks that take advantage of the Adobe PDF vulnerability in web browsers may be prevented by ZoneAlarm ForceField. ForceField’s technology puts your computer in a “protective bubble” that isolates the browser (Internet Explorer, Firefox, etc.) from the rest of the hard drive, preventing drive-by downloads from downloading and modifying system files without your consent.

 

More information will become available at Adobe's security bulletin and advisories at: http://www.adobe.com/support/security/

 

Avoid the "SpywareProtect2009" Scareware Scam and Conficker Payload

by Daniel Armao, Security Advisor

 

The Conficker worm recently received a new update over a peer-to-peer network. The update downloads a bogus "antivirus" program called SpywareProtect2009, which tries to trick users into buying it through scare tactics: a fake “virus scan” that offers to “delete” nonexistent threats only if the consumer buys the fake antivirus. SpywareProtect2009 also generates popups that show messages such as “your computer is infected” and hijacks the infected computer's Web browser. There is speculation that Conficker might be using Waledac, a botnet that spreads by email in the form of fake holiday e-cards, to send spam from infected machines and to steal passwords with a keylogger.

 

If you encounter a scareware popup on the Web, do not click on the popup at all, not even the Cancel or X buttons. To get rid of the popup prior to infection, open the Task Manager (Ctrl-Alt-Delete) and, in the Applications tab, click “End Task” on your Web browser (Internet Explorer, Firefox, Safari, etc.).

 

Scareware such as SpywareProtect2009 can also infect a user on the Web without Conficker. To protect yourself against scareware and other malware, make sure you have the latest updates from Windows, keep your ZoneAlarm Internet Security up to date, and use the ZoneAlarm firewall. ZoneAlarm ForceField will also protect against scareware and other malware by keeping the browser in a protective bubble. Make sure you do not buy SpywareProtect2009, because not only are you out $49.95, the creators will also now have access to your credit card number…and we all know what that means – unauthorized charges on the card. If you are a victim of a scareware tactic, please dispute all charges with your credit card company.

 

More information on how to detect and remove Conficker can be found at:

http://blog.zonealarm.com/blog/2009/03/the-conficker-worm-signs-protection-and-removal.html

Could tax software be hacked? Social engineers prey on our humanness.

By Jordy Berson, Group product manager, ZoneAlarm products

Social engineering is a cruel hacking technique that plays on our naivete, behavioral patterns, curiosity and general humanness.  A few examples:

  • HACKER SENDS US: An e-mail on Valentine's Day with subject, "Someone wants to kiss you!"
  • WE: Must know who.  The woman I spilled my cinnamon dolce latte on at Starbucks? The guy at 7-eleven who bought M&Ms while I bought Reese's Pieces?

  • RESULT: Click the Web link from the e-mail, go to the Web site, malware secretly downloads to our PC to spy on us.

Or:

  • HACKER CONTACTS US: Our lost uncle from Britain whom we never knew died (sad) and left us $50,000 (sadness fading a bit). We just need to send in $1000 for handling to get the money.

  • WE: Send in the $1000 and wait by the mailbox like Linus in the pumpkin patch.

  • RESULT: The $50,000 (and The Great Pumpkin) never arrives

These scams piss me off more than any other because they take people's dignity along with the prize they're after.  What pisses me off even more is that hackers around the world are bringing in comfortable six-figure incomes purely by plundering us workers!  (See related article that my buddy Frank sent around the office:) http://voices.washingtonpost.com/securityfix/2009/03/obscene_profits_fuel_rogue_ant.html?wprss=securityfix

The best way to protect yourself from these online parasites, may they all be caught and jailed, is to use the same street smarts online that you use in the real world.  Be suspicious! Don't respond to offers that are too good to be true or seem weird in the least without checking them out first. Never click a Web link from a strange e-mail. Use updated security software to protect yourself.  Keep all of your computer programs, browser plug-ins, and your operating system up-to-date at all times.

But it's not always easy!  Even the best of us can be tricked because hackers make use of the same processes we've come to use and trust online in order to trap us.  I was talking with my fellow blogger James this week about this because a journalist had asked us to consider: What if hackers took advantage of e-mail viral marketing to attack us and our friends?  For example, Web sites such as Yelp! and LinkedIn among many others will go into our address book to invite our friends to participate in their services (with our permission). For example:

  • TRUSTED WEB SITE: Offers to e-mail our address book of friends on our behalf and invite them to use Yelp, Facebook, etc.

  • WE: Trust them.

  • RESULT: No harm done. We and our friends have special moments together online through our increased connectedness.

Now we've been trained to trust this technique.  So it's ripe for the taking as far as hackers are concerned.  A hacker could attack the legitimate Web site we trust; could spoof the Web site we trust (we think it's the legitimate site, but it's a malicious site made to look just like the legitimate site); or could create a brand-new site from scratch. In any case, this same technique could e-mail our friends on our behalf.  Our friends get an e-mail from us so they trust it (social engineering), follow the Web link, and KABLAM! Spyware downloads to our friends' computers.

This puts extra stress on our relationships.

Then James brought up a similar scenario that's even more dangerous.

  • TAX PREP SOFTWARE: Offers to automatically gather our tax info from Fidelity, eTrade, etc.  We just need to give it our username and password to each financial site.

  • WE: Hate taxes, and will do anything to make it go faster and easier.

  • RESULT: We are sad (if we owe), happy (if we get a refund), but no harm done.


But it's easy to see how the above could have an unhappy ending.  I have no doubt the tax prep companies such as Turbo Tax do a great job of ensuring security.  And I've yet to hear of any vulnerabilities in this area.  But the fact that hackers are highly motivated by their six-figure incomes and the fact that no security is 100% secure makes me think things could go very wrong here. Imagine just handing over the keys to your financial information to a hacker because they've stepped in between you and a trusted Web site or have spoofed a Web site you trust. 

The lesson: Think before you give away the keys to any of your information. Consider the cost/benefit of these types of automated features.  Certainly make sure the entity you're trusting is deserving of your trust and is who it says it is.  This is not to say you should abstain from these automated features.  The risk as of now, and as far as I know, is small to nil of getting hacked in this way.  We'll see what the future brings.

 

Security News: Router-based botnet attacks

By James Grant, Team Lead and Senior Developer

Usually, when you hear about massive online attacks using botnets, it is legions of infected Windows computers that are doing the dirty work. Here is something new, the exploitation of routers:  Network Bluepill - a stealth router-based botnet has been DDoSing DroneBL for the last couple of weeks:

“…this is the first known botnet based on exploiting consumer network devices, such as home routers and cable/dsl modems. Many devices appear to be vulnerable. The size of this botnet so far cannot be determined. The author of this worm has some sophisticated programming knowledge, given the nature of this executable. Action must be taken immediately to stop this worm before it grows much larger. We came across this botnet as part of an investigation into the DDoS attacks against DroneBL's infrastructure two weeks ago, and feel that this botnet was the one which flooded DroneBL.

We are looking into finding out more information about this botnet, and its controller. If you have any information, we would like to know. …If you intend to disassemble this botnet, you should note it's UPX-compressed. I estimate that at the time of writing, there is at least 100,000 hosts infected. I suspect that the .sql and .pma exploit tools are used for finding more controllers. But I do not have the controller payload. This technique is one to be extremely concerned about because most end users will not know their network has been hacked, or that their router is exploited. This means that in the future, this could be an attack vector for the theft of personally identifying information. This technique will certainly not be going away.”

My worry here is that it is even harder for Internet users to keep their peripheral hardware secure compared to keeping their own computer secure. As users, we don't like the idea of viruses and malware on the computer we use, but it is easier to ignore someone misusing our equipment, as long as it doesn't prevent us from doing what we want.

The Conficker Worm: Signs, Protection, and Removal

By Daniel Armao, Security Advisor

Experts believe that the Conficker worm, which has infected millions of PCs, is programmed to change on April 1st 2009, dangerously increasing the number of domains that infected PCs contact to run an update program. This worm has not delivered a payload yet, but if it does, it could install spyware on the infected machines to steal financial information or conduct a denial of service attack against websites.

The Conficker worm, first discovered in October 2008, infects a PC through a vulnerability in the Windows Server service that was patched by Microsoft Windows security patch MS08-067. (Note that Mac operating systems are not at risk.) The worm tries to find connections to systems that are unprotected by the patch. When it infects a PC, it connects to a rogue web server that is controlled by the Conficker creators.

To protect yourself from Conficker:

·        Make sure you update your PC with updates from Microsoft by using the automatic update feature. Network Administrators must make sure to get the latest security updates by Microsoft.

·        USB drives may get infected by the Conficker worm if Autorun is not disabled. To prevent a USB infection, PC users can download a patch that allows the option to disable the Autorun functionality: http://support.microsoft.com/kb/967715

·        Make sure your PC has active, updated security software and the latest virus signature definition updates to detect:

o        In ZoneAlarm, click Antivirus on the left navigation bar, then click the Update Now button. (ZoneAlarm is set to receive virus signature updates several times a day—you can set them to happen hourly by going to the Antivirus panel and clicking Advanced Options.)

o        To make sure your product is up-to-date, click Check for Updates on the main panel, lower left corner.

o        A strong two-way firewall is also recommended, so a suite that includes a firewall and antivirus is ideal. (For example, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, or ZoneAlarm Extreme. Free trials are available.)

·        Networks with weak passwords can also allow the Conficker worm to infect systems through brute-force software, which is designed to guess short and simple passwords. To protect yourself, use long and complex passwords that have at least 6 characters, are unique, and include numbers, uppercase letters, and symbols.

Signs you may be infected with Conficker:

·        Windows services are disabled—such as Automatic updates (in System Properties panel), Background Intelligent Transfer Service, and Error Reporting service (in System Properties).

·        Some security-related web sites are blocked. This web page loads several of the security sites typically blocked -- http://eyechart.sie.isc.org/  -- so you can check it to see if you may be infected.

·        You experience a slow response from network domain controllers (i.e., slow security authentication request responses)

·        Your system restore points are deleted
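The service, blocked-site and restore-point signs above can be checked from a PowerShell prompt. The following is an added example, not a ZoneAlarm tool: the function name `Test-ConfickerSymptoms` and its `-ProbeHosts` parameter are made up for illustration, and the service short names are the standard Windows names for the services the post mentions.

```powershell
# Added example: read-only check for the Conficker symptoms listed above.
# A hit is a symptom to investigate, not proof of infection; an administrator
# may have disabled a service or System Restore on purpose.
function Test-ConfickerSymptoms {
    param(
        # Host names of security sites you normally reach; the post names none,
        # so supply your own list (empty list skips this check).
        [string[]]$ProbeHosts = @()
    )

    $findings = @()

    # Services the post says get disabled. ERSvc is the Error Reporting
    # service on Windows XP/2003; WerSvc is its name on Vista and later.
    $services = @{
        'wuauserv' = 'Automatic Updates'
        'BITS'     = 'Background Intelligent Transfer Service'
        'ERSvc'    = 'Error Reporting (XP/2003)'
        'WerSvc'   = 'Error Reporting (Vista and later)'
    }
    foreach ($name in $services.Keys) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }   # service not present on this Windows version
        if ($svc.StartMode -eq 'Disabled') {
            $findings += "Service disabled: $($services[$name]) ($name)"
        }
    }

    # Blocked security sites: a name that will not resolve on this machine
    # but resolves elsewhere matches the second sign in the list.
    foreach ($h in $ProbeHosts) {
        try   { [void][System.Net.Dns]::GetHostAddresses($h) }
        catch { $findings += "Cannot resolve security site: $h" }
    }

    # Deleted restore points: the SystemRestore WMI class lists existing ones.
    # The query needs an elevated prompt; a failure is reported as a warning.
    try {
        $points = @(Get-CimInstance -Namespace 'root/default' -ClassName SystemRestore -ErrorAction Stop)
        if ($points.Count -eq 0) { $findings += 'No system restore points found' }
    } catch {
        Write-Warning "Could not query restore points: $($_.Exception.Message)"
    }

    $findings
}

# Prints one line per symptom found; prints nothing when none are present.
Test-ConfickerSymptoms
```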

 

REMOVAL INSTRUCTIONS FROM ZONEALARM TEAM:

To detect and remove the Conficker worm:

·        If you do not use ZoneAlarm, please check for removal details at the Web site for your security software.

·        If you have ZoneAlarm, click Antivirus on the left navigation bar, then:

1.     Click the Update Now button.

2.     Click the Scan for Viruses/Spyware button.

3.     If the scan results show a virus with any variation of the names conficker, kido or downadup, remove it immediately with our remover tool. Download tool.

Best Tricks for Staying Ahead of Unpatched Software Exploits

By Liam T, Security Advisor, SecureTec Australasia

Firewalls, antivirus, and antispyware programs are an essential part of keeping your computer secure, but allowing insecure programs to access the internet threatens to undermine this protection. An “insecure program” is simply a program which contains a known security vulnerability, which all too often has the potential to allow an attacker unrestricted access to the computer. In my experience it is not uncommon to find between 5 and 10 insecure programs installed on an average computer.

A firewall can stop unauthorized access to the computer and prevent unauthorized programs from accessing the internet, but allowing an insecure program to access the Internet is a bit like leaving a bank vault door open and hoping the security guard inside (your antivirus/antispyware protection) is tough enough to deal with the criminals which will inevitably show up.

Ensuring you have the latest updates for Windows and “all” the other software installed on your computer will protect your computer from many common security exploits and in essence close the door to the vault. But this can be harder than it sounds, which is why I’m sharing a few tips to make it easier to stay ahead of exploits.

1. Make sure you have enabled Automatic “Microsoft” Updates.  The first step in ensuring your computer is up to date, is to make sure that the Windows Automatic Updates are turned on and that you are checking for “Microsoft” Updates as opposed to “Windows” Updates. Microsoft Updates will update the majority of Microsoft products (including Office) in one go, whereas Windows Updates generally only updates Windows itself. To enable checking for Microsoft Updates click the link below and follow the prompts:

http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us

2. Check for and update insecure programs. Checking for and updating insecure programs installed on your computer can be quite troublesome, but thankfully this task has been made significantly easier with the release of software scanning tools from Secunia:

Secunia Software Inspector program (free for home use):

Secunia Corporate Software Inspector (more advanced paid version for businesses):

3. How secure are the programs you use? Ensuring software is up to date is an important step in staying secure but it will still not prevent exploits in programs for which a patch or update has not been released. For example, Internet Explorer was vulnerable to exploits for 284 days in 2006, leaving users exposed to potential attacks. Other easily forgotten software which use browser plugins, such as Macromedia/Adobe Flash, Adobe Acrobat, Java and QuickTime, also tend to be hit by several exploits a year. If you would like to check the security of specific programs you use, you can do so here: http://secunia.com/search/

Many users have also experienced fewer incidences of browser exploits using Mozilla Firefox as an alternative to Internet Explorer. Firefox, like Internet Explorer, has its share of security flaws but their patch release time is extremely fast, averaging 1-3 days, unlike Internet Explorer which has at times been weeks or even months before a patch was released. More information about Firefox can be found here: http://www.mozilla.com/firefox/. Users of alternate web browsers like Firefox still need to ensure that the plugins for their browser such as Flash, Acrobat, Java and QuickTime are always kept up to date.

As many security exploits target common web browsers and their plugins, ZoneAlarm ForceField was released to provide protection against these threats. ZoneAlarm ForceField protects Internet Explorer and Mozilla Firefox, and their plugins, by creating a virtual "bubble" around the web surfing session, protecting the computer from fraudulent websites, Phishing scams, Spyware websites, and dangerous downloads. If you aren’t already using it, you should seriously consider it.

NOTE from the ZoneAlarm team: ZoneAlarm security suites also have a program control feature that may provide some protection when no vulnerability patch is available. By default, ZoneAlarm program control’s “least-privilege” policy can help prevent an application from running in a way that allows the vulnerability to be exploited. For example, say a vulnerability exists for an application and you cannot patch it yet. The vulnerability may require that the application have server rights in order to be exploited, but thanks to the least-privilege policy, server rights would not be granted.

The Conspiracy of Silence around Web Attacks

By John Gable

ZoneAlarm Director of Product Management

 

Hardly anyone knew about it.

 

The Los Angeles Angels website was recently hacked overnight with a drive-by download. It tried to download “AntiVirus 2009”, a well known fake security program that actually installs malware, onto visitors' systems. The Angels fixed the problem the next day, but damage was done.

 

I don’t mean to pick on the American League West Champions. This happens much too often, not just in major league baseball, but also the National Football League (Miami Dolphins), job sites (Monster.com), financial institutions (Bank of India) and plenty more.

 

What else don’t you know about?  Did you know about …

I suggest there are 3 good reasons most people don't hear about such incidents.

  1. Hackers want to be invisible.  Gone are the “good ole days” when a hacker wanted to become famous. The "I Love You" virus was a big problem, but at least you knew if you were infected. Now hackers go to great lengths to make sure you don’t know anything is happening as they take over your PC.

  2. Web sites that have been hacked don’t exactly spend marketing funds to tell the world what happened. Responsible sites, like Check Free, quickly contact any potential victims to help them. But the last thing most sites want is to scare you away.

  3. Same logic applies to software vendors, even security companies. Plus, sometimes they don’t want to advertise vulnerabilities because they don’t want to educate hackers how to break in.

Special kudos to the companies that do a good job at communicating threats. Adobe just issued a security bulletin about a buffer overflow issue with Adobe Reader 9 and Acrobat 9.

 

I’m happy to report that our new ZoneAlarm Extreme Security, which integrates our latest PC security suite with our web browser security and more, is the only security suite that blocked any of the threats I listed above from the very first moment they hit the Web (someone else might have stopped the LA Angels attack - but I can verify that others missed all the other attacks).

 

In fact, ZoneAlarm Extreme Security blocks all of them. See our Stops Attacks Others Miss page for more details.

 

Do you think people need to know about these Web attacks or is ignorance bliss?

Waledac Valentine's Day attack stopped by ZoneAlarm ForceField. Are we the only ones?

by John Gable

 

Another Valentine's Day special.

 

You may have been reading how the Waledac botnet, a successor to the Storm botnet, has come to haunt your Valentine's Day.

 

This botnet is running a Valentine’s Day "campaign" soliciting people with phony Valentine’s themed e-mails and greeting cards. When users click through to a Web site to receive their messages, malicious software is silently and automatically downloaded to their computer. The malicious software can do any number of nasty things such as logging and transmitting everything a user types, stealing their credit card numbers and online passwords, and turning their computer into a launch pad to attack others.

 

With over 1000 variants in just one day, this is very hard to stop.  Perhaps impossible to stop for typical antivirus software that relies on lists of known threats.

 

This is yet another example of how important browser security has become.  We need to stop attacks like these at the point of entry - the web browser - and prevent that malware from getting onto the PC in the first place.

 

Thank you ZoneAlarm ForceField.  Just add ZoneAlarm ForceField to IE or Firefox, and you will be protected from attacks like this.  Our browser security prevents this and other attacks from hacking your PC by keeping the browser inside a "virtual sandbox" where malware cannot access your system.  It also includes other powerful browser defenses like dual-engine anti-phishing (signatures and heuristics) and more.

 

Question:

 

So far, ZoneAlarm ForceField is the only mainstream consumer security product I can find that blocks this attack and the other Waledac botnet attacks starting on day one.  Anti-spam should block some or most of the spam that initiates this attack, but it is rarely 100% reliable.  Good internet sense may stop you from clicking on the link, but who knows, maybe you do have a Valentine somewhere that loves you.  There are some techy PC virtualization and sandbox software programs out there, but they are too cumbersome for most people. 

 

Is there a better way to block this attack?

 

PS.  If you want to learn more about the Waledac Valentine's Day attack, the Waledac botnet or Storm botnet, these are my favorite posts on the subject:

 

Malware Writers Use Multiple Botnets to Spread Valentine's Day Heartache

eWeek by Brian Prince

 

Another Waledac Valentine's Day Spam Run Has Started

MX Logic IT Security Blog

 

New And Improved Storm Botnet Morphing Valentine's Malware

Dark Reading by Kelly Jackson Higgins

Zango sneaks onto FaceBook users’ PCs

Going surfing? It’s dangerous out there - wear layers.

Is the Internet really dangerous? As you surf, are you *really* at risk? The answer is YES, but nothing hits a point home like a modern-day example.

The example comes from our old “friends” at Zango (formerly 180Solutions). Those who follow ZoneAlarm events will remember the court case 180Solutions brought against us just a couple years back for protecting our customers from installing their application. They eventually dropped the complaint after we refused to back down (http://download.zonealarm.com/bin/free/pressReleases/2006/pr_1.html), but that didn’t stop Zango from continuing their tricky tactics.

 

It all starts with a secret crush

So you’re on Facebook, and there in the top right you see what any breathing human would consider a titillating, intriguing message: “1 secret crush invitation.” Oh, and a little red heart. Gentlemen, ladies – how many of you will take notice and click through? Could you use a little company? Perhaps the next Mr. or Mrs. Right?

But in this case, it’s no secret admirer. It’s a “corporate admirer,” and the only company you’re going to get out of the deal is a sneaky little piece of adware that downloads to your computer and watches you. (Fortinet, who discovered the exploit, has the details nicely recorded here: http://www.fortiguardcenter.com/advisory/FGA-2007-16.html.)

 

Social engineering ends in heartbreak

This practice Zango used is called social engineering. It can hit you anytime, anywhere. It’s the way that hackers get you to willingly download crap to your PC. This crap can be anything from bothersome adware that slows your PC and flashes banner ads, to programs that record anything you type such as credit card numbers.

You could even end up with a vicious rootkit, keylogger or spyware program that just all-out takes control of your PC to attack your friends and family, attack the government, send illegal porn, and other very bad things. Estimates say that about 25% of us have at least one of these types of program on our PC.  

 

Get protection – layers of protection

We all need to do a lot to protect ourselves, those around us, and the Internet-at-large. In the above Zango case, I believe it’s incumbent upon Facebook to qualify the widgets that are offered through their service. And it’s incumbent upon companies that are creating really cool, open services like Facebook and widgets to consider security implications along with all the fun.

And here’s what we should do: Simply protect ourselves with a lot of layers of security. This way, even if a threat gets by one or even several layers, there will always be another layer (or several) to catch it.

In the Zango example, ZoneAlarm products protect in a number of ways. Here’s how:  

 

ZoneAlarm ForceField

This is the product designed specifically to protect you as you surf the Web. (It’s currently in beta as a free download.)

ForceField caught Zango variants with two of its layers. First, it found a Zango URL variant that was dangerous (below) through its spy site blocking:

[Screenshot: ForceField spy site blocking]

Next, it found a variant of the Zango executable as it downloaded to the PC through its dangerous download detection (below).

[Screenshot: ForceField dangerous download detection]


 


ZoneAlarm Internet Security Suite

This is the single firewall-based product designed to protect you and your PC from everything that gets thrown at it. It caught Zango variants with three of its layers:

First, like ForceField, it caught Zango at the Web site source through its spy site blocking feature (below).

[Screenshot: ZoneAlarm Internet Security Suite spy site blocking]


 

Next, its antivirus caught and eliminated the variant as soon as it was downloaded to the PC (below).

[Screenshot: ZoneAlarm Internet Security Suite antivirus detection]


 

The final layer was ZoneAlarm’s program control, which catches malicious applications through a behavioral approach (below).

[Screenshot: ZoneAlarm program control]


- JordyB
 

 
