Overview
Malware is short for "Malicious Software". It is not a single kind of risk (a virus, worm, trojan, rogue software, botnet, spyware, untrusted adware, keylogger or rootkit) but can be a combination of any two or more of these.
Obviously, you would not want any malware on your computer. Users need to complement their antivirus program with an anti-malware or anti-spyware program that is capable of detecting malware. Malware can spread in a number of ways, including links in unwanted e-mail, e-mail attachments, P2P, the web, etc.
You can learn more about malware by going to http://en.wikipedia.org/wiki/Malware or by asking a question in our forums.
We previously presented another test, Rogue Detections by Free Anti-Malware or Anti-Spyware Programs. The goal of that test was to show that multiple scanners do a significantly better job than a single scanner. You can read it here.
As stated earlier, malware is a combination of different types of risks. One of these risks is rogue software: malware that installs an icon on your desktop, a toolbar, a pop-up or a notification alert. If the user clicks on any of these, they are offered a download of rogue software, and many users fall for this trick. If your anti-malware or anti-spyware fails to detect the rogue software and only removes the other malware traces or the malware dropper/installer, the computer is still infected and remains at risk. Below are example screenshots:
This particular malware dropped a shortcut on the desktop to download "rogue software", and it also installed an mIRC client:

This particular malware added a toolbar offering "rogue software" to the user. It could annoy the user with frequent alerts from the notification area and in dialog boxes, and it automatically opens the default browser (even when not connected to the internet!) to offer the rogue programs:

The goal of this malware test is similar to that of the Rogue Detections Test: a simple demonstration that more than one malware scanner is recommended, because no single scanner will detect all types and traces of threats. A secondary goal is to educate users so that they will be encouraged to install and use anti-malware or anti-spyware scanners alongside anti-virus scanners. You should not depend on an anti-virus program alone, because no single anti-virus or anti-malware program is capable of detecting all types of risks. A final goal of this test is to help users choose the appropriate scanners for their needs, and the ones they should use if they suspect their computer is infected.
Testing Environment/Tools and Method Used
Test System: the guest system is Windows XP Pro with SP3 running in Microsoft Virtual PC; the host system is Vista Ultimate with SP1.
Tools:
1. Outpost Firewall 2008 on the host system; XP's built-in firewall on the guest system.
2. Screen capture utility -- SnagIt
3. Snapshot utility - InstallWatchPro
4. File Analyzer - FileAlyzer
5. Microsoft Virtual PC 2007
Scanners (freeware) used in this test
Anti-Malware/Anti-Spyware
1. A-squared Free by Emsisoft (A2)
2. Ad-Aware 2008 Free by Lavasoft (AAW)
3. MalwareBytes' Anti-Malware Free (MBAM)
4. SUPERAntispyware Free by SUPERAntispyware.com (SAS)
5. Spyware Doctor Starter Edition by PC Tools (thru Google Pack BETA)
6. Spybot Search & Destroy by Safer Networking (SSD)
7. Windows Defender by Microsoft (WD)
Freeware & Standalone Anti-Rootkit Programs
1. F-Secure BlackLight by F-Secure
2. GMER by gmer.net
3. Panda Anti-Rootkit by Panda Software
4. RootAlyzer BETA by Safer Networking
5. RootkitRevealer by Microsoft / SysInternals
These tests consist of three phases:
- Phase I - Malware Dropper or Malware Installer Detection Test
- Phase II - Malware Traces and Dropped Files by Malware Detection Test
- Phase III - Anti-Rootkit Detection Test (to verify whether any anti-malware scanner failed to detect a rootkit that was dropped or installed by the malware)
The method used in each phase:
- Phase I - The malware droppers or installers were scanned with the free editions (or versions) of the seven anti-malware/anti-spyware programs listed above. We also uploaded the samples to VirusTotal's free online scan service, which scans each sample with thirty-two scan engines from different security vendors. We scanned the twenty samples with VirusTotal to verify that the samples are malware, and we present the VirusTotal results so that users can see whether their own antivirus detects these samples, which are currently in circulation.
- Phase II - The malware traces and the files dropped by the malware droppers were scanned using the Quick, Smart or Intelligent scan of each of the seven anti-malware programs listed above. The full or deep scan was not used because the test system had already been scanned in full or deep scan mode before any malware was installed; vendors usually recommend that users scan with the Quick, Smart or Intelligent scan after a scheduled or manual full system scan. The seven malware scanners were configured not to unload, quarantine or remove any detected infection during or after the scan. Note that a Quick, Smart or Intelligent scan covers the Windows directory (C:\Windows and its sub-folders), the Program Files folder and its sub-folders, startup items, running or active processes, files that load into memory, running or active services, etc. (whatever else each vendor's Quick, Smart or Intelligent scan is programmed to cover).
- Phase III - After the Phase II scans, the system was scanned with the five freeware anti-rootkit programs listed above to verify the anti-malware scanners' findings on any rootkit infection.
Note: each round of Phase II uses five malware samples. The total sample size is twenty malware droppers or installers (each of which drops one or more risks or unwanted files), so there are four rounds of testing (twenty samples at five samples per round).
Testing Date: June 3 to June 7, 2008
Testing Method Details:
1. Before executing the malware dropper or installer, the seven scanners were run to check for updates. All scanners were using current definitions and program versions as of the testing dates.
2. A snapshot of the whole drive is taken.
3. After the malware droppers were executed, they were given ten minutes to perform whatever they were programmed to do (e.g. download additional software, change system settings or modify anything on the test system).
4. To see the effect (if any) of executing the malware, the system was rebooted and then kept online for another ten minutes.
5. After five minutes, the firewall on the host system was configured to block all connections, and networking in the guest system (where the malware was executed and still running) was disabled. This was done to prevent the malware from downloading additional files.
6. The snapshot tool was run to get the snapshot analysis.
7. A HijackThis log was taken.
8. The system was scanned with each of the anti-malware and anti-spyware programs. All logs were kept.
9. Anti-rootkit scans were performed (to verify whether the malware scanners had detected a rootkit or not). All logs were kept.
10. The malware traces and the files the malware dropped or installed were counted and the filenames noted. Note: the samples' Registry modifications, hijacked browser homepages, and disabled Registry Editor, Task Manager and System Configuration Utility were not counted.
11. Where possible, a copy of the files and traces installed by the malware was kept (the system was configured to show hidden folders and files).
12. The snapshot analysis and each scanner's log were compared against the pre-test versions to determine the number of items the scanner detected and the number it failed to detect.
13. The guest system's state was deleted.
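The snapshot, diff and log comparison in steps 2, 6 and 12 above can be reproduced with a small script. The block below is an added example, not the tool used in the test (the post used InstallWatchPro and the scanners' own logs): it hashes every file under a monitored root before a sample runs, hashes again afterwards, treats new and modified files as "traces", and then counts how many of those traces each scanner's log names and how many all the scanners together cover. The directory tree, the dropped files and the scanner logs in `demo()` are constructed; the filenames borrow from Round 1 of the post, but their locations are assumptions and the per-scanner results are hypothetical, not the post's data. Registry changes are out of scope, as in step 10.

```python
"""Snapshot/diff/scoring helper for a malware-trace detection test (added example)."""
import hashlib
import os
import shutil
import tempfile


def snapshot(root):
    """Map each file under root (relative path, '/' separated) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(before, after):
    """Return (added, modified, removed) relative paths between two snapshots."""
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    modified = sorted(p for p in after if p in before and before[p] != after[p])
    return added, modified, removed


def score_scanners(traces, scanner_logs):
    """Count, per scanner, how many ground-truth traces it reported.

    traces: paths that the diff established as dropped or modified by the sample.
    scanner_logs: {scanner_name: set of paths that scanner flagged}.
    Returns ({scanner: (detected, missed)}, union_detected, union_missed), where the
    union figures show what the scanners achieve together rather than individually.
    """
    traces = set(traces)
    per_scanner = {}
    union = set()
    for name, flagged in scanner_logs.items():
        hit = traces & set(flagged)
        per_scanner[name] = (len(hit), len(traces - hit))
        union |= hit
    return per_scanner, len(union), len(traces - union)


def _write(root, relpath, data):
    """Write data to root/relpath, creating parent directories as needed."""
    full = os.path.join(root, *relpath.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Run the procedure on a constructed tree; returns (traces, per_scanner, union_hit, union_miss)."""
    root = tempfile.mkdtemp(prefix="tracetest-")
    try:
        # Pre-test state (constructed): a clean "system" with two files.
        _write(root, "Windows/system32/svchost.exe", b"legit")
        _write(root, "Windows/win.ini", b"[fonts]\n")
        before = snapshot(root)

        # Simulated dropper behaviour (constructed): a service binary, a BHO DLL and a
        # driver are dropped, and win.ini is edited. Locations are assumptions.
        _write(root, "Windows/system32/CbEvtSvc.exe", b"dropped service")
        _write(root, "Windows/system32/sockins32.dll", b"dropped BHO")
        _write(root, "Windows/system32/drivers/Pebg28.sys", b"dropped driver")
        _write(root, "Windows/win.ini", b"[fonts]\nrun=CbEvtSvc.exe\n")
        after = snapshot(root)

        added, modified, _removed = diff_snapshots(before, after)
        traces = added + modified

        # Hypothetical scanner logs (not the post's results): each scanner sees part
        # of the picture, none sees the driver, so the union still misses one trace.
        logs = {
            "ScannerA": {"Windows/system32/CbEvtSvc.exe", "Windows/system32/sockins32.dll"},
            "ScannerB": {"Windows/system32/CbEvtSvc.exe", "Windows/win.ini"},
            "ScannerC": set(),
        }
        per_scanner, union_hit, union_miss = score_scanners(traces, logs)
        return traces, per_scanner, union_hit, union_miss
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    traces, per_scanner, union_hit, union_miss = demo()
    print("traces:", traces)
    for name, (hit, miss) in per_scanner.items():
        print(f"{name}: detected {hit}, missed {miss}")
    print(f"all scanners combined: detected {union_hit}, missed {union_miss}")
```

The scoring deliberately separates per-scanner counts from the union: the per-scanner numbers are what the post tabulates per round, and the union is the quantity behind its recommendation to run more than one scanner. A real run would point `snapshot()` at the same roots the Quick/Smart scans cover (C:\Windows and Program Files) and feed it the path lists parsed from each scanner's saved log.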
Note: Samples of the malware droppers and the seven scanner logs are kept. Vendors may request their product's scanner log by sending me a Private Message or contacting me using our contact form.
Testing Limitations to Note
The test reports only detections by the scanners of the twenty samples in circulation; there is NO removal test.
About the Malware Samples
The malware droppers/installers in this test are currently in circulation and were obtained from either:
E-mail attachment:

NOTE: The above screenshot is an e-mail with an infected Document.exe attached. This is a variant of the old Bagle worm and is still in circulation.

Websites that offer infected codecs (via links from spam):

Test Results
NOTE: These are detection tests only. This is NOT a removal test
Phase I - Malware Dropper Detection Test

Note: To view the anti-virus and other malware scanner results from VirusTotal, please download the compressed file attached to this topic. (The download is not available at the moment; I will re-upload it this week.)
Phase II - Malware Traces Detection Test
Round I
http://www.dozleng.c...-1218525886.jpg
Details of Phase II Round I
Malware dropper details:
- a.exe - Trojan Downloader
- avi.exe - Trojan Downloader
- card.exe - Backdoor
- Clipe.scr - Adware Downloader
- Document.exe - Worm
Auto-Start & Memory: mppds.exe, spoolsv.exe, winhost.exe, CbEvtSvc.exe, CcEvtSvc.exe, svchost.exe
BHO & Toolbar: sockins32.dll
Rootkit: Pebg28.sys
File Traces: 127 files in different locations
Round 2
http://www.dozleng.c...-1218526167.jpg
Details of Phase II Round 2
Malware dropper details:
- loveyou.exe - Virus
- Macromedia.Flash.Player.scr - Trojan Downloader
- macromediaflash.com - Trojan
- mgp.exe - Trojan
- SkypeClient.exe - Trojan
Auto-Start & Memory: farkrish.exe, CbEvtSvc.exe
BHO: agsagqsvpnhws.dll
Rootkit: No Rootkit
File Traces: 8 file traces in different folders
Round 3
http://www.dozleng.c...-1218526386.jpg
Details of Phase II Round 3
Malware dropper details:
- icon.exe - Trojan Vundo
- WebSoftCodecdrivern.exe - Adware. Known as Adware.Vapsup.AL or Trojan.Win32.Vapsup.fnv
- Windows-KB946026-X86-ENU.EXE.exe - Virus
- xoomvip.exe - Adware Downloader
- yahoo_messenger9.3.exe - Backdoor
BHO & Toolbar: awtrPhIx.dll, nldfmtappdm.dll, gbiehdst.dll, gktxaspm.dll
Rootkit: No Rootkit
File Traces: 63 in different folders
Round 4
http://www.dozleng.c...-1218526659.jpg
Details of Phase II Round 4
Malware dropper details:
- arch.exe - Trojan Downloader
- nzm1.exe - Worm
- MediaTubeCodec_ver1.1281.0.exe - Trojan
- R3n1c2Bg8A.exe - Trojan Downloader
- Q231448.exe - Worm
Auto-Start & Memory: WinCtrl32.dll, adgpfoxs.dll, erpobmsw.dll, tmdo.exe, qhkhibiv.exe, llnpjly.exe, msprint.exe, wjcxslgp.exe, mssrv32.exe
BHO & Toolbar: byXOiJAp.dll, nogxfvblowa.dll, nmwegbsf.dll
Rootkit: Winou05.sys
File Traces: 31 in several folders
Phase III - Anti-Rootkit Detection Test
Note: RootAlyzer flags Panda Anti-Rootkit as rootkit. It's a false positive.
http://www.dozleng.c...-1218526859.jpg
Analysis
- The seven malware scanners performed poorly at detecting new, in-the-wild malware traces and installers.
- SUPERAntispyware is the only anti-malware program that managed to detect the hidden rootkit installed by the malware (see Phase II - Malware Traces Detection Test, Round 4). However, it failed to detect the rootkit in Round 1 of the same phase.
- A-squared is the only scanner that succeeded in detecting more than half of the malware droppers or installers (see Phase I - Malware Dropper Detection Test).
General Recommendations
- Users should scan the system with a dedicated anti-rootkit scanner, because not all of the malware scanners were capable of detecting rootkits.
- Most anti-virus programs were capable of detecting the malware droppers. Please ensure that your detections are up to date at all times to help protect against malware; new malware is being created all the time.
- Use more than one anti-spyware or anti-malware scanner, because no single malware scanner will be able to detect all of the different types of risks. This was shown in the test presented above (Malware Detection Test) as well as in a previous test (Rogue Detection Test).
Please see our disclaimer at http://www.dozleng.c...?act=boardrules
For any comments and questions, please post a reply here. Please do not hotlink the images.
You may download the attached compressed files (.xls and .html; NOT available at the moment, I need to re-upload the screenshots taken during the testing dates) to view the screenshots of the scan results of the seven malware scanners, the five anti-rootkit programs and the 32 scanners at VirusTotal.
Preview of the excel document:
http://www.dozleng.c...-1218527138.jpg
Note: When you click a filename in the Excel viewer, you will see the screenshot of the 32 scanners' results from VirusTotal.com.
The .html file in the attached zip has links to the screenshots of the scan results of the seven freeware malware scanners and the five standalone anti-rootkit programs.