Link to Main Site

Click here to visit our main site

Tuesday, 10 January 2012

A cautionary tale - one antivirus tool is not enough!

Last night I decided to test Microsoft Security Essentials v4 Beta against a "safe" threat. The results I achieved resulted in running similar tests on other products then and finally to this post.

Let me start by adding a caveat to this report: I do not have the tools or time available to thoroughly test. However, I do have many years of field experience across a range of platforms & systems and although (among other services) I resell various Antimalware tools, this report is neither intended to endorse any one tool nor to compare the absolute performance of one against another.

OK, now I have your attention, what got me so bothered?

To my surprise the majority of tools recommended by many people failed to detect the threat. Those few that did detect failed to fully contain all of it's features in the first pass.

Test Details
The host machine was a fully patched Vista 32bit SP2 running under VirtualBox (I do not advise trying this type of test unless you can safely hose your system - a virtual platform is a good start). The OS had a pre-existing MSE v2 (production release) installed.

The attacking tool was the All-in-One Keylogger from Relytec. The keylogger is a commercial tool offered for business and residential customers. In residential uses it is most often used for parental control, child protection and "marriage breakup" scenarios. I installed the 7-day trial version.

The tool appears to obfuscate itself in an randomly named executable in a hidden directory and registers a randomly named service that links to a dll located in the System32 directory. The tool comes with ample help, good vendor support, plus an easy to use uninstaller. It's not malware pushed by criminals.

Upon downloading, I installed it using the least stealthy settings so as to leave entries in the start menu and on the desktop, plus a quick launch icon in the taskbar. I had intended to progress from least stealthy toward most stealthy until the tool could not be discovered.

Where possible, for each tool used, I enabled realtime file system and spyware protection, plus used scanning on maximum settings in each case. If there was any detection during real-time use or scanning, I rebooted the virtual machine check for start-up detection.

After each test run, I reverted the VM to its original state, removed the pre-existing MSE v2 and installed the next test candidate.

Test Results
I'll try to summarise the results here rather than end up with a huge ammount of detail in one post.

  • MSE v2 : No detection in real-time or in full scan
  • MSE v4 Beta: No detectrion in real-time or full scan
  • MalwareBytes AntiMalware Pro Trial: No detection in real-time or in full scan
  • SuperAntiSpyware Trial: No detection in full scan - real-time not available in the trial
  • AVG 2012 Free: No detection in real-time or in full scan
  • Avast Free v6: No detection in real-time or in full scan
  • Avira Free: No detection in real-time or deepest system scan
  • Windows Defender: No detection in real-time or full scan
  • Spybot S&D: Detection of the Start Menu entry and Desktop Shortcut only. No detection of registry entries, nor of active keylogging, screen capture or application tracking.
  • TDSS Killer: No detection during scan.
  • Online Armor ++ 30-day Trial: Detection of the Start Menu item. Detection of the randomly named hidden executable, but no initial detection of the keylogging. After reboot, OA++ detected the randomly named start-up service as a keylogger and offered to block. Blocking was successful for the keylogger, but the screen capturing and application tracking and logging were still active. This may have been because of the way to tool launches
  • Autoruns: Ability to disable the randomly named start up service, which prevented the tool from launching any logging - this was different from the behaviour when OA++ offered to block the start-up service. However, it should be noted that for most people, it would have been nearly impossible to locate the obfuscated service in the autorun report and there would have been no reason to run autoruns unless suspicious activity had already been noted - in other words, I knew what I was looking for by then.
  • Bundled uninstaller: Removed the tool completely.

The Keylogger used is a genuine tool which serves a valid and useful purpose. It clearly states restrictions of use in its T's and C's. However, in the wrong hands, tools such as this could be used maliciously and evade detection.  More specifically, there are classes of Malware that can evade most commonly used tools that are recommended by the "man-in-the-street".

Most importantly, no single tool can detect all malware. If any single tool gives a positive result, it should be carefully investigated with a range of other tools - some antimalware only found the shortcuts, not the active components.

Finally, just to re-iterate: this is not an advert for any specific tool or product, and not to compare absolute performance, but to highlight the dangers of complacency and illustrate a class of potential malware that can go undetected by many common AV tools.

No comments:

Post a Comment