Your desktop antivirus product may be leaving you wide open to attack

Malware guru Ed Skoudis tests various antivirus products.

Your antivirus product isn't doing the job you think it is.

Antivirus is one of the most mature infosecurity technologies and the undisputed mainstay of desktop and network defense against nasty code lurking on the Internet. But, too many of us put unwavering trust in these applications to stop malware attacks.

Such blind faith is misplaced, as Information Security found in its month-long test of 10 leading desktop antivirus products against 11 criteria (see About this review).

We found that many antivirus products are surprisingly easy to defeat, can't detect malware using alternative attack vectors and are difficult to manage. Strikingly, the capabilities and reliability of the products varied greatly.

In the two decades since the first viruses appeared, most antivirus vendors continue to push the same basic signature-based technology. Feature sets have been added and functionality improved, but the products haven't evolved as rapidly as the capabilities of viruses and worms.

For this reason, rather than simply testing the breadth and effectiveness of vendors' signature libraries, we focused on other critical -- and often neglected -- aspects of antivirus products: effectiveness against attack mechanisms designed to fool or disable antivirus protection; detection of increasingly popular forms of malware such as spyware and backdoors; and, in particular, enterprise-scale manageability (see Report Card).

We discovered that not all antivirus products are equal, and many don't provide the protection you think they do.

1. Evading antivirus

Malware writers are constantly looking to give their malcode the ability to evade detection and gain unfettered control over target systems. Signatures won't work if malware can dodge antivirus protection. To test the antivirus tools' resilience, we exposed each product to malware for which it had a signature, then attacked it using various techniques to fool or disable it. We found that some products were easily subverted, while others were made of sterner stuff.

Delving into hidden streams

Attackers can -- and often do -- insert malware into an alternate data stream (ADS) under a directory or file on a Windows NTFS partition. ADSes are subterranean structures hiding inside the file system and are invisible to built-in Windows directory tools. Attackers can easily tuck malicious code into an ADS using a variety of Windows programs, including a simple "type" command.

There was something of a hubbub in 2000 because most antivirus products didn't scan ADSes. Most vendors say they've closed this gap, but the problem hasn't gone away. Not only were we able to plant malware in ADSes under executables, text files and directories, but the majority of the tested antivirus products ignored ADSes during on-demand scans when set to default configurations. Even more chilling, several products overlooked ADS-borne malware in real-time scans.

Only Network Associates detected malware in ADSes during both on-demand and real-time scans with its default configuration, which offers a solid level of security.

Default real-time protection against ADS-borne malware is also provided by Computer Associates (CA), F-Secure, Grisoft, Panda Software and Sophos.

Kaspersky Labs and PestPatrol, on the other hand, offer no real-time protection against malware in ADSes. In these products, an on-demand scan will detect ADS-borne malware -- unless a user disables it.

Symantec and Trend Micro offer protection, provided it's turned on. Symantec's default configuration provides no malware protection in ADSes -- a significant concern. Trend Micro's default settings check for ADS-based malware attached to .exe files but completely ignore code stashed under other file types. These defaults are dangerous because the vast majority of organizations don't tune their desktop antivirus settings.

Resisting antivirus killers

Many malware specimens, including last summer's Bugbear.B worm, attempt to disable antivirus before infecting a target system. Here's how it works: A worm initially launches a small "warhead" to disable antivirus by killing its processes, then installs a backdoor. Alternatively, a clueless or malicious user might try to disable a scan or kill its running processes.

We attempted to kill the processes associated with each antivirus product to disable real-time protection by running a kill script that simulates the action of malware. The good news is that malicious code or users without admin rights couldn't shut down any of the antivirus solutions. But the results were mixed when we tried the same thing using malware with admin privileges.

This is a serious concern: There's the threat of malicious code running with admin or system privileges, and many organizations give users local admin privileges on their desktops -- a dangerous and frustratingly persistent practice.

Only Kaspersky was bulletproof against this attack. We couldn't shut down its antivirus processes, even as admin-level users. Kaspersky kept on running, displaying an error message as it thwarted our attempts. Some of the others keeled over and died, while the balance fell somewhere in between:

  • As a local admin, we disabled real-time antivirus protection on systems running CA, F-Secure and PestPatrol, rendering them vulnerable to malware until the next on-demand scan or reboot.

  • We temporarily disabled Panda's and Trend Micro's antivirus protection, but the processes restarted automatically within 30 seconds. While that's certainly better than no protection, it leaves a brief window of exposure.

  • We were able to kill antivirus processes on Network Associates- and Sophos-protected machines, but doing so crashed the systems and forced a reboot. It wasn't graceful, but the machines weren't compromised.

  • We could kill processes associated with Grisoft and Symantec, but antivirus protection never ceased.

Compressing and concealing

Attackers also attempt to hide malware by compressing it. We evaluated the antivirus products' ability to detect common malware specimens compressed with WinZip, Win-Zip twice compressed, Tar, gzip and Bzip2 formats.

F-Secure, Kaspersky, Network Associates and Panda rose above the rest by detecting compressed malware in several formats. However, the default configurations of CA, PestPatrol and Sophos couldn't detect tar-compressed malware, which can easily be opened with WinZip and is popular for distributing malicious code.

Spotting modified malware

For most of the tests in this review, we used unmodified malware specimens that were safely downloaded and moved to our air-gapped lab. But we also wanted to see how antivirus products would respond to a very small and common tweak of some popular backdoor tools -- tini.exe, Ultor's Trojan Port and NTbindshell.exe -- each of which provides a backdoor shell that listens on a TCP port.

Most antivirus vendors focus on detecting malware files that are exactly the same as those found in the wild. Using a hex editor, we made slight alterations, modifying just two bytes in the executable itself so that the program would listen on a different TCP port. This is a common tactic among attackers, who can customize ports in a backdoor based on what's accessible in the target network.

Only Network Associates, Panda and Trend Micro detected all of our modified malware specimens.

>> Read part two of this review.

>> Find out who made the grade.


This was first published in June 2004

Dig deeper on Security Resources

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close