
Your desktop antivirus product may be leaving you wide open to attack, part two

2. Beyond viruses and worms

In addition to viruses and worms, attackers plant hidden backdoors to control machines and use Windows boxes to stage attacks into Unix and Linux systems. Aggressive Web sites and intruders push spyware onto users' machines to log keystrokes and track surfing habits.

We see this stuff as we respond to computer incidents, but can antivirus solutions protect us? As it turns out, no, most of them can't.

The tested antivirus products focused almost exclusively on detecting self-replicating malicious code (viruses and worms) and almost never detected spyware or backdoors. Overall, the results were rather disappointing.

Finding backdoors

Attackers install backdoors and trick users into running them to gain remote access to the heart of your enterprise. The most popular programs used to create backdoors are Netcat, which creates a remote command-shell listener, and the Virtual Network Computing (VNC) suite, used to control a machine's GUI across a network. Because of their immense usefulness, both security pros and black hats use these tools in their protection/penetration regimen. Even though they have legitimate uses, most security personnel want a heads-up when they get installed -- potentially by an attacker.

Eight of the 10 antivirus tools left our test systems wide open to Netcat and VNC. Only PestPatrol detected both; Panda detected VNC.
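As an added illustration (not code from the original review or from any of the products tested), the following Python script shows the kind of "heads-up" check described above: it walks a constructed host inventory of running processes and listening ports, flags Netcat and VNC by their well-known executable names and VNC's default port range (5900 plus display number), and suppresses alerts for hosts where VNC is sanctioned. The record format, host names and the approved-host list are assumptions made for the example.

```python
"""Flag hosts where backdoor-capable tools (Netcat, VNC) are installed or listening.

Added example for illustration; the inventory records below are constructed
sample data, not output from any real product or host.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Executable names under which Netcat and VNC commonly ship (well-known names).
NETCAT_NAMES = {"nc", "nc.exe", "ncat", "ncat.exe", "netcat", "netcat.exe"}
VNC_NAMES = {"winvnc.exe", "winvnc4.exe", "vncserver", "xvnc", "x0vncserver"}

# VNC listens on 5900 + display number by default; cover the first ten displays.
VNC_PORT_RANGE = range(5900, 5910)


@dataclass(frozen=True)
class Record:
    """One running process on a host, with its listening port if any (assumed schema)."""
    host: str
    process: str          # executable name as reported by the host agent
    port: Optional[int]   # listening TCP port, or None if the process is not listening
    cmdline: str


def classify(rec: Record) -> List[str]:
    """Return the finding labels that apply to a single inventory record."""
    findings: List[str] = []
    name = rec.process.lower()
    tokens = set(rec.cmdline.split())

    if name in NETCAT_NAMES:
        # A listener (-l, or -L on the Windows build) is the backdoor shape;
        # Netcat used as an outbound client is merely worth noting.
        if tokens & {"-l", "-L"}:
            findings.append("netcat-listener")
        else:
            findings.append("netcat-present")

    # Match VNC either by binary name or by a listener in its default port range,
    # so a renamed binary on a default port is still caught.
    if name in VNC_NAMES or rec.port in VNC_PORT_RANGE:
        findings.append("vnc-listener")

    return findings


def scan(records: List[Record], approved_vnc_hosts: Set[str]) -> List[Tuple[str, str]]:
    """Return (host, finding) alerts, skipping VNC on hosts where it is sanctioned."""
    alerts: List[Tuple[str, str]] = []
    for rec in records:
        for finding in classify(rec):
            if finding == "vnc-listener" and rec.host in approved_vnc_hosts:
                continue  # legitimate remote-support host; no alert
            alerts.append((rec.host, finding))
    return alerts


# Constructed sample inventory (hypothetical hosts and command lines).
SAMPLE_INVENTORY = [
    Record("ws-017", "winvnc4.exe", 5900, "winvnc4.exe -service"),
    Record("ws-017", "nc.exe", 4444, "nc.exe -l -p 4444"),
    Record("ws-031", "netcat", None, "netcat mail.example.internal 25"),
    Record("helpdesk-01", "winvnc4.exe", 5900, "winvnc4.exe -service"),
    Record("ws-022", "outlook.exe", None, "outlook.exe"),
]

# Hosts where VNC is an approved remote-support tool (assumption for the example).
APPROVED_VNC_HOSTS = {"helpdesk-01"}


if __name__ == "__main__":
    for host, finding in scan(SAMPLE_INVENTORY, APPROVED_VNC_HOSTS):
        print(f"{host}: {finding}")
```

Name- and port-based matching is deliberately simple: it gives the heads-up the review says administrators want, and a renamed binary on a non-default port would need file-hash or behavioural checks on top of it. The approved-host list is what keeps the check from paging on every help-desk machine.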

Rooting out *nix-based malware

Antivirus vendors focus their efforts on most malware writers' target of choice: Windows. However, attackers can also use compromised Windows desktops as a staging ground to put rootkits and other malware onto Unix and Linux boxes.

While Windows-based antivirus products can provide early warnings to detect files that could be used to attack *nix systems, by and large, they don't. (See Linux Guru.)

The results were disappointing when we exposed Windows-based antivirus products to the most popular malware for Unix and Linux, including the Linux Rootkit 5 (LRK5), the Universal RootKit (URK), Adore, Kernel Intrusion System (KIS) and the SuperUser Control Kit. Kaspersky, Network Associates, Panda, Symantec and Trend Micro detected only LRK5, while the other products ignored all of the *nix malware.

Unmasking spyware

Lately, the Web seems like a cesspool of aggressive spyware. Keystroke-loggers running on a manager's desktop can learn user IDs and passwords or reveal sensitive business information.

It's alarming, but don't count on antivirus products for protection.

We exposed the antivirus products to 15 common spyware programs, including SaveKeys (a commercial keystroke logger), Perfect Keylogger Lite (a free version of a popular keystroke logger), FreeScratchAndWin (a tool that inserts ads into users' browsing experience) and the controversial Gator software (which aggregates user surfing habits for the commercial benefit of advertisers).

PestPatrol, which specializes in detecting malware other than worms and viruses, performed relatively well, identifying 10 of the 15 specimens, and was the only application to detect Gator. F-Secure, Kaspersky, Network Associates and Panda all detected the same three or four spyware programs. CA, Grisoft, Sophos and Trend Micro detected either one or none of our spyware samples.

For their part, most of the antivirus vendors maintain that these spyware programs are simply doing what they advertise: recording information about users' actions, consistent with their README files and EULAs. The vendors won't classify these tools as malware, regardless of their impact on users and enterprises. Some vendors even cite legal concerns about characterizing commercial keystroke loggers as malicious code.

>> Read part three of this review.

This was first published in June 2004