Problem solve Get help with specific problems with your technologies, process and projects.

Your desktop antivirus product may be leaving you wide open to attack, part two

Malware guru Ed Skoudis puts several AV products to the test.

2. Beyond viruses and worms

In addition to viruses and worms, attackers plant hidden backdoors to control machines and use Windows boxes to stage attacks into Unix and Linux systems. Aggressive Web sites and intruders push spyware onto users' machines to log keystrokes and track surfing habits.

We see this stuff as we respond to computer incidents, but can antivirus solutions protect us? As it turns out, no, most of them can't.

The tested antivirus products focus almost exclusively on detecting self-replicating malicious code (viruses and worms) but almost never detected spyware or backdoors. Overall, the results were rather disappointing.


Finding backdoors

Attackers install backdoors and trick users into running them to gain remote access to the heart of your enterprise. The most popular programs used to create backdoors are Netcat, which creates a remote command-shell listener, and the Virtual Network Computing (VNC) suite, used to control a machine's GUI across a network. Because of their immense usefulness, both security pros and black hats use these tools in their protection/penetration regimen. Even though they have legitimate uses, most security personnel want a heads up when they get installed -- potentially by an attacker.

Eight of the 10 antivirus tools left our test systems wide open to Netcat and VNC. Only PestPatrol detected both; Panda detected VNC.

Rooting out *nix-based malware

Antivirus vendors focus their efforts on most malware writers' target of choice: Windows. However, attackers can also use compromised Windows desktops as a staging ground to put rootkits and other malware onto Unix and Linux boxes.

While Windows-based antivirus products can provide early warnings to detect files that could be used to attack *nix systems, by and large, they don't. (See Linux Guru.)

The results were disappointing when we exposed Windows-based antivirus products to the most popular malware for Unix and Linux, including the Linux Rootkit 5 (LRK5), the Universal RootKit (URK), Adore, Kernel Intrusion System (KIS) and the SuperUser Control Kit. Kaspersky, Network Associates, Panda, Symantec and Trend Micro detected only LRK5, while the other products ignored all of the *nix malware.

Unmasking spyware

Lately, the Web seems like a cesspool of aggressive spyware. Keystroke-loggers running on a manager's desktop can learn user IDs and passwords or reveal sensitive business information.

It's alarming, but don't count on antivirus products for protection.

We exposed the antivirus products to 15 common spyware programs, including SaveKeys (a commercial keystroke logger), Perfect Keylog-ger Lite (a free version of a popular keystroke logger), FreeScratch- AndWin (a tool that inserts ads into users' browsing experience) and the controversial Gator software (which aggregates user surfing habits for the commercial benefit of advertisers).

PestPatrol, which specializes in detecting malware other than worms and viruses, performed relatively well, identifying 10 of the 15 specimens, and was the only application to detect Gator. F-Secure, Kaspersky, Network Associates and Panda all detected the same three or four spyware programs. CA, Grisoft, Sophos and Trend Micro detected either one or none of our spyware samples.

For their part, most of the antivirus vendors maintain that these spyware programs are simply doing what they advertise: recording information about users' actions, consistent with their README files and EULAs. The vendors won't classify these tools as malware, regardless of their impact on users and enterprises. Some vendors even cite legal concerns to characterize commercial keystroke loggers as malicious code.

>> Read part three of this review.
This was last published in June 2004

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.