Saturday, November 22, 2008

Anti Virus EffectiveLESS

I am trying to measure the effectiveness of AntiVirus engines, as there are lots of talks about AV companies, so I decided to try myself.

The huge variations of malware that appear everyday is making things harder on the AV vendors. Here is a clear and practical example:

I am using Bifrost as my test malware, it is well known trojan since 2006, very easy to use, you just need to configure it and it will generate a server.exe file that when you run it on the victim's machine, it will connect to your Bifrost trojan on your machine.

- Bifrost will allow you to have full control over the victim, things like file manager, offline and online key logger, screen shots with different resolutions, ...... it is a nice tool indeed.

- Let us check how many AV will detect the server.exe file as a malware, the detection rate is more than 95%, which is good if we discard the fact that all AV should detect it as it is an old well known trojan, however let us skip this part.

- My goal here is to trick AV, let us do some packing, and use MS IExpress, which is MS tool to create a self-extracting and self-installing package.

- Let us check the results now, detection rate is 52%, wow, Mcafee and Symantec did not catch it, as most Enterprises I knew are using Mcafee and Symantec AV, this should be an alarming sign to them, watch out. Kaspersky, MS, AVG, clamAV, sophos,.. detected it.

- Let us add some complexity to the AV engines, I will change the extension of the server.exe file to server.jpg, and create a shortcut to it , then zip the 2 files as SFX exexutable file winrar, the end result is server.exe. the detection rate now is 51%, not bad, we are progressing.

- Let do something else, I will email the last file to myself using some of the widely used free web mail services, here is what i got:
Google: did not allow me to attach the file.
Hotmail: the email was sent but it was placed it in the spam section, with a warning that there might be some unsafe content.
yahoo new interface: the email went to the spam folder.
yahoo classic: the email was delivered in the inbox with no warning

Now imaging that a hacker has crafted a nice well prepared social attack against you, and attracted you to open the file even it is in the spam folder,.... job done :)

The message is clear now, AV engines are not good anymore, they have to evolve or die.

One last nice note, Microsoft AV detected them all !!!

No comments: