  • KAV TEST Part 1 (12/06/2007 published in: KASPERSKY 6 TEST)
    FIRST PART based on the behaviour. NB: "Accès refusé" on screenshots means "Access denied". 1) Execution protection: a) with the Task Manager launched via Ctrl+Alt+Del: F1/F2; b) with srip32 launched by explorer.exe: F1/F2; c) with shellcode for running notepad.exe:...
  • ENDPOINT AND DATA THEFT TEST (11/06/2007 published in: KASPERSKY 6 TEST)
    These tests concern endpoint threats: with the success of USB keys, iPods, and removable media, this is an excellent attack and infection vector. Tests a, b, and c are simple demos which dump the content of the My Documents folder and file type content (Slurp). Other tests can really be a threat,...
  • ROOTKIT TESTS B (30/05/2007 published in: KASPERSKY 6 TEST)
    B) Classical ("hiders"/intrusion/hacker tools), malware/automated and demo rootkits: 1) Hiding a process with Trojan.Constructor.Uniskit.H (BitDefender): a) detection: P1/P2 by ProcessWalker; b) prevention: P1/P2. Service/driver installation is detected. But if we allow the...
  • STEALTH KEYLOGGERS TEST (27/05/2007 published in: KASPERSKY 6 TEST)
    C) Stealth keyloggers: Here only the detection is concerned: these commercial programs need to be installed first with administrator privileges. Some keyloggers hide their own folders (not seen in the Program Files folder). The results are often: F1: fail result for the Proactive module: no "hidden...
  • ROOTKIT TEST PART A (20/05/2007 published in: KASPERSKY 6 TEST)
    Rootkit prevention and detection. A) Detection and prevention protection: For prevention (service/driver installation, physical memory access) see also part 1 (behaviour tests). Here we use the Agony rootkit to hide a file, a registry key and an active process. We also use a commercial program designed to...
  • OTHER MALWARES Part 11 (08/05/2007 published in: KASPERSKY 6 TEST)
    -Backdoor Aladino: P1/P2 -Backdoor Clindestine.152.a: P1/P2 Symantec? never heard of that... -Backdoor.Yuri (DrWeb and Panda have the more appropriate name): P1/P2 The "disable Task Manager" option chosen for the server is easily detected and blocked: -Backdoor Zdmon: P1/P2 -BrainBot:...
  • OTHER MALWARES Part 5 (08/05/2007 published in: KASPERSKY 6 TEST)
    -Bdoor backdoor: P1/P2 -Hanuman Backdoor: F1/P2 This backdoor does not try to be permanent by writing the Run key (F1): -HKShell backdoor: P1/P2 -ICMPDoor backdoor: P1/P2 NB. ICMP is considered a "poor protocol", but it is certainly one of the most interesting for firewall and IDS...
  • OTHER MALWARES Part 7 (08/05/2007 published in: KASPERSKY 6 TEST)
    In parts 7 and 8 we'll illustrate trojan spies and trojan bankers, a kind of Brazilian speciality... People who usually surf on .br or .por domains should take a look at this site, where a helpful forum and a specific tool are dedicated to the eradication of this kind of pest. As malware coders...
  • OTHER MALWARES Part 10 (08/05/2007 published in: KASPERSKY 6 TEST)
    -Trojan Downloader Small.dam: P1/P2 -Trojan Obfuscated.ev: P1/P2 -Trojan Spy Lmir.bgk: P1/P2 -Trojan Spy Mara.bo: P1/P2 -Trojan Spy Small.bs: P1/P2 Here again system process terminology is used: svchost is a generic process related to many services (for those who are not...
  • OTHER MALWARES Part 9 (08/05/2007 published in: KASPERSKY 6 TEST)
    -Trojan Spy QQPass.rq: P1/P2 -Trojan Spy Bancos.tl: P1/P2 -Trojan Spy Bancos.yt: P1/P2 -Trojan Spy Banker.axc: P1/P2 -Trojan Spy Banker.ccc: P1/P2 -Trojan Spy PdPinch.gen: P1/P2 -Trojan Spy Banbra: P1/P2 -Backdoor Delf.ag: P1/P2 -Backdoor Shadows (detected only as...
  • OTHER MALWARES Part 8 (08/05/2007 published in: KASPERSKY 6 TEST)
    -Backdoor VB.aw: P1/P2 -Dialer CapreDeam.p: P1/P2 -MSNIPstealer: F1/F2 (only detected by Webwasher) NB. This is a hack tool designed to "steal" the IP address of MSN users. "Fail" results can't really be considered important here: the goal was more to demonstrate how it is...
  • KAV TEST PART 2 NEXT AND END (08/05/2007 published in: KASPERSKY 6 TEST)
    b) Worms and viruses: -Feebs: P1/P2. KAV detects the launch of the IE browser, which can be blocked, and detects the startup entry once mshta.exe is running. Mshta.exe is not killed, but no harmful changes are made. AV detection: -WormRays: P1/P2. Wormray is blocked instantaneously once...
  • ROOTKIT TEST B Next (08/05/2007 published in: KASPERSKY 6 TEST)
    16) Trojan Downloader Win32.Small.emg/SpamBot variant: We can't reproduce a real-life situation for this test (the infection occurs via web sites), so we just run the files locally. Detection with Helios Lite and Spyware Process Detector (a clone of Security Task Manager) and two CMDLine hidden...
  • WORMS, VIRUSES, and SCRIPTS 2 (08/05/2007 published in: KASPERSKY 6 TEST)
    -Zhelatin worm: P1/P2 -"Kav Virus": P1/P2 Here we just create a simple malicious script that we call "kav virus": -P2P-WORM.Win32.Small.y: P1/P2 -Worm.Win32.Agent.ak: P1/P2 -IM Worm Win32.VB.as: P1/P2 Scan for the first test ("fresh malware"): Scan for the...
  • OTHER MALWARES Part 6 (08/05/2007 published in: KASPERSKY 6 TEST)
    -PoisonIvy RAT: P1/P2 In this example the server file (orishas.exe) is not detected by the scanner engine as malicious: -MiniTunnel (pure backdoor which does not install itself on the system but just acts as a server): F1/F2 False positives of 2 scanner engines (F-Prot and...
  • OTHER MALWARES Part 2 (08/05/2007 published in: KASPERSKY 6 TEST)
    - Armageddon trojan: F1/P2 - IRC bot: P1/P2 - Fake codecs, Zlob and variants: P1/P2 KAV only prevents the malware from being permanent, not the download of rogue products. On a live system, this trojan is difficult to remove for inexperienced users...
  • McAfee Rootkit Detective renamed keys (08/05/2007 published in: KASPERSKY 6 TEST)
    ================================================= Registry Key : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.REN Name :...
  • OTHER MALWARES Part 3 (08/05/2007 published in: KASPERSKY 6 TEST)
    - backdoor oscar: P1/P2 - Fearless keyspy: P1/P2 - backdoor Seed: P1/P2 - Code Injection Downloader: P1/P2 - Iow A's Webdownloader: P1/P2 - Bandoork Backdoor: P1/P2 - Poly Downloader: P1/P2 (trojan generic) - Web Devil Proxy Trojan: F1/P2 Active...
  • OTHER MALWARES Part 4 (08/05/2007 published in: KASPERSKY 6 TEST)
    -Trojan Arduk: P1/P2 -Trojan dialer.ht: P1/P2 -Backdoor PackBot.p: P1/P2 -Bat Virus: P1/P2 -Wmf trojan downloader variant: F1/P2 -Trojan Nyxem: P1/P2 -Backdoor Win32.vb.yh: P1/P2 -Eagle Agent Trojan: P1/P2 This trojan from China is not known to AV databases: most of...
  • OTHER MALWARES Part 12 (08/05/2007 published in: KASPERSKY 6 TEST)
    -Backdoor Win32.WinRC: P1/P2 -Trojan Spy Win32 vb.qq: P1/P2 "Dialer" detections are false positives: We build a server that we call Yahoo Messenger, configured to kill the Windows firewall, Kaspersky antivirus (avp.exe), etc. -Trojan Spy Win32.VB.dd: P1/P2 -Trojan Spy HermanAgent:...
  • WORMS, VIRUSES AND SCRIPTS 3 (08/05/2007 published in: KASPERSKY 6 TEST)
    -Worm Scanao: P1/P2 -Worm Delf.bg (also known as Worm Cekar by Sophos): F1/P2 KAV self-defense: When the host is already infected, the PDM detects a suspicious behaviour, but it's too late (no prevention). -Worm Locksky.au: P1/P2 -Worm Jalabed.b: P1/P2 Worm with an exhaustive list of...
  • KAV TEST Part 3 Next and end (08/05/2007 published in: KASPERSKY 6 TEST)
    7) Man-In-The-Middle Attack: a) Locally with SSLSpoofer (R): P1/P2 A fake certificate is returned, but KAV is able to detect the connection of SSLSpoofer on port 443, and the fake certificate. As displayed by the next image (referer), this communication is encrypted: ...
  • KAV TEST Part 3 (08/05/2007 published in: KASPERSKY 6 TEST)
    CLIENT/SERVER SIDE ATTACKS and other tests: Here we focus on attacks which occur via client applications (the browser for instance) and which may represent a possible attack in case of intrusion. NB. Most of these tests were done during the summer of 2006, and new versions of IE and Firefox...
  • KAV TEST Part 2 Next (08/05/2007 published in: KASPERSKY 6 TEST)
    3) Malware protection: a) Trojans and backdoors: -BasicBackdoor: P1/P2 KAV warns about a rundll32 integrity violation: this can't really be considered an alert related to suspect or malicious activity. But even if the backdoor is not known to KAV labs, the deny answer to the alert ...
  • KAV TEST PART 2 (08/05/2007 published in: KASPERSKY 6 TEST)
    PART 2: IN THE WILD WITH REAL MALWARE. 1) Protection during the boot and before the shutdown: a) keylogging protection with WinlogonHijack: P1/P2 P2 ("accès refusé" = "access denied"): b) New program running at boot: -keylogger: with Ardamax...
  • KAV TEST Part 1 Next (08/05/2007 published in: KASPERSKY 6 TEST)
    4) Registry protection: -with Scoundrel Simulator (Run Keys): P1/P2 (4/5) -with RegTest1: P1/P2 -with RegHide (hidden key called "can't touch me"): P1/P2 NB: KAV can prevent hidden key installation but is not able to detect an already installed hidden key (see rootkit...
  • Other MALWARES Part 13 (08/05/2007 published in: KASPERSKY 6 TEST)
    Most of these malwares try to install themselves and are easily blocked by the "Trojan Generic" proactive alert. Some malwares only open connections, and are not blocked by the proactive module (F1 results). Unfortunately, most .jpg files have been lost for most of these samples...
  • WORMS, VIRUS and SCRIPTS (30/04/2007 published in: KASPERSKY 6 TEST)
    - Xorala: P1/P2 NB. KAV prevents the malware from being permanent, but not the creation of its files: - Vulcano: P1/P2 - VB Fun Love: P1/P2 - IRC VBS: P1/P2 - Autoworm: F1/P2 - "Virus": P1/P2 (not known to KAV labs, uses keyboard hooks): -Email worm Win32...