Anti-Spyware: Efficiency of the Means of Defense

Mykola Krasnostup, Dennis Kudin
20.03.2010 | 15:18

contacts@security-ukraine.com

Cybercrime is growing rapidly, and the crucial question now is whether anti-spyware and anti-virus products are capable of protecting users' confidential information from programs specially created to steal it.

It is the efficiency of this protection that determines whether e-commerce and online financial transactions will thrive in the future. In fact, their very existence could be put at risk by cybercrime.

Identity theft on the Internet makes online buyers more cautious and less active, security experts say. In other words, spyware harms consumers' trust in the Web.

For example, Webroot's "State of Spyware" report for Q3 2005 (http://www.webroot.com/resources/archive/pr/0511-SoSq3top10.html) states that the number of information-stealing programs is growing, and so is the threat to Internet users.

Consumer Reports research for Q3 2005 shows that 86% of users have made at least one change in their online behavior for fear of losing information about their identities: 30% spend less time on the Internet, 53% have stopped providing their personal information on the Web, 25% no longer buy online, and 29% of those who still buy do so less often.

We made the efficiency of data protection the sole criterion of our comparative study. Moreover, we tested how anti-spyware and anti-virus products perform against the most dangerous information-stealing software, i.e. the very kind of programs cybercriminals use to steal confidential information.

The method we used for the testing is simple enough to apply. Even a user with little programming experience can repeat this testing himself - and the results will be the same.

Having studied the security software market for years, we came to the conclusion that it was necessary to perform our own testing of anti-spyware and make the results public. The reasons were the following:

  1. Though various anti-spyware reviews constantly appear on the Internet, the criteria of these tests vary, and so do the methods used to evaluate their results. That is why a top position in such a list doesn't guarantee that the product is the most efficient at protecting sensitive information from theft. For example, the basic criterion in most tests is usually the number of spyware signatures in a product's database. The problem is that there are lots of programs whose signatures are not there - and sometimes will never be in any signature base. (These programs are described below in more detail.)
  2. Even if during a test one program has detected and blocked 10 pieces of spyware out of 10, and another one has managed only 7 out of 10, it doesn't mean the first program will protect users' private information 100%.

    Most experts consider spyware to be any program that transmits information from a user's PC to a third party without the user's knowledge or consent, whatever the information. There is no way of finding out what a piece of "spyware" detected during a test actually was: relatively innocuous code for gathering users' browsing habits, or extremely dangerous software created specially for identity theft or espionage.

  3. In some tests the evaluation criteria themselves determine the result. Such criteria can include a program's ability to close popup ads or the design of its interface.
  4. As any marketing specialist knows, the most widespread product is not always the best one. Much depends on advertising, particularly on the money spent on the product's promotion.

The aim of the testing was:

  • To evaluate software which is supposed to protect critical information from theft, using the real efficiency of this protection as the main criterion. The testing simulates the situation when a computer is infested with the most dangerous kind of spyware - custom-made keyloggers, which cybercriminals use to steal information. Anybody can take the source code of a keylogging program from the Internet and compile an entirely new "spy" which no product based on signature analysis will detect.
  • To check the efficiency of the heuristic algorithms which most anti-virus and anti-spyware vendors claim to apply for detecting spyware.

The grounds for developing our testing method were the following:

The number of publications about stealing confidential information by means of spy software, and about the means of protection against it, has skyrocketed in the last couple of years.

In the report "The proactive approach to data protection against modern spy software" (http://bezpeka.com/en/lib/antispy/anot2868.html) we already stressed that the type of programs called System Monitors (according to the SpyAudit classification) is especially dangerous. System Monitors include keyloggers and more advanced keylogger-based programs, which can intercept not only keystrokes (in user mode and in kernel mode) but also capture text from application windows and clipboard contents, take screenshots, etc.

It is this very kind of software that we call "spy programs"; we do not include any kind of adware here. The reason is that the consequences of a keylogger attack and those of a piece of adware are incommensurable.

System Monitors are becoming more and more dangerous and are turning into the main threat. This is confirmed by numerous articles, surveys by Webroot and Earthlink SpyAudit, documents of the Anti-Spyware Coalition (http://www.antispywarecoalition.org) and other organizations which deal with this matter.

To read more about our classification of spy programs, see "The proactive approach to data protection against modern spy software" (http://bezpeka.com/en/lib/antispy/anot2868.html).

The Anti-Spyware Coalition recently released a document named Risk Model Description (http://www.antispywarecoalition.org/documents/RiskModelDescription.htm), based on a program's behavioral patterns. Among other risk factors, the following are considered "high risk": replication behavior (mass-mailing, worming, or viral); installation without the user's explicit permission or knowledge, drive-by installation, or use of a security exploit; storage and transmission of personally identifiable data without notice and consent. Moreover, a program's behavior is high risk if it disables security software or lowers security settings in the browser, application, or operating system. The Anti-Spyware Coalition hopes that its classification will lead to the development of higher-quality anti-spyware products.

How can a user really protect his PC against spy programs?

It is possible only by means of a combination of software products consisting of:

  • Software Product #1 - a dedicated product focused on protection against information-stealing programs, based on heuristic mechanisms. It provides constant protection and does not use a signature base, which means it will also protect against custom-made spy programs.
  • Software Product #2 - an anti-virus product to protect against a wide range of adware and spyware; its signature base should be regularly updated.
  • Software Product #3 - a personal firewall controlling access to the Internet from the personal computer on the basis of policies set by the user himself.

These products should be used together, because:

An anti-virus product responds to the penetration of a keylogger-containing virus only after the information has already been captured, because its signature base has not yet been extended with the new sample and correspondingly has not been updated on the user's computer.

A personal firewall asks too many questions - even a well-trained user can answer them incorrectly and misconfigure it. For example, some commercial monitoring programs use the processes of products which are knowingly permitted to access the Internet (browsers, mail clients, etc.); as a rule the user must allow these to access the Internet. As a result, the information is stolen because the anti-virus program failed to prevent it, and is then sent over the Internet to an address previously specified by the hacker (or some other person).

Only a product of the first type works silently, asking the user no needless questions, and performs its task constantly in the background.

But do all users install at least the existing products to protect their computers? Not everybody, experts say. According to a survey by AOL and the National Cyber Security Alliance (NCSA), 81% of PCs lack at least one of the recommended means of defense, namely a firewall, an anti-virus product and an anti-spyware application. 56% of consumers' PCs have no anti-virus at all or haven't updated it for more than a week. Misconfigured firewalls were found on 44% of PCs. The same 44% have no anti-spyware product installed (http://bezpeka.com/ru/news/2005/12/08/5221.html).

How efficient the existing anti-spyware applications are, and whether a top-rated product will protect information against theft, are questions of crucial importance now. The existing testing methods on which most ratings are based do not take into account the very possibility of protection against programs still unknown to anti-spyware developers, particularly custom-made spyware. The most important criterion in such studies is usually the number of signatures in the signature database, i.e. the number of spyware variants a product with this signature base can detect. Only programs from the signature base are recognized; all other spy programs will run unnoticed and unstopped.

The problem is that a good many people are capable of creating a brand-new spy program which will not appear in any signature base. It takes a few days to write a simple keylogger, and even a novice in programming can manage it. Those who can't write a program themselves can download source code from the Internet and change it a bit, producing a new spy program.

The method of testing

Considering the points mentioned above, we applied a different approach to the comparative testing of anti-spyware. On the one hand, it is so simple that one needn't be an expert to repeat this testing oneself - and make sure the results are the same.

On the other hand, this method clearly shows whether popular anti-spyware products can really protect users' critical information from theft.

The testing was performed as follows. We took the source code of these keyloggers:

  1. Key Logger by Jerome Scott II (K1)
    http://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId=1645&lngWId=7
  2. KeyLoggerMore_Sample (K2)
    http://www.codeguru.com/code/legacy/system/KeyLoggerMore_Sample.zip
  3. try_wnd1 (K3)
    http://www.ladia.ru/cpp/appli/files/log.zip
  4. KEYLOGGER (K4)
    http://www.delphifr.com/gma/Keyloggers
  5. KEY LOGGER, ENREGISTREMENT CRYPTÉ + DÉCODEUR (K5)
    http://www.delphifr.com/code.aspx?id=12616
  6. SIMPLE PETIT KEYLOGGER (K6)
    http://www.delphifr.com/code.aspx?id=12279
  7. TOUCHES DE CLAVIER EN SIMULTANNÉ (HOOK) (K7)
    http://www.delphifr.com/code.aspx?id=12276
  8. Best Free Keylogger (BFK) (K8)
    http://sourceforge.net/projects/bfk
  9. Simple Python Keylogger for Windows (K9)
    http://sourceforge.net/projects/pykeylogger

Then we compiled the source code of these keyloggers and obtained the test spies used for testing popular anti-spyware and anti-virus programs.

The testing was performed on computers with fully updated operating systems, Windows XP Professional SP2 and Windows 2000 SP4, on 32-bit Intel architecture.

For the testing we chose 22 well-known anti-spyware products which are included in most Internet ratings of this kind:


Product name | Version | Developer's URL | Developer
--- | --- | --- | ---
Ad-aware SE Pro | Build 1.06r1 | http://www.lavasoft.de/ | Lavasoft
AntiSpy | 2.13 | http://www.softvers.com/antispy/ | Softvers
BPS Spyware Remover | 9.2.0.9 | http://www.bulletproofsoft.com/ | Bullet Proof Soft, Inc.
CounterSpy | 1.5.82 | http://www.sunbelt-software.com/ | Sunbelt Software
Maxion Spy Killer | 5 | http://www.maxionsoftware.com/ | Maxion Software
McAfee Anti-Spyware | 2.0.0.167 | http://www.mcafeestore.com/ | McAfee, Inc.
Microsoft AntiSpyware | 1.0.701 | http://www.microsoft.com/ | Microsoft Corporation
PestPatrol | 5.0.2.3 | http://pestpatrol.com/ | Computer Associates International, Inc.
PrivacyKeyboard | 7.1 | http://www.bezpeka.biz/ | Information Security Center Ltd
Spy Cleaner Gold | 3.6 | http://www.spycleaner-gold.com/ | Topdownloads Networks
Spy Sweeper | 4.5.7.756 | http://www.webroot.com/ | Webroot Software, Inc.
Spybot Search & Destroy | 1.4 | http://www.spybot.info/ | Patrick M. Kolla / Safer Networking Limited
SpyHunter | 2.0.1086 | http://www.enigmasoftwaregroup.com/ | Enigma Software Group, Inc.
SpyRemover | 2.46 | http://www.itcompany.com/ | InfoWorks Technology Company
SpySubtrac | 3.11 | http://www.trendmicro.com/ | Trend Micro Incorporated
Spyware Be Gone | 7 | http://www.spywarebegone.com/ | MicroSmarts LLC
Spyware Blaster | 3.4 | http://www.javacoolsoftware.info/ | Javacool Software LLC
Spyware Crusher | 1.0.9 | http://www.spywarecrusher.com/ | Spyware Crusher
Spyware Doctor | 3.2 | http://www.pctools.com/spyware-doctor/ | PC Tools
Spyware Stormer | 1.4.7 | http://www.spywarestormer.com/ | Spyware Stormer, Inc.
TrueWatch | 1.2.0.0 | http://www.truesuite.com/ | Esaya, Inc.
XoftSpy | 4.19 | http://www.paretologic.com/products.aspx | ParetoLogic Inc.

We tested anti-virus products as well as anti-spyware, because most anti-virus vendors declare that their products fight spyware too. That is why a separate test of anti-virus products was carried out with the same test spies.

For the testing we chose 22 well-known anti-virus products which appear in most Internet ratings (we used http://www.virustotal.com for this testing):


Product name | Developer's URL | Developer | Version | Update
--- | --- | --- | --- | ---
AntiVir | http://www.hbedv.com/en/ | H+BEDV (AntiVir) | 6.33.0.70 | 12.23.2005
Avast | http://www.avast.com/ | ALWIL (Avast! Antivirus) | 4.6.695.0 | 12.22.2005
AVG | http://www.grisoft.com/ | Grisoft (AVG) | 718 | 12.23.2005
Avira | http://www.avira.com/ | AVIRA (AVIRA Desktop) | 6.33.0.70 | 12.23.2005
BitDefender | http://www.bitdefender.com/ | Softwin (BitDefender) | 7.2 | 12.23.2005
CAT-QuickHeal | http://www.quickheal.co.in/ | Cat Computer Services (Quick Heal) | 8 | 12.21.2005
ClamAV | http://www.clamwin.com/ | ClamAV (ClamWin) | devel-20051108 | 12.19.2005
DrWeb | http://www.drweb.com/ | Doctor Web, Ltd. (DrWeb) | 4.33 | 12.23.2005
eTrust-Iris | http://www.ca.com/ | Computer Associates (Iris, Vet) | 7.1.194.0 | 12.23.2005
eTrust-Vet | http://www.ca.com/ | Computer Associates (Iris, Vet) | 12.4.1.0 | 12.23.2005
Fortinet | http://www.fortinet.com/ | Fortinet (Fortinet) | 2.54.0.0 | 12.23.2005
F-Prot | http://www.f-prot.com/ | FRISK Software (F-Prot) | 3.16c | 12.22.2005
Ikarus | http://www.ikarus.at/ | Ikarus Software (Ikarus) | 0.2.59.0 | 12.23.2005
Kaspersky | http://www.kaspersky.com/ | Kaspersky Lab (AVP) | 4.0.2.24 | 12.23.2005
McAfee | http://www.mcafee.com/ | McAfee (VirusScan) | 4657 | 12.23.2005
NOD32v2 | http://www.nod32.com/ | Eset Software (NOD32) | 1.1335 | 12.22.2005
Norman | http://www.norman.com/ | Norman (Norman Antivirus) | 5.70.10 | 12.23.2005
Panda | http://www.pandasoftware.com/ | Panda Software (Panda Platinum) | 8.02.00 | 12.22.2005
Sophos | http://www.sophos.com/ | Sophos (SAV) | 4.01.0 | 12.23.2005
Symantec | http://www.symantec.com/ | Symantec (Norton Antivirus) | 8 | 12.23.2005
TheHacker | http://www.hacksoft.com.pe/ | Hacksoft (The Hacker) | 5.9.1.060 | 12.21.2005
VBA32 | http://www.anti-virus.by/ | VirusBlokAda (VBA32) | 3.10.5 | 12.22.2005

The results of the testing

The testing results for anti-spyware:


Anti-spyware product \ Test spy | K1 | K2 | K3 | K4 | K5 | K6 | K7 | K8 | K9
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Ad-aware SE Pro | - | - | - | - | - | - | - | - | -
AntiSpy | - | - | - | - | - | - | - | - | -
BPS Spyware Remover | - | - | - | - | - | - | - | - | +
CounterSpy | - | - | - | - | - | - | - | - | -
Maxion Spy Killer | - | - | - | - | - | - | - | - | -
McAfee Anti-Spyware | - | - | - | - | - | - | - | + | -
Microsoft AntiSpyware | - | - | - | - | - | - | - | - | -
PestPatrol | - | - | - | - | - | - | - | - | -
PrivacyKeyboard | + | + | + | + | + | + | + | + | +
Spy Cleaner Gold | - | - | - | - | - | - | - | - | -
Spy Sweeper | - | - | - | - | - | - | - | + | -
Spybot Search & Destroy | - | - | - | - | - | - | - | - | -
SpyHunter | - | - | - | - | - | - | - | - | -
SpyRemover | - | - | - | - | - | - | - | - | -
SpySubtrac | - | - | - | - | - | - | - | + | -
Spyware Be Gone | - | - | - | - | - | - | - | - | -
Spyware Blaster | - | - | - | - | - | - | - | - | -
Spyware Crusher | - | - | - | - | - | - | - | - | -
Spyware Doctor | - | - | - | - | - | - | - | - | -
Spyware Stormer | - | - | - | - | - | - | - | - | -
TrueWatch | - | - | - | - | - | - | - | + | +
XoftSpy | - | - | - | - | - | - | - | - | -

("+" = the test spy was detected/blocked, "-" = it was not.)

The testing results for anti-virus products ("no" = not detected; otherwise the detection name reported by the scanner):


Anti-virus product \ Test spy | K1 | K2 | K3 | K4 | K5 | K6 | K7 | K8 | K9
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
AntiVir | no | no | no | Heuristic / Trojan.Keylogger | no | Heuristic / Trojan.Keylogger | no | no | no
Avast | no | no | no | no | no | no | no | no | no
AVG | no | no | no | no | no | no | no | no | no
Avira | no | no | no | Heuristic / Trojan.Keylogger | no | Heuristic / Trojan.Keylogger | no | no | no
BitDefender | no | no | no | no | no | no | no | Generic.Malware.SLM.10535C5E | no
CAT-QuickHeal | no | no | no | Monitor.KeyLogger.i (Not a Virus) | no | no | no | Monitor.BFK.11 (Not a Virus) | no
ClamAV | no | no | no | no | no | no | no | no | no
DrWeb | Trojan.KeyLogger.342 | no | no | no | no | no | no | no | no
eTrust-Iris | no | no | no | no | no | no | no | no | no
eTrust-Vet | no | no | no | no | no | no | no | no | no
Fortinet | no | no | no | no | no | no | no | Keylog!tr | no
F-Prot | no | no | no | no | no | no | no | no | no
Ikarus | no | no | no | no | no | no | no | no | no
Kaspersky | no | no | no | not-a-virus:Monitor.Win32.KeyLogger.i | no | no | no | not-a-virus:Monitor.Win32.BFK.11 | no
McAfee | no | no | no | no | no | no | no | Keylog.gen | no
NOD32v2 | no | no | no | no | no | no | no | probably unknown NewHeur_PE virus | no
Norman | no | no | no | no | no | no | no | no | no
Panda | no | no | no | no | no | no | no | no | no
Sophos | no | no | no | no | no | no | no | no | no
Symantec | no | no | no | no | no | no | no | no | no
TheHacker | no | no | no | no | no | no | no | no | no
VBA32 | Trojan.KeyLogger.342 | no | no | no | no | no | no | no | no

Summary table

The products' performance against custom-made spy programs:


NN | Product | Spyware detected, %
--- | --- | ---
1 | PrivacyKeyboard | 100,00
2 | AntiVir, Avira, CAT-QuickHeal, Kaspersky, TrueWatch | 22,22
3 | BitDefender, BPS Spyware Remover, DrWeb, Fortinet, McAfee, McAfee Anti-Spyware, NOD32v2, Spy Sweeper, SpySubtrac, VBA32 | 11,11
4 | Ad-aware SE Pro, AntiSpy, Avast, AVG, ClamAV, CounterSpy, eTrust-Iris, eTrust-Vet, F-Prot, Ikarus, Maxion Spy Killer, Microsoft AntiSpyware, Norman, Panda, PestPatrol, Sophos, Spy Cleaner Gold, Spybot Search & Destroy, SpyHunter, SpyRemover, Spyware Be Gone, Spyware Blaster, Spyware Crusher, Spyware Doctor, Spyware Stormer, Symantec, TheHacker, XoftSpy | 0,00
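The summary table above is just the per-product share of the nine test spies detected, with ties grouped into places. The following script, an added example that is not part of the original article, recomputes that ranking from the anti-virus results matrix (transcribed here from the page's table) and also lists which test spies no product caught, which the summary hides; the anti-spyware matrix with its "+"/"-" cells can be fed through the same functions.

```python
# Added example, not part of the original article: recompute the article's
# summary ranking from a results matrix. AV_RESULTS is transcribed from the
# page's anti-virus table; "no" is a miss, any other cell is a detection name.
from collections import defaultdict
TEST_SPIES = ["K1", "K2", "K3", "K4", "K5", "K6", "K7", "K8", "K9"]

AV_RESULTS = """\
AntiVir; no; no; no; Heuristic/Trojan.Keylogger; no; Heuristic/Trojan.Keylogger; no; no; no
Avast; no; no; no; no; no; no; no; no; no
AVG; no; no; no; no; no; no; no; no; no
Avira; no; no; no; Heuristic/Trojan.Keylogger; no; Heuristic/Trojan.Keylogger; no; no; no
BitDefender; no; no; no; no; no; no; no; Generic.Malware.SLM.10535C5E; no
CAT-QuickHeal; no; no; no; Monitor.KeyLogger.i (Not a Virus); no; no; no; Monitor.BFK.11 (Not a Virus); no
ClamAV; no; no; no; no; no; no; no; no; no
DrWeb; Trojan.KeyLogger.342; no; no; no; no; no; no; no; no
eTrust-Iris; no; no; no; no; no; no; no; no; no
eTrust-Vet; no; no; no; no; no; no; no; no; no
Fortinet; no; no; no; no; no; no; no; Keylog!tr; no
F-Prot; no; no; no; no; no; no; no; no; no
Ikarus; no; no; no; no; no; no; no; no; no
Kaspersky; no; no; no; not-a-virus:Monitor.Win32.KeyLogger.i; no; no; no; not-a-virus:Monitor.Win32.BFK.11; no
McAfee; no; no; no; no; no; no; no; Keylog.gen; no
NOD32v2; no; no; no; no; no; no; no; probably unknown NewHeur_PE virus; no
Norman; no; no; no; no; no; no; no; no; no
Panda; no; no; no; no; no; no; no; no; no
Sophos; no; no; no; no; no; no; no; no; no
Symantec; no; no; no; no; no; no; no; no; no
TheHacker; no; no; no; no; no; no; no; no; no
VBA32; Trojan.KeyLogger.342; no; no; no; no; no; no; no; no
"""

def parse_matrix(text):
    """Return {product: [cell per test spy]} from ';'-separated rows."""
    rows = {}
    for line in text.strip().splitlines():
        product, *cells = [c.strip() for c in line.split(";")]
        if len(cells) != len(TEST_SPIES):
            raise ValueError(f"{product}: expected {len(TEST_SPIES)} cells")
        rows[product] = cells
    return rows

def detected(cell):
    """A cell is a hit unless it carries one of the page's miss markers."""
    return cell.lower() not in ("-", "no")

def detection_rate(cells):
    """Percentage of test spies detected, rounded as in the summary table."""
    return round(100 * sum(map(detected, cells)) / len(cells), 2)

def rank(rows):
    """Group products by rate, best first: the article's summary ranking."""
    groups = defaultdict(list)
    for product, cells in rows.items():
        groups[detection_rate(cells)].append(product)
    return [(rate, sorted(groups[rate])) for rate in sorted(groups, reverse=True)]

def missed_by_all(rows):
    """Test spies that no product in the matrix detected."""
    return [spy for i, spy in enumerate(TEST_SPIES)
            if not any(detected(cells[i]) for cells in rows.values())]
```

For the anti-virus matrix alone, `missed_by_all` returns K2, K3, K5, K7 and K9: five of the nine compiled samples were invisible to every scanner listed, which is the signature-base blind spot the article argues about.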

Key Findings

The results of the test surprised even the testers themselves, because:

  • The test spies were made from the source code of keyloggers which are freely available on the Internet. Compiling such a spy requires only basic programming knowledge, so many people are capable of it.
  • The testing results clearly showed that, generally, anti-virus and anti-spyware products cannot counteract the stealing of confidential information if information-stealing programs are included into viruses. Unfortunately, the number of them is constantly rising.

PrivacyKeyboard, a product from Information Security Center Ltd. (http://www.security-ukraine.com), took first place, which may be due to the fact that it doesn't apply signature analysis at all. It is a dedicated product for blocking information-stealing programs and modules, both known and unknown. It is focused on preventing information capture, so it overlooks adware and other less dangerous but irritating programs.

Second place was shared by 5 programs, which managed to block 2 out of 9 test spies: TrueWatch (Esaya, Inc.), AntiVir (H+BEDV), Avira (AVIRA Desktop), CAT-QuickHeal (Cat Computer Services), Kaspersky Anti-Virus Personal Pro (Kaspersky Lab).

10 products which detected only 1 test spy out of 10 took third place.

The other 28 products detected none (!).

Everybody is welcome to repeat the testing; we are sure the results will be similar. Source code of numerous keyloggers is available on the Internet, and compiling a custom-made test spy isn't too difficult even for a novice in programming. Everybody is welcome to check the accuracy of the testing with other test spies. It would also be very useful if somebody performed such testing on computers with other operating systems and architectures.

04.2005