Anti-Spyware: Efficiency of the Means of DefenseMykola Krasnostup, Dennis Kudin
Cybercrime is growing rapidly, and now the crucial question is whether anti-spyware and anti-viruses are capable of protecting users' confidential information from programs, specially created for stealing it?It is the efficiency of this protection that determines whether e-commerce and online financial transactions will thrive in future. In fact, their very existence could be put at risk by cybercrime.
Identity theft Internet makes online buyers more cautious and less active, security experts say. In other words, spyware harms consumers' trust to the Web.
For example, Webroot's report "State of Spyware" for Q3 2005 (http://www.webroot.com/resources/archive/pr/0511-SoSq3top10.html), states that the number of information-stealing programs is growing, and so is the threat for the Internet users.
Consumer Reports research for Q3 2005 shows that 86% of users have made at least one change in their online behavior in fear of losing information about their identities, 30% spend less time in the Internet, 53% ceased to provide their personal information in the Web, 25% don't buy online anymore and 29% of those who still buy, do it more rarely.
It is efficiency of data protection that we made the only criterion in our comparative study. Moreover, we tested how anti-spyware and anti-viruses perform against the most dangerous information-stealing software, i.e. the very kind of programs which cybercriminals use to steal confidential information.
The method we used for the testing is simple enough to apply. Even a user not very experienced in programming can do this testing himself - and the results will be the same.
Having studied the situation at the security software market for years, we came to the conclusion that it is necessary to perform our own testing of anti-spyware and make the results public. The reasons for doing so were the following:
- Though various anti-spyware reviews constantly appear in the Internet, criteria of these testings vary, and so do methods of their results' evaluation. That is why top position in such lists doesn't guarantee that these products are the most efficient in protecting sensitive information from theft. For example, the basic criterion for most testings usually is the number of spyware signatures in a product's database. The problem is that there exist lots of products which signatures are not there - and sometimes will never be in any signature base. (These programs are described below in more detail.)
- Even if during a test one program has detected and blocked 10 pieces of spyware out of 10, and another one has managed only 7 out of 10, it doesn't mean the first program will 100% protect users' private information.
Most of experts consider spyware any program that transmits information from a user's PC to the third party without the user's knowledge or consent, whatever the information. There is no way of finding out what a piece of "spyware" detected during the test was: relatively innocuous code for gathering users' browsing habits - or extremely dangerous software created specially for identity theft or espionage.
- It is criteria of evaluation that determine the result of some testings. Among these criteria can be programs' capability of closing popup ads, design of interface.
- As any marketing specialist knows, the most widespread product is not always the best one. Much depends on advertising, particularly on the money spent on the product's promotion.
The aim of the testing was:
- To evaluate software which is supposed to protect critical information from stealing, using real efficiency of this protection as the main criterion. The testing simulates the situation when a computer is infested with the most dangerous kind of spyware - custom-made keyloggers, which cybercriminals use to steal information. Everybody can take source code of keylogging programs from the Internet and compile an entirely new "spy" which no product based on signature analysis will detect.
- To check efficiency of heuristic algorithms, which most anti-virus and anti-spyware vendors proclaim they apply for detecting spyware.
The grounds for developing our testing method were the following:
The number of publications about such kind of cybercrime as stealing confidential information by means of spy software and means of protection against them has skyrocketed in the last couple of years.
In the report "The proactive approach to data protection against modern spy software" (http://bezpeka.com/en/lib/antispy/anot2868.html) we already stressed that the type of programs called System Monitors (according to the classification from SpyAudit) are especially dangerous. To System Monitors belong such programs as keyloggers and more advanced keylogger-based programs, which can intercept not only keystrokes (in user mode and in kernel mode), but also capture text from application windows and clipboard contents, make screenshots, etc.
It is the very kind of software we call "spy programs"; we do not include here any kind of adware. The reason is that the consequences of a keylogger attack and those of a piece of adware are incommensurable.
System Monitors become more and more dangerous, becoming the main threat. It is confirmed by numerous articles, surveys by Webroot, Earthlink SpyAudit, documents of Anti-Spyware Coalition (http://www.antispywarecoalition.org) and other organizations which deal with this matter.
To read more about our classification of spy programs, see "The proactive approach to data protection against modern spy software"
Anti-Spyware Coalition recently released the document named Risk Model Description (http://www.antispywarecoalition.org/documents/RiskModelDescription.htm), based on behavioral patterns of a program. Among other risk factors, the following ones are considered "high risk": Replication behavior (mass-mailing, worming, or viral); Installation without users' explicit permission or knowledge, drive-by installation, use of a security exploit; storage and transmission of personally identifiable data without notice and consent. Moreover, a program's behavior is of high risk, if it disables security software and lowers security settings in the browser, application, or operating system. Anti-Spyware Coalition hopes that its classification will yield in development of anti-spyware products of higher quality.
How a user can really protect his PC against spy programs?
It is possible only by means of a combination of software products which consists of:
- Software Product #1 - this is a dedicated product focused on protection against information-stealing programs, based on heuristic mechanisms. It provides constant protection and does not use a signature base, which means it will protect against custom-made spy programs.
- Software Product #2 - this is anti-virus software product to protect against a wide range of adware and spyware; its signature base should be regularly updated.
- Software Product #3 - a personal firewall controlling access to the Internet from the personal computer on the basis of policies set by the user himself.
These products should be used together, because:
Antivirus product responds to the penetration of a keylogger-containing virus when the information has already been captured since the anti-virus base has not been enlarged by new information yet and correspondingly was not updated in the user's computer.
Personal Firewall asks too many questions - even a well-trained user can answer them incorrectly and ill-configure it. For example, some commercial monitoring programs use processes of program products with knowingly permitted access to the Internet (browsers, mail clients, etc.) As a rule the user must permit them accessing the Internet. And as the result: the information stolen, because the anti-virus program failed to prevent it, and will be sent to the Internet to the address preliminary specified by the hacker (or some other person).
And only the product of the first type works silently, asking the user no needless questions and performs its task constantly in the background.
But do all users install at least existing products to protect their computers? Not everybody, experts say. According to the survey by AOL and National Cyber Security Alliance (NCSA), 81% of PCs lacks at least one of the recommended means of defense, namely a firewall, an anti-virus product and an anti-spyware application. 56% of consumers' PCs have no antivirus at all or haven't updated it for more than a week. Misconfigured firewalls were found on 44% PCs. The same 44% have no anti-spyware product installed. (http://bezpeka.com/ru/news/2005/12/08/5221.html).
How efficient the existing anti-spyware applications are and whether a top-rated product will protect information against theft - these questions are of crucial importance now. The existing methods of testing most of the ratings are based on, do not take into account the very possibility of protection against programs, which are yet unknown to anti-spyware developers, particularly custom-made spyware. The most important criterion in such studies is usually the number of signatures in the signature database. This number means the number of variants of spyware which the product with this signature base can detect. Only programs from the signature base are recognized; all other spy programs will be running unnoticed and unstopped.
The problem is that there is good deal of people capable of creating something brand-new spy, which will not appear in any signature base. It takes about several days to write a simple keylogger, and even a novice in programming can manage it. Those who can't write a program himself can download source code from the Internet and change it a bit, making a new spy program.
The method of testing
Considering the points mentioned above, we applied different approach to comparative testing of spyware. On the one hand, it is so simple that one needn't be an expert to do this testing himself - and make sure the results are the same.
On the other hand, this method clearly shows whether popular anti-spyware products can really protect users' critical information from theft.
The testing was performed as follows:
- Key Logger by Jerome Scott II (K1)
- KeyLoggerMore_Sample (K2)
- try_wnd1 (K3)
- KEYLOGGER (K4)
- KEY LOGGER, ENREGISTREMENT CRYPTЙ + DЙCODEUR (K5)
- SIMPLE PETIT KEYLOGGER (K6)
- TOUCHES DE CLAVIER EN SIMULTANNЙ (HOOK) (K7)
- Best Free Keylogger (BFK) (K8)
- Simple Python Keylogger for Windows (K9)
Then we compiled source code of these keyloggers and got keyloggers which were used as test-spies for testing popular anti-spyware and anti-virus programs.
The testing was performed on computers with fully updated operating systems Windows XP Professional SP2 and Windows 2000 SP4, based on 32-bit Intel architecture.
For the testing we chose 22 world-known anti-spyware products which are included in most Internet ratings of this kind:
We tested anti-viruses as well as anti-spyware, because most anti-virus vendors declare that their products fight spyware as well. That is why the separate test of anti-virus products was carried out - by means of the same test-spies.
For the testing we chose 22 world-known anti-virus products which appear in most Internet ratings (we used http://www.virustotal.com for our testing):
|Product name||Developer's URL||Developer||Version||Update|
|Avast||http://www.avast.com/||ALWIL (Avast! Antivirus)||4.6.695.0||12.22.2005|
|Avira||http://www.avira.com/||AVIRA (AVIRA Desktop)||126.96.36.199||12.23.2005|
|CAT-QuickHeal||http://www.quickheal.co.in/||Cat Computer Services (Quick Heal)||8||12.21.2005|
|DrWeb||http://www.drweb.com/||Doctor Web, Ltd. (DrWeb)||4.33||12.23.2005|
|eTrust-Iris||http://www.ca.com/||Computer Associates (Iris, Vet)||188.8.131.52||12.23.2005|
|eTrust-Vet||http://www.ca.com/||Computer Associates (Iris, Vet)||184.108.40.206||12.23.2005|
|F-Prot||http://www.f-prot.com/||FRISK Software (F-Prot)||3.16c||12.22.2005|
|Ikarus||http://www.ikarus.at/||Ikarus Software (Ikarus)||0.2.59.0||12.23.2005|
|Kaspersky||http://www.kaspersky.com/||Kaspersky Lab (AVP)||220.127.116.11||12.23.2005|
|NOD32v2||http://www.nod32.com/||Eset Software (NOD32)||1.1335||12.22.2005|
|Norman||http://www.norman.com/||Norman (Norman Antivirus)||5.70.10||12.23.2005|
|Panda||http://www.pandasoftware.com/||Panda Software (Panda Platinum)||8.02.00||12.22.2005|
|Symantec||http://www.symantec.com/||Symantec (Norton Antivirus)||8||12.23.2005|
|TheHacker||http://www.hacksoft.com.pe/||Hacksoft (The Hacker)||5.9.1.060||12.21.2005|
The results of the testing
The testing results for anti-spyware:
|AntiSpy Product \Test Spy||K1||K2||K3||K4||K5||K6||K7||K8||K9|
|Ad-aware SE Pro||-||-||-||-||-||-||-||-||-|
|BPS Spyware Remover||-||-||-||-||-||-||-||-||+|
|Maxion Spy Killer||-||-||-||-||-||-||-||-||-|
|Spy Cleaner Gold||-||-||-||-||-||-||-||-||-|
|Spybot Search & Destroy||-||-||-||-||-||-||-||-||-|
|Spyware Be Gone||-||-||-||-||-||-||-||-||-|
The testing results for anti-viruses:
|AntiVirus Product \ Test Spy||K1||K2||K3||K4||K5||K6||K7||K8||K9|
i (Not a Virus)
11 (Not a Virus)
The products' performance against custom-mage spy programs:
The results of the test surprised even the testers themselves, because:
- The test-spies were made of the source code of keyloggers which are freely available from the Internet. Compiling such a spy requires only basic knowledge in programming; so many people are capable of making it.
- The testing results clearly showed that, generally, anti-viruses and anti-spyware cannot counteract stealing confidential information if information-stealing programs are included into viruses. Unfortunately, the number of them is constantly rising.
PrivacyKeyboard, product from Information Security Center Ltd. (http://www.security-ukraine.com), got the first place, which can be due to the fact that it doesn't apply signature analysis at all. This is a dedicated product for blocking information-stealing software programs and modules, both known and unknown. It is focused at preventing information capturing, so it overlooks adware and other not so dangerous but irritating programs.
The second place shared 5 programs, which managed to block 2 out of 9 test spies: TrueWatch (Esaya, Inc.), AntiVir (H+BEDV), Avira (AVIRA Desktop), CAT-QuickHeal (Cat Computer Services), Kaspersky Anti-Virus Personal Pro (Kaspersky Lab).
10 products which detected only 1 test-spy out of 10 got the third place.
Other 28 products detected none (!).
Everybody is welcome to do the same testing; we are sure the result will be similar. Source code of numerous keyloggers is available from the Internet, and compiling a custom-made test spy isn't too difficult even for a novice in programming. Everybody is welcome to check the accuracy of the testing with other test spies. It will be also very useful if somebody performs such a testing using computers with other operating systems and architecture.
- 29.09.2015 | 17:20 Malvertising Crooks Turn Up in Google Search Results
- 29.09.2015 | 17:19 US and China Agree Cyber Deal
- 29.09.2015 | 17:18 20-day patching gap puts many firms at risk of cyber attack, study shows
- 29.09.2015 | 17:17 Microsoft will let business users opt out of Windows 10 tracking
- 29.09.2015 | 17:11 Arabic Threat Group Targets IT, Incident Response Teams
- 29.09.2015 | 17:10 Medical devices vulnerable to hackers