According to an analysis conducted by the AV-Comparatives test lab on behalf of The H's associates at heise Security, fewer than half of the 22 anti-virus programs tested protect users against the currently circulating Java exploit, which targets a highly critical vulnerability in Java version 7 Update 6.
Two versions of the exploit were tested: a basic version, largely based on the published proof of concept, that launches Notepad instead of the calculator, and a second variant to which heise Security added a download routine that fetches an EXE file from the internet and writes it to disk. The test system ran Windows XP. With the exception of Avast, Microsoft and Panda, the full versions of the security suites were installed; for those three vendors the researchers used the free versions of the products.
Only 9 of the 22 tested products blocked both variants of the exploit (Avast Free, AVG, Avira, ESET, G Data, Kaspersky, PC Tools, Sophos and Symantec). Twelve virus scanners failed to block the exploit (AhnLab, Bitdefender, BullGuard, eScan, F-Secure, Fortinet, GFI-Vipre, Ikarus, McAfee, Panda Cloud Antivirus, Trend Micro and Webroot). Microsoft's free Security Essentials at least managed to block the basic version.
Keep in mind that fake antivirus software is software created to trick the user into "protecting their PC" while in fact installing more malware or attempting to steal their identity or credit card details. It is a kind of trojan: a program that appears to do one legitimate thing while doing something malicious in the background. All of these are scams, and they are dangerous to your identity.
Typically, fake antivirus software installs itself, usually via trojans delivered through browser plugin exploits, and then begins "scanning" your computer for malware. As it scans, it reports non-existent threats; some fake antivirus programs install real malware first and then "detect" it. When the scan finishes it presents a list of results and tells you to upgrade in order to remove them. The upgrade costs money, and you are required to pay before the "threats" are removed. Most of the time the rogue program will not let you uninstall it, at least not until you pay. Holding the machine hostage for payment in this way is a form of ransomware (often called scareware).
The following are the Fake Antivirus variants that Mac users will see (in order of how commonly they infect machines):
Defense-in-depth is a security strategy that provides multiple layers of protection for a network. An attacker has to defeat several independent controls before gaining access, so no single failure is enough on its own; the idea is that the attacker gives up before getting very far.
We've provided a few tips on building a defense-in-depth strategy (these work for home or small business):
- Virtual Private Network – A VPN encrypts all traffic between your network and the VPN provider, so it cannot be read by anyone on the path in between (your ISP, a public Wi-Fi operator, a local eavesdropper). It is a good first layer for protecting data in transit, but note what it does not do: it does not stop malware or exploits, and a drive-by download arrives just as easily through the tunnel. Many services offer VPN access for as little as $5 USD per month: StrongVPN – WiTopia – overplay. To protect the whole network you need a VPN-capable router; otherwise install the provider's client on each device.
- Network Firewall – Enable your router's firewall to block unsolicited inbound connections.
- Install antivirus software and a host firewall – See a list of the best antivirus/anti-malware software
- Install a second-opinion anti-malware scanner – Malwarebytes' Anti-Malware Pro or HitMan Pro.
- Use a strong, unique password for every device and online account.
- Encrypt your files. Use BitLocker or a similar full-disk encryption tool.
There is no perfect defense-in-depth strategy, but hopefully this will work out for you!
As organizations move malware analysis into virtual machines, that approach is beginning to fail. The biggest problem with testing malware in virtual machines and similar sandboxes is that much malware now includes a component that recognizes a virtual environment. It checks what environment it is running in and, if it finds an analysis system, stays dormant or behaves benignly so that analysts and researchers cannot observe what it really does.
Businesses can also use virtual environments to reconstruct how a threat entered their network, which vulnerabilities it used, and so on.
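To make the "recognizes a virtual environment" check concrete, here is an added example (written for this page, not code from the article or from any malware sample) of the kind of artifact lookup such a component performs. It keys on two things a hypervisor leaves behind: the OUI prefix of the virtual NIC's MAC address (the prefixes below are the vendors' publicly registered ones) and the SMBIOS/DMI vendor and product strings, which on Linux are readable under /sys/class/dmi/id. The function names (`vendor_from_mac`, `vendor_from_dmi`, `detect_vm`) and the list of markers are assumptions chosen here; the same lookup is what an analyst runs on a sandbox to see which artifacts need hiding.

```python
import uuid

# OUI (first three bytes of the MAC) prefixes that hypervisors assign to
# their virtual NICs. These are the vendors' publicly registered OUIs.
VM_MAC_OUIS = {
    "00:05:69": "VMware",
    "00:0c:29": "VMware",
    "00:1c:14": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM",
    "00:16:3e": "Xen",
}

# Substrings hypervisors leave in the SMBIOS/DMI vendor and product strings.
# (Assumed marker list for this example; a real check would be longer.)
VM_DMI_MARKERS = {
    "vmware": "VMware",
    "virtualbox": "VirtualBox",
    "innotek": "VirtualBox",
    "qemu": "QEMU/KVM",
    "kvm": "QEMU/KVM",
    "virtual machine": "Hyper-V",
    "xen": "Xen",
    "parallels": "Parallels",
}


def vendor_from_mac(mac):
    """Map a MAC (int as returned by uuid.getnode(), or 'aa:bb:cc:..' text) to a hypervisor vendor."""
    if isinstance(mac, int):
        mac = ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    oui = mac.lower().replace("-", ":")[:8]
    return VM_MAC_OUIS.get(oui)


def vendor_from_dmi(text):
    """Map one DMI/SMBIOS string to a hypervisor vendor, or None if it looks like real hardware."""
    low = text.lower()
    for marker, vendor in VM_DMI_MARKERS.items():
        if marker in low:
            return vendor
    return None


def read_dmi_strings():
    """Linux only: read the SMBIOS strings exposed via sysfs. Returns [] on other platforms."""
    out = []
    for name in ("sys_vendor", "product_name", "board_vendor", "bios_vendor"):
        try:
            with open(f"/sys/class/dmi/id/{name}") as f:
                out.append(f.read().strip())
        except OSError:
            pass
    return out


def detect_vm(mac=None, dmi_strings=None):
    """Return a list of (evidence, vendor) pairs; with no arguments it inspects the running host."""
    mac = uuid.getnode() if mac is None else mac
    dmi_strings = read_dmi_strings() if dmi_strings is None else dmi_strings
    hits = []
    vendor = vendor_from_mac(mac)
    if vendor:
        hits.append(("mac-oui", vendor))
    for s in dmi_strings:
        vendor = vendor_from_dmi(s)
        if vendor:
            hits.append((f"dmi:{s}", vendor))
    return hits


if __name__ == "__main__":
    found = detect_vm()
    print("virtual environment detected:" if found else "no hypervisor artifacts found:", found)
```

Malware that finds any hit simply exits or runs a harmless decoy path. The defensive takeaway is the mirror image: a sandbox that wants to see real behaviour changes the virtual NIC's MAC to a non-hypervisor OUI and overrides the DMI strings, so that none of these lookups return anything.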
Hackers and malicious code authors have many ways of evading antivirus products:
- Re-encrypting the malware file for every download (server-side polymorphism) – for example, the download link on the website stays the same, but the server sends a freshly encrypted copy on each request, so every victim receives a file with a different hash and no fixed byte signature.
- Testing large numbers of candidate files against many antivirus engines to find out which variants are detected least, or not at all, before releasing them.
- Packing and encrypting the malware file so the antivirus engine has to unpack it (or emulate the unpacker) before it can inspect the real payload.
And many more…
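As an added illustration of the first and third techniques in the list above (example code written for this page, not anything from the article or from a real packer): a toy "packer" that XOR-encodes a constructed, harmless payload under a random key. The names `pack`, `unpack`, `serve_download`, `naive_scan` and `unpacking_scan`, the `XP01` header and the `MALWARE-MARKER-7F3A` signature are all hypothetical and chosen here. Two downloads from the same "URL" get different hashes, a signature scan over the raw download misses, and the same signature hits once the scanner unpacks first, which is exactly why the engine has to unpack before it can check.

```python
import hashlib
import os

# Constructed stand-in for a static byte signature an AV engine would match on.
SIGNATURE = b"MALWARE-MARKER-7F3A"
# Constructed "payload": harmless text that happens to contain the signature.
PAYLOAD = b"@echo off\r\nrem " + SIGNATURE + b"\r\necho hello from the dropper\r\n"

MAGIC = b"XP01"   # hypothetical container header for this toy packer
KEY_LEN = 16


def xor(data, key):
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload, key=None):
    """Toy packer: header + key + XOR body. A real packer ships a decoder stub instead of the key."""
    key = os.urandom(KEY_LEN) if key is None else key
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    return MAGIC + key + xor(payload, key)


def unpack(blob):
    """Reverse pack(); raises if the container header is missing."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a packed file")
    key = blob[len(MAGIC):len(MAGIC) + KEY_LEN]
    return xor(blob[len(MAGIC) + KEY_LEN:], key)


def serve_download(payload=PAYLOAD):
    """Server-side polymorphism: the URL never changes, but every request gets a fresh encoding."""
    return pack(payload)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def naive_scan(blob):
    """Signature match on the bytes exactly as downloaded."""
    return SIGNATURE in blob


def unpacking_scan(blob):
    """Same signature, applied after unpacking whenever the container format is recognised."""
    if blob.startswith(MAGIC):
        try:
            blob = unpack(blob)
        except ValueError:
            pass
    return SIGNATURE in blob


if __name__ == "__main__":
    first, second = serve_download(), serve_download()
    print("same URL, two downloads, hashes differ:", sha256(first) != sha256(second))
    print("naive scan:", naive_scan(first), "| unpacking scan:", unpacking_scan(first))
```

The two scans show the asymmetry the list describes: a hash blacklist or raw signature is defeated for free by re-keying, while the engine that recognises the container and unpacks it catches every copy with a single signature. Real packers make the unpack step harder by shipping a custom decoder stub rather than a plain key, which is why engines emulate execution rather than rely on a list of known formats.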
So what is the lesson here? First, it is a good idea to have proper protection for the entire server network in the business (see the bottom of this post). Second, if a virtual environment does not successfully run the malware, you should test it on a live test box: a dedicated physical machine set aside for testing and not connected to the business network.