Spyware Warrior

[fcukdat]

Hello people I would like to share with you the results of some software testing i've undertaken as a result of a new line of "thinking" recently

This comes down to the definition of malware and malware detections as of todays date 22/2/06

Well new netizens might easily believe the following logic

Anti Virus kills Virii&worms etc

Anti trojan goes after Trojans quite possibly

and antispyware shoots down spyware/adware

right ?

Well wrong actually because there all beginning to overlap each other at a rapid rate of knots,its been happening for sometime now and as a community we need to except some home truths

I have a pot of '100' assorted specimens of malware that i've harvested from the darkest corners of the web.
Malware that can be defined as different types of the following>>>
trojans,worms,virii,trackwares,adwares,password stealers,foistware etc
Generally stuff you do not want on your computers

Remembering that detecting malware does'nt always equate to removing malware but at least if a software gives you a "head's up" you can the address the issue so the following tests are based on purely detection of a malware file and not stopping/removal.

With that i've selected a some current popular software's(mix of free and subscription based) to download onto my Pc to pit their detection databases against my pot of misery on my 'puter

Free Anti Spywares>>>

SpyBot-Search_&_Destroy =6/100



AdawareSe =14/100



Windows AS Beta* 34=/100

*Same database definitions as WindowsDefender Beta



Subscription Anti Spywares>>>

CounterSpy =38/100





SypSweeper =30/100



SpywareDoctor =37/100




PestPatrol =10/100



Free AntiTrojan>>>

a2 =50/100



Subscription Anti trojan>>>

Ewido =72/100



TrojanHunter =40/100




Free online AV scanner>>>

Kaspersky AV online scanner =75/100



Free AV softwares>>>

Avast =41/100




AVG =47/100



Well the results speak for themselve's as far as detections go and for the benefit of all here is a copy of the Kaspersky scan log

KASPERSKY ON-LINE SCANNER REPORT
Sunday, February 26, 2006 2:54:48 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 26/02/2006
Kaspersky Anti-Virus database records: 167890


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target Folders
C:\100 malwares\

Scan Statistics
Total number of scanned objects 102
Number of viruses found 54
Number of infected objects 75
Number of suspicious objects 0
Duration of the scan process 00:00:18

Infected Object Name Virus Name Last Action
C:\100 malwares\malware\1.wmv Infected: Trojan-Downloader.WMA.Wimad.d skipped

C:\100 malwares\malware\adload.exe Infected: Trojan-Downloader.Win32.Adload.l skipped

C:\100 malwares\malware\Backdoor.exe Infected: Trojan.Win32.Crypt.e skipped

C:\100 malwares\malware\bagle.exe Infected: Email-Worm.Win32.Bagle.ai skipped

C:\100 malwares\malware\csht.exe/complete_set_hacking_tools+manuals/hacking_tools/hvlscan.zip/UHANFO.EXE Infected: Trojan.DOS.ControlDuSockets.a skipped

C:\100 malwares\malware\csht.exe/complete_set_hacking_tools+manuals/hacking_tools/hvlscan.zip Infected: Trojan.DOS.ControlDuSockets.a skipped

C:\100 malwares\malware\csht.exe/complete_set_hacking_tools+manuals/hacking_tools/wingatespoof_hlp.zip/UHANFO.EXE Infected: Trojan.DOS.ControlDuSockets.a skipped

C:\100 malwares\malware\csht.exe/complete_set_hacking_tools+manuals/hacking_tools/wingatespoof_hlp.zip Infected: Trojan.DOS.ControlDuSockets.a skipped

C:\100 malwares\malware\csht.exe/complete_set_hacking_tools+manuals/hacking_tools/Haktek.exe Infected: HackTool.Win32.Haktek.11 skipped

C:\100 malwares\malware\csht.exe ZIP: infected - 5 skipped

C:\100 malwares\malware\cyrpt.exe Infected: Trojan.Win32.Crypt.e skipped

C:\100 malwares\malware\FT_SilentSudokuInstaller.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped

C:\100 malwares\malware\FT_SilentSudokuInstaller.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped

C:\100 malwares\malware\FT_SilentSudokuInstaller.exe NSIS: infected - 2 skipped

C:\100 malwares\malware\gimmygames9.exe Infected: Trojan-Downloader.Win32.VB.ww skipped

C:\100 malwares\malware\HXDEF.EXE Infected: Trojan-Clicker.Win32.Delf.dm skipped

C:\100 malwares\malware\KeyGen.bat Infected: Trojan.BAT.FoldingHome skipped

C:\100 malwares\malware\keylogger3.exe/rinst.exe Infected: Trojan-Spy.Win32.Agent.f skipped

C:\100 malwares\malware\keylogger3.exe RAR: infected - 1 skipped

C:\100 malwares\malware\keylogger4.exe/Habbo Plus v3.0.exe/bpkhk.dll Infected: Trojan-Spy.Win32.Perfloger.w skipped

C:\100 malwares\malware\keylogger4.exe/Habbo Plus v3.0.exe Infected: Trojan-Spy.Win32.Perfloger.w skipped

C:\100 malwares\malware\keylogger4.exe RAR: infected - 2 skipped

C:\100 malwares\malware\kl1.exe Infected: Trojan-Spy.Win32.Small.dg skipped

C:\100 malwares\malware\loadadv728.exe Infected: Trojan-Downloader.Win32.Harnig.bb skipped

C:\100 malwares\malware\mc-110-12-0000118.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.p skipped

C:\100 malwares\malware\mc-110-12-0000118.exe NSIS: infected - 1 skipped

C:\100 malwares\malware\mqwkl.exe Infected: Trojan-Downloader.Win32.TSUpdate.p skipped

C:\100 malwares\malware\msshed32.exe Infected: Trojan-Downloader.Win32.Delf.ep skipped

C:\100 malwares\malware\netskyC.exe Infected: Email-Worm.Win32.NetSky.c skipped

C:\100 malwares\malware\password.exe/smssys.exe Infected: Backdoor.Win32.ServU-based skipped

C:\100 malwares\malware\password.exe/svcmgr.exe Infected: Backdoor.Win32.Iroffer.q skipped

C:\100 malwares\malware\password.exe RAR: infected - 2 skipped

C:\100 malwares\malware\Patch.exe Infected: Backdoor.Win32.Optix.b skipped

C:\100 malwares\malware\paytime.exe Infected: Trojan.Win32.StartPage.adi skipped

C:\100 malwares\malware\sdbot.exe Infected: Backdoor.Win32.SdBot.gen skipped

C:\100 malwares\malware\searchbar.exe Infected: Trojan-Downloader.Win32.VB.eu skipped

C:\100 malwares\malware\shell386.exe Infected: Trojan-Downloader.Win32.VB.vb skipped

C:\100 malwares\malware\stub.exe Infected: Trojan-Downloader.Win32.Small.asf skipped

C:\100 malwares\malware\tool2.exe Infected: not-virus:Hoax.Win32.Renos.bj skipped

C:\100 malwares\malware\toolbar.exe Infected: Trojan-Downloader.Win32.VB.vz skipped

C:\100 malwares\malware\trojan1.exe Infected: Email-Worm.Win32.VB.an skipped

C:\100 malwares\malware\trojan10.exe/setup.exe Infected: Trojan-Clicker.HTML.Agent.a skipped

C:\100 malwares\malware\trojan10.exe RAR: infected - 1 skipped

C:\100 malwares\malware\trojan11.exe Infected: Trojan.Win32.Zapchast.ad skipped

C:\100 malwares\malware\trojan13.exe/Setup_toolBar.exe Infected: Trojan-Downloader.Win32.IstBar.nj skipped

C:\100 malwares\malware\trojan13.exe RAR: infected - 1 skipped

C:\100 malwares\malware\trojan14.exe/setup.exe/stream Infected: Trojan-Downloader.Win32.IstBar.no skipped

C:\100 malwares\malware\trojan14.exe/setup.exe Infected: Trojan-Downloader.Win32.IstBar.no skipped

C:\100 malwares\malware\trojan14.exe RAR: infected - 2 skipped

C:\100 malwares\malware\trojan15.exe/data0001 Infected: Trojan-Downloader.Win32.IstBar.lu skipped

C:\100 malwares\malware\trojan15.exe/data0003 Infected: Trojan-Downloader.Win32.IstBar.nn skipped

C:\100 malwares\malware\trojan15.exe NSIS: infected - 2 skipped

C:\100 malwares\malware\trojan16.exe Infected: Trojan-Proxy.Win32.Small.ea skipped

C:\100 malwares\malware\trojan18.exe Infected: Trojan-Dropper.Win32.Delf.qf skipped

C:\100 malwares\malware\trojan19.exe Infected: not-virus:Hoax.Win32.Renos.az skipped

C:\100 malwares\malware\trojan20.exe Infected: Trojan-Dropper.Win32.Agent.agv skipped

C:\100 malwares\malware\trojan22.exe Infected: Backdoor.Win32.SdBot.gen skipped

C:\100 malwares\malware\trojan4.exe Infected: Trojan-Downloader.Win32.Tibs.cc skipped

C:\100 malwares\malware\trojan5.exe Infected: Trojan-Downloader.Win32.Tibser.c skipped

C:\100 malwares\malware\trojan6.exe Infected: Trojan.Win32.Agent.bi skipped

C:\100 malwares\malware\trojan7.exe Infected: Trojan.Win32.Agent.bi skipped

C:\100 malwares\malware\trojan9.exe Infected: Trojan.Win32.VB.aad skipped

C:\100 malwares\malware\Video.exe Infected: Trojan-Dropper.Win32.WinAD.h skipped

C:\100 malwares\malware\winsysban8.exe Infected: Trojan-Clicker.Win32.VB.lg skipped

C:\100 malwares\malware\worm1.exe Infected: Email-Worm.Win32.VB.an skipped

C:\100 malwares\malware\worm2.exe Infected: Email-Worm.Win32.VB.an skipped

C:\100 malwares\malware\worm3.exe Infected: Trojan-Dropper.Win32.VB.lu skipped

C:\100 malwares\malware\worm3.vbs Infected: Email-Worm.VBS.Gedza skipped

C:\100 malwares\malware\worm4.exe Infected: P2P-Worm.Win32.VB.dw skipped

C:\100 malwares\malware\worm5.exe Infected: P2P-Worm.Win32.Wupeer.a skipped

C:\100 malwares\malware\worm6.exe Infected: Email-Worm.Win32.NetSky.q skipped

C:\100 malwares\malware\worm7.exe Infected: P2P-Worm.Win32.VB.dh skipped

C:\100 malwares\malware\worm8.exe Infected: P2P-Worm.Win32.Krepper.c skipped

C:\100 malwares\malware\worm9.exe Infected: not-virus:BadJoke.Win32.VB.p skipped

C:\100 malwares\malware\xload.exe Infected: Trojan-Downloader.Win32.VB.wn skipped

Scan process completed.



*This maybe amateur hour and although some results seem duplicated the file size's/*hash No's varied and a scan using jotti revealed differnt malware titling by other major AV player's

Sidenote If anyone would like to have a copy of malware files for testing/research purposes then drop me a PM
_________________
Malware hunter....Got Bot ?

MIRT Handler >>>
http://www.castlecops.com/c55-MIRT.html

[trickyricky]

Thanks for doing that research and sharing the results with us, fcukdat.

A couple of observations:

Was Windows Defender really one of the best, percentage-wise, or should its 28/30 score really read 28/80?

What proportion of your festering pot of slimeware falls into each sub-category of malware? Eg: trojans 30%, adware 25&, and so on?

I'm not surprised that Kaspersky performed so well as it's a mature and refined product. However, my experience with AVs generally is that many nasties which are not viri per se are readily detected, but their success at removal on non-virus nasties is usually wanting.

I think I'll PM you for the devilish collection and test some apps myself, to add to your collection of results.

[fcukdat]

[EASTER]

[channi]

Thank you fcukdat for performing this test.

I can't believe how poorly Spybot Search & Destroy did!

I am very disappointed. I have made donations to their efforts in the past, and yet progress in improving it has remained very slow. I will wait to see real results before I make any more.

[Oldfrog]

[channi]

[Oldfrog]

[hornet777]

[channi]

[channi]

[Nick]

Something is not right if Spybot takes over 3 hours to scan. I can scan 250 Gigs in less than 30 minutes.

Yes, Spybot does use alot of system resources, but system resources is the number one reason why Win 98 is out of date.
_________________
Nick's Security Ticker

[EASTER]

KAV displays some very impressive! statistics on that run as does EWIDO which personally is my scanner of choice, very pleased with those results.

As concerns beta, Windows Defender looks to be showing some improvements?

Which of the above programs are also compatible with 98/Me systems?

I know some of you might argue differently but with the onset of HIPS programs, i no longer see any reason why Vendors would not consider addressing again those platforms. Just a personal notion of mine since mentioning 98/Me cannot be secured simply cannot in all honesty hold water anymore when running a SSM for one example.
_________________
*******************


THE FORCE IS VERY STRONG IN THIS FAMILY!

[fcukdat]

Well people i've got a cauldron of crud to test the scanners databases against.It now stands at 100 specimens and thats going to be the final test tally.

I'm going to edit my opening post within the next few days to show new/revised tests because i'm going to test additional softwares as well as retesting of original selection.

New software to be tested>>>

Anti-spyware
PestPatrol

Anti-virus
Avast
AVG

Anti-trojan
a2
TrojanHunter

And hopefully at some point(time allowing) i will post screenshots of Jotti's scan reports against the "100" for validation/hash referencing


*if anyone has any other softwares that they would like tested against the "100" drop me a PM/download link
_________________
Malware hunter....Got Bot ?

MIRT Handler >>>
http://www.castlecops.com/c55-MIRT.html

[Turtledove]

Many thanks for your efforts

[wawadave]

_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd

[Oldfrog]

[channi]

Oldfrog,

Thank you very much for the information. That was really helpful.

[Oldfrog]

Well, while I believe that the information presented is valid the conclusions are all mine so feel free to take pot shots at them. This also points out a fundamental difference between virus scanners and AS scanners.

AV products have typically had to detect single files with particular signatures unrelated to location and have done an excellent job over the years. As a real life example, I have a captive LOP installer sitting in a folder that I have called "Vault" and the only installed scanner currently detecting it is NOD32. I know that other products scan it because NOD32 alerts whenever they access it to do so.

AS products, on the other hand, can't target against single files but have to target against threats which typically involve a number of registry entries as well as both folders and files. These can actually run as applications and have a supporting set of files just like all the legitimate applications on the system. This makes for much more complicated signatures and I hestitate to think how long it would take to scan a system if every file were compared to a list of every file ever known to be installed as part of a threat.

This is probably an over simplification but at least illustrates differences in scanning technique. I actual practice there are combinations used and striking that balance undoubtedly has a lot to do with the effectiveness, or not, of any particular product.

[fcukdat]

Sorry for the delay....
Revised&test results coming soon after a snafu with AVG Auto-heal function taking out a percentage of nasties.Like i openly admit this is "Amateur hour" tests and you live and learn
Now the revised 100 test specimens are backed up on alternative storage.So with that there is still '100' malware files but not all the original 80 intact so results will vary as an outcome to this snafu

They are comfirmed malware by at least one or more of Jotti's databases.I believe the files are executed in a sandbox and scanned and are not statically scanned unlike these tests

Types of malware roughly fall under the following>>
Trojans = 51
Worms = 11
Keylogger = 4
Dialer = 1
Adware = 33

Oldfrog,initial results do pose some questions reguardless of detection methodology used by the test softwares.

All software's are being pitted against the same folder containing inactive malware.If you say that some scanners only detect running malware then there score should = 0 in all theories.If they only detect a small number then the question has to be why only detect some and not all in their database

FWIW if someone has a file containing a SDbot called "setup.exe" on their PC and it has not been executed.Is that file malware,dose it pose a risk to the persons Pc security ? Should it be expunged ?


Initial testing is suggesting that the AV's&AT's are trouncing the botkillers into the dust for static malware recognition

*unable to test a2 until i get my hands on an activation key(ISP related problem )

**Unable to retest WinDefender again due to a "0x80070663" error on attempted reinstall.Don't ya just love Beta software
_________________
Malware hunter....Got Bot ?

MIRT Handler >>>
http://www.castlecops.com/c55-MIRT.html

[fcukdat]

Hi all,sorted a work around for my last two problems.Final results are in for this bout of testing
Final test results>>>

a2 registration issue sorted by using there online scanner which is the same database as the software.

WindowsDefender install prooblem was not going to resolve in a hurry so i've downloaded the original MSAS beta and updated to the current definitions which are the same for both softwares
_________________
Malware hunter....Got Bot ?

MIRT Handler >>>
http://www.castlecops.com/c55-MIRT.html

[EASTER]

Pest Patrol checks in with an enemic 10? out of possible 100? Is the Rogue List still available?

No, seriously, that is one sad result indeed that borders on useless?

I will say this, very surprising results in those detections with some of them.

Still very impressed with the Ewido returns.
_________________
*******************


THE FORCE IS VERY STRONG IN THIS FAMILY!

[channi]

Thank you fcukdat! Great work.

I uninstalled Spybot S&D this evening, and I am going pay for my trial version of Ewido.

[channi]

In light of these test results do you think maybe the Trustworthy Anti-Spyware Products section of the rogue list page should be updated?

[fcukdat]

[Oldfrog]

[fcukdat]

[Oldfrog]

[channi]

Thank you fcukdat for your speedy reply, and thanks Oldfrog for your good info about this too.

Of course it is going to take me a while to digest it, and it will take even longer for me to catch up, if ever I can at all.

So much to learn!

My head hurts as it is now.


.

[herbalist]

[fcukdat]

Hey Channi don't worry,were all on learning curves and get those days where the sponge gets saturated

[EASTER]

[aigle]

I want to mention one thing, people do expect AV to detect other malware also buy they don,t expect Antispywares to catch typical viruses, that,s gob of AV. So if you want to check antispwares, you should include all other types of malware except typical AV. For me personally Kaspersky online scan results are surprising, I don,t think it can detect spywares more than any typical antispyware product.
_________________
Muhammad S Hameed

[Mrkvonic]

Hello,
A question fcukdat:

How much overlap is there?

How many threats were covered by let's say Ewido + Ad-Aware + Spybot + MSAS?

Maybe this is difficult to analyze, but it could be interesting.

Mrk

[fcukdat]

[Oldfrog]

I think that an additional factor is the fact that a malware installer, like a virus, is a single file that will normally have a well defined signature. A far different thing than an installed malware product with registry keys, folders/files, etc. Dectection of the installer is far simpler and if done immediately at the point of entrance renders the rest unnecessary. Since my AV is already checking the entry points and file openings for viruses it seems appropriate to me that it also check for installer signatures. I sure don't need yet another product with the same hooks watching the same events (yes, Rick, I am exempting rule-based HIPS from the discussion). I also don't want my AV definitions cluttered with the entire file trees installed by every species of malware.

[fcukdat]

[herbalist]

[hornet777]

Wow, me too, but now (with the big file sizes) I just make a multi-volume ZIP archive, and carry along a copy of PKZIP (DOS) in case I need it. Most of the rest of the stuff (other than boot disk) I just burn onto a CD these days.

[fcukdat]

well it just gose to show the bigger the database,oh er the bigger the update file....

Hang on,the more features,types of scanning surely equals more bloat and resource hogging

In that case effective&current definitions based software will continue to grow with the rate of the increase in malware
_________________
Malware hunter....Got Bot ?

MIRT Handler >>>
http://www.castlecops.com/c55-MIRT.html