When Antivirus Software Fails You: How to Stop (and Defeat!) a Real-World Trojan & Social Engineering Attack
It isn't every day you get to see what a real Trojan or Social Engineering attack looks like.
When you do, there's seldom time to even take screenshots: you just want to get the heck out of Dodge.
But this time, while putting together material for our upcoming free workshop, Get Secure, I came across a real attack and was able to record it.
If you've ever wondered what an attack looks like, here's your chance to see one.
Here's the best/worst part: nothing stopped it.
- Not our Internet Security Software.
- Not any of our browsers' built-in malware protection.
- Not even Windows 10 built-in security.
See for yourself how it happened and what you can do to stop it.
This weekend we heard from Judy, office manager for a small doctor's office, who wrote in asking,
"I'm on your mailing list, so I get your coupon deals when they come out. I saw one recently where almost everything was on sale. I didn't need a deal then, but I need one now (haha) and I don't know what to get. I'm office manager for a doctor's office.
"There are three physicians in the practice and a couple of nurses and lab techs, a billing person, plus me. About 9 people full-time.
"As if I don't have enough to do already (hahah), they asked me to research and upgrade the antivirus software we have now since ours that came on the computers when I bought them is about to expire.
"It was probably pretty dumb, but I didn't know any better and got all the computers at Best Buy since there's one really close to our office. At least it was easy.
"Wow. Sorry for so much detail. I'm totally dreading doing all this research. I'm so not a 'tech person.'
"Thanks for the help!!!
"P.S. I've got a small budget. Anything I don't spend on antivirus software I get to use to upgrade my tired printer, so I need cheap and good."
Here's my reply:
We've gotten a lot of good questions the past few days; this is a great one. Thanks.
For starters, forget about going to a store like Best Buy--or even Office Max--to renew your antivirus software. The retail stores sell home versions of the antivirus software. What you need is business or enterprise antivirus software.
(I can already hear some readers grumbling about my answer, but just keep reading, everything will be clear in a second.)
Fundamentally, home and enterprise antivirus software are exactly the same. They prevent, detect, and remove viruses (and other malware). Fine.
The big difference is that with business antivirus software you get centralized management, which you don't get with home antivirus software [1].
Here's the deal: when you're managing the antivirus software now, you have to walk from one computer to the next, asking the users if you can interrupt them and use their PC for a few minutes. Bleh. It's a pain in the neck.
With business antivirus software, you do everything from one place: your PC.
From your own desktop you can remotely manage the antivirus software on every PC on your network.
Got a malware issue popping up on one of the lab techs' PCs? You won't have to wait for them to tell you about it--you'll see it in the central management console on your computer.
The next biggest thing about business antivirus software is some manufacturers offer different support options for businesses than they do the average home user.
You may be able to get things like 24x7x365 support, priority phone queuing, and so on.
"Sounds great," you're saying, "Now how much does all this cost?! Think of my poor printer!"
No sweat... most antivirus software for businesses is comparable in price to its home/consumer version. What's the catch? All the A/V companies require a minimum of five users for you to qualify for their business version.
With nine users in your office, you easily qualify for business antivirus software.
So, how do you get it?
Easy. Contact us. We're available by phone, too, (1-800-297-5134) which is usually faster and easier for something like this.
In a couple of minutes we'll figure out your needs and what's the best enterprise antivirus software for your office--and get you prices.
Oh, and in case the thought crossed your mind, most antivirus software for business is almost as easy to set up as home software. There's usually a step or two more, but that's it.
And if you do get stuck, because it's enterprise-class software, you'll most likely be getting a different level of support than you're used to, so someone will help you with any snags you hit.
Chances are it'll go just fine though. You'll probably have more issues un-boxing and setting up that new printer you've been ogling. ;-)
[1] BitDefender Antivirus and BitDefender Internet Security home versions also include central management for up to five PCs. It really makes things easier for a multi-PC home, but it's not intended for use in a business.
"Other than using a real virus, which seems crazy to me, is there a way for me to test to make sure my antivirus software is actually working?"
Another great question! And another one of our most frequently asked ones, too.
Here's my reply:
Yes, there's actually a harmless little test file called "EICAR" that's designed to do just that.
As long as it's downloaded from the right place, it's completely benign. Its only purpose is to trigger an alert from your antivirus software. That's it.
The official site, and the only safe place to download it, eicar.org, describes EICAR as a
"...legitimate DOS program, [that] produces sensible results when run (it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!")."
We actually use EICAR ourselves when we take our screenshots of each antivirus program successfully detecting a virus.
(We don't use real viruses for our screenshots because we don't want overly curious visitors to, upon seeing real virus names, then go searching for those real viruses on the Internet to try for themselves.)
So, leave the real antivirus software testing to us, but use EICAR when you want to test that your A/V software is really working.
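One way to turn the EICAR advice above into a repeatable check, as an added example that is not part of the original post: the script below assembles the standard 68-byte EICAR string in memory, verifies it against the published checksums (the same checksums let you confirm that a copy downloaded from eicar.org is the real thing), writes it to a directory, and reports whether the on-access scanner removed it. The file name, the probe directory and the five-second settle time are assumptions chosen for illustration, not anything the post specifies.

```python
"""Probe whether on-access antivirus actually reacts to the EICAR test file.

Added example, not from the original post. It builds the EICAR string locally,
checks it against the published MD5/SHA-256, writes it to a directory and
reports what happened to the file. Path and wait time are assumptions.
"""
import hashlib
import os
import tempfile
import time

# The 68-byte EICAR test string, kept in two halves so that this source file
# is not itself flagged by scanners matching the full literal; joined, it is
# exactly the string published at eicar.org (no trailing newline).
_EICAR_PARTS = (
    r"X5O!P%@AP[4\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
)

# Published checksums of the canonical 68-byte file.
EICAR_MD5 = "44d88612fea8a8f36de82e1278abb02f"
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_bytes() -> bytes:
    """Return the canonical EICAR test string as bytes."""
    return "".join(_EICAR_PARTS).encode("ascii")


def checksums(data: bytes) -> dict:
    """Length, MD5 and SHA-256 of some bytes (e.g. a downloaded eicar.com)."""
    return {
        "length": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_canonical_eicar(data: bytes) -> bool:
    """True only for the exact published test file; use it on a downloaded
    copy too, since a mismatch means you did not get the real thing."""
    c = checksums(data)
    return (c["length"] == 68 and c["md5"] == EICAR_MD5
            and c["sha256"] == EICAR_SHA256)


def probe_on_access_scanner(directory: str, settle_seconds: float = 5.0) -> dict:
    """Write the test file and report what the scanner did with it.

    'blocked_on_write' or 'quarantined': the scanner reacted (good).
    'untouched': the file is still readable with the same bytes, so the
    scanner is off, not watching this path, or not scanning on access.
    """
    path = os.path.join(directory, "eicar_probe.com")  # assumed file name
    try:
        with open(path, "wb") as fh:
            fh.write(eicar_bytes())
    except OSError as exc:          # some scanners refuse the write itself
        return {"path": path, "status": "blocked_on_write", "detail": str(exc)}
    time.sleep(settle_seconds)      # give the on-access scanner time to act
    try:
        with open(path, "rb") as fh:
            survived = fh.read() == eicar_bytes()
    except OSError:                 # removed, locked or quarantined meanwhile
        survived = False
    if survived:
        os.remove(path)             # clean up after an 'untouched' result
    return {"path": path, "status": "untouched" if survived else "quarantined"}


if __name__ == "__main__":
    assert is_canonical_eicar(eicar_bytes())
    print(probe_on_access_scanner(tempfile.gettempdir()))
```

Run it once on each machine you manage; an "untouched" result on a box whose subscription was just renewed is exactly the silent failure the rest of this post warns about, and a file that does not match the published checksums should not be trusted as a test file at all.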
Got a question about antivirus software or PC security? Why not Ask the Experts?
Do you read reviews on other websites? Can you comment on your review technique vs. some other sites?
"Some sites appear to be more thorough in their reviews than others. I'm having a hard time deciding, given the very different ratings between your site and others I'm looking at.
"For example, you rate Vipre #1, another site puts it at #12 and a third site doesn't even mention it!
Grandma taught me when it comes to speaking about others, if you don't have something nice to say, you don't have anything to say.
Kidding aside, I can't speak too much about the testing methodology that the other sites use; I can tell you ours is better.
We have a repository of 500,000+ viruses, worms, trojans, rootkits, bootkits, keyloggers, spyware, adware, and every other type of malware under the sun. We test the software from soup to nuts and run it on: workstations/desktops, laptops, netbooks, and virtual machines.
Whereas a lot of other sites (not naming names, just stating fact) might test on one, or maybe two machines and/or may use a handful of viruses, we test with a huge sub-set of the 500,000 (and growing) sample set. Then, thanks to some special insight we get from our own email honeypots, we even test with fresh phishing and malicious websites when conducting the realtime part of our tests.
Beyond that, the biggest difference I can say between "us" and "them" is that our approach starts with a basic premise: break the software.
The virus writers are trying to, so why shouldn't we?
In contrast, the other sites aren't really ever doing that. Look closely at some of the other reviews. When there aren't any "cons" in a list of "cons," someone is getting conned.
I'll let you be the judge of whether or not reviews like these sound (even remotely) unbiased.
Now, have a look at our VIPRE and VIPRE Internet Security review.
We come out guns blazing with the downsides to VIPRE, and it's our Editor's Choice! The thing is: It's not perfect, no software is. And, we're honest about that in our review of it just like we are in all of our reviews.
Aside from that, the next thing I question in some other sites' testing is the small sample size of the malware they use.
Then, how easy is it to get relative comparative data from other sources about two products side-by-side?
In contrast, we have several ways, not the least of which are these two:
As for VIPRE being our top pick this year, if you read our reviews, aside from excellent detection and removal, you'll see the shining star of VIPRE is their tech support.
I've personally been back and forth with another company for a week now just to get them to honor Black Friday special pricing for some customers. First their links don't work. When the links work, they have a U.K. based sale support phone number on those web pages. When that's fixed, the coupons don't work. Oh, and that phone number is just for sales support, it's not actual tech support!
Now, don't misunderstand me, I'm not saying experiences like this are representative of support from this other company, I'm not. I'm just saying that in our various calls, chats, and emails to GFI for support with VIPRE Antivirus and VIPRE Internet Security, our experience is consistently good, and we don't get the runaround.
And the same goes for the (large) group of antivirus software users who we regularly survey. We ask them about their experience with their antivirus software and the companies behind them. Their answers give us the real scoop on what's happening between customers and each of the companies, and we take this into account in our reviews.
The bottom line?
We give assessments and ratings with candor. We're honest. We look at the big picture. We get real-world feedback from consumers. And we actually test the crap out of the software with real viruses, real worms, real trojans, and so on.
Earlier this month, security researchers at Matousec released details of research they've done that, they claim, bypasses 100% of antivirus software.
As you might imagine, there's quite a bit of concern about this, particularly among business users, especially now that mainstream media has started discussing the so-called KHOBE attack.
Let's dig into this a bit and see what's behind the hype.
What is KHOBE
It's an acronym for:
Put another way, it's a way for attackers to trick antivirus software. ZDNet's writer, Adrian Kingsley-Hughes, does a great job describing how this works here,
"The attack is a clever 'bait-and-switch' style move.
"Harmless code is passed to the security software for scanning, but as soon as it's given the green light, it's swapped for the malicious code.
"The attack works even more reliably on multi-core systems because one thread doesn't keep an eye on other threads that are running simultaneously, making the switch easier.
Kingsley-Hughes goes on to say,
Oh, and don't think that just because you are running as a standard user that you're safe, you're not. This attack doesn't need admin rights.
OK, now this is starting to sound like a pretty big deal.
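The bait-and-switch Kingsley-Hughes describes is a classic check-then-act (double-fetch) problem: the hook scans what is in the caller's buffer, the real service reads the buffer again, and anything swapped in between the two reads goes unscanned. The example below, added here and not taken from the post or from Matousec's research, models that in plain user-space Python with no kernel code: a deterministic stand-in for a concurrently rewritten buffer, the vulnerable hook that fetches twice, and the hardened hook that snapshots the argument once and acts on the same copy it scanned. All names (SharedBuffer, scan, hook_double_fetch, hook_snapshot) and the toy signature are invented for illustration.

```python
"""Check-then-act versus snapshot-then-act in a scanning hook.

Added example, not from the original post. It is a user-space model of the
double fetch behind the KHOBE bait-and-switch; no real SSDT or kernel hook
is involved, and every name here is made up for illustration.
"""
from typing import Callable, List, Sequence, Tuple


class SharedBuffer:
    """Memory that another thread could rewrite between two reads.

    Rather than a real race, the swap is modelled deterministically: each
    read() returns the next value in the sequence, standing in for a writer
    that replaces the contents between the scanner's read and the service's.
    """

    def __init__(self, successive_contents: Sequence[bytes]):
        self._contents = list(successive_contents)
        self.reads = 0

    def read(self) -> bytes:
        value = self._contents[min(self.reads, len(self._contents) - 1)]
        self.reads += 1
        return value


BLOCKLIST = (b"EVIL",)          # toy signature for the toy scanner


def scan(data: bytes) -> bool:
    """Return True when the data contains no blocked signature."""
    return not any(sig in data for sig in BLOCKLIST)


Hook = Callable[[SharedBuffer, List[bytes]], str]


def hook_double_fetch(buf: SharedBuffer, executed: List[bytes]) -> str:
    """Vulnerable pattern: scan the buffer, then let the service re-read it.
    Whatever is written in between the two reads is never scanned."""
    if not scan(buf.read()):            # fetch 1: what the scanner sees
        return "blocked"
    executed.append(buf.read())         # fetch 2: what actually gets used
    return "allowed"


def hook_snapshot(buf: SharedBuffer, executed: List[bytes]) -> str:
    """Hardened pattern: copy once, scan the copy, act on that same copy."""
    snapshot = buf.read()               # single fetch
    if not scan(snapshot):
        return "blocked"
    executed.append(snapshot)           # the service only ever sees scanned bytes
    return "allowed"


def demo(hook: Hook) -> Tuple[str, List[bytes]]:
    """Run a hook against a buffer that is swapped after the first read.
    Returns (verdict, what the service actually acted on)."""
    # Constructed input: harmless bytes for the first read, the swapped-in
    # payload for the second, i.e. the bait-and-switch from the article.
    buf = SharedBuffer([b"harmless.txt", b"EVIL payload"])
    executed: List[bytes] = []
    verdict = hook(buf, executed)
    return verdict, executed


if __name__ == "__main__":
    print("double fetch:", demo(hook_double_fetch))  # ('allowed', [b'EVIL payload'])
    print("snapshot:    ", demo(hook_snapshot))      # ('allowed', [b'harmless.txt'])
```

The design lesson is the one the vendors quoted later on this page are implicitly relying on: a hook that copies the argument into memory the caller cannot touch, scans the copy, and hands that same copy on has nothing for a swap to exploit, whichever table the hook was installed in.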
Mitigating Factors with KHOBE
Here's where things *do* start to become more positive though:
For each mitigating factor, here's what it means:
1. Requires a lot of code.
What it means: Makes it less-than-ideal for most attacks to work. Since this code has to somehow be transferred to your machine, its current size makes it more difficult to use as a mechanism to bypass security software.
2. The software has to already be on your computer.
What it means: Wha? Yes, that's right. From what the antivirus software vendors can tell thus far, the KHOBE code doesn't actually bypass their software (at least the ones we've heard from) unless it's already there to begin with. This could be because you're installing their software after you've been infected with this code or because you disabled your antivirus program.
3. There aren't any known exploits--or exploit kits--that rely on this technique. (At least not yet.)
What it means: The chances of encountering this in the real world are still very, very minimal.
4. It only affects antivirus software that uses the System Service Descriptor Table (SSDT), which is used less and less frequently than it once was.
What it means: Antivirus companies are moving (or have already moved) away from the use of the SSDT since Windows Vista. Windows XP seems to be the last Microsoft Windows OS where the security vendors commonly relied on the SSDT for their antivirus software. This means if you're running Windows Vista or 7, chances are your antivirus or Internet security software is already immune to this exploit.
Antivirus maker Sophos says,
"Sophos's on-access anti-virus scanner doesn't use SSDT hooks, so it's fair for us to say that this isn't a vulnerability for us at all."
VIPRE Antivirus' maker, Sunbelt Software, says,
"...it would affect antivirus programs that use SSDT. We don't use SSDT in VIPRE for Windows Server 2008, Vista and Windows 7. We do use it for older operating systems, like Windows XP."
5. It's difficult to make work.
What it means: The code works, yes, but given the many things that are required for it to work, even if you were to encounter it "in the wild," there's still no guarantee your computer will be infected.
Antivirus Vendor Responses
Sophos and Sunbelt aren't the only antivirus companies refuting the claims; security company F-Secure says,
"We believe our multi-layer approach will provide sufficient protection level even if malicious code were to attempt use of Matousec's technique.
"And if we would see such an attack, we would simply add signature detection for it, stopping it in its tracks. We haven't seen any attacks using this technique in the wild."
Our Take on KHOBE
This is true not just for F-Secure, but for all Internet security software vendors.
If there were real-world exploits using this attack that they'd encountered, adding signatures for those attacks should be able to defeat the attack pretty easily.
Regardless of the outcome of the debate about this particular exploit, there are still a couple of take-away points as far as we're concerned:
- Run the best antivirus software you can afford.
- Keep it updated--frequently.
- Even if you're updated and protected against known threats, it's critical to regularly back up your system so that if something does get by your defenses, at least you can restore your system to a point before the infection.
We've gotten a few requests in Ye Olde Mailbag recently asking if we're planning Windows 7 antivirus reviews anytime soon.
That depends on what you consider "soon," frankly. ;-)
With the fairly recent public release of the Windows 7 beta (for free, no less!), the initial reviews of the OS are good, and it's clear that even though it's officially labeled a "beta" product, it's very, very good.
The general consensus is that it's everything Vista should have been.
Given the loud backlash against Microsoft for Vista, I'm glad Windows 7 is starting with such good reviews.
Do You Need Antivirus with Windows 7?
With Vista's release, Jim Allchin, Microsoft's former President was quoted at betanews.com as saying,
"My son, seven years old, runs Windows Vista, and, honestly, he doesn't have an antivirus system on his machine.
"His machine is locked down with parental controls, he can't download things unless it's to the places that I've said that he could do, and I'm feeling totally confident about that.
"That is quite a statement. I couldn't say that in Windows XP SP2."
That really is quite a statement; however, he also pointed out,
"Please don't misunderstand me: This is an escalating situation.
The hackers are getting smarter, there's more at stake, and so there's just no way for us to say that some perfection has been achieved.
But I can say, knowing what I know now, I feel very confident."
Given that, as company president, it was his job to tout the features and benefits of his company's products, I'm not surprised by the first statement, per se; however, I do think it was cavalier of him to be dismissive of antivirus software.
Here we are now, a couple of years into Vista, and clearly Vista machines are indeed being infected with viruses, worms, trojans, spyware, and all sorts of other malware (albeit perhaps in different ways than on other versions of Windows), so it's pretty clear these things are still as much a threat to this OS as they are to other OSes.
And, viruses will continue to be a threat to Windows 7, too, no matter how well locked-down a given computer may be.
So What About Windows 7 Antivirus Reviews?!
Ah, yes, back to the original point: when are we going to get antivirus reviews up for Windows 7?
We've got some other things cooking right now with tons of new pages that help our users do a head-to-head antivirus comparison of the different A/V software we've reviewed, but once that's done, Windows 7 antivirus reviews look like they're next on the horizon for us.
The initial expectation is that A/V software that runs well on Vista should also run equally well (and perhaps better) on Windows 7.
If you're technically inclined and are interested, here's where to download Windows 7.
While many consumers are starting to realize the importance of antivirus software, many are unaware of the significant differences in performance from one antivirus program to another.
Why is this so important?
Realizing that many consumers just go with whatever is pre-installed on their system when they get it or with whatever their ISP installs/recommends, it seemed important to question the rationale behind that.
Often, the security application that has been installed is chosen for one reason: money.
The relationship between the PC manufacturers and ISPs and the antivirus vendors is an easy one to understand: the A/V makers often pay to have their software installed (or, if not, they let the manufacturers install it for free). Huh?
The reason is that the A/V makers realize many, if not most, consumers will renew their antivirus subscription when it expires. So while the A/V makers may have to "pay" to get their software onto your computer when you buy it, you end up buying the renewal subscription.
And, once they're in there, they have a revenue stream from you.
Sluggish System?
So, you're cruising around with your PC for a while--maybe even a year or more, when it just doesn't feel as fast as it once did.
All those files and pictures and videos you've created and viewed over the many moons you've had your computer are stored somewhere, often they live in your Temporary Internet Files directory.
Over time, as these files accumulate in the various places of your hard drive, your antivirus software has to work harder and harder to keep up.
What happens next is where it gets ugly.
You get fed up with it slowing things down and disable it, "just to get some stuff done."
The problem is the software stays off for a while--sometimes for a long while, maybe even forever.
Now that antivirus subscription you just renewed is totally, completely, utterly useless.
Real Antivirus Solutions
What this boils down to is that choosing your antivirus software, and not just taking the easy route, is critical.
This is part of the reason we rate VIPRE antivirus so highly: it's highly efficient and uses very few CPU, RAM, and system resources to keep your computer safe and virus-free.
We're not the only ones saying this, either. I just came across a VIPRE review from August 2008 on ZDNet's Hardware 2.0 blog by the much-respected Adrian Kingsley-Hughes.
"Security software can have a shocking effect on performance, and can take a new system and make it feel like one that's a few years old."
(N.B. emphasis mine)
Adrian's images, originally published at ZDNet (archived now at our site), really tell the story about VIPRE well. (Visit ZDNet for complete details.)
In his review, he compares system performance with:
Take a look at the below images and judge for yourself...
[Image 1; original source: http://i.zdnet.com/blogs/av_shootout_system01.png]
[Image 2; original source: http://i.zdnet.com/blogs/av_shootout_system02.png]
[Image 3; original source: http://i.zdnet.com/blogs/av_shootout_system03.png]
It's good to see we're not alone among leading antivirus review sites in singing VIPRE's praises; they're well-deserved.
A good reminder came by way of a Montreal Gazette article on antivirus software, one of the fine newspapers published by our Neighbors to the North: "'Okay, okay, this year, I'll get anti-virus software.' Say it and mean it."
Marc Saltzman, who penned the piece, brings up a great point: since buying a new PC (given the state of the economy for many people) is perhaps not a priority, protecting the one you have should be.
He talks about five of the six things we urge everyone to do. Here's our list (in order):
- Run antivirus software
- Run antispyware
- Keep your OS and the software you run updated
- Perform backups
- Defragment your hard drive
The only thing missing:
Run firewall software.
The default one built into Windows doesn't count. It stinks. In overall importance, we'd put firewall software at the top of the list, tied for first with antivirus software.
While you're running through this checklist yourself, take a look at our new antivirus reviews for 2012. You'll see the "best antivirus software" on our list for 2012, and it has built-in antispyware and offers an optional firewall software, too, in the VIPRE Internet security version.
With our coupons you can have a complete PC security solution and be out the door for under $30, and you'll be three steps closer to keeping the bad guys out and protecting your computer.
Bear this in mind, too, the most important thing on your computer probably isn't the computer itself. It's the data.
And even if by some strange chance you put zero value on the data on your computer, there's still the cost--both in time spent and actual cash spent--to get your computer fixed if it gets infected.