Anti-rootkit software testing on the detection and removal of malware
www.anti-malware-test.com
(03.2007)

Table 2: Detailed results of testing for malicious program detection and removal by anti-rootkit solutions

Each block is one anti-rootkit solution; each entry gives the malware * and the result obtained against it.

Antivir Rootkit 1.0.1.12 Beta3
    Backdoor.Win32.Haxdoor.fd:        Successfully detected and removed all files
    Backdoor.Win32.Padodor.ax:        Detected and removed Daqjjn32.exe
    Monitor.Win32.EliteKeylogger.21:  Successfully detected and removed all files
    Monitor.Win32.SpyLantern.530:     Successfully detected and removed all files
    Trojan-Clicker.Win32.Costrat.af:  Successfully detected and removed the file
    Trojan-Spy.Win32.Goldun.np:       Detected and removed MemMan.dll
    Worm.Win32.Feebs.gt:              Successfully detected and removed all files (including malware copies)
    Trojan-Proxy.Win32.Agent.lb:      Successfully detected and removed the malware file
    Trojan.Win32.DNSChanger.ih:       Successfully detected and removed the file

AVG Antirootkit 1.1.0.29 Beta
    Backdoor.Win32.Haxdoor.fd:        Successfully detected and removed all files
    Backdoor.Win32.Padodor.ax:        Detected and renamed Daqjjn32.exe
    Monitor.Win32.EliteKeylogger.21:  Detected and renamed fltMgrnt.sys, mf2k.sys
    Monitor.Win32.SpyLantern.530:     Successfully detected and renamed all files
    Trojan-Clicker.Win32.Costrat.af:  Successfully detected and removed the file
    Trojan-Spy.Win32.Goldun.np:       Detected and renamed MemMan.dll
    Worm.Win32.Feebs.gt:              Successfully detected and removed all files (including malware copies)
    Trojan-Proxy.Win32.Agent.lb:      Successfully detected and renamed the file
    Trojan.Win32.DNSChanger.ih:       Successfully detected and renamed the file

AVZ 4.23
    Backdoor.Win32.Haxdoor.fd:        Detected and removed tcpq32.dll, tcpq64.sys
    Backdoor.Win32.Padodor.ax:        Detected and removed Daqjjn32.exe, Opknnaei.dll
    Monitor.Win32.EliteKeylogger.21:  Detected and removed fltMgrnt.sys, mf2k.sys, tdiex.sys
    Monitor.Win32.SpyLantern.530:     Detected and removed cyfyweb.exe, cyfyweb.sys, cyfyweba.dll, cyfywebh.dll, cyfywebl.exe
    Trojan-Clicker.Win32.Costrat.af:  Successfully detected and removed the file
    Trojan-Spy.Win32.Goldun.np:       Successfully detected and removed all files
    Worm.Win32.Feebs.gt:              Died when scanning was started, but detected and removed mswm32.dll once the AVZ process had been renamed and AVZGuard turned on
    Trojan-Proxy.Win32.Agent.lb:      Successfully detected and removed the file
    Trojan.Win32.DNSChanger.ih:       Detected the intercepts only

Bitdefender Antirootkit 1.2.0.0 Beta2
    Backdoor.Win32.Haxdoor.fd:        Detected and removed all files except tcpq32.dll (couldn't remove)
    Backdoor.Win32.Padodor.ax:        Detected and renamed Daqjjn32.exe
    Monitor.Win32.EliteKeylogger.21:  Detected and removed all files except mslcache.dll (couldn't remove)
    Monitor.Win32.SpyLantern.530:     Detected and renamed cyfywebl.exe, cyfyweb.exe, but the intercepts in user and kernel mode still took place
    Trojan-Clicker.Win32.Costrat.af:  Didn't detect the malware
    Trojan-Spy.Win32.Goldun.np:       Detected and renamed MemMan.dll
    Worm.Win32.Feebs.gt:              Successfully detected and removed all files (including malware copies)
    Trojan-Proxy.Win32.Agent.lb:      Didn't detect the malware
    Trojan.Win32.DNSChanger.ih:       Detected the file but couldn't rename or remove it

F-Secure BlackLight 2.2.1055 Beta
    Backdoor.Win32.Haxdoor.fd:        Successfully detected and removed all files
    Backdoor.Win32.Padodor.ax:        Detected and renamed Daqjjn32.exe
    Monitor.Win32.EliteKeylogger.21:  Successfully detected and removed all files
    Monitor.Win32.SpyLantern.530:     Successfully detected and removed all files
    Trojan-Clicker.Win32.Costrat.af:  Didn't detect the malware
    Trojan-Spy.Win32.Goldun.np:       Detected and renamed MemMan.dll
    Worm.Win32.Feebs.gt:              Successfully detected and removed all files
    Trojan-Proxy.Win32.Agent.lb:      Successfully detected and renamed the file
    Trojan.Win32.DNSChanger.ih:       Successfully detected and renamed the file

Gmer 1.0.12.12027
    Backdoor.Win32.Haxdoor.fd:        Detected and removed all files except tcpq32.dll (couldn't remove)
    Backdoor.Win32.Padodor.ax:        Detected and renamed Daqjjn32.exe
    Monitor.Win32.EliteKeylogger.21:  Successfully removed the drivers' registry keys, but all malware files could be removed only manually
    Monitor.Win32.SpyLantern.530:     Removed the registry keys for cyfyweb.exe, cyfyweb.sys
    Trojan-Clicker.Win32.Costrat.af:  Successfully removed the registry keys, but the inactive file remains in the stream
    Trojan-Spy.Win32.Goldun.np:       Detected all files but removed CsdDriver.sys only; the malware was active after system reboot
    Worm.Win32.Feebs.gt:              Died after starting the scanning process
    Trojan-Proxy.Win32.Agent.lb:      Detected the file but couldn't remove it
    Trojan.Win32.DNSChanger.ih:       Detected the file, removed the intercepts and the registry key (through the registry editor); the file can be removed manually after system reboot

McAfee Rootkit Detective 1.0.0.41 Beta
    Backdoor.Win32.Haxdoor.fd:        Successfully detected and removed all files
    Backdoor.Win32.Padodor.ax:        Detected and removed Daqjjn32.exe and the registry key for running Opknnaei.dll
    Monitor.Win32.EliteKeylogger.21:  Detected and renamed dmdsk32.dll, mslcache.dll, verifsvr.exe; renamed the registry keys for the fltMgrnt.sys, mf2k.sys, tdiex.sys drivers
    Monitor.Win32.SpyLantern.530:     Successfully detected and renamed all files
    Trojan-Clicker.Win32.Costrat.af:  Successfully renamed the autorun keys, but they were restored after system reboot and the malware was active
    Trojan-Spy.Win32.Goldun.np:       Successfully detected and renamed all files; renamed MemMan.dll and its autorun registry key
    Worm.Win32.Feebs.gt:              Detected and removed all files (including all malware copies) and the autorun key for mswm32.dll (ShellServiceObjectDelayLoad)
    Trojan-Proxy.Win32.Agent.lb:      Successfully detected and removed the file
    Trojan.Win32.DNSChanger.ih:       Successfully detected and removed the file

Rootkit Unhooker 3.20.130.388
    Backdoor.Win32.Haxdoor.fd:        Successfully detected and removed all files
    Backdoor.Win32.Padodor.ax:        Detected and renamed Daqjjn32.exe
    Monitor.Win32.EliteKeylogger.21:  Successfully detected and removed all files
    Monitor.Win32.SpyLantern.530:     Successfully detected and removed all files
    Trojan-Clicker.Win32.Costrat.af:  Successfully detected and removed the file
    Trojan-Spy.Win32.Goldun.np:       Successfully detected and removed all files
    Worm.Win32.Feebs.gt:              Detected the intercepts from mswm32.dll, after which the file was removed using the RkU features
    Trojan-Proxy.Win32.Agent.lb:      Detected the intercepts from msvcrt64.dll, after which the file was removed using the RkU features
    Trojan.Win32.DNSChanger.ih:       Detected the intercepts only

Sophos Anti-Rootkit 1.2.2
    Backdoor.Win32.Haxdoor.fd:        Successfully detected and removed all files
    Backdoor.Win32.Padodor.ax:        Detected and renamed Daqjjn32.exe
    Monitor.Win32.EliteKeylogger.21:  Successfully detected and removed all files
    Monitor.Win32.SpyLantern.530:     Successfully detected and removed all PE files
    Trojan-Clicker.Win32.Costrat.af:  Successfully detected and removed the file
    Trojan-Spy.Win32.Goldun.np:       Detected and removed MemMan.dll
    Worm.Win32.Feebs.gt:              Didn't detect the malware
    Trojan-Proxy.Win32.Agent.lb:      Successfully detected and removed the file
    Trojan.Win32.DNSChanger.ih:       Successfully detected and removed the file

Trend Micro RootkitBuster 1.6.0.1055 Beta
    Backdoor.Win32.Haxdoor.fd:        Detected and removed all files except tcpq32.dll (couldn't remove)
    Backdoor.Win32.Padodor.ax:        Detected and removed Daqjjn32.exe and the registry key for running Opknnaei.dll
    Monitor.Win32.EliteKeylogger.21:  Removed the registry keys for fltMgrnt.sys, mf2k.sys, tdiex.sys
    Monitor.Win32.SpyLantern.530:     Successfully detected and removed all files
    Trojan-Clicker.Win32.Costrat.af:  Successfully removed the registry keys, but the inactive file remains in the stream
    Trojan-Spy.Win32.Goldun.np:       Detected and removed MemMan.dll and its autorun registry key
    Worm.Win32.Feebs.gt:              Detected and removed all files and the autorun key for mswm32.dll (ShellServiceObjectDelayLoad)
    Trojan-Proxy.Win32.Agent.lb:      Successfully detected and removed the file
    Trojan.Win32.DNSChanger.ih:       Successfully detected and removed the file

UnHackMe 4.0
    Backdoor.Win32.Haxdoor.fd:        Detected the autorun keys for tcpq64.sys but couldn't remove them; the malware was active after system reboot
    Backdoor.Win32.Padodor.ax:        Detected the hidden Daqjjn32.exe process but couldn't remove the file; the malware was active after system reboot
    Monitor.Win32.EliteKeylogger.21:  Removed the registry keys for fltMgrnt.sys, mf2k.sys, tdiex.sys
    Monitor.Win32.SpyLantern.530:     Detected and removed cyfyweb.exe
    Trojan-Clicker.Win32.Costrat.af:  Didn't detect the malware
    Trojan-Spy.Win32.Goldun.np:       Didn't detect the malware
    Worm.Win32.Feebs.gt:              Died during the scanning process
    Trojan-Proxy.Win32.Agent.lb:      Didn't detect the malware
    Trojan.Win32.DNSChanger.ih:       Didn't detect the malware

* - malware names are specified in accordance with the Kaspersky Lab classification

Legend (Table 2):
    - completely detected and removed the rootkit
    - the rootkit was successfully detected and removed, but insignificant traces of its presence in the system remain
    - rootkit not detected or removal failed

Table 3: Malware names in classifications of leading antivirus vendors

          Kaspersky Lab                Symantec             Trend Micro         McAfee               BitDefender              DrWeb

Backdoor.Win32.Haxdoor.fd         Backdoor.Haxdoor.E   BKDR_Generic       BackDoor-BAC.gen.e   Backdoor.Haxdoor.FA    BackDoor.Haxdoor.173
Backdoor.Win32.Padodor.ax         Backdoor.Berbew.T    BKDR_BERBEW.AA     BackDoor-AXJ         Backdoor.Padodor.AX    BackDoor.HangUp.27
Trojan-Clicker.Win32.Costrat.af   Backdoor.Rustock.B   TROJ_RUSTOCK.NBJ   Spam-Mailbot.c       Backdoor.Rustock.S     Trojan.Spambot
Monitor.Win32.EliteKeylogger.21   -                    TROJ_Generic.ZA    -                    -                      -
Monitor.Win32.SpyLantern.530      Spyware.SpyLantern   -                  -                    -                      -
Trojan-Proxy.Win32.Agent.lb       Backdoor.Trojan      TROJ_AGENT.HQY     Proxy-Agent.ba       Backdoor.ShellBot.C    BackDoor.Shellbot
Trojan-Spy.Win32.Goldun.np        Trojan.Goldun        TROJ_Generic       -                    Trojan.Spy.Goldun.BP   Trojan.PWS.GoldSpy
Trojan.Win32.DNSChanger.ih        -                    -                  -                    -                      -
Worm.Win32.Feebs.gt               W32.Feebs            WORM_FEEBS.AZ      W32/Feebs.gen@MM     Win32.Worm.Feebs.CF    Win32.HLLM.Graz.based
Table 4: Description of the malware used in the test

Backdoor.Win32.Haxdoor.fd
    Files:      c:\windows\system32\klgcptini.dat
                c:\windows\system32\qz.dll
                c:\windows\system32\qz.sys
                c:\windows\system32\stt82.ini
                c:\windows\system32\tcpq32.dll
                c:\windows\system32\tcpq64.sys
    Processes:  System process, winlogon.exe, explorer.exe
    Comments:   All files, the Windows registry keys for running tcpq32.dll and tcpq64.sys, and the system processes winlogon.exe and explorer.exe are hidden.

Backdoor.Win32.Padodor.ax
    Files:      C:\WINDOWS\system32\Daqjjn32.exe
                C:\WINDOWS\system32\Opknnaei.dll
    Processes:  Daqjjn32.exe
    Comments:   Hidden file Daqjjn32.exe, process Daqjjn32.exe and registry key for running Opknnaei.dll (ShellServiceObjectDelayLoad).

Monitor.Win32.EliteKeylogger.21
    Files:      C:\WINDOWS\system32\dmdsk32.dll
                C:\WINDOWS\system32\drivers\fltMgrnt.sys
                C:\WINDOWS\system32\drivers\mf2k.sys
                C:\WINDOWS\system32\drivers\tdiex.sys
                C:\WINDOWS\system32\mslcache.dll
                C:\WINDOWS\system32\verifsvr.exe
    Processes:  none listed
    Comments:   Hides all files and the autorun keys for fltMgrnt.sys, mf2k.sys, tdiex.sys.

Monitor.Win32.SpyLantern.530
    Files:      c:\windows\system32\cyfyweb.cfg
                c:\windows\system32\cyfyweb.chm
                c:\windows\system32\cyfyweb.exe
                c:\windows\system32\cyfyweb.sys
                c:\windows\system32\cyfyweba.dll
                c:\windows\system32\cyfywebcc.exe
                c:\windows\system32\cyfywebh.dll
                c:\windows\system32\cyfyweb
    Processes:  cyfyweb.exe, cyfywebl.exe
    Comments:   Hides all files, directories and processes.

Trojan-Clicker.Win32.Costrat.af
    Files:      C:\WINDOWS\system32:huy32.sys:$DATA
    Processes:  none listed
    Comments:   Hidden huy32.sys file (an alternate data stream) and its autorun key.

Trojan-Spy.Win32.Goldun.np
    Files:      C:\WINDOWS\system32\CsdDriver.sys
                C:\WINDOWS\system32\MemMan.dll
    Processes:  none listed
    Comments:   Hidden MemMan.dll file and its registry key (ShellServiceObjectDelayLoad).

Worm.Win32.Feebs.gt
    Files:      c:\WINDOWS\system32\msvx.exe
                c:\WINDOWS\system32\mswm32.dll
                c:\WINDOWS\system32\msdi
                + many own copies throughout the system disk
    Processes:  System process, svchost.exe
    Comments:   Hides all files and the autorun key for mswm32.dll (ShellServiceObjectDelayLoad).

Trojan-Proxy.Win32.Agent.lb
    Files:      c:\windows\system32\msvcrt64.dll
    Processes:  none listed
    Comments:   Hides its own file and the autorun key (ShellServiceObjectDelayLoad).

Trojan.Win32.DNSChanger.ih
    Files:      C:\WINDOWS\system32\kdaup.exe
    Processes:  none listed
    Comments:   Hidden file, no active processes; the registry key for Winlogon with parameter System = kdeiy.exe is not hidden.

* - malware names are specified in accordance with the Kaspersky Lab classification
Table 5: Malware disguise method (intercepted API)

Backdoor.Win32.Haxdoor.fd
    NtCreateProcess
    NtCreateProcessEx
    NtOpenProcess
    NtOpenThread
    NtQueryDirectoryFile
    NtQuerySystemInformation

Backdoor.Win32.Padodor.ax
    ntdll.dll:NtQuerySystemInformation
    ntdll.dll:RtlGetNativeSystemInformation
    ntdll.dll:ZwQuerySystemInformation
    kernel32.dll:FindNextFileW
    kernel32.dll:Process32Next
    advapi32.dll:RegEnumKeyA
    advapi32.dll:RegEnumKeyExA
    advapi32.dll:RegEnumKeyExW
    advapi32.dll:RegEnumKeyW
    advapi32.dll:RegEnumValueA
    advapi32.dll:RegEnumValueW

Monitor.Win32.EliteKeylogger.21
    NtCreateKey
    NtEnumerateKey
    NtOpenKey
    Driver-filter of file system

Monitor.Win32.SpyLantern.530
    advapi32.dll:EnumServicesStatusA
    advapi32.dll:EnumServicesStatusW
    NtQueryDirectoryFile
    NtQuerySystemInformation
    Driver-filter of file system

Trojan-Clicker.Win32.Costrat.af
    SYSENTER/Int 2E

Trojan-Spy.Win32.Goldun.np
    NtEnumerateKey
    NtEnumerateValueKey
    NtQueryDirectoryFile

Worm.Win32.Feebs.gt
    kernel32.dll:FindFirstFileA
    kernel32.dll:FindFirstFileW
    kernel32.dll:FindNextFileA
    kernel32.dll:FindNextFileW
    kernel32.dll:OpenProcess
    ntdll.dll:NtQuerySystemInformation
    ntdll.dll:RtlGetNativeSystemInformation
    ntdll.dll:ZwQuerySystemInformation
    advapi32.dll:RegEnumKeyA
    advapi32.dll:RegEnumKeyExA
    advapi32.dll:RegEnumKeyExW
    advapi32.dll:RegEnumKeyW
    advapi32.dll:RegEnumValueA
    advapi32.dll:RegEnumValueW

Trojan-Proxy.Win32.Agent.lb
    kernel32.dll:FindFirstFileA
    kernel32.dll:FindFirstFileW
    kernel32.dll:FindNextFileA
    kernel32.dll:FindNextFileW
    kernel32.dll:Module32First
    kernel32.dll:Module32FirstW
    kernel32.dll:Module32Next
    kernel32.dll:Module32NextW
    advapi32.dll:RegEnumValueA
    advapi32.dll:RegEnumValueW

Trojan.Win32.DNSChanger.ih
    ntdll.dll:NtCreateThread
    ntdll.dll:NtQueryDirectoryFile
    ntdll.dll:ZwCreateThread
    ntdll.dll:ZwQueryDirectoryFile

* - malware names are specified in accordance with the Kaspersky Lab classification
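The samples in Table 5 hide themselves by intercepting enumeration APIs (FindNextFileW, Process32Next, RegEnumValueW, NtQueryDirectoryFile and so on), which is why Table 4 lists files, processes and ShellServiceObjectDelayLoad keys that a normal listing does not show. The scanners in Table 2 uncover such objects by cross-view comparison: enumerate once through the hooked high-level API and once through a path the hook does not cover (raw volume parsing, kernel object lists, a direct hive read), then report whatever only the low-level view returns. The following Python sketch of that comparison is an added example, not code from the report or from any of the tested products; the two "views" are constructed lists modelled on the Backdoor.Win32.Haxdoor.fd and Backdoor.Win32.Padodor.ax rows of Table 4, standing in for the real enumeration calls.

```python
"""Cross-view comparison of hooked versus unhooked enumerations (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Mapping, Tuple


@dataclass(frozen=True)
class CrossViewResult:
    hidden: Tuple[str, ...]   # in the low-level view only: concealed from the hooked API
    phantom: Tuple[str, ...]  # in the high-level view only: stale entry or enumeration race


def normalise(name: str) -> str:
    # Windows file, image and registry value names compare case-insensitively,
    # so fold case before differencing or the two views disagree spuriously.
    return name.strip().lower()


def cross_view_diff(high_level: Iterable[str], low_level: Iterable[str]) -> CrossViewResult:
    """Return the objects that exactly one of the two views reports."""
    hi = {normalise(n) for n in high_level}
    lo = {normalise(n) for n in low_level}
    return CrossViewResult(hidden=tuple(sorted(lo - hi)), phantom=tuple(sorted(hi - lo)))


def scan(views: Mapping[str, Tuple[Iterable[str], Iterable[str]]]) -> Dict[str, CrossViewResult]:
    """Run the comparison per object class: files, processes, registry values."""
    return {category: cross_view_diff(hi, lo) for category, (hi, lo) in views.items()}


def verdict(results: Mapping[str, CrossViewResult]) -> str:
    """Only the hidden set is evidence of concealment; phantoms are not counted."""
    flagged = [category for category, result in results.items() if result.hidden]
    return "clean" if not flagged else "hidden objects in: " + ", ".join(flagged)


# --- constructed sample data (hypothetical system32 listing) ---
# High-level view: what FindNextFileW / Process32Next / RegEnumValueW return while hooked.
HOOKED_FILES = ["ntdll.dll", "KERNEL32.DLL", "Calc.exe"]
# Low-level view: the same directory read without the hook; the Haxdoor and Padodor files appear.
RAW_FILES = ["ntdll.dll", "kernel32.dll", "calc.exe",
             "qz.dll", "qz.sys", "tcpq32.dll", "tcpq64.sys", "Daqjjn32.exe"]

# notepad.exe exited between the two enumerations: a phantom, not a rootkit.
HOOKED_PROCESSES = ["System", "csrss.exe", "lsass.exe", "notepad.exe"]
RAW_PROCESSES = ["System", "csrss.exe", "lsass.exe",
                 "winlogon.exe", "explorer.exe", "Daqjjn32.exe"]

# ShellServiceObjectDelayLoad values, the autorun location named in Table 4.
HOOKED_SSODL = ["PostBootReminder", "CDBurn", "WebCheck"]
RAW_SSODL = HOOKED_SSODL + ["Opknnaei.dll"]

SAMPLE_VIEWS = {
    "files": (HOOKED_FILES, RAW_FILES),
    "processes": (HOOKED_PROCESSES, RAW_PROCESSES),
    "registry": (HOOKED_SSODL, RAW_SSODL),
}

if __name__ == "__main__":
    results = scan(SAMPLE_VIEWS)
    for category, result in results.items():
        print(f"{category:10s} hidden={list(result.hidden)} phantom={list(result.phantom)}")
    print(verdict(results))
```

Two points of the table carry over into the design: the comparison has to run per object class, because (as Table 5 shows) a sample may hook registry enumeration but not directory enumeration, and a name seen only in the high-level view is reported separately rather than treated as concealment, since a process or file that disappears between the two passes is the normal race that any scanner of a live system has to tolerate.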

								
To top