Methodology for Active Malware Treatment Test (February 2010)

The expert group at the Anti-Malware Test Lab selected 16 malicious programs for the active infection treatment test of antivirus products. Selection was based on the following criteria:

  1. Malicious programs were selected with a view to providing maximum coverage of technologies used to mask their presence on the system and prevent their detection and/or removal.
  2. The malicious program should be widespread.
  3. All the antivirus products tested should detect the malicious program’s components.
  4. The malicious program should be able to recover if some of its components are removed.
  5. The malicious program should not deliberately interfere with the operation of antivirus products (deleting antivirus files and registry keys, terminating antivirus processes, blocking antivirus database updates, etc.).
  6. The malicious program should not block system operability.

When selecting malware for the test, priority was given to the most sophisticated samples that met the largest number of the above criteria.

It should be noted that detection of the malicious program's components by all of the antivirus products tested was a critically important criterion in selecting malicious programs for the test.

All malicious programs used in the test were collected by Anti-Malware Test Lab experts in the wild.

Thus, the following malware samples were selected for the test:

  1. AdWare.Virtumonde (Vundo)
  2. Rustock (NewRest)
  3. Sinowal (Mebroot)
  4. Email-Worm.Scano (Areses)
  5. TDL (TDSS, Alureon, Tidserv)
  6. TDL2 (TDSS, Alureon, Tidserv)
  7. Srizbi
  8. Rootkit.Podnuha (Boaxxe)
  9. Rootkit.Pakes (synsenddrv)
  10. Rootkit.Protector (Cutwail, Pandex, Pushdo)
  11. Virus.Protector (Kobcka, Neprodoor)
  12. Xorpix (Eterok)
  13. Trojan-Spy.Zbot
  14. Win32/Glaze
  15. SubSys (Trojan.Okuks)
  16. TDL3 v.3.17 (TDSS, Alureon, Tidserv)

Every selected sample was verified to install and function correctly on the test system. A detailed description of each sample can be found in the full test report in Excel format.

Testing procedure

The test was performed on real computers (unlike the earlier tests) running Microsoft Windows XP Professional with Service Pack 3 integrated.

lkd> !devstack \Device\Harddisk0\DR0
!DevObj   !DrvObj            !DevExt   ObjectName
89bcfe08  \Driver\PartMgr    89bcfec0
> 89bceab8  \Driver\Disk       89bceb70  DR0
89b74f18  \Driver\ACPI       89c0f0e0  00000061
89bd0940  \Driver\atapi      89bd09f8  IdeDeviceP0T0L0-3


The following antivirus software participated in the test:

  1. Avast! Professional Edition 4.8.1368
  2. AVG Anti-Virus & Anti-Spyware 8.5.0.40
  3. Avira AntiVir PE Premium 9.0.0.75
  4. BitDefender Antivirus 2010 (13.0.18.345)
  5. Comodo Antivirus 3.13.121240.574
  6. Dr.Web Anti-Virus 5.00.10.11260
  7. Eset NOD32 Antivirus 4.0.474.0
  8. F-Secure Anti-Virus 2010 (10.00 build 246)
  9. Kaspersky Anti-Virus 2010 (9.0.0.736 (a.b))
  10. McAfee VirusScan 2010 (13.15.113)
  11. Microsoft Security Essentials 1.0.1611.0
  12. Outpost Antivirus Pro 2009 (6.7.1 2983.450.0714)
  13. Panda Antivirus 2010 (9.01.00)
  14. Sophos Antivirus 9.0.0
  15. Norton AntiVirus 2010 (17.0.0.136)
  16. Trend Micro Antivirus plus Antispyware 2010 (17.50.1366)
  17. VBA32 Antivirus 3.12.12.0

When installing each product on an infected computer, the vendor's default settings were used and all actions recommended by the product were carried out (system reboot, update, etc.):

  • Whenever possible, the installation was completed with all recommended actions, including updating the product and running a malware scan.
  • If the installer did not suggest a reboot, the malware scan was started after installation without rebooting. If that scan failed (the malware was not detected, or was detected but not removed), the system was rebooted and the scan was run again.
  • If the product was not updated during installation, the update was performed manually before treating the active infection.
  • When treating an active infection, the predefined scan options (quick scan, startup scan, etc.) were tried first. If the first attempt failed, the folder containing the malware files was scanned from the context menu. If that attempt also failed, a full system scan was started.
  • If the antivirus interface offered a separate anti-rootkit scan, it was run first for all samples containing a rootkit component.
  • If only one of several components was detected during a scan, the search for the remaining components continued after a reboot.

If the product offered several actions, they were tried in sequence, moving on to the next one when the previous one failed: heal, remove, rename, quarantine.

The testing process comprised the following steps:

  1. Install the operating system on the hard drive and create a complete disk image using Acronis True Image (image_main).
  2. Infect the clean operating system (activate the malware).
  3. Verify that the malicious program has been successfully installed on the system and is functioning correctly.
  4. Restart the infected system.
  5. Verify again that the malicious program is functioning correctly and create a new image of the system (image_virus).
  6. Repeat steps 1 through 5 for all the malicious programs used in the test.
  7. Load one of the image_virus snapshots, install one of the antivirus products participating in the test and attempt to disinfect the system.
  8. If disinfection of the system was successful, create a list of the remaining traces of the infection.
  9. Restore the clean operating system image (image_main) to the disk using Acronis True Image (booting from a CD).
  10. Repeat steps 7 through 9 for all sixteen image_virus snapshots and all seventeen antivirus products.
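Step 8 asks for a list of the traces left behind after treatment. As an added example (not the Test Lab's own tooling), the following Python compares hash inventories of files and registry keys taken from image_main, image_virus and the treated system and sorts every infection artifact into removed, healed, remaining or altered; the inventories, artifact names and hashes are constructed placeholders.

```python
# Added example (not the Test Lab's own tooling): classify infection traces after a
# treatment attempt by comparing three {artifact: content_hash} inventories of the
# test system (files and registry keys) taken from image_main, image_virus and the
# post-treatment state. Capturing the inventories is assumed to happen elsewhere.
from dataclasses import dataclass, field

@dataclass
class TraceReport:
    removed: set = field(default_factory=set)    # artifact gone after treatment
    healed: set = field(default_factory=set)     # restored to its clean version
    remaining: set = field(default_factory=set)  # identical to the infected version
    altered: set = field(default_factory=set)    # present, but neither clean nor infected
    new: set = field(default_factory=set)        # created by treatment (renamed/quarantined)

    def fully_clean(self) -> bool:
        """True when nothing attributable to the infection survives on the system."""
        return not (self.remaining or self.altered or self.new)

def infection_artifacts(clean: dict, infected: dict) -> set:
    """Artifacts the infection added or modified (image_main vs image_virus)."""
    return {k for k, h in infected.items() if clean.get(k) != h}

def classify_traces(clean: dict, infected: dict, treated: dict) -> TraceReport:
    """Compare the post-treatment state against both snapshots (step 8)."""
    report = TraceReport()
    for k in infection_artifacts(clean, infected):
        if k not in treated:
            report.removed.add(k)
        elif k in clean and treated[k] == clean[k]:
            report.healed.add(k)
        elif treated[k] == infected[k]:
            report.remaining.add(k)
        else:
            report.altered.add(k)
    # Objects that exist only after treatment, e.g. a renamed sample left on disk.
    report.new = {k for k in treated if k not in clean and k not in infected}
    return report

# Constructed sample inventories; file names and hashes are placeholders.
DRV = r"C:\WINDOWS\system32\drivers"
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SVC = r"HKLM\SYSTEM\CurrentControlSet\Services\sample"
CLEAN = {DRV + r"\atapi.sys": "h_atapi_clean", RUN: "h_run"}
INFECTED = {DRV + r"\atapi.sys": "h_atapi_patched", RUN: "h_run",
            DRV + r"\sample.sys": "h_sample", SVC: "h_svc"}
TREATED = {DRV + r"\atapi.sys": "h_atapi_clean", RUN: "h_run",
           SVC: "h_svc", DRV + r"\sample.sys.ren": "h_sample"}
```

With the constructed data the patched driver counts as healed, the dropped driver as removed, the service key as remaining and the renamed copy as new, so the treatment is not reported as fully clean.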