Selection of malicious programs for the testing of anti-rootkit software for the detection and removal of malware

For the purposes of testing, the expert group from Anti-Malware.ru selected nine malicious programs based on the following criteria:

  1. The malicious program should conceal its presence in the system using rootkit technology.
  2. All selected samples should use different methods of concealing their presence in the system.
  3. All samples taken together should, to the maximum extent possible, cover the range of technologies used by virus writers to conceal the presence of malicious programs in the system.
  4. All selected malicious programs should be in-the-wild samples, i.e., collected as they were spreading over the Internet.

All samples used in the test are sufficiently common in the wild (http://z-oleg.com/secur/virstat/index.php), were detected during computer disinfection on numerous occasions (http://virusinfo.info/forumdisplay.php?f=46), and users invariably had problems with their detection and removal.

The following malicious programs were selected for testing purposes (the Kaspersky Lab classification is used here; alternative names used by other vendors can be found in the complete testing report):

  1. Backdoor.Win32.Haxdoor.fd
  2. Backdoor.Win32.Padodor.ax
  3. Monitor.Win32.EliteKeylogger.21
  4. Monitor.Win32.SpyLantern.530
  5. Trojan-Clicker.Win32.Costrat.af
  6. Trojan-Proxy.Win32.Agent.lb
  7. Trojan-Spy.Win32.Goldun.np
  8. Trojan.Win32.DNSChanger.ih
  9. Worm.Win32.Feebs.gt

Until the publication of the testing results, the list of malicious programs was kept secret and was not provided to any of the vendors whose anti-rootkit products were tested.