To quickly summarize: there has not been an anti-malware solution that was effectively able to avoid the infection of the system or to prevent the privileges escalation put into play. None of the tested solutions was also able to alert the user about an abnormal behavior of our executable.
Stop! That’s all !
The malware is a P2P (D)DoS agent written in pure C by Emanuele De Lucia with TCP SYN and HTTP Flood capabilities, named “apt.exe”. This is basically a dropper. It’s launched with the privileges of a limited account. UAC is enabled. “apt.exe” is able to use two different local privileges escalation exploits, and goes to create a new auto-starting hidden service in the target machine with a communication socket listening on TCP/9080 (master machine is listening on TCP/9081). All “svchost.exe” processes are so hidden through kernel patching techniques. A code injection is performed to “explorer.exe”, “services.exe” and “winlogon.exe”. “apt.exe” has MITB capabilities if it detectes “iexplore.exe” is running.
A video to summarize the entire infection activity with the best anti-malware i tested (in my opinion). It’s the latest available version and it’s fully updated. During the video cmd window is kept visible. The listening socket (TCP/9080) is also intentionally not hidden.
You see, nothing happens ! So, don’t trust your anti-malware product whatever it is.
List of products tested:
Trend Micro Titanium
Norton™ AntiVirus 2014
Starting up the server on one of victims at development/debug stage:
Master Client while is communicating with one of the entry bots…
Some evidences while we were testing the effectiveness of those products:
A good anti-malware solution is very important, but do not trust it completely