Home-made APT vs most trusted anti-malware solutions

To quickly summarize: none of the tested anti-malware solutions was able to prevent the infection of the system or the privilege escalation that followed. None of them alerted the user to the abnormal behaviour of our executable either.

Stop! That’s all !

Further details:

The malware is a P2P (D)DoS agent written in pure C by Emanuele De Lucia with TCP SYN and HTTP Flood capabilities, named “apt.exe”. It is basically a dropper. It is launched with the privileges of a limited account, with UAC enabled. “apt.exe” is able to use two different local privilege escalation exploits, and creates a new auto-starting hidden service on the target machine with a communication socket listening on TCP/9080 (the master machine listens on TCP/9081). All “svchost.exe” processes are hidden through kernel patching techniques. Code injection is performed into “explorer.exe”, “services.exe” and “winlogon.exe”. “apt.exe” has MITB capabilities if it detects that “iexplore.exe” is running.
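Two of the behaviours listed above leave traces a defender can look for without any vendor signature: a process hidden from user-mode enumeration still shows up in an independent view (a raw object-table walk or a kernel driver), and a service listening on TCP/9080 is visible in `netstat -ano` unless the socket is hidden too. The script below, added here as an example and not code from the original post or from the malware, runs the classic cross-view comparison and a listener allow-list check over constructed sample data; the process tables, PIDs and netstat lines are made up for illustration.

```python
"""Cross-view process check and unexpected-listener check.
Added example with constructed sample data, not code from the original post."""
from typing import Iterable

# Constructed sample: process list as seen by user-mode enumeration (what Task
# Manager shows) versus an independent source (e.g. a kernel-level object walk).
# PIDs and names are made up; 2216 plays the role of a hidden service process.
USERMODE_VIEW = {4: "System", 876: "svchost.exe", 1204: "explorer.exe",
                 1532: "services.exe"}
INDEPENDENT_VIEW = {4: "System", 876: "svchost.exe", 1204: "explorer.exe",
                    1532: "services.exe", 2216: "svchost.exe"}

# Constructed sample of Windows `netstat -ano` output. Port 9080 mirrors the
# listener described in the post; the other lines are ordinary Windows services.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9080           0.0.0.0:0              LISTENING       2216
  TCP    192.168.1.10:49712     93.184.216.34:443      ESTABLISHED     1204
  TCP    [::]:135               [::]:0                 LISTENING       876
  UDP    0.0.0.0:5353           *:*                                    1532
"""


def hidden_pids(usermode: dict, independent: dict) -> dict:
    """PIDs present in the independent view but absent from user-mode
    enumeration: the cross-view signature of a process hidden by kernel
    patching or hooked enumeration APIs."""
    return {pid: name for pid, name in independent.items() if pid not in usermode}


def parse_netstat(text: str):
    """Yield (proto, local_port, state, pid) from `netstat -ano` style output.
    UDP rows carry no State column, so the PID is one field earlier."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        proto, local = parts[0], parts[1]
        port = int(local.rsplit(":", 1)[1])  # handles 0.0.0.0:135 and [::]:135
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        yield proto, port, state, pid


def unexpected_listeners(text: str, allowed_ports: Iterable[int]) -> list:
    """TCP listeners whose port is not on the host's expected-port list,
    returned as sorted (port, pid) pairs."""
    allowed = set(allowed_ports)
    return sorted({(port, pid) for proto, port, state, pid in parse_netstat(text)
                   if proto == "TCP" and state == "LISTENING" and port not in allowed})


def findings(usermode: dict, independent: dict, netstat_text: str,
             allowed_ports: Iterable[int]) -> dict:
    """Combine both checks; a hidden PID that also owns an unexpected listener
    is the strongest indicator and is reported separately."""
    hidden = hidden_pids(usermode, independent)
    listeners = unexpected_listeners(netstat_text, allowed_ports)
    return {
        "hidden_pids": hidden,
        "unexpected_listeners": listeners,
        "hidden_with_socket": sorted(pid for _port, pid in listeners if pid in hidden),
    }


if __name__ == "__main__":
    print(findings(USERMODE_VIEW, INDEPENDENT_VIEW, NETSTAT_SAMPLE, {135, 445}))
```

On a real host the two process views would come from different mechanisms (for example a tasklist snapshot against a driver- or memory-forensics-based enumeration), and the allow-list would be the host's documented baseline of listening ports; the comparison logic stays the same.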

A video summarizes the entire infection activity against the best anti-malware product I tested (in my opinion). It is the latest available version and it is fully updated. During the video the cmd window is kept visible. The listening socket (TCP/9080) is also intentionally not hidden.

You see, nothing happens! So, don’t trust your anti-malware product, whatever it is.

List of products tested:

Trend Micro Titanium

EMSISOFT Anti-Malware

Avast! 2014

Kaspersky Antivirus

ESET NOD32

Avira

Norton™ AntiVirus 2014

Some screenshots:

Starting up the server on one of victims at development/debug stage:


Master client while it is communicating with one of the entry bots…


Some evidence from our testing of the effectiveness of those products:


Conclusions:

A good anti-malware solution is very important, but do not trust it completely :)

2 Comments

  1. persino

    Do you use Twitter? I’d like to follow you if that would be ok. I’m undoubtedly enjoying your blog and look forward to new posts…
