
-- BOClean 4.11.01 -- (work in progress)



1. Marketing (www.nsclean.com)


"Even newer, far more difficult to detect trojan technologies with new uses for process injectors and rootkits are all over the wild."

...

"BOClean is the best real-time antitrojan available."

...

"BOClean works in real time, catching trojans instantly as they begin to execute, which by the nature of the process, mandates the removal of encryption, wrappers and compression in order to execute the actual program. This is the point where BOClean does its thing. It's the ultimate second line of defense, as BOClean gets what got past your firewall and AV."

...

"BOClean will run in the background automatically, monitoring your system for anything which attempts to startup and run which manages to slip past your antivirus file scanner. The reason why BOClean does not do "file scans" is that most backdoor trojan horses elude file scanning entirely. The majority of "backdoor compromises" involve FAMILIAR trojans which have been "encrypted," "repacked," "patched," "hex edited" or otherwise modified to obscure them from "pattern matches." This is HOW they sneak by antiviruses. File scanning IS the province of antivirus software and we consider it ineffective in the "real world." BOClean does not waste time duplicating a system wide file scan which is what your antivirus is expected to do, and already has done."

...

"Since BOClean utilizes a highly unique method of detection, variants are already covered by BOClean even if new techniques surface to hide them in the future from antivirus programs such as McAfee, Norton, and other antivirus software which are not designed to deal with remote control trojan horse programs ..."

...

"Most "modern" trojans will disable either your antivirus or firewall, or sometimes both. Not BOClean."



2. Previous Reports & Test Procedure


This is our first public BOClean report. BOClean follows a unique concept since it does not support file scanning. It is a sleek, small and easy-to-use resident memory scanner which tries to catch trojans when they are started or while they are running.

Therefore, our standard test procedure (see here) had to be modified. We believe that there is only one good way to test the effectiveness of BOClean: self-infection. You have to act like a madman and double-click on every malware sample in your test archive. And that's exactly what we did ... let's see whether we managed to compromise our test systems.



3. Version & Configuration


Our tests were performed with signature databases dated 22 Jan, 7 Feb and 28 Feb 2004.

4. Summary Report

-- BOClean 4.11.01 --

Category                     Performance
----------------------------------------
ORG (custom config)          see below
ORG (default config)         see below
ORG DLLs                     see below
BytesAdded                   ( + )
DoublePacked                 ( + )
HeaderFaked                  ( + )
Hexedited (strings only)     ( - )
OEP (manipulated)            ( + )
Patched (code section)       easily vulnerable
Rebased                      ( o )
RePacked                     ( + )
Resource (modified)          ( + )
UnPacked                     ( + )
Variants                     ( - )
www                          not tested
ACProtect                    ( + ) ?
Armadillo                    ( + )
ASPack                       ( + )
ASProtect                    ( + )
Crunch                       ( + )
DBPE (Ding Boy)              ( + )
ExeShield                    ( + )
ExeStealth                   ( + )
EZIP                         ( + )
FSG                          ( + )
JDPack                       ( + )
Krypton                      ( + )
Morphine                     ( + )
Netwalker                    ( + )
PC Guard                     ( + )
PE Compact                   ( + )
PE Crypt                     ( + )
PE Encrypt                   ( + )
PELock                       ( + )
PE Shield                    ( + )
Petite                       ( + )
PeX                          ( + )
PKLite32                     ( + )
tElock                       ( + )
UPX                          ( + )
WinKripT                     ( + )
WWPack32                     ( + )
Yoda                         ( + )
JDProtect                    ( + )
Obsidium                     ( o ) ?
Peetles                      ( + )
SVK Protect                  ( o ) ?
Thinstall                    ( + )
UltraProtect                 ( + )
XtremeProtector              ( - )
TOTAL                        n.a. (mem scanner)

( - ) : bad performance
( o ) : average performance
( + ) : good performance
  ?   : result not fully reliable, see section 5 e)



5. Findings


a) Overall performance

BOClean was able to detect, terminate and delete most malware samples contained in our test archive, no matter whether they were compressed/encrypted or not. Even Armadillo CopyMem-II protected samples were easily detected. This is the major advantage of a decent memory scanner: it provides "added value" to the user because even the best file scanners cannot handle each and every compressor, crypter or commercial protector. For instance, comparative scans of the BOClean test set with Ewido Security Suite 1.0, Kaspersky AntiVirus 4.5 and NOD32 Version 2 (with and without Advanced Heuristics) resulted in detection rates between 21% and 79%.

ORG Sections:

The following malware samples were not reliably detected by BOClean: Asylum 0.13, Insurrection 1.0, Optix Killer 3, Optix Lite FWB, Silent Spy 2.10.
Due to a weak signature only DC.Oblivion but not CC.Oblivion could be detected.

In addition, several Beast 1.9x trojans were detected but could not be entirely deleted. After a reboot they showed up again (and got terminated again by BOClean). According to the developer this can be expected to change with the upcoming BOClean version 4.12.

Variants Section:

Several variants including Beast 2.00e and 2.01c were not detected.


b) Detection speed

Usually, BOClean examines every application at the moment it is started. If BOClean recognizes it as malware, the application is terminated immediately (i.e., the trojan will generally be unable to do any harm).

However, sometimes BOClean is not quick enough and the malware slips through. In that case BOClean tries to detect and terminate the malicious program while it is running in memory. This does not work if the malware hides itself by a technique called "process cloaking". For example, we occasionally managed to start a Hacker Defender 1.00 rootkit. Once the rootkit had been installed, BOClean could not detect it anymore.

c) Termination protection

It was easily possible to terminate BOClean with the help of a malicious AV/AT/FW killer called Optix Killer 3 (configuration settings: kill "bocsec.exe" & "boclean.exe"). BOClean was neither able to detect this well-known tool nor able to protect itself in an efficient manner. Sometimes marketing and reality seem to be two different things ...

(Note: We do not consider termination protection a mandatory requirement. An experienced hacker will be reluctant to terminate an AV/AT scanner since this will alert the victim sooner or later. Also keep in mind that there are far more dangerous attacks available like stealthy DLL injections, code injections etc. You will need a kernel-mode system firewall if you want to reliably protect your system from injection or termination attacks.)

d) Cleaning w/o reboot?

Occasionally, we experienced a situation where BOClean asked us to reboot the computer although the documentation says: "No trojans we're aware of as of this writing are so severe as to require this drastic a step, but provisions have been made should it become necessary in the future." In principle, BOClean suggests rebooting the computer every time it is unable to delete an infected file. (This does not make sense if a trojan is started from a CD or an .iso image.)

With respect to the Beast 2.05 DLL reverse trojan we experienced a sudden (forced) reboot of the system, which could lead to data loss. The forced reboot occurred because BOClean terminated the system process winlogon.exe instead of unloading the trojan DLL which had been injected into this process. (Sometimes BOClean was quick enough and managed to terminate the Beast injector before the winlogon process could be compromised; in that case no forced reboot occurred.) According to the developer this issue will be addressed by the upcoming version 4.12.

With respect to Anal FTP, BOClean identified a "Rooter": Windows explorer was terminated and restarted in order to get rid of the trojan. Occasionally, this did not work and the system went into an infinite loop: explorer.exe was terminated and restarted over and over again.

e) Problems /w AC Protect, Obsidium, SVK Protect & Xtreme Protector

BOClean may have a minor problem in detecting samples which are protected with certain versions of ACProtect. The situation is not entirely clear. We performed tests with many different versions of this commercial protector. Sometimes our ACProtect-protected malware samples were detected, sometimes not, and sometimes BOClean detected them quite a while after they were started. In summary, detection was not 100% reliable. The detection rate was best when we shut down BOClean and restarted it while the malware was already running in memory. Please note, however, that the non-detected samples were protected with a trial version of ACProtect which displays a nag screen each time the trojan server is started. Possibly the nag screen itself prevents BOClean from detecting a sample. In summary, the situation is a little bit strange, but we do not believe that there is a material risk with respect to malware which is treated with this commercial protector. (A hacker will not use a trial version of ACProtect which displays a nag screen.)

Similar problems occurred in respect of Obsidium and SVK Protect. Some samples were detected, some samples were not. Sometimes, even the restart of BOClean did not help to detect the samples. Therefore, we believe that the detection rate in respect of these two commercial protectors still needs to be improved.

Malware samples protected by Xtreme Protector could not be detected at all.

As of the date of this report we believe that Obsidium, SVK Protect and Xtreme Protector are not frequently used by attackers.


f) Problems with rebased malware.

BOClean is partly affected by the rebasing vulnerability (see here for further details). We understand that this issue will be addressed by the upcoming version 4.12.


g) General reliability

Sometimes we encountered a situation where a trojan was running and BOClean did not detect it for an extended period of time (several minutes). However, when we terminated the trojan and restarted it, we were frequently unable to reproduce the problem.

In many cases, it was helpful to shut down and restart BOClean.

In principle, the above "reliability issues" were limited to exceptional situations which are unlikely to happen "in the wild":

For example, we consider it extremely unlikely that the same trojan is started over and over again by the user: this cannot happen if the user allows BOClean to terminate the trojan or if the option "Force automatic cleanup and safety" is selected. (Such an option will generally prevent employees from arbitrarily infecting their employer's machine. Note, however, that a false positive could be fatal if this option is selected. We did not encounter any false positives during our tests.)

Virtually the same applies to a second scenario where a multitude of trojans was executed within a short time frame. We do not consider it likely that a user will receive a bundle of trojans being simultaneously started by a loader application.

Nevertheless, we would like to see BOClean automatically restart itself every few minutes, since this should increase the detection rate in respect of certain threats caused by commercial protectors (see above) and DLL trojans (see below). According to the developer, BOClean 4.12 will use a more sophisticated method in order to obviate the need for a restart. Moreover, BOClean can be expected to "recalibrate" more quickly in the future.


i) Module scanner

We are happy to confirm that BOClean does support module scanning. We injected several DLL trojans with the APM tool (from DiamondCS) or loaded them directly via the registry. BOClean detected a few of them: the following registry entry (shown in our screenshot) demonstrates that BOClean can detect a renamed MyDoom.A backdoor shomgopi.dll (original name: shimgapi.dll) which was loaded as an in-process server.

Windows Registry Editor Version 5.00

; The WebCheck CLSID keeps its friendly name ...
[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}]
@="WebCheck"

; ... but its in-process server is pointed at the renamed MyDoom.A DLL, so the
; DLL gets loaded into whichever process instantiates this COM object.
[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\System32\\shomgopi.dll"
"ThreadingModel"="Apartment"
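The registry entry above is the hook itself; what an administrator wants is a way to notice such hooks before the DLL is loaded. The following script is an added example written for this page, not part of the original report and not BOClean's code: it parses a .reg export (the sample embedded in the script is constructed and reuses the WebCheck entry above plus one made-up CLSID for contrast), extracts every InProcServer32 default value, flags DLLs that are not on an allowlist, and names the allowlisted DLL the suspicious basename most resembles. The allowlist (webcheck.dll, shdocvw.dll, shell32.dll, shimgvw.dll, ole32.dll) is an assumption for illustration, not a complete inventory of legitimate in-process servers.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: a .reg export fragment with the hijacked WebCheck entry
# from the report plus one unremarkable entry (made-up CLSID) for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}]
@="WebCheck"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\System32\\shomgopi.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\WINDOWS\\System32\\shdocvw.dll"
"ThreadingModel"="Apartment"
"""

# Assumed allowlist of DLL basenames an administrator expects to see registered
# as in-process servers on this box (illustrative, not a complete Windows list).
ALLOWLIST = {"webcheck.dll", "shdocvw.dll", "shell32.dll", "shimgvw.dll", "ole32.dll"}

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32$", re.IGNORECASE)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"\s*$')


def parse_inproc_servers(reg_text: str) -> dict:
    """Map CLSID -> DLL path for every InProcServer32 default value in a .reg export."""
    servers, current = {}, None
    for line in reg_text.splitlines():
        key = KEY_RE.match(line)
        if key:
            # Only keys of the form ...\CLSID\{guid}\InProcServer32 are of interest
            m = CLSID_RE.search(key.group(1))
            current = m.group(1).upper() if m else None
            continue
        val = DEFAULT_VALUE_RE.match(line)
        if current and val:
            # .reg escapes backslashes and quotes; undo that to get the real path
            servers[current] = val.group(1).replace('\\"', '"').replace("\\\\", "\\")
    return servers


def closest_known(name: str, known) -> tuple:
    """Allowlisted basename that most resembles `name`, with a 0..1 similarity score.
    The score is an annotation for the analyst (look-alike names such as a renamed
    system DLL), not the detection decision itself."""
    best = max(known, key=lambda k: SequenceMatcher(None, name, k).ratio())
    return best, round(SequenceMatcher(None, name, best).ratio(), 2)


def audit(servers: dict, allowlist=ALLOWLIST) -> list:
    """Return one finding per in-process server whose DLL basename is not allowlisted."""
    findings = []
    for clsid, path in servers.items():
        basename = path.rsplit("\\", 1)[-1].lower()
        if basename in allowlist:
            continue
        lookalike, score = closest_known(basename, allowlist)
        findings.append({"clsid": clsid, "path": path, "basename": basename,
                         "reason": "not in allowlist",
                         "closest_known": lookalike, "similarity": score})
    return findings


if __name__ == "__main__":
    for f in audit(parse_inproc_servers(SAMPLE_REG)):
        print(f"{f['clsid']} -> {f['path']}: {f['reason']} "
              f"(closest known: {f['closest_known']}, similarity {f['similarity']})")
```

To use it on a real machine, feed it the output of `reg export HKCR\CLSID clsid.reg` instead of the embedded sample (reg.exe writes UTF-16, so open the file with `encoding="utf-16"`). The allowlist makes the decision; the similarity score only tells the analyst which legitimate name a suspicious DLL is trying to pass as.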




Moreover, BOClean was able to detect Beast 2.01b and 2.05 std. & rev. DLLs which were injected into Internet Explorer (with the help of a tool called APM). In order to clean the trojan, Internet Explorer had to be terminated.

In principle, BOClean will not detect a DLL trojan which is injected (with the help of an unknown injector) into a host application that is already running. This is because BOClean scans an application only once (i.e., when it is started). However, if you shut down and restart BOClean all running applications will be scanned again. We recommend to perform this "trick" from time to time. According to the developer this issue will be fixed in the next version of BOClean.

BOClean failed to detect Aphex FTP, Aphex Rootkit, Assasin 2, ColdFusion 1.08 & 1.10, Optix Pager, Optix Pro Cloaker DLL, Sinique and other DLLs. Based upon our similar experiences with Trojan Hunter in a recent non-public test, we assume that BOClean does not have enough signatures for trojan DLLs. (BOClean still has a chance to detect an unknown trojan DLL if it is injected with the help of a standard injector like Nuclear Inject.)

In addition, BOClean failed to detect many compressed DLL trojans. Our explanation is as follows: We believe that BOClean generally uses module file scanning (i.e., any loaded modules will be scanned with a file scanner instead of BOClean's memory scanner). We assume that the file scanner does not support unpacking and, therefore, is unable to detect compressed modules. Our conclusion might be considered astonishing because many people believe that BOClean does not support file scanning at all. However, we believe that our findings are backed by the following screenshot:


The screenshot shows two DLL trojans which were injected with the help of APM into a host application. BOClean fails to detect not only the compressed but also the uncompressed trojan DLL if (and only if) we prevent it from accessing the directory in which the trojan DLLs are located. The alert windows of a system firewall called Tiny Personal Firewall clearly illustrate that BOClean tries to get access to these files (before the detection of the trojan takes place). Therefore, we are of the opinion that BOClean does not generally support module memory scanning but merely basic module file scanning.

According to the developer BOClean indeed supports file scanning techniques. However, the developer claims that BOClean also supports module memory scanning (although this technique is not frequently used so far). We have not been able to verify these statements yet.

BOClean does not seem to have difficulties detecting DLLs which are relocated to an alternative ImageBase in memory. This is not surprising insofar as a module file scanner is used: the file on disk is unaffected by where the module ends up in memory.


j) Signature quality

Fasten your seatbelts. BOClean failed to detect many samples from our HEXEDITED section. The reason is that BOClean used only text strings (the trojan's name) as signatures for these samples. A text string containing the trojan's name is one of the weakest signatures you can possibly imagine: it is obvious, easy to guess and even easier to change.

On January 23, 2004 we contacted the developer and explained the problem. According to the developer's reply the weak signatures are to be replaced by stronger ones. (We understand that there are only about 50 trojans for which weak signatures were created.)

On February 28, 2004 we performed another test with the Roach 1.0 trojan. First, we loaded BOClean with signatures dated 7 February 2004. The following screenshot demonstrates that the vulnerability still existed at that date.

The first window shows BOClean running in memory. You can easily search for a trojan's signature with the help of a RAM editor since BOClean does not encrypt its signature database at all. This is a weakness per se: it amounts to an invitation to modify malware so that BOClean cannot detect it anymore.

We accepted this invitation. The second window shows the file structure of the modified Roach server. Since BOClean kindly informed us that it will search for the string "Roach" (the name of the trojan) at offset 4088F8 we replaced this string with "Ruuch". The third window shows the hexed Ruuch server while it is running in memory. (You can also watch the visible Ruuch server running on top of the first window.) BOClean does not detect it since it cannot find the string "Roach" at offset 4088F8.

Thereafter, we loaded BOClean with signatures dated February 28, 2004. Unfortunately, the vulnerability still existed. We are unable to say how many weak signatures BOClean continues to use. On March 1, 2004, the developer said that he has already replaced many weak signatures and continues to work hard in order to find the rest. The modified Ruuch server could be detected now. However, the new signature is a weak one again (i.e., a text string). At least it can't be easily guessed anymore.

In all fairness we would like to mention that BOClean uses some strong signatures as well, which make it more difficult to patch a trojan. Unfortunately, an experienced hacker can circumvent almost every signature once s/he knows it. Therefore, BOClean should protect them better. The vulnerability resulting from the non-encrypted signature database is mitigated to some extent by the fact that there is no BOClean trial version available. Moreover, we understand that the developer wants to change the format of the database so that it can be less easily deciphered.
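To make the two weaknesses discussed in sections f) and j) concrete, here is an added example (ours, not code from the report or from BOClean; all byte patterns are constructed, nothing is taken from Roach or from any real signature database). It builds a toy in-memory image consisting of a hand-assembled x86 stub that references the trojan's name string by absolute address, then evaluates three kinds of signature against the original, a hexedited copy (name patched, as in the Roach/Ruuch experiment) and a rebased copy (different ImageBase): the name string, a byte-exact code signature, and a code signature with the absolute-address bytes wildcarded. The RVA 0x88F8 mirrors the report's address 4088F8 under an assumed ImageBase of 0x400000.

```python
import re
import struct

# Constructed layout: the name string sits at this RVA, so that with the assumed
# ImageBase 0x400000 its virtual address is 0x4088F8, the address from the report.
NAME_RVA = 0x88F8
CODE_RVA = 0x1000


def build_image(name: bytes, image_base: int) -> bytes:
    """Toy image: an x86 stub that loads the name string's absolute address,
    followed (at NAME_RVA) by the string itself. Nothing here is real malware."""
    name_va = image_base + NAME_RVA
    # mov eax, imm32 ; push eax ; call rel32 ; ret   (hand-assembled x86)
    # Only the imm32 operand depends on the ImageBase; the call is relative.
    code = b"\xB8" + struct.pack("<I", name_va) + b"\x50\xE8\x10\x00\x00\x00\xC3"
    img = bytearray(NAME_RVA + 0x100)
    img[CODE_RVA:CODE_RVA + len(code)] = code
    img[NAME_RVA:NAME_RVA + len(name)] = name
    return bytes(img)


def string_signature(image: bytes, name: bytes) -> bool:
    """The weak kind the report found: the trojan's own name as a plain string."""
    return name in image


def exact_signature(image: bytes, pattern: bytes) -> bool:
    """Byte-exact code signature; fragile wherever it covers an absolute address."""
    return pattern in image


def masked_signature(image: bytes, pattern: bytes, mask: bytes) -> bool:
    """Code signature with don't-care bytes (mask byte 0), so relocated
    absolute addresses no longer matter. Built as a bytes regex."""
    assert len(pattern) == len(mask)
    regex = b"".join(re.escape(bytes([p])) if m else b"." for p, m in zip(pattern, mask))
    return re.search(regex, image, re.DOTALL) is not None


def run_demo() -> dict:
    """Evaluate all three signature kinds against original, hexedited and rebased samples."""
    original = build_image(b"Roach", 0x400000)
    hexedited = build_image(b"Ruuch", 0x400000)     # name patched, code untouched
    rebased = build_image(b"Roach", 0x10000000)      # ImageBase changed, name untouched
    # Signatures "extracted" from the original, as anyone with an unencrypted
    # signature database (or a RAM editor) could read them back out:
    exact = original[CODE_RVA:CODE_RVA + 12]
    mask = b"\x01" + b"\x00" * 4 + b"\x01" * 7        # blank the imm32 address bytes
    samples = {"original": original, "hexedited": hexedited, "rebased": rebased}
    return {
        "string": {k: string_signature(v, b"Roach") for k, v in samples.items()},
        "exact": {k: exact_signature(v, exact) for k, v in samples.items()},
        "masked": {k: masked_signature(v, exact, mask) for k, v in samples.items()},
    }


if __name__ == "__main__":
    for kind, res in run_demo().items():
        print(f"{kind:7s}", res)
```

The result reproduces what the report found empirically: the string signature survives rebasing but not a one-word rename; an exact code signature that happens to cover an absolute address survives the rename but not rebasing; only the masked code signature survives both. Masking is the minimum; keeping the signatures out of plaintext reach, as the report asks, is what stops an attacker from reading them out in the first place.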



6. Summary


Pro:

- Super-easy to use. Intuitive.

- Low on resources (uses about 3 megs of RAM, does not need much CPU-time).

- Resident memory scanner catches almost every compressed or encrypted trojan. Many modified variants were detected, too.

- Good support.

- No annual update charges.


Con:

- Used to use extremely weak signatures (--> could be easily outfoxed by hexediting). This may have changed now.

- Signature database not (yet) encrypted (--> facilitates the patching/hexediting of trojans).

- Moderate performance of module scanner (--> unable to detect many trojan DLLs).

- Forced reboots.

- Detection sometimes too slow (--> fatal in connection /w rootkits).

- Problems with certain commercial protectors.



Verdict: Recommended with (many) Reservations. *

Please note that we found it pretty difficult to decide whether BOClean deserves the award "Recommended with Reservations". Ultimately, we asked ourselves the question whether we would use it or not. We would. This is because BOClean's main competitors, Trojan Hunter and TDS-3, used to have problems as well: According to our last report series, Trojan Hunter's performance was affected by its extremely weak, non-encrypted signatures. To our knowledge this security issue has not been completely resolved yet. TDS-3 did and does not offer a real-time memory scanner (not to mention a real-time module scanner) and, moreover, an important part of its signature database has been cracked in the meantime. Ordinary AV scanners do not support memory scanning at all. Therefore, we believe that BOClean does provide "added value" despite the many issues we have found. Moreover, we would like to mention that the developer apparently tries hard to resolve the issues which came up during this test.



forge & ntl, 27 March 2004





* How do we rate AV/AT scanners?

Please note that this report does not purport to be an AV/AT review in the ordinary sense. In particular, we do not examine whether a scanner comes with a comprehensive signature database or not. Therefore, you are encouraged to have a look at ordinary AV/AT reviews as well.

Our ratings under the new test regime will show whether an AV/AT scanner is generally qualified to detect non-replicating malware (in particular trojans). A scanner which is not qualified to detect non-replicating malware may still be a good anti-virus scanner.

The following ratings are available:

Highly Recommended

This would be the perfect scanner ...

Recommended with Confidence

Only an outstanding scanner has a chance to get this award. As of the date of this report, we have not recommended any scanner with confidence.

Recommended with Reservations

Only those scanners which we actually recommend to use will get this award. Our reservations will be noted in the report.

Not Recommended

We do not recommend average scanners. Sometimes an average scanner may have certain features which will qualify it as a backup scanner. We will mention this in our report.

Definitely Not Recommended

This rating replaces our ... We do not want to get sued ;-)