This blog post is a follow-up post on our quarterly Online Banking Certification project.
During our Q3 tests, especially the Botnet test, we witnessed many problems with the Internet Security Suites, and in this blog post we share our experiences regarding these problems. The Botnet test assesses the remediation capabilities of Internet Security Suites. First, we infect a clean, unprotected system with a common banking trojan (e.g. Zeus, Citadel, SpyEye), and only then do we install the Internet Security Suite. Because the botnet C&C is fully operated by MRG Effitas, we can verify the information-stealing capabilities of the banking trojans with 100% certainty: we navigate to an online banking site, log in, and check the malware C&C panel for the extracted credentials. The C&C server is firewalled, so that only our lab can connect to it.
During the test, we witnessed the following problems.
Botnet files not detected
In our test we use rather old samples (we will improve this in our next test), and yet some of the Internet Security Suites (ISS) are not capable of detecting the banking trojans. For example, some vendors do not run a mandatory quick scan during or after installation, nor do they schedule any quick scans. This is a really bad practice.
Some vendors failed to protect the user in the first test run, but did protect the user in subsequent runs. During the first run, the protected browser usually crashed and was restarted automatically. We believe this was caused by key components not being loaded into the browser consistently. This problem can result in stolen banking credentials.
Missing alert during initial scan
Some vendors detected the banking trojans during the security product installation, but failed to warn the user about the detected and removed threat. Only the detailed AV log revealed the threat detection and removal. For any malware, it is important to notify the user of what has been detected, so the user can take precautionary measures (e.g. change passwords, notify the bank, etc.). In the case of a banking trojan in particular, informing the user of what was found on the computer is mandatory. We also believe that some high-level instructions should be displayed to the user, such as advising them to change passwords and to contact the financial institution (e.g. to replace credit cards, check transactions, etc.).
Missing log and alert
Some vendors detected the threat during the security product installation, but failed to warn the user about the detected and removed threat, and even failed to record the action in the detailed AV log. As detailed in the previous paragraph, it is important to notify users about detected and removed threats.
Missing mandatory reboot after remediation
Some vendors detected the banking trojan (SpyEye) on the disk and successfully removed it, but failed to detect the malware in memory. On top of that, these ISSs did not enforce (or even suggest) a reboot, so the malware stayed fully operational in memory until the next restart. Nowadays most people don't restart their systems very often, so the threat could stay in memory for weeks.
One vendor categorized SpyEye as Citadel. Although this is not a big issue, we believe proper categorization could help users. In another case, SpyEye was categorized as a low-risk threat. A banking trojan is anything but a low-risk threat.
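The "removed from disk, still running in memory" gap is something a host-side check can surface. The following is an added example, not MRG Effitas code and not part of any tested product: on Linux, the kernel appends " (deleted)" to the /proc/<pid>/exe link once a running process's image has been unlinked, and this script uses that marker (plus a plain existence check on the link target) to list such processes and decide whether a restart is required. The proc_root parameter, function names and the constructed inputs are my own assumptions; the Windows products in the test would need the equivalent check against their own process enumeration.

```python
import os
from dataclasses import dataclass
from typing import List, Optional

# Linux appends this to /proc/<pid>/exe once the image inode has been unlinked
DELETED_SUFFIX = " (deleted)"


@dataclass
class ResidentImage:
    pid: int
    exe: str
    reason: str


def _exe_target(proc_root: str, pid: str) -> Optional[str]:
    """Resolve /proc/<pid>/exe; None for kernel threads, exited or foreign-user processes."""
    try:
        return os.readlink(os.path.join(proc_root, pid, "exe"))
    except OSError:
        return None


def find_unlinked_but_running(proc_root: str = "/proc") -> List[ResidentImage]:
    """List processes whose executable image is gone from disk but still mapped in memory.

    Two signals are checked: the kernel's ' (deleted)' marker on the exe link, and a
    link target that no longer exists on the filesystem at all.
    proc_root is parameterised (assumption) so the walk can run over a constructed tree.
    """
    findings: List[ResidentImage] = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue  # skip /proc/self, /proc/sys and other non-process entries
        target = _exe_target(proc_root, entry)
        if target is None:
            continue
        if target.endswith(DELETED_SUFFIX):
            findings.append(ResidentImage(int(entry), target[: -len(DELETED_SUFFIX)],
                                          "image unlinked while process still running"))
        elif not os.path.exists(target):
            findings.append(ResidentImage(int(entry), target, "image path missing on disk"))
    return findings


def reboot_required(proc_root: str = "/proc") -> bool:
    """True when on-disk remediation left a live process behind, i.e. a restart is needed."""
    return bool(find_unlinked_but_running(proc_root))


if __name__ == "__main__":
    for f in find_unlinked_but_running():
        print(f"pid {f.pid}: {f.exe} ({f.reason})")
    print("reboot required" if reboot_required() else "no memory-resident remnants found")
```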
Fail to block
And last but not least, there was one product that detected the threats in all three cases and gave the user the option to block them. After clicking Block, we tested the password-stealing capability of the trojans, and all three were still able to steal the passwords from the browser. In this case the product gave the user a false sense of security: the user would have believed the browser was protected, although it was not.
These problems highlight a general weakness of Internet Security Suites. We believe these products should have been tested more thoroughly, either internally or by independent test companies. Vendors who want to test their product with MRG Effitas can find contact information at the following URL: https://www.mrg-effitas.com/contact/