Research: 80% of Carberp infected computers had antivirus software installed

Summary: Just how useful is antivirus software? According to a recently published study by security researcher Jim McKenney, 80% of Carberp-infected computers had antivirus software installed at the time of infection.

TOPICS: Security

Just how useful is antivirus software in general? According to a recently published study by security researcher Jim McKenney, 80% of Carberp-infected computers had antivirus software installed, which the Carberp malware had either disabled or crippled, leaving those users with a 'false feeling of security'.

The forensic investigation covered 603 computers located in Kansas, Missouri, Oklahoma and Nebraska, and the findings are striking. The majority of users relying on Symantec's Norton 360 had their protection either crippled or completely disabled, and the same held for users of AVG, Microsoft Security Essentials, McAfee, Avast, ESET, Sophos, Avira, Kaspersky and BitDefender.
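
The "installed but disabled" state the study describes is exactly what a defender should verify rather than infer from a green tray icon. The script below is an added example, not code from the article or from McKenney's study: it asks Windows Security Center which antivirus products are registered and whether each reports itself as enabled and current, then cross-checks that a matching service is actually running. It assumes a Windows client with the root/SecurityCenter2 WMI namespace (Vista and later client SKUs; the namespace is absent on Server) and PowerShell 3 or later. The decoding of the undocumented productState field follows the common community interpretation and is an assumption of this example, and the service-name patterns are illustrative guesses rather than a complete list.

```powershell
# Added example (not from the article or from McKenney's study): list the
# antivirus products registered with Windows Security Center, decode whether
# each claims to be enabled and current, and cross-check against the service
# control manager. Needs the root/SecurityCenter2 namespace (Windows Vista and
# later client SKUs; absent on Server) and PowerShell 3 or later.

function Get-AvStatus {
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' `
                                -ClassName 'AntiVirusProduct' -ErrorAction Stop
    foreach ($p in $products) {
        # productState is undocumented; the bit positions below are the widely
        # used community interpretation and are an assumption of this example:
        #   0x1000 set -> real-time protection on,   clear -> off
        #   0x0010 set -> signatures out of date,    clear -> current
        $state    = [uint32]$p.productState
        $enabled  = ($state -band 0x1000) -ne 0
        $outdated = ($state -band 0x0010) -ne 0
        $defs     = if ($outdated) { 'OUT OF DATE' } else { 'current' }

        [pscustomobject]@{
            Product     = $p.displayName
            State       = ('0x{0:X}' -f $state)
            Enabled     = $enabled
            Definitions = $defs
            ExePath     = $p.pathToSignedProductExe
            Timestamp   = $p.timestamp
        }
    }
}

# The product registration can outlive the product: malware that kills or
# unloads the AV engine leaves the Security Center entry behind. The name
# patterns are illustrative guesses, not a complete list of vendor services.
function Get-AvServiceStatus {
    param(
        [string[]]$NamePattern = @('*antivir*', '*norton*', '*symantec*', '*mcafee*',
                                   '*avast*', '*avg*', '*eset*', '*kaspersky*',
                                   '*sophos*', '*bitdefender*', '*msmpsvc*', '*windefend*')
    )
    Get-Service | Where-Object {
        $svc = $_
        @($NamePattern | Where-Object { $svc.Name -like $_ -or $svc.DisplayName -like $_ }).Count -gt 0
    } | Select-Object Name, DisplayName, Status, StartType
}

$av = @(Get-AvStatus)
$av | Format-Table -AutoSize
Get-AvServiceStatus | Format-Table -AutoSize

if ($av.Count -eq 0 -or @($av | Where-Object { -not $_.Enabled }).Count -gt 0) {
    Write-Warning 'No antivirus product reports itself as enabled; the tray icon is not evidence of protection.'
}
```

A product that shows Enabled = False, or that is listed by Security Center while no corresponding service is Running, matches the crippled configuration the study found. Note that a product entry with a stale Timestamp and a Stopped service is the more common symptom than a missing entry, which is why the two views are compared rather than trusting either alone.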

Are the findings of this study a trend or a fad? Sadly, the cybercriminals' ability to bypass antivirus protection is an emerging trend within the cybercrime ecosystem, rendering popular antivirus solutions completely useless.

This isn't the first study confirming that sophisticated crimeware releases completely bypass antivirus solutions, either by disabling them or by ensuring that the malicious binaries remain undetected even when executed on a host running an antivirus solution.

In 2009, Trusteer published an advisory measuring the in-the-wild effectiveness of antivirus solutions against the most widespread crimeware of the time, ZeuS. The advisory concluded that "The effectiveness of an up to date anti virus against Zeus is thus not 100%, not 90%, not even 50% - it’s just 23%." and reported that 55% of users infected with ZeuS were running an up-to-date antivirus solution.

Prevention is always better than the cure. Ensure that you're always running up-to-date third-party software and browser plugins, as on the majority of occasions cybercriminals will attempt to exploit outdated, already-patched vulnerabilities, alongside creative social engineering to get you to execute a malicious executable.



Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

24 comments
  • For years I've been saying Antivirus software is next to useless.

    Yet those "in the know" continue to champion it as an effective means of malware prevention.
    ye
    • Not arguing, but what do you recommend for Windows hardening?

      Please be specific.
      Rabid Howler Monkey
      • Nothing specific to Windows

        You would use the exact same techniques to harden Windows that you would use to harden OS X and Linux. So what would you recommend for OS X / Linux hardening? Take those and apply to Windows.
        toddbottom3
        • Search is your friend.....

          “So what would you recommend for OS X / Linux hardening?”

          Select your browser/search engine of choice and enter OS X hardening,
          next search Linux hardening, the world is now open to you.....
          RickLively
      • The highlights

        1. Keep up to date on patches.
        2. Do not run as a privileged user for day to day tasks.
        3. Keep the built in firewall enabled.
        4. When installing software know the source.

        Basically leave Windows in its default configuration. There are more advanced techniques but these are the basics which the average user can apply (because they're the default, save for four).
        ye
      • Windows hardening

        Where I work we use Deep Freeze on all our workstations. It does become a PITA when it is time to install system updates and such, but the computers have never been infected!
        Jaytmoon
        • RE: Windows hardening

          Toss in Anti-Executable and you've got something.
          Rabid Howler Monkey
  • Not a real big surprise

    AV in general has been basic protection from the older smaller stuff.
    The newest latest greatest relies more on SE and system hardening (had to dust that term off).
    rhonin
  • Disabled AV

    Malware installed in a limited account cannot disable or cripple an AV. Users can even lock the config of the AV by using a password. Most AVs these days can be password protected and cannot be modified or disabled unless the password is supplied, or unless the malware has gained root and knows where the password file of your AV is located and modifies that passwd file.

    I think the AV was disabled by this malware according to the above report, because they are using admin accounts. Also, if the said malware hides its supporting files using an API and injects itself to explorer.exe then a simple check in %userprofile%\Start Menu\Programs\Startup folder using a different account will still display the supporting files of this malware.

    Normal users depend on AV to clean malware; power users will build their own cure using a script to clean and remove any type of malware. Ye, being known to ZDNetters as a non-AV user, is obviously considered the latter.
    Martmarty
    • No, but ...

      Martmarty wrote:
      "Malware installed in a limited account cannot disable or cripple an AV."

      ... Carberp, if undetected by one's antivirus software, can still steal ones banking credentials. This is the point of the article: "the cybercriminals' ability to bypass antivirus protection is an emerging trend within the cybercrime ecosystem, rendering popular antivirus solutions completely useless".

      As for a "limited account" or a standard user account on Windows Vista or 7, a restricted account is not the default provided by Microsoft. And even if a user creates a restricted account for day-to-day use, banking trojans like Carberp and Zeus run just fine in such accounts. Least privilege, while necessary IMO, is no longer sufficient for today's malware.

      Finally, with regard to malware cleanup, many of the anti-virus companies provide malware removal tools that users can either download or receive from the vendor via email. As an example, here's a link to Symantec's Norton Power Eraser:

      http://security.symantec.com/nbrt/npe.aspx?lcid=1033

      Microsoft's Malicious Software Removal Tool (MSRT) is another well-known example.
      Rabid Howler Monkey
      • That's not quite correct

        “As for a "limited account" or a standard user account on Windows Vista or 7, a restricted account is not the default provided by Microsoft.”

        Yes, the default account in Windows Vista and 7 is a "restricted" (i.e. non-privileged) account. Until you elevate privileges through the UAC prompt the account does not contain an administrative SID, it only contains a standard user SID.

        This is unlike OS X where an administrative account has more privileges than a non-administrative account and can exercise some of these privileges without being prompted for a password. For example an administrative user can delete/modify files in the /Applications directory without being prompted for a password. A non-administrative user has no such rights.
        ye
        • ZDNet...will you PLEASE get some decent forum software?

          Now I can no longer use HTML tags? And I cannot edit my post? Seriously?
          ye
        • RE: That's not quite correct

          I use the word "restricted" to generalize a "limited" account on XP and a "standard" account on Vista/7. These accounts must be expressly created by a user or administrator and are distinct from the "default" account (which runs as the administrator on XP or at medium integrity level on Vista/7).

          The "default" account presents a user with a UAC prompt and does not require authentication in the form of an administrator password. Whereas a "standard" account does require authentication in the form of an administrator password. Here's what Microsoft has to say for Vista:

          http://windows.microsoft.com/en-US/windows-vista/What-is-a-standard-user-account

          http://windows.microsoft.com/en-US/windows-vista/Why-use-a-standard-user-account-instead-of-an-administrator-account

          It's noteworthy that most enterprises require their end users to run Vista/7 in a "standard" account. In addition, they disable the UAC prompt for the local administrator password (note that this is not the same as disabling UAC) as end users are not generally permitted to be the local administrators of their PCs.
          Rabid Howler Monkey
          • Again: An administrative account in Windows Vista and Windows 7...

            ...is a standard account until elevated through UAC. Until such time it has all the security restrictions a "restricted" (i.e. standard user) account has. It cannot do anything more than a standard user account until elevated through UAC.

            If you're using the password prompt to make the distinction, you can enable password prompting for an administrative account through group policy (non-home versions of Windows) or with a change in the registry (all versions).

            The preferred method is to run as a non-administrative account and provide administrative credentials when prompted.
            ye
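
The distinction drawn in the exchange above, that an Administrators-group member runs with a filtered, medium-integrity token until UAC elevates it, can be observed directly. The following is an added example, not code from any participant in this thread: a PowerShell function that reports whether the Administrators SID is present in the process token, whether it carries the deny-only attribute (the UAC-filtered case), the token's integrity label, whether .NET's role check treats the process as an administrator, and whether a write under %ProgramFiles% succeeds. Run it once in a normal PowerShell window and once in one started with "Run as administrator". It assumes Windows Vista or later with whoami.exe (shipped with the OS); the probe file name is an arbitrary choice.

```powershell
# Added example (not part of the discussion): show the difference between
# being a member of the Administrators group and holding an elevated token.
# Requires Windows Vista or later and whoami.exe, which ships with the OS.

function Get-TokenElevation {
    # whoami /groups lists every SID in the current token with its attributes;
    # in a UAC-filtered token BUILTIN\Administrators appears as "deny only".
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' }     # mandatory integrity label
    $level  = if ($label) { $label.'Group Name' } else { 'unknown' }

    # IsInRole honours the deny-only attribute, so it is false in a filtered token
    # even though the account is in the Administrators group.
    $identity       = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal      = New-Object Security.Principal.WindowsPrincipal($identity)
    $effectiveAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Behavioural probe: a medium-integrity token cannot create files under
    # Program Files regardless of group membership. 'uac-probe.txt' is arbitrary.
    $probe = Join-Path $env:ProgramFiles 'uac-probe.txt'
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force -ErrorAction Stop
        $canWriteProgramFiles = $true
    } catch {
        $canWriteProgramFiles = $false
    }

    [pscustomobject]@{
        User                 = $identity.Name
        AdminSidInToken      = [bool]$admins
        AdminSidDenyOnly     = [bool]($admins -and $admins.Attributes -match 'deny only')
        EffectiveAdmin       = $effectiveAdmin
        IntegrityLevel       = $level
        CanWriteProgramFiles = $canWriteProgramFiles
    }
}

Get-TokenElevation | Format-List
```

From a default (administrator-group) account in a normal window you should see AdminSidInToken = True, AdminSidDenyOnly = True, EffectiveAdmin = False, a Medium Mandatory Level label and CanWriteProgramFiles = False; after elevation through UAC the deny-only flag disappears, the label becomes High and the write succeeds. A true standard user shows AdminSidInToken = False, which is the one difference between the two account types that no UAC prompt can bridge without separate credentials.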
        • RE: That's not quite correct 2

          In addition, here's what Microsoft has to say about administrator accounts on Windows Vista:

          http://windows.microsoft.com/en-US/windows-vista/What-is-an-administrator-account

          The default account on Windows Vista (and 7), even though it runs at medium integrity level, is considered by Microsoft to be an administrator account. Again, Microsoft recommends setting up and using a "standard" account for day-to-day computing.
          Rabid Howler Monkey
          • This forum software SUCKS

            Jesus ZDNet...get some real forum software. I attempted to post and this is what I received:

            Your comment contains words or phrases associated with spam and will not appear on the site until it has been checked by a moderator.

            What a piece of crap this software is.
            ye
          • Easy question to answer: yes or no

            "is considered by Microsoft to be an administrator account."

            Do you consider all "administrator accounts" to be equal or are you willing to entertain the possibility that different OSs may have different settings for an account that is called "administrator"?

            Oh, you mean a word is just a word and only a simpleton would expect that the words mean EXACTLY the same thing in 2 different OSs? Right.

            No one is arguing that the default accounts are considered "administrator" accounts in desktop Windows. It is only too bad that certain people (you) are so ill-informed about how Windows works that they read "administrator" and without knowing a single thing about the OS, simply make up a definition based on 30 year old knowledge.

            Hey, it is okay if you haven't kept up to date with modern technology and modern OSs like Windows Vista and Windows 7. No one is forcing you beyond what is comfortable (30 year old definitions and concepts). I would think however that you would be ashamed to constantly prove that you haven't kept up but hey, that's just me. Go ahead, keep advertising how little you know. Don't mind the snickering. It isn't directed at you. Honest.

            Oh wait. It is.
            toddbottom3
          • You totally missed the point, as usual

            Microsoft recommends that Windows Vista (and 7) users not use the default account for their day-to-day computing. Most Vista and 7 users, save for those in enterprises with savvy Windows admins (not you), run in the default account.

            While the Windows Vista (and 7) default account is more secure than the Windows XP default account, Microsoft continues to recommend that Windows users create standard user accounts and run in them for their day-to-day computing.

            As for other OSs, they're simply not relevant because this article is about Windows, anti-virus software and Carberp, and Zeus are Windows malware. Carberp and Zeus are Windows banking trojans and banking trojans have yet to find their way to OS X, desktop Linux and desktop BSD. Deal with it.
            Rabid Howler Monkey
          • Just one more thing ...

            Here is a link to an article describing Zeus malware (ZitMo, Zeus in the Mobile) which has found its way to Android-based mobile devices:

            http://www.computerworld.com/s/article/9228236/Fake_Android_antivirus_app_likely_linked_to_Zeus_banking_Trojan_researchers_say

            Thus, *Nix is not immune to malware, even banking malware. And neither Windows nor Android are recommended any longer for online banking, unless they are dedicated devices.

            Don't try to turn this into an OS war as you always manage to do (at least you always try). And Android, while Linux, is not desktop Linux. Where do you think Apple got the idea for their online app stores? Desktop GNU/Linux repositories, of course. And Android could choose to learn something from GNU/Linux repositories as well.
            Rabid Howler Monkey
  • Misinformative

    Dancho just omitted the fact that the majority of infected PCs on which the pseudo-study was based were running the very outdated Windows XP *SP2*. No anti-virus will have defenses against a weak OS.

    Moreover, the "study" said that the "median lifespan of the infection for the computers was 243 days, or 8 months". It means abandoned computers or those of people who don't have any clue on what is running inside of the PC.

    My verdict: untruthful study, proving nothing.
    Rikkrdo