Drive-by Antivirus Test — Preparation / Part 1

[Image: VM VirtualBox from Oracle]

I’m going to perform a test of antivirus programs in drive-by mode. That means I will consider what I think is the most frequent way a home user gets malware: casual browsing on the internet. In my lab I will use a freshly installed system (not decided yet which one, most probably Windows XP, Windows 7 or Windows Vista) without updates, plus some buggy software from Adobe (Acrobat Reader, Flash) and Java, without the latest patches of course. I will use Internet Explorer 7 (standard for Windows Vista) as well as other popular browsers, but again not too new: Firefox 3.x, etc. Where do I get old versions of software? Old Applications for Windows is a good site. To stay safe in any case, I will use VM VirtualBox v3.2.8 from Oracle. VirtualBox is a general-purpose full virtualizer for x86 hardware. Targeted at server, desktop and embedded use, it is now the only professional-quality virtualization solution that is also Open Source Software, i.e. also free to use.

Where am I going to get infected web sites? Good question. I will use Malware Domain List (www.malwaredomainlist.com) for that purpose. [WARNING: All domains on this website should be considered dangerous. If you do not know what you are doing here, it is recommended you leave right away. This website is a resource for security professionals and enthusiasts.] No one wants to pay $1500 (!) for the Eleonore Exploits pack. But I see now that the current listing is full of Zeus v2 trojan variants!

IMPORTANT DRIVE-BY ANTIVIRUS TEST CONDITION

It is important to mention that I will check only the first protection barriers, because there are a few of them to identify:

1. web site blocking based on IP, from the list of known domains containing malware
2. detection of malicious scripts while browsing
3. detection of exploit code before a web browser triggers it
4. shell-code detection
5. detection of downloaded installer (based on virus signatures or heuristics analysis)

Given limited time, and because detecting an exploit payload that is already fully installed and functioning may take many man-hours, I will say an antivirus fails if it does not react by the 4th barrier.
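To make the layered pass/fail rule concrete, here is an added example (not code from the original post or from any antivirus product) that models three of the barriers above as simple checks: a domain blocklist lookup (barrier 1), a crude heuristic score for obfuscated in-page script (barrier 2) and a hash signature match on a downloaded installer (barrier 5). The blocklist format, the heuristic indicators and thresholds, the sample page and the "signature" digest are all constructed assumptions for illustration; real products use far richer logic, but the ordering of the checks is the same idea the test applies.

```python
"""Layered drive-by detection model: which protection barrier would fire?

Added example, not from the original post. Models barriers 1, 2 and 5 of the
test plan with deliberately simple checks. The blocklist format, thresholds,
sample inputs and "signature" database are constructed assumptions.
"""
import hashlib
import re
from urllib.parse import urlsplit

# Barrier 1: constructed blocklist in a hosts-like format (one domain per
# line, '#' starts a comment). The domains are placeholders, not real IoCs.
BLOCKLIST_TEXT = """
# constructed sample, not a real feed
bad-example.invalid
malware.test
"""


def load_blocklist(text):
    """Parse a domain-per-line blocklist into a set of lowercase domains."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            domains.add(line)
    return domains


def url_blocked(url, blocklist):
    """True if the URL's host, or any parent domain of it, is on the list."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


# Barrier 2: crude heuristics for obfuscated script of the kind exploit kits
# inject. Indicators and weights are assumptions chosen for this example.
HEX_ESCAPE = re.compile(r"(?:\\x[0-9a-fA-F]{2}|%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}){8,}")
SUSPICIOUS_CALLS = ("eval(", "unescape(", "document.write(", "fromCharCode(")
HIDDEN_IFRAME = re.compile(r"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?0\b", re.I)


def script_score(html):
    """Count suspicious indicators in <script> blocks and hidden iframes."""
    score = 0
    for script in re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I):
        score += sum(script.count(call) for call in SUSPICIOUS_CALLS)
        score += 2 * len(HEX_ESCAPE.findall(script))  # long escape runs
    if HIDDEN_IFRAME.search(html):
        score += 2
    return score


# Barrier 5: signature match on the downloaded installer. The "database" is
# one constructed SHA-256 digest, not a real malware hash.
def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


SAMPLE_INSTALLER = b"MZ" + b"constructed-sample-installer-bytes"  # constructed
SIGNATURES = {sha256_hex(SAMPLE_INSTALLER)}


def installer_known(data, signatures=SIGNATURES):
    """True if the file's digest is in the signature set."""
    return sha256_hex(data) in signatures


def first_barrier_hit(url, html, download=None, blocklist=None, threshold=4):
    """Return the number of the first modelled barrier (1, 2 or 5) that
    reacts, or None if none of them fires. Barriers 3 and 4 (exploit and
    shellcode detection) are not modelled here."""
    if blocklist is None:
        blocklist = load_blocklist(BLOCKLIST_TEXT)
    if url_blocked(url, blocklist):
        return 1
    if script_score(html) >= threshold:
        return 2
    if download is not None and installer_known(download):
        return 5
    return None


if __name__ == "__main__":
    # Constructed landing page: an escaped blob fed to unescape() and eval().
    page = ('<html><script>var s=unescape("%u4141%u4141%u4141%u4141'
            '%u4141%u4141%u4141%u4141");eval(s);</script></html>')
    print("clean site, obfuscated script ->", first_barrier_hit("http://good.example/", page))
    print("listed site ->", first_barrier_hit("http://www.bad-example.invalid/x", "<html></html>"))
```

Under the post's rule, a product that lets a sample pass through barriers 1 to 4 and only catches the dropped installer at barrier 5 would count as a fail, which is exactly what `first_barrier_hit` returning `5` represents here.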

Link to part 2

[Image: Exploit blocked by Avast 5]
