OK, let’s prepare the test platform. As I explained in the part 1, I use Oracle VM VirtualBox (recently updated to version 3.2.10) as a host sandbox. This sandbox I can use as a virtual computer to install basically any operating system. For the drive-by antivirus test I choose Windows Vista Home Premium SP2 32-bit. The idea is to make my system vulnerable, so it could be poisoned. Therefore, I intentially do not install any updates. Additionally, I install Adobe Reader 8.1.1 and Java Runtime 220.127.116.11 — both have known security holes. At that point the test OS is finished and I create a copy of it, because once it is infected (I’m sure it will be), I will need a clean one.
Here’s more screenshots of preparation stages (click to enlarge):
The test will be run in steps. First I install an antivirus, update it, and test it against malicious websites. Once it is done, I delete the instance of the virtual machine, copy the clean one, run it, and install next antivirus. So it starts over again. I’m not sure now which exactly and how many antiviruses I will check. I know I will start with Avira.
Where do I get the malicious websites? There are few “popular” commercially available exploits packs:
Eleonore exploits pack
Phoenix exploit kit
YES Exploit kit
Siberia Exploits kit
Seo Sploit pack
Crimepack exploit system
What do they target? Each exploit pack contains a different set of “tools” aiming in general at Adobe Acrobat Reader, Flash, MS Office, Java and other stuff for masses.
As I’m not going to buy them (cost of each is half a thousand USD easily), I will trace the latest websites with the instances thru malwaredomainlist.com.
IMPORTANT DRIVE-BY ANTIVIRUS TEST CONDITION
Important to mention that I will check only the first protection barriers, because there are few of them to identify:
1. web site blocking based on IP, from the list of known domains containing malware
2. detection of malicious scripts while browsing
3. detection of exploit code before a web browser triggers it
4. shell-code detection
5. detection of downloaded installer (based on virus signatures or heuristics analysis)
Given limited time, as detection of sploit portion fully installed and functioning may take lots of man hours, I will say an antivirus fails if it does not react up to 4th barrier.