contacts@security-ukraine.com
Original version

Cybercrime is growing rapidly, and now the crucial question is whether anti-spyware and anti-viruses are capable of protecting users' confidential information from programs, specially created for stealing it?

It is the efficiency of this protection that determines whether e-commerce and online financial transactions will thrive in future. In fact, their very existence could be put at risk by cybercrime.

Identity theft Internet makes online buyers more cautious and less active, security experts say. In other words, spyware harms consumers' trust to the Web.

For example, Webroot's report "State of Spyware" for Q3 2005 (http://www.webroot.com/resources/archive/pr/0511-SoSq3top10.html), states that the number of information-stealing programs is growing, and so is the threat for the Internet users.

Consumer Reports research for Q3 2005 shows that 86% of users have made at least one change in their online behavior in fear of losing information about their identities, 30% spend less time in the Internet, 53% ceased to provide their personal information in the Web, 25% don't buy online anymore and 29% of those who still buy, do it more rarely.

It is efficiency of data protection that we made the only criterion in our comparative study. Moreover, we tested how anti-spyware and anti-viruses perform against the most dangerous information-stealing software, i.e. the very kind of programs which cybercriminals use to steal confidential information.

The method we used for the testing is simple enough to apply. Even a user not very experienced in programming can do this testing himself - and the results will be the same.

Having studied the situation at the security software market for years, we came to the conclusion that it is necessary to perform our own testing of anti-spyware and make the results public. The reasons for doing so were the following:

1. Though various anti-spyware reviews constantly appear in the Internet, criteria of these testings vary, and so do methods of their results' evaluation. That is why top position in such lists doesn't guarantee that these products are the most efficient in protecting sensitive information from theft. For example, the basic criterion for most testings usually is the number of spyware signatures in a product's database. The problem is that there exist lots of products which signatures are not there - and sometimes will never be in any signature base. (These programs are described below in more detail.)
2. Even if during a test one program has detected and blocked 10 pieces of spyware out of 10, and another one has managed only 7 out of 10, it doesn't mean the first program will 100% protect users' private information.
   
   

   Most of experts consider spyware any program that transmits information from a user's PC to the third party without the user's knowledge or consent, whatever the information. There is no way of finding out what a piece of "spyware" detected during the test was: relatively innocuous code for gathering users' browsing habits - or extremely dangerous software created specially for identity theft or espionage.

3. It is criteria of evaluation that determine the result of some testings. Among these criteria can be programs' capability of closing popup ads, design of interface.
4. As any marketing specialist knows, the most widespread product is not always the best one. Much depends on advertising, particularly on the money spent on the product's promotion.

The aim of the testing was:

• To evaluate software which is supposed to protect critical information from stealing, using real efficiency of this protection as the main criterion. The testing simulates the situation when a computer is infested with the most dangerous kind of spyware - custom-made keyloggers, which cybercriminals use to steal information. Everybody can take source code of keylogging programs from the Internet and compile an entirely new "spy" which no product based on signature analysis will detect.
• To check efficiency of heuristic algorithms, which most anti-virus and anti-spyware vendors proclaim they apply for detecting spyware.

The grounds for developing our testing method were the following:

The number of publications about such kind of cybercrime as stealing confidential information by means of spy software and means of protection against them has skyrocketed in the last couple of years.

In the report "The proactive approach to data protection against modern spy software" (http://bezpeka.com/en/lib/antispy/anot2868.html) we already stressed that the type of programs called System Monitors (according to the classification from SpyAudit) are especially dangerous. To System Monitors belong such programs as keyloggers and more advanced keylogger-based programs, which can intercept not only keystrokes (in user mode and in kernel mode), but also capture text from application windows and clipboard contents, make screenshots, etc.

It is the very kind of software we call "spy programs"; we do not include here any kind of adware. The reason is that the consequences of a keylogger attack and those of a piece of adware are incommensurable.

System Monitors become more and more dangerous, becoming the main threat. It is confirmed by numerous articles, surveys by Webroot, Earthlink SpyAudit, documents of Anti-Spyware Coalition (http://www.antispywarecoalition.org) and other organizations which deal with this matter.

To read more about our classification of spy programs, see "The proactive approach to data protection against modern spy software"
(http://bezpeka.com/en/lib/antispy/anot2868.html).

Anti-Spyware Coalition recently released the document named Risk Model Description (http://www.antispywarecoalition.org/documents/RiskModelDescription.htm), based on behavioral patterns of a program. Among other risk factors, the following ones are considered "high risk": Replication behavior (mass-mailing, worming, or viral); Installation without users' explicit permission or knowledge, drive-by installation, use of a security exploit; storage and transmission of personally identifiable data without notice and consent. Moreover, a program's behavior is of high risk, if it disables security software and lowers security settings in the browser, application, or operating system. Anti-Spyware Coalition hopes that its classification will yield in development of anti-spyware products of higher quality.

How a user can really protect his PC against spy programs?

It is possible only by means of a combination of software products which consists of:

• Software Product #1 - this is a dedicated product focused on protection against information-stealing programs, based on heuristic mechanisms. It provides constant protection and does not use a signature base, which means it will protect against custom-made spy programs.
• Software Product #2 - this is anti-virus software product to protect against a wide range of adware and spyware; its signature base should be regularly updated.
• Software Product #3 - a personal firewall controlling access to the Internet from the personal computer on the basis of policies set by the user himself.

These products should be used together, because:

Antivirus product responds to the penetration of a keylogger-containing virus when the information has already been captured since the anti-virus base has not been enlarged by new information yet and correspondingly was not updated in the user's computer.

Personal Firewall asks too many questions - even a well-trained user can answer them incorrectly and ill-configure it. For example, some commercial monitoring programs use processes of program products with knowingly permitted access to the Internet (browsers, mail clients, etc.) As a rule the user must permit them accessing the Internet. And as the result: the information stolen, because the anti-virus program failed to prevent it, and will be sent to the Internet to the address preliminary specified by the hacker (or some other person).

And only the product of the first type works silently, asking the user no needless questions and performs its task constantly in the background.

But do all users install at least existing products to protect their computers? Not everybody, experts say. According to the survey by AOL and National Cyber Security Alliance (NCSA), 81% of PCs lacks at least one of the recommended means of defense, namely a firewall, an anti-virus product and an anti-spyware application. 56% of consumers' PCs have no antivirus at all or haven't updated it for more than a week. Misconfigured firewalls were found on 44% PCs. The same 44% have no anti-spyware product installed. (http://bezpeka.com/ru/news/2005/12/08/5221.html).

How efficient the existing anti-spyware applications are and whether a top-rated product will protect information against theft - these questions are of crucial importance now. The existing methods of testing most of the ratings are based on, do not take into account the very possibility of protection against programs, which are yet unknown to anti-spyware developers, particularly custom-made spyware. The most important criterion in such studies is usually the number of signatures in the signature database. This number means the number of variants of spyware which the product with this signature base can detect. Only programs from the signature base are recognized; all other spy programs will be running unnoticed and unstopped.

The problem is that there is good deal of people capable of creating something brand-new spy, which will not appear in any signature base. It takes about several days to write a simple keylogger, and even a novice in programming can manage it. Those who can't write a program himself can download source code from the Internet and change it a bit, making a new spy program.

The method of testing

Considering the points mentioned above, we applied different approach to comparative testing of spyware. On the one hand, it is so simple that one needn't be an expert to do this testing himself - and make sure the results are the same.

On the other hand, this method clearly shows whether popular anti-spyware products can really protect users' critical information from theft.

The testing was performed as follows:

1. Key Logger by Jerome Scott II (K1)
   http://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId
   =1645&lngWId=7
2. KeyLoggerMore_Sample (K2)
   http://www.codeguru.com/code/legacy/system/KeyLoggerMore_Sample.zip
3. try_wnd1 (K3)
   http://www.ladia.ru/cpp/appli/files/log.zip
4. KEYLOGGER (K4)
   http://www.delphifr.com/gma/Keyloggers
5. KEY LOGGER, ENREGISTREMENT CRYPTÉ + DÉCODEUR (K5)
   http://www.delphifr.com/code.aspx?id=12616
6. SIMPLE PETIT KEYLOGGER (K6)
   http://www.delphifr.com/code.aspx?id=12279
7. TOUCHES DE CLAVIER EN SIMULTANNÉ (HOOK) (K7)
   http://www.delphifr.com/code.aspx?id=12276
8. Best Free Keylogger (BFK) (K8)
   http://sourceforge.net/projects/bfk
9. Simple Python Keylogger for Windows (K9)
   http://sourceforge.net/projects/pykeylogger

Then we compiled source code of these keyloggers and got keyloggers which were used as test-spies for testing popular anti-spyware and anti-virus programs.

The testing was performed on computers with fully updated operating systems Windows XP Professional SP2 and Windows 2000 SP4, based on 32-bit Intel architecture.

For the testing we chose 22 world-known anti-spyware products which are included in most Internet ratings of this kind:

Product name	Version	Developer's URL	Developer
Ad-aware SE Pro	Build 1.06r1	http://www.lavasoft.de/	Lavasoft
AntiSpy	2.13	http://www.softvers.com/antispy/	Softvers
BPS Spyware Remover	9.2.0.9	http://www.bulletproofsoft.com/	Bullet Proof Soft, Inc.
CounterSpy	1.5.82	http://www.sunbelt-software.com/	Sunbelt Software
Maxion Spy Killer	5	http://www.maxionsoftware.com/	Maxion Software
McAfee Anti-Spyware	2.0.0.167	http://www.mcafeestore.com/	McAfee, Inc.
Microsoft AntiSpyware	1.0.701	http://www.microsoft.com/	Microsoft Corporation.
PestPatrol	5.0.2.3	http://pestpatrol.com/	Computer Associates International, Inc.
PrivacyKeyboard	7.1	http://www.bezpeka.biz/	Information Security Center Ltd
Spy Cleaner Gold	3.6	http://www.spycleaner-gold.com/	Topdownloads Networks
Spy Sweeper	4.5.7.756	http://www.webroot.com/	Webroot Software, Inc.
Spybot Search & Destroy	1.4	http://www.spybot.info/	Patrick M. Kolla / Safer Networking Limited.
SpyHunter	2.0.1086	http://www.enigmasoftwaregroup.com/	Enigma Software Group, Inc.
SpyRemover	2.46	http://www.itcompany.com/	InfoWorks Technology Company.
SpySubtrac	3.11	http://www.trendmicro.com/	Trend Micro Incorporated.
Spyware Be Gone	7	http://www.spywarebegone.com/	MicroSmarts LLC
Spyware Blaster	3.4	http://www.javacoolsoftware.info/	Javacool Software LLC.
Spyware Crusher	1.0.9	http://www.spywarecrusher.com/	Spyware Crusher
Spyware Doctor	3.2	http://www.pctools.com/spyware-doctor/	PC Tools.
Spyware Stormer	1.4.7	http://www.spywarestormer.com/	Spyware Stormer, Inc.
TrueWatch	1.2.0.0	http://www.truesuite.com/	Esaya, Inc.
XoftSpy	4.19	http://www.paretologic.com/products.aspx	ParetoLogic Inc.

We tested anti-viruses as well as anti-spyware, because most anti-virus vendors declare that their products fight spyware as well. That is why the separate test of anti-virus products was carried out - by means of the same test-spies.

For the testing we chose 22 world-known anti-virus products which appear in most Internet ratings (we used http://www.virustotal.com for our testing):

Product name	Developer's URL	Developer	Version	Update
AntiVir	http://www.hbedv.com/en/	H+BEDV (AntiVir)	6.33.0.70	12.23.2005
Avast	http://www.avast.com/	ALWIL (Avast! Antivirus)	4.6.695.0	12.22.2005
AVG	http://www.grisoft.com/	Grisoft (AVG)	718	12.23.2005
Avira	http://www.avira.com/	AVIRA (AVIRA Desktop)	6.33.0.70	12.23.2005
BitDefender	http://www.bitdefender.com/	Softwin (BitDefender)	7.2	12.23.2005
CAT-QuickHeal	http://www.quickheal.co.in/	Cat Computer Services (Quick Heal)	8	12.21.2005
ClamAV	http://www.clamwin.com/	ClamAV (ClamWin)	devel-20051108	12.19.2005
DrWeb	http://www.drweb.com/	Doctor Web, Ltd. (DrWeb)	4.33	12.23.2005
eTrust-Iris	http://www.ca.com/	Computer Associates (Iris, Vet)	7.1.194.0	12.23.2005
eTrust-Vet	http://www.ca.com/	Computer Associates (Iris, Vet)	12.4.1.0	12.23.2005
Fortinet	http://www.fortinet.com/	Fortinet (Fortinet)	2.54.0.0	12.23.2005
F-Prot	http://www.f-prot.com/	FRISK Software (F-Prot)	3.16c	12.22.2005
Ikarus	http://www.ikarus.at/	Ikarus Software (Ikarus)	0.2.59.0	12.23.2005
Kaspersky	http://www.kaspersky.com/	Kaspersky Lab (AVP)	4.0.2.24	12.23.2005
McAfee	http://www.mcafee.com/	McAfee (VirusScan)	4657	12.23.2005
NOD32v2	http://www.nod32.com/	Eset Software (NOD32)	1.1335	12.22.2005
Norman	http://www.norman.com/	Norman (Norman Antivirus)	5.70.10	12.23.2005
Panda	http://www.pandasoftware.com/	Panda Software (Panda Platinum)	8.02.00	12.22.2005
Sophos	http://www.sophos.com/	Sophos (SAV)	4.01.0	12.23.2005
Symantec	http://www.symantec.com/	Symantec (Norton Antivirus)	8	12.23.2005
TheHacker	http://www.hacksoft.com.pe/	Hacksoft (The Hacker)	5.9.1.060	12.21.2005
VBA32	http://www.anti-virus.by/	VirusBlokAda (VBA32)	3.10.5	12.22.2005

The results of the testing

The testing results for anti-spyware:

AntiSpy Product \Test Spy	K1	K2	K3	K4	K5	K6	K7	K8	K9
Ad-aware SE Pro	-	-	-	-	-	-	-	-	-
AntiSpy	-	-	-	-	-	-	-	-	-
BPS Spyware Remover	-	-	-	-	-	-	-	-	+
CounterSpy	-	-	-	-	-	-	-	-	-
Maxion Spy Killer	-	-	-	-	-	-	-	-	-
McAfee Anti-Spyware	-	-	-	-	-	-	-	+	-
Microsoft AntiSpyware	-	-	-	-	-	-	-	-	-
PestPatrol	-	-	-	-	-	-	-	-	-
PrivacyKeyboard	+	+	+	+	+	+	+	+	+
Spy Cleaner Gold	-	-	-	-	-	-	-	-	-
Spy Sweeper	-	-	-	-	-	-	-	+	-
Spybot Search & Destroy	-	-	-	-	-	-	-	-	-
SpyHunter	-	-	-	-	-	-	-	-	-
SpyRemover	-	-	-	-	-	-	-	-	-
SpySubtrac	-	-	-	-	-	-	-	+	-
Spyware Be Gone	-	-	-	-	-	-	-	-	-
Spyware Blaster	-	-	-	-	-	-	-	-	-
Spyware Crusher	-	-	-	-	-	-	-	-	-
Spyware Doctor	-	-	-	-	-	-	-	-	-
Spyware Stormer	-	-	-	-	-	-	-	-	-
TrueWatch	-	-	-	-	-	-	-	+	+
XoftSpy	-	-	-	-	-	-	-	-	-

The testing results for anti-viruses:

AntiVirus Product \ Test Spy	K1	K2	K3	K4	K5	K6	K7	K8	K9
AntiVir	no	no	no	Heuristic / Trojan. Keylogger	no	Heuristic /Trojan. Keylogger	no	no	no
Avast	no	no	no	no	no	no	no	no	no
AVG	no	no	no	no	no	no	no	no	no
Avira	no	no	no	Heuristic /Trojan. Keylogger	no	Heuristic /Trojan. Keylogger	no	no	no
BitDefender	no	no	no	no	no	no	no	Generic .Malware. SLM. 10535C5E	no
CAT-QuickHeal	no	no	no	Monitor. KeyLogger. i (Not a Virus)	no	no	no	Monitor. BFK. 11 (Not a Virus)	no
ClamAV	no	no	no	no	no	no	no	no	no
DrWeb	Trojan .KeyLogger. 342	no	no	no	no	no	no	no	no
eTrust-Iris	no	no	no	no	no	no	no	no	no
eTrust-Vet	no	no	no	no	no	no	no	no	no
Fortinet	no	no	no	no	no	no	no	Keylog!tr	no
F-Prot	no	no	no	no	no	no	no	no	no
Ikarus	no	no	no	no	no	no	no	no	no
Kaspersky	no	no	no	not-a-virus: Monitor. Win32. KeyLogger.i	no	no	no	not-a-virus: Monitor. Win32. BFK.11	no
McAfee	no	no	no	no	no	no	no	Keylog.gen	no
NOD32v2	no	no	no	no	no	no	no	probably unknown NewHeur_PE virus	no
Norman	no	no	no	no	no	no	no	no	no
Panda	no	no	no	no	no	no	no	no	no
Sophos	no	no	no	no	no	no	no	no	no
Symantec	no	no	no	no	no	no	no	no	no
TheHacker	no	no	no	no	no	no	no	no	no
VBA32	Trojan. KeyLogger. 342	no	no	no	no	no	no	no	no

Summary table

The products' performance against custom-mage spy programs:

NN	Product	Spyware detected, %
1	PrivacyKeyboard	100,00
2	AntiVir Avira CAT-QuickHeal Kaspersky TrueWatch	22,22
3	BitDefender BPS Spyware Remover DrWeb Fortinet McAfee McAfee Anti-Spyware NOD32v2 Spy Sweeper SpySubtrac VBA32	11,11
4	Ad-aware SE Pro AntiSpy Avast AVG ClamAV CounterSpy eTrust-Iris eTrust-Vet F-Prot Ikarus Maxion Spy Killer Microsoft AntiSpyware Norman Panda PestPatrol Sophos Spy Cleaner Gold Spybot Search & Destroy SpyHunter SpyRemover Spyware Be Gone Spyware Blaster Spyware Crusher Spyware Doctor Spyware Stormer Symantec TheHacker XoftSpy	0,00

Key Findings

The results of the test surprised even the testers themselves, because:

• The test-spies were made of the source code of keyloggers which are freely available from the Internet. Compiling such a spy requires only basic knowledge in programming; so many people are capable of making it.
• The testing results clearly showed that, generally, anti-viruses and anti-spyware cannot counteract stealing confidential information if information-stealing programs are included into viruses. Unfortunately, the number of them is constantly rising.

PrivacyKeyboard, product from Information Security Center Ltd. (http://www.security-ukraine.com), got the first place, which can be due to the fact that it doesn't apply signature analysis at all. This is a dedicated product for blocking information-stealing software programs and modules, both known and unknown. It is focused at preventing information capturing, so it overlooks adware and other not so dangerous but irritating programs.

The second place shared 5 programs, which managed to block 2 out of 9 test spies: TrueWatch (Esaya, Inc.), AntiVir (H+BEDV), Avira (AVIRA Desktop), CAT-QuickHeal (Cat Computer Services), Kaspersky Anti-Virus Personal Pro (Kaspersky Lab).

10 products which detected only 1 test-spy out of 10 got the third place.

Other 28 products detected none (!).

Everybody is welcome to do the same testing; we are sure the result will be similar. Source code of numerous keyloggers is available from the Internet, and compiling a custom-made test spy isn't too difficult even for a novice in programming. Everybody is welcome to check the accuracy of the testing with other test spies. It will be also very useful if somebody performs such a testing using computers with other operating systems and architecture.

Original version

Download PrivacyKeyboard soft from Elias Soft Download