27 Protection Solutions Pitted against Data Stealers and Ransomware
Malware developers and cyber attackers do not sit in dark cellars launching attacks haphazardly. Rather, the perpetrators behind the attack groups are, in part, well-organized companies that continuously invest in the further development of their malware and direct the attacks. On the opposing side, among the security vendors, people are working just as feverishly on detecting and defending against the insidious attack techniques of the cybercriminals. But who has the upper hand in this race? Can the security vendors react quickly enough, and do they actually detect all methods of attack? This test, one of the series of Advanced Threat Protection tests, provides at least a significant partial answer. Yes: the security manufacturers deliver the performance customers can count on.
Data stealers, ransomware and many dangerous methods
In its May-June test, AV-TEST examined 27 products under laboratory conditions in its Advanced Threat Protection test. In doing so, the experts went far beyond the classic detection test, just as a protection solution itself does. In addition to basic detection, the products use sophisticated techniques for detection and defense, such as EDR (Endpoint Detection and Response). That is why an attack may still be fended off in later steps, even though detection did not trigger in the initial step.
The lab evaluated each of the 27 products for consumer users and corporate users in 10 special scenarios. In the May-June test under Windows 10, this amounted to 5 scenarios with data stealers and 5 with ransomware. But the lab does not simply go through the motions: the attackers utilize various attack techniques, which are introduced here.
The scenario illustrations further below indicate precisely which of the specified techniques are used with ransomware or with a data stealer for the attack in the lab.
Security software in an advanced test
Company security against ransomware and data stealers
Attack technique 1: Inline Execute-Assembly
In very simple terms, “Inline Execute-Assembly” abuses an otherwise innocuous Windows process to host a .NET runtime environment. A process is singled out, infected with malware code, and then launched. In addition, the Antimalware Scan Interface (AMSI), the scan API provided by Microsoft and used by antivirus solutions, is circumvented with an AMSI bypass. Furthermore, Event Tracing for Windows (ETW) is disabled so that the process's activity can no longer be traced. Once all of that succeeds, the malware has free rein. A good security solution can still prevent further damage, however, such as the siphoning off or encryption of data.
Attack technique 2: SetWindowsHookEx DLL Injection
DLL injection is used by attackers to elude discovery. It involves executing malware code in the context of another, legitimate Windows process. There are various options for achieving this. A somewhat unobtrusive technique is installing a system-wide hook (via SetWindowsHookEx) whose hook procedure resides in a malicious DLL. Every process that receives the hooked event then loads the malicious DLL, which enables the attacker to execute their own code within the affected process. In our examples, this is used to carry out information theft or launch ransomware in explorer.exe.
Attack technique 3: Mavinject LOLBin
The "Microsoft Application Virtualization Injector" (mavinject.exe) is a Microsoft utility that ships as standard with newer versions (updates) of Windows. It can be used to inject DLLs into other processes. Because this binary is a legitimate, digitally signed Windows application, process injections performed through it are less conspicuous than other techniques. In our examples, this is used to carry out information theft or launch ransomware in explorer.exe or in a newly launched notepad.exe.
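Detection logic a defender could run over process-creation telemetry to surface exactly this use of mavinject.exe, added here as an example that is not part of the AV-TEST article or of any tested product: the event shape, field names and sample events are constructed assumptions, while the `/INJECTRUNNING` syntax is Microsoft's documented one.

```python
import re

# Constructed process-creation events; the field names are assumptions
# for this example, not a real EDR schema.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "cmdline": "explorer.exe"},
    {"pid": 5312, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Users\alice\Downloads\invoice.exe",
     "cmdline": "notepad.exe"},
    {"pid": 5320, "image": r"C:\Windows\System32\mavinject.exe",
     "parent_image": r"C:\Users\alice\Downloads\invoice.exe",
     "cmdline": r"mavinject.exe 5312 /INJECTRUNNING C:\Users\alice\AppData\Local\Temp\upd.dll"},
    {"pid": 6000, "image": r"C:\Windows\System32\mavinject.exe",
     "parent_image": r"C:\Users\alice\Downloads\invoice.exe",
     "cmdline": r"mavinject.exe 4120 /INJECTRUNNING C:\Users\alice\AppData\Local\Temp\upd.dll"},
    {"pid": 6100, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c echo INJECTRUNNING"},
]

# Documented syntax: mavinject.exe <target PID> /INJECTRUNNING <DLL path>
INJECT_RE = re.compile(
    r'^\s*"?(?:.*\\)?mavinject(?:\.exe)?"?\s+(\d+)\s+/INJECTRUNNING\s+"?(.+?)"?\s*$',
    re.IGNORECASE,
)

def find_mavinject_injections(events):
    """One alert per mavinject.exe launch that requests an injection."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        # Key on the image path, not on keywords in the command line,
        # so the decoy cmd.exe event (pid 6100) is not flagged.
        if not e["image"].lower().endswith("\\mavinject.exe"):
            continue
        m = INJECT_RE.match(e["cmdline"])
        if not m:
            continue
        target_pid = int(m.group(1))
        target = by_pid.get(target_pid)
        alerts.append({
            "mavinject_pid": e["pid"], "parent_image": e["parent_image"],
            "target_pid": target_pid,
            "target_image": target["image"] if target else None,
            "dll": m.group(2), "mitre": "T1218.013",  # Mavinject sub-technique
        })
    return alerts
```

Outside App-V deployments, mavinject.exe is rarely launched at all, so each alert is worth triage; the parent image and target process tell an analyst whether it was a freshly downloaded executable injecting into explorer.exe or notepad.exe, as in the scenarios above.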
Attack technique 4: Binary Padding
Attackers use a technique known as binary padding to alter the malware. It inflates the file with junk data to deceive the malware scanner. Sometimes the file is padded so heavily that the file size is too large for many scanners. Because the content changes continuously, the malware also has constantly changing hash values, so it is not detected by hash-based block lists and static antivirus signatures either. In our attack scenarios, a DLL file is written to the hard drive and padded with a conspicuous number of zero bytes (30 to 60 MB) before it is used in further steps.
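A defender-side check for this kind of padding, added here as an example and not taken from the article or any tested product: it measures the run of trailing zero bytes without loading the whole file, and the 1 MiB threshold and the constructed sample file are assumptions.

```python
import os
import tempfile

CHUNK = 1024 * 1024
# Threshold is an assumption for this example, not an AV-TEST criterion:
# a run of at least 1 MiB of trailing zeros is treated as padding.
MIN_PAD_BYTES = 1024 * 1024

def trailing_zero_run(path):
    """Length of the run of 0x00 bytes at the end of the file.
    Reads backwards in chunks so a 60 MB padded DLL is never loaded whole."""
    pos = os.path.getsize(path)
    run = 0
    with open(path, "rb") as f:
        while pos > 0:
            step = min(CHUNK, pos)
            pos -= step
            f.seek(pos)
            chunk = f.read(step)
            stripped = chunk.rstrip(b"\x00")
            run += len(chunk) - len(stripped)
            if stripped:        # a non-zero byte ended the run
                break
    return run

def padding_report(path):
    """Summarize how much of the file is trailing zero padding."""
    size = os.path.getsize(path)
    run = trailing_zero_run(path)
    return {"size": size, "trailing_zeros": run,
            "zero_fraction": run / size if size else 0.0,
            "suspicious": run >= MIN_PAD_BYTES}

def check_constructed_sample(pad_bytes):
    """Write a constructed stand-in for a padded DLL (a 512-byte fake 'MZ'
    header followed by pad_bytes of zeros), report on it, then delete it."""
    fd, path = tempfile.mkstemp(suffix=".dll")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"MZ" + b"\x90" * 510)
            remaining = pad_bytes
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(b"\x00" * n)
                remaining -= n
        return padding_report(path)
    finally:
        os.remove(path)
```

Because the zero padding changes the hash but not the code that precedes it, a scanner that hashes only the bytes before the trailing run (or a YARA rule with a file-size limit) keeps matching the unpadded payload; this check is a cheap triage signal for newly written DLLs rather than a replacement for that.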
The 10 test scenarios
All attack scenarios are documented according to the standard of the MITRE ATT&CK database. The individual sub-techniques, for example "T1566.001", are listed in the MITRE database under "Techniques", here as "Phishing: Spearphishing Attachment". Each test step is thus defined in terms experts share and can be followed logically. In addition, all attack techniques are explained, along with how successful the malware is.
How data stealers and ransomware work
In the Advanced Threat Protection test, the lab proceeds exactly as in an actual attack: via a spearphishing e-mail, the attackers land on the Windows system. Either the protection systems detect the attacker immediately or as soon as it starts running; if so, the attack is already thwarted. In the results chart, this is confirmed with a green field under "Initial Access" or under "Execution". If this does not occur, the attackers go to work: the data stealers gather information on existing data in order to "exfiltrate" it to a C2 server afterwards. The ransomware also collects information, but generally only sends a file list to the C2 server. Afterwards, the encryption of the data begins. As soon as everything is encrypted, a text file is displayed on the screen to initiate the blackmailing of the user.
A special feature of this test: the lab awarded points for detecting significant attack steps, up to 4 points for every data stealer and up to 3 points for every ransomware. Thus, the best possible protection score in this test was 35 points (5 x 4 points + 5 x 3 points).
For a more detailed explanation of the evaluation tables and the individual color codes in the traffic light system, see also the article “Test and Study: Do Security Solutions stop Current Ransomware under Windows 11?”.
Advanced protection for consumer users
The 12 products in the Advanced Threat Protection test came from AhnLab, Avast, AVG, Avira, Bitdefender, F-Secure, Kaspersky, Malwarebytes, McAfee, Microsoft, Microworld and PC Matic.
Nearly all protection packages for consumer users yielded a perfect result in the advanced test against data stealers and ransomware, achieving the maximum 35 points in the protection score.
Only Avira had to concede to ransomware in one out of 10 scenarios. The protection tool did not detect it upon arrival in the system, nor when it executed. The result was encryption of the entire system and the display of the ransom note on the screen. Thus, Avira only received 32 out of 35 points.
All products for consumer users received the "Advanced Certified" certificate, as each achieved at least 75% of the 35-point protection score (i.e. 26.3 points).
Advanced protection for corporate users
The 15 security solutions for corporate users came from Acronis, AhnLab, Avast, Bitdefender (with 2 versions), Check Point, Kaspersky (with 2 versions), Malwarebytes, Microsoft, Seqrite, Symantec, VMware, WithSecure and Xcitium.
The result for the products created a minor sensation: All the products passed the tests error-free in the 10 attack scenarios with the data stealers and the ransomware!
Thus, all the products received not only the maximum 35 points for their protection score but also the certificate "Advanced Approved Endpoint Protection". The only exception is Acronis: the product passed the test error-free, but AV-TEST only certifies products that also achieve certification in the regular monthly tests by fulfilling all of their criteria.
Reliable protection products – also against new attack techniques
The attackers allow a protection solution no margin for error. But even when the methods of attack are devious and the malware brand new, the products in this test were not caught off guard. On the contrary, they quashed every attack in the entire test, with a single exception.
Bottom line: 26 out of 27 products in the Advanced Threat Protection test in May-June 2023 finished with the maximum of 35 points in the protection score. That is actually a small "wow" outcome that you can't always anticipate in a test.