ATP Test: Defending Against Data Stealers and Ransomware
Tests in the lab at AV-TEST quickly show that although data stealers and ransomware always pursue the same end goal, they use very different approaches in their attempts to attack successfully. For each type of malware, a variety of attacking techniques can be identified. In the latest Advanced Threat Protection test, ten different malware samples attacked the test systems in ten real-life scenarios. In the process, the 22 security solutions for corporate users and consumer users were also required to identify the “self-signing of binary files”, “stolen signature identity”, and “misuse of the Microsoft Software Installer” techniques. The test results show that the security solutions examined are, as a rule, extremely well trained and are therefore able to recognize all attacking techniques and protect the access points under Windows.
When malware strikes a system, it uses a tactic of disguise, deception and attack. Based on this tactic, cyber gangsters have now developed and perfected a variety of different approaches to attacking Windows systems. Some of these special attacking techniques include self-signing binary files and using stolen signature identities. Another sneaky approach involves misusing the Microsoft Software Installer to execute malware. In the latest Advanced Threat Protection test, the experts in the laboratory ran ten real-life scenarios in which the test systems were attacked by five data stealer samples and five ransomware samples.
The 22 security products for corporate users and consumer users were set the task of demonstrating how well they could fend off the ten ransomware and data stealer samples in the test conducted in September and October 2023. For each attack, the lab awarded a maximum of 3 points for the threat prevention of the tested solutions, and the points were added together after all ten scenarios. In the test table, the highest value in the protection score was therefore 30 points. The test on company products examined the solutions by Acronis, AhnLab, Avast, Check Point, Kaspersky (with two versions), Malwarebytes, Microsoft, Seqrite, Symantec, WithSecure and VMware.
The security products examined for home users came from AhnLab, Avast, AVG, F-Secure, Kaspersky, Malwarebytes, McAfee, Microsoft, Norton and PC Matic.
22 security products for fending off sophisticated attacking techniques
All of the products tested were required to identify the attackers in the ten different scenarios. When launching their attacks, many of the ransomware and data stealer samples used the following additional techniques, which the protection programs were also expected to detect.
Self-signing of binary files
Developers normally use code signing for a binary file to provide a degree of authenticity: a valid signature indicates that the binary file has not been altered since it was signed. Although developers often self-sign builds in their own test environments, they do not distribute such builds further. Cyber attackers exploit the self-signing technique for their malware to make it seem more authentic at first glance, thus enabling them to potentially trick defense systems.
Stolen signature identity
Many applications and files produced by developers have valid and verifiable signatures. Attackers are well aware of this and attempt to exploit it for their malware: Cyber gangsters, for example, can copy the metadata and signature information of a signed program and use it as a template for their malware. Although files with invalid code signatures are caught out by digital signature checks, they may seem more legitimate to users, and security tools may well handle such files incorrectly.
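As an added illustration that is not part of the AV-TEST report, the following PowerShell script classifies the Authenticode state of executables in a folder so that a defender can spot the two cases described above: a self-signed binary (certificate issued to itself) and a copied signature whose hash no longer matches the file content. It relies only on the built-in Get-AuthenticodeSignature cmdlet; the scan folder is a placeholder.

```powershell
# Added example (not from the AV-TEST report). Requires Windows PowerShell 5.1 or PowerShell 7 on Windows.
$ScanPath = "$env:USERPROFILE\Downloads"   # placeholder: folder containing downloaded binaries

function Get-SignatureVerdict {
    param([Parameter(Mandatory)][string]$FilePath)

    $sig  = Get-AuthenticodeSignature -FilePath $FilePath
    $cert = $sig.SignerCertificate

    # Map the SignatureStatus enum onto the cases a defender cares about.
    $verdict = switch ($sig.Status.ToString()) {
        'Valid'        { 'trusted-signature' }
        'NotSigned'    { 'unsigned' }
        # A signature block is present but no longer matches the file content: the
        # "stolen signature identity" pattern, where signature data was copied onto other code.
        'HashMismatch' { 'signature-does-not-match-content' }
        # The chain ends in a root Windows does not trust; self-signed binaries typically land here.
        'UnknownError' { 'untrusted-chain' }
        'NotTrusted'   { 'untrusted-chain' }
        default        { "other:$($sig.Status)" }
    }

    # A self-signed certificate is its own issuer.
    $selfSigned = $false
    if ($cert) { $selfSigned = ($cert.Subject -eq $cert.Issuer) }

    [pscustomobject]@{
        Path          = $FilePath
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        Verdict       = $verdict
        SelfSigned    = $selfSigned
        Signer        = $(if ($cert) { $cert.Subject } else { $null })
        Thumbprint    = $(if ($cert) { $cert.Thumbprint } else { $null })
    }
}

# Report everything that is not a clean, trusted signature, plus any self-signed binary.
Get-ChildItem -Path $ScanPath -Include *.exe, *.dll, *.msi -Recurse -File |
    ForEach-Object { Get-SignatureVerdict -FilePath $_.FullName } |
    Where-Object { $_.Verdict -ne 'trusted-signature' -or $_.SelfSigned } |
    Sort-Object Verdict |
    Format-Table Verdict, SelfSigned, Signer, Path -AutoSize
```

A binary that reports "trusted-signature" but SelfSigned = True means a self-signed root was deliberately imported into the machine's trust store, which is itself worth investigating.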
Misuse of the Microsoft Software Installer
Msiexec.exe is the command line service program for the Windows Installer. It is usually tasked with launching installation packages (.msi) but can also execute DLL files. The tool is a trusted, signed system component. Against this background, attackers attempt to misuse msiexec.exe to execute malware. Application-monitoring solutions can be bypassed if they do not account for the potential misuse of msiexec.exe.
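As an added example not taken from the report, this PowerShell snippet runs a simple detection over process-creation records and flags msiexec.exe launches whose argument is a DLL rather than an .msi package, or whose parent process lives in a user-writable folder. The records are constructed Sysmon-style events; the field names and paths are assumptions.

```powershell
# Added example (not from the AV-TEST report). The events below are constructed, not real telemetry.
$events = @(
    [pscustomobject]@{ Time = '2023-09-12T09:14:01'; Image = 'C:\Windows\System32\msiexec.exe'
                       CommandLine = 'msiexec.exe /i "C:\Users\alice\Downloads\VendorSetup.msi" /qn'
                       ParentImage = 'C:\Windows\explorer.exe' }
    [pscustomobject]@{ Time = '2023-09-12T09:15:22'; Image = 'C:\Windows\System32\msiexec.exe'
                       CommandLine = 'msiexec.exe "C:\Users\alice\AppData\Local\Temp\update.dll"'
                       ParentImage = 'C:\Users\alice\AppData\Local\Temp\invoice_attachment.exe' }
    [pscustomobject]@{ Time = '2023-09-12T09:16:40'; Image = 'C:\Windows\System32\svchost.exe'
                       CommandLine = 'svchost.exe -k netsvcs'
                       ParentImage = 'C:\Windows\System32\services.exe' }
)

function Get-MsiexecFindings {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        # Only look at the Windows Installer service program itself.
        if ([IO.Path]::GetFileName($e.Image) -ne 'msiexec.exe') { continue }

        $reasons = @()
        # The argument names a DLL instead of an installation package: msiexec executing code
        # rather than installing a package is the misuse described above.
        if ($e.CommandLine -match '(?i)\.dll("|\s|$)') { $reasons += 'dll-payload' }
        # Parent started from a user-writable location (Temp, Downloads, AppData): typical for an
        # unpacked mail attachment, unusual for legitimate installers. Heuristic, tune per estate.
        if ($e.ParentImage -match '(?i)\\(Temp|Downloads|AppData)\\') { $reasons += 'user-writable-parent' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time        = $e.Time
                CommandLine = $e.CommandLine
                Parent      = $e.ParentImage
                Reasons     = ($reasons -join ', ')
            }
        }
    }
}

# On the constructed data only the second event is reported, with both reasons.
Get-MsiexecFindings -Events $events | Format-Table -AutoSize
```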
The sequence of an attack in the Advanced Threat Protection test usually follows this pattern: a spearphishing e-mail containing a malware attachment arrives on a Windows system. Here, the protection systems detect the attacker immediately or as soon as it starts running. In the results chart, this is confirmed with the green field under "Initial Access" or under "Execution", which indicates that the attack has already been thwarted.
If this does not occur, the attackers get to work: The data stealers gather information about the data present before exfiltrating it to a C2 server. Ransomware also collects information, but generally only sends a file list of all drives to the C2 server. Next, encryption and renaming of the data begins. Once this stage is complete, a text file is displayed on the desktop, informing the user about the attack and demanding ransom.
You can find a more detailed explanation of the evaluation charts and the individual color codes in the traffic light system in the article “Test and Study: Do Security Solutions stop Current Ransomware under Windows 11?”.
The 10 test scenarios
All attack scenarios are documented according to the standard of the MITRE ATT&CK database. The individual sub-techniques are listed in the MITRE database under “Techniques”, for example “T1566.001” under “Phishing: Spearphishing Attachment”. Each test step is thus defined in terms experts share and can be followed logically. In addition, all attack techniques are explained, along with how successful the malware is.
ATP product tests for consumer users
In the latest Advanced Threat Protection (ATP) test conducted in September and October 2023, ten security products demonstrated their defense capabilities when confronted with ransomware and data stealers. The packages came from the following vendors: AhnLab, Avast, AVG, F-Secure, Kaspersky, Malwarebytes, McAfee, Microsoft, Norton and PC Matic.
All of the security packages performed outstandingly in the test, with the ransomware and data stealer samples failing to get past their protective walls in all scenarios. Special attacking techniques such as the self-signing of binary files, the use of stolen signature identities and misuse of the Microsoft Software Installer were also unsuccessful in their attempts to steal or encrypt data.
All products for consumer users received the certificate "Advanced Certified", as they reached the required protection score of 75% of the 30 points available (i.e. 22.5 points).
ATP product tests for corporate users
The following 12 security solutions for companies were also set the challenge of withstanding the special attacking techniques used by data stealers and ransomware in the Advanced Threat Protection test: Acronis, AhnLab, Avast, Check Point, Kaspersky (with two versions), Malwarebytes, Microsoft, Seqrite, Symantec, WithSecure and VMware.
11 of these corporate user solutions achieved perfect results and were awarded the maximum total of 30 points as their protection score. They were also able to fend off the special attacking techniques without any problems.
Only VMware Carbon Black Cloud completely missed out on points in one scenario, failing to detect the data stealer during both “Initial Access” and “Execution”. As a result, the malware was able to spread throughout the system, collect data, exfiltrate it and begin its extortion without any restrictions. In this case, the security product failed to score any of the three points available.
The company solutions also achieved “Advanced Approved Endpoint Protection” certification for their protection score of 75 percent or more (22.5 points or more) of the total of 30 points available. The only exception here was Acronis: Although the product passed the test without any errors, AV-TEST only certifies products that achieve certification in the regular monthly tests and fulfil all their criteria.
Solid protection against data stealers and ransomware
The Advanced Threat Protection test conducted in September and October 2023 revealed that the security software of nearly all vendors performed flawlessly. All of the security packages for consumer users were able to achieve the maximum total of protection points available.
Eleven of the 12 solutions for corporate users made no errors whatsoever and were therefore also awarded the full total of 30 points as their protection score. Only one product experienced problems in one of the ten test scenarios.
With these solutions, even the special attacking techniques used by attackers, for example the self-signing of binary files, stolen signature identities and the misuse of the Microsoft Software Installer, came up short. The security products detect these techniques and make malware attacks a hopeless cause.