antivirus software Recently Published Documents


A Universal Malicious Documents Static Detection Framework Based on Feature Generalization

In this study, Portable Document Format (PDF), Word, Excel, Rich Text Format (RTF) and image documents are taken as the research objects to study a static and fast method by which to detect malicious documents. Malicious PDF and Word document features are abstracted and extended, which can be used to detect other types of documents. A universal static detection framework for malicious documents based on feature generalization is then proposed. The generalized features include specification check errors, the structure path, code keywords, and the number of objects. The proposed method is verified on two datasets, and is compared with Kaspersky, NOD32, and McAfee antivirus software. The experimental results demonstrate that the proposed method achieves good performance in terms of detection accuracy, runtime, and scalability. The average F1-score across all types of documents is found to be 0.99, and the average detection time per document is 0.5926 s, which is at the same level as the compared antivirus software.

Lessons of Centralized Procurement of Domestic Office and Antivirus Software in 2019–2020 Years

The article presents an assessment of the effects of procurement process centralisation and centralized purchasing; describes the case of centralized procurement of domestic office and antivirus software for federal government bodies; explains the advantages and disadvantages; and forms recommendations for future centralized procurement.

MOLECULAR DOCKING OF ACTIVE COMPOUNDS FROM GUAVA (Psidium guajava L.) FRUIT AND LEAVES AGAINST SARS-CoV-2 PROTEIN

In late 2019, an outbreak of a new pneumonia originating from Wuhan, Hubei Province, caused by the SARS-CoV-2 virus occurred. Inhibiting the proteins of that virus is therefore one route to discovering new drug candidates. The aim of this study was to determine whether the secondary metabolite compounds found in guava (Psidium guajava L) fruit and leaves have antiviral activity by inhibiting SARS-CoV-2 protein. The molecular docking method is used to predict the structure of compound-protein complexes, which is called ligand-protein docking. The research was conducted by in silico analysis of the secondary metabolite compounds of the guava plant and by modelling the interaction with the SARS-CoV-2 protein of the compounds acting as antivirals. The software used was PLANTS, YASARA, ChemSketch, and Ligplus. The study began with internal validation on one of the SARS-CoV-2 receptors, protein code PDB ID 6LU7. Docking was performed against the native ligand, the chemical compounds of the guava plant, and comparison compounds as positive controls. The results show that the docking scores of the three best secondary metabolite compounds are still higher than that of the native ligand. The docking scores of kaempferol, quercetin and hyperin were -90.399, -92.012 and -92.231 kcal/mol. The complex with the native ligand is still more stable (stronger) than the complex between the protein and the active compounds from guava.

Antivirus Software, its Working Techniques, Drawbacks and an Account on Fake Antivirus Programs

Awareness, adoption, and misconceptions of web privacy tools.

Privacy and security tools can help users protect themselves online. Unfortunately, people are often unaware of such tools, and have potentially harmful misconceptions about the protections provided by the tools they know about. Effectively encouraging the adoption of privacy tools requires insights into people’s tool awareness and understanding. Towards that end, we conducted a demographically-stratified survey of 500 US participants to measure their use of and perceptions about five web browsing-related tools: private browsing, VPNs, Tor Browser, ad blockers, and antivirus software. We asked about participants’ perceptions of the protections provided by these tools across twelve realistic scenarios. Our thematic analysis of participants’ responses revealed diverse forms of misconceptions. Some types of misconceptions were common across tools and scenarios, while others were associated with particular combinations of tools and scenarios. For example, some participants suggested that the privacy protections offered by private browsing, VPNs, and Tor Browser would also protect them from security threats – a misconception that might expose them to preventable risks. We anticipate that our findings will help researchers, tool designers, and privacy advocates educate the public about privacy- and security-enhancing technologies.

Macro Based Malware Detection System

Macro based malware has risen sharply in recent years, and attackers are now using this malware for hacking purposes. This virus is embedded inside the macro of a Word document and can be used to infect the victim’s machine. These infected files are usually sent through email, and all antivirus software is unable to detect the virus due to the format of the file. Because the format is a rich text file and not an executable file, the infected file is able to bypass all security. Hence it is necessary to develop a detection system for such attacks to help reduce the threat. Technical research is carried out to identify the tools and techniques essential to the completion of this system. Research on methodology is done to finalise which development cycle will be used and how functions will be carried out at each phase of the development cycle. This paper outlines the problems that people face once they are attacked through macro malware and the way it can be mitigated. Lastly, all information necessary to start the implementation has been gathered and analysed.

Malware Detection Based on Code Visualization and Two-Level Classification

Malware creators generate new malicious software samples by making minor changes in previously generated code, in order to reuse malicious code as well as to go unnoticed by signature-based antivirus software. As a result, various families of variations of the same initial code exist today. Visualization of compiled executables for malware analysis was proposed several years ago. Visualization can greatly assist malware classification and requires neither disassembly nor code execution. Moreover, new variations of known malware families are instantly detected, in contrast to traditional signature-based antivirus software. This paper addresses the problem of identifying variations of existing malware visualized as images. A new malware detection system based on a two-level Artificial Neural Network (ANN) is proposed. The classification is based on file and image features. The proposed system is tested on the ‘Malimg’ dataset consisting of the visual representation of well-known malware families. From this set some important image features are extracted. Based on these features, the ANN is trained. Then, this ANN is used to detect and classify other samples of the dataset. Malware families that cause confusion are classified by a second level of ANNs. The proposed two-level ANN method excels in simplicity, accuracy, and speed; it is easy to implement and fast to run, thus it can be applied to antivirus software, smart firewalls, web applications, etc.

Evading Signature-Based Antivirus Software Using Custom Reverse Shell Exploit

The case against commercial antivirus software: risk homeostasis and information problems in cybersecurity

Performance Analysis of Antivirus Software Using a Performance Measurement Methodology

This research aims to observe the performance of licensed enterprise antivirus software. The enterprise antivirus products studied are Trend Micro Worry-Free Service and Kaspersky Endpoint Security. To obtain the data, testing was performed on the specified antivirus parameters with the help of tools such as Rebooter, BootRacer, TeraCopy, Process Explorer and IP Messenger. Both antivirus products were tested on 8 parameters: boot time, restart, full scan, copy-paste of files, and memory capacity used during a full scan or when idle. The randomly sampled results were analyzed with statistical tests using the t-test and F-test. The tests indicate that there is no significant difference in average scores across the test results of the 8 antivirus parameters. The result of the t-test and F-test statistical analysis is that both antivirus products have advantages and disadvantages in each of the parameters with respect to speed and memory capacity used. But when calculated as a whole, Kaspersky Endpoint Security has the best antivirus performance.

Determination of Antivirus Software Selection Criteria and Ranking of Programs


Related Papers

MATEC Web of Conferences

Aditya gautama

Virus spread increased significantly through the internet in 2017. One protection method is using antivirus software. The wide variety of antivirus software in the market tends to create confusion among consumers. Selecting the right antivirus according to their needs has become difficult. This is the reason we conducted our research. We formulate a decision making model for antivirus software consumers. The model is constructed by using factor analysis and the AHP method. First we distributed questionnaires to consumers; from those questionnaires we identified 16 variables that need to be considered when selecting antivirus software. These 16 variables were then divided into 5 factors by using the factor analysis method in SPSS software. These five factors are security, performance, internal, time and capacity. To rank those factors we distributed questionnaires to 6 IT experts, and the data were analyzed using the AHP method. The result is that performance factors gained the highest rank from all of the ...


Computación Y Sistemas

Yoan Pacheco

IRJCS: International Research Journal of Computer Science, Elizzy Odoks, Asagba Prince

Three different sets of software selection data were applied to the three Multi Criteria Decision Making (MCDM) methods: Weighted Sum Average (WSA), Technique for Order of Preference by Similarity to Ideal Solution (TOPSIS) and Multi-Criteria Optimization and Compromise Solution (VIKOR), with the objective of knowing if they will all recommend the same software product and produce the same ranking schemes. Results show that their ranking schemes are only 65% similar indicating that relying on only one MCDM method may lead to choosing the wrong software product which may have detrimental consequences.

REST Publisher

Chinnasami S , chandrasekar raja

The operating system is computer software. User communication between the computer and the operating system takes place with the help of Windows, Linux, and Android, which are examples of operating systems that manage all other applications on a computer after the boot program. Application programs make limited application requests for services through the program interface using the operating system's API. The PROMETHEE method assumes that the weights of the criteria are already known, and this is a rigorous assumption. Furthermore, with the increase in the number of criteria, the complexity of the problem increases exponentially. We used PROMETHEE for ranking the priority of the ranking system for enrichment estimation. The PROMETHEE method is the most ideal solution for short-distance and alternative solutions, but the comparison of these distances does not consider importance. We evaluated Operating system 1, Operating system 2, Operating system 3, Operating system 4, and Operating system 5 based on memory management, process management, storage management, protection and security, and software features. After analyzing the results, it was found that Operating system 4 obtained the first rank, whereas Operating system 1 had the lowest rank.

Ijca Special Issue on Computational Intelligence Information Security

Shahram Sarkani, Ph.D., P.E.

Informatica

Sema Kayapinar , Ejder Ayçin

During the COVID-19 pandemic, masks have become essential items for all people to protect themselves from the virus. Because multiple factors must be considered when selecting an antivirus mask, the decision-making process has become more complicated. This paper proposes an integrated approach that uses F-BWM-RAFSI methods for the antivirus mask selection process with respect to the COVID-19 pandemic. Finally, sensitivity analysis was demonstrated by evaluating the effects of changing the weight coefficients of the criteria on the ranking results, simulating changes in Heronian operator parameters, and comparing the obtained solution to other MCDM approaches to ensure its robustness.

Catalin Boja

Dr. Tami Alzabi

Nowadays, there is a wide range of alternatives for hardware and software available in the market; this creates a complex problem for agencies' decision makers in selecting the best tools, software and hardware. When it comes to information security, alternative selection has become one of the most important issues. During network security design, a number of hardware and software components need to be selected in order to produce the required design. This design would increase security and the acceptance of the decision makers. Selection of software and hardware is classified as a daily multi-attribute problem with conflicting criteria. Performance, reliability, usability and other features play important roles in the selection process. In this paper, we propose a framework for security tools selection using a hybrid of TOPSIS and AHP; AHP is used to calculate the criteria weights while TOPSIS is used with the calculated weights to rank the available security hardware and/or softwar...

Bilal Bahaa Zaidan , Ahmed Al-Haiqi

Various software packages offer a large number of customizable features to meet the specific needs of organizations. Improper selection of a software package may result in incorrect strategic decisions and subsequent economic loss for organizations. This paper presents a comparative study that aims to evaluate and select open-source electronic medical record (OS-EMR) software based on multiple-criteria decision-making (MCDM) techniques. A hands-on study is performed, and a set of OS-EMR software packages are implemented locally in separate virtual machines to closely examine the systems. Several measures are specified as evaluation bases, and systems are selected based on a set of metric outcomes by using AHP integrated with different MCDM techniques, namely WPM, WSM, SAW, HAW, and TOPSIS. A paired sample t-test is then utilized to measure the correlations among the different techniques on ranking scores and orders. Findings are as follows. (1) Significant differences exist among MCDM techniques on the basis of different integrations on ranking scores, whereas no significant differences exist among them when representing the ranking scores as ranking orders in place of the technique scale. (2) The software GNUmed, OpenEMR, OpenMRS, and ZEPRS do not differ in ranking scores/orders of experiments for all MCDM techniques presented. On the contrary, discrepancies among the ranking scores/orders are more noticeable in other software. (3) GNUmed, OpenEMR, and OpenMRS software are the most promising candidates for providing a good basis on ranking scores/orders, whereas ZEPRS is not recommended because it records the worst ranking score/order in comparison with other OS-EMR software.

Studies in Informatics and Control

Victor Vevera


The Design and Implementation of an Antivirus Software Advising System


Oriental Journal of Computer Science and Technology (An International Research Journal of Computer Science and Technology)

Performance Investigation of Antivirus – A Comparative Analysis


Remya Thomas and M. Nachamai *

Department of Computer science, Christ University, Bangalore, India

Corresponding author Email:  [email protected]

DOI : http://dx.doi.org/10.13005/ojcst/10.01.27

Antivirus, as the name implies, protects devices such as computers, mobiles and pen drives from viruses. All gadgets that interact with an open network are prone to viruses. A virus is a malicious software program that replicates by copying its code multiple times or by infecting another computer program (for example by modifying the existing program), which can affect its operation. Viruses perform harmful tasks on the affected host computer, such as consuming hard disk space and CPU time, accessing private information, etc. This paper examines the performance of five antivirus products (McAfee, Avast, Avira, Bitdefender, Norton) and their effectiveness on the computer. The performance is tested based on the time taken by each antivirus to act on a computer. The parameters used to analyze the performance are quick scan, full scan and custom scan with respect to time. Through the analysis, Bitdefender's performance is found to be better than that of the other selected antivirus products.

Introduction

The explosive growth of the World Wide Web constantly exposes computers to unknown threats that can ruin them. Antivirus software plays an active role in preventing hidden threats on the web that can affect the computer. The infection can be of different types such as droppers, Trojans, root-kits, worms, viruses, and so on. Antivirus is security software that focuses on providing better protection. The physical view of an antivirus is shown in fig1. Antivirus software is used to disinfect the infected program or to completely remove malicious software from the system. Antivirus software uses different techniques to identify malicious software, which often self-protects and hides deep in an operating system. Advanced viruses may use undocumented operating system functionality and hidden techniques in order to persist and avoid being detected. Because of the huge volume of malware attacks these days, antivirus software is designed to handle all kinds of malignant payloads arriving from both trusted and un-trusted sources.

Antivirus software offers different types of scan, such as full scan, quick scan and custom scan.

Full scan [1] is performed to ensure that the computer is free from viruses. It scans files, local drives and folders on the system. A full scan can also be performed on external devices like digital cameras, USB drives and many others.

Quick scan is used to scan the most commonly infected areas of a computer. A quick scan checks only the common areas of a computer for viruses. Scanned areas include common areas of the hard drive, including the temporary files, computer memory and the operating system directory. A quick scan typically takes 20-30 minutes or less to complete. A full scan checks every folder available, and hence takes longer to perform. Depending on the hard drive and memory space of a computer, it could take from 40 minutes to several hours to accomplish a full scan.

Custom Scan

Custom scan, as the name implies, allows the user to customize which files and folders are to be scanned. This scan is useful when the user wants to scan a particular folder, or when the user wants to scan an entire drive. A custom scan helps to remove unknown viruses, spyware, tracking cookies, potential threats and stealth programs, which can exploit and alter Windows system files. For the performance study of the different antivirus products, full, custom and quick scans are performed and compared on the basis of time.

Literature Review

The research paper "A Comparative Study of Virus Detection Techniques" [2] determines that, to model the behavior of a virus, the use of "logic formulae" is one of the most recent developments in computer virus research. Logic formulae are an alternative to the basic virus detection technique. Behavior based virus detection is used to overcome the issues associated with traditional signature based virus identification. Signature based virus detection is explained with its pros and cons.

The research paper "Study and Comparison of Virus Detection Techniques" [3] determines that, as the characteristics of different viruses are different, the detection approaches should be different. Viruses of different types cannot be detected by a single method. Viruses are classified as Simple Viruses, Encrypted Viruses, Polymorphic Viruses, Oligomorphic Viruses and Metamorphic Viruses. The virus detection methods specified are Signature based virus detection, Anomaly Based Detection and Code Emulation. Signature scanning is concluded to be the easy and economical method for detecting the majority of currently available viruses, and it causes less impact on existing hardware and code.

The research paper "Antivirus Software Testing for the New Millenium" [4] discusses the next generation of antivirus systems. The organizations testing antivirus products are ICSA Certification, West Coast Labs Checkmark, the University of Hamburg VTC malware tests, etc. Network aware viruses like Melissa have proven that virus-specific techniques are not sufficient to prevent infection by new viruses. The inherent backlog of post-infection generic methods and pre-infection heuristics makes virus detection a more powerful way to prevent and remove viruses. Antivirus products that combine approaches into a hybrid are likely to evolve.

The performance study of different antivirus products for computers is described in detail in [5]. The classification is based on three groups (ranks) of antivirus, i.e. AV-Test, VB and AV-Comparatives. According to the survey, no antivirus engine consistently holds the top place in each year across all testing organizations.

The performance and protection of antivirus products is described in detail in [6,7], where different antivirus products are compared based on scanning methods like on-demand and on-access malware scan, website rating, malicious URL blocking, phishing protection, behavior based detection and vulnerability scan.

Methods and Materials

Anti-malware software also known as Antivirus, is computer software that is used to detect, prevent and remove malicious software [8].

To study the performance of the different antivirus products in a computer system, the full scan, custom scan and quick scan parameters/methods are considered.

Basically four levels of anti-malware products are available in the market:

  • Paid antivirus
  • Premium suites

Moving from free to premium suites, features get added such as identity theft protection, parental controls, firewalls and system performance tools. Free antivirus software basically provides a bare, low level of protection. It will scan for viruses, and often can perform automatic virus scans as well. A few free apps have additional protection tools such as a browser add-on that checks for harmful links, and premium suites include a firewall [9]. Usually these features are limited to paid antivirus software products.

Paid antivirus lies as a middle ground between the basic free products and the feature-packed antivirus security suites. Paid antivirus offers overall security tools like parental controls and identity theft protection, and hence more flexibility than a free antivirus package; usually paid antivirus has fewer additional features than suites, which are designed to be one-stop protection shops. The biggest issue faced when going with free antivirus products is the lack of technical support: free antivirus users usually must help themselves.

Anti-viruses selected for the analysis in this research work are:

Norton is one of the well-known antivirus products. One of its key features is that it updates every 10 to 15 minutes to ensure that the system is up to date.

McAfee Antivirus is software that protects the computer from spyware and viruses, and includes a firewall that helps prevent hacker attacks on the computer.

Bitdefender gives protection from spyware, viruses and root-kits, provides an anti-phishing service, and offers a laptop and gamer mode.

Avira introduced Avira Protection Cloud (APC), which uses information available through the internet (cloud computing) to enhance detection while reducing the effect on system performance. APC was initially used only during a manual quick system scan but was later extended to real-time protection.

Avast is a popular antivirus available in the market, and it has the largest share of the market for anti-malware applications. The Avast free antivirus product’s features include antivirus with Avast Passwords, antispyware, streaming updates, Secure HTTPS scanning, Home Network Security scanner, Site Correct, Do Not Track, anti-malware, Smart Scan, Rescue Disk, anti-phishing and Software Updater (manual).

For the comparative performance analysis of antivirus products, the time consumed by the different anti-viruses for the different scans (full, quick and custom) is considered. The analysis is performed on a laptop with an Intel Core i3 processor, 2 GB RAM, a 64-bit operating system and Windows 8.1 Single Language version. The common steps carried out for all the antivirus products are:

Step 1: Install the antivirus on the computer.

Step 2: Double click/right-click on the antivirus System Tray icon and navigate to the antivirus software.

Step 3: Click on the scan tab.

Step 4: Select the type of scan from the provided options (i.e. full scan, quick scan, custom scan).

Step 5: If custom scan is opted for, the user will be able to select the folders, drives and software available on the system.

Step 6: Click on “Start” scan.

Step 7: The user will be prompted with an alert box with the option “View results” after the scan has completed.

Step 8: The scan result will be displayed on the screen.

Step 9: The user will be able to repair the errors.

Table 1: Time based analysis on antivirus using full scan

Table 2: Time based analysis on antivirus using quick scan

Table 3: Time based analysis on antivirus using custom scan

Table 4: Antivirus performance and protection percentage [10]

System Information:

System Type: 32-bit Operating System.

Processor: Intel(R) Core(TM) i3.

No. of files scanned in Full scan: 800114 files

No. of files scanned in Quick scan: 55672 files

No. of files scanned in Custom scan: 413234 files

Results and Discussion

In the full scan, McAfee antivirus scanned fewer files in more time than Avira. Avast scanned fewer files in less time compared to Avira. Bitdefender scanned more files in less time compared to Norton. Hence Bitdefender antivirus performed better than the other antivirus products by scanning more files in less time. The data fetched from toptenreviews.com is thus consistent with the full scan results, as toptenreviews rates Bitdefender at 100 percent performance and protection. The full scan results are plotted in figure 2.

In the quick scan, Avira scanned fewer files while consuming more time than McAfee. Avast scanned fewer files in less time than Avira. Norton scanned more files in less time than Bitdefender. The data fetched from toptenreviews.com is thus consistent with the quick scan results, as toptenreviews rates Bitdefender at 92 percent performance and 100 percent protection. The quick scan analysis is plotted in figure 3.

Custom scan

In the custom scan performed on the C drive, Avira scanned fewer files while consuming more time than McAfee. Avast scanned more files in less time compared to McAfee. Bitdefender scanned more files than Norton in less time. Hence Bitdefender's performance is higher than that of any other antivirus. The custom scan analysis is represented in the form of a bar chart in fig 4.

As per toptenreviews.com, Bitdefender has 100% performance and protection, which matches the analysis performed in this paper. But comparing the performance of Avira to the other antivirus products, it has lower performance, as Avira took more time to scan fewer files, whereas in the toptenreviews it is McAfee whose performance is rated below the other antivirus products. Hence, according to this analysis, Bitdefender has the highest performance of the compared antivirus products and Avira the lowest.

Antivirus is a powerful program which protects the computer from viruses and removes them. Antivirus software downloads new and updated definition files which contain the signatures of viruses. When the antivirus scans a file and identifies that the file matches a known piece of malware, it stops the file from running further and puts it into “quarantine”. In this performance study of different antivirus products, Bitdefender has the highest performance, as it scans more files in less time. Norton can be rated the second highest performer, as Norton also scans more files in less time. The performance of Avira is low, as it takes more time to scan a limited number of files.

  • [1] https://www.howtogeek.com/125650/htg-explains-how-antivirus-software-works/
  • [2] Sulaiman Al Amro and Ali Alkhalifah, "A Comparative Study of Virus Detection Techniques".
  • [3] Ankush R Kakad, Siddharth G Kamble, Shrinivas S Bhuvad and Vinayak N Malavade, "Study and Comparison of Virus Detection Techniques".
  • [4] Sarah Gordon, "Antivirus Software Testing for the New Millenium".
  • [5] https://www.opswat.com/blog/antivirus-performance-study-shows-diversification-key
  • [6] http://in.pcmag.com/antivirus-from-pcma/37090/guide/the-best-free-antivirus-protection-of-2016
  • [7] http://thinhlong.vn/upload/download/avc_report25.pdf
  • [8] https://www.raymond.cc/blog/test-the-effectiveness-of-your-antivirus-firewall-and-hips-software/
  • [9] https://www.sans.org/readingroom/whitepapers/commerical/anti-virus-software-challenge-prepared-tomorrows-malware-today-782
  • [10] http://www.toptenreviews.com/software/security/best-antivirus-software/

FortiGuard Labs Threat Research

ScrubCrypt Deploys VenomRAT with an Arsenal of Plugins


Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The stolen information can be used for future attacks
Severity Level: High

Last year, FortiGuard Labs uncovered the 8220 Gang’s utilization of ScrubCrypt to launch attacks targeting exploitable Oracle WebLogic Servers. ScrubCrypt has been described as an “antivirus evasion tool” that converts executables into undetectable batch files. It offers several options to manipulate malware, making it more challenging for antivirus products to detect.

We recently discovered a threat actor distributing a phishing email containing malicious Scalable Vector Graphics (SVG) files. The email lures victims into clicking on an attachment, which downloads a ZIP file containing a batch file obfuscated with the BatCloak tool. ScrubCrypt is then used to load the final payload, VenomRAT, while maintaining a connection with a command and control (C2) server to install plugins in victims’ environments. The plugin files downloaded from the C2 server include VenomRAT version 6, Remcos, XWorm, NanoCore, and a stealer designed for specific crypto wallets.

This article provides detailed insights into how the threat actor distributes VenomRAT and other plugins.

Figure 1: Attack chain

Initial Access

The attacker initiates the attack by sending a phishing email stating that a shipment has been delivered. It also includes an attached invoice. The attachment is an SVG file named “INV0ICE_#TBSBVS0Y3BDSMMX.svg,” which contains embedded base64-encoded data.

Figure 2: Phishing email

After a victim opens the SVG file, the embedded ECMAScript creates a new Blob and uses “window.URL.createObjectURL” to drop the decoded data as a ZIP file named “INV0ICE_#TBSBVS0Y3BDSMMX.zip.”

Figure 3: SVG file that drops ZIP file
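As an added defender-side example (not code from the FortiGuard Labs post), the following Python performs static triage of an SVG attachment along the lines of the pattern described above: it counts script elements and inline event handlers, looks for the browser calls a blob-dropper needs (atob, Blob, createObjectURL), and flags an unusually long contiguous base64 run. The two SVG documents are constructed for this example, and the 200-character run threshold is an assumption, not a value from the post.

```python
import re
import xml.etree.ElementTree as ET

# Threshold is an assumption for this example: a contiguous base64 run this
# long inside an SVG is far more likely an embedded file than drawing data.
MIN_B64_RUN = 200
# Script API calls that, combined with a script element, indicate a file drop.
SUSPICIOUS_CALLS = ("createObjectURL", "atob", "Blob(", "msSaveOrOpenBlob")


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.split("}")[-1]


def triage_svg(svg_text):
    """Static triage of an SVG attachment. Returns the indicators found and a verdict."""
    root = ET.fromstring(svg_text)
    findings = {"script_elements": 0, "event_handlers": [],
                "suspicious_calls": [], "base64_run_len": 0}
    script_text = []
    for el in root.iter():
        name = _local(el.tag)
        if name == "script":
            findings["script_elements"] += 1
            script_text.append(el.text or "")
        for attr in el.attrib:
            if attr.lower().startswith("on"):  # onload=, onclick=, ...
                findings["event_handlers"].append("<%s %s>" % (name, attr))
    joined = "".join(script_text)
    findings["suspicious_calls"] = [c for c in SUSPICIOUS_CALLS if c in joined]
    m = re.search(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_RUN, svg_text)
    if m:
        findings["base64_run_len"] = len(m.group(0))
    has_code = findings["script_elements"] or findings["event_handlers"]
    has_drop = findings["suspicious_calls"] or findings["base64_run_len"]
    findings["verdict"] = "suspicious" if has_code and has_drop else "clean"
    return findings


# Constructed samples (not the real attachment): a benign drawing, and an SVG
# whose script decodes an embedded base64 blob and hands it to createObjectURL.
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'
PAYLOAD_B64 = "QUFB" * 100  # 400 base64 characters of filler standing in for the ZIP
MALICIOUS_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" onload="run()">
  <script type="text/ecmascript"><![CDATA[
    var d = "{PAYLOAD_B64}";
    function run() {{
      var b = new Blob([atob(d)], {{type: "application/zip"}});
      var u = window.URL.createObjectURL(b);
    }}
  ]]></script>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, triage_svg(doc))
```

A mail gateway or sandbox pre-filter can run this on every SVG attachment; legitimate SVG drawings rarely carry a script element at all, so the verdict is conservative by design and only fires when both code and a drop mechanism are present.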

The decompressed file is an obfuscated batch file that embeds its payload in the section “------BEGIN X509 CRL-----.” Based on the decoded comment in the first line, it is presumed that this batch file was created by the BatCloak tool, known for using heavily obfuscated batch files to deploy various malware families. BatCloak has been employed since 2022 to distribute malware while effectively evading detection by antivirus programs.

The script first copies the PowerShell executable to “C:\Users\Public\xkn.exe” and uses the copy in later commands. Each command includes the parameters “-WindowStyle hidden -inputformat none -outputformat none -NonInteractive” to hide its activity from the victim. It then decodes the malicious data and saves it as “pointer.png.” After hex-decoding, the result is saved as “pointer” and moved to “C:\Users\Public\Libraries\pointer.cmd.” When “pointer.cmd” executes, it uses “cmd /c del” to delete all the files mentioned above.

Figure 4: The obfuscated batch file

The “pointer.cmd” file serves as the ScrubCrypt batch file. It is deliberately cluttered with numerous junk strings to obscure readability. It incorporates two payloads encoded in Base64 and applies AES-CBC decryption followed by GZIP decompression to recover them. It uses the PowerShell call “[System.Reflection.Assembly]::Load” to load the decrypted .NET assembly from a byte array, then accesses its entry point method and invokes it to run the assembly's code.

Figure 7: ScrubCrypt batch file

The first payload serves two primary purposes: establishing persistence and loading the targeted malware. It determines whether the current user is part of the built-in Administrator role in a Windows operating system to configure its persistence settings. Additionally, it checks for the presence of any debugger. If found, it terminates the program to avoid detection.

Figure 9: Main function

If the current user holds Administrator privileges, the program duplicates itself to “%AppData%/strt.cmd” and utilizes a PowerShell command to establish a scheduled task named “OneNote 83701.” This task triggers upon user login, executes “strt.cmd,” and operates with elevated privileges. Conversely, if the user lacks Administrator permissions, the program duplicates itself to the “StartUp” folder under the filename “strt.cmd.”

Figure 10: Persistence setting
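As an added detection example (ours, not FortiGuard Labs' code), the following Python turns the behaviours described in the batch, ScrubCrypt and persistence stages above into five host-telemetry rules and runs them over constructed events: a renamed PowerShell copy identified by its original file name, the hidden/non-interactive flag combination, a reflective Assembly.Load on the command line, a scheduled task whose action is a script in a user-writable directory, and a script written to the per-user Startup folder. The event field names are our own simplified, Sysmon-like schema rather than a vendor's, the user name “alice” is a placeholder, and the two benign events are assumptions included so the rules can be seen not to fire on ordinary administration.

```python
import ntpath
import re

# Locations a standard user can write to; scripts and scheduled-task actions that
# live here are far more suspicious than ones under Program Files or System32.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\Users\\Public\\|\\Temp\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SCRIPT_EXT = (".cmd", ".bat", ".vbs", ".js", ".ps1")


def renamed_powershell(e):
    """PowerShell copied under a new name (the post's xkn.exe): the PE's original
    file name still says PowerShell.EXE while the on-disk name does not."""
    if e["type"] != "process":
        return False
    return (e.get("original_file_name", "").lower() == "powershell.exe"
            and ntpath.basename(e["image"]).lower() not in ("powershell.exe", "pwsh.exe"))


def hidden_noninteractive(e):
    """The -WindowStyle hidden / -NonInteractive combination used to hide the stage."""
    c = e.get("cmdline", "").lower()
    return e["type"] == "process" and "-windowstyle hidden" in c and "-noninteractive" in c


def reflective_assembly_load(e):
    """Assembly.Load from a byte array on the command line (ScrubCrypt's loader)."""
    return e["type"] == "process" and "[system.reflection.assembly]::load" in e.get("cmdline", "").lower()


def task_script_in_profile(e):
    """Scheduled task whose action is a script in a user-writable directory."""
    a = e.get("action", "")
    return e["type"] == "task_create" and a.lower().endswith(SCRIPT_EXT) and bool(USER_WRITABLE.search(a))


def startup_folder_script(e):
    """Script dropped into the per-user Startup folder."""
    p = e.get("path", "")
    return e["type"] == "file_create" and p.lower().endswith(SCRIPT_EXT) and bool(STARTUP_DIR.search(p))


RULES = {
    "renamed_powershell": renamed_powershell,
    "hidden_noninteractive_powershell": hidden_noninteractive,
    "reflective_assembly_load": reflective_assembly_load,
    "scheduled_task_script_in_profile": task_script_in_profile,
    "startup_folder_script": startup_folder_script,
}


def evaluate(events):
    """Return (event_index, rule_name) for every rule that fires."""
    return [(i, name) for i, e in enumerate(events) for name, rule in RULES.items() if rule(e)]


# Constructed telemetry in a simplified, Sysmon-like shape (our own field names,
# not a vendor schema). Paths and names follow the post; "alice" is a placeholder.
EVENTS = [
    {"type": "process", "image": r"C:\Users\Public\xkn.exe", "original_file_name": "PowerShell.EXE",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Users\Public\xkn.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command ..."},
    {"type": "process", "image": r"C:\Users\Public\xkn.exe", "original_file_name": "PowerShell.EXE",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Users\Public\xkn.exe -WindowStyle hidden -NonInteractive -Command [System.Reflection.Assembly]::Load($bytes).EntryPoint.Invoke($null,$null)"},
    {"type": "task_create", "task_name": "OneNote 83701", "trigger": "logon", "run_level": "highest",
     "action": r"C:\Users\alice\AppData\Roaming\strt.cmd"},
    {"type": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\strt.cmd"},
    # Benign administrative activity, included so the rules can be seen not to fire on it.
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original_file_name": "PowerShell.EXE", "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"type": "task_create", "task_name": "Nightly Backup", "trigger": "daily", "run_level": "limited",
     "action": r"C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for idx, rule in evaluate(EVENTS):
        print(f"event {idx}: {rule}")
```

The original-file-name check is the durable part: the attacker can pick any name for the copied binary, but the version resource inside the PE still says PowerShell.EXE, which is what EDR and Sysmon process-creation events expose.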

Finally, it loads an assembly from an embedded resource named “P,” which contains a compressed assembly. It then invokes the entry point method of the loaded assembly to execute VenomRAT.

Figure 11: Invoke VenomRAT

The second payload from the ScrubCrypt batch file performs AMSI bypass and ETW bypass.

Figure 12: 2nd Decrypted payload from ScrubCrypt Batch file

VenomRAT is a remote access Trojan (RAT) first identified in 2020. It is a modified version of the well-known Quasar RAT and is distributed through malicious attachments in spam emails. Cybercriminals utilize it to gain unauthorized access and control over targeted systems. As with other RATs, VenomRAT enables attackers to manipulate compromised devices remotely, allowing them to execute various malicious activities without the victim's knowledge or consent.

The fundamental configuration of VenomRAT is Base64-encoded and AES-CBC-encrypted. The decrypted data is shown in Figure 14.

Figure 14: Initial setting in VenomRAT

After completing environmental checks, VenomRAT initiates communication with its C2 server. The initial packet transmitted contains basic information about the victim, such as hardware specifications, username, operating system details, camera availability, execution path, foreground window name, and the name of the antivirus product installed.

Figure 15: Packet for client information

All C2 sessions are encrypted using the certificate specified in its configuration. By debugging the program, we extracted and decompressed the packets, revealing the keep-alive sessions established with the C2 server.

Figure 16: Encrypted C2 sessions

While VenomRAT's primary program may appear straightforward, it maintains communication channels with the C2 server to acquire additional plugins for various activities. The assembly responsible for parsing packets from the server is outlined below. Upon receiving the “save_Plugin” directive from the server, it can decompress the data and save it to the registry.

Figure 18: VenomRAT handles packets

The “save_Plugin” data comprises a DLL file named “SendFile,” which can parse other “plug_in” files sent from the C2 server. If a plugin file with the same name is already in the victim’s environment, it deletes the existing file and creates a new one with the current data. After decompressing the “plug_in” packet data, it examines the “Filename” to determine which PowerShell command to employ.

Figure 20: “SendFile.dll” handles other plugin data

In Figure 21, once a “plugin” packet is received from the server, VenomRAT reads the registry to fetch the data for “SendFile.dll” and executes the payload contained within the plugin.

Figure 21: Received plugin data from the C2 server

In the following sections, we’ll elaborate on the plugins provided by the VenomRAT C2 server.

Plugin 1 - Venom RAT v6.0.3

The first plugin is embedded in ScrubCrypt and loads without writing any executable file to the victim’s disk, which hides its trace effectively. The second payload from the ScrubCrypt batch file is called “ScrubBypass.” This file is highly obfuscated to hide its code flow, functions, and strings. ScrubBypass’s main jobs are patching the AMSI scan buffer and EtwEventWrite to achieve AMSI and ETW bypass.

Figure 23: ScrubBypass

This VenomRAT plugin is version 6.0.3. It has a keylogger function and stores its C2 server information on the Pastebin website. It collects multiple data types, monitors the victim’s keyboard activity, and persistently sends the stolen data to the C2 server.

Figure 24: VenomRAT with Grabber and Keylogger

Plugin 2 - NanoCore

NanoCore is a notorious Remote Access Trojan (RAT) first discovered in 2013. It is known for its ability to remotely access and control a victim's computer, often without their knowledge. It continues to be relevant in the cybercrime world due to its source code being leaked and widely distributed in underground forums. This plugin is distributed to compromised devices by an obfuscated VBS file, shown in Figure 26.

Figure 26: Obfuscated VBS script

The script fetches the data for the next stage from the website “hxxps://nanoshield[.]pro/files,” which also operates as a crypter service provider. It first retrieves a JPG file and decodes the target section, using the reversed URL as a parameter. Although the second URL, “hxxps://nanoshd[.]pro/files/new_image.jpg?14441723,” could not be accessed, changing the hostname to “nanoshield.pro” allowed us to retrieve a file similar to the one at the first URL, “hxxps://nanoshield[.]pro/new_image2.jpg?166154725.”

Figure 27: Decoded VBS script

The JPG file employs steganographic methods to conceal code inside the picture, embedding malware data encoded in Base64 between the tags <<BASE64_START>> and <<BASE64_END>>. After decoding the JPG file, we obtained a .NET execution file. This file establishes persistence by configuring the registry key “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” and checks for any virtual environments. It then downloads encoded data from the “nanoshield.pro/files” URL, reverses the data, replaces the specific string “DgTre,” and employs “RegAsm” to proxy the execution of NanoCore.

Figure 29: Decoded JPG file loads the malware for the next stage
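As an added analyst-side example (not part of the post), the following Python carves the marker-delimited Base64 regions described above out of a downloaded image, decodes each one, and reports its size, SHA-256 and whether it starts with the MZ header of a Windows executable. The marker strings are the ones quoted in the post; the image bytes and the 64-byte stand-in executable are constructed for this example, and the second, malformed region shows how a decode failure is reported rather than raised.

```python
import base64
import hashlib
import re

# Marker pair the decoded VBS looks for in the downloaded image (taken from the post).
START = b"<<BASE64_START>>"
END = b"<<BASE64_END>>"
_MARKED = re.compile(re.escape(START) + rb"(.*?)" + re.escape(END), re.S)


def carve_marked_payloads(data):
    """Find every START..END region, base64-decode it and summarise the result."""
    results = []
    for m in _MARKED.finditer(data):
        raw = re.sub(rb"\s+", b"", m.group(1))  # tolerate line-wrapped base64
        entry = {"offset": m.start(), "encoded_len": len(raw)}
        try:
            payload = base64.b64decode(raw, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            entry["error"] = "region is not valid base64"
            results.append(entry)
            continue
        entry.update({
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "looks_like_pe": payload[:2] == b"MZ",  # DOS header of a Windows executable
        })
        results.append(entry)
    return results


def is_probably_jpeg(data):
    """Sanity check: the file still starts with the JPEG SOI marker despite the appended data."""
    return data[:2] == b"\xff\xd8"


# Constructed sample (not the real image): JPEG header bytes, one well-formed marked
# region wrapping a 64-byte stand-in executable, and one malformed region.
FAKE_PE = b"MZ" + b"\x00" * 62
SAMPLE_IMAGE = (b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x11" * 32
                + START + base64.b64encode(FAKE_PE) + END
                + b"\xaa" * 16
                + START + b"not*base64!!" + END
                + b"\xff\xd9")

if __name__ == "__main__":
    print("jpeg header:", is_probably_jpeg(SAMPLE_IMAGE))
    for r in carve_marked_payloads(SAMPLE_IMAGE):
        print(r)
```

Run over a proxy cache or sandbox download directory, the same loop gives a quick way to hash and retro-hunt the embedded executables without executing the chain.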

Plugin 3 - XWorm

XWorm is a RAT that spreads through removable drives like USB flash drives, infecting Windows systems. It can steal information or allow remote access. Figure 32 shows the plugin from VenomRAT’s C2 server with the filename “xwrm3.1.vbs” at the end of the packet.

Figure 32: Plugin data from VenomRAT's C2 server

In addition to the VBS file, we retrieved another “plug_in” containing a batch script attempting to execute PowerShell commands. It downloads encoded data from “hxxps://kisanbethak[.]com/K/Universallsningen.lpk.”

Figure 35: Batch script to execute Guloader PowerShell

The next stage of the PowerShell code resides at the end of the decoded “Universallsningen.lpk” file. Although it contains numerous junk comments to hinder analysis, the PowerShell script uses the process hollowing technique to inject shellcode into a legitimate process. After injection and environment verification, the shellcode executes the final malware, XWorm. In this attack scenario, GuLoader also deploys NanoCore and Remcos.

Figure 37: PowerShell script in the decoded “Universallsningen.lpk”

Plugin 4 - Remcos

Remcos is a Remote Access Trojan (RAT) that first appeared in 2016. It is marketed as legitimate software for remote management but is often used maliciously. Remcos can give attackers complete control over an infected system, allowing them to capture keystrokes, screenshots, credentials, and other sensitive information. It is typically delivered via malicious documents or archive files and has been seen in phishing campaigns. This plugin was distributed from VenomRAT’s C2 using three methods: an obfuscated VBS script named “remcos.vbs,” ScrubCrypt, and GuLoader PowerShell.

Figure 38: Plugin data from VenomRAT's C2 server

The configuration for Remcos is RC4-encrypted in the “SETTINGS” resource, and the decrypted data is shown in Figure 42.

Figure 42: Decrypted configuration

Plugin 5 – Stealer

This plugin is deployed not only via the obfuscated VBS script mentioned in the previous section but also embedded in a .NET executable obfuscated with SmartAssembly. The .NET executable decodes the next-stage payload from the resource “ach” and writes the data into memory.

Figure 43: Write payload in memory

It then copies itself to the TEMP folder and registers the copied file as a scheduled task named “Nano.” This task repeats every 10 minutes after the first trigger.

Figure 44: Copy itself and schedule a task

The next-stage payload is more straightforward. It contains a hardcoded byte array holding the malicious DLL that steals the victim’s sensitive data.

Figure 45: Main function

The DLL file stores its configuration in Base64 encoded data, including the C2 hostname and the certificate to encrypt the communication.

Figure 47: Decoded configuration

This DLL file keeps monitoring the user’s system and targets specific crypto wallets, Foxmail, and Telegram data by performing the following tasks repeatedly:

1. Gathers details about the victim's environment, such as the PC name, username, antivirus software, disk information, and operating system version.

2. Verifies the existence of the following paths: “%AppData%\atomic\Local Storage\leveldb,” “%AppData%\Electrum\wallets,” “%AppData%\Ethereum\keystore,” “%AppData%\Exodus\exodus.wallet,” “%AppData%\com.liberty.jaxx\IndexedDB,” “%AppData%\Zcash,” “%AppData%\Foxmail,” and “%AppData%\Telegram Desktop\Telegram.exe.”

3. Checks whether the following registry keys exist: “Software\Bitcoin\Bitcoin-Qt,” “Software\Dash\Dash-Qt,” and “Software\Litecoin\Litecoin-Qt.”

4. Once the targeted data has been collected, it is sent to the C2 server, “markjohnhvncpure[.]duckdns.org,” with the execution file path appended at the end.

This analysis reveals a sophisticated attack leveraging multiple layers of obfuscation and evasion techniques to distribute and execute VenomRAT via ScrubCrypt. The attackers employ a variety of methods, including phishing emails with malicious attachments, obfuscated script files, and Guloader PowerShell, to infiltrate and compromise victim systems. Furthermore, deploying plugins through different payloads highlights the versatility and adaptability of the attack campaign.

The attackers’ ability to persist in the system, evade detection, and execute malicious payloads underscores the importance of robust cybersecurity measures and vigilant monitoring to mitigate such threats effectively.

Fortinet Protections

The malware described in this report is detected and blocked by FortiGuard Antivirus as:

  • W32/Rescoms.U!tr
  • MSIL/NanoCore.K!tr
  • MSIL/Kryptik.TPQ!tr
  • MSIL/Kryptik.AKNE!tr
  • MSIL/Kryptik.AKCI!tr
  • MSIL/Kryptik.AHUA!tr
  • MSIL/GenericKD.70765425!tr
  • MSIL/GenericKD.61253965!tr
  • MSIL/Agent.VIC!tr
  • MSIL/Agent.SUB!tr
  • MSIL/Agent.PEP!tr.dldr
  • MSIL/Agent.CTE!tr
  • MSIL/Agent.CFQ!tr
  • JS/Agent.PIJ!tr
  • BAT/Agent.B7E9!tr
  • BAT/Agent.ARX!tr.dldr
  • VBS/Agent.IFT!tr
  • PowerShell/Agent.2C1B!tr

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.

The FortiGuard CDR (content disarm and reconstruction) service can disarm the malicious macros in the document.

We also suggest that organizations go through Fortinet’s free NSE training module: NSE 1 – Information Security Awareness. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.

FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

  • hjkdnd[.]duckdns[.]org
  • mup830634[.]duckdns[.]org
  • markjohnhvncpure[.]duckdns[.]org
  • homoney177[.]duckdns[.]org
  • febvenom8[.]duckdns[.]org
  • rachesxwdavid[.]duckdns[.]org

  • hxxps://nanoshd[.]pro/files/new_image.jpg?14441723
  • hxxps://nanoshield[.]pro/new_image2.jpg?166154725
  • hxxps://kisanbethak[.]com/P/
  • hxxps://kisanbethak[.]com/K/

  • 06779e1015bd7dd2012ad03f7bb3f34e8d99d6ca41106f89cb9fb1ec46fe034e
  • 0b5631041336a58ab859d273d76c571dd372220dfa1583b597a2fe5339ad4bf7
  • 0f1d6aab547ceca6e71ac2e5a54afdaea597318fe7b6ca337f5b92fdff596168
  • 2373840bc455d601551304ec46c281b218e90a91dce3823709c213814636e899
  • 258578c03ca314ac3a636a91e8b3245230eae974cf50799d89b3f931e637014c
  • 411ad772af94a042413af482a2ef356d3217bcc5123353e3c574347cb93e3d5a
  • 4a4b5c22c877437c359ef2acaeeb059881da43b11798581cf2f31c2c83fc3418
  • 4cda23993d793ef070be7b9066f31a45b10c1e72d809f4a43726da977a0069d8
  • 51ecf11a64e934409bfada2b6f0c4d89c3420ca95640bc88f928906e6f0b4832
  • 53a522051e0319176dece493b7e2543135ed41c402adbfeda32a5f6be7d68175
  • 546a85e384ced3d4535bad16a877ecd36a79849c379c5daa357689116f042c1b
  • 5c5caa3182d6b121c1445d6ca81134ec262cd5ea4f9ef1944f993b63d1987647
  • 5f1746b4bd8d94d4d3feb1e2d4a829b6c3bab9341e272341f4b3a1da01d20745
  • 6aaff578555cb82159a9c16a159f0437c39b673744e0c537c4b7f0f67f56c5d9
  • 6ac5c7284aaa0c195723df7a78ae610a7ee096b3b5bc19f6838451acd438116e
  • 71a22bed7ab5a26158fc1cf1b7bb87146254672483aad72736817ff16e656c7b
  • 7d7a710e3c0e5da830213f9b72f44a72d721adcf17abc838f28286dde8a1e8d9
  • 7d9c8d44554ee10310805920afb51249a1e8cd3e32b430e8c9638fec316913d3
  • 85790dad1a0af5febd7d90e0ec9ce680ec87dcc31a94a25bfb454bb121164bfd
  • 8e97019f8c4712f1fc9728c4706112a5ef85a05aa809985709faef951925e094
  • 94b2e06e45407f193cfe58e18f5c250bbd1b8e857a754f1c366913129b9dada7
  • bee35a9d30d6f69cd6d173c6a6a93110cac59ab3710e32eced6f266581e88b87
  • cd1364d8c7f6f0246ed91cd294e2e506e7c94ba2f9a33c373c6fcfe04bbe17e7
  • d04bf1a9f6014bf4bcdb3ac4eb6d85bcc4159ae25a7f00c4493cbcb8e892e159
  • d05ad3dc62e1dc45fd31dc2382c1ea5e5f26f4f7692cb2ef8fd1c6e74b69fa16
  • dc2c1694d363d78cdfed0574cf51413b9b48d932e076033bb76cf69a4470b7e9
  • dceea68a037376b323d2a934f9fdc59bfbd2c2c0ed66014bdf059f403f4dc6f2
  • e190d172b7d3c7f1055052f0ed3da5d5979a8a2b622ca2fbcea90774a5bf6008
  • f02c04bc428694a11917375f41ecb7c7aa326cf242b4c56ed1e7b3ae14d5dd68
  • f4164be3d357682754559aa32ea74c284eee64140d3f56a63a225d5de10d051c
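As an added example of putting the indicators above to use (our code, not Fortinet's), the following Python refangs a subset of the post's defanged IoCs, sorts them into domains, URLs and SHA-256 hashes, and matches them against constructed DNS, proxy and EDR log lines in a simple key=value layout. The indicators quoted in RAW_IOCS come from the post; the log lines, their timestamps, the “src=” field names and the benign example.com request are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Indicators quoted from the post's IoC list, in the defanged form it uses.
RAW_IOCS = """
hjkdnd[.]duckdns[.]org markjohnhvncpure[.]duckdns[.]org febvenom8[.]duckdns[.]org
hxxps://nanoshd[.]pro/files/new_image.jpg?14441723 hxxps://kisanbethak[.]com/K/
06779e1015bd7dd2012ad03f7bb3f34e8d99d6ca41106f89cb9fb1ec46fe034e
"""


def refang(token):
    """Undo the defanging conventions used in the post so the value matches real logs."""
    return token.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


def classify(ioc):
    if re.fullmatch(r"[0-9a-fA-F]{64}", ioc):
        return "sha256"
    if ioc.startswith(("http://", "https://")):
        return "url"
    return "domain"


def load_iocs(text):
    table = {"sha256": set(), "url": set(), "domain": set()}
    for tok in text.split():
        v = refang(tok)
        kind = classify(v)
        if kind != "url":  # hashes and host names are case-insensitive; URL paths are not
            v = v.lower()
        table[kind].add(v)
    return table


def match_line(line, table):
    """Return (kind, ioc) pairs that this key=value log line touches."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    hits = []
    host = fields.get("query", "").lower() or None
    if "url" in fields:
        url = fields["url"]
        host = (urlparse(url).hostname or "").lower()
        hits += [("url", u) for u in table["url"] if url.startswith(u)]  # prefix match covers /K/<file>
    if host:
        hits += [("domain", d) for d in table["domain"] if host == d or host.endswith("." + d)]
    h = fields.get("file_hash", "").lower()
    if h in table["sha256"]:
        hits.append(("sha256", h))
    return hits


def scan_logs(lines, table):
    return [(i, kind, ioc) for i, line in enumerate(lines) for kind, ioc in match_line(line, table)]


# Constructed log lines (DNS, proxy and EDR); timestamps and the benign second line are made up.
LOG_LINES = [
    "2024-03-07T10:01:02Z src=dns query=hjkdnd.duckdns.org type=A",
    "2024-03-07T10:01:05Z src=proxy url=https://nanoshd.pro/files/new_image.jpg?14441723 status=404",
    "2024-03-07T10:02:11Z src=proxy url=https://www.example.com/index.html status=200",
    "2024-03-07T10:03:30Z src=edr file_hash=06779E1015BD7DD2012AD03F7BB3F34E8D99D6CA41106F89CB9FB1EC46FE034E action=created",
    "2024-03-07T10:04:00Z src=dns query=markjohnhvncpure.duckdns.org type=A",
    "2024-03-07T10:05:00Z src=proxy url=https://kisanbethak.com/K/Universallsningen.lpk status=200",
]

if __name__ == "__main__":
    for i, kind, ioc in scan_logs(LOG_LINES, load_iocs(RAW_IOCS)):
        print(f"line {i}: {kind} {ioc}")
```

Two details matter in practice: the hash comparison lowercases both sides because EDR products differ in hex case, and URL indicators that end in a directory (“/K/”) are matched as prefixes so that any file fetched from that path is caught.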

