AVLab.pl Test of security solutions in blocking attacks on Internet banking

Disclaimer

  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

L

Local Host

Andy Ful said:
Many malware samples used to use FTP, but most of them used Windows native support for FTP (FTP Server or web browser). The native support for FTP is enabled in Enterprises, but rarely in small businesses. That is why I am curious how often are malicious attacks via FTP without such support (Chrome removed FTP support and FTP Server is disabled by default on Windows Home and Pro).:unsure:
Click to expand...
You misunderstand, FTP is not disabled by default on Windows 10, this does not try to Host a FTP server on the infected machine, it accesses a FTP server (which is supported and enabled by default on all Windows versions).

This has been going on for years now, is nothing new.

The security suites pretty much block the FTP link in this test (the ones that passed at least).
 
  • Like
Reactions: cryogent, Zartarra, JB007 and 7 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Local Host said:
You misunderstand, FTP is not disabled by default on Windows 10, this does not try to Host a FTP server on the infected machine, it accesses a FTP server (which is supported and enabled by default on all Windows versions).

This has been going on for years now, is nothing new.

The security suites pretty much block the FTP link in this test (the ones that passed at least).
Click to expand...

Yes, you are right. My downloads via FTP in PowerShell were blocked, but not by the lack of native support. They were blocked by Constrained Language Mode in PowerShell. I corrected my previous posts.
Still, it is interesting how popular are the attacks in the wild performed fully via FTP.:unsure:
I can imagine that the malware can upload the data to the malicious FTP server and download from it the file with instructions. But such attacks have to transfer many files, so they are probably not popular.

Edit.
Here is some additional information about non-HTTP CnC servers for RATs:
www.zscaler.com

Catching RATs Over Custom Protocols

In this article, Zscaler security research team dissect the custom protocols used in some of the most prevalent RATs seen in recent campaigns. Read more.
www.zscaler.com www.zscaler.com
 
Last edited:
  • Like
Reactions: Zartarra, JB007, SeriousHoax and 6 others
Adrian Ścibor

Adrian Ścibor

From AVLab.pl
Thread author
Verified
Well-known
Apr 9, 2018
220
Andy Ful said:
Most of the tested products blocked the HTTP attack vector, so the question is how popular are the attacks performed fully via FTP.
Click to expand...
The question should be - why you shouldn't use a non-popular protocol to start attack, insteed know-well HTTP/S by everybody? Imagine a SMB protocol and vulnerability to propagate a huge ransomware attack in 2017 (NotPetya). Why you cannot use diferent attack method than usual? To check protection when it comes to HTTP protocol you can visit our Advanced In The Wild Malware Test on webiste: avlab[.]pl/en/

Therefore we want to try different protocol than HTTP/S to check vendor's protection, their reaction on simulate a running malware and delivered to the system in another way.

Nightwalker said:
I was going to ask exactly that, FTP protocol was dropped/deprecated in Chrome, Edge and Firefox, so how was it tested for browser internet banking protection?
Click to expand...
No, we have used a FTP client to drop malware to the system first. Next, if it wasn't blocked the samples was executed to check for example keylogging protection (system-wide and browser-based) or protection against stealing passwords from files that stored on disk.

Dear Readers! If you have another questions to change methodology or add another ways to try bypass protection, you can write here. Next edition of internet banking we can take this into consideration.
 
  • Like
  • +Reputation
Reactions: cryogent, Zartarra, JB007 and 11 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Adrian Ścibor said:
...
Dear Readers! If you have another questions to change methodology or add another ways to try bypass protection, you can write here. Next edition of internet banking we can take this into consideration.
Click to expand...

Using FTP to drop the malware is welcome in such tests and this is a well known attack vector. In the current methodology, the CnC server uses HTTP, and FTP is used only to download the banking malware.
If I could suggest some improvements then the test can be extended to CnC traffic via non-HTTP protocols, like FTP, SFTP, SMTP, Telegram API, or custom TCP protocols. This would be also justified by the results of the current test. Strictly speaking, only one AV missed the banking test (G Data), because all others manage to block the traffic with CnC server (via HTTP). Of course, we can suspect that some other AVs that allowed downloading the banking malware via FTP might also fail to block the CnC traffic via FTP, but it would be better to prove it in the test.
 
Last edited:
  • Like
  • Thanks
Reactions: cryogent, Zartarra, JB007 and 9 others
Adrian Ścibor

Adrian Ścibor

From AVLab.pl
Thread author
Verified
Well-known
Apr 9, 2018
220
Andy Ful said:
Using FTP to drop the malware is welcome in such tests and this is a well known attack vector. In the current methodology, the CnC server uses HTTP, and FTP is used only to download the banking malware.
If I could suggest some improvements then the test can be extended to CnC traffic via non-HTTP protocols, like FTP, SFTP, SMTP, Telegram API, or custom TCP protocols. This would be also justified by the results of the current test. Strictly speaking, only one AV missed the banking test (G Data), because all others manage to block the traffic with CnC server (via HTTP). Of course, we can suspect that some other AVs that allowed downloading the banking malware via FTP might also fail to block the CnC traffic via FTP, but it would be better to prove it in the test.
Click to expand...

Very interesting! Thanks for idea.
 
  • Like
Reactions: cryogent, JB007, SeriousHoax and 7 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592

Adrian Ścibor,​

I do not fully understand the below info:

1642769598451.png


It can be that I misunderstood what was blocked by SmartScreen :
  1. Did SmartScreen block the banking malware (downloaded via FTP and executed) so it could not do malicious actions?
  2. Was the banking malware neutralized when banking via Edge with enabled SmartScreen?
 
  • Like
Reactions: cryogent, JB007, SeriousHoax and 3 others
Adrian Ścibor

Adrian Ścibor

From AVLab.pl
Thread author
Verified
Well-known
Apr 9, 2018
220
Andy Ful said:

Adrian Ścibor,​

I do not fully understand the below info:

View attachment 263741

It can be that I misunderstood what was blocked by SmartScreen :
  1. Did SmartScreen block the banking malware (downloaded via FTP and executed) so it could not do malicious actions?
  2. Was the banking malware neutralized when banking via Edge with enabled SmartScreen?
Click to expand...

ad1. Unfortunately, it didn't. SmartScreen seems to be working for EDGE (http/s) and Microsoft Store.
ad2. Yes, the threat was prevented from starting, because SS.
 
  • Like
Reactions: Nevi, cryogent, JB007 and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Adrian Ścibor said:
ad1. Unfortunately, it didn't. SmartScreen seems to be working for EDGE (http/s) and Microsoft Store.
ad2. Yes, the threat was prevented from starting, because SS.
Click to expand...
Thanks.(y)
I think that the HTTP/S attack vector could be also successful against SmartScreen, if the banking payload was downloaded via HTTP/S without using the web browser (similarly to the FTP/S). Malc0ders usually do it in targeted attacks via scripts when using some LOLBins, COM objects, or PowerShell cmdlets. The file is downloaded without a MOTW, so it is not checked by SmartScreen or BASF.
In modern targeted attacks on businesses, Defender free on default settings would be insufficient protection.
 
Last edited:
  • Like
Reactions: cryogent, JB007, Venustus and 5 others

Similar threads

Adrian Ścibor
    • +Reputation
    • Like
    • Applause
AVLab.pl Summary of the Advanced In-The-Wild Malware Test – September 2024
Replies
7
Views
945
Security Statistics and Reports
Vitali Ortzi
Vitali Ortzi
Adrian Ścibor
    • Like
    • +Reputation
    • Hundred Points
AVLab.pl Cyber Transparency Audit Q2 2024 - "Transparency First. Then Trust"
Replies
6
Views
542
Security Statistics and Reports
Adrian Ścibor
Adrian Ścibor
Adrian Ścibor
    • Like
    • +Reputation
    • Hundred Points
EDR-XDR solutions overview - visibility of attacks in telemetry based on offensive fileless attacks
Replies
3
Views
535
Security Statistics and Reports
Adrian Ścibor
Adrian Ścibor

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top