AVLab.pl Test of security solutions in blocking attacks on Internet banking

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and make informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Local Host

Level 25
Verified
Top poster
Well-known
Sep 26, 2017
1,428
Many malware samples used to use FTP, but most of them used Windows native support for FTP (FTP Server or the web browser). The native support for FTP is enabled in enterprises, but rarely in small businesses. That is why I am curious how often malicious attacks via FTP occur without such support (Chrome removed FTP support and FTP Server is disabled by default on Windows Home and Pro). :unsure:
You misunderstand: FTP is not disabled by default on Windows 10. This does not try to host an FTP server on the infected machine; it accesses an FTP server (which is supported and enabled by default on all Windows versions).

This has been going on for years now; it is nothing new.

The security suites pretty much block the FTP link in this test (the ones that passed, at least).

Andy Ful

Level 79
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
6,803
You misunderstand: FTP is not disabled by default on Windows 10. This does not try to host an FTP server on the infected machine; it accesses an FTP server (which is supported and enabled by default on all Windows versions).

This has been going on for years now; it is nothing new.

The security suites pretty much block the FTP link in this test (the ones that passed, at least).

Yes, you are right. My downloads via FTP in PowerShell were blocked, but not by the lack of native support. They were blocked by Constrained Language Mode in PowerShell. I corrected my previous posts.
Still, it is interesting how popular attacks in the wild performed fully via FTP are. :unsure:
I can imagine that the malware can upload the data to the malicious FTP server and download from it the file with instructions. But such attacks have to transfer many files, so they are probably not popular.

Edit.
Here is some additional information about non-HTTP CnC servers for RATs:

Adrian Ścibor

From AVLab.pl
Thread author
Verified
Well-known
Apr 9, 2018
99
Most of the tested products blocked the HTTP attack vector, so the question is how popular attacks performed fully via FTP are.
The question should rather be: why shouldn't you use a non-popular protocol to start an attack, instead of the well-known HTTP/S used by everybody? Imagine an SMB protocol vulnerability used to propagate a huge ransomware attack in 2017 (NotPetya). Why can't you use a different attack method than usual? To check protection when it comes to the HTTP protocol you can visit our Advanced In The Wild Malware Test on the website: avlab[.]pl/en/

Therefore we want to try a different protocol than HTTP/S to check vendors' protection, that is, their reaction to a simulated running malware delivered to the system in another way.

I was going to ask exactly that: the FTP protocol was dropped/deprecated in Chrome, Edge and Firefox, so how was it tested for browser internet banking protection?
No, we used an FTP client to drop the malware onto the system first. Next, if it wasn't blocked, the samples were executed to check, for example, keylogging protection (system-wide and browser-based) or protection against stealing passwords from files stored on disk.

Dear Readers! If you have other questions, want to change the methodology, or want to add other ways to try to bypass protection, you can write here. In the next edition of the internet banking test we can take this into consideration.

Andy Ful

Level 79
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
6,803
...
Dear Readers! If you have other questions, want to change the methodology, or want to add other ways to try to bypass protection, you can write here. In the next edition of the internet banking test we can take this into consideration.

Using FTP to drop the malware is welcome in such tests, and this is a well-known attack vector. In the current methodology, the CnC server uses HTTP, and FTP is used only to download the banking malware.
If I could suggest some improvements, then the test could be extended to CnC traffic via non-HTTP protocols, like FTP, SFTP, SMTP, Telegram API, or custom TCP protocols. This would also be justified by the results of the current test. Strictly speaking, only one AV missed the banking test (G Data), because all others managed to block the traffic with the CnC server (via HTTP). Of course, we can suspect that some other AVs that allowed downloading the banking malware via FTP might also fail to block the CnC traffic via FTP, but it would be better to prove it in the test.

Adrian Ścibor

From AVLab.pl
Thread author
Verified
Well-known
Apr 9, 2018
99
Using FTP to drop the malware is welcome in such tests, and this is a well-known attack vector. In the current methodology, the CnC server uses HTTP, and FTP is used only to download the banking malware.
If I could suggest some improvements, then the test could be extended to CnC traffic via non-HTTP protocols, like FTP, SFTP, SMTP, Telegram API, or custom TCP protocols. This would also be justified by the results of the current test. Strictly speaking, only one AV missed the banking test (G Data), because all others managed to block the traffic with the CnC server (via HTTP). Of course, we can suspect that some other AVs that allowed downloading the banking malware via FTP might also fail to block the CnC traffic via FTP, but it would be better to prove it in the test.

Very interesting! Thanks for the idea.

Andy Ful

Level 79
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
6,803

Adrian Ścibor,

I do not fully understand the below info:

[image attachment: 1642769598451.png]

It can be that I misunderstood what was blocked by SmartScreen:
  1. Did SmartScreen block the banking malware (downloaded via FTP and executed) so it could not do malicious actions?
  2. Was the banking malware neutralized when banking via Edge with SmartScreen enabled?

Adrian Ścibor

From AVLab.pl
Thread author
Verified
Well-known
Apr 9, 2018
99

Adrian Ścibor,

I do not fully understand the below info:

[image attachment 263741]

It can be that I misunderstood what was blocked by SmartScreen:
  1. Did SmartScreen block the banking malware (downloaded via FTP and executed) so it could not do malicious actions?
  2. Was the banking malware neutralized when banking via Edge with SmartScreen enabled?

ad1. Unfortunately, it didn't. SmartScreen seems to be working for Edge (HTTP/S) and the Microsoft Store.
ad2. Yes, the threat was prevented from starting, because of SS.

Andy Ful

Level 79
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
6,803
ad1. Unfortunately, it didn't. SmartScreen seems to be working for Edge (HTTP/S) and the Microsoft Store.
ad2. Yes, the threat was prevented from starting, because of SS.
Thanks. (y)
I think that the HTTP/S attack vector could also be successful against SmartScreen if the banking payload was downloaded via HTTP/S without using the web browser (similarly to the FTP/S case). Malc0ders usually do it in targeted attacks via scripts, using some LOLBins, COM objects, or PowerShell cmdlets. The file is downloaded without a MOTW, so it is not checked by SmartScreen or BASF.
In modern targeted attacks on businesses, Defender free on default settings would be insufficient protection.
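The point made above is that SmartScreen only inspects files carrying the Mark of the Web (the Zone.Identifier alternate data stream), so a payload written to disk by an FTP client, a script or a LOLBin arrives untagged and is never screened. As an added example, not code from the thread, from AVLab or from any vendor, the following PowerShell audit lists executable and script files in a folder that lack that mark (or carry a non-Internet zone), which is how a defender can spot files that reached disk outside the normal download path. The folder path and the extension list are assumptions; adjust them to your environment.

```powershell
# Added example (not from the thread): audit a folder for executable/script files
# that lack the Mark of the Web (Zone.Identifier ADS). Such files are not screened
# by SmartScreen on execution. Default folder and extension list are assumptions.

param(
    [string]$Path = "$env:USERPROFILE\Downloads",
    [string[]]$Extensions = @('.exe', '.dll', '.msi', '.scr', '.js', '.vbs',
                              '.ps1', '.hta', '.bat', '.cmd', '.lnk')
)

function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$FilePath)

    $info = [pscustomobject]@{
        File     = $FilePath
        HasMotw  = $false
        ZoneId   = $null
        HostUrl  = $null
        Screened = $false
    }

    # Get-Content -Stream reads the Zone.Identifier ADS. It is absent when the file
    # was written by a tool that does not tag downloads, or when the tag was stripped.
    $lines = Get-Content -LiteralPath $FilePath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $info }

    $info.HasMotw = $true
    # The stream is INI-like: [ZoneTransfer], ZoneId=<n>, optionally ReferrerUrl= and HostUrl=.
    foreach ($line in @($lines)) {
        if ($line -match '^ZoneId=(\d+)\s*$')     { $info.ZoneId  = [int]$Matches[1] }
        elseif ($line -match '^HostUrl=(.+)$')   { $info.HostUrl = $Matches[1].Trim() }
    }
    # ZoneId 3 (Internet) or 4 (Restricted sites) is what triggers the SmartScreen
    # check on execution; 0-2 (local machine, intranet, trusted) do not.
    $info.Screened = ($null -ne $info.ZoneId) -and ($info.ZoneId -ge 3)
    return $info
}

$results = Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $Extensions -contains $_.Extension.ToLower() } |
    ForEach-Object { Get-MotwInfo -FilePath $_.FullName }

# Report only the files that would bypass the SmartScreen path: no MOTW at all,
# or a zone SmartScreen does not act on.
$results | Where-Object { -not $_.Screened } |
    Format-Table File, HasMotw, ZoneId, HostUrl -AutoSize
```

Run it on a machine where a browser download and a file fetched by a script or FTP client sit side by side: the browser download shows ZoneId 3 and a HostUrl, the other shows HasMotw = False. The same check can feed an endpoint inventory or a scheduled task so that untagged executables in user-writable locations are reviewed rather than trusted by default.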