Antivirus shortens the life-time of financial malware

October 23, 2012

This title breathes a certain amount of obviousness, but most financial malware (banking Trojans) is actually designed by cyber-criminals to avoid detection and hide from antivirus programs. The main goal of these digital bank robbers is clearly to steal your money by manipulating online bank transactions.

Research by SurfRight shows that the average life-time of a banking Trojan on a computer is 81 days for computers that do not have an up-to-date antivirus program. On a fully protected computer, one that has an up-to-date antivirus program, the average life-time of a banking Trojan is 25 days.

New users
These statistics are based on scan results from new users who run HitmanPro for the first time. Since they depend on a user's decision to get a second opinion and download HitmanPro, these numbers should not be taken as exact science. Nonetheless, they are a clear indication that using an up-to-date antivirus program dramatically reduces the life-time of a banking Trojan.

Long time
Many people will now ask “why didn’t the antivirus program catch the banking Trojan right away? 25 days is still a long time.”

That is a valid question. If the antivirus program stops the banking Trojan right away, HitmanPro will never detect one on that computer because it was never there; the 25 days is the life-time of only those Trojans that got past the antivirus program. Antivirus programs are the last line of defense and will stop the vast majority of malware attacks, but not 100%.

  • Does the police prevent all robberies? They should, but they don’t.
  • Does the coast guard stop all drug transports before entering the country? They should, but they don’t.
  • Is a doctor’s diagnosis correct every time? It should, but it isn’t.

In other words: Using an antivirus program on your computer will stop most malware attacks, and will reduce the life-time of malware that has slipped the defenses and silently installed itself on the computer.

BBC Click: How banking Trojans go undetected and steal your money

How did we measure?
2,465,497 users scanned their computer with HitmanPro between October 2011 and October 2012 (1 year). The above mentioned statistics are not based on laboratory research but are derived from real-world computers. The HitmanPro agent reported back the date the banking Trojan was installed on the computer, together with which antivirus program the user was running (including its update status) before HitmanPro removed the banking Trojan. The specific banking Trojans we counted for this statistic were Zeus, Citadel, SpyEye and Tinba.
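As an added illustration (not SurfRight's code), this is how the life-time statistic described above can be computed from agent reports: dwell time is removal date minus install date, split by antivirus status and restricted to the four named families. The record fields and the sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean

# Families counted in the SurfRight statistic (named on the page).
BANKING_TROJANS = {"Zeus", "Citadel", "SpyEye", "Tinba"}

@dataclass(frozen=True)
class ScanReport:
    """One agent report (assumed layout): what was found, when it was
    installed and removed, and the resident antivirus and its status."""
    family: str
    installed: date
    removed: date
    av_product: str
    av_up_to_date: bool

def dwell_days(report: ScanReport) -> int:
    """Life-time of the infection on that computer, in days."""
    return (report.removed - report.installed).days

def average_lifetime(reports):
    """Average dwell time in days, keyed by antivirus status
    (True = up-to-date antivirus present, False = not).

    Only the four banking-Trojan families are counted. A removal date
    earlier than the install date is a clock anomaly and is dropped
    rather than silently skewing the average. An empty bucket maps to
    None. Note the survivorship caveat from the text: only Trojans that
    got past the antivirus program ever appear in these reports.
    """
    buckets = {True: [], False: []}
    for r in reports:
        if r.family not in BANKING_TROJANS:
            continue
        d = dwell_days(r)
        if d < 0:
            continue
        buckets[r.av_up_to_date].append(d)
    return {k: (mean(v) if v else None) for k, v in buckets.items()}

# Constructed sample reports (hypothetical values, not SurfRight data).
SAMPLE = [
    ScanReport("Zeus",      date(2012, 8, 1), date(2012, 8, 29), "AV-A", True),
    ScanReport("Citadel",   date(2012, 7, 5), date(2012, 7, 27), "AV-B", True),
    ScanReport("SpyEye",    date(2012, 5, 1), date(2012, 7, 30), "AV-A", False),
    ScanReport("Tinba",     date(2012, 6, 1), date(2012, 8, 1),  "none", False),
    ScanReport("Conficker", date(2012, 1, 1), date(2012, 9, 1),  "AV-C", True),   # not a banking Trojan
    ScanReport("Zeus",      date(2012, 9, 9), date(2012, 9, 1),  "AV-B", True),   # clock anomaly
]

if __name__ == "__main__":
    print(average_lifetime(SAMPLE))
```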

Last August, our HitmanPro agent discovered Citadel Trojans within the Dutch government during the Dorifel outbreak. We also discovered that these Trojans had been active on fully protected computers for roughly three to four weeks without being detected. This period – shocking for most people – was clearly not an isolated incident but is in line with our research results.

AV-Comparatives Malware Detection Comparative

October 2, 2011

AV-Comparatives, an Austrian non-profit organization that provides independent antivirus software tests free to the public, recently released the results of its “On-demand detection of malicious software” test, in which 20 well known antivirus products were compared.

The 10 highest scoring products detected between 97.3% and 99.7% of a test set of over 200,000 malicious files, which means that on average over 2,000 (!) malicious files were not detected.

And if you are not using one of the antivirus products in the top 10 but one of the other products (including some very well known names), you might be at even greater risk.

See for the full test report.

Click here to check what your Antivirus product might have missed.

1 out of 3 users with up-to-date antivirus software are still infected with malware

May 23, 2011

The survey was conducted between January 1st and March 31st 2011 with 489,469 users who scanned their computer using SurfRight’s Hitman Pro 3 Behavioral Scan. While nearly two thirds of users (320,279) had an up-to-date antivirus program installed, some 169,190 users had not. Of even greater concern was that 101,498 (32 percent) of those with the latest antivirus software were found to be infected with malware.

See for the full results.

Microsoft cures 260,000 TDL3 infections

May 3, 2010

Microsoft’s Malicious Software Removal Tool (MSRT) cleaned over 260,000 computers that were infected by Alureon (aka TDL3 or TDSS). See for more details.

MSRT is effective against TDL3 up to version 2.273, but it has no effect against newer versions of TDL3 (spreading since April 2010). Hopefully Microsoft will be able to clean these soon. But the good news is that at least these 260,000 people were rescued.

From our own user base, we see that 32,610 computers were infected with TDL3, while 22,607 of those computers (69.3%) had an up-to-date antivirus program installed. Most antivirus programs are able to prevent an infection, but once the machine is infected, many antivirus programs have difficulties detecting and removing it. TDL3 has been spreading since October 2009.

Microsoft unintentionally cleaned virus-infected PCs

February 20, 2010

Unknowingly, Microsoft was able to clean a lot of computers that were infected by the TDL3 rootkit (aka TDSS aka Alureon), although it was a pretty drastic method: when users installed the Windows patch, their computer was unable to boot and had to be restored.

Microsoft recently confirmed that the recent Windows XP crashes were caused by a rootkit called Alureon.

After the patch was released, the authors of the rootkit modified their code and updated their users, but apparently they lost a lot of users.

We currently see a significant reduction in the number of users who are infected by this rootkit and use Hitman Pro to clean their PC. Since mid January, about 15-20% of the Hitman Pro users who were infected were infected by this rootkit (TDL3 aka TDSS aka Alureon). After February 10 (when the Windows patch was released) this dropped to below 10%.

Interesting detail: of all the TDL3-infected systems, more than 75% were using an up-to-date antivirus program. Nearly all antivirus programs are still unable to detect a TDL3 rootkit infection.

TDL3 rootkit authors have fixed their incompatibility with Microsoft’s MS10-015 patch, as can be seen in the right corner of the graph: the rootkit is on the rise again.