Category "Testing"


Zero day testing of SigFree Cerberus.

SigFree Cerberus security software yields outstanding benefits

SigFree Cerberus v1.0 test results, including zero day malware testing, have just been released. Testing shows that Cerberus can detect malware and provides benefits to the user where other security software solutions cannot.

Tests using real life, zero day malware will tell whether security software provides benefits or not. DayZero Systems has just released testing performed during the final stages of development of SigFree Cerberus v1.0.

The conclusion is very clear. SigFree Cerberus found malware when other security software solutions could not. Cerberus delivers on its benefits.

SigFree Cerberus provides zero day protection against worms and other similar self-propagating and self-mutating malware, including many viruses. Cerberus does not require known signatures, so detection can occur before the malware spreads and causes costly damage, and before it steals personal information or uses system resources as part of a bot network.

A range of results were blogged recently. See a short summary at http://blog.dayzerosystems.com/2014/11/05/benefits/. This included two real life zero day events and one designed attack. There are links to more detailed reports. The designed attack was made with the popular test program, Metasploit, using the “sneaky attack” option.

The two real life malware examples are named fwkums and 5minut1. Both are infections that can install themselves when the user simply clicks on the wrong URL, image or email attachment.

The fwkums malware tested is a mutation of a prior infection. It’s very dangerous and can steal personal information as well as take over the computer. At the time of this test, only 9 of 53 other security software solutions could detect this new mutation, https://threatcenter.crdf.fr/?More&ID=418800&D=CRDF.Trojan.Spy-Generic.2557074387. SigFree Cerberus security software found the infection quickly.

The 5minut1 malware is an adaptive virus that behaves somewhat like a worm. It launches a full screen advertising window and can carry other payloads. By adaptive, we mean that it senses when an attempt is made to detect it and changes its behavior to try to evade detection. Since SigFree Cerberus does not require known signatures or behavior to detect the malware it targets, it found 5minut1 quickly. At the time, only 1 in 51 other malware detection software solutions could detect 5minut1, https://www.virustotal.com/en/file/12144360ede7a5fb8074e93e83d9e6cccad05148c2733ce5a7df46ee540952cb/analysis/1397402126/#additional-info.

The two above tests were successful. But testing of a security software solution like SigFree Cerberus is not complete without putting it up against “sneaky speed”.

Sneaky speed is often used to test networks. It challenges testers because it is designed to evade detection. It will change its behavior to avoid being found. But again, SigFree Cerberus found it quickly with its signature-free technology. Attempts at evasion are quickly thwarted by Cerberus.

The time has come for new thinking in internet security software and DayZero Systems is stepping up to the challenge. SigFree Cerberus v1.0 is the first in an arsenal of future signature-free applications to be released by DayZero Systems, the new leader in zero day threat protection. Cerberus does not protect systems from every type of malware. DayZero still recommends continued regular scans using Windows Security Essentials or, on Windows 8, use of Windows Defender.

SigFree Cerberus v1.0 comes with a free two week trial; just click: http://cerberus.dayzerosystems.com/download/. DayZero promotes safe computer use. After downloading, right click on the file name in its folder, click Properties, and click the Digital Signatures tab. This confirms that the software comes from a trusted, certified source. The version 1.0 license is US$14.00 per computer on which it is installed, comes with all v1.0 upgrades, and is not time-limited. The license may be bought through Digital River by clicking http://cerberus.dayzerosystems.com/buynow-v1/.


Benefits accrue to anyone who installs Cerberus

Benefits! That is what everyone wants from any type of software. With Cerberus, some benefits are dramatically clear. Other benefits may be “behind the scenes”. But there is no question that everyone obtains benefits from SigFree Cerberus’s unique signature-free protection.

Benefits of Cerberus were confirmed in testing during its final development stages. We already reported on testing of the malware 5minut1. Cerberus found this malware at a time when Virus Total reported that only 1 out of 51 virus engines was able to detect 5minut1. The figure below contains the link to Virus Total for 5minut1:
[Figure: Virus Total detection result for 5minut1]

You can also read more about this test on our blog at “5minut1.exe – zero day testing of Cerberus”.

We also reported on tests for fwkums. Fwkums is a very dangerous malware that can steal your personal information. It can also take control of your computer. At the time of our testing, only 9 out of 53 other detection engines could detect fwkums. You can also see that report on our blog at “fwkums – zero day testing of Cerberus”.

These tests demonstrated the benefits of Cerberus very well. Without needing signatures, as the other detection engines do, Cerberus found both quickly. Picture this: those bugs could have been on computers for months or years, and the other detection engines could not have found them until they caused damage. Only once someone saw the problem and traced its source could the other detection engines define signatures, or model the specific behavior of these infections.

But Cerberus needed none of that. Cerberus found these dangerous infections without knowing anything about them. Cerberus could have found them when they first gained entry to a computer! Those are the benefits of Cerberus!

Both of the examples mentioned above were designed to be evasive. This particular fwkums infection was a mutation. The 5minut1 infection was adaptive. It changed its behavior as it ran to try to evade detection. Both were quickly detected and neutralized by Cerberus. No damage was done by either infection. And Cerberus did this without known signatures or behavior patterns of these particular infections.

Another blog post covered three manufactured scenarios using the popular Metasploit tools. These also made Cerberus’ benefits clear. All three were reported in our blog post “Metasploit port scanning target for Cerberus”, but one of the most thrilling was blogged in detail in “Sneaky speed – why you need SigFree Cerberus”.

“Sneaky Speed” is a challenge. This scenario adapts its behavior to evade detection. Being adaptive, Sneaky Speed tests its boundaries and in this way determines a detection threshold. It then scans below that threshold to avoid being detected. However, Cerberus detected and contained sneaky speed only 125 milliseconds (0.125 seconds) after the start of the test. Nothing sneaky speed could do would convince Cerberus to let it go.

This demonstrates the validity and benefits of Cerberus’ signature-free approach! We suggest you give the free two week trial a go. Links are below.

To begin the download of your free two week trial of Cerberus, simply click http://cerberus.dayzerosystems.com/download/. Or you can find download links on our Landing Page. License sales are exclusively through Digital River and you can go to their MyCommerce site to buy a license by clicking on http://cerberus.dayzerosystems.com/buynow/.

5minut1 – excellent zero day test of Cerberus

5minut1.exe – This is an excellent example of a zero day test for Cerberus. This test demonstrates that Cerberus can find new zero day threats where others could not. In this case, only 1 of 51 threat protection solutions could detect this virus that acts somewhat like a worm. Cerberus detected 5minut1 immediately and controlled and then finally quarantined this bug!

5minut1.exe is a good example of Cerberus’ unique protection. Remember, when new threats are found, they may have been installed on many, many computers for a very long time. Sometimes, this type of zero day malware is not only annoying like 5minut1 but, instead, very destructive. Sometimes, it has been years until the active threat has been identified.

5minut1 has very interesting behavior as you will see below. This type of testing shows that Cerberus can find zero day malware long before other types of threat protection software. This is because Cerberus is signature-free.

This testing was done on April 15, 2014. This is the same day this new variant was added to the VXVault:
[Figure: VXVault entry for 5minut1]

On April 13, 2014, Virus Total reported that only 1 of 51 internet security programs was able to detect 5minut1. When we tested, Microsoft Security Essentials did not identify this virus. Cerberus detected this new malware immediately!

[Figure: Virus Total report for 5minut1]

The effect of 5minut1 was to launch an unframed, full-screen Internet Explorer advertising page about every 3 minutes. These unframed, full-screen pages are annoying not only because of the advertising or objectionable material they contain; they also lack the customary close and minimize buttons. With this type of virus, one never knows whether something more dangerous is lurking while this full screen window is dominating your screen, or whether something may be triggered if you try to get rid of the window.

In this case, 5minut1 shows evidence of being self-mutating. Different variants seem to have been reported to different repositories. This complicates detecting this type of malware by traditional means. But it also highlights the importance of Cerberus which doesn’t care if the malware mutates. Cerberus will continue to find it!

5minut1 attempted to stay below some threshold and was somewhat adaptive in an attempt to escape detection. However, Cerberus detected 5minut1 immediately. Because of the adaptive nature of 5minut1, Cerberus contained and then relaxed it 22 times before finally declaring it malicious and quarantining it. Cerberus suppressed the advertising payload every time, but 5minut1 would continue launching a blank IE window until it was finally quarantined.

All in all we consider this a resounding test of Cerberus’ unique capability and proof that it is a valuable addition to anyone’s internet security!

To begin the download of your free two week trial of Cerberus, simply click http://cerberus.dayzerosystems.com/download/. License sales are exclusively through Digital River and you can go to their MyCommerce site to purchase a license by clicking on http://cerberus.dayzerosystems.com/buynow/.

fwkums – zero day testing of Cerberus

fwkums – This is a zero day test for Cerberus. This test demonstrates that Cerberus can find new zero day threats where others could not.

fwkums is a good example of Cerberus’ unique protection. Remember, when new threats are found, they may have been installed on many, many computers for a very long time. Sometimes, this period is only months. Sometimes, it has been years until the active threat has been identified.

This type of testing shows that Cerberus can find these very destructive threats long before other types of threat protection software. This is because Cerberus is signature-free.

We’re going to tell you the download site for fwkums. Why? It’s important in verifying that this was a new variant. This new variant carried and planted slightly different, but known, variants of a trojan and a virus. We’re going to replace some letters of the url with xxx in three places so it cannot be accidentally triggered, or copied and pasted in a browser: hohidukxxx.mizubasxxx.xxx/fwkums.

WARNING: fwkums and its payloads are very dangerous malware. They can steal your personal information, alter settings on your computer, and take control of your computer.

The fwkums testing was run on May 16, 2014. Original Virus Total data is not available directly but the French threat center CRDF listed fwkums as first added to the database on May 15, 2014 (click the figure below to go to the CRDF page).
[Figure: CRDF Threat Center entry for fwkums (links to the CRDF page)]
The CRDF Threat Center also retained a snapshot of Virus Total on May 15, 2014 showing that only 9 out of 53 security programs had definitions for this variant.

The download of fwkums.exe was not flagged by Microsoft Security Essentials. Immediately, the process ovtoso.exe is installed, starts to scan, and attempts to contact outside URLs. Microsoft Security Essentials also did not flag this install and did not detect this process’ activity. However, on a reboot, early April 2014 variants of Trojan:WinNT/Necurs.A and PWS:Win32/Zbot.gen!GO are found and are also active. A Microsoft Security Essentials scan does later find these two files. Note that we only mention Microsoft because that is the only threat protection we checked. Remember again that it was not only Microsoft that did not find this particular variant upon installation: only 9 of 53 solutions were able to detect this variant at the time of this testing.

Keep in mind that if this variant had actually been first installed on systems three months before this date, Cerberus would still have found it. No others would have been able to identify fwkums.

Cerberus contains fwkums activity through three contain and relax cycles. Fwkums significantly decreases its activity and the processes are not quarantined. If fwkums should restart its activity, Cerberus would contain it again. Even if fwkums changes its identity, we would still expect Cerberus to find it.

Cerberus detected the fwkums process when most other solutions could not!

To begin the download of your free two week trial of Cerberus, simply click http://cerberus.dayzerosystems.com/download/. License sales are exclusively through Digital River and you can go to their MyCommerce site to purchase a license by clicking on http://cerberus.dayzerosystems.com/buynow/.

Sneaky speed – why you need SigFree Cerberus

Sneaky speed testing demonstrates why SigFree Cerberus is a necessary addition to your internet security measures! Please read the following. Then see below for a one-click path to starting your two week trial version of DayZero’s SigFree Cerberus.

Sneaky speed testing does just as the name implies. Sneaky speed is designed to evade intrusion detection attempts. This setting is adaptive. It adapts to the reaction it receives from any protection or intrusion detection attempts sensed. The reason it does this highlights the value of Cerberus. Sneaky speed is designed to defeat common rate limiting methods of detection and detection methods that use thresholds. For example, in the latter, being adaptive, Nmap tests its boundaries and determines the threshold. It then scans below that threshold to avoid being detected. However, Cerberus detected and contained Nmap sneaky speed in only 125 milliseconds (0.125 seconds) after start of test. Nothing sneaky speed could do would convince Cerberus to let it go. This demonstrates the validity and usefulness of Cerberus’ signature-free approach! Try the two week trial below the figure today!

[Figure: Cerberus containing the Nmap sneaky speed scan]

To begin the download of your free two week trial of Cerberus, simply click http://cerberus.dayzerosystems.com/download/. License sales are exclusively through Digital River and you can go to their MyCommerce site to buy a license by clicking on http://cerberus.dayzerosystems.com/buynow/.

Metasploit port scanning target for Cerberus

Metasploit test setups in the early development stages of Cerberus (The best part is the last by the way).

Metasploit is a tool used for network penetration testing. Penetration testing is done to discover a network’s vulnerabilities. For the basics of penetration testing, take a look at this Wikipedia article. For a bit more including a short mention of Metasploit, take a look at this InfoWorld article, “Penetration testing on the cheap and not so cheap”.

Within the Metasploit framework, Nmap was used as the port scanning solution. Nmap stands for network mapping. It has multiple capabilities but at the core, it probes to discover what other hosts and resources are available on a network.

We’ll show the results of tests using three of the Nmap scan modes. These were insane, polite and sneaky scan speeds.

In each test, you’ll also see that the process “Ruby Interpreter” is contained at the end. In Metasploit, Ruby can be used to write the commands to be issued to manage the target object. In each case, the Nmap scenario runs its course of port scanning as a worm infection may do. Afterwards, Cerberus then detects the Ruby Interpreter trying to send some illegitimate messages. This was added to the command sequence as a curiosity on our part and supports the conclusion that Cerberus is doing its job as was intended. In each case, it detected both worm-type scans as well as illegitimate messages. These were suspicious but none of these were malicious so none were quarantined. However, all were contained as should have been with Cerberus on the job.

Insane Speed

This is a very fast scanning rate. You can see in the figure below that Nmap was contained and then relaxed. Nmap actually tried several intermittent scans before starting insane speed. If this had continued it would have been contained. However, Nmap started to increase the scan rate and was contained only 63 milliseconds (0.063 seconds) after start of test. This figure does not show all the Ruby Interpreter activity which continued to send messages at long intervals and was contained and relaxed followed by a strong burst 30 minutes after start of test. They were all contained but never quarantined as none were malicious.

[Figure: Cerberus timeline for the insane speed Nmap scan]

Polite Speed

This mimics a very slow worm, which is usually difficult to detect. You can see in the figure below that Nmap was contained and then relaxed two times, the second at the end of the Nmap part of the test. Cerberus still contained Nmap only 109 milliseconds (0.109 seconds) after start of test. Again, neither Nmap nor Ruby were ever quarantined as they were not malicious despite the scans and messages being illegitimate.

[Figure: Cerberus timeline for the polite speed Nmap scan]

Sneaky Speed – This is a great example of why Cerberus is a great addition to your computer’s security measures!

This setting does just as the name implies. It is designed to evade intrusion detection attempts. This setting is adaptive. It adapts to the reaction it receives from any protection present. The reason it does this highlights the value of Cerberus. Sneaky speed is designed to defeat common rate limiting methods of detection and detection methods that use thresholds. For example, in the latter, being adaptive, Nmap tests its boundaries and determines the threshold. It then scans below that threshold to avoid being detected. However, Cerberus detected and contained Nmap sneaky speed in only 125 milliseconds (0.125 seconds) after start of test. Nothing sneaky speed could do would convince Cerberus to let it go. This demonstrates the validity and usefulness of Cerberus’ signature-free approach!

[Figure: Cerberus timeline for the sneaky speed Nmap scan]
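As an added illustration of the threshold evasion described in this sneaky speed section and in “Sneaky speed – why you need SigFree Cerberus” above (example code written for this page, not DayZero’s or Cerberus’ own code; the page does not describe how Cerberus actually detects), the block below replays constructed probe streams through a plain per-second rate threshold and through a detector that counts distinct destination ports over a longer window. The streams, window sizes and limits are all assumed values.

```python
"""Windowed detectors for scan-like outbound activity.

Added example, not DayZero's or Cerberus's code. Two detectors are run over
constructed probe streams: a per-second rate threshold, which a slow scanner
can stay under, and a fan-out counter over a longer window, which still trips
on the number of distinct destination ports touched. All numbers are assumed.
"""
from collections import deque
from typing import Deque, List, Optional, Tuple

Event = Tuple[float, int]  # (seconds since start of test, destination port)


def rate_threshold_alert(events: List[Event], max_per_sec: int) -> Optional[float]:
    """Classic rate limiter: alert the first time more than max_per_sec probes
    fall inside one second. Returns the alert timestamp, or None if never."""
    window: Deque[float] = deque()
    for ts, _port in events:
        window.append(ts)
        while window and ts - window[0] >= 1.0:
            window.popleft()
        if len(window) > max_per_sec:
            return ts
    return None


def fanout_alert(events: List[Event], window_s: float, max_ports: int) -> Optional[float]:
    """Fan-out detector: alert when more than max_ports distinct destination
    ports are touched inside any window_s seconds, whatever the probe rate."""
    window: Deque[Event] = deque()
    for ts, port in events:
        window.append((ts, port))
        while window and ts - window[0][0] >= window_s:
            window.popleft()
        if len({p for _, p in window}) > max_ports:
            return ts
    return None


def constructed_stream(interval_s: float, n_ports: int) -> List[Event]:
    """Constructed sample data: one probe to a fresh port every interval_s seconds."""
    return [(i * interval_s, 1 + i) for i in range(n_ports)]


def compare(events: List[Event]) -> dict:
    """Run both detectors with the assumed limits and report time to first alert."""
    return {
        "rate_threshold": rate_threshold_alert(events, max_per_sec=10),
        "fanout": fanout_alert(events, window_s=60.0, max_ports=20),
    }


if __name__ == "__main__":
    slow = constructed_stream(interval_s=1.5, n_ports=200)   # under 1 probe/s
    fast = constructed_stream(interval_s=0.01, n_ports=200)  # 100 probes/s
    print("slow scan:", compare(slow))   # rate_threshold None, fanout 30.0
    print("fast scan:", compare(fast))   # both alert within the first second
```

The slow stream never puts more than one probe inside any one-second window, so the rate threshold stays silent for the whole 200-port sweep; the fan-out detector fires after the 21st distinct port, 30 seconds in, because the sweep's breadth, not its speed, is what it measures.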

Rongvhin.C – Development stage test results

The Rongvhin family of malware is a trojan, sometimes referred to as a virus. It is not one that we were designing Cerberus to catch as, while a pest and difficult to remove, it is not that dangerous. At least in relative terms, we would call it less dangerous than others. It is also not a worm and not known as self-propagating.

The version tested, Rongvhin.C, was discovered in October 2013. We performed this testing on March 18, 2014. We knew mostly what to expect and this was not a test to determine how Cerberus performed with zero day malware. Rongvhin.C is most correctly described as a trojan but is also often discussed as a virus.

Rongvhin’s main purpose seems to be to generate reputation and Google rankings for certain ads, websites or software downloads for its authors or their customers. Rongvhin.C may also change the blocked and allowed sites set on your computer. This can be rectified by returning to the default values. You can read more about the Rongvhin family and Microsoft’s suggested manual removal method at http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanClicker%3aWin32%2fRongvhin.C#tab=1.

We installed TrojanClicker:Win32/Rongvhin.C from the file H_LOADER.exe. This installed the files miniads.exe, miniads2.exe, miniads3.exe and adsminirun.exe. This is where the name confusion enters: while Rongvhin.C is a trojan, the executables it installs behave as viruses.

During our testing, miniads.exe and miniads3.exe were the only ones to become active. Miniads.exe did not display malicious activity but tried to send several messages. Miniads3.exe would try to send out messages about every 8 minutes and SigFree Cerberus would contain it. If it is not contained, it sends messages for about 2 minutes, goes dormant for 8 more minutes, and then repeats the cycle. However, Cerberus contained it, meaning that Cerberus stopped its messages from being sent out to the web.

[Figure: Cerberus containing the Rongvhin.C processes]

Cerberus did not quarantine these processes. Cerberus can control the Rongvhin.C programs by simply containing them when they attempt to send messages. Through Cerberus’ actions, you may determine that you want to remove the infection from your computer. But even if you choose not to do so, Cerberus will still be protecting you. Cerberus will continue protecting even if Rongvhin.C mutates or is changed into a new variant that other programs cannot protect against. Cerberus does not need known signatures!

As with Sirefef discussed in a prior blog entry, this was a test at an early stage of development before all features were installed and the program optimized. We consider this test a success! SigFree Cerberus protected the computer from the effects of the Rongvhin.C trojan and rendered its objects useless to complete their tasks!

Sirefef – Early development stage test results

The Sirefef family of malware is a virus. It is not one that we were designing Cerberus to catch as, while a pest and difficult to remove, it is not that dangerous. At least in relative terms, we would call it less dangerous than others. It is also not a worm and not known as self-propagating.

The version of Sirefef tested was discovered in November 2013. We performed this testing on March 12, 2014. We knew what to expect and this was not a test to determine how Cerberus performed with zero day malware.

Sirefef’s main purpose seems to be to generate ad revenue for its authors by altering search results. It may download updates to add to its capability or to alter its signature. It seems capable of carrying a payload. You can read more about the Sirefef family and Microsoft’s suggested manual removal method at http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Virus:Win32/Sirefef.gen!B.

We ran this test on Windows XP SP3, as it is most likely the most vulnerable platform.

We installed TrojanDropper:Win32/Sirefef.gen!B. Scanning, we found files TrojanDropper:Win32/Sirefef.gen!B, Trojan:Win32/Sirefef, and Trojan:Win32/Sirefef.AB. The virus is capable of turning off Windows firewall and Microsoft Security Essentials. Added protection in this case is definitely a benefit.

The virus infected two host processes, services.exe and svchost.exe. Services.exe was the most active and was contained five times by SigFree Cerberus and then quarantined. This process would go dormant when contained but was finally deemed malicious. It was almost five seconds after installation that the process was quarantined but most of this time it had returned to its dormant state.

As we mentioned, this is often the case with the operation of Cerberus. The suspect will respond to being contained by moving to a dormant state. With some malware, repeating this action is enough to exhaust the malware. This repeated containment is not dangerous: containment is simply a first stage of quarantine. We developed this method to prevent containment of good objects. Remember, we are signature-free. We are not only trying to find malware that has already been found; our objective is to find our targets quickly and to be able to find our zero day targets just as quickly.
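As an added illustration of the contain, relax and quarantine escalation this paragraph describes (a model written for this page, not DayZero’s implementation; the relax period and the number of containments that trigger quarantine are assumed values, chosen small so the replay is short), the block below replays constructed activity timestamps for a suspect process and records each containment, relaxation and quarantine decision.

```python
"""Contain / relax / quarantine escalation model.

Added example, not DayZero's or Cerberus's code. It models the escalation
the page describes: a suspect is contained when it acts suspiciously,
relaxed once it has stayed dormant for a while, and quarantined when
containment has been repeated too often. Thresholds are assumed values.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

NORMAL, CONTAINED, QUARANTINED = "normal", "contained", "quarantined"


@dataclass
class Suspect:
    name: str
    state: str = NORMAL
    contain_count: int = 0
    last_activity: float = 0.0
    log: List[Tuple[float, str]] = field(default_factory=list)  # (time, action)


class EscalationPolicy:
    def __init__(self, relax_after_s: float, max_contains: int):
        self.relax_after_s = relax_after_s  # dormant this long -> relax (assumed)
        self.max_contains = max_contains    # contained this often -> quarantine (assumed)

    def on_suspicious(self, s: Suspect, ts: float) -> None:
        """Suspicious activity (e.g. an outbound message attempt) seen at ts."""
        if s.state == QUARANTINED:
            return                      # already isolated; nothing more to do
        s.last_activity = ts            # attempts while contained keep it contained
        if s.state == NORMAL:
            s.contain_count += 1
            if s.contain_count >= self.max_contains:
                s.state = QUARANTINED   # repeated resumption: declare malicious
                s.log.append((ts, "quarantine"))
            else:
                s.state = CONTAINED     # block the activity, watch what it does
                s.log.append((ts, "contain"))

    def tick(self, s: Suspect, now: float) -> None:
        """Periodic check: relax a contained suspect that has gone dormant."""
        if s.state == CONTAINED and now - s.last_activity >= self.relax_after_s:
            s.state = NORMAL
            s.log.append((now, "relax"))


def run(name: str, activity_times: List[float], policy: EscalationPolicy,
        horizon: float, step: float = 1.0) -> Suspect:
    """Replay constructed activity timestamps through the policy, ticking every step."""
    s = Suspect(name)
    pending = sorted(activity_times)
    t = 0.0
    while t <= horizon:
        while pending and pending[0] <= t:
            policy.on_suspicious(s, pending.pop(0))
        policy.tick(s, t)
        t += step
    return s


if __name__ == "__main__":
    policy = EscalationPolicy(relax_after_s=5.0, max_contains=5)
    # Constructed: resumes every 10 s after being relaxed -> quarantined on 5th contain.
    persistent = run("persistent", [0.0, 10.0, 20.0, 30.0, 40.0], policy, horizon=60.0)
    # Constructed: gives up after two attempts -> contained twice, never quarantined.
    dormant = run("dormant", [0.0, 10.0], policy, horizon=60.0)
    for s in (persistent, dormant):
        print(s.name, s.state, s.contain_count, s.log)
```

The replay makes the distinction in the text concrete: a suspect that keeps resuming after each relaxation is eventually declared malicious and quarantined, while one that stays dormant after containment is only ever contained and relaxed, which is what the page reports for miniads3.exe and the second Sirefef instance.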

The second instance of the virus infected svchost.exe but was almost inactive. SigFree Cerberus contained it six times during the test but it fell dormant each time. It presented no danger.

Again, this was a test at an early stage of development before all features were installed and the program optimized. We consider this test a success!