Newest Windows Version Runs Oldest Malware Still in Wildcore

Bogdan BOTEZATU

November 06, 2012

Ever since the release of Windows 8, one of the key marketing points of the new OS made in Redmond was built-in safety. Given that we’re a curious bunch of people here in the Labs, we decided to take an Enterprise version of Win 8 for a spin and see for ourselves how it performs in the vanilla state.

So, we took samples of the 100 most frequently encountered families of malware as we’ve seen them in the past six months and tried to see how many of them can actually run successfully on the Windows 8 system, despite the default presence of UAC, Windows Defender and the rest of the security enhancements snuck into the OS (ELAM and Safe Boot, for instance).

Testing methodology

Step 1: To carry out the test, we used two identical machines running stock configurations of Windows 7 and Windows 8 respectively.

Step 2: After running a malicious sample and assessing whether the computer has been compromised or not, the system is rebooted to a clean operating system and testing resumes. It is assumed that the piece of malware has successfully infected the PC when it has spawned its own process and kept that process running until reboot.

Controlling the machines with one script

Step 3 – Testing on Windows 7, Windows 8 and Windows 8 with Windows Defender: The malware test on Windows 8 was carried out in two steps, as follows:

a) In order to ensure that the Windows 7 and Windows 8 environments are on par, we disabled the anti-malware solution that ships by default with Windows 8 in the first test.

b) The second test was a real-life scenario, with Windows 7 versus Windows 8 + Windows Defender.

Step 3: The malicious sample set was built of 380 samples of the most popular 100 families of malware in the past six months, as reported by the Bitdefender Real-Time Virus Reporting System. These samples were hosted on an internal FTP repository and copied to the machine after booting it up.

Step 4: After running the sample in the selected environment, the Python script emails a detailed report with the process differences between the original system and the infected one.

Reports on spawned processes sent via e-mail
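The compromise check described in steps 2 and 4, as an added example written for this post (not the Labs' own script, which the post does not publish): a process-list diff between the clean baseline and snapshots polled until reboot, with the "spawned its own process and kept it running" verdict and the text of the report. The `Proc` record, the snapshots and the host name are constructed; collecting real snapshots and sending the e-mail are left to the caller.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    path: str  # image path; lets a rogue svchost.exe in %APPDATA% differ from the real one

def _key(p):
    # Compare by (name, path), not PID: a dropper that exits and relaunches its
    # payload under a new PID must still count as the same new process.
    return (p.name.lower(), p.path.lower())

def new_processes(baseline, snapshot):
    """Processes in snapshot that were not in the clean baseline."""
    seen = {_key(p) for p in baseline}
    return [p for p in snapshot if _key(p) not in seen]

def infected(baseline, polls):
    """Verdict per the test's rule: infected only if some new process appears in
    every poll taken between execution and reboot, i.e. it spawned and stayed."""
    survivors = None
    for snap in polls:
        keys = {_key(p) for p in new_processes(baseline, snap)}
        survivors = keys if survivors is None else survivors & keys
    survivors = survivors or set()
    return bool(survivors), sorted(survivors)

def format_report(host, baseline, polls):
    """Plain-text body for the e-mail report: verdict plus the persistent newcomers."""
    verdict, procs = infected(baseline, polls)
    lines = [f"host: {host}", f"verdict: {'INFECTED' if verdict else 'clean'}"]
    lines += [f"  persistent new process: {name} <{path}>" for name, path in procs]
    return "\n".join(lines)

# Constructed snapshots (hypothetical, not captured from a real machine).
BASELINE = [Proc(4, "System", ""), Proc(612, "explorer.exe", r"c:\windows\explorer.exe"),
            Proc(700, "svchost.exe", r"c:\windows\system32\svchost.exe")]
PAYLOAD = r"c:\users\lab\appdata\roaming\svchost.exe"
POLLS_INFECTED = [  # dropper sample.exe runs once; its payload survives under a new PID
    BASELINE + [Proc(1500, "sample.exe", r"c:\test\sample.exe"), Proc(1520, "svchost.exe", PAYLOAD)],
    BASELINE + [Proc(1544, "svchost.exe", PAYLOAD)],
]
POLLS_CLEAN = [BASELINE + [Proc(1600, "sample.exe", r"c:\test\sample.exe")], BASELINE]

if __name__ == "__main__":
    print(format_report("win8-vanilla", BASELINE, POLLS_INFECTED))
    print(format_report("win8-vanilla", BASELINE, POLLS_CLEAN))
```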

Imagine our surprise when, among reports of failed executions triggered by malware that either tripped Windows Defender detections or got blocked by UAC, we saw 7-year-old malware such as the Zlob Trojan, a couple of AutoIt worms and two generic mass-mailer worms run without any “compatibility” issues.

Put briefly, if the piece of malware to be run does not require UAC elevation, does not try to install a rootkit driver and is not intercepted by Windows Defender, it gets executed.

It is true that Windows 8 comes with great innovations in terms of security, such as protection against rootkits when an antivirus runs atop the OS, but last time we checked, rootkits accounted for roughly 5 percent of the global production of malware. UAC, another feature that is supposed to help mitigate the impact of malware, has been on the market long enough to force malware creators to redesign their creations not to require extra privileges, so we didn’t expect it to be a great differentiator.

Bottom line, if you’re an early Windows 8 adopter or if you’re planning to deploy it anytime soon, you should keep in mind that most of the innovations on security built into the new OS are meant to assist the antivirus in the fight against malware, and not to replace it.

[Python magic and test machine setup courtesy of Alex Coman, Malware Researcher]
