Leaked files from state-sponsored hackers reveal which protection their trojans can’t get past

Leaked files from state-sponsored hackers reveal which protection their trojans can’t get past

Your typical anti-malware provider has their products tested in a lab to bolster credibility. But with recent leaks on massive surveillance companies, there’s new data available to help measure how good popular anti-malware products are at detecting unwanted threats.

What do surveillance companies have to do with anti-malware?

There is a lot of controversy that surrounds big surveillance firms, and for good reasons. These companies help their clients (often times government agencies) spy on people and on other organizations or countries.

While many claim that this is for the safety of their people, big governments often have to hire these firms that specialize in making malware, breaching the privacy of unassuming individuals. How these firms develop their malware deeply involves anti-malware programs – they must test leading anti-malware software so that they can develop undetectable trojans that successfully infect systems.

Normally, this kind of internal information is kept incredibly private. These firms have highly sensitive data concerning their products and their customers that could really compromise international intelligence agencies.

But some high-profile leaks in the last twelve months are not only political, they’re practical. Below we’ll discuss two surveillance hacks that reveal which anti-malware providers are actually most effective in keeping unwanted programs off your computer.

Hacking Team’s trojan detected by 5 out of 34 antivirus vendors

Hacking Team is a Milan-based company that provides surveillance technology to clients from all over the world, including governmental agencies in countries such as Russia and the United States.

In early July, an unknown hacker released a torrent of 400 GB of company data. This included internal communications and code, as well as records of anti-malware testing. This screenshot of one of their internal documents shows a number of anti-malware suppliers and how Hacking Team’s trojan, Galileo, fared against their products in performance tests.

Emsisoft Anti-Malware blacklisted by Hacking Team

Emsisoft Anti-Malware blacklisted by Hacking Team – Source: Hacking Team

Green means the malware bypassed the antivirus and was able to infect the system. Yellow means it was able to infect the system and was operational, but during the process some unspecific pop-ups may have appeared (like a generic firewall alert). Red means that a malware detection was triggered. A few vendors were ‘blacklisted’ by Hacking Team’s trojan. That means, the malware doesn’t even bother to start any action when it notices that a specific protection software is running. That way it remains hidden, but also can’t do any spying. As you can see in the full table, only 5 out of 34 vendors were able to detect the Hacking Team malware.

FinFisher’s malware agent FinSpy able to bypass 31 out of 35 vendors

FinFisher is a German-based firm responsible for programs that enable governments to surveil citizens. This type of surveillance, called “lawful interception malware” is very controversial, as it’s questionable if these programs actually help protect people at all.

In September 2014 Wikileaks took a stand against FinFisher and accused the surveillance firm of selling their products and services to oppressive regimes. This leak involved the company’s malware as well as internal documents. Among the information leaked was a table of anti-malware softwares, which reveals what programs their malware agent FinSpy was able to dupe and which ones it wasn’t. FinFisher tested different programs with different versions of the trojan, and recorded how the different anti-malware programs responded to each threat. The following table gives an overview of the results. In the “Full Trojan” column (Install Admin) you can see which vendors warned or blocked the full trojan.

FinSpy wasn’t able to dupe Emsisoft – Click to see the full list

The green “pass” means that the antivirus didn’t detect any threat. The yellow “warn” means that the antivirus detected the trojan as suspicious and alerted the user about it. The red “fail” means that the trojan was detected as malicious. As you can see, the majority of vendors were not able to detect FinSpy at all (green). Only 4 out of 35 vendors reliably detected the threat as suspicious (yellow) or malicious (red) and therefore blocked it completely.

Consider your privacy needs when choosing software

In studying the tables above, it’s important to remember that products that failed to detect these trojans may be just as likely to fail to detect others. It’s also possible that these products are run by companies that work with state-sponsored firms rather than against them. What are your privacy needs? Are you concerned with protecting yourself against government surveillance?

Choosing a program that keeps you safe from all types malware may seem impossible, but the tables above give you an unbiased look at what really works against surveillance trojans:

1. Vendors that detect Hacking Team’s trojan

Emsisoft was able to block the Hacking Team trojan and was given the great honor of being blacklisted as a result! Sophos and CMC AV were the other programs that Hacking Team blacklisted. Comodo and Rising also did a great job by detecting and blocking Hacking Team’s trojans in most cases. A few other vendors showed “not-so-worrysome” popups for Hacking Team, while all other vendors were not able to detect the trojan at all.

2. Vendors that detect Finfisher’s malware

Emsisoft Anti-Malware, Comodo Internet Security, Outpost Security Suite Pro and Trusport Total Security are the only vendors that were able to detect Finspy’s full trojan in all cases.

As shown above, Emsisoft performed very consistent since both Hacking Team and Finfisher’s malware had issues getting past (if at all). Whatever program you choose, know that your privacy is important — don’t put it in the wrong hands.

Have a great, malware-free day!

  • Great stuff, I always knew Emsisoft was an excellent product. The hackers just proved it.

  • m1lhaus

    There has been 400GB data leak, not 400MB. Am I right?

    • Fabian Wosar

      Thanks. The typo has been fixed.

  • Ken Esq

    Chrome is warning against going to WIkiLeaks (your links)

    • Christian

      It’s a false positive in Chrome’s safe browsing filter. You may check the website address at http://www.virustotal.com to confirm that no antivirus product is finding any threats on that Wikileaks page.

  • Lawrence Shimer

    lol, nothing more than scare tactics to promote a product. They count on you taking this literal.
    I would gladly take this test just running Malwarebytes Pro alone with no antivirus in place.
    Emsisoft’s scores are so far below the national average that they would rather have you focus on this bit of information thats produced “in house”.

    • Christian

      1. The information provided here is not from us, but from the leaked documents of Hacking Team and FinFisher. See the image links even go to the original sources to verify yourself. I admit it is scary and heavy stuff, but not being made scary by us. Big difference!

      2. I’m sure you can show proof for your ‘score’ accusation. So far, all real-time protection tests I’ve seen Emsisoft ranks significantly better than Malwarebytes. AV-Comparatives awarded Emsisoft as one of the top rated products 2014 and Emsisoft Anti-Malware had the lowest number of total infected systems across ALL real-world protection tests in 2014. That’s hard evidence, just see http://www.av-comparatives.org

      • Lawrence Shimer

        lol on respected sites like PC mag your AV is not listed within the top 5 of 2015.
        Malwarebytes is not an AV and still it out performs Emsisoft.
        Say what you want but a little digging on the part of the consumer can and will paint a very clear picture.
        I dont have an issue with Emsisift, what I have an issue with is the scum companies that employ the “fear tactics” to promote or sell a product, that is shitty marketing.
        Any company that has to employ these tactics is screaming “Stay away, don’t buy me”
        Stand on your strengths and your product will sell itself right ?
        not so much. lol

  • John D Lord

    Excellent. Congratulations Christian and Team Emsisoft….wunderbar, warum dumme Leute denken, freeware ist gutware, ist es fur dumkopfen .

  • I’ve been using Emsisoft in combo with Microsoft Security Essentials , and I find them to be a one two knockout .
    Emsisoft is the most comfortable anti anything suite I’ve used , and you can’t go wrong with that . Why they even check your results and repair false positives , Bravo Emsisoft .

  • David Beetham

    I am using chrome/Google on my boost android phone, and it is NOT blocking wikileaks….

  • bonbonboi

    Even so I cant believe Emsisoft could make it longer, I believe Emsisoft every single day receives a lot of offers to corporate with such agencies around the world in return for a lot, way a lot of cash.

  • bonbonboi

    I reviewed the Anti-Virus-Results-FinSpy-PC-4.51 file, the Emsisoft got a lot of passed results plus some warns (Most user don’t know how to respond to such warns). I see ESET Smart security is better than anything else.