Tuesday, March 19, 2013

32 AntiVirus versus the latest Java Exploit (CVE-2013-1493)

Imagine a scenario where someone wants to target your computer to get access to your files. This can be accomplished in several ways, and one of them is using a Java exploit on a crafted/compromised website.

What I want to test is how AntiVirus products manage "unknown" threats or forbidden behavior (an unsigned applet shouldn't be allowed to download files to your local disk).

This test is based on basic/home/free products like Symantec AntiVirus, not Symantec Internet Security, which has more features. Some companies provide only Internet Security suites, so this cannot be a full comparison between these products.

I tried to test all the AntiVirus products in this list but I came out with only 32, because some of them don't provide a free trial and others I was unable to find or install. The important thing is that I covered all major/popular AntiVirus products.

The testing machine is a fully patched Windows 7 SP1 32-bit on VirtualBox with Java SE 7 update 15 and Firefox as the browser.

The exploit is CVE-2013-1493, not obfuscated. After successful exploitation it tries to download hello.jpg from a remote host to the temp directory; the file is then renamed to hello.exe and executed using cmd: "cmd /C 'temp_path\hello.exe'".

The executable just prompts "Hello Malware".
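
The chain described above (a Java process writes a file to the temp directory, then launches it under a new extension through cmd /C) shows up in process-creation and file-creation telemetry whether or not the exploit itself is detected. The following is an added example, not code from the original post; the event field names, Java process names, temp paths and sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumptions: Java plug-in process names and temp locations; tune per environment.
JAVA_IMAGES = {"java.exe", "javaw.exe", "jp2launcher.exe"}
TEMP_DIR = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\", re.I)
# Executable path that follows "cmd /C", optionally quoted.
CMD_TARGET = re.compile(r"/c\s+[\"']?([^\"']+?\.exe)\b", re.I)


def base(path):
    return ntpath.basename(path).lower()


def find_java_drop_and_run(events):
    """Flag Java runtime -> cmd.exe /C -> executable in a temp directory."""
    java_written = set()  # extension-less temp paths written by a Java process
    alerts = []
    for ev in events:
        if ev["type"] == "file_create":
            if base(ev["image"]) in JAVA_IMAGES and TEMP_DIR.search(ev["target"]):
                java_written.add(ntpath.splitext(ev["target"].lower())[0])
            continue
        if base(ev["image"]) != "cmd.exe" or base(ev["parent_image"]) not in JAVA_IMAGES:
            continue
        m = CMD_TARGET.search(ev["command_line"])
        if m and TEMP_DIR.search(m.group(1)):
            stem = ntpath.splitext(m.group(1).lower())[0]
            # Same name, different extension: the .jpg -> .exe rename from the post.
            alerts.append({"target": m.group(1), "renamed_drop": stem in java_written})
    return alerts


# Constructed sample events (hypothetical field names and paths, not captured logs).
TMP = r"C:\Users\test\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Program Files\Java\jre7\bin\java.exe",
     "target": TMP + r"\hello.jpg"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Java\jre7\bin\java.exe",
     "command_line": "cmd /C '" + TMP + r"\hello.exe'"},
    # Benign: an installer started from Explorer, not from Java.
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'cmd.exe /C "' + TMP + r'\setup.exe"'},
    # Benign: Java launching a helper that lives outside temp.
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Java\jre7\bin\javaw.exe",
     "command_line": r'cmd.exe /C "C:\Program Files\App\tool.exe"'},
]

if __name__ == "__main__":
    for alert in find_java_drop_and_run(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on behaviour rather than on the dropped file's reputation, so it fires even for a harmless payload such as the "Hello Malware" executable.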

I decided to run this executable instead of the classic calculator because some AntiVirus products have a cloud-based reputation service, and since this is an unknown file dropped by Java (like malware) they should prompt some warning.

Maybe some of you will say "this is not malware, of course AV doesn't block it"; what I want to test here is the software against the Java exploit, not malicious executable detection, because that is another story.

Developers of chk4me claim to not send uploaded files to AntiVirus companies so this is the right place to check the exploit before the test.

To be clearer, I made this table where I report the "score" obtained by each AntiVirus against CVE-2013-1493.

I used this scale of values:
  • 0 = Exploit and "malicious" exe executed successfully
  • 1 = Exploit executed successfully but "malicious" exe not executed or sandboxed
  • 2 = Exploit blocked/not executed

| AntiVirus Name | Score |
|---|---|
| Ad-Aware Free Antivirus+ | 0 |
| AVG Antivirus Free 2013 | 0 |
| Avira Free Antivirus 2013 | 0 |
| Bitdefender Antivirus Free Edition | 0 |
| Quick Heal Antivirus Pro 2013 | 0 |
| Immunet 3.0 | 0 |
| Dr.Web Anti-virus Pro | 0 |
| ESET NOD32 Antivirus 6 | 0 |
| FortiClient Endpoint Security Management | 0 |
| F-PROT Antivirus | 0 |
| F-Secure Anti-Virus | 0 |
| G Data AntiVirus 2013 | 0 |
| IKARUS anti.virus | 0 |
| Kingsoft Internet Security 9 | 0 |
| Malwarebytes Anti-Malware Free | 0 |
| McAfee AntiVirus Plus 2013 | 0 |
| Microsoft Security Essentials | 0 |
| NANO Antivirus | 0 |
| Norman Antivirus 10 | 0 |
| Outpost Antivirus Pro | 0 |
| Panda Cloud Antivirus | 0 |
| Rising Free Antivirus | 0 |
| VIPRE Antivirus 2013 | 0 |
| VirusBuster Personal Antivirus | 0 |
| ArcaVir 2013 Antivirus | 1 |
| Avast! Free Antivirus | 1 |
| Comodo Antivirus Free | 1 |
| Emsisoft Anti-Malware 7.0 | 1 |
| Trend Micro Titanium Antivirus Plus | 1 |
| Kaspersky Anti-Virus 2013 | 2 |
| Norton AntiVirus | 2 |
| Sophos Anti-Virus | 2 |

Summarizing the results:
  • 24 (75 %) detect neither the exploit nor the executable
  • 5 (16 %) don't detect the exploit but warn you about the executable
  • 3 (9 %) detect the exploit.

Looking only at the exploit, 91 % don't detect it and 9 % are able to block it.

There were some cases where I was undecided between a score of 1 or 2, like the case of ArcaVir. When an applet tries to contact another domain, ArcaVir prompts you with an alert; however, it's not saying "this is an exploit and I block it" but "hey, this applet is trying to connect to this domain, what do you want to do?". For this reason I opted for a score of 1 instead of 2.

Symantec surprised me because a couple of months ago they didn't detect any Java exploit and now they block them all; maybe they have decided to improve their basic software after the Wall Street Journal story.

As a last thing, here is the video; maybe you will find it boring, but you can see how several antiviruses handle a Java exploit.


  1. The trolling in this post is strong...

  2. Hi, I tested this exploit about a week ago. I think it's not very stable, and on top of that you still have to run the applet anyway.. it was kept hidden like a treasure, bah, anyway.. nice video

  3. Ad-Aware Free Antivirus Plus 2013 is latest antivirus software....

  4. Thanks for sharing review of AdAware.
