FEATURE
Detecting malware across
operating systems
Szilard Stange, OPSWAT
The AlienSpy RAT made headlines recently.1 It is an alarmingly sophisticated
cross-platform delivery method giving new life to the well-known Citadel trojan,
a Zeus variant that has been in circulation since early 2012.2 AlienSpy can target
Windows, Linux, Android and Mac OS X devices and boasts at least 12 separate
spying plugins that cyber-attackers can use to steal data, gain remote desktop
access or even capture webcam sessions.
This malware has successfully targeted
banking institutions, critical infrastruc-
ture providers and government agen-
cies – a scary prospect given the robust
features it offers hackers. Cross-platform
exploits can only be expected to increase
both in number and sophistication
over the next decade, so what questions
should those of us in the anti-malware
community be asking ourselves as we
approach the challenging times ahead?
It is clear that the steady evolution of
cross-platform malware must be met
with increasing cross-platform malware
detection capabilities.
Given the increasing frequency of
cross-platform malware exploits, a fre-
quently asked question is whether anti-
malware engines designed for Windows
can detect Linux and Android-based
malware. It’s in interesting question, and
one that must be carefully considered in
today’s threat landscape. These anti-mal-
ware products were developed specifi-
cally for different platforms over a period
of 20-plus years. Most anti-malware
software vendors have solutions for both
Windows and Linux-based platforms
that were first developed in the 1990s or
2000s. Conversely, the first anti-malware
product for Android was released around
the second half of the 2000s, as the
Android platform is relatively new from
an anti-malware perspective.
Given the wide range of environments
and disparate time periods in which
these products were developed, we were
curious to see if detection capabilities
were specific to the product’s stated
platform, or if they could have a broader
June 2015
use. The question: can an anti-malware
product detect malware written for
another platform?
Cross-platform malware
detection
It is common to find a mixture of differ-
ent server and workstation operating sys-
tems in any IT environment, so the abil-
ity to detect malware across multiple plat-
forms is essential to maintain the security
of your network. For instance, let’s take a
look at what happens when an incoming
email is sent from a Linux-based com-
puter, but the end-user accesses his or her
mailbox from a Windows computer.
This scenario is especially likely given the
increasing sophistication of spear-phishing
attacks as a vector for malware. In fact, our
own CFO recently received an incredibly
well-crafted spear-phishing email, and was
suspicious only because the communica-
tion patterns didn’t match the typical
emails he receives from the CEO. Not
Figure 1: Multi-platform environments allow malware to pass via non-vulnerable systems to those
targeted by the malicious software.
Szilard Stange
all employees would notice those small
signs of phishing, and without any anti-
malware products on its mail server, the
Windows computer can easily be infected
by Windows malware. The same issue
could occur if the anti-malware product
providing protection for the Linux-based
mail server isn’t able to recognise incoming
Windows-based malware.
“It’s true that installed
anti-malware products are
sometimes sufficient to
catch malware and prevent
infections. That being said,
it is important to note the
limitations of anti-malware
products and recognise that
there are more effective
solutions out there”
You may be thinking, “This is true,
but why should I worry about this? I
have an anti-malware product installed
on my computer!” And it’s true that
installed anti-malware products are
sometimes sufficient to catch malware
11
Network Security
 FEATURE
and prevent infections. That being said,
it is important to note the limitations
of anti-malware products and recognise
that there are more effective solutions
out there. Here are a few important
questions to ask around that topic:
UÊ 7…ÞÊŜՏ`ÊÜiÊÀiÞʜ˜Ê̅iÊÃV>˜˜ˆ˜}Ê
capabilities of a single anti-malware
engine when multi-scanning technol-
ogy is available?
UÊ 7…ÞÊŜՏ`ÊÜiÊÀiÞʜ˜Ê>˜Ìˆ‡“>Ü>ÀiÊ
products installed on our computer,
when we know they can be difficult
to manage and ensure that they
are up to date?3
UÊ 7…ÞÊŜՏ`ÊÜiÊÌÀÕÃÌʘiÌܜÀŽi`ÊVœ“-
puters in an environment where end
users often have admin privileges that
could expose the network to potential
threats?4
Therefore, in order to achieve ade-
quate network protection it is neces-
sary for anti-malware engines to detect
malware regardless of platform. Cyber-
attackers are creating malware that can
target multiple operating systems, so
shouldn’t our anti-malware products
offer similar cross-platform features? In
theory, we should be able to use Linux-
based firewalls with content filtering,
Linux-based email servers and Linux-
based web proxies to catch Windows
malware before it attacks our network.
How scan engines work
At the beginning of the anti-virus era,
scan engines used only simple pattern
matching to recognise malware, com-
pared to the techniques they now use
to detect advanced threats.5 This is a
cat-and-mouse game because malware
writers are always working on new dis-
guises to make detection harder, such as
encryption, polymorphism and rootkit,
while anti-malware vendors are working
to discover new approaches for detecting
these threats.6 Modern scan engines use
CPU emulation, operating system emu-
lation, cryptanalysis, sandboxing, heu-
ristic and many other complex methods
to detect threats. By using one or more
of these technologies, scan engines can
achieve an optimal detection rate and
speed, depending on the type of cur-
rently analysed file.
12
Network Security
In order to have the right expectations
for scan engines, it is useful to know how
anti-malware scan engines work. Each
anti-malware engine consists of two main
parts: the engine core or engine binary
and a signature database. The engine
core is the heart of the scan engine and
contains the scan logic – how to analyse
different files, how to extract archives, etc.
In summary, the engine core can scan files
for both known and unknown threats.
“Anti-malware vendors
usually use the same
database for all supported
platforms to cut down
on costs. Not only is the
database the same, but the
actual functionality of the
scan engine itself is nearly
the same on each supported
platform”
The signature database checks files
against lists of known malware to speed
the detection process. Currently, there are
more than 300 million different malware
samples out there. Many anti-malware
vendors are proactively using generic
detection technologies to reduce the size
of signature databases and to provide pro-
tection against a lot of different malware
types. Despite these efforts, signature
databases are quite large. Most of them
are 100-200MB in size and are constantly
growing as vendors release new updates.
Signature updates are usually released
after thorough quality testing has been
performed. These tests require time and
a huge amount of resources, so anti-mal-
Figure 2: Sample multi-scanning results for detection of Linux-based malware by Metascan Online.
ware vendors usually use the same data-
base for all supported platforms to cut
down on costs. Not only is the database
the same, but the actual functionality of
the scan engine itself is nearly the same
on each supported platform, indicating
that the detection capabilities should not
change through the platforms.
Revealing test results
We collected a variety of third-party test
results where you can check the detection
capabilities of many anti-malware prod-
ucts. AV-Comparatives and AV-Test are
independent anti-malware testing
organisations focusing primarily on anti-
malware product research and product
testing.7,8 They test not only Windows-
based products but they also provide test
results for mobile protections, mainly for
Android-based security products. Their
mobile protection test results include
detection rates for malicious Android
applications.
VirusBulletin is a UK-based security
information portal and testing company,
focusing on the global threat landscape.9
It performs anti-malware product testing
six times per year. Every test is based on
a different platform, including many for
both Windows versions and Linux plat-
forms. Every test includes WildList sam-
ples and recent malware samples.10 The
company tests proactive and reactive
detection capabilities as well.
While these organisations provide a
good sense of the performance of anti-
malware engines, they do not include
many malware samples written for Linux
platforms because the Windows OS is a
much more popular target for attack. So
June 2015
 FEATURE

we decided to do our own research. We

collected scan results from a free multi-
scanning tool. We were curious about
the cross-platform detection capability of
scan engines, so we tested over 100 ELF
binaries provided by one of our vendor
partners. We focused on malware for
Linux platforms, as most engines in the
scanning tool were Windows-based.
We examined the average detection rate
of five different Windows-based products
and found that an average of 95% of
Linux-based malware was detected by the
Windows anti-malware products. When
combining the scan results of these differ-
ent scan engines we found 100% of the
Linux-based malware sample was detected Figure 3: Detection of Linux malware by Windows anti-virus tools.
by the multi-scanning solution.
While APK files (Android program
install packages) are not as likely to be
found on a corporate network as other
file types, we also checked the capa-
bilities of Windows-based products
to detect malware in this format. We
tested over 60 malware samples writ-
ten for Android, collected primarily
from androidsandbox.net, using seven
Windows anti-malware products from
vendors who also have an Android-based
product with a detection rate greater Figure 4: Sample multi-scanning results for detection of Android-based malware by Metascan
Online.
than 95% based on our results.
We concluded that the vendor’s
Windows-based products could also detect
Android-based samples with approximately
the same detection level as their mobile
protection product, so we can assume that
these vendors have processed Android sam-
ples in their laboratory.
When we checked the aggregated scan
results of the multi-scanning solution,
the detection rate was again 100%.

Android and limited

resources
As you now know, malware scanning is a
quite resource-intensive process in terms of
the processor usage needed to run multiple
Figure 5: Detection of Android-based malware by Windows AV programs.
detection technologies and the amount of
memory/disk usage needed to keep signa-
ture database running effectively. there are still many Android devices with anti-malware engines would overload
Although modern Android-based very limited hardware capabilities. Is their these devices, rendering them unusable.
mobile phones and tablets have improved lightweight hardware able to run anti- After quick market research, we were
processor capabilities and a greater malware scan engines and store informa- able to conclude that most security
amount of memory/disk space than tion from large signature databases? In applications made for Android-based
desktop computers did 10-20 years ago, most cases, the answer is no. Standard platforms contained a lightweight scan

13
June 2015 Network Security
 FEATURE
engine and/or signature database for
detecting malicious Android applica-
tions. Our findings indicated that these
scan engines couldn’t detect malware
that was written for other types of plat-
forms. A few security applications used
vendor cloud services to check hashes of
scanned files that could provide detec-
tion for non-Android threats, but they
were in the minority.
Conclusion
While Windows-based anti-malware
products do effectively detect Android-
based malware, the resource limitations
previously discussed limit an Android-
based anti-malware program’s ability
to detect malware written for another
platform.
“A strong emphasis on the
importance of avoiding
software vulnerabilities
by keeping programs and
operating systems up to
date, as well training for
how to avoid phishing
attacks provides a strong
first line of defence for
cross-platform malware”
It is important to remember that anti-
virus programs for Android function
differently than traditional engines. On
Android, a sandbox technique ensures
that an application may only access
its own data. These products cannot
monitor file system changes to scan all
files, nor can they do a full file system
scan to look for malicious programs. To
partially remedy this issue, third-party
security applications can rely on hooks
that the Android operating system pro-
vides by default, which proves effective
for scanning applications, but not for
catching other types of malware, such as
those stored on an SD card.
This should not be an issue if we use
our mobile devices carefully. Every time
we make a connection to a desktop
PC to transfer files between a mobile
device and a PC, or we move an SD
card between our devices, we have to
make sure that our desktop computer
14
Network Security
has up-to-date protection. Protection
is important for Android devices and
Android-based platforms because mali-
cious programs can easily place or drop
malware programs to our SD card and
our PC to infect further devices.
As we have seen, detection capabilities
for Linux malware by Windows-based
anti-malware products is quite high, so
users and network administrators can
generally trust that malware written for
Linux will be caught by their Windows-
based anti-malware products, especially
if a multi-scanning solution is in place.
Education for consumers and
employees will become more impor-
tant over the next 10 years, as many
of these sophisticated attacks can be
prevented by common-sense cyber-
security improvements.11 A strong
emphasis on the importance of avoid-
ing software vulnerabilities by keeping
programs and operating systems up to
date, as well training for how to avoid
phishing attacks provides a strong
first line of defence for cross-platform
malware. New cross-platform malware
is being discovered every day, but by
putting our focus on improving detec-
tion via multi-scanning, and investing
resources in consumer and employee
education, organisations in the anti-
malware community can mitigate the
damages caused by these sophisticated
exploits.12
About the author
Szilard Stange joined OPSWAT as direc-
tor of product management in 2014. He is
responsible for one of the company’s flagship
technologies, Metascan. Prior to joining
OPSWAT, Stange held many engineer-
ing and product management positions in
the IT security industry and helped create
many anti-malware products, next-gen-
eration firewalls and security monitoring
products at BalaBit and VirusBuster. He
brings expertise in enterprise level security
software definition and development and
holds a Master’s degree from the University
of Pannonia.
References
1. Mimoso, Michael. ‘New evasion
techniques help AlienSpy RAT
spread Citadel malware’. ThreatPost,
Kaspersky Lab, 8 Apr 2015. Accessed
May 2015. https://threatpost.
com/new-evasion-techniques-help-
alienspy-rat-spread-citadel-mal-
ware/112064.
2. Segura, Jerome. ‘Citadel: a cyber-
criminal’s ultimate weapon?’.
MalwareBytes blog, 5 Nov 2012.
Accessed May 2015. https://
blog.malwarebytes.org/intelli-
gence/2012/11/citadel-a-cyber-crimi-
nals-ultimate-weapon/.
3. Dunn, John. ‘Who runs an anti-
virus scan these days? Apparently
almost nobody’. TechWorld, 28
Jan 2015. Accessed May 2015.
www.techworld.com/news/secu-
rity/who-runs-anti-virus-scan-
these-days-apparently-almost-
nobody-3595951/.
4. Winn, Adam. ‘How Bad Software
Updates Put Your Network at Risk‘.
OPSWAT blog, 13 Mar 2015.
Accessed May 2015. www.opswat.
com/blog/how-bad-software-updates-
put-network-at-risk.
5. Galea, Deborah. ‘How to Detect
Advanced Threats‘. OPSWAT blog,
12 Mar 2015. Accessed May 2015.
www.opswat.com/blog/detect-
advanced-threats.
6. ‘Polymorphism’. The Java Tutorials,
Oracle. Accessed May 2015. http://
docs.oracle.com/javase/tutorial/java/
IandI/polymorphism.html.
7. AV-Comparatives. Home page.
Accessed May 2015. www.av-com-
paratives.org.
8. AV-Test. Home page. Accessed May
2015. www.av-test.org/en/.
9. Virus Bulletin. Home page. Accessed
May 2015. www.virusbtn.com/index.
10. WildList. Home page. Accessed May
2015. www.wildlist.org.
11. Galea, Deborah. ‘10 Things to
Include in Your Employee Cyber-
security Policy‘. OPSWAT blog,
27 Mar 2015. Accessed May 2015.
www.opswat.com/blog/10-things-
include-your-employee-cyber-securi-
ty-policy.
12. Hebels, Justin. ‘New cross-platform
malware discovered’. Thawte, 5 Feb
2014. Accessed May 2015. https://
community.thawte.com/articles/new-
cross-platform-malware-discovered.
June 2015