Author Topic: Brazilian Trojan Bankers

BrBrasil

  • Guest
Brazilian Trojan Bankers
« on: January 09, 2009, 02:12:09 PM »
Hello guys!

I was wondering: the only bad thing in Avast detection, IMHO, is the Brazilian trojan bankers that we keep receiving by email or Orkut scraps... The other detections of avast seem to be very good.

In the last month, I received 13 different trojan bankers in my Email / Orkut.
Sadly, avast found just 1. The others it missed badly.

Avira, on the other hand, found 12, and the other one it missed it added one day later. Of these 12 detections, 11 were with proactive protection (generic signature or heuristics). The other was with a normal signature.

Is it possible for avast to create the same kind of protection that Avira made for trojan bankers here in Brazil?
This kind of malware keeps growing, and I don't think that signature-based protection is enough to stop this thing from spreading and staying undetected.

Thanks!

BrBrasil


smage

  • Guest
Re: Brazilian Trojan Bankers
« Reply #1 on: January 10, 2009, 03:17:04 PM »
Hi,

I think that it would greatly help if you could send the samples to avast at virus@avast.com

Avast already has some proactive detection in terms of generic detection and avast 5 is supposed to deal with that issue.

For the meantime, you could add Threatfire, a free behaviour blocker, to your security setup to help deal with zero-day threats.
Alternatively there is also a free anti-Trojan called Comodo BOClean which you could use.

Hope that it helps.

« Last Edit: January 10, 2009, 03:18:56 PM by smage »

gery

  • Guest
Re: Brazilian Trojan Bankers
« Reply #2 on: January 10, 2009, 11:41:19 PM »
You can try SUPERANTISPYWARE FREE or MALWAREBYTES FREE: install, update and scan with both of them, one at a time, not at the same time.

solcroft

  • Guest
Re: Brazilian Trojan Bankers
« Reply #3 on: January 11, 2009, 11:11:26 AM »
Speaking purely from an observational point of view...

avast! has the habit of performing poorly against "mainstream" malware, so to speak – by "mainstream" I refer to most of the popular families created and maintained by commercial malware writers. Detection for Zlob, rogue antivirus programs, and ecards are generally less than ideal, and what is even more confusing is that these samples take days to be added to the signature database – during which, of course, the malware families have already been updated multiple times.

If anyone knows about the Waledac (card.exe) trojans being spammed about lately, it's being speculated as the potential successor to the Storm botnet – and another variant family that avast! seems to drag its feet in adding detection for as well.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Brazilian Trojan Bankers
« Reply #4 on: January 11, 2009, 07:04:51 PM »
rogue antivirus programs, and ecards are generally less than ideal
I feel the same...
The best things in life are free.

kubecj

  • Guest
Re: Brazilian Trojan Bankers
« Reply #5 on: January 12, 2009, 12:27:40 PM »
Funny, and I think we're pretty good in covering rogues, since we catch the scripts in their pages, we block all of their pages and we also detect the binaries. That's three layers of protection.

Same applies to waledac - all of their distro sites should be blocked by the url blocker.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Brazilian Trojan Bankers
« Reply #6 on: January 12, 2009, 12:38:04 PM »
Funny, and I think we're pretty good in covering rogues, since we catch the scripts in their pages, we block all of their pages and we also detect the binaries. That's three layers of protection.

Same applies to waledac - all of their distro sites should be blocked by the url blocker.
So why do people complain about banker worms, and why did people get infected with Antivirus 2008 and 2009 some weeks ago? ???
The best things in life are free.

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11849
    • AVAST Software
Re: Brazilian Trojan Bankers
« Reply #7 on: January 12, 2009, 12:42:22 PM »
Regarding Brazilian bankers in particular - I believe we are getting quite a lot of samples from Bank of Brazil on a regular basis... so I would assume (now that's really just an assumption, I really don't know any objective data) that the detection should be quite good...  ???

solcroft

  • Guest
Re: Brazilian Trojan Bankers
« Reply #8 on: January 12, 2009, 12:55:17 PM »
Funny, and I think we're pretty good in covering rogues, since we catch the scripts in their pages, we block all of their pages and we also detect the binaries. That's three layers of protection.

Same applies to waledac - all of their distro sites should be blocked by the url blocker.

kubecj,

No offense, but it took me all of 3 seconds to bypass those 3 layers of protection simply by using a search engine: hxxp://freexxxvideo3.osc.pl/

VPS is 090111-1. Please add detection for that binary as well, while you're at it; thanks.
« Last Edit: January 12, 2009, 12:58:23 PM by solcroft »

kubecj

  • Guest
Re: Brazilian Trojan Bankers
« Reply #9 on: January 12, 2009, 01:04:57 PM »
Have you actually tried that?

JS:FakeAV-A [trj] on best-antivirus-proteXXXction.com/2009/1/_freescan.php?nu=880829

Also the binary is giving me 404 ;)
« Last Edit: January 12, 2009, 01:12:25 PM by kubecj »

solcroft

  • Guest
Re: Brazilian Trojan Bankers
« Reply #10 on: January 12, 2009, 01:12:45 PM »
As a matter of fact, I have. Web Shield shows no detection on my end.

Since you're also apparently unable to see the binary, it's been submitted via Virus Chest.

solcroft

  • Guest
Re: Brazilian Trojan Bankers
« Reply #11 on: January 12, 2009, 01:46:33 PM »
Same applies to waledac - all of their distro sites should be blocked by the url blocker.

Speaking of Waledac distro sites - at least one is getting past (116.99.19.127), and 4 variants of the binary over the last 2 days are yet to be added to the signature database.

smage

  • Guest
Re: Brazilian Trojan Bankers
« Reply #12 on: January 12, 2009, 03:59:22 PM »
Hi,

Avast is doing well, but I think it still can be improved.
Avast is not detecting this malware, but it blocks the website from which it can be downloaded.

http://www.virustotal.com/analisis/61bd153eb74d975d1877c10e3527cb39

solcroft

  • Guest
Re: Brazilian Trojan Bankers
« Reply #13 on: January 12, 2009, 05:18:55 PM »
Hi,

Avast is doing well, but I think it still can be improved.
Avast is not detecting this malware, but it blocks the website from which it can be downloaded.

http://www.virustotal.com/analisis/61bd153eb74d975d1877c10e3527cb39

Well, four new Waledac distro IPs popped up during the last 2 hours, 3 of them hosting a binary with the same MD5 hash. avast! stopped none of them, neither domain nor binary.

Not to mention there's still the handful of undetected variants from days ago. This whole "we block the malicious domains!" strategy is making me rather uneasy, to say the least.

kubecj

  • Guest
Re: Brazilian Trojan Bankers
« Reply #14 on: January 12, 2009, 05:23:08 PM »
This whole "we block the malicious domains!" strategy is making me rather uneasy, to say the least.

This is additional protection, not a replacement.