Author Topic: Why avast! not detect brazilian trojan encrypted?  (Read 19777 times)


Henrique - RJ

  • Guest
Why avast! not detect brazilian trojan encrypted?
« on: September 12, 2013, 10:38:44 PM »
For years avast! has not detected encrypted Brazilian viruses:

http://goo.gl/Ys0bR8

Avira AntiVir always detects (heuristics) this type of virus.

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Why avast! not detect brazilian trojan encrypted?
« Reply #1 on: September 12, 2013, 10:41:51 PM »
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Henrique - RJ

  • Guest
Re: Why avast! not detect brazilian trojan encrypted?
« Reply #2 on: September 12, 2013, 10:46:24 PM »

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Why avast! not detect brazilian trojan encrypted?
« Reply #3 on: September 12, 2013, 10:51:41 PM »
OK. That is not detected.
If you can get the file or have the file you can report it to Avast here: http://www.avast.com/contact-form.php


Henrique - RJ

  • Guest
Re: Why avast! not detect brazilian trojan encrypted?
« Reply #4 on: September 12, 2013, 10:57:39 PM »
I am referring to heuristics.

Avira AntiVir always detects (heuristics) this type of virus.

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Why avast! not detect brazilian trojan encrypted?
« Reply #5 on: September 12, 2013, 11:02:06 PM »
I don't know why it is not detected, but avast heuristics are not as good as Avira's.

But with DeepScreen which will be implemented in Avast 2014 this will get better. ;D

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Why avast! not detect brazilian trojan encrypted?
« Reply #6 on: September 12, 2013, 11:04:24 PM »
Here also missed: http://app.webinspector.com/public/reports/17049131
I get:
HTTP/1.0 404 Not Found
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Thu, 12 Sep 2013 21:00:12 GMT
Server: sffe
Content-Length: 937
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic


polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Henrique - RJ

  • Guest
Re: Why avast! not detect brazilian trojan encrypted?
« Reply #7 on: September 12, 2013, 11:11:39 PM »
????????????????

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Why avast! not detect brazilian trojan encrypted?
« Reply #8 on: September 12, 2013, 11:35:35 PM »
As this was pointed out to me I will explain myself now.
That was the request and response via WebBug I got for that link you posted, I understand they go to VT results now.
Here avast misses detection: https://www.virustotal.com/en/file/5c4e38c52886fe40fbdd259c2cbef402ec0d751472d93244313af217fe1c195f/analysis/1378777119/
Well avast has some history of missing these detections, it is a known flaw.
Funny I found that your links to VT results cannot be resolved by WebBug and not by wepawet either.
This also includes/means that they are open to abuse as you see from my result.
The link you gave was not malicious an sich and resolved to normal VT results, but the format is insecure by nature and can be abused by malcreants,

polonus

Henrique - RJ

  • Guest
Re: Why avast! not detect brazilian trojan encrypted?
« Reply #9 on: September 12, 2013, 11:58:15 PM »
And why analysts do not improve the heuristic of avast! ?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Why avast! not detect brazilian trojan encrypted?
« Reply #10 on: September 13, 2013, 12:17:50 AM »
Well see here: https://www.virustotal.com/en/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/analysis/
and the detection here: http://f.virscan.org/fbvideoupdate9.1.exe.html
Answer to your question they may not as yet have developed the special detection routine for this generic detection for unknown variants.
It is the runtime packer that is being missed. Hopefully the developers will catch up, or get the expertise via Zoner AV,

polonus
« Last Edit: September 13, 2013, 12:29:49 AM by polonus »

Henrique - RJ

  • Guest
Re: Why avast! not detect brazilian trojan encrypted?
« Reply #11 on: September 13, 2013, 03:38:11 AM »
Because of this deficiency of avast!, many Brazilian PCs are being infected.

Viruses are spread by Facebook.

So avast! is called a sieve here in Brazil.
« Last Edit: September 13, 2013, 04:01:06 AM by Henrique - RJ »

Henrique - RJ

  • Guest
Re: Why avast! not detect brazilian trojan encrypted?
« Reply #12 on: September 14, 2013, 01:19:20 AM »
The heuristics and sandbox analysis of avast! have failed in this case.

This type of virus, once installed, is spread by pendrive and Facebook for theft of bank accounts.

Thousands of infections every day.
« Last Edit: September 14, 2013, 01:38:12 AM by Henrique - RJ »

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Why avast! not detect brazilian trojan encrypted?
« Reply #13 on: September 14, 2013, 01:20:11 PM »
You can report the file to Avast via this form: http://www.avast.com/contact-form.php

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Why avast! not detect brazilian trojan encrypted?
« Reply #14 on: September 14, 2013, 01:41:56 PM »
Here avast detects: https://www.virustotal.com/en/file/5c4e38c52886fe40fbdd259c2cbef402ec0d751472d93244313af217fe1c195f/analysis/
Here you could check detection score of avast!: http://support.clean-mx.de/clean-mx/md5.php?CAT_QuickHeal=Worm.Gamarue
It is also the price you pay for avast's popularity in Brazil. Malcreants even disguise their malware as avast program: http://malwaretips.com/Thread-Banking-Trojan-posing-as-Avast-AV
In such a situation malcreants seek to go under the avast detection radar first and foremost, just because avast is so popular over there.
The slack detection on Brazilian Trojans was also mentioned several times by our former forum member and now avast team member, Tech,
who himself is native to that vast South American country...

polonus
« Last Edit: September 14, 2013, 01:47:11 PM by polonus »