Author Topic: A fresh undetected injector sample  (Read 4010 times)



Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33892
  • malware fighter
Re: A fresh undetected injector sample
« Reply #1 on: December 08, 2013, 04:54:23 PM »
Hi spywar,

Is this the same detection we are discussing here? -> http://www.isthisfilesafe.com/sha1/4EF5762FE78DD69BC48DD8802D716937174D927C_details.aspx
& http://www.blackhatworld.com/blackhat-seo/black-hat-seo-tools/428644-get-twitter-account-checker-free-bhw.html , so this ->
https://www.virustotal.com/nl/file/85c51af1ac19281b669f12138e7f230a1314b230105df0747faf1a8c84d28bd1/analysis/1333983158/
Could well be a PUP or else a particular packer detection:
F-PROT: PecBundle
PEiD: PECompact 2.xx --> BitSum Technologies
See also here: http://pl.rghost.net/50771686   and (possibly your doing?) -> http://www.drwebhk.com/en/virus_techinfo/Trojan.AVKill.31641.html
Also consider the low detection rate here: http://f.virscan.org/TwitterAccountChecker.exe.html

Because of the false packer detection issue my verdict is either an FP or, at a minimum, a PUP detection,
or this could be useful as an indicator for SEO SPAM detection/IDS on sites (enhancing Sucuri's detection rate, for instance).
Good job tracing it,

polonus
« Last Edit: December 08, 2013, 04:57:14 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

spywar

  • Guest
Re: A fresh undetected injector sample
« Reply #2 on: December 08, 2013, 05:34:29 PM »
Hi polonus,

Yes this is exactly this one. Could be a PUP actually...
I'm gonna let you know the different vendors' verdicts in a few hours if I get at least the DrWeb one. It has also been reported to Xandora and is currently under processing.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33892
  • malware fighter
Re: A fresh undetected injector sample
« Reply #3 on: December 08, 2013, 05:40:02 PM »
Hi spywar,

Good action, my friend. Also contact Sucuri to see whether they consider this Blackhat SEO Spam malware.
Daniel Cid and his friends could almost be seen as the "inventors" of such detections  ;D

polonus

spywar

  • Guest
Re: A fresh undetected injector sample
« Reply #4 on: December 08, 2013, 07:41:22 PM »
I did a rescan of the sample on VT just to check out if new detections are available from other vendors.

https://www.virustotal.com/en/file/ba384b0e23b27353b8145918ac55734caefb7e9781779ec54bb76969d917b83c/analysis/1386527879/

Now 7/49.
Kaspersky's backend (KSN) classified it as malware; in a few hours it's gonna rename it with an appropriate malware name.
McAfee's Artemis system also identified it.
TrendMicro and Baidu too.
I'd like to add that even though we don't see any detection from Comodo, it's now actively detected by their backend as malware.
If you'd like to check, go to http://file-intelligence.comodo.com/search-sha1.php and search for SHA-1 fad151dedf9d847a46772a0cd2c239735d38a633

spywar
« Last Edit: December 08, 2013, 07:42:53 PM by spywar »
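Two things in this thread lend themselves to a small worked illustration: polonus's point in Reply #1 that a packer detection (PecBundle / PECompact) is a weak basis for a malware verdict, and the SHA-1 / SHA-256 lookups against VirusTotal and Comodo in Reply #4. The script below is an added example for this thread, not code from the forum, from either poster, or from any vendor named here. It computes the digests used for such lookups and applies a Shannon-entropy heuristic of the kind packer detectors rely on. The entropy threshold and the byte buffers are constructed assumptions; the point is that a compressed legitimate payload and a packed sample get the same "packed" label, which is exactly why packer hits alone produce false positives.

```python
"""Hashes for vendor lookups plus an entropy-based packer heuristic.

Added example, not code from the thread or any AV vendor. Inputs are
constructed in this file; nothing is read from disk.
"""
import hashlib
import math
from collections import Counter

# Bits per byte above which a section is treated as compressed/packed.
# Assumed value: compressed or encrypted data sits close to 8.0, ordinary
# code and text well below it.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 if empty)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def hashes(data: bytes) -> dict:
    """SHA-1 and SHA-256 hex digests, the identifiers used for VT/Comodo lookups."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def classify_sections(sections: dict) -> dict:
    """Label each named section 'packed' or 'plain' using entropy alone.

    This deliberately mirrors the weakness discussed in the thread: the label
    says nothing about intent, only about how random the bytes look.
    """
    return {
        name: "packed" if shannon_entropy(blob) >= PACKED_THRESHOLD else "plain"
        for name, blob in sections.items()
    }


def pseudo_random(seed: bytes, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for a
    compressed or encrypted section. Constructed data, not a real sample."""
    out = bytearray()
    block = seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


# Constructed inputs. ".text" imitates ordinary readable content; the other two
# imitate compressed sections of a legitimate installer and of the sample.
SECTIONS = {
    ".text": b"This program cannot be run in DOS mode. " * 64,
    "legit_installer_payload": pseudo_random(b"constructed-legit"),
    "sample_packed_section": pseudo_random(b"constructed-sample"),
}


def summarize(sections: dict) -> dict:
    """Per-section entropy, label and SHA-1 for a quick triage table."""
    return {
        name: {
            "entropy": round(shannon_entropy(blob), 2),
            "label": classify_sections({name: blob})[name],
            "sha1": hashes(blob)["sha1"],
        }
        for name, blob in sections.items()
    }


if __name__ == "__main__":
    for name, info in summarize(SECTIONS).items():
        print(f"{name:26} {info['entropy']:5.2f}  {info['label']:6}  {info['sha1']}")
```

Run as-is it prints one line per constructed section. Both high-entropy sections come out "packed" despite one representing benign compressed content, so a verdict built on that signal alone is a PUP-or-FP call at best; the SHA-1 column is what you would paste into a vendor's hash lookup to get an independent opinion.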

spywar

  • Guest
Re: A fresh undetected injector sample
« Reply #5 on: December 08, 2013, 07:43:37 PM »
Emsisoft Anti Malware Network backend also classified it from Unknown to Malware.

spwr

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • Posts: 3645
Re: A fresh undetected injector sample
« Reply #6 on: December 08, 2013, 07:54:56 PM »
Fast reaction from Emsisoft there.

Emsisoft is overall really good.
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

spywar

  • Guest
Re: A fresh undetected injector sample
« Reply #7 on: December 08, 2013, 08:19:19 PM »
Yes, their Anti Malware Network backend is one of the faster ways of malware identification.

spywar

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • Posts: 3645
Re: A fresh undetected injector sample
« Reply #8 on: December 08, 2013, 08:21:39 PM »
I'm at the moment thinking about switching to Emsisoft for 1 or 2 years until DeepScreen has got better.

But I'm not sure yet. My F-Secure license expires on 21 December.

What would you use?

spywar

  • Guest
Re: A fresh undetected injector sample
« Reply #9 on: December 08, 2013, 08:28:40 PM »
I have not done so yet... But have you already tested avast! with Hardened Mode set to aggressive against unknown pieces of malware?
I'd be interested to see how it does...
Regarding Emsisoft, excellent products as well as some of the best support I have ever seen.
I've never used F-Secure so far, thus I can't give any comments about it.

spywar

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • Posts: 3645
Re: A fresh undetected injector sample
« Reply #10 on: December 08, 2013, 08:32:45 PM »
Hardened mode is good but gives false positives; exe files from Tune Up Utilities and installers got blocked for me.

Hardened mode blocks almost every single unknown file. I have 13 here on my desktop. Already submitted.

Emsisoft is great, I can tell; they have high RAM usage (about 100-150 MB in a VM for me), but not really that much slowdown.
Also they have a great firewall and behavior blocker.

F-Secure is also good, but it blocks some legit applications.