Author Topic: Avast! continues to show poor detection against JS:Numecod  (Read 4099 times)


Offline TrueIndian

  • Poster
  • Posts: 433
Avast! continues to show poor detection against JS:Numecod
« on: February 02, 2017, 07:33:28 AM »
Even after raising this issue multiple times with the avast! team and virus lab members, I still don't see an improvement when it comes to detecting js:numecod samples that download ransomware.

Not just that, avast! continues to be sloppy about adding detection for these files. I am not sure whether their automated systems don't see such files or they are just analyzing them manually. This specific family of malware is getting past avast and we are completely counting on IDP to detect it. I know I am repeating myself, but I think there is something we can do to speed up the reaction process.

Also, the big bummer is that avast! at times doesn't detect the file on download; it waits until I execute it and the malware deobfuscates itself. I know Kaspersky and some other vendors can see through that obfuscated code and block it.

This is one malware family where avast has to wait till the last moment, and when it's not blocked the user is infected 90% of the time.

I am not impressed, as this is an infection vector. I have even suggested some ideas for monitoring wscript specifically, since most systems won't have something running it by default anyway, and what percentage of good files use it? Very few, I assume. I know I shared a similar idea about dual-extension malware, which I am seeing a lot now, but since my return from the roundtable I am seeing avast improving in this field. The reaction time to this threat family by avast is very poor.

By the time the lab adds detection there are new variants in town:

https://www.virustotal.com/en/file/3fbd07ddec481d20aada0ed0993726b8a22b07586f853a0727ab04d468b2e6c9/analysis/1486016682/
https://www.virustotal.com/en/file/269e887e064ff5555d22433c69cfa0151cf34dc3779fbe6b90db8e07c28a6d35/analysis/1486016699/
https://www.virustotal.com/en/file/0959d9f4071e8bcf165ca61258df30e984dea237625d05d3a881b99fa7b582da/analysis/1486016918/
https://www.virustotal.com/en/file/afe34bfe2215b048915b1d55324f1679d598a0741123bc24274d4edc6e395a8d/analysis/1486017096/
https://www.virustotal.com/en/file/b9124e47c12410ef2baea3b9abe3008eb7628f25f58d1d6a96fb1058b69046fd/analysis/1486017130/
https://www.virustotal.com/en/file/bb198b5b0d4d1349f79ae77a64ca466bf0d2ae61098bd373a0f49e2ad5cf8d50/analysis/1486017164/
https://www.virustotal.com/en/file/f6de8183ec321dc491a3a27785056cbb94b06d5614efeea8c1bdc34060c4d2d7/analysis/


But if you guys are looking for some help with this particular family, I have a lot more of these samples. I have about 25 pieces of the same family, most a couple of days old and some new, but none are being detected. I even submitted them.
« Last Edit: February 02, 2017, 08:19:27 AM by TI199 »

Offline Pondus

  • Probably Bot
  • Posts: 37547
  • Not an avast user
Re: Avast! continues to show poor detection against JS:Numecod
« Reply #1 on: February 02, 2017, 08:51:52 AM »
Is the payload from these downloaders detected?


Offline TrueIndian

  • Poster
  • Posts: 433
Re: Avast! continues to show poor detection against JS:Numecod
« Reply #2 on: February 02, 2017, 09:02:17 AM »
> Is the payload from these downloaders detected?

I will send you the files if you want. They just try downloading things from different URLs in my experience, and something eventually gets through. All avast can do is keep popping up with blocked messages, but the machine still remains infected anyway.

If anyone wants to test this family, PM me with your mail address. It will be interesting to know how the IDP performs against them. But still, this is a problem.
« Last Edit: February 02, 2017, 09:08:24 AM by TI199 »

Offline Yanto.Chiang

  • Avast Evangelist
  • Super Poster
  • Posts: 1371
  • Soli Deo Gloria
    • PT Garuda Sinatriya Globalindo
Re: Avast! continues to show poor detection against JS:Numecod
« Reply #3 on: February 02, 2017, 09:14:34 AM »
Hi TI199,

Nice sharing. Would you share with us how this malware attacks the victim?
It seems the malware poses as a Microsoft document and is sent as an attachment file.

Cheers,
Yanto Chiang | IT Security Consultants | AVAST Premium Security | GarudaSinatriya

Offline TrueIndian

  • Poster
  • Posts: 433
Re: Avast! continues to show poor detection against JS:Numecod
« Reply #4 on: February 02, 2017, 09:18:48 AM »
> Hi TI199,
>
> Nice sharing. Would you share with us how this malware attacks the victim?
> It seems the malware poses as a Microsoft document and is sent as an attachment file.
>
> Cheers,

Yes, most of it is an email attachment or just a direct download.

Regards,
True Indian

Offline Sirmer

  • Avast team
  • Sr. Member
  • Posts: 324
Re: Avast! continues to show poor detection against JS:Numecod
« Reply #5 on: February 02, 2017, 09:55:22 AM »
Hello,

thanks for the samples. Did you try the whole infection vector? Because we have different detections, so most scripts, like the Nemucod downloader, are detected in the email attachment, which is the way it is spread.

Offline Sirmer

  • Avast team
  • Sr. Member
  • Posts: 324
Re: Avast! continues to show poor detection against JS:Numecod
« Reply #6 on: February 02, 2017, 10:03:28 AM »
For example, F6DE8183EC321DC491A3A27785056CBB94B06D5614EFEEA8C1BDC34060C4D2D7 was detected 82 times in the last 3 days. A sample not detected on VT doesn't mean it is not detected at all.

Offline TrueIndian

  • Poster
  • Posts: 433
Re: Avast! continues to show poor detection against JS:Numecod
« Reply #7 on: February 02, 2017, 10:10:30 AM »
Yes, I did. First of all, thanks for replying to this thread.

Most files were received from mails, either with an attachment or a link to the malware download, but avast was quiet. I have seen some threads on the forums where people are infected by something like this. I have sent the files to you by mail anyway.

By the way, I don't see what detection you are referring to... are there still some detection modules only working on execution? Why not detect the file once it's downloaded if you have the detection? Why wait till the point of execution? Because they are obfuscated scripts, avast should be able to scan through them on download just like other AVs do.

Some of these files have been scraped from infected USBs.

It's still an interesting stat that you mentioned. I know VT detection isn't everything.
« Last Edit: February 02, 2017, 10:23:11 AM by TI199 »

Offline Sirmer

  • Avast team
  • Sr. Member
  • Posts: 324
Re: Avast! continues to show poor detection against JS:Numecod
« Reply #8 on: February 02, 2017, 10:29:57 AM »
These samples should be blocked when you receive them through email, so before downloading to your PC or execution.
In this case I am just wondering how it can infect a USB, because all the files are just simple downloaders.

Offline Yanto.Chiang

  • Avast Evangelist
  • Super Poster
  • Posts: 1371
  • Soli Deo Gloria
    • PT Garuda Sinatriya Globalindo
Re: Avast! continues to show poor detection against JS:Numecod
« Reply #9 on: February 02, 2017, 10:30:44 AM »
Hi True Indian,

Thanks for your sharing.

Previously, I had the same problem as you. You can submit the malware sample to avast by following the guide at the link below:
https://www.avast.com/faq.php?article=AVKB258

I hope this information can help you.

Cheers,
Yanto
Yanto Chiang | IT Security Consultants | AVAST Premium Security | GarudaSinatriya

Offline TrueIndian

  • Poster
  • Posts: 433
Re: Avast! continues to show poor detection against JS:Numecod
« Reply #10 on: February 02, 2017, 10:42:24 AM »
> These samples should be blocked when you receive them through email, so before downloading to your PC or execution.
> In this case I am just wondering how it can infect a USB, because all the files are just simple downloaders.

So is there a separate database for the mail shield, I assume? Yes!! At least from what I have investigated, some of the guys got it from USB, which surprised me as well.

Offline Sirmer

  • Avast team
  • Sr. Member
  • Posts: 324
Re: Avast! continues to show poor detection against JS:Numecod
« Reply #11 on: February 02, 2017, 10:54:14 AM »
It is not a separate database, but in the mail shield we can use specific algorithms to detect malware.

Offline savcin

  • Avast team
  • Full Member
  • Posts: 113
Re: Avast! continues to show poor detection against JS:Numecod
« Reply #12 on: February 02, 2017, 11:21:31 AM »
FYI: New additional detections for submitted files have been created.

Offline TrueIndian

  • Poster
  • Posts: 433
Re: Avast! continues to show poor detection against JS:Numecod
« Reply #13 on: February 02, 2017, 06:01:24 PM »
That's very interesting to hear.

Thank you, VLab.

Offline TrueIndian

  • Poster
  • Posts: 433
Re: Avast! continues to show poor detection against JS:Numecod
« Reply #14 on: February 05, 2017, 04:38:47 AM »
Hello,
I found something similar to numecod and avast completely missed it:
https://www.virustotal.com/en/file/80d21093ecf7c5f10f1846689c3d592a5b54bfe2437ac305970b9531d9f330ac/analysis/1486291370/
And similar to this, I have seen numecod from some URLs; I have already submitted most of them.
« Last Edit: February 05, 2017, 11:43:16 AM by TI199 »