Author Topic: Avast missed 2 Trojans, every day, for over two years.  (Read 2776 times)

Offline Frank3142

  • Newbie
  • *
  • Posts: 3
Avast missed 2 Trojans, every day, for over two years.
« on: May 25, 2021, 04:37:55 PM »
Hi
I write with a cautionary tale for others.

I have used Avast for something like 15 years and (mostly) been very pleased with it, because what you don't know, won't disrupt that pleasure. In that time, it allowed in one very nasty rootkit which was a mother to get rid of, so overall you would want to forgive it one slip. We're all human. However what I discovered today is the deal breaker. I discovered that I had not one, but two trojans on my machine, working away furiously and blissfully undetected. Looking at my backups, I've been host to them for at least 2 years - my backups don't go back any further than that. With the computer on most days and an up to date Avast running, it absolutely did not find them. To share the blame a little, neither did Malwarebytes, but that's another story.

The identities of the two trojans are:

Tonick.gen
Tiggre!plock


How I found them.
I had frequently read it said that it's bad practice to have 2 antivirus programs running on the same PC (mine is Windows 10, by the way - and yes, all updated constantly). The advice was that if you use Avast you should disable Windows Defender. So long story short, I did the experiment of switching Defender back on and running a deep scan. That's what found these trojans and that's what removed them. Avast; null points.

So sadly, but pragmatically, today is the day I bid a sentimental farewell to Avast and switch to Bitdefender. They come top in several contemporary (that's the key word), reputable reviews that are backed by lab tests, and to sweeten the deal there's a fat discount on offer, currently, for up to three machines. So, be warned. Complacent confidence in your virus protection is a great drug, soothing and soporific, which is exactly what the hackers need you to feel.

Au revoir, Avast.
« Last Edit: May 25, 2021, 04:40:51 PM by Frank3142 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: Avast missed 2 Trojans, every day, for over two years.
« Reply #1 on: May 25, 2021, 07:41:55 PM »
And you have of course checked those files so you know it is not a Windows Defender false positive?


Offline Frank3142

  • Newbie
  • *
  • Posts: 3
Re: Avast missed 2 Trojans, every day, for over two years.
« Reply #2 on: May 25, 2021, 08:05:02 PM »
Yes.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Avast missed 2 Trojans, every day, for over two years.
« Reply #3 on: May 26, 2021, 11:23:12 AM »
Avast like AVG has this trojan Downloader.Tonick (Worm) classified under a different name, as Worm/VB.AHSM [AVG].

Look for altered version of svchost.exe MD5: e4bc9ec9aa4874c66a6e21e56709609e
and
%TEMP%\tmp-3\msdto.exe
File name: msdto.exe
Size: 315.46 KB (315460 bytes)
MD5: c0213b45672715c77574c2722ee1a01f
Detection count: 7
File type: Executable File
Mime Type: unknown/exe
Path: %TEMP%\tmp-3\
Group: Malware file

Downloader.Tonick has existed since 2013.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
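
A sweep for the indicators listed in the post above, as an added example that is not part of the original thread and not Avast's tooling. It assumes the quoted MD5 values and the `tmp-3\msdto.exe` location are the indicators to look for; the function and constant names are hypothetical.

```python
import hashlib
import os
import tempfile

# MD5 values quoted in the post above, mapped to the names the post gives them.
PAGE_MD5 = {
    "e4bc9ec9aa4874c66a6e21e56709609e": "altered svchost.exe",
    "c0213b45672715c77574c2722ee1a01f": "msdto.exe",
}
# Last directory and file name of the path in the post: %TEMP%\tmp-3\msdto.exe
PAGE_PATH_TAIL = ("tmp-3", "msdto.exe")


def md5_of(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries are not read into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, md5s=PAGE_MD5, path_tail=PAGE_PATH_TAIL):
    """Return sorted (path, reason) pairs for files under root that match."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            # Name/location match is reported even if the content has changed.
            tail = (os.path.basename(dirpath).lower(), name.lower())
            if tail == path_tail:
                hits.append((full, "path"))
            try:
                found = md5_of(full)
            except OSError:
                continue  # locked or unreadable file: skip, do not abort the sweep
            if found in md5s:
                hits.append((full, "md5:" + md5s[found]))
    return sorted(hits)


if __name__ == "__main__":
    # Default to the temp directory, where the post places msdto.exe.
    start = os.environ.get("TEMP", tempfile.gettempdir())
    for path, reason in sweep(start):
        print(reason, path)
```

An empty result only means these exact files were not found; a repacked or renamed variant has a different MD5 and path.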

Offline MarkJohnson

  • Full Member
  • ***
  • Posts: 119
Re: Avast missed 2 Trojans, every day, for over two years.
« Reply #4 on: June 02, 2021, 02:27:23 AM »
Ironically, I have had this issue on every AV I've ever used. I will buy a new license, and see one AV has a really good rating and I will try it out. I use it for a year or two and get a different AV. And every time I get a new AV and run the first scan, it always finds very old stuff.

While my system has been infected for a very long time.

I don't know if it is the cause, but I noticed on a new version, it does a full system scan right away. But I notice that it only seems to do a full scan once and marks things as safe. But it doesn't seem to do a full rescan later, unless you manually do it yourself. It just scans new stuff coming in. My guess is a new virus isn't detected, or it delays its activation since it was marked safe. Then it sneaks in. And since it is new, there may not be a cure for it yet, so it runs without issue.

Just my guess, but it seems to happen to all AV software I have ever used, and I've been computing since the 80s. Not that there was a/v software in the 80s.

Heck, I even had a virus found on the new AV software and existing a/v software suddenly finds it at the same time as the new one.

But I always manually run my A/V programs monthly or so, anymore.

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2294
Re: Avast missed 2 Trojans, every day, for over two years.
« Reply #5 on: June 02, 2021, 08:57:43 AM »
Hello,
can you share the detected samples, please (https://support.avast.com/en-za/article/258/)? Or upload them to virustotal.com and share the scan result link, please?

Thank you,
Milos

Offline trnano

  • Newbie
  • *
  • Posts: 8
Re: Avast missed 2 Trojans, every day, for over two years.
« Reply #6 on: June 07, 2021, 06:30:00 PM »
Hello Milos,

I shared repeatedly with avast another sample many days ago:
https://www.virustotal.com/gui/file/9f2fb97fea297f146a714d579666a1b9efd611edd8c1484629e0a458481307e5/detection

Proudly, avast still reports "No issues found":
« Last Edit: June 07, 2021, 06:33:12 PM by trnano »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Avast missed 2 Trojans, every day, for over two years.
« Reply #7 on: June 07, 2021, 09:58:13 PM »
Hi trnano,

When you look at VT scan results' details, it comes with a non-validated (e.g. not-verified) MS signature.
MS Windows and other Operational Systems, I'd say no more,  ;)  ;)
Voodooshield would have probably stopped execution of the file in question in its tracks.
It often kept me from harm's way, when I was not alarmed in another way.
Then it could also be no part of the collected avast's definitions.

polonus

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: Avast missed 2 Trojans, every day, for over two years.
« Reply #8 on: June 07, 2021, 10:04:15 PM »
It is old, so it could be they have a reason for not detecting it?

https://www.virustotal.com/gui/file/9f2fb97fea297f146a714d579666a1b9efd611edd8c1484629e0a458481307e5/details


History
Creation Time   2014-08-31 15:34:44
Signature Date   2017-09-29 04:22:00
First Seen In The Wild   2018-04-26 19:49:54
First Submission   2018-04-28 02:02:07
Last Submission   2021-05-11 07:09:37
Last Analysis   2021-06-07 19:59:56




« Last Edit: June 07, 2021, 10:06:33 PM by Pondus »

Offline trnano

  • Newbie
  • *
  • Posts: 8
Re: Avast missed 2 Trojans, every day, for over two years.
« Reply #9 on: June 08, 2021, 08:24:31 AM »
File was dropped via malicious web-shell from
hxxp[:]//t[.]hwqloan[.]com/svchost.dat

In my opinion it is a clear piece of malware and I do not understand why avast is happy with this file around.

Offline Tomáš232

  • Avast team
  • Newbie
  • *
  • Posts: 3
Re: Avast missed 2 Trojans, every day, for over two years.
« Reply #10 on: June 08, 2021, 09:46:10 AM »
Hi, file 9F2FB97FEA297F146A714D579666A1B9EFD611EDD8C1484629E0A458481307E5 was resolved as malware and detection created.
URL t[.]hwqloan[.]com is already detected.

Thanks for the report.

Offline trnano

  • Newbie
  • *
  • Posts: 8
Re: Avast missed 2 Trojans, every day, for over two years.
« Reply #11 on: June 08, 2021, 11:37:52 AM »
Was resolved, but after 3-4 weeks from my first submission (repeated weekly) of this file to avast lab.
And after some discussion about the file in this topic :)
When I submit malware files to avast analysis system, I'm thinking (or at least I hope) about a reasonable time of definition update.
I have avast on 65+ workstations and servers, and I am not happy with this delay.
I am sure that many of the submitters are IT professionals...