Author Topic: Win32:Lnkget or FP?  (Read 12030 times)

0 Members and 1 Guest are viewing this topic.

dude2

  • Guest
Re: Win32:Lnkget or FP?
« Reply #15 on: September 11, 2009, 01:39:08 AM »
As I questioned in #11, if an embedded script was downloading unharmful stuff or even failed to download stuff because the target file on the ftp server was not there, then can we still categorize this script as Trojan Downloader, Trojan Dropper, or any type of Trojan? I am trying to understand what type of Trojan Win32:Lnkget is. If Win32:Lnkget was overcautious on suspicious downloading activities, should we count it as a false positive?
« Last Edit: September 11, 2009, 01:53:47 AM by dude2 »

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2293
Re: Win32:Lnkget or FP?
« Reply #16 on: September 11, 2009, 07:33:53 AM »
Yes, we can still categorize this script as Trojan, because we don't know if the file will in the future appear on the ftp server.

dude2

  • Guest
Re: Win32:Lnkget or FP?
« Reply #17 on: September 11, 2009, 09:33:36 AM »
Yes, we can still categorize this script as Trojan, because we don't know if the file will in the future appear on the ftp server.
Based on Alwil's VPS record, when Avast initially captured and categorized this as Win32:Lnkget Trojan, what was seen as the downloaded dangerous payload or downloaded malware?

Even if there was something downloaded that triggered Avast back then, but how can it still trigger Avast to generate an alarm now when there is no file to download?

Unless somehow lnk-embedded downloading command script itself will trigger Avast to detect it as a Trojan doesn't matter if the downloaded stuff is harmful or if downloading action is ever completed? But, in that case, wouldn't this Trojan decision be too lax in comparison with Trojan definition in http://www.viruslist.com/en/virusesdescribed and http://www.viruslist.com/en/virusesdescribed?chapter=152540521 ?
« Last Edit: September 11, 2009, 09:44:20 AM by dude2 »

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2293
Re: Win32:Lnkget or FP?
« Reply #18 on: September 11, 2009, 10:37:39 AM »
Quote
Quote
Yes, we can still categorize this script as Trojan, because we don't know if the file will in the future appear on the ftp server.
Based on Alwil's VPS record, when Avast initially captured and categorized this as Win32:Lnkget Trojan, what was seen as the downloaded dangerous payload or downloaded malware?
Who knows ...

Quote
Even if there was something downloaded that triggered Avast back then, but how can it still trigger Avast to generate an alarm now when there is no file to download?

Unless somehow lnk-embedded downloading command script itself will trigger Avast to detect it as a Trojan doesn't matter if the downloaded stuff is harmful or if downloading action is ever completed? But, in that case, wouldn't this Trojan decision be too lax in comparison with Trojan definition in http://www.viruslist.com/en/virusesdescribed and http://www.viruslist.com/en/virusesdescribed?chapter=152540521 ?
It depends on type of detection http://en.wikipedia.org/wiki/Antivirus_software#Identification_methods, this one detects malicious .lnk file nothing else -- it doesn't try to download other files and analyze them, its not "File emulation".

I'm still not sure what is your problem?

dude2

  • Guest
Re: Win32:Lnkget or FP?
« Reply #19 on: September 11, 2009, 06:16:42 PM »
After all, I do not think that you have the key info:
"How malicious is the script from this lnk?" or "what constitutes Win32:Lnkget Trojan?"

Based on your provided reference link: http://en.wikipedia.org/wiki/Antivirus_software#Identification_methods , it says:
>>
Malicious activity detection is another approach used to identify malware. In this approach, antivirus software monitors the system for suspicious program behavior. If suspicious behavior is detected, the suspect program may be further investigated, using signature based detection or another method listed in this section. This type of detection can be used to identify unknown viruses or variants on existing viruses.
<<

All referenced links pointed to the key idea:

"It takes a little more investigation to distinguish a malware from a suspicious false positive."

Normally, this investigation will reveal the true identity of the suspicious script. From Viruslist.com, a Trojan dropper/downloader will be identified as either a dangerous payload or a malware/adware with the help of a signature or other methods. I suspect that could be the reason some 32 out of 41 AV software products would not categorize it as a Trojan downloader/dropper when this script can not be downloaded from the ftp server for further investigation.

If Alwil is not about to provide the key info with regard to what the damaging activity signature it had when Win32:Lnkget was first created, then who knows? I may have to rest my case here. Your help thus far is appreciated nonetheless.
« Last Edit: September 11, 2009, 07:45:54 PM by dude2 »

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2293
Re: Win32:Lnkget or FP?
« Reply #20 on: September 14, 2009, 11:50:03 AM »
Quote
After all, I do not think that you have the key info:
"How malicious is the script from this lnk?" or "what constitutes Win32:Lnkget Trojan?"
I think, that the behavior of the script in the .lnk file was described and the script on ftp server (which is now inaccessible) can be changed anytime, so who knows, what it will be doing? The detection Win32:Lnkget just detects the script in .lnk file, which downloads and runs some another script.



dude2

  • Guest
Re: Win32:Lnkget or FP?
« Reply #21 on: September 14, 2009, 06:03:26 PM »
Quote
After all, I do not think that you have the key info:
"How malicious is the script from this lnk?" or "what constitutes Win32:Lnkget Trojan?"
I think, that the behavior of the script in the .lnk file was described and the script on ftp server (which is now inaccessible) can be changed anytime, so who knows, what it will be doing? The detection Win32:Lnkget just detects the script in .lnk file, which downloads and runs some another script.

Welcome back, Milos. Do you agree to all those references' saying that Trojan downloaders/droppers DO NOT JUST TRY TO DOWNLOAD "SUSPICIOUS SCRIPTS" BUT TO DOWNLOAD AND EXECUTE "MALCIOUS SCRIPTS" BASED ON THE "IDENTIFIED SIGNATURE" OR "DETECTED ABNORMAL BEHAVIOR IN THE FILE EMULATION" PROCESS?

Unless you do not agree with those references, you should have seen the catch. I do not have the  signature of Trojan Win32:Lnkget, when it was built into VPS DB, to show its malicious intention, nor can Avast emulate anything out of nothing downloaded from the ftp server. How can I be sure that there was ever a malicious script on that ftp server? Moreover, how can a failed download process still have what it takes in the signature?

To prove it is not just a hoax or false positive but rather a real threat, especially on a controversial case where 32 out of 41 AV products gave a different opinion, I do encourage Avast to go the extra mile after this much already provided help.

dude2

  • Guest
Re: Win32:Lnkget or FP?
« Reply #22 on: September 19, 2009, 03:59:47 AM »
I dare not to say butter would not melt in the envelop of the suspected email ;), but with Reply#21 unanswered I am not convinced either that Avast's explanations and provided evidences cleared all doubts and proved those 32 AV product vendors giving false negative results.

It seems I may have to present my case with the info received from Avast thus far to third party organizations for their opinions. Win32:Lnkget or FP? I hope the answer will be found and justified soon.

kubecj

  • Guest
Re: Win32:Lnkget or FP?
« Reply #23 on: September 23, 2009, 04:01:04 PM »
Too bad we're still missing your point and we're speding time and resources on this thread.

The point of catching the downloader is to have multi-layered protection. The best way is to catch the downloader and the downloaded stuff. We catch the downloader which is still capable of doing the harm as soon as the site it's pointing to comes alive.

Even if somebody would use the very same lnk obfuscated .bat file for 'legal' reasons, it'd be still detected by us (because of the sheer stupidity of doing so in this way).

We don't care much if other products have false negatives or not, it's their problem, not ours.

I don't think there exists any reason to continue in this thread since everything was said already and we'll stick to our point.