Author Topic: Samples missed by avast (VirusTotal links only!)  (Read 373122 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33519
  • malware fighter
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33519
  • malware fighter
Re: Samples missed by avast (VirusTotal links only!)
« Reply #316 on: March 21, 2011, 07:00:25 PM »
This parasitic virus that infects Win32 PE executable files is missed by avast, see: http://www.virustotal.com/url-scan/report.html?id=0fada3e4220ae5e9bb7e9a0f255115de-1300726070
file analysis: http://www.virustotal.com/url-scan/report.html?id=0fada3e4220ae5e9bb7e9a0f255115de-1300726070
= 2011-03-21 16:52:06   htxp://nutromchuu.co.cc/release/d2f0b5c46987429e2ad87a745a130a92/Internet-Explorer_update.exe   2D7307DCB9E615FFD1A28C3089F9CA4A   46 . 16. 240. 3    UA   JSSality.AO
See: http://wepawet.iseclab.org/view.php?hash=0fada3e4220ae5e9bb7e9a0f255115de&t=1300729945&type=js  (suspicious)
Accompanying Anubis report to be found here: http://anubis.iseclab.org/?action=result&task_id=1cd3f576f2e1d72d4b1515c19f4c57216
see: htxp://jsunpack.jeek.org/dec/go?report=519636b9a472c69744b37908c41fe4409ab1c24c (this link only for experienced users)

polonus
« Last Edit: March 21, 2011, 07:04:39 PM by polonus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33519
  • malware fighter
Re: Samples missed by avast (VirusTotal links only!)
« Reply #317 on: March 21, 2011, 10:43:19 PM »
Here this suspicious IRCBot malware was not detected. Resides here: 2011-03-13 01:49:03   hxtp://www.etoro.com/SDL/typeC/eToro1140.EXE   AA34FA609C772A1A75960912A863E7AC   188. 95. 97. 212   NL   PHPIRCBOT.CE   

See url scan: http://www.virustotal.com/url-scan/report.html?id=58a3500d79093f8d48f351b8b2618894-1300739399
File analysis scan: http://www.virustotal.com/file-scan/report.html?id=6492099ee8a84d0a6e7c9152d44517444a8906244197a8453be52b29830c3311-1300743017
Suspicious: http://wepawet.iseclab.org/view.php?hash=58a3500d79093f8d48f351b8b2618894&t=1300743150&type=js
Anubis report: http://anubis.iseclab.org/?action=result&task_id=152b9df0e8a5515c4ed6a81498033f41c
 
Sig buster output: Wise_Installer vna SN:1361

another example of PHPIRCBOT.CE can be found here:
 htxp://2gov.co.cc/pk2/ktytyvjlfli see for this: http://www.malware.pl/report/195.80.151.83

polonus
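The record lines pasted in the two replies above share one layout: timestamp, defanged URL, MD5, defanged IP (spaces inserted), country code and malware family name. The following is an added example, not code from this thread or from avast, that parses such lines into validated IOC records a defender can match against proxy logs; the six-field layout is an assumption drawn from the posts, and the sample lines are constructed (example.com hosts, RFC 5737 addresses, made-up hashes).

```python
"""Parse defanged malware-sample records (timestamp, defanged URL, MD5,
defanged IP, country code, family) into structured, validated IOC records.
Added example; field layout assumed from the thread, sample lines constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Fields in the pasted records are separated by runs of two or more spaces;
# the timestamp and the defanged IP contain only single spaces, so they survive.
FIELD_SEP = re.compile(r"\s{2,}")
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
# Accepts defanged scheme spellings used in the thread (htxp, hxtp), hxxp, and plain http(s).
DEFANGED_SCHEME = re.compile(r"^h[xt]{2}ps?://", re.IGNORECASE)


@dataclass
class IocRecord:
    seen: str
    url: str        # kept defanged on purpose; never turned back into a clickable link
    host: str
    md5: str
    ip: str
    country: str
    family: str


def refang_ip(text: str) -> str:
    """'46 . 16. 240. 3' -> '46.16.240.3'; raises ValueError if not a valid IPv4 address."""
    candidate = re.sub(r"\s+", "", text)
    return str(ipaddress.IPv4Address(candidate))


def host_of_defanged_url(url: str) -> str:
    """Extract the hostname from a defanged URL without refanging the URL itself."""
    if not DEFANGED_SCHEME.match(url):
        raise ValueError(f"unexpected URL scheme: {url}")
    # A neutral scheme is swapped in only for parsing; the record keeps the original string.
    parsed = urlsplit("http://" + url.split("://", 1)[1])
    if not parsed.hostname:
        raise ValueError(f"no host in URL: {url}")
    return parsed.hostname.lower()


def parse_record(line: str) -> Optional[IocRecord]:
    """Parse one record line; returns None for malformed lines instead of raising."""
    parts = FIELD_SEP.split(line.strip())
    if len(parts) != 6:
        return None
    seen, url, md5, ip, country, family = parts
    if not MD5_RE.match(md5):
        return None
    try:
        return IocRecord(seen, url, host_of_defanged_url(url), md5.lower(),
                         refang_ip(ip), country.upper(), family)
    except ValueError:
        return None


def parse_records(text: str) -> List[IocRecord]:
    """Parse a block of pasted lines, silently skipping anything that is not a record."""
    return [r for r in (parse_record(l) for l in text.splitlines()) if r is not None]


def match_hosts(records: List[IocRecord], observed_hosts: List[str]) -> List[str]:
    """Return the observed hostnames (e.g. from a proxy log) that appear in the IOC set."""
    known = {r.host for r in records}
    return sorted({h.lower() for h in observed_hosts if h.lower() in known})


# Constructed sample records: example domains, RFC 5737 addresses, made-up hashes.
# Line 3 is deliberately not a record and line 4 carries an invalid hash.
SAMPLE = """\
2011-03-21 16:52:06   htxp://update.example.com/release/update.exe   0123456789abcdef0123456789abcdef   192 . 0. 2. 10    UA   JSSality.AO
2011-03-13 01:49:03   hxtp://www.example.net/SDL/typeC/installer.EXE   ABCDEF0123456789ABCDEF0123456789   198. 51. 100. 7   NL   PHPIRCBOT.CE   
this line is not a record at all
2011-03-14 10:00:00   hxxp://bad.example.org/x.exe   notahash   203.0.113.5   US   Generic
"""

if __name__ == "__main__":
    records = parse_records(SAMPLE)
    for rec in records:
        print(rec)
    print(match_hosts(records, ["WWW.EXAMPLE.NET", "example.com"]))
```

The URL is kept defanged in the record and only the hostname and IP are normalised, which is enough for log matching while keeping the pasted link from becoming clickable in any tooling that consumes the output.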

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33519
  • malware fighter
Re: Samples missed by avast (VirusTotal links only!)
« Reply #319 on: March 26, 2011, 03:25:01 PM »
Nice find, Marc57,

Good to give a couple of the resources where this malware is treated:
htxp://malc0de.com/database/index.php?search=KR&CC=on
Go there only if you are security aware enough and know what not to click and better even what not...
and then we will land here:
htxp://malc0de.com/database/index.php?search=vaccinescan_set (for experienced users only)
where we have 5 variants with ThreatExpert reports.
If we do a bit of reconnaissance we see the malware site 124. 217. 218. 10 is down, so that makes the
find a bit more irrelevant. But there seems still activity from there:

htxp://down.rprotect.co.kr/rprotect/rpwacherh.dll
trojan fake-alert see: http://www.virustotal.com/latest-report.html?resource=f920958410f6ebaddfc9a1a4d66db082
which avast naturally detects as Win32:Adware-gen.
Do not visit that site, because it also infects with Win32:Virtob
see: http://www.virustotal.com/file-scan/report.html?id=9f1410c3796ddf9348f7a0bcc85a381b500d639b550918797f2abbd65e47a1d1-1299580539
So also neatly detected by good old avast, because we can only detect what is there,
and dead links or malware sites that have been brought down do not count...
But let us see if "vaccinescan_set_etc." resides somewhere else and is alive?
4 alive of 5 found at malware for domain search:
virustotal reports for the live ones are not very, very promising,
so we see how important Marc57's posting was:
http://www.virustotal.com/file-scan/report.html?id=395feefcaa6ab9a02d489bbe03826e6df1bb6cda20087bc4dfec471341ddfa85-1300866728
&
http://www.virustotal.com/file-scan/report.html?id=8212515ad446410f6d47e9eae6eb4906fa9532b5e4952b28d843fd86b5dccfb5-1300853172
&
http://www.virustotal.com/file-scan/report.html?id=21b7dfcc8b2572ab78a30e4e7974a60998841c7d8ef7f746310d0813c6cdb445-1300853156
&
here detection is slightly better with 10/42 (23.8%)
but avast misses it altogether:
http://www.virustotal.com/file-scan/report.html?id=bf12984f90b2c8afb8f3b5a5149eabc9c979a61736b2f414d444b6903a4135d3-1301117268

So sometimes it is worth delving a bit deeper with our cold reconnaissance methods,

polonus
« Last Edit: March 27, 2011, 12:51:06 AM by polonus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33519
  • malware fighter
Re: Samples missed by avast (VirusTotal links only!)
« Reply #320 on: March 26, 2011, 09:38:39 PM »
Oh and just another thing, if you know where to look, you can even find some binaries for the malware that
Marc57 found, let's see, here:  http://report.xandora.net/xangui/malware/view/efaeff5a90c6173b0b92d338b598f2f6

polonus

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67235
Re: Samples missed by avast (VirusTotal links only!)
« Reply #327 on: May 04, 2011, 02:43:49 PM »
Thanks Burkoff for helping improve detection :)
The best things in life are free.
