Author Topic: Samples missed by avast (VirusTotal links only!)  (Read 373083 times)

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86919
  • No support PMs thanks
Re: Samples missed by avast (VirusTotal links only!)
« Reply #405 on: August 15, 2011, 03:13:14 AM »
http://www.virustotal.com/url-scan/report.html?id=94986b54cc7a3a6e3abbd5f0b63a9bea-1313356410

Sorry if I'm wrong about it, I'm new to Virustotal.

This surely has nothing to do with missed samples, e.g. files not detected, and your VT results relate to a site check rather than a file?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.9.6034 (build 22.9.7554.734) UI 1.0.728/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37147
  • Not a avast user
Re: Samples missed by avast (VirusTotal links only!)
« Reply #406 on: August 15, 2011, 10:03:29 AM »
Quote
This surely has nothing to do with missed samples, e.g. files not detected, and your VT results relate to a site check rather than a file?
yea......but the infected website is not detected

VirusTotal - html scan
http://www.virustotal.com/file-scan/report.html?id=009bdd5924e151b71cbaf5d3d37bc9bd7e6c3d0ccb0ccf300fd737be81b601a6-1313364210

« Last Edit: August 15, 2011, 10:13:45 AM by Pondus »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86919
  • No support PMs thanks
Re: Samples missed by avast (VirusTotal links only!)
« Reply #407 on: August 15, 2011, 02:18:40 PM »
Which again isn't a sample and not one which you can submit. Surely the whole purpose of this topic was/is to post the link and send the sample to avast for analysis.

Personally I still feel this topic is a waste of time as there is zero follow-up by the poster when the sample is detected. So you might as well cut out the topic middle man and just send it to avast.

Well, going directly to the remote source (superpuperdomain.com/count.php) rather than the suspect origin site, it becomes less and less clear cut, and would need to be reported to avast for further analysis. The script tag after the closing html tag is possibly where the suspicion is, but Sucuri isn't too detailed on exactly what it finds.

See image of complete follow through from the script tag after the closing html tag (on all pages), to the final javascript file in the chain in adsshownow.com.

http://www.virustotal.com/file-scan/report.html?id=ff99d5233e40b1ba7e897172dacf3eae8fd436e3b65e251976ef5a7997f477d3-1313408365

http://www.virustotal.com/file-scan/report.html?id=e0f41a7a5fca244e5d2f3c98a94a39d665f21cca86c89c90662d4f89deaffbaa-1313409355

http://www.virustotal.com/file-scan/report.html?id=c15dd1360da706e839a14a224d4484b43bce90aaa1a7b01ba1aa9df87f16e39d-1313174208

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.9.6034 (build 22.9.7554.734) UI 1.0.728/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
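
The pattern described in the reply above, a script tag placed after the closing html tag and pulling from a remote host, can be checked for mechanically. This is an added example, not part of the original thread or any poster's code; the class and function names and the example.org / example.net hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class TrailingScriptFinder(HTMLParser):
    """Collects <script> elements that occur after the closing </html> tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.after_html_close = False
        self.trailing = []      # one dict per trailing <script>
        self._current = None    # trailing script whose body is being read

    def handle_starttag(self, tag, attrs):
        if tag == "script" and self.after_html_close:
            self._current = {"src": dict(attrs).get("src"), "inline": ""}
            self.trailing.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current["inline"] += data

    def handle_endtag(self, tag):
        if tag == "html":
            self.after_html_close = True
        elif tag == "script":
            self._current = None


def find_trailing_scripts(page_url, html_text):
    """Return findings for scripts placed after </html>, marking off-site sources."""
    finder = TrailingScriptFinder()
    finder.feed(html_text)
    finder.close()
    page_host = urlparse(page_url).hostname
    findings = []
    for script in finder.trailing:
        src = script["src"]
        host = urlparse(urljoin(page_url, src)).hostname if src else None
        findings.append({"src": src, "host": host,
                         "external": host is not None and host != page_host,
                         "inline_length": len(script["inline"].strip())})
    return findings


# Constructed sample page; example.org / example.net are placeholder hosts.
SAMPLE = """<html><head><script src="/js/site.js"></script></head>
<body><p>Hello</p></body></html>
<script src="http://cdn.example.net/count.php"></script>
<script>var a = 1;</script>"""
```

A trailing script is only a lead for further analysis: an off-site `src` in that position still has to be fetched in a sandbox and followed through the chain before it can be called malicious.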

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67235
Re: Samples missed by avast (VirusTotal links only!)
« Reply #409 on: August 20, 2011, 08:53:02 PM »
Thanks for helping improve detection, Polonus.
The best things in life are free.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37147
  • Not a avast user
Re: Samples missed by avast (VirusTotal links only!)
« Reply #413 on: September 10, 2011, 10:20:59 PM »
hmmmmmm........Only the lonely   :-\     did you upload the sample Burkoff ?......if not I have  ;)

or is everyone wrong and avast! correct?

sigcheck:
publisher....: Hades.net.cn
copyright....: Hades
product......: NBA 2K9 Mini Editor
description..: NBA 2K9 Mini Editor
original name: n/a
internal name: n/a
file version.: 1.0.0.0
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned



Well, ThreatExpert says:
Quote
Contains characteristics of an identified security risk. - Severity Level High
http://www.threatexpert.com/report.aspx?md5=d3d5f0c4d959cb24a9b9194213a7a146

« Last Edit: September 10, 2011, 10:43:08 PM by Pondus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33519
  • malware fighter
Re: Samples missed by avast (VirusTotal links only!)
« Reply #414 on: September 10, 2011, 10:53:25 PM »
Hi Pondus,

Or possibly it could not be executed: According to the Unix file command your file is of the following type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit.......
See: http://wepawet.iseclab.org/view.php?hash=381aae8fcce7f9f82278615c4d054d36&t=1315687363&type=js
& http://www.prevx.com/filenames/X461520440149902130-X1/NBA2K9.EXE.html
& http://siteinspector.comodo.com/public/reports/329355

Finally got anubis analysis via direct url scan:
http://anubis.iseclab.org/?action=result&task_id=144bac9e65818aaf415500f4821117490&format=html

polonus
« Last Edit: September 10, 2011, 11:06:09 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37147
  • Not a avast user
Re: Samples missed by avast (VirusTotal links only!)
« Reply #415 on: September 10, 2011, 11:06:47 PM »
Malwarebytes detects it as Virus.Alman

so I guess the detection is good......MBAM fp is rare

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33519
  • malware fighter
Re: Samples missed by avast (VirusTotal links only!)
« Reply #416 on: September 10, 2011, 11:18:51 PM »
Hi Pondus,

Forwarded all info to virus at avast dot com, my friend. There still could be a remote possibility the protective Unix packer is being flagged by the rest of the "av pack", but I tend towards a non-detect more than to a FP.
Good we all helped out again and our initial thanks go out to Burkoff naturally for reporting this. Well, you could see, this non-detect blew his emoticon right out of proportion  ;D

polonus

Burkoff

  • Guest
Re: Samples missed by avast (VirusTotal links only!)
« Reply #419 on: September 15, 2011, 08:37:43 PM »
Hi, polonus

NBA2K9.exe No added !  ??? ::)

China url block.