Author Topic: Samples missed by avast (VirusTotal links only!)  (Read 347853 times)

0 Members and 1 Guest are viewing this topic.

Offline True Indian

  • Malware Hunter
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 710
  • A Good Old Indian!
Re: Samples missed by avast (VirusTotal links only!)
« Reply #795 on: May 31, 2012, 06:24:02 AM »
« Last Edit: June 01, 2012, 05:48:09 PM by true indian »

Offline True Indian

  • Malware Hunter
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 710
  • A Good Old Indian!
Re: Samples missed by avast (VirusTotal links only!)
« Reply #796 on: May 31, 2012, 05:40:49 PM »
« Last Edit: June 01, 2012, 05:47:52 PM by true indian »

Offline True Indian

  • Malware Hunter
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 710
  • A Good Old Indian!
Re: Samples missed by avast (VirusTotal links only!)
« Reply #797 on: May 31, 2012, 06:49:22 PM »
Windows Antivirus Rampart - FakeVimes

https://www.virustotal.com/file/4d0a1e0213904a7d397d51e38c4aaed26f8824984e9ca162505ea22a9ffae15c/analysis/

reported to avast!  ;)

EDIT: detection added
« Last Edit: June 01, 2012, 05:18:47 PM by true indian »

Offline True Indian

  • Malware Hunter
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 710
  • A Good Old Indian!
Re: Samples missed by avast (VirusTotal links only!)
« Reply #798 on: June 01, 2012, 07:22:59 PM »
 Windows Malware Firewall - new FakeVimes rogue

https://www.virustotal.com/file/b4d5db39daf38597453fb3acb9c403976fea86508b599e506d144ac42206d70b/analysis/

reported to avast!

edit: detection added
« Last Edit: June 03, 2012, 07:21:59 AM by true indian »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33261
  • malware fighter
Re: Samples missed by avast (VirusTotal links only!)
« Reply #799 on: June 01, 2012, 10:30:07 PM »
Missed JExploiS/t-Blacole.cx /fake LinkedIn Spam lrading to this malware via CVE-2011-3521 vuln, see: htxps://www.virustotal.com/file/d3af335637df9a1b29b9ed5e1cc0db6e60f313039ec758bfccfe0acebfb1e8d8/analysis/
see: htxp://zulu.zscaler.com/submission/show/e99c8ecf9c2b888f079a9ef0655ee90e-1338581545
IP address: 187.85.160.106, 184.106.200.65, 50.57.88.200, 50.57.43.49

Also found here that there was LinkedIn spam
Sop the payload is also here:

The payload is on immerialtv dot ru:8080/forum/showthread.php?page=5fa58bce769e5c2c  hosted on the following IPs:

50.57.43.49 (Slicehost, US)
50.57.88.200 (Slicehost, US)
184.106.200.65 (Slicehost, US)
187.85.160.106 (Ksys Soluções Web, Brazil)  See this address for our find

Plain list for copy-and-pasting:
50.57.43.49
50.57.88.200
184.106.200.65
187.85.160.106

all this reported to virus AT avast dot com

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33261
  • malware fighter
Re: Samples missed by avast (VirusTotal links only!)
« Reply #800 on: June 01, 2012, 10:34:23 PM »
Another one here, Trojan:JS/BlacoleRef.W missed: htxp://zulu.zscaler.com/submission/show/f58b27f17b497ce2c367cb12a7694ff5-1338582640
see VT results -> htxps://www.virustotal.com/file/38addb00e677ec62da4d04da6344107aeaa00ba204ab3f02d9806d3e0284e85d/analysis/
see: htxp://urlquery.net/report.php?id=62312  mdl_Leads to exploit kit detected 2012-06-01 13:22:00 live malware,
which avast should normally detect as HTML:RedirME-inf [Trj]
 Detected BlackHole exploit kit HTTP GET request
- Detected malicious injected iframe -> iframe src='htxp://mazdaforumi.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c
(the one we reported in the previous posting)
We see this is an ongoing problem through a malware campaign (5 hrs ago, 6 hrs ago) when we search for: htxp://www.google.nl/search?sugexp=chrome,mod=9&ix=h9&sourceid=chrome&ie=UTF-8&q=iframe+src%3D'http%3A%2F%2Fmazdaforumi.ru%3A8080%2Fforum%2Fshowthread.php%3Fpage%3D5fa58bce769e5c2c

reported to virus AT avast dot com,

polonus
« Last Edit: June 01, 2012, 11:25:58 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33261
  • malware fighter
Re: Samples missed by avast (VirusTotal links only!)
« Reply #801 on: June 01, 2012, 11:54:46 PM »
Another Trojan:JS/BlacoleRef.W, not detected, htxps://www.virustotal.com/file/07ca7776a566cc872c2fd0602da135072e780a10b062175e00c2710f3f63a365/analysis/
from: htxp://zulu.zscaler.com/submission/show/af5d670395a65113f12e98337f95bb64-1338587387
see: htxp://urlquery.net/queued.php?id=62630
- Detected BlackHole exploit kit HTTP GET request
- Detected malicious injected iframe

reported to virus AT avast dot com
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Re: Samples missed by avast (VirusTotal links only!)
« Reply #802 on: June 02, 2012, 12:03:09 AM »
Hi Polonus,

Not a new exploit method given in your post regarding "wire-transfer.htm".

I've seen the exact algorithm somewhere else.
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33261
  • malware fighter
Re: Samples missed by avast (VirusTotal links only!)
« Reply #803 on: June 02, 2012, 12:17:34 AM »
Hi !Donovan,

Well then they are running a new campaign with this again. So old wine in new sacks, so to say. Thanks for your evaluation.
I just report what I see happening while scanning and when I cannot get a avast detection, I immediately report back to the avast base,
well analysts. I think you are developing a very good "feel" for the various varieties of malcoded scripts out there,
as it is inspiring for both of us,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline True Indian

  • Malware Hunter
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 710
  • A Good Old Indian!
« Last Edit: June 03, 2012, 07:00:29 AM by true indian »

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline True Indian

  • Malware Hunter
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 710
  • A Good Old Indian!
Re: Samples missed by avast (VirusTotal links only!)
« Reply #806 on: June 03, 2012, 07:07:15 AM »
Hi Friends,

found by makcunknown

trojan ransom.
https://www.virustotal.com/file/d5faa80f5c8c083d37bc276f5dfe1598599fa07f67e8c9d55bbf8c41caa5bb62/analysis/

reported to avast!

EDIT: detection added
« Last Edit: June 07, 2012, 08:39:38 AM by true indian »

Offline JuninhoSlo

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 849

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33261
  • malware fighter
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."