Author Topic: Samples missed by avast (VirusTotal links only!)  (Read 377481 times)



true indian

  • Guest
Re: Samples missed by avast (VirusTotal links only!)
« Reply #781 on: May 24, 2012, 10:33:29 AM »
PowerBackupandRestoreSetup Rogue as given here:
https://www.virustotal.com/file/0eb6c55cf33e5eb5df9421668e053492/analysis/

See: http://zulu.zscaler.com/submission/show/86fe042ecff6fb676437e9aea6199675-1337848118

Detection missed!

reported to avast! with the link to sites hosting malware  ;)

Uploading sample to MBAM now  ;D

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33582
  • malware fighter
Re: Samples missed by avast (VirusTotal links only!)
« Reply #782 on: May 24, 2012, 02:08:30 PM »
Hi true indian,

Again a questionable one as I will explain below.
Given as non-malicious here: htxp://www.isthisfilesafe.com/md5/0EB6C55CF33E5EB5DF9421668E053492_details.aspx

Maybe a detection was flagged because the program is protected against reverse engineering with modern-wizard.bmp, which some scanners
will flag as a possible malware packer, but actually comes virus-free, and because of the presence of "checkver104.exe
& ioSpecial.ini" / silent installer, also sometimes flagged, depending on the location of it.

Scanning htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe with DrWeb's online check turns up these results,
on some occasions commented by me at the end of the scan lines....

Engine version: 7.0.2.4281
Total virus-finding records: 2874792
File size: 962.25 KB
File MD5: 0eb6c55cf33e5eb5df9421668e053492

htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe - archive NSIS (NSIS packer identified by Fprot packer identifier)
>htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/script.bin - Ok
>htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/_=9A=80\ioSpecial.ini - Ok
>htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/_=9A=80\modern-wizard.bmp - Ok
>htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/AutoBackup.exe - Ok
>htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/Backup.dll - Ok
>htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/FileBackup.dll - Ok
>htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/FolderTree.dll - Ok (validity should be checked)
>htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/IrisSkin2.dll - Ok  (Sunisoft - safe)
>htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/LogViewer.exe - Ok  (- Module'
>htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/PowerBackupandRestore.exe - Ok
>htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/SimpleSync.dll - Ok (location should be verified)
>htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/CheckVer104.exe - archive BINARYRES
>>htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/CheckVer104.exe/data001 - Ok
>>htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/CheckVer104.exe/data002 - archive JS-HTML
>>>htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/CheckVer104.exe/data002/JSTAG_1[9][8c] - Ok
>>htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/CheckVer104.exe/data002 - Ok
>htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/CheckVer104.exe - Ok
>htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/_=9A=80\iOClean.ini - Ok  / silent installer, could evoke Sandbox alert
>htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/_=9A=80\InstallOptions.dll - Ok
>htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/_=9A=80\ExecDos.dll - Ok
>hxtp://www.applicationbox.info/PowerBackupandRestoreSetup.exe/_=9A=80\System.dll - Ok
htxp://www.applicationbox.info/PowerBackupandRestoreSetup.exe - Ok

Typical executable flagged by Emsisoft, malware active since 012-05-18 08:10:59 - other instances from other domains closed.
Analysis see:
http://camas.comodo.com/cgi-bin/submit?file=9a0dd7a6e08b7476fde0dc774b72d0e8cd780883bd53a2747c078eab6ef0e4c7
a variant of Win32/Agent.SZW
Bitdefender flagged this variant of Win32/Agent.SZW as ROJ_LOWZONE.BMC (backdoor)

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
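The DrWeb listing quoted above nests its verdicts by a leading run of `>` characters, opens each container with an "archive ..." line and closes it again with the same path once the members have been scanned, and sometimes carries a reviewer's comment after "Ok". The parser below is an added example (not code from the post or from DrWeb) that reads that shape into a tree and separates genuinely flagged members from clean-but-annotated ones; the sample listing embedded in it is constructed, with a made-up host name and file names, and the line format is assumed from the quoted output.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the shape of the DrWeb online-check output quoted in
# the post: '>' depth prefixes, "path - verdict", and a closing line for each
# container once its members have been scanned. Host and names are made up.
SAMPLE_OUTPUT = """\
Engine version: 0.0.0.0
File size: 1 KB
htxp://host.invalid/Setup.exe - archive NSIS
>htxp://host.invalid/Setup.exe/script.bin - Ok
>htxp://host.invalid/Setup.exe/CheckVer.exe - archive BINARYRES
>>htxp://host.invalid/Setup.exe/CheckVer.exe/data001 - Ok
>>htxp://host.invalid/Setup.exe/CheckVer.exe/data002 - archive JS-HTML
>>>htxp://host.invalid/Setup.exe/CheckVer.exe/data002/JSTAG_1 - Ok
>>htxp://host.invalid/Setup.exe/CheckVer.exe/data002 - Ok
>htxp://host.invalid/Setup.exe/CheckVer.exe - Ok
>htxp://host.invalid/Setup.exe/Helper.dll - Ok (location should be verified)
>htxp://host.invalid/Setup.exe/bad.dll - infected with Constructed.Test.Name
htxp://host.invalid/Setup.exe - Ok
"""

# Assumed line format: optional '>' run, path without spaces, " - ", verdict.
LINE_RE = re.compile(r"^(?P<depth>>*)(?P<path>\S+) - (?P<verdict>.+?)\s*$")


@dataclass
class ScanEntry:
    depth: int
    path: str
    verdict: str                          # verdict on the line that introduced the entry
    final_verdict: Optional[str] = None   # closing-line verdict, containers only
    children: List["ScanEntry"] = field(default_factory=list)


def parse_drweb_output(text: str) -> List[ScanEntry]:
    """Turn the nested scan listing into a tree of ScanEntry objects."""
    roots: List[ScanEntry] = []
    stack: List[ScanEntry] = []  # containers currently open, outermost first
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # header lines (engine version, size, MD5) carry no verdict
        depth, path, verdict = len(m.group("depth")), m.group("path"), m.group("verdict")
        while stack and stack[-1].depth > depth:
            stack.pop()  # anything deeper than this line is finished
        if stack and stack[-1].depth == depth and stack[-1].path == path:
            stack[-1].final_verdict = verdict  # closing line of the open container
            stack.pop()
            continue
        node = ScanEntry(depth, path, verdict)
        (stack[-1].children if stack else roots).append(node)
        if verdict.startswith("archive"):
            stack.append(node)  # its members follow one level deeper
    return roots


def walk(entries: List[ScanEntry]):
    for e in entries:
        yield e
        yield from walk(e.children)


def is_clean(verdict: str) -> bool:
    return verdict.split()[0] == "Ok"  # "Ok (reviewer comment)" still counts as clean


def summarize(text: str) -> Dict[str, object]:
    """Flatten the tree into what a reviewer wants to see at a glance."""
    roots = parse_drweb_output(text)
    containers, flagged, annotated = [], [], []
    for e in walk(roots):
        if e.verdict.startswith("archive"):
            containers.append(e.verdict.split()[1])  # packer/container type, e.g. NSIS
            if e.final_verdict is not None and not is_clean(e.final_verdict):
                flagged.append((e.path, e.final_verdict))
        elif not is_clean(e.verdict):
            flagged.append((e.path, e.verdict))
        elif e.verdict != "Ok":
            annotated.append((e.path, e.verdict))  # clean, but someone left a note
    return {
        "containers": containers,
        "flagged": flagged,
        "annotated": annotated,
        "members": sum(1 for _ in walk(roots)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_OUTPUT).items():
        print(key, value)
```

Run on the listing in the post, the summary shows exactly what polonus argues: three nested container types (the NSIS installer, a binary-resource archive inside CheckVer104.exe and a JS-HTML blob inside that) and no member with a non-clean verdict, only clean entries that carry a reviewer's note. A packer identification is not a detection; the distinction is what the parser makes explicit.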

true indian

  • Guest
Re: Samples missed by avast (VirusTotal links only!)
« Reply #783 on: May 24, 2012, 02:13:51 PM »
That does seem an interesting one, pol... I will surely upload this sample to Comodo Valkyrie and check if we have anything to be detected  :)

Thanks for the reports and analysis  ;)

Offline polonus

Re: Samples missed by avast (VirusTotal links only!)
« Reply #784 on: May 24, 2012, 02:24:43 PM »
Hi true indian,

What I mean to say is that it is interesting, as all file analysis for malcode is in my view, but i.m.o. this detection does not qualify to be added to avast detection.
Emsisoft's and others' detection is based on a false interpretation of resource engineering protection and packer evaluation. The analysis that flags it is just not good enough to give the right interpretation, and the malware and backdoor status is location dependent. All seems right there. At the end of the day it might well be this is a false positive, but leave the final verdict to avast analysts.
I for one would qualify it as a PUP detection, not more, see -
htxp://anubis.iseclab.org/?action=result&task_id=185ec922d48bb01141d5963d0c58bd1d9&format=html

polonus
« Last Edit: May 24, 2012, 02:34:17 PM by polonus »

Offline polonus

Re: Samples missed by avast (VirusTotal links only!)
« Reply #785 on: May 24, 2012, 09:08:14 PM »
New undetected:
hxtp://urlquery.net/report.php?id=59292
but found malicious
htxp://zulu.zscaler.com/submission/show/5b124e86cc043c9d5a27951ccda33296-1337885769
hxtps://www.virustotal.com/url/e74c423163a1c2a577817added8452bf77f3907a65cff6bb726a44d594da3d6b/analysis/1337885933/
file scan gave: https://www.virustotal.com/file/ee093983a238538765e23737bdd82e8296fa895f27dbc532150accee74534c8b/analysis/1337885946/
a generic dropper detection for a variant of MSIL/Injector.ACV
reported to virus AT avast dot com.

polonus

Offline polonus

Re: Samples missed by avast (VirusTotal links only!)
« Reply #786 on: May 25, 2012, 03:44:12 PM »
See: htxps://www.virustotal.com/url/d957ed47e8e37a165ea08052eda3d435e86c62ffadcc7fc44d4d595f45cc9c3e/analysis/
and
htxps://www.virustotal.com/file/ee51df51d91daa155caf8b167d6966e65c3587347a207380b5449e1582f200f7/analysis/

polonus

true indian

  • Guest
Re: Samples missed by avast (VirusTotal links only!)
« Reply #787 on: May 25, 2012, 07:20:56 PM »
Rogue - Windows Safety Maintenance
https://www.virustotal.com/file/b388e80f7a73523a0861115a6d59070627e237ef0dc3c94373ab267776c7c55f/analysis/

reported to avast!  ;)

EDIT: Detection added
« Last Edit: May 27, 2012, 08:47:46 AM by true indian »

Offline polonus

Re: Samples missed by avast (VirusTotal links only!)
« Reply #790 on: May 27, 2012, 01:59:40 AM »
Even from the VT link I can reconstruct the original malware site for that detection. Let me guess, it was this one htxp://zulu.zscaler.com/submission/show/8fe6f00a94e39973e4c97060f369deef-1338076028
accompanying VT scan: htxps://www.virustotal.com/file/f92bda7141b962e1eee36d2d54dd22a03ea27c0dee6924eeba96baedea85961c/analysis/
somewhat earlier than yours. But as you give an identifiable hash together with a searchable file name, I could do the reconstruction via
htxp://minotauranalysis.com/search.aspx?q=4d2ea30db117d9689f3d4718bbe44ebc
and what I can do others can do. It does not take rocket science to do this reconstruction to find the non-detection URL!
So I agree with and lean more and more towards DavidR's point of view: first send a sample and VT results
to virus At avast dot com, and try to be restrictive with info here until detection has been added.

polonus
« Last Edit: May 27, 2012, 02:02:23 AM by polonus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37161
  • Not an avast user
Re: Samples missed by avast (VirusTotal links only!)
« Reply #791 on: May 28, 2012, 09:37:13 PM »
found by Chabbo.... on Fake scan site

jotti
http://virusscan.jotti.org/en/scanresult/a2976e42d5d70b9d725f3c634aaa310f1bdad145

detected by Malwarebytes as Trojan.Dropper

uploaded to avast and SAS     ;)

Offline polonus

Re: Samples missed by avast (VirusTotal links only!)
« Reply #793 on: May 29, 2012, 12:19:00 PM »
Java/Exploit.CVE-2012-0507.AP as reported by true indian is known to be a malicious backdoor Trojan, which runs without user knowledge and allows remote access to a PC for cyber criminals. This malware uses various files that exploit Java vulnerabilities. When it infects your system, hackers might get access to personal information like passwords or files.

Trojan.Maljava has the ability to block some programs from running, to make you think that your PC is at high risk. Every file of it is considered to be malicious, so if you find any - remove it as soon as possible under the guidance of a qualified removal expert.
On Vista & Win 7 malcode files can be found as:
%AllUsersProfile%\~[random]
%AllUsersProfile%\~[random]r
%AllUsersProfile%\[random].dll
%AllUsersProfile%\[random].exe
%AllUsersProfile%\[random]
%AllUsersProfile%\[random].exe
%UserProfile%\Desktop\Trojan.maljava.lnk
%UserProfile%\Start Menu\Programs\Trojan.maljava\Uninstall Trojan.maljava.lnk
%UserProfile%\Start Menu\Programs\Trojan.maljava\Trojan.maljava.lnk

To be protected, always make sure you have the latest Java version installed if you have Java installed, so you are not vulnerable; check: http://www.java.com/nl/download/installed.jsp

polonus
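The file locations listed above split naturally into two kinds of indicator: the Trojan.maljava .lnk entries have fixed names and are a strong signal on their own, while the `~[random]` and `[random].dll`/`.exe` entries under %AllUsersProfile% only describe a pattern and need a human look. The sweep below is an added example, not code from the post, that checks both kinds against a pair of profile directories passed in; `sweep_live()` is an assumed convenience wrapper that reads the real Windows environment, and `build_constructed_tree()` lays out a constructed directory so the demo runs offline on any platform.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Locations quoted in the post, with the [random] parts written as glob
# patterns. Exact names are relative to %UserProfile%, globs to %AllUsersProfile%.
EXACT_USERPROFILE_PATHS = [
    "Desktop/Trojan.maljava.lnk",
    "Start Menu/Programs/Trojan.maljava/Uninstall Trojan.maljava.lnk",
    "Start Menu/Programs/Trojan.maljava/Trojan.maljava.lnk",
]
ALLUSERS_GLOBS = ["~*", "*.dll", "*.exe"]  # ~[random], ~[random]r, [random].dll/.exe


def sweep(all_users_profile: Path, user_profile: Path) -> Dict[str, List[str]]:
    """Return exact-name hits (strong signal) and pattern hits (need review)."""
    exact = [rel for rel in EXACT_USERPROFILE_PATHS if (user_profile / rel).is_file()]
    candidates = set()  # a file such as "~x.exe" matches two globs; report it once
    for pattern in ALLUSERS_GLOBS:
        for p in all_users_profile.glob(pattern):  # top level only, as the post lists them
            if p.is_file():
                candidates.add(p.name)
    return {"exact": exact, "candidates": sorted(candidates)}


def sweep_live() -> Dict[str, List[str]]:
    """Assumed wrapper: run against the current Windows user's real profile directories."""
    all_users = Path(os.environ.get("ALLUSERSPROFILE", r"C:\ProgramData"))
    return sweep(all_users, Path.home())


def build_constructed_tree(all_users: Path, user: Path) -> None:
    """Constructed layout: two of the three .lnk indicators, four wildcard hits, two decoys."""
    for rel in (EXACT_USERPROFILE_PATHS[0], EXACT_USERPROFILE_PATHS[2]):
        target = user / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"")
    all_users.mkdir(parents=True)
    for name in ("~ab12", "~ab12r", "xk9q.dll", "xk9q.exe", "readme.txt"):
        (all_users / name).write_bytes(b"")       # readme.txt matches no pattern
    (all_users / "~tmpdir").mkdir()               # matches "~*" but is a directory, so skipped


def demo() -> Dict[str, List[str]]:
    """Run the sweep over the constructed tree inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        all_users = Path(tmp) / "ProgramData"
        user = Path(tmp) / "Users" / "alice"
        build_constructed_tree(all_users, user)
        return sweep(all_users, user)


if __name__ == "__main__":
    for kind, hits in demo().items():
        print(kind, hits)
```

On a real machine the "candidates" list will contain legitimate files too, since plenty of software drops DLLs into %AllUsersProfile%; the point of keeping the two lists apart is that an exact .lnk hit justifies escalation on its own, while a candidate only justifies checking the file's signature, origin and timestamps.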