AVs fail Again

Lately I have seen many web downloads, some on forums, some on Rapidshare and also a few torrents such as "Adobe Acrobat 9", that include an installer and a crack.
The installer or crack is in a password-protected RAR file; to get the password, one must run the supplied tool called "XXX Password Generator".

This installs another variant of AntiVirus 2008. I can truly say I can't tell anymore whether it comes from the same guys; OK, of course it's them, but there is just no way they have the manpower to write so many completely different versions!!!
Here are the websites it pops up to purchase from:
It installs its main executable at:
%ProgramFiles%\Antivirus 2008\Antivirus-2008.exe
which, as of today, is detected by 24 of 36 AV vendors:

http://www.virustotal.com/en/analisis/5ca67e83d763a44d2719de3c40ab0086

This malware also adds a scary "DANGER!" iframe to your desktop.htt (the Active Desktop HTML template, which is what Windows renders as the desktop background when Active Desktop is on), so the fake warning sits on the desktop itself. Who would remove this for you?
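As an added example (not the post's code and not the rogue AV's own files), here is how one would check a host for the two indicators the post names, the iframe injected into desktop.htt and the executable dropped under %ProgramFiles%\Antivirus 2008\, and strip the iframe out. The desktop.htt content, the placeholder host name in the iframe, and the temporary directory standing in for %ProgramFiles% are all constructed for the example:

```python
"""Added example: detect and clean the host indicators described in the post.
The sample desktop.htt and the temp directory that stands in for
%ProgramFiles% are constructed here; the iframe host is a placeholder."""
import os
import re
import tempfile
from html.parser import HTMLParser

# Dropped file path named in the post, relative to %ProgramFiles%.
DROPPED_EXE = os.path.join("Antivirus 2008", "Antivirus-2008.exe")

# Constructed desktop.htt: a wallpaper div plus the kind of full-screen
# iframe the rogue injects. example.invalid is a placeholder, not an IOC.
SAMPLE_DESKTOP_HTT = """<html>
<head><title>Active Desktop</title></head>
<body bgcolor="#3a6ea5">
<div id="wallpaper">Wallpaper goes here</div>
<iframe src="http://example.invalid/danger.html" width="100%" height="100%"
        frameborder="0">DANGER! Your computer is infected!</iframe>
</body>
</html>
"""


class IframeFinder(HTMLParser):
    """Collect the src attribute of every <iframe> in a template."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.sources.append(dict(attrs).get("src", ""))


def find_iframes(htt_text):
    """Return the src of each iframe; a clean desktop.htt has none."""
    finder = IframeFinder()
    finder.feed(htt_text)
    return finder.sources


# A full <iframe ...>...</iframe> element, or a bare / self-closed tag.
IFRAME_RE = re.compile(r"<iframe\b.*?</iframe\s*>|<iframe\b[^>]*/?>",
                       re.IGNORECASE | re.DOTALL)


def strip_iframes(htt_text):
    """Return the template with every iframe element removed."""
    return IFRAME_RE.sub("", htt_text)


def check_indicators(program_files, desktop_htt):
    """Report which indicators from the post are present.

    program_files: directory standing in for %ProgramFiles%.
    desktop_htt:   path of the Active Desktop template to inspect.
    Returns a list of (indicator, detail) tuples; empty means clean.
    """
    findings = []
    exe = os.path.join(program_files, DROPPED_EXE)
    if os.path.isfile(exe):
        findings.append(("dropped_exe", exe))
    if os.path.isfile(desktop_htt):
        with open(desktop_htt, encoding="utf-8", errors="replace") as f:
            for src in find_iframes(f.read()):
                findings.append(("desktop_iframe", src))
    return findings


def clean_desktop_htt(desktop_htt):
    """Strip injected iframes from the template in place; return count removed."""
    with open(desktop_htt, encoding="utf-8", errors="replace") as f:
        text = f.read()
    removed = len(find_iframes(text))
    if removed:
        with open(desktop_htt, "w", encoding="utf-8") as f:
            f.write(strip_iframes(text))
    return removed


def demo():
    """Plant both indicators in a temp dir, check, clean, re-check.

    Returns (findings_before, iframes_removed, findings_after).
    """
    with tempfile.TemporaryDirectory() as root:
        pf = os.path.join(root, "Program Files")
        os.makedirs(os.path.join(pf, "Antivirus 2008"))
        with open(os.path.join(pf, DROPPED_EXE), "wb") as f:
            f.write(b"MZ placeholder bytes, not the real dropper")
        htt = os.path.join(root, "desktop.htt")
        with open(htt, "w", encoding="utf-8") as f:
            f.write(SAMPLE_DESKTOP_HTT)
        before = check_indicators(pf, htt)
        removed = clean_desktop_htt(htt)
        after = check_indicators(pf, htt)
    return before, removed, after


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Stripping the iframe removes only one artifact: the dropped executables and whatever rewrites the template have to go as well, or the warning simply comes back on the next run. Note also that the check flags any iframe in desktop.htt, which is a reasonable default since a stock template has none; a host with a customised Active Desktop would need a whitelist.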

It also installed some DLLs and executables which are well known to AVs:

http://www.virustotal.com/en/analisis/3ed55959b67a666973798fa0c35f23f5

http://www.virustotal.com/en/analisis/c44ccd7ef6b11f700a52042bdb09057f

http://www.virustotal.com/en/analisis/ee13a4586807956432b3989534febf60

http://www.virustotal.com/en/analisis/2af01563b34916780ac23799ec1368df

http://www.virustotal.com/en/analisis/0e309871a713b62a6e68a0071ac54b06

http://www.virustotal.com/en/analisis/1f5371eb356e9c893c3dbec8b496641b

http://www.virustotal.com/en/analisis/0d012def38cd3adfe5ada8d7c45b3041

http://www.virustotal.com/en/analisis/0d9eacd2a5c15fb03a91f2b044000bc3

http://www.virustotal.com/en/analisis/bbef207525a04ba4152509a1e458d1e4

There is another variant I found, "AntiMalwareGuard_Free.exe", packed with PECompact 2.xx; relative to the other variants this one counts as detected, with 19 of 36 AV vendors flagging it:

http://www.virustotal.com/en/analisis/c0b7c0498a9b0f684f9e3cbbcc0e5b53

So where is the problem???
The Trojan downloader itself wasn't detected by any vendor, and now, two months after I found it (which means the vendors got the sample from my VirusTotal upload two months ago), it is detected by only 15 AV vendors!!!

http://www.virustotal.com/he/analisis/a38ab04057b44c6bd870ef0446a19a5e

Kaspersky! McAfee! TrendMicro! Panda! F-Secure! Fortinet! Where are you people?!?!?!?!

The malicious guys have no problem replacing the executables on the server side to avoid detection; they even have the manpower to write completely new ones.

  • NoName

    I think this is a good example of why you need to buy software or download open source solutions :)

  • Anonymous

    How about sending those files to :
    Virus_Research@avertlabs.com;virus@avira.com;samples@sophos.com;newvirus@kaspersky.com

    and/or to me?
    And lets get those files detected?

  • MrGutts

    I have seen those same files on a friend's box; once they are on the machine NO AV can get rid of them. Might as well scrub the machine and reinstall.

    The AV companies are being a bunch of corporate slacks in my eyes.

  • Funtime

    This is why I use only open source AV applications compared to corporate AV solutions. Open source AV is more likely to be updated quicker than corporate AV because it is written by, and accepts signatures from, developers who have had a chance to study the malware and create signatures to block it.

  • Mr. Gusten

    Hi,

    Open source AVs might be faster than (some) commercial ones. Look at the stats and history – sometimes ClamAV is faster, sometimes McAfee/Symantec/Trend are faster. Does it really matter?

    1. No AV vendor out there can be fastest every time! Open or closed source – doesn't matter.

    2. NO AV vendor will ever be able to provide 100% coverage! There will always be malicious code out there for which there exists no signature. Most of the malware out there stays "below the radar".

    So in my opinion – signature-based protection (such as AV) is no longer an appropriate protection method.

    /Gus

  • Damage

    Anonymous – missing the point with the direct emails. All the vendors have access to samples submitted to VirusTotal and should be acting on them. They had two months to eval these.

    Mr. Gusten – also missing the point. The post isn't at all about the race for first. It is calling out major vendors whose primary revenue stream is derived from the detection of malware who:
    a. couldn’t/didn’t find common downloaders on their own.
    b. didn’t bother to act on samples of said downloaders when they were submitted to them via VirusTotal.

    Though you are on to something with your last statement. Unfortunately, behavioral detection simply doesn’t cut it either and in reality is often far less effective than even bad sigs.

  • Mr. Gusten

    Damage – ACK on your points with regards to the original post. I totally agree.

    However, I was not commenting on the original post, but mainly on the comments made by FunTime and NoName (as you did), which focused on open source vs. commercial AV.

    Damage – "behavioral detection simply doesn't cut it either and in reality is often far less effective than even bad sigs."

    1. this is really interesting.
    On what facts/sw/solutions do you base this statement?

    Can you provide any detailed statistics on the coverage and track record of protections from behaviour-based solutions (perhaps from '06/'07 or '08) compared to the lead time for AV vendors based on sigs? If yes, I think this would be very interesting factual data.

    2. Where am I missing the point? My statement was that no AV vendor out there can ever be fastest every time or ever provide 100% coverage.

    I did not state that behaviour based solutions are able to do so?

    thanks
    /Gusten