
View Full Version : ThreatFire fails to detect a malware


sach1000rt
September 3rd, 2007, 08:46 AM
I got a virus yesterday on a flash drive, so I just copied it to my hard disk to test it against ThreatFire. I have tested ThreatFire with many malware samples and ThreatFire detected all of them so far. But yesterday it was a surprise: ThreatFire didn't detect anything, not a single malicious behavior.
I know that no software has 100% detection or something like that, but the virus was strong. It disabled Task Manager, Folder Options, regedit.exe and the firewall.
I just got the RTL utility, which re-enables all of these, and then I just got rid of that virus, which had slowed down my PC. And thanks to FirstDefense-ISR the PC is alright now.

Does anyone know how to submit it to the ThreatFire team?
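A defender-side check for the lockouts the post above describes (Task Manager, Folder Options, regedit, firewall), as an added example that is not from this thread or from any product mentioned in it. The registry key paths and value names are assumptions from general Windows knowledge rather than something the thread states, and the "infected" snapshot is constructed to imitate the poster's description.

```python
# Defender-side check for the policy lockouts the first post describes (Task
# Manager, Folder Options, regedit, firewall). Added example; the key paths and
# value names are general Windows knowledge, not something the thread states.
POLICIES = r"Software\Microsoft\Windows\CurrentVersion\Policies"
FIREWALL = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
            r"\FirewallPolicy\StandardProfile")

# (hive, key, value name, locked_when_nonzero): Disable*/No* values lock
# when non-zero; EnableFirewall means "locked" (firewall off) when zero.
LOCKOUT_POLICIES = [
    ("HKCU", POLICIES + r"\System", "DisableTaskMgr", True),
    ("HKCU", POLICIES + r"\System", "DisableRegistryTools", True),
    ("HKCU", POLICIES + r"\Explorer", "NoFolderOptions", True),
    ("HKLM", FIREWALL, "EnableFirewall", False),
]

def find_lockouts(snapshot):
    """snapshot maps (hive, key, name) -> DWORD data, or None when absent.
    Returns the value names whose data currently enforces a lockout."""
    hits = []
    for hive, key, name, locked_when_nonzero in LOCKOUT_POLICIES:
        data = snapshot.get((hive, key, name))
        if data is not None and (data != 0) == locked_when_nonzero:
            hits.append(name)
    return hits

def read_live_snapshot():
    """Read the real values on Windows; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snap = {}
    for hive, key, name, _ in LOCKOUT_POLICIES:
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                snap[(hive, key, name)] = int(winreg.QueryValueEx(k, name)[0])
        except OSError:  # key or value missing: default policy, no lockout
            snap[(hive, key, name)] = None
    return snap

# Constructed snapshot imitating the state the original poster described.
INFECTED_SNAPSHOT = {
    ("HKCU", POLICIES + r"\System", "DisableTaskMgr"): 1,
    ("HKCU", POLICIES + r"\System", "DisableRegistryTools"): 2,
    ("HKCU", POLICIES + r"\Explorer", "NoFolderOptions"): 1,
    ("HKLM", FIREWALL, "EnableFirewall"): 0,
}
```

On a Windows host, `find_lockouts(read_live_snapshot())` reports which of the four lockouts is currently in force; elsewhere the constructed snapshot exercises the same logic.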

19monty64
September 3rd, 2007, 11:02 AM
http://www.pctools.com/threat-expert/submit/ would be the place!

interact
September 3rd, 2007, 12:24 PM
sach1000rt,

Do you have the name of the virus that bypassed Threatfire? It's always useful for testing :shifty:

~interact

sach1000rt
September 3rd, 2007, 02:29 PM
Avira detects it as W32.Sohanand.R; it's a hidden file and has a Windows folder icon.

Rasheed187
September 3rd, 2007, 04:28 PM
Hi,

Can you perhaps send me this malware? I would like to see how other HIPS react. TIA. ;)

ronjor
September 3rd, 2007, 04:41 PM
No malware trading on the forums. Use email for such activities. Thanks.

interact
September 3rd, 2007, 07:07 PM
sach1000rt,

I think I've found 3 variations of the virus you found. I tested it against a number of different types of HIPS solutions as per Rasheed187's comment. The results you found with ThreatFire match the results from one of the strains I had (Sohanad.T).

MD5 -

Win32.Worm.IM.Sohanat.B = 9164574425915be7f47dd17cab810a5d
Win32.Worm.IM.Sohanad.B = 6488c49886e1546de04e823b6f64fba5
Win32.Worm.Sohanad.T = 8879f9425df0be833559107616f00219

Safe'n'Sec Pro (latest) -

Win32.Worm.IM.Sohanat.B = blocked
Win32.Worm.IM.Sohanad.B = blocked
Win32.Worm.Sohanad.T = allowed

Sana Security Primary Response (latest) -

Win32.Worm.IM.Sohanat.B = blocked
Win32.Worm.IM.Sohanad.B = blocked
Win32.Worm.Sohanad.T = blocked

ProSecurity ProSecurity v1.40 Public Beta 2 -

Win32.Worm.IM.Sohanat.B = allowed
Win32.Worm.IM.Sohanad.B = allowed
Win32.Worm.Sohanad.T = allowed

DriveSentry V3 (beta) -

Win32.Worm.IM.Sohanat.B = detected / blocked
Win32.Worm.IM.Sohanad.B = detected / blocked
Win32.Worm.Sohanad.T = detected

*detected = malware warning as soon as file copied to disk.

PrevX V2 - ???

Win32.Worm.IM.Sohanat.B = ?
Win32.Worm.IM.Sohanad.B = ?
Win32.Worm.Sohanad.T = ?

* Couldn't evaluate as an error message displayed "license out of date".

PC Tools Threatfire 3.0.4.0 (Beta 2) -

Win32.Worm.IM.Sohanat.B = blocked
Win32.Worm.IM.Sohanad.B = blocked
Win32.Worm.Sohanad.T = allowed

There may be more variations, but I thought 3 was enough to get started :)

~interact

sach1000rt
September 4th, 2007, 05:20 AM
I sent the sample yesterday and their reply was very quick (within a minute).
Their reply is in the attached images, but how will it be included in ThreatFire, as it's not signature-based?

PSDeveloper
September 4th, 2007, 05:59 AM
{QUOTE->

ProSecurity ProSecurity v1.40 Public Beta 2 -

Win32.Worm.IM.Sohanat.B = allowed
Win32.Worm.IM.Sohanad.B = allowed
Win32.Worm.Sohanad.T = allowed

<-QUOTE}
Thank you very much for your testing!
If possible, could you please send those worms to support AT proactive-hips.com?
What type of warning did you get while testing it with other HIPS software?
Thanks!

Kees1958
September 4th, 2007, 12:44 PM
{QUOTE-> sach1000rt,

I think I've found 3 variations of the virus you found. I tested it against a number of different types of HIPS solutions as per Rasheed187's comment. The results you found with ThreatFire match the results from one of the strains I had (Sohanad.T).

MD5 -

Win32.Worm.IM.Sohanat.B = 9164574425915be7f47dd17cab810a5d
Win32.Worm.IM.Sohanad.B = 6488c49886e1546de04e823b6f64fba5
Win32.Worm.Sohanad.T = 8879f9425df0be833559107616f00219

Safe'n'Sec Pro (latest) -

Win32.Worm.IM.Sohanat.B = blocked
Win32.Worm.IM.Sohanad.B = blocked
Win32.Worm.Sohanad.T = allowed

Sana Security Primary Response (latest) -

Win32.Worm.IM.Sohanat.B = blocked
Win32.Worm.IM.Sohanad.B = blocked
Win32.Worm.Sohanad.T = blocked

ProSecurity ProSecurity v1.40 Public Beta 2 -

Win32.Worm.IM.Sohanat.B = allowed
Win32.Worm.IM.Sohanad.B = allowed
Win32.Worm.Sohanad.T = allowed

DriveSentry V3 (beta) -

Win32.Worm.IM.Sohanat.B = detected / blocked
Win32.Worm.IM.Sohanad.B = detected / blocked
Win32.Worm.Sohanad.T = detected

*detected = malware warning as soon as file copied to disk.

PrevX V2 - ???

Win32.Worm.IM.Sohanat.B = ?
Win32.Worm.IM.Sohanad.B = ?
Win32.Worm.Sohanad.T = ?

* Couldn't evaluate as an error message displayed "license out of date".

PC Tools Threatfire 3.0.4.0 (Beta 2) -

Win32.Worm.IM.Sohanat.B = blocked
Win32.Worm.IM.Sohanad.B = blocked
Win32.Worm.Sohanad.T = allowed

There may be more variations, but I thought 3 was enough to get started :)

~interact <-QUOTE}

I can see the pattern; add the custom rules for ThreatFire mentioned in this forum and you will get a prompt.

Trespasser
September 4th, 2007, 01:30 PM
{QUOTE-> I can see the pattern; add the custom rules for ThreatFire mentioned in this forum and you will get a prompt. <-QUOTE}

The one concerning *.exe, etc section?

zopzop
September 4th, 2007, 01:31 PM
{QUOTE-> sach1000rt,

I think I've found 3 variations of the virus you found. I tested it against a number of different types of HIPS solutions as per Rasheed187's comment. The results you found with ThreatFire match the results from one of the strains I had (Sohanad.T). <-QUOTE}

Wow, those are some worrying results there, interact :)

Do you still have samples of that virus? If so, I wonder how it would fare against sandboxes like Sandboxie or GeSWall.

Rasheed187
September 4th, 2007, 02:11 PM
@interact, can you perhaps send me the malware by email? And when you say "allowed", do you mean that the HIPS didn't warn you about any suspicious behavior after executing the file? I think it's a bit strange that PS performs so badly; it's hard to believe. ::)

interact
September 4th, 2007, 06:09 PM
Guys - I've uploaded the three viruses (zipped) to SpeedyShare. What is the policy for posting the URL on this forum?

~interact

ronjor
September 4th, 2007, 06:13 PM
{QUOTE-> Furthermore, you agree not to post any links to warez sites or sites from which malware (viruses, worms, trojans, backdoors etc.) can be downloaded. <-QUOTE}
http://www.wilderssecurity.com/TOS-Privacy.html

interact
September 4th, 2007, 07:56 PM
Ron,

Thank you for the response. It would be really beneficial if we could have an area to share malware samples. I think most of the vendors could quickly plug holes in their products if you allowed the group to examine the new techniques that are coming out. This is not a criticism, just a recommendation.

~interact

Rasheed187
September 6th, 2007, 09:19 AM
OK, I did some quick testing, and both SSM Pro and Neoava warned me about suspicious behavior triggered by Win32.Worm.IM.Sohanat.B and Win32.Worm.IM.Sohanad.B, but I didn't get any warning about Win32.Worm.Sohanad.T, so what is this worm trying to do exactly? I kept it running, and it did seem to use the CPU, but I got no warnings. The other two tried to modify some registry settings, add a startup entry and create a Windows Explorer plugin.

Rasheed187
September 10th, 2007, 01:08 PM
OK, so I used the PC Tools ThreatExpert system, and it generated a report about Win32.Worm.Sohanad.T. The problem is that it's pretty useless; I still don't know what it tries to do. I also don't know why the HIPS stay quiet. Did anyone investigate it? Here's the report:

http://www.speedyshare.com/168452152.html

ylssky
September 12th, 2007, 02:36 AM
{QUOTE-> Thank you very much for your testing!
If possible, could you please send those worms to support AT proactive-hips.com?
What type of warning did you get while testing it with other HIPS software?
Thanks! <-QUOTE}
Does ProSecurity defend against the worms proactively?
What is the difference from other HIPS?
For example: SSM!

Kees1958
September 12th, 2007, 09:12 AM
{QUOTE-> The one concerning *.exe, etc section? <-QUOTE}

Sorry for the late reply. Yes.

PSDeveloper
September 12th, 2007, 10:12 AM
{QUOTE-> Does ProSecurity defend against the worms proactively?
What is the difference from other HIPS?
For example: SSM! <-QUOTE}
I'm sorry, I haven't got these worms until now...

Cyberhawk Support
October 4th, 2007, 04:08 PM
{QUOTE-> I got a virus yesterday on a flash drive, so I just copied it to my hard disk to test it against ThreatFire. I have tested ThreatFire with many malware samples and ThreatFire detected all of them so far. But yesterday it was a surprise: ThreatFire didn't detect anything, not a single malicious behavior.
...
It disabled Task Manager, Folder Options, regedit.exe and the firewall.
Does anyone know how to submit it to the ThreatFire team? <-QUOTE}


Sorry about the delayed response. Thanks for submitting the sample.

As far as we've seen in the labs, ThreatFire detects not one malicious behavior from the sample (md5 681b9f300a41b68347052c36f2708ee5) you provided, but, if you clicked "Allow" every time you saw a warning, you would see 11 dialog warnings. In other words, ThreatFire prevents all of the Sohanad family effectively.
If the user quarantines the sample based on the first malicious behavior that ThreatFire detects (on a "VERY HIGH" warning), the sample would perform no malicious behavior on the system whatsoever.

I am not sure why you did not see the same results. Did you have the product suspended, perhaps?

Thanks much,
Kurt

EASTER
October 5th, 2007, 12:25 AM
@Cyberhawk Support

Thank you for such a really good Host Intrusion Protector and 0-day watcher.

But please try to ask the team to investigate the bootup delays. I too am noticing a marked delay with ThreatFire installed. My first assumption is that it's the driver stack placement order, or the drivers themselves that load on startup, which is making for this rather frustrating occurrence.

Still, the program is as sweet as ever in its monitoring abilities. Keep up the good work; I know coding a perfect medium takes great effort, but you have a really useful product here to perfect.

EASTER