another test:)

Discussion in 'other anti-malware software' started by jmonge, Feb 3, 2009.

Thread Status:
Not open for further replies.
  1. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    ok I tested a rogue antispyware ;) look at this
    ~VT link removed per Policy,~
    link:"http://spyblaster.com/"
    what do you think?
    tried it with Asquare Antimalware passed
    SuperAntispyware pro fails
    threatfire beta fails
    drivesentry fails too
     
    Last edited by a moderator: Feb 3, 2009
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Oh not another test, lol. I've heard of this spyblaster before, but haven't seen it installed on anything lately.
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    man, they want you to buy it. Even the trial had just started and after 5 minutes :D a couple of pop-ups trying to get you to buy it :)
     
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543

    Lol, isn't that every trial though? Hell, half the "freeware-with a paid option" apps I own do that to me :)
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    you have a point there lol, but with this one the install just finishes and, before welcoming you, it starts giving you pop-ups to buy it :D
     
  6. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Twister doesn't catch this. Of course Comodo does. One can pass the installation in system32 as normal (he would put installation mode anyway).

    Once it's installed and you run the nice desktop shortcut it becomes obvious that it's malware. It tries to modify every legitimate Windows process it can think of and, mind you, after a point (modifying winlogon) I was clicking "no" and it kept trying for the next one. At the end, it even showed me an interface! It can deceive newbies, that's for sure.

    http://img8.imageshack.us/img8/787/62969932we3.png

    http://img5.imageshack.us/img5/9920/63839530ii0.png

    http://img4.imageshack.us/img4/9476/80638345si2.png

    http://img12.imageshack.us/img12/3152/82424684du6.png

    http://img11.imageshack.us/img11/4574/41889819xe0.png

    http://img10.imageshack.us/img10/6231/67947094hy0.png

    http://img5.imageshack.us/img5/2307/55546330qm0.png

    http://img4.imageshack.us/img4/9514/92430641im0.png

    http://img11.imageshack.us/img11/6616/14539810hc1.png

    http://img8.imageshack.us/img8/3540/10gn1.png

    http://img11.imageshack.us/img11/4336/11no2.png

    ^ Great gui! :D

    Have to reboot to exit from Shadow Defender now, because at the end I did install it outside of Sandboxie.
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    don't worry, I have a lot of &^%$#*&%^& stuff from LimeWire ready to test ;) I will find some time on Saturday evening after giving the family some time :)
     
  8. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    This seems to be very unknown as a rogue when, for example, searching for it on Google... I wonder how come? o_O I've seen it here at least a couple of times already.

    I've NIS09, TF (the new beta, which you mentioned) and Prevx Edge. None of them reacted an inch to SpyBlaster's setup file. A-Squared is the only one showing this detection clearly, but a bit down when searching with the term "spyblaster". SpywareBlaster comes first and then even SpyBlaster's own homepage.
     
  9. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Bah, that's what I hate about HIPS, if you don't know why programs would modify those areas, and if they need to, you're screwed. *scurries back on topic*...the interface looks crappy, lol. I'll keep an eye out for this thing on client computers.
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    And can someone test it with GeSWall?
     
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I submitted it to VirusTotal and 6 antimalwares flagged it as malware ;)
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    the one that really impressed me was a-squared Anti-Malware; it deletes all files and traces from this sucker :D
     
  13. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Well, I think the most "alerting" pop-up, even if someone *thinks* that he is running a legitimate antispyware, is when he arrives at the winlogon.exe pop-up. I mean, no security application has to touch winlogon to work properly... On the contrary, it is known to be a very effective way for a malware to get awful control over your Windows.

    I don't see why an application would modify smss.exe either, since that's the Windows session manager. But the "winlogon", by its name alone, should make someone suspicious...

    I mean, ok, the COM and startup folders can fool anyone. But from that point on, someone with basic knowledge of Windows processes must start wondering. After the 2 processes I mentioned, it becomes more and more obvious, with the peak coming at explorer.exe. Modifying explorer.exe is giving it power to wreak havoc. And if you add up ALL the alerts from the beginning, the pattern is obvious. It's trying to take full control of your PC, from startup, to running as a service, to controlling your internet and explorer.exe. It MUST ring a bell!

    If every security application, in order to work, had to modify everything from winlogon, lsass, smss, explorer.exe, Windows probably wouldn't boot or would crash every minute.
     
    Last edited: Feb 3, 2009
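The "add up ALL the alerts" reasoning from the post above, written out as a small scoring routine: it walks a HIPS alert stream in order, weights ordinary installer persistence (startup folder, COM, run key, service) low and any touch of winlogon/smss/lsass/explorer high, and reports where a user should have started answering "no". This is an added illustration, not code from any product named in the thread; the category names, weights and both alert streams are constructed assumptions.

```python
# Added illustration of the reasoning in the post above; not code from any
# product named in the thread. Category names and weights are assumptions.
# Assumed weights: startup-style persistence is routine for an installer,
# touching core Windows processes is not.
WEIGHTS = {
    "startup_folder": 1, "com_registration": 1, "run_key": 1,
    "service_install": 2, "network_outbound": 2,
    "explorer.exe": 4, "winlogon.exe": 5, "smss.exe": 5, "lsass.exe": 5,
}
CORE_PROCESSES = {"winlogon.exe", "smss.exe", "lsass.exe", "explorer.exe"}

def assess(alerts):
    """alerts: (process, action, target) tuples in the order the HIPS raised them.

    Returns (score, first_core_index, core_targets, verdict); first_core_index
    is where a user should have started answering "no" (None if never).
    """
    score, first_core, core_targets = 0, None, []
    for i, (_proc, _action, target) in enumerate(alerts):
        score += WEIGHTS.get(target, 1)
        if target in CORE_PROCESSES:
            if first_core is None:
                first_core = i
            if target not in core_targets:
                core_targets.append(target)
    if core_targets:
        verdict = "block"      # any single core-process hit is enough
    elif score >= 4:
        verdict = "review"     # broad persistence without core hits
    else:
        verdict = "allow"
    return score, first_core, core_targets, verdict

# Constructed alert stream modelled on the sequence described in the thread.
ROGUE_SETUP = [
    ("setup.exe", "create", "startup_folder"),
    ("setup.exe", "modify", "com_registration"),
    ("setup.exe", "create", "service_install"),
    ("setup.exe", "modify", "winlogon.exe"),
    ("setup.exe", "modify", "smss.exe"),
    ("setup.exe", "connect", "network_outbound"),
    ("setup.exe", "modify", "explorer.exe"),
]
# Constructed benign installer for contrast: a shortcut and a run key only.
BENIGN_SETUP = [
    ("app_setup.exe", "create", "startup_folder"),
    ("app_setup.exe", "modify", "run_key"),
]
```

Run `assess(ROGUE_SETUP)` and `assess(BENIGN_SETUP)` to see the two verdicts; the rogue stream is flagged at index 3, the winlogon.exe alert, exactly the point the post singles out.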
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    the trick here is that this one you can even delete manually, but you think you deleted all of it and it's not like that :D it left a type of keylogger sort of malware, according to a-squared ;)
     
  15. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Keylogger too? Well, I am happy I didn't discover that. I was running it in Shadow Defender, but for all I knew (since I had no idea of what its malicious purpose is), it could crash Windows or send outbound info if I kept on with the "allow". So from the winlogon and afterwards, I was blocking it.

    And after reboot, flushed from Shadow Defender. Anyway, it can sure fool many people. The installer looked quite "professional" too. :D (I mean, I've seen worse). And it did have a GUI, a version and a "last update date". LOL! For all someone could know, it was an antispyware! This shows the beauty of classical HIPS, though, doesn't it... Where most scanners fail, here comes the classical HIPS to save the day...
     
  16. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    A-Squared Free does not see this as a threat! What gives?

    TH
     
    Last edited: Feb 3, 2009
  17. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I will test it again tonight and tomorrow morning; look for me in a PM and I will give you the full results from a-squared Anti-Malware :thumb:
     
  18. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    do you have the latest version?
     
  19. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    agree 100%
     
  20. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Yes, just checked again, still undetected.

    TH
     
  21. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    a2 Anti-Malware is not just signature based (blacklist scanner) like a2 Free.. it has many, many more proactive modules.
    cheers
     
  22. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    the paid version catches it ;)
     
  23. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    What also impressed me is not that most scanners fail (they don't have the signature, they fail, that's the destiny of scanners...), but that Threatfire did too. And this while this little bugger is practically trying to put its hands on most critical Windows core processes. I didn't expect that from Threatfire... Twister's FDDS failed miserably, but it's not at Threatfire's level, so I can justify it more easily. Also, Twister's registry protector failed, since this one doesn't use the "traditional" run keys (probably can hook to winlogon) to start. So the Registry Protector was out of the game too.

    I don't know how they managed to fool scanners and behaviour blockers, but it sure shows an elaborate plan! The downside being that, by trying to control almost everything in Windows, it becomes a very clear target for classical HIPS.
     
  24. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    maybe the free version does not include the Ikarus antivirus engine, to be honest I don't know :D
     
  25. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    It does, but even Jotti does not see it. A-Squared found nothing.

    Virustotal a-squared 4.0.0.93 2009.02.03 - Nothing!

    TH
     