Discussion in 'NOD32 version 2 Forum' started by tempnexus, Oct 6, 2006.
Yep, NOD32 has a very good generic/heuristics detection of these samples. At least from what I can see in my collection.
EDIT: It detected "today's sample" as: Win32/Gromoz.H trojan
What samples? Certainly not the ".com" infection starters. They are being constantly ahead of any AV; the best detection of these is (somewhat surprisingly) Symantec's these days, but they're not so great either. Most of AVs are being constantly ridiculed by these trojans just like they are by the Zlob trojans.
Well, I may not have a too big collection - about 20 different unique www.(something).com samples. All of them (except 1) are detected by NOD32 as "Win32/Agent.XXX trojan" or "Win32/Gromoz.X trojan" or "probably unknown NewHeur_PE virus" or "a variant of Win32/Agent.XXX trojan". If I am not mistaken the last two count as heuristic/generic detection?
I haven't checked every day, but the times I've tried downloading samples, NOD32 have either detected them or later added detection.
i emailed support asking them to look at the thread started by TNT (here: http://www.wilderssecurity.com/showthread.php?t=136452) and got a reply back that detection was being added for the existing threats (this was a couple of weeks ago) and that future threats should get variant detection. I believe they were also looking at adding the danger sites to the IMON block list.
I don't imagine that all (past/present/future) gromozon threats will be detected by NOD32, but I think they are on the case with them.
Well, the gromozon pushers are back putting out new versions every day (if not more), so it might be that those are detected, but every new one I see is being missed by most (if not all) the AVs on VirusTotal.
PS: note that I'm talking about the "www.something.com" trojans/infection starters, I haven't tested the malware these are downloading/executing in a while.
As far as I've seen and tested, NOD32 detects many www....com samples, and out of those missed, after executing them it detects the files being dropped or downloaded.
Yeap tried of the new ones myself and Heuritics goes down the drain for them. None of the 29, 30, 31 and 32 are detected via heuritics, the system just gets hosed. (Yeap everything is set to max including the IMON. So far only AntiVir seems to be getting close but still nothing amazing.
I guess Advanced Heuritics are down for that type of infection (Considering as far as I know 32 "special" samples and no AH detection none of them).
I've got some samples detected by the development version of AH. Feel free to submit the undetected samples to samples @ eset.com
Did that allready.
The development version of AH? Is that the beta?
It's NOD32's Advanced Heuristics; they probably test it in their labs before they push out an update to the public.
Oh I know what AH means. I was just wondering what he meant by development version of AH. I was wondering if there is a new version of AH on the horizon. Since this one is beginning to fail misserebly when placed against the newest level of threat (the ex CWS authors...aka Gromozon).
While this maybe ot, could someone please explain where you get these type of threats and how they work. I don't mean url or specific sites but in general. While NOD and other AV/AT are hopefully catching up with this type of threat, is there any "behavioural" protection possible I can do as the first line of defence, ie avoiding certain types of sites, functions on sites or links?
Instead of taking a Nod support thread too far off topic....I suggest you take a look at our ongoing thread concerning this malware with an extensive discussion.
This thread---> Dangerous trojans on the loose
AH is not a "finalized" product that gets replaced with new versions of NOD32 the way I understood it. AH is a module that gets continually "tweaked"/updated to deal with threats; meaning there have been many updates to it (almost monthly) and there will probably be many more in the future, until they find a new/better technology. Before the tweak is pushed out in an update to the user, I assume that ESET labs must test it first (the "development" version or "alpha" version or whatever you might call it), to make sure it meets satisfactory levels of detection vs false positives. They can't therefore just test it against Gromozon samples only, but also against other samples to make sure the AH performs at least as good as their previous tweak, without more false positives. It may take hours or days or whatever before this "development" version reaches the user (in the form of an update).
If I am wrong, then somebody please correct me.
Good Evening folks,
I come from the far side of the wonderful world of grozmon removal and the changes it makes to a system.
In realtion to NOD32,I am uncertain of what exact com files are changed but grozmon has been seen removing various files,usually from Sys32 folder and replacing them with a 0 byte file.
If it doesnt replace the com file (dll) it will add a .bak extension to disable it.
In Nod itself,I believe it targets certain aspects of the Updater service.
I cant confirm this since I havent installed with a NOD product active.
I simply know because of 2 post I worked both of which had NOD32 and the grozmon rootkit.
After manual removal of the rooter both users complain of Updater failing.
The first user simply reinstalled NOD,the second is here somewhere posting a question about the issue.
I agreed to enter here with user to explain what was done during the cleaning process.
Separate names with a comma.