NOD32 AMON and IMON not detecting Dropper.pakes

Hi,

Going to this http://www.eset.com/support/faq1.php?id=1066 will give you info on how to test if AMON or IMON is working. Im glad it works and the protectionis comforting. Going to a site known for trojans disguised as keygens http://www.seriall.com/?s=dropper.pakes , click on the file. Ideally, NOD32 (AMON or IMON) should block the download as its a trojan. But, it allows it to be downloaded on your pc. If you run the exe file, NOD32 still allows it.

Is this a bug or is it just that NOD32 doenst recognize this? After downloading it and scanning the file, NOD32 doesnt detect its a trojan. Using ewido, it declares it as dropper.pakes and cleans it.

Let me know if you get the same result with NOD32.

 

Please be cautious when posting links to sites such as that. We ask that you make certain links un-clickable so as not to possibly infect others Please.

contents of 35.js script

contents of 35.html:

Thanks,
Bubba

 

Sorry about that.


So why isnt it being detected by NOD32?

 

Generally NOD32 has excellent detection rate for all kind of threats . NOD32 is more that perfect when dealing with unknown malware .
ESET does adds malware on priority bases (more here ) and I think they give droppers lower priotity than other malware because all dropped files later are detected either by signatures or by Threat sense (R) (Advanced Heuristics)

Moreover , keygens are not important at all because only user who is or intends to use illegal software is downloading/using keygens

I would recommend you to check your NOD32 settings and later , please write an email to ESET's Tech Support support@eset.us
Provide them with details about what you have tested and also with a link to this thread


Good luck !

 

Hi,

Thanks for the reply. Im just posting a vulnerability I found with IMON and AMON. I will be following your advice, thanks for the links.


Mark

 

You are welcome !

 

I downloaded the file in question. It's apparently a new variant of the trojan dropper Pakes.
I'll try to see if dropped malware is detected by NOD32. If it's the case, then add detection to the dropper itself isn't so important.
PS: I sent malware to Eset labs.

 

Boy I am glad that not everyone thinks like that.
Since, now I will take this file and send it as an attchment to 5000000 people and call it, mywetsweet18yearoldbody.exe and see how many people will execute this with intent to use illegal software?

All malware should be treated with equal weight or else what's the point of haveing an anti-malware system. How certain are you that this given malware will be limited to keygen only sites?

 

^ Agreed.

 

detecting keygens is not important but if it contains any real malware (like a trojan) then that should be detected.

 

Agreed too. Malware need to be detected even if it's only published on a illegal site.

 

I also agree. I notice that eset don't always add Trojan-downloaders that I submit, either through quarantine or samples(at)eset.com, probably because the file that the trojan downloads is already detected. But I'd rather see everything detected because the trojan-downloader can still spread if it is not detected, and it is still sitting dormant on a PC.

 

Thanks for those who particapted on this thread. I hope ESET takes action on this new variant.

 

I've just dig a little into this malware and after running it I found it drops a .dll in Windows/system32 and it creates 2 .tmp files in Docs and Settings.

Here is the scanning result from Avira which found the Trojan.PCK.Klone.G
NOD says nothing about them.

 

Please submit the files for analysis and they will be added according to priority - you know the procedure (mostly dll's are nothing without something to operate them)

Cheers

 

See post 7, samples have already been sent.

Cheers
Suggers

 

This thread is 4 days here.... I think ESET knows about it already. I"m sending them right now... but according to their priorities it will be added in about 2 weeks perhaps.

And there are 2 .bat files there except for those .tmp and .dll file.

EDIT:I"ve seen post 7 also now. Thanks Suggers.

 

No one can be absolutely certain that any samples they have are exactly the same as what another has already sent.

If you have something that isn't detected that you think should be then it's always better to send it for analysis anyway with as much relevant information as possible including a link to any thread where it is discussed. That way even if it is the same it gives ESET a better idea of how prevalent a threat may be and helps them to better prioritise.

Even using 'Submit for analysis' from within quarantine must at least register a count even if ESET already have a sample exactly the same already.

Cheers

 

I've sent it. Let's see what happens....
EDIT: They have been added. See here...

 

and the .dll being dropped.

 

This is great news !

 

I dont see the .dll warning. Imon though blocks the site all together. I just adjusted compatibility to maximum efficiency.

 

Check your threat log for AMON entries with the intrusion, you may have it setup to "clean automatically". You can check this by going to AMON > Setup > Actions and determining where the tick is placed under "If an infiltration is detected".

 

I ran this file into my sandbox and it dropped the .dll. You won't see it because NOD32 already blocks the .exe generating the .dll.

 

I hope in the future Eset will just act on quarantine files sent to them rather than having to resort to getting help from the forums.