Norton Internet Security 2013 vs AdAware

Discussion in 'other anti-virus software' started by mattdocs12345, May 23, 2013.

Thread Status:
Not open for further replies.
  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Ok, I downloaded the bad guy also. HitmanPro missed it also.

    As far as VT goes, all the major players missed it also. It was interesting to see who did catch it. Vipre actually detected the adware installer. BTW - VT detection is up to 11/47.
     
  2. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    310
    Location:
    USA
    Which ones detected it?
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Emsisoft, Dr. Web, Eset Nod32, McAfee, F-Prot, Sophos, Clam, Vipre, Trend Housecalls - go figure to name most of them
     
  4. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    WSA detects it
     

    Attached: wsa.PNG (screenshot)
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I just noticed something I missed from Insight on the initial download. Actually, Insight did tell the OP what he needed to know. He just didn't know what to look for. Below is the URL Insight recorded; a redirect to a CDN to load their despicable download wrapper.

    "http://downloadcdn.betterinstaller.com/installers/b/9/VirtualRouterPlusSetup_downloader_by_VirtualRouterPlusSetup.exe"
     
  6. Anth-Unit

    Anth-Unit Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    108
    WSA detects it
     
    Last edited: May 24, 2013
  7. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    Not sure what you mean. Insight popped out green, green means good and go ahead.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Here is a link to Sophos that explains what betterinstaller.com really is: http://www.sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/Somoto%20BetterInstaller/detailed-analysis.aspx

    Here is a link for the site rep of where you downloaded from: http://www.webutation.net/go/review/downloadcdn.betterinstaller.com. It is rated in red (dangerous) with a numeric ranking of 40/100.

    Now for what the real problem is. Insight only analyses the primary download object and missed or ignored the download wrapper. The problem is download wrappers themselves are not bad but can hide adware and PUPS.

    As a prior poster pointed out, Webroot Secure Anywhere detected the download wrapper since it is designed to be aggressive against adware and PUPs. I would imagine that Adaware would have detected it also.

    Getting back to Insight, it gave the download of "good" not "trusted." Good does not mean trusted. Good means based on available info, the download appears to be OK. In other words, a risk is possible. My main criticism of Insight is as the OP pointed out, "Insight popped out green, green means good and go ahead." Insight should be modified to use a different color for "good" rated downloads so as to not visually confuse with "trusted" downloads.

    The important lesson learned here is that nothing downloaded from second party web sites can be trusted. If an aggressive HIPS is not installed then the download should be run in a sandbox the first time. Unfortunately, many apps won't properly install in the sandbox but hopefully the hidden adware will disclose itself.

    I personally believe the best approach is to always examine in detail the URL from which the download actually occurred. A quick web search on downloadcdn.betterinstaller.com would have yielded enough info to never install that download.
     
    Last edited: May 25, 2013
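    Added example, not code from the thread or from any vendor named in it: a small Python check that applies the advice above, comparing the URL a download was actually served from against the page the user started on. The origin URL and the second entry of the host list are constructed for the example; the betterinstaller CDN host and the "_downloader_by_" filename shape are taken from the URL quoted in the thread.

```python
import re
from urllib.parse import urlparse

# Constructed watch list for this example. Only the first entry is real
# (the CDN host quoted in the thread); the second is a placeholder.
WRAPPER_HOSTS = {
    "downloadcdn.betterinstaller.com",
    "wrapper-cdn.example",  # hypothetical placeholder
}

# Heuristic: the recorded URL ended in "<app>_downloader_by_<app>.exe",
# i.e. a stub downloader rather than the application's own installer.
STUB_DOWNLOADER = re.compile(r"_downloader_by_", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (naive; no public-suffix handling)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_download(origin_url: str, recorded_url: str) -> list:
    """Return a list of findings for the URL a download was served from.

    origin_url   - the vendor page the user clicked "download" on
    recorded_url - the final URL the security product logged for the file
    """
    origin_host = urlparse(origin_url).hostname or ""
    final = urlparse(recorded_url)
    final_host = final.hostname or ""
    findings = []
    # The file came from a different organisation than the vendor page.
    if registrable_domain(origin_host) != registrable_domain(final_host):
        findings.append("host-mismatch")
    # The serving host is a known download-wrapper CDN.
    if final_host.lower() in WRAPPER_HOSTS:
        findings.append("known-wrapper-host")
    # The filename looks like a wrapper stub, not the real installer.
    filename = final.path.rsplit("/", 1)[-1]
    if STUB_DOWNLOADER.search(filename):
        findings.append("stub-downloader-filename")
    return findings


if __name__ == "__main__":
    recorded = ("http://downloadcdn.betterinstaller.com/installers/b/9/"
                "VirtualRouterPlusSetup_downloader_by_VirtualRouterPlusSetup.exe")
    # Origin URL is constructed; any finding means: do not run, check the URL first.
    print(assess_download("http://vendor.example/download", recorded))
```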
  9. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    Interestingly Norton Safe web placed a green check mark on the site. This site should have been marked as red.
    My guess is that Symantec simply completely missed both the site and the file. And as you said there are a few design flaws with Good and not possibly trusted sources being marked as green. It would have been much easier if sources were just divided into Trusted/Green, Unknown/Yellow and Unsafe/Red.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Google, WOT, and most other web rep sites rate the original web site as safe.

    Again what we are talking about here is a very gray area. The original web site has a download hosted at CNet. Probably because it makes money from doing so. Personally I believe CNet should be blacklisted outright. That is not going to happen. The rating argument goes that a web site cannot be blamed for something a third party download site might do etc., etc.

    Here is an excellent article on download wrappers by Emsisoft; what they are and how to spot one: http://www.emsisoft.com/en/kb/articles/tec120224/.

    -EDIT- Just to illustrate how much of a gray area this is, MBAM a while back started using CNet to host their downloads. When I saw that, I specifically confronted them on the download wrapper issue. They responded in effect that they have CNet on a short leash. No installer crap or they will take their business elsewhere.
     
    Last edited: May 25, 2013
  11. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    Well it's one thing to have your installers wrapped with toolbars that can be uninstalled (bing, google, yahoo). Another one is having toolbars that cannot be uninstalled (deltasearch or whatever...) and that leave crap behind.
    I agree it's a little gray area but I feel like Symantec has failed me on this one. I had to re-image my HD. I am currently trying ESET antivirus...
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Sorry to hear that. You didn't mention the resident crapware, so I assumed you had taken care of it. I would have recommended that you try adwcleaner before doing a reimage.
     
  13. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Matt- Remember that the package threw off four different adware packages, 3 of them (including the one that changes the home page, search engine, and had the "your computer has registry errors" alert) had only 1,2 and 3 detections respectively and ESET wasn't included.

    The best protection, as I pointed out above, against the installation turned out to be Comodo Program Manager. It monitored the installation of all 4 and removed them. All that was left was the reset of the home page and search engine. Took about 1 minute.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I scanned this link: "http://downloadcdn.betterinstaller.com/installers/b/9/VirtualRouterPlusSetup_downloader_by_VirtualRouterPlusSetup.exe" at Virustotal and only 4/27 flagged it. And from the analysis, it appears the ones that detected it were flagging betterinstaller.com.

    I see you opened another thread and going the Eset Nod32 route. More power to you.
     
  15. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,808
    Location:
    U.S.A.
    itman is correct. The problem seems to be betterinstaller.com. Avoid at all costs!

    Re: Zulu URL Risk Analyzer.
     
  16. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    Yeah I got another AV that seems to be more dedicated towards fighting PUPs. Not sure what to do with NIS2013 license.... I got it really cheap but still...
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Thanks for the link to Zulu. I had forgotten about it. Stored in my IE9 toolbar right now.

    Actually, this is the way to check a download in my opinion rather than wasting resources running resident uninstalling software and the like. Just scan the actual download URL at Zulu since it interfaces with VT automatically.
     
  18. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,808
    Location:
    U.S.A.
    itman, you're welcome! Take care.
     
  19. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,273
    Location:
    Ontario, Canada
    The site link in the first post leads to a malware file and BrightCloud considers the site a Moderate Risk and also there is a small redirect at times which is Blocked by WSA's Web Threat Shield! And VT detects the file 11/47 of the scanners. Somoto BetterInstaller Adware.

    TH

    Attached: four screenshots (Capture27-05-2013-1.31.00 PM.jpg, Capture27-05-2013-1.14.50 PM.jpg, Capture27-05-2013-1.22.10 PM.jpg, Capture27-05-2013-1.25.50 PM.jpg)
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    There is a simple way to block the redirect this download is doing in IE9. I also believe this setting exists in IE8. Disable META Refresh in the Miscellaneous section of Internet settings in the Security tab. See attached screen shot. Also ensure SSL 2.0, SSL 3.0, and TLS 1.0 are enabled in the Security section in the Advanced tab.
     
  21. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    For those that don't have the time to run the original file, perhaps it's helpful to explain what actually happens when the VirtualRouterPlus package is run.

    1). When VirtualRouterPlus.exe is run you would see an initial install screen with a few options: by default, Typical Install is checked- this will install all of the adware (more later). Under this is Custom Install. This will prevent some of the adware from being installed. And right underneath the Custom Install button is a checkbox (checked by default) which allows the installation of the Sweetpacks toolbar, Sweetpacks Search change, and 3rd party popup ads. By unchecking this box Sweetpacks will not be installed.

    So if one actually read the screen, checked Custom Install and unchecked Sweetpacks and continued, a second screen comes up giving one the choice of installing Fast Free Converter. This program is not malicious but will lead to popup ads if you use the program. Bypassing this one will lead to the main program setup. So if one unchecked the appropriate boxes the only thing that would happen is that two files would show up in a Temp Directory- Pricepeep and FastFreeConverter. In essence the system is clean. No browser changes occurred.

    2). By not reading anything and letting the Typical Install happen, a bunch of stuff gets installed: Sweetpacks, DealPly, FastFree. Only one can be termed malicious which is Pricepeeps (VT 18/47- Symantec/Norton does not pick this up, but again neither does Avast, AVG, ESET, or Panda). A HMP scan picks up 32 items.

    However one other thing gets dropped on your computer- BundledUninstaller. This is an uninstall routine for all of the above. When this is run via the excellent Comodo Program Manager, on reboot EVERYTHING (including temp files) will be uninstalled and browser settings will be re-established. A HMP and MB scan shows a clean and happy computer.

    Conclusion- In this case an unknown program had extraneous programs bundled with it. But again so does CCleaner, Java, and Adobe Flash. Really nothing new here. Many times you don't need Link Scanners, specialty Adware preventers, etc. You just need the MOST POWERFUL MALWARE PREVENTER EVER!!!- common sense and the ability to read.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Cruelsister in general I completely agree with your analysis; especially that people have to be "fully alert and awake" when installing third party software.

    However in this particular instance I disagree. Zulu rated this source "http://downloadcdn.betterinstaller.com/installers/b/9/VirtualRouterPlusSetup_downloader_by_VirtualRouterPlusSetup.exe" and resultant download 100/100 malicious. No reasonable person should risk their PC security with a rating like that.
     
  23. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    I am sorry but I disagree.
    This is a 3rd party software that could not be uninstalled via the default Windows programs and settings manager.... This program left my FF search engine and other settings changed. This is the very definition of malicious software.

    And your referral here to common sense and use of all caps is a bit cynical...
     
  24. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Ad-aware needs dedicated software. AV's can get caught out. This is obviously a particularly sneaky little nasty one. I'd expect something like Emsisoft, Comodo or SAS to stop it. But there's no silver bullet, otherwise we'd all be using it. I used a Defensewall/NOD32 v4 combo and still got my PC owned a couple of years ago. I had to reformat mine. If you take the risk visiting certain websites or you take the risk downloading files from anywhere but a reliable source then you shouldn't expect your security software to save your bacon every time. You'll probably be ok with 99 out of 100 times, but you only need one to get past...

    Paul
     
  25. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    SAS real time failed to work as well. But you are right to an extent; I shouldn't ask AVs to protect me, but Internet Securities should.
     