Poison rat

hilo m8
Nod32
maybe the worst updates.
You know that PI 2. has been released a few days ago-
30 days exactly- and it is still undetected to NOD32.
why wtf alot of pips trust on you pleas explanation

regards
starforce

 

To those who cannot see that a sticky post exists:
https://www.wilderssecurity.com/showthread.php?t=178177

Please , learn how to write in English . From your post I can't understand a word ... and we are not "pips" whatever it means , sorry!

 

Please try to explain much better Your question!
I am also interested in how would You pronounce what You wrote in Your first post?

 

Please allow me to translate. Some sort of malware (I'm guessing a trojan) wqs detected by the original poster 30 days ago and it is apparently still not detected by NOD. Therefore NOD's updates are the worst and NOD is letting all it's users down. Oh, and he wants an explanation for this apparent oversite.

 

Very kind of you ...

 

Yeah, they are always slow (I send a lot of samples to different AVs). Hopefully this thread will speed them up. I tested some poison-servers on virustotal, almost all big AVs detect it except NOD32, Symantec and McAfee.

 

And I sent this to them the same day it was released and since most AV:s has added detection but not NOD32 they cannot be trusted by me.

 

Is he talking about poison ivy ~Link removed~ - (not-a-virus:RemoteAdmin.Win32.Poison Ivy.20) (Backdoor.Win32.PoisonIvy.j for Server)

Thanks,

Chris

 

+sorry for my english big love frome israel i was at work so i cenot reply to the posts end rat is Backdoor.Win32.PoisonIvy lol it undetected to nod32?
why so? run time end scan time
p.s
sory for the pips

 

There's a signature for this sample

Code:

Win32/RemoteAdmin.PoisonIvy.230 (3)

in the newest update.

 

not the server the server is undetected so far 31 one days
run timr scan time
norton the worst av cen detected end nood notttt why?

 

NOD32v2 2359 06.27.2007 Win32/RemoteAdmin.PoisonIvy.230

File size: 2105798 bytes
MD5: fd287794107630fa3116800e617466a9
SHA1: 19862253caacadd621aaa74b78b334c01f4f346c

 

the clint is detected not the server only the rat not the server ?

 

Just did a scan. The server is now detected as Win32/Poison.K. Better late than never.

 

what version of sig you have?
i have sig ver no 2359 2706.2007
the server not cetected

 

is this thread about the poison/ratt tour going down this summer?

 

lol ha ha

 

Sorry to resurrect this thread but it is kind of important (to me at least).

I'm an official NOD32 reseller, although not sold much lately as I have nearly wound up my business. I've been proudly shouting the virtues of NOD32 for about 4 years now and I've been very pleased with how it's been received, it's detection rate and it's very low footprint.

However, 2 weeks ago I had cause to question my loyalties.
I noticed on a Friday night, whilst doing a little housekeeping, that I had 2 instances of Firefox running in processes.

Shut Firefox that was using about 35mb and then then tried to kill the FF using 3502kb in task manager.

It restarted within 20 seconds.

Spent about 10 mins trying to kill it. Then spent another hour or so trying to find out what was happening.

Finally found the answer on Mozilla forums - it was a Poison Ivy (PI) infection.

Now then, starforce's post is actually almost identical to a post on the support forum for PI (yes they have support forums, open to anyone) bragging that the latest version of PI went undetected by NOD32.

The server element can be encrypted and hidden using rootkits, it sat on 2 of my systems and the keylogger data was frightening.

If you want to read up then go here:

hxxp://poisonivy-rat.com/

and the forums can be found here:

hxxp://forums.chasenet.org/

obviously change the xx's for tt's

PI is sold as a Remote Administration Tool (rat), for sys admins and the like. However, it's primary use seems to be to use it for unlawful purposes - the forum seems to support this.

This is the first time I have ever had an infection on any of my systems, and to be hit twice is hard to swallow.

I know how it got on my systems (teach me to help a friend!) so all I'd say is be very careful about your faith in your AV - mine is very much shaken and it will take a while for Eset to convince me they should be the prime choice for my customers.

Regards

 

There does seem to be a number of threads around regarding missed viruses... I think NOD needs to catch another big zero-day virus via heuristics to restore everybody's faith. It has done it before, and im sure it can do it again

I, too sometimes feel that NOD could do better, but then again - no AV will catch everything, and I have never had a big problem with a virus before.

Ill just sit and pray that something comes up that makes me glad im an Eset customer once again.

 

Eset keeps improving the heuristics. It all boils down to the sample set you use for comparing AVs, I could give you tons of examples where you would be protected with NOD32 only so please stop this bashing that NOD32 is getting worse in detection.

 

By the way, I could not download any PR from hxxp://poisonivy-rat.com. Each file available on that website was blocked by NOD32.

 

I was not "bashing", as you put it. the fact I still use NOD on my machine is testament enough to that. My post was merely commenting on the fact that the hundreds of other posts bashing NODs apparent 'lack of detections' can be demoralising for other customers - and I was suggesting that NOD may block another large threat pro-actively in the future which would make everyone swallow their words if they dared bash NODs detection rate.

Nevertheless I apologise if it seemed like I was bashing

 

Id like to see screenshots of those samples that only nod detects uploaded on jotti,etc. Put your mouth to the test please.

 

No, we will not have anyone goading ESET Staff with such silliness. As already pointed out multiple times, every single antivirus (inclusive of NOD32) will miss samples at some point in time; 100% detection is not plausible with current technology.

Blackspear.