Zero Day-How's your AV

Discussion in 'other anti-virus software' started by Franklin, Apr 14, 2007.

Thread Status:
Not open for further replies.
  1. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Yes, the results differ between virus.org and Jotti (have not tried VT yet)

    At Jotti's, I saw the following differences:

    F-Secure and KAV detect this file as Email-Worm.Win32.Zhelatin.ct (no detection at virus.org)
    F-Prot detects this file as W32/Trojan.AEJW ("unknown" at virus.org)
    AntiVir detects it as TR/Small.DBY.BW (at virus.org it showed "NULL")

    VBA32 and Avast still do not detect this file. This file was received during the 13th of April and I am sure that at least NOD32, AVG, AVIRA, BitDefender and KAV were detecting it at that time. :)
     
  2. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    The article IS useless and serves as nothing but an alarmist hoax. I have a copy of this malware as well (got it yesterday), and it seems like it's pretty much well-detected already.
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    You must be a credulous optimist, if you believe that scanners clean your computer and that's good for you, but not for your computer.
     
  4. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Yes, it is an alarmist bs. But the fact that later on the signature was added doesn't matter. It was either detected or not at the time in question. Here is another problem with this "article": VirusTotal. Does it represent the detection of the AV's in full?

    Putting this all away for good: Ubuntu.
     
  5. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    What is a Zero Day Attack.
    http://www.dba-oracle.com/t_zero_day_attack_definition.htm
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That's why I need stronger methods to get rid of these zero-attacks, instead of keeping them on my computer until some scanner finally removes it from my hard disk, which is already too late.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Much has already been said in other threads about preventing unauthorized executables (White List) which is a sure way for zero-day protection.

    I want to mention another comment in the sans.org article I referenced:

    My ISP ( local in town) uses a powerful anti-spam/anti-virus program as part of his MDaemon.PRO mail program. All executable attachments are stripped. I've complained, of course (since I no longer get stuff to test) but to no avail.

    It is also possible for such a program to be set up to remove zipped executables. Yesterday I received this notice in Yahoo web mail account:

    _______________________________________________________
    Kerio WinRoute Firewall email scanner was unable to check the following file
    (i.e.encrypted zip archive):
    Name:hotfix-16855.zip
    Content type:application/octet-stream
    The file was removed.
    _______________________________________________________

    Now, no one here would open such a file if received, correct :)

    But evidently thousands do, by accounts of the number of infections worldwide. Social engineering is still the #1 reason for virus infections. Psychologists still haven't figured out why, so there is no need to speculate.

    But we all can contact our ISP and urge them to implement such protection. It's available, however, not inexpensive. At sans.org recently, this was brought up. I asked, and evidently most ISPs choose not to do this, for various reasons.

    Start a protest movement and write-in campaign!

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
    Last edited: Apr 14, 2007
  8. iphigenie

    iphigenie Registered Member

    Joined:
    May 31, 2004
    Posts:
    6
    seems obvious to me, knowing people.

    In this forum we might all be very careful when it comes to the security of our PCs and networks. But I bet many of us still smoke, drink too much, eat junk food, do drugs, take too many pills, use a phone while driving, drive too fast, sleep too little, stare at a screen too long... (the list goes on) even though we ought to know better on all of these!

    Other people open silly attachments that say "so and so, NAKED" or click on silly "secure your pc now, click here" even though they ought to know better. And many people can fall for the mail sent from security@mycompanynamehere.com because they don't dare ignore something like this...
     
  9. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Testing viruses in password protected Zips is utter bullshit. Nothing, really nothing can happen as long as they are password protected. And *every* RTM will catch it upon extraction, assuming that the malware is added via signature or detected via heuristics. It's absolutely pointless to test who detects malware and who doesn't in a pwd-zipped file. What's next? Testing who can find malware in PGP-Encrypted files?! Some Testers are really stupid. It will help Gateways that such files will not be delivered if detected in a pwd-zip-file, but you cannot judge based on this if the AV is able to detect the malware itself.
     
  10. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    I totally agree with you here. But I am noticing that certain products (Avira, for example) have added detection for password-protected archives containing such so-called "Storm Worms". I'm not sure if you are the correct person to ask it to, but I was wondering why Avira (and some others) took the effort to detect these password protected archives when the files will be detected anyway upon extraction? It makes no sense. :doubt:

    I still believe that this article was useless. I do not know what this "tester" had in mind while performing his "test".
     
  11. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    As I said already, it makes MAYBE sense for an email gateway to detect that. But the point is that uploading pwd-protected zips to Jotti or VirusTotal says NOTHING about whether a scanner REALLY detects the malware. Then they should have uploaded the extracted sample.
     
  12. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    And to avoid any misunderstandings: The jumping point is that they claim that others DON'T DETECT IT AT ALL. And exactly this is wrong! I can assure that almost everyone detected the sample AS IT SHOULD BE DETECTED, since I checked that myself when I got it. It is absolutely *NO* problem to detect this file also in Zip-Protected files! Every password protected file STILL HAS THE FILENAME in the Header. You grab the filename, the length and you have already a few flags you can use. For example if that matches, filesize and extension (.exe or even more suspicious stuff like .PIF or .SCR) then you can for instance try to bruteforce the password. You have to filter here, otherwise you would brute force every pwd zipped file, even if it only contains a word document. The only question is if it is really needed - and that depends on the vendor; when he's selling huge amounts of gateway solutions then it might make sense to add that in this way as well.
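    As an added illustration of the header-based filter described in the post above (this is example code written for this page, not anything from the thread or from any vendor's gateway): the 30-byte local file header of a ZIP entry is never encrypted, so a mail gateway can read the entry name, the encryption flag and both sizes without a password. The block below builds a small constructed archive with one scrambled "encrypted" executable, one encrypted Word document and one plain text file, walks the local headers, and marks only the encrypted entry with an executable extension and a plausible size for holding. The extension list, the size cap, the entry names and the XOR scrambling that stands in for ZipCrypto ciphertext are all assumptions made for the fixture.

```python
import os
import struct
import zlib

LOCAL_HEADER_SIG = 0x04034B50
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"  # 30-byte fixed part of a local file header
FLAG_ENCRYPTED = 0x0001            # general-purpose bit 0: entry is encrypted
FLAG_DATA_DESCRIPTOR = 0x0008      # bit 3: sizes live in a trailing descriptor

# Triage policy (assumed values, not from the thread): the executable-type
# extensions the post mentions plus a size cap, so an encrypted Word document
# or a large installer is not held on name alone.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
MAX_HELD_SIZE = 2 * 1024 * 1024


def build_local_entry(name, payload, encrypted):
    """Construct one local-file-header + data record (method 0 = stored).

    Test fixture only. For encrypted=True the flag bit is set and the payload is
    replaced by a 12-byte prefix plus XOR-scrambled bytes, mimicking the shape
    of ZipCrypto output. The parser below never reads these data bytes."""
    if encrypted:
        data = bytes(12) + bytes(b ^ 0x5A for b in payload)
        flags = FLAG_ENCRYPTED
    else:
        data, flags = payload, 0
    name_b = name.encode("cp437")
    header = struct.pack(LOCAL_HEADER_FMT, LOCAL_HEADER_SIG, 20, flags, 0, 0, 0,
                         zlib.crc32(payload), len(data), len(payload),
                         len(name_b), 0)
    return header + name_b + data


def iter_local_headers(blob):
    """Walk local file headers in order, reading only cleartext metadata."""
    off = 0
    while off + 30 <= len(blob):
        (sig, _ver, flags, method, _t, _d, _crc,
         csize, usize, fnlen, exlen) = struct.unpack_from(LOCAL_HEADER_FMT, blob, off)
        if sig != LOCAL_HEADER_SIG:
            break  # reached the central directory or trailing data
        name = blob[off + 30:off + 30 + fnlen].decode("cp437", "replace")
        yield {"name": name,
               "encrypted": bool(flags & FLAG_ENCRYPTED),
               "method": method,
               "compressed_size": csize,
               "uncompressed_size": usize}
        if flags & FLAG_DATA_DESCRIPTOR:
            # csize is 0 here and the real size follows the data; a production
            # scanner would switch to the central directory instead of guessing.
            break
        off += 30 + fnlen + exlen + csize


def triage_archive(blob):
    """Return (entry name, verdict) per entry.

    'hold' = encrypted, executable-type extension, size under the cap: the
    combination the post suggests singling out for closer inspection.
    'pass' = everything else, including encrypted documents."""
    results = []
    for entry in iter_local_headers(blob):
        ext = os.path.splitext(entry["name"])[1].lower()
        suspicious = (entry["encrypted"]
                      and ext in EXECUTABLE_EXTENSIONS
                      and entry["uncompressed_size"] <= MAX_HELD_SIZE)
        results.append((entry["name"], "hold" if suspicious else "pass"))
    return results


# Constructed fixture: names and contents are made up for this example.
SAMPLE_ARCHIVE = (
    build_local_entry("update.exe", b"MZ" + bytes(4094), encrypted=True)
    + build_local_entry("report.doc", b"\xd0\xcf\x11\xe0" + bytes(60), encrypted=True)
    + build_local_entry("notes.txt", b"plain text, nothing to see\n", encrypted=False)
)

if __name__ == "__main__":
    for name, verdict in triage_archive(SAMPLE_ARCHIVE):
        print(f"{name:12s} {verdict}")
```

    The decision uses only the filename and the uncompressed size stored in the header, which is exactly the information that survives encryption; the document entry passes even though it is encrypted, which is the filtering step the post says is needed so that not every password-protected archive is treated the same way.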
     
  13. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,660
    Hi Mike,

    May I ask why you think that MAYBE it makes sense for a email-gateway?

    Submitting files (in password protected zipfiles in an attachment) to the AV/AT/AS vendors would no longer be possible...
     
  14. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Read my previous post above that explains how you can do it :) (Or at least how you can start to build something that doesn't flag *every* exe in a pwd-zip file)
     
  15. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    I have to agree with Inspector Clouseau. What would it mean if an antivirus detects password-protected archives? And so? Wow, it detected a password protected archive.....and now? What happens as long as I don't unpack it? Simply NOTHING!

    The danger is after it's unpacked, not while it's password packed
     
  16. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,660
    Sorry, I didn't see your post while I was posting....
     
  17. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    And hardly any will catch it "assuming" it's a zero day attack and no databases have been updated.;)

    How many AVs fully protected back in JAN2006 when those 200 odd zero day variants hit.

    May I remind you - SFA.
     
  18. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Jan, the point of view for a gateway is completely different from a local desktop system. Have you ever asked yourself why AV vendors add packed signatures EVEN WHEN THEY ARE ABLE TO UNPACK THAT SAMPLE IN QUESTION? I tell you why: Let's assume you get 1000 emails with an X-Packed Worm every min on a mailserver. Can you imagine what happens when you have to unpack 1000 samples? Or even worse, emulating them? If you add here a second signature over the runtime packed file your email gateway will detect the malware BEFORE it needs to unpack that. This results in MUCH FASTER email processing in case of a big outbreak. Understood? :)
     
  19. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
  20. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,660
    Thanks Mike !

    Yes, I understand now.

    But it could make the process of submitting malware via email (again: in password protected zip-file attachment) a problem.
     
  21. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    not if you brute force the password, unpack the zip and then REALLY scan the malware file. :)
     
  22. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    Adding a psw-zip signature will protect the user well from this worm before it reaches your desktop and before extraction. It can significantly reduce the spam.
     
  23. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,660
    OK :)

    So what happens (just trying to get it clear for myself :oops: ) :

    You send a malicious file by email to a vendor (zipped etc); usually in one email to a lot of vendors.

    Case 1.
    That vendor already knows that file, and has also made a definition against it when it came in to them in the form of that password protected zip-file.
    And their email-gateway uses their own anti-malware program.
    What happens now? I guess they don't look further at it.

    Case 2.
    That vendor doesn't have a definition for that file in its packed format, so now they look at it (well, I hope they do).

    Do I understand it right?
     
  24. Miyagi

    Miyagi Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    426
    Location:
    None
    Moronish Bullshit, you are the BEST!! *puppy* o_O

    Regarding the gateway thing, the infected password-protected files could be alerted, not just deleted so users who are submitting the files can deliver the samples.
     
  25. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    Fanj:
    The virus submission e-mail accounts are usually excluded from being scanned on their side. The reason why you have to put it in a pw protected zip is that most e-mail service providers either don't have a scanner capable of filtering out pw protected zips or have deactivated that feature. You'd be amazed to see how many e-mail ISPs use only ClamAV and no additional protection mechanisms, which in my opinion is one of the reasons why so many malware files end up on end user systems.
     