About 'Kryptik' detection

Discussion in 'ESET NOD32 Antivirus' started by stimulator32, Jan 1, 2010.

Thread Status:
Not open for further replies.
  1. stimulator32

    stimulator32 Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    104
    Hello,

    I have found that many trojans are detected by NOD32 as 'Kryptik' trojans.

    I searched ESET's Threat Encyclopedia for this category, but didn't find anything related.

    I would like ESET moderators to tell me some information about this detection, and what is the meaning of 'Kryptik'?

    Many thanks in advance.
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    It's the same as if you asked what threat NewHeur_PE is. It's a heuristic detection, there's nothing more to say. It can be absolutely any threat.
     
  3. stimulator32

    stimulator32 Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    104
    Hello Marcos,

    I would like to ask how it is a heuristic detection and at the same time has a specific signature like:

    Virus signature database updates:
    Win32/Agent.QOF (9), Win32/AutoRun.Delf.EL, Win32/Injector.AOE, Win32/Kryptik.BPG, Win32/LockScreen.ET, Win32/PSW.OnLineGames.NRD (2), Win32/PSW.OnLineGames.OKB, Win32/PSW.OnLineGames.OYY (4), Win32/PSW.QQFish.AT (2), Win32/TrojanDownloader.Small.OCS, Win32/TrojanDownloader.Small.OTX (2), Win32/TrojanDropper.Flystud.NAG
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Perhaps I ought to have said it's heuristic detection coupled with generic signatures that are based on the results of emulation by advanced heuristics :)
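    Marcos describes Kryptik as a heuristic detection backed by generic signatures, i.e. a verdict about how a file is built (encrypted or packed payload) rather than a hash of one specific sample. The following is an added illustration, not ESET's code or its actual heuristic: a minimal PE section parser plus a Shannon-entropy check, the simplest kind of generic "this looks crypted" signal. The sample image, the `.kryp` section name and the 7.0 bits/byte threshold are constructed for the example.

```python
from collections import Counter
import hashlib
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each section of a PE image (minimal parser)."""
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]   # e_lfanew in the DOS header
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4                      # COFF file header follows 'PE\0\0'
    nsect = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size           # section table follows the optional header
    for i in range(nsect):
        entry = table + 40 * i
        name = image[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, entry + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]

def suspicious_sections(image: bytes, threshold: float = 7.0):
    """Sections whose raw bytes look encrypted/packed: entropy above threshold."""
    scored = [(n, round(shannon_entropy(d), 2)) for n, d in pe_sections(image)]
    return [(n, e) for n, e in scored if e > threshold]

def build_minimal_pe(sections):
    """Construct a tiny header-only PE layout for testing (not a runnable binary)."""
    pe_off = 0x40
    hdr = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    raw_ptr = len(hdr) + 40 * len(sections)  # payload starts right after the table
    body = bytearray()
    for name, data in sections:
        hdr += name.ljust(8, b"\0")[:8] + struct.pack("<IIII", len(data), 0, len(data), raw_ptr)
        hdr += b"\0" * 16                  # reloc/lineno pointers, counts, characteristics
        body += data
        raw_ptr += len(data)
    return bytes(hdr + body)

# Constructed sample: a code-like section (entropy 6.0) and one filled with hash output,
# which stands in for an encrypted payload (entropy close to 8 bits/byte).
SAMPLE_IMAGE = build_minimal_pe([
    (b".text", bytes(range(64)) * 64),
    (b".kryp", b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))),
])
```

    Run `suspicious_sections(SAMPLE_IMAGE)` to see only the `.kryp` section flagged; on real files, high entropy alone is a trigger for deeper analysis (emulation, unpacking), not a verdict, since compressed resources and signed installers score high too.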
     
  5. stimulator32

    stimulator32 Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    104
    Good answer :) ..

    Many thanks Marcos ..
     
  6. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    Hi, I sent many samples to ESET, still they are not added. When I download that sample, it is detected as Kryptik with advanced heuristics.
    But samples on my PC are not detected by ESET. I know malware downloaded will be scanned with AH.
    But still the samples I sent to ESET are not detected. (Remember I also sent a sample to you.) Then what's the use of sending samples??
     
  7. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA

    Hi,

    I don't know about you but I've been submitting more than half a dozen samples (Fake AVs, Trojan Horses, etc.) to ESET on a daily basis and the samples are added in the next signature update unless they are false positives. This is an extract of an e-mail sent to me by ESET acknowledging they received the samples I sent them and that they were added to their signatures:

    ~Private email removed per the TOS.~

    Best regards,

    Carlos
     
    Last edited by a moderator: Jan 1, 2010
  8. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    I uploaded my samples to RapidShare and sent those links to ESET.
    But I didn't get any reply. :doubt:
     
    Last edited: Jan 1, 2010
  9. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    Unless you pay for premium membership, I suspect most people can't be bothered waiting for the Rapidshare delay counters.


    Jim
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    I'm barely successful at downloading files from RS, most time I end up with the message "Unfortunately right now our servers are overloaded and we have no more download slots left for non-members. Of course you can also try again later."

    When submitting files, always follow these instructions. Also enclose as much information about the file(s) you submit as possible, i.e. the URL you downloaded the file(s) from or a log from SysInspector if the file was found on an infected computer.
     
  11. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Hello,

    I was just wondering how difficult it can be to just download the samples to your own computer and pack them using either WinRAR, WinZip, or 7-Zip instead of sending them to RS?

    I run Windows Vista 32-bit SP2 and the way I normally submit samples to ESET is just running IE 8 in a sandbox. Then I navigate to the shady web sites and the majority of times I'm prompted to download their garbage [drive-by downloads], which I do in a sandbox.

    Then I recover them to a specific location on that PC and, while right-clicking the downloaded file, I select Add to Archive (WinRAR) and type in a password.
    I send the samples to ESET using my e-mail account and that is it.

    To get rid of the original sample and the one in the .rar file I just right-click on them and select “Shred with Privacy Guardian” [using the algorithm US DoD 5020.22-M [8.306. E, C and E]] and that's all.

    Why send samples to RS when you know that if you are a so-called “Free User” they will try to discourage you by making you wait looooooong times before letting you download anything?

    Regards,

    Carlos
     
  12. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    I use Gmail. Gmail does not allow me to send .exe files, even if they are compressed and password protected, for security reasons. :doubt: That's why I uploaded those files to RS and sent those links.
     
  13. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    Hi Marcos, I PMed you a site that daily updates new malware samples.
    That might help you to make ESET great. :D
     
  14. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA

    Hi,

    Oh, I see. That may explain why you haven't been able to send the samples directly to ESET.

    I use MS Hotmail and it doesn't give any problems sending password protected .rar files.

    Carlos
     
  15. Hawk82

    Hawk82 Registered Member

    Joined:
    Feb 11, 2007
    Posts:
    29
  16. bradtech

    bradtech Registered Member

    Joined:
    Nov 16, 2009
    Posts:
    84
    This is based on my limited understanding of how this works. I have seen many, many Kryptik variants on the 2,000 clients that run ESET. I have noticed that many of them are fake antivirus variants. They all have different names these days, and the file names associated with them are changed. Hash values are changed on the files, of course. If you look at the behavior and how they infect the machines, it is almost always the same, depending on what user-level rights the logged-on user has.

    If the computer has a limited local user account it mainly just infects the user's local profile, and usually in the same exact paths as other fake AVs. Some do still copy executables to the Windows system32 folder, but most I see now just like to infect the current user profile, and if the user has local administrator rights on the machine it will infect system services, everyone else's user profiles, etc.

    Based on that same pattern of behavior I'm sure ESET has some generic signature and pattern-based alerts that see this and try to determine whether it is malware or not.
     
  17. k!b?

    k!b? Registered Member

    Joined:
    Jan 16, 2006
    Posts:
    22
    In the last couple of weeks I am seeing more and more of these nasty Kryptik and rootkit (today it was Rootkit.Rustock, a .sys file in the system32 dir) variants that NOD32 v4.0.474 with AH, anti-stealth and self-defense enabled is, in some cases, not even able to detect (mostly "error opening" upon scanning) until MBAM points to the files and removes them after reboot.

    Using a WinPE live CD I have moved a couple of those files to a separate folder and sent them later to ESET. In most cases, at that point NOD32 detects and quarantines them, which means that this malware is running freely/undetected in memory :doubt:
    A couple of months ago I warned about the potential rootkit detection problem of NOD32 (and other AVs) and, if the rootkit problem wasn't enough, now a combination of rootkit and Kryptik/encryption methods is appearing.
    Is there any cure for this new trend?
     