another test:)

Discussion in 'other anti-malware software' started by jmonge, Feb 3, 2009.

Thread Status:
Not open for further replies.
  1. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    ok i tested a rouge antispyware;) look at his
    ~VT link removed per Policy,~
    link:"http://spyblaster.com/"
    what do you think?
    tried it with Asquare Antimalware passed
    SuperAntispyware pro fails
    threatfire beta fails
    drivesentry fails too
     
    Last edited by a moderator: Feb 3, 2009
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Oh not another test, lol. I've heard of this spyblaster before, but haven't seen it installed on anything lately.
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    man they want you to buy it even the trial just started after 5 minutes:D couple of pop ups trying you to buy it:)
     
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543

    Lol, isn't that every trial though? Hell, half the "freeware-with a paid option" apps I own do that to me :)
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    you have a point there lol,but this one even the install just finish before welcoming you start giving you pop ups to buy it:D
     
  6. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Twister doesn't catch this. Of course Comodo does. One can pass the installation in system32 as normal (he would put installation mode anyway).

    Once it's installed and you run the nice desktop shortcut it becomes obvious that it's malware. It tries to modify every legitimate windows process it can think of and mind you after a point (modifying winlogon) i was clicking "no" and it was keeping trying for the next one. At the end, it even showed me an interface! It can deceive newbies, that's for sure.

    http://img8.imageshack.us/img8/787/62969932we3.png

    http://img5.imageshack.us/img5/9920/63839530ii0.png

    http://img4.imageshack.us/img4/9476/80638345si2.png

    http://img12.imageshack.us/img12/3152/82424684du6.png

    http://img11.imageshack.us/img11/4574/41889819xe0.png

    http://img10.imageshack.us/img10/6231/67947094hy0.png

    http://img5.imageshack.us/img5/2307/55546330qm0.png

    http://img4.imageshack.us/img4/9514/92430641im0.png

    http://img11.imageshack.us/img11/6616/14539810hc1.png

    http://img8.imageshack.us/img8/3540/10gn1.png

    http://img11.imageshack.us/img11/4336/11no2.png

    ^ Great gui! :D

    Have to reboot to exit from Shadow Defender now, because at the end i did install it out of the Sandboxie.
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    dont worry i have alot of &^%$#*&%^& stuff from lime wire ready to test;) i will find some time on saturday evening after giving familly some time :)
     
  8. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    This seems to be very unknown as a rogue when for example searching for it on Google... I wonder how come? o_O I've seen it here atleast a couple of times already.

    I've NIS09, TF (the new beta, which you mentioned) and Prevx Edge. Non of them reacted an inch to SpyBlaster's setup file. A-Squared is the only one showing this detection clearly, but a bit down when searching with the term "spyblaster". SpywareBlaster comes first and then even SpyBlaster's own homepage.
     
  9. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Bah, that's what I hate about HIPS, if you don't know why programs would modify those areas, and if they need to, you're screwed. *scurries back on topic*...the interface looks crappy, lol. I'll keep an eye out for this thing on client computers.
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    And can someone test it with Geswall
     
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    i submit to virus total and 6 antimalwares flag it as malware;)
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    the one that really impress me was asquare antimalware it deletes all files and traces from this suker:D
     
  13. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Well, i think the most "alerting" pop up, even if someone *thinks* that he is running a legitimate antispyware, is when he will arrive at the winlogon.exe pop up. I mean, no security application has to touch winlogon to work properly... On the contrary, it is known to be a very effective way for a malware to get awful control over your windows.

    I no see why an application modify smss.exe either, since that's the windows session manager. But the "winlogon", by its name only , should make someone suspicious...

    I mean, ok, the COM and startup folders, can fool anyone . But from that point on, for someone with basic knowledge of windows processes, must start wondering. After the 2 processes i mentioned, it becomes more and more obvious, with the peak coming at explorer.exe. Modifying explorer.exe is giving it power to wreak havoc. And if you add ALL the alerts from the beginning, the pattern is obvious. It's trying to take full control of your PC, from startup, to running as service, to controling your internet and explorer.exe. It MUST ring a bell!

    If every security application, in order to work, was to modify everything from winlogon, lsass, smss, explorer.exe, windows wouldn't boot probably or would crash every minute.
     
    Last edited: Feb 3, 2009
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    the trick here is that this one you can even delete manually but you think you delete all but is not like that:D it left a type of keylogger sort of malware,acording to asquare;)
     
  15. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Keylogger too? Well, i am happy i didn't discover. I was running it in Shadow Defender, but for all i knew (since i had no idea of what its malicious purpose is), it could crash windows or send outbound info if i kept with the "allow". So from the winlogon and afterwards, i was blocking it.

    And after reboot, flushed from Shadow Defender. Anyway, it can sure fool many people. The installer looked quite "professional" too. :D (I mean, i 've seen worse). And it did have a GUI, a version and a "last update date". LOL! For all someone can know, it was an antispyware! This shows the beauty of classical HIPS, though, doesn't it... Where most scanners fail, here comes the classical HIPS to save the day...
     
  16. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,014
    Location:
    Ontario, Canada
    A-Squared Free does not see this as a threat! What gives?

    TH
     
    Last edited: Feb 3, 2009
  17. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    i will test it again tonite and tomorrow mornig look for me in a pm and i will give the results full results from asquare antimalware:thumb:
     
  18. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    do you have the latest version?
     
  19. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    agree 100%
     
  20. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,014
    Location:
    Ontario, Canada
    Yes just checked again still undetected.

    TH
     
  21. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    a1 antimalware is not just signature based(blacklist scanner) like a2 free..has many many more proactive modules.
    cheers
     
  22. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    the paid version catch it;)
     
  23. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    What also impressed me, is , not that most scanners fail (they don't have the signature, they fail, that's the destiny of scanners...), but that also Threatfire did. And this, while this little bugger, is practically trying to put his hand on most critical windows core processes. I didn't expect that from Threatfire... Twister's FDDS failed miserably, but it's not at Threatfire's level, so i can justify it more easily. Also, Twister's registry protector failed, since this one doesn't use the "traditional" run keys (probably can hook to winlogon) to start. So the Registry Protector was out of the game too.

    I don't know how they managed to fool scanners and Behaviour blockers, but it sure shows an elaborate plan! The downside being, that by trying to control almost everything in Windows, it becomes very clear target for classical HIPS.
     
  24. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    maybe the free version does not include the ikurus antivirus engine,to be honest dont know:D
     
  25. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,014
    Location:
    Ontario, Canada
    It does but even Jotti does not see it. A-Squared Found nothing

    Virustotal a-squared 4.0.0.93 2009.02.03 - Nothing!

    TH
     
Loading...
Thread Status:
Not open for further replies.