Another ZLOB variant (not detected)

Discussion in 'ESET NOD32 Antivirus' started by k!b?, Oct 2, 2008.

Thread Status:
Not open for further replies.
  1. k!b?

    k!b? Registered Member

    Joined:
    Jan 16, 2006
    Posts:
    22
    Yesterday I googled Panasonic Cam "NV GS 17E driver" and downloaded file "Setup_ver1.1773.0.exe". XP SP3 and NOD32 v3.0.672 up-to-date and fully configured.
    When I started that .exe, it immediately started spreading and changing Windows (disabled Task Manager, created 2 'security' icons on desktop, removed Control Panel, Network Connections etc. from the Start menu, and the whole network support (LAN, connections etc.) of Windows after the next reboot). Also, after reboot, NOD reported some error with http/network services/components...
    I had to restore Acronis image to get system working again.

    At VirusTotal currently 8 of 36 are reporting variant of Zlob.
    Last night I submitted that file for analysis but at this moment (database ver. 3489) NOD still doesn't detect it :rolleyes:
    I have the .exe file zipped and bookmarked the link from which I downloaded it.

    I hope Eset fixes the 'advanced heuristics' engine soon because it's obviously not effective (I too until recently had that 100% CPU usage problem, mainly when opening video .avi files and the Everest 4.5 utility, on many machines of my customers).
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Actually it is effective; advanced heuristics wouldn't scan anything other than executable files anyway, so it's not responsible for the problem with high CPU usage when scanning certain files.

    Some of you here have reported this problem with certain avi files, unfortunately they were so large that you could not submit or upload them. Anyone having a problem with high cpu usage when scanning avi files, please drop me a PM and I'll send you a tool that will help us pinpoint the issue.
     
  3. k!b?

    k!b? Registered Member

    Joined:
    Jan 16, 2006
    Posts:
    22
    Question: How is it effective if it doesn't detect at least as 'suspicious' something that makes such major changes to the system, like completely destroying network support, changing the Start menu and disabling Task Manager, also closing both Firefox and IE as soon as I try to open them etc. (it even managed to close ComboFix when I tried to run it)?
    In all that time before and after first reboot, NOD didn't say anything except reporting that HTTP/network is not working (I don't remember what exactly it said).
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Judging the effectiveness on one particular file or a small group of malware doesn't seem to me correct given that there are dozens of millions of unique threats. It would be a sort of perpetual motion if the heuristics could detect every single malicious file. Alternatively, one could flag every single file as suspicious, but who would then use such a useless proggy?
     
  5. k!b?

    k!b? Registered Member

    Joined:
    Jan 16, 2006
    Posts:
    22
    But this is not my first experience with NOD not detecting not-so-benign malware:
    -TrojanDropper.Agent.NHN
    -IRCBot trojan
    -AutoRun.GG worm
    -Agent.DBP trojan

    https://www.wilderssecurity.com/showthread.php?t=116111

    It took weeks for these to be detected/added to database.

    And unfortunately it's happening again :rolleyes:
    Every time I try to start Everest, it takes 2-3 minutes for NOD to 'let go' of everest.exe (it's the same with the 4.10.1125 and 4.60.1500 versions). Same thing with avi, mp4 etc. files. This happens all the time on many machines I worked on.
    But it lets go of this malware I dealt with yesterday in no time.

    When taking into account that the aforementioned suspicious samples manually submitted by email or NOD (and which are proven to be not-so-benign) were added to the malware list only after a couple of days or weeks, and also the fact that "Eset exchanges samples with several av vendors. Opposite statement is incorrect.".
    I wonder when this Zlob (or whatever) variant will be detected by NOD. And, in the meantime, how many machines will become infected, considering these are (or were) not detected even as suspicious by NOD. And nobody is interested in asking for a sample of that .exe file or the URL link.
    I won't comment anything but this - I have used NOD32 for years now, but slowly I'm losing confidence in its ability to protect my customers' machines from new threats that really do significant damage to the system when they infiltrate it.
     
    Last edited: Oct 2, 2008
  6. saberfox

    saberfox Former Poster

    Joined:
    Jul 23, 2008
    Posts:
    84
    I think you guys really need to give Marcos a break.

    He's an Eset employee, and I don't think his career at Eset is going to go smoothly if he admits on Eset's own official forum that their heuristics aren't up to snuff when it comes to the latest threats.
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Regardless of whether I'm an ESET employee or not, advanced heuristics is sophisticated and very efficient. We just don't utilize all the features it offers yet, but this will certainly change as the development always takes some time. However, no heuristic technique will ever be efficient enough to detect 100% of all threats with a minimum number of false positives.
     
  8. k!b?

    k!b? Registered Member

    Joined:
    Jan 16, 2006
    Posts:
    22
    Well, I just saw the screenshot on thread
    https://www.wilderssecurity.com/showthread.php?t=222304
    and remembered that the same *virus alert* appeared to me too.
    I just checked that file on VirusTotal again and guess what - now it's 14/36 and the majority name it as some variant of Zlob...
    Still my NOD doesn't recognize it, sadly...
     
  9. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Please re-submit the file to samples@eset.sk in an archive file format such as .ZIP or .RAR with a password of "infected" with a link to this message thread.

    Regards,

    Aryeh Goretsky
     
  10. k!b?

    k!b? Registered Member

    Joined:
    Jan 16, 2006
    Posts:
    22
    On October 2nd I manually submitted it for analysis via the NOD32 GUI. Eight days later I was asked to submit it via mail to samples@eset.sk.
    Finally, after 11 days, it's detected as a variant of the Win32/TrojanDownloader.Zlob.CQR trojan.

    So if it's a trojan (that is not-so-benign), I'm still wondering about the effectiveness of the current Advanced Heuristics & ThreatSense engines and Eset's whole system of detecting new malware...

     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If it wasn't against the TOS, I could post here thousands of examples where NOD32 is the only or one of the few AVs to detect new variants of Virtumonde/Fakealerts. Heuristics is not a magic thing that will ensure 100% detection of all threats. Advanced heuristics is actually very effective from what we see.
     
  12. ASpace

    ASpace Guest

    Could you post some in the private forum, please :rolleyes: :rolleyes: :D I promise I will use them only for marketing purposes :p I need some fresh examples of Zlobby
     
  13. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    sorry HiTech, I already asked once and got no response, so I have a hard time thinking it is true.
     
  14. Don johnson

    Don johnson Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    77
    I can catch some new Zlob variants every day, because I have some Zlob sites. When I send them to Eset's virus lab, they often give me a response, and then they can add the signatures in the next update.

    I agree with Marcos, no AV can offer 100% protection; NOD32 has a good detection rate for FakeAlert.
     
  15. ASpace

    ASpace Guest

    Well, there is a slight difference. You wanted him to post them in the public section, however I asked him to post them in the private forum dedicated to ESET resellers (which you have no access to as far as I know) :)
     
  16. ASpace

    ASpace Guest

    Trjam, thanks to a user of ours I have a copy of a fake XP Antivirus variant - perhaps a new one - which is detected only by Microsoft and ESET.
    Both with heuristics. ESET Lab confirmed to me a few hours ago that it is a real one. I'll send you a screenshot for confirmation if you want ;)
     
  17. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'm familiar with such samples, but we should play fair all the time. If you say that the quality of detection cannot be measured on a small test set, you shouldn't use this approach to show that you're good at something either. Yeah, we see how many such threats are received via ThreatSense.Net and often we are the only one or one of the few AVs to detect them. On the other hand, we admit there are threats that we miss and that are detected by some other AVs, but this is true for any AV as we don't live in a land of dreaming.
     
  18. ASpace

    ASpace Guest

    And that is why I didn't post the results in public. Only me and trjam saw them.

    I agree that this approach is completely incorrect, but as you know very well there are many "errant" people who rely on this obviously wrong approach to prove something they think is true. They want us to play that game; when I can do it, I'll do it and I am sure I won't lose ;) . Anyway...

    (Sorry for the off-topic)
     