Brontok-C worm defeated Avira?

Discussion in 'malware problems & news' started by Macstorm, Mar 17, 2008.

Thread Status:
Not open for further replies.
  1. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    To make a long story short: my neighbor asked me for assistance this morning. He plugged a Sony mp3 player (borrowed from a relative) into his PC's USB port and Avira PE Premium alerted him to a threat (Brontok-C, according to Avira's events; how this worm arrived on the stick is another story). He said there were 2 alerts from Avira prompting about the action to be taken, then he chose the 'deny access' option for the first prompt and the 'delete' option for the second one (these chosen selections match Avira's event logs), then he removed the mp3 stick. At system restart he was alerted to the same threat again and his Avira icon vanished from the systray.
    It wasn't difficult for me to manually fix the changes made by the worm (restore the registry editor, re-enable folder options, etc.) and I can confirm that his Avira managed to delete the threat from the USB stick (checked by my G Data AV).

    But, what happened to his system? Was Avira's engine indeed unable to stop infection from a simple worm? This one scares me A LOT :blink:
     
  2. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Why should it? It happens multiple times on a daily basis.

    People really need to get over the preconception that AVs are rock-solid and impenetrable, even the ones that (somehow :cautious:) score an A+ at AV-Comparatives.
     
  3. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    Wait a second... are you saying that anyone can easily get infected by a specific threat even when running an up-to-date AV containing its proper signature for that nasty?
     
  4. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I'm saying that that's not necessarily what happened. This scenario you mention is relatively improbable, but there's no way for a random stranger over the internet (like me) to discern with any solid certainty.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Can you describe how this happened?


    ----
    rich
     
  6. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    I would still like to know what happened there.
    In the meantime, I'll recommend that guy stay away from that AV :ouch:
     
  7. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    It's unknown at the moment. He's asking his relatives about the origin of this (supposedly) new mp3 stick. No songs were found there.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    If you can get the stick to check, I would be interested in the contents of the drive, especially the AutoRun.inf file. It's probably hidden, as a lot of these exploits are set up.

    Did he or anyone else plug the stick into another computer first? That would explain how a USB virus might have been transferred to the stick.

    Another cause suggested at sans.org is if the device were purchased by someone else and then returned infected to the store, re-packaged and re-sold as new.


    ----
    rich
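    To make the AutoRun.inf question concrete, here is an added example (not code from any poster, Avira, or G Data): a small defender-side parser that flags the directives in an autorun.inf that would launch a program when the drive is opened or its context menu used. The sample autorun.inf text and the list of launch keys are constructed assumptions for illustration, not taken from the thread.

```python
"""Audit an autorun.inf for directives that launch a program on drive access.

Added example for this thread; the sample file below is constructed and the
set of launch keys is an assumption, not a full autorun.inf specification.
"""
import configparser
import re

# Keys that make Explorer run something when the drive is opened or when a
# context-menu entry is chosen (assumed common set, not exhaustive).
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\.+\\command$", re.IGNORECASE)

# Constructed sample mimicking a worm-style autorun.inf; path is made up.
SAMPLE_AUTORUN = """\
[AutoRun]
; constructed sample, not captured from a real stick
open=hidden\\player.exe
shellexecute=hidden\\player.exe
shell\\explore\\command=hidden\\player.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=MyMusic
"""


def parse_autorun(text):
    """Return {key: value} for every directive in the [autorun] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=(";",))
    cp.read_string(text)
    for section in cp.sections():       # section name is case-insensitive on Windows
        if section.lower() == "autorun":
            return dict(cp.items(section))  # configparser lower-cases option names
    return {}


def launch_directives(text):
    """Return the directives that would execute a file, as (key, target) pairs."""
    found = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            found.append((key, value.strip()))
    return found


def is_suspicious(text):
    """True if opening the drive (or its context menu) would run a program."""
    return bool(launch_directives(text))


if __name__ == "__main__":
    for key, target in launch_directives(SAMPLE_AUTORUN):
        print(f"{key} -> {target}")
```

    Run it against the autorun.inf copied off a suspect stick (with the file's hidden/system attributes cleared first) to see what Explorer would have launched on a double-click.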
     
  9. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    I know what you mean, I'm also suspecting that this case is related to the article posted here before.
    The logs indicate that two nasties were deleted from the stick (the same ones that were found on his PC afterwards). He said that the alerts started after the device was manually opened to see its contents, it wasn't an autoexec.
    He'll ask if the stick was plugged into another pc before.
     
  10. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Finding a threat and not being able to deal with it does not mean the AV sucks. If it happens on a regular basis then it sucks. As detection isn't 100%, removal isn't either. The best thing he could do is get support on the Avira forum.
     
  11. rookieman

    rookieman Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    409
    This kind of scares me because I've just installed a trial of Avira. I don't know if this was possible in this case but I always try to scan the contents of everything that's put in or hooked up to my comp like this. I guess this could've happened with a floppy or a CD. Can you scan the contents of an mp3 player this way o_O?
     
  12. Thug21

    Thug21 Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    141
    Location:
    Illinois
    I'd post about this on the Avira forum - there has to be a logical explanation for it.
     
    Last edited: Mar 18, 2008
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    There are too many unknowns here.

    Something has to trigger the virus to execute. It could have been triggered as he accessed the drive. See

    http://www.viruslist.com/en/weblog?weblogid=208187475

    Until the contents of the drive are known, it's speculation as to what happened.


    ----
    rich
     
  14. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    Thanks for the link, very useful info.
    Well, I asked him again and he insists he just double clicked the drive after it was plugged in, nothing more nothing less. Then the alerts appeared.
    I'm told that, effectively, the stick was plugged into another 2 computers before it reached his PC. Most likely the device got infected there.
    As I said above, when I brought home the drive I scanned it with my G Data AV and it came up clear, so Avira succeeded in deleting the threat from the stick.
     
  15. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    The worm was indeed detected and deleted from the stick.
    The worrying thing here is Avira was unable to stop it from spreading through the PC! :blink:
     