ERA failed to detect USPSLabelDoc.zip (Oficla Trojan) ??

Discussion in 'ESET NOD32 Antivirus' started by EvilDave UK, Sep 28, 2010.

Thread Status:
Not open for further replies.
  1. EvilDave UK

    EvilDave UK Registered Member

    Joined:
    Dec 20, 2005
    Posts:
    275
    Location:
    United Kingdom
    Every user in our organisation was just sent a fake UPS email with the attachment "USPSLabelDoc.zip". Inside is an EXE weighing in at 36KB. Scanned it using ERA and EMSX 4.2; both came back as "not infected". Not convinced, I sent it to VirusTotal, who say:

    ~ Virus Total Results Removed per Policy - ESET Will See Report ~

    According to their site it was first seen 2010-09-27 20:51:39 (UTC)... That's almost 12 hours ago!

    How come ESET haven't deployed virus defs yet? And why didn't your AH detect this either?
     
    Last edited by a moderator: Sep 28, 2010
  2. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    Your link to VT will be snipped; ESET Wilders don't like links to VT as it shows how many virus scanners catch something that others didn't.

    I find AH to be pretty useless. UPS emails, DHL emails, XP SuperAntiVirus 2009-type stuff; ESET lets them through without flinching.

    The ESET mods will probably reply here to say "how many other virus vendors detected it"....but that's not the point. We buy ESET because it's good, but lately it's not been as good as it needs to be.....

    We have 120 licenses and have no plans to change to anything else. But we still get hit by things that AH should be catching. After all, anything that latches onto winlogon.exe or lsass.exe or svchost.exe, or which disables the security centre etc., surely exhibits all the signs of unwanted software o_O?

    Just my 2p.



    Jim
     
    Last edited: Sep 28, 2010
  3. EvilDave UK

    EvilDave UK Registered Member

    Joined:
    Dec 20, 2005
    Posts:
    275
    Location:
    United Kingdom
    ESET MODS: If you plan on snipping my link, maybe you should sort out your software first, then there'd be no need for me to post stuff like this. Though it's amazing how vendors like Kaspersky and Symantec all detect the trojan, yet yours does not. Epic Fail.

    @jim: I agree with what you're saying. It's just yet another problem with their software; if it isn't virus defs that cause your PC to blue screen, it's virus defs that don't detect viruses! What a joke! Though all these issues will help me to consider whether we're going to re-invest another couple of hundred pounds when the renewal's due in November.
     
  4. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    I've been getting quite a few of these Win32/Oficla attachments recently and I've found NOD32 to detect a good percentage of them, often being 1 of less than 5 scanners at VT that do detect it. I check back at VT the next day and then almost half are detecting it.

    Obviously everyone who uses ESET products would want it to catch every variant of every type of malware, but that's not realistic. How many of these variants are released only after specifically testing them against the top AVs to ensure they are not detected? Plenty, I reckon.

    Submitting the sample to ESET (it will already have been submitted via VT) will mean that not only will this particular variant be detected, but it will likely help future unknown variants to be detected.

    PS the 'no VT results' policy is one enforced by Wilders, not ESET.
     
  5. EvilDave UK

    EvilDave UK Registered Member

    Joined:
    Dec 20, 2005
    Posts:
    275
    Location:
    United Kingdom
    Just checked our server logs and found the UPS emails we received this morning have now been tagged as containing Win32/Oficla.IN trojan after the defs were updated automatically this morning. Great.

    However I've noticed a few days ago the same trojan/revision was detected in a UPS email:

    24/09/2010 10:29:36 Mail Server filter email message from: UPS Service <directory@ups.com> to: <EMAIL> with subject UPS Services. Please get your parcel NR16345 dated Fri, 24 Sep 2010 18:28:31 +0900 Win32/Oficla.IN trojan contained infected files NT AUTHORITY\NETWORK SERVICE

    What makes no sense is why the trojan was being detected a few days ago, then a few days later it's no longer being detected?! It looks like ESET deleted the virus definition from the database and simply re-added it today.

    But why?!
     
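    As an added illustration (not code from the original thread, and not ESET's own tooling), here is a small parser for mail-server filter log lines of the shape quoted above. The regular expression is inferred from that single quoted line, so it is an assumption about the format; the extra sample lines are constructed for the example. It pulls out the sender, subject, threat name and detection time, and groups the dates on which each threat name was seen, which is the kind of check that shows whether a given name is appearing on several different days.

```python
import re
from datetime import datetime

# Pattern assumed from the one log line quoted in the thread (hypothetical; other
# fields of the real ESET mail-server log format may differ).
DETECTION_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) Mail Server filter email message "
    r"from: (?P<from>.+?) to: (?P<to>.+?) with subject (?P<subject>.+?) "
    r"dated (?P<dated>.+?) (?P<threat>\S+/\S+ \S+) contained infected files (?P<account>.+)$"
)


def parse_detection(line):
    """Return the fields of a mail-filter detection line as a dict, or None for other lines."""
    m = DETECTION_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Timestamp is day/month/year as in the quoted UK log line.
    rec["when"] = datetime.strptime(rec.pop("ts"), "%d/%m/%Y %H:%M:%S")
    return rec


def days_by_threat(lines):
    """Map each threat name to the sorted list of ISO dates on which it was detected."""
    seen = {}
    for line in lines:
        rec = parse_detection(line)
        if rec is None:
            continue  # maintenance or non-detection lines are skipped
        seen.setdefault(rec["threat"], set()).add(rec["when"].date().isoformat())
    return {threat: sorted(days) for threat, days in seen.items()}


# Constructed sample input: the first line is the one quoted in the thread, the rest
# are made up in the same shape (parcel numbers and times are invented).
SAMPLE_LINES = [
    r"24/09/2010 10:29:36 Mail Server filter email message from: UPS Service <directory@ups.com> to: <EMAIL> with subject UPS Services. Please get your parcel NR16345 dated Fri, 24 Sep 2010 18:28:31 +0900 Win32/Oficla.IN trojan contained infected files NT AUTHORITY\NETWORK SERVICE",
    r"28/09/2010 08:12:05 Mail Server filter email message from: UPS Service <directory@ups.com> to: <EMAIL> with subject UPS Services. Please get your parcel NR00001 dated Tue, 28 Sep 2010 15:10:44 +0900 Win32/Oficla.IN trojan contained infected files NT AUTHORITY\NETWORK SERVICE",
    r"28/09/2010 08:12:09 Mail Server filter email message from: UPS Service <directory@ups.com> to: <EMAIL> with subject UPS Services. Please get your parcel NR00002 dated Tue, 28 Sep 2010 15:10:51 +0900 Win32/Oficla.IN trojan contained infected files NT AUTHORITY\NETWORK SERVICE",
    r"28/09/2010 09:01:00 Mail Server filter signature database update completed",
]

if __name__ == "__main__":
    for threat, days in days_by_threat(SAMPLE_LINES).items():
        print(threat, "seen on", ", ".join(days))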
  6. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    It could simply be a newer version of the same Trojan you got a few days ago. But ESET uses the same name.
     
  7. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    I'll leave the technical explanation to the experts, but if you do a search of the signature database it shows Win32/Oficla.IN is included in several recent updates, so I'm assuming that although not all of the infected attachments have been detected, they are all considered to be of the same variant.

    Similarly, the latest update (5486) includes Win32/Oficla.IN (2), which I think means that signature detects 2 variants of Win32/Oficla.IN.

    See here: http://www.eset.com/threat-center/threatsense-updates/search?q=Oficla.IN
     
  8. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    Which brings us back to AH. Shouldn't ESET be looking at the behaviour of code, and looking at the things it does, rather than looking for byte-sequences and fingerprints? That way it would catch nasty stuff even when new variants are released.

    ?


    Jim
     
  9. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    AH isn't a silver bullet, just one of several technologies that offer protection.

    ESET tweak it as and when they make changes/improvements, but it has to be a balance between offering the best possible protection and not causing a huge increase in false positives.

    Different AVs handle it in different ways, I personally prefer the way ESET does it.
     
  10. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    Don't get me wrong, I still think ESET is the best out there. BUT....as has been pointed out, several virus defs all looking for the same virus. So shouldn't they instead be looking at what the nasty stuff does, not how it does it?

    I'm no AV expert, nor could I claim to be (though I am a professional software developer), but looking for a code fingerprint seems like you're forever chasing a moving target. If the Realtime Protection module could instead intercept API calls, such that anything that tried to latch onto a system process was intercepted, that might be a better tack?


    ?
     
  11. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    I think that statement speaks volumes about the current state of the fight against malware.
     
  12. Geosoft

    Geosoft Registered Member

    Joined:
    Jan 7, 2009
    Posts:
    270
    Location:
    Toronto, Ontario, Canada
    I know this isn't an answer to the problem of ESET not being able to pick up the new virus right away, but it might solve your problem.

    Have you tried enabling SIDF/SPF filtering on your email gateway? At least you can trap those emails in a quarantine as they would not pass as a legitimate server that's allowed to send from ups.com.
     
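    To show what the gateway check suggested above actually decides, here is an added example (not from the thread, and not any gateway product's code) of a minimal SPF evaluator plus a quarantine decision. DNS is replaced by a constructed table of TXT records, so the ups.com policy shown is invented for the example and is not UPS's real record; only the ip4, ip6, include and all mechanisms are modelled. SPF is evaluated against the envelope sender (MAIL FROM) domain and the connecting IP, not the display name in the From header, which is why a spoofed "UPS Service <directory@ups.com>" sent from an unrelated host fails the check.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. These records are hypothetical and do not
# reflect the real ups.com policy.
FAKE_DNS_TXT = {
    "ups.com": "v=spf1 ip4:198.51.100.0/24 include:_spf.example-esp.test -all",
    "_spf.example-esp.test": "v=spf1 ip4:203.0.113.0/25 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the domain's SPF record, or None when it publishes none."""
    rec = dns.get(domain.lower())
    if rec is None or not rec.lower().startswith("v=spf1"):
        return None
    return rec


def check_spf(sender_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate sender_ip against domain's policy: pass/fail/softfail/neutral/none/permerror."""
    if depth > 10:  # guard against include loops, as the SPF spec's lookup limit does
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # An address of the other IP version is simply not contained.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            inner = check_spf(sender_ip, arg, dns, depth + 1)
            if inner == "pass":
                matched = True
            elif inner in ("none", "permerror"):
                return "permerror"
        else:
            # a, mx, ptr, exists and modifiers such as redirect= are not modelled here.
            continue
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no explicit "all"


def gateway_action(connecting_ip, mail_from, dns=FAKE_DNS_TXT):
    """Decide what the gateway does with a message given its envelope sender and source IP."""
    domain = mail_from.rsplit("@", 1)[-1]
    result = check_spf(connecting_ip, domain, dns)
    if result == "fail":
        return "quarantine"
    if result == "softfail":
        return "tag"
    return "deliver"


if __name__ == "__main__":
    # Constructed messages: one from the policy's listed range, one from an unrelated host.
    for ip, sender in [("198.51.100.7", "directory@ups.com"), ("192.0.2.44", "directory@ups.com")]:
        print(ip, sender, "->", check_spf(ip, sender.split("@")[1]), gateway_action(ip, sender))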
  13. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    ESET responds very quickly to these types of spammed message attachment threats, but their virus lab does need to first get some samples in order to analyze what new countermeasures have been added to avoid detection by various anti-malware programs.

    Please submit undetected malware to the virus lab by following the instructions in this knowledgebase article if you come across any such malicious attachments in the future.


    Regards,

    Aryeh Goretsky
     
    Last edited: Oct 20, 2010