Is nod32 on top of Gromozon attacks?

Discussion in 'NOD32 version 2 Forum' started by tempnexus, Oct 6, 2006.

Thread Status:
Not open for further replies.
  1. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
  2. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Yep, NOD32 has a very good generic/heuristics detection of these samples. At least from what I can see in my collection.

    EDIT: It detected "today's sample" as: Win32/Gromoz.H trojan
     
    Last edited: Oct 6, 2006
  3. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    What samples? Certainly not the ".com" infection starters. They are constantly ahead of any AV; the best detection of these is (somewhat surprisingly) Symantec's these days, but they're not so great either. Most AVs are constantly ridiculed by these trojans, just like they are by the Zlob trojans.
     
  4. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Well, I may not have too big a collection - about 20 different unique www.(something).com samples. All of them (except 1) are detected by NOD32 as "Win32/Agent.XXX trojan" or "Win32/Gromoz.X trojan" or "probably unknown NewHeur_PE virus" or "a variant of Win32/Agent.XXX trojan". If I am not mistaken, the last two count as heuristic/generic detection?

    I haven't checked every day, but the times I've tried downloading samples, NOD32 has either detected them or later added detection.
     
  5. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    I emailed support asking them to look at the thread started by TNT (here: https://www.wilderssecurity.com/showthread.php?t=136452) and got a reply back that detection was being added for the existing threats (this was a couple of weeks ago) and that future threats should get variant detection. I believe they were also looking at adding the danger sites to the IMON block list.

    I don't imagine that all (past/present/future) gromozon threats will be detected by NOD32, but I think they are on the case with them.
     
  6. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Well, the gromozon pushers are back putting out new versions every day (if not more), so it might be that those are detected, but every new one I see is being missed by most (if not all) the AVs on VirusTotal.

    PS: note that I'm talking about the "www.something.com" trojans/infection starters, I haven't tested the malware these are downloading/executing in a while.
     
  7. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    As far as I've seen and tested, NOD32 detects many www....com samples, and out of those missed, after executing them it detects the files being dropped or downloaded. :)
     
  8. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    Yep, tried the new ones myself and heuristics go down the drain for them. None of the 29, 30, 31 and 32 are detected via heuristics; the system just gets hosed. (Yep, everything is set to max, including IMON.) So far only AntiVir seems to be getting close, but still nothing amazing.
    I guess Advanced Heuristics are down for that type of infection (considering, as far as I know, 32 "special" samples and no AH detection on any of them).
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I've got some samples detected by the development version of AH. Feel free to submit the undetected samples to samples @ eset.com
     
  10. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    Did that already.
    The development version of AH? Is that the beta?
     
  11. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    It's NOD32's Advanced Heuristics; they probably test it in their labs before they push out an update to the public.
     
  12. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    Oh, I know what AH means. I was just wondering what he meant by the development version of AH. I was wondering if there is a new version of AH on the horizon, since this one is beginning to fail miserably when placed against the newest level of threat (the ex-CWS authors... aka Gromozon).
     
  13. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,043
    While this may be OT, could someone please explain where you get these types of threats and how they work? I don't mean URLs or specific sites, but in general. While NOD and other AV/AT are hopefully catching up with this type of threat, is there any "behavioural" protection I can apply as the first line of defence, i.e. avoiding certain types of sites, functions on sites or links? o_O
     
  14. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Instead of taking a NOD support thread too far off topic, I suggest you take a look at our ongoing thread concerning this malware, which has an extensive discussion.

    This thread: Dangerous trojans on the loose

    Thanks,
    Bubba
     
  15. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    AH is not a "finalized" product that gets replaced with new versions of NOD32, the way I understood it. AH is a module that gets continually "tweaked"/updated to deal with threats, meaning there have been many updates to it (almost monthly) and there will probably be many more in the future, until they find a new/better technology. Before the tweak is pushed out in an update to the user, I assume that ESET labs must test it first (the "development" version or "alpha" version or whatever you might call it), to make sure it meets satisfactory levels of detection vs. false positives. They therefore can't just test it against Gromozon samples only, but also against other samples to make sure the AH performs at least as well as their previous tweak, without more false positives. It may take hours or days or whatever before this "development" version reaches the user (in the form of an update).

    If I am wrong, then somebody please correct me. :)
     
  16. Cretemonster

    Cretemonster Registered Member

    Joined:
    Mar 31, 2005
    Posts:
    79
    Good Evening folks,

    I come from the far side of the wonderful world of Gromozon removal and the changes it makes to a system.

    In relation to NOD32, I am uncertain of which exact .com files are changed, but Gromozon has been seen removing various files, usually from the Sys32 folder, and replacing them with a 0 byte file.

    If it doesn't replace the .com file (dll), it will add a .bak extension to disable it.

    In NOD itself, I believe it targets certain aspects of the Updater service.

    I can't confirm this since I haven't installed it with a NOD product active.

    I simply know because of 2 posts I worked, both of which had NOD32 and the Gromozon rootkit.

    After manual removal of the rootkit, both users complained of the Updater failing.

    The first user simply reinstalled NOD; the second is here somewhere posting a question about the issue.

    I agreed to enter here with user to explain what was done during the cleaning process.
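    A read-only check for the two symptoms described in the post above (system files replaced by 0-byte copies, and files disabled by a .bak rename), added here as an illustration and not code from the thread or from ESET; the extension list and the constructed sample directory are assumptions, not values from the thread.

    ```python
    # Added example: flag 0-byte executables and .bak-renamed executables
    # under a directory. Extensions watched are an assumption for the demo.
    import os
    import tempfile

    WATCHED_EXTS = {".com", ".dll", ".exe", ".sys"}  # assumption


    def scan_for_tampering(root):
        """Return (zero_byte, bak_renamed) sorted lists of paths under root.

        zero_byte:   watched-extension files that are 0 bytes long
        bak_renamed: files like foo.dll.bak where foo.dll is a watched type
        """
        zero_byte, bak_renamed = [], []
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                stem, ext = os.path.splitext(name)
                if ext.lower() in WATCHED_EXTS:
                    try:
                        if os.path.getsize(path) == 0:
                            zero_byte.append(path)
                    except OSError:
                        continue  # unreadable; skip rather than guess
                elif ext.lower() == ".bak":
                    # foo.dll.bak -> the inner extension is .dll
                    if os.path.splitext(stem)[1].lower() in WATCHED_EXTS:
                        bak_renamed.append(path)
        return sorted(zero_byte), sorted(bak_renamed)


    def build_sample_dir():
        """Constructed sample tree mimicking the symptoms (not real system files)."""
        root = tempfile.mkdtemp(prefix="sys32_sample_")
        with open(os.path.join(root, "good.dll"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 64)  # healthy, non-empty file
        open(os.path.join(root, "hosed.com"), "wb").close()  # 0-byte replacement
        with open(os.path.join(root, "disabled.dll.bak"), "wb") as f:
            f.write(b"MZ")  # renamed with .bak to disable it
        with open(os.path.join(root, "notes.txt.bak"), "wb") as f:
            f.write(b"x")  # .bak of a non-watched type: ignored
        return root


    if __name__ == "__main__":
        zero, bak = scan_for_tampering(build_sample_dir())
        print("zero-byte:", zero)
        print(".bak-renamed:", bak)
    ```

    Point it at a real directory only after confirming a baseline, since legitimate installers also leave .bak files behind.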
     