Kraken botnet bypassed NG, Defence Plus

Discussion in 'other anti-malware software' started by aigle, Apr 11, 2008.

Thread Status:
Not open for further replies.
  1. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Sure it has been fixed. I'm neither upset nor surprised. It is quite a natural approach to fix the fails when they come to light. I'm rather talking about testmypc credibility.
     
  2. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,672
    Location:
    Philippines
    I must be missing something here. o_O

    If an unknown executable attempts to execute and my product alerts me to that fact, why in the heck would I allow it to run in the first place? This does not make sense. What does make sense is to block it and not allow it to run. This effectively stops malware.exe from doing its damage, does it not?
     
  3. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    There is nothing wrong with one program trying to execute another program, even in case the first one is unknown. For example it can execute the default browser to link it to the vendor site, or an "uninstall why" form. The problem is that the fact of starting itself tells nothing. But when you see, for example, that the first program starts your default browser with a very unusual or unclear command line, this is the time for you to pay attention.
     
  4. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,672
    Location:
    Philippines
    I guess I was not too clear on what I meant.

    I realize there is nothing wrong with a program trying to execute another program. That happens all the time.

    I was referring to the test pointed out by aigle in the comodo forum:

    Why allow? The firewall is alerting to a possible problem. If it's an unknown, shouldn't you block the process from starting in the first place?

    Edit: Especially if you know it's a Kraken botnet as in this case.
     
  5. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    He allowed it to check what further alerts his HIPS would show. But what if he didn't know that this is malware, but thought that this is a useful utility? BTW, I do not understand what "trying to modify itself" means. In case it is trying to modify its own memory, then what's wrong here? Every program modifies its memory. Another story is the file on the disk. But from the alert itself it is unclear what the alert means.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I used an older version; that may be the reason.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I have a snapshot with that version, so I used that. May try the latest version later.
     
  8. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi aigle,

    I am nearly sure that OA monitors executable creation already before build 95.
    Please could you check this by taking a look at the advanced options screen.

    Thanks

    Regards,

    MaB
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yes it does, but this older version was bypassed. Anyway it has no importance, as the latest version is not bypassed in any way.
     
    Last edited: Apr 12, 2008
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Is there any thread about this?
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Hi Aigle,

    Thanks for the sample. I've tested it and there's nothing scary about this malware IMO. Yes, it can for some reason create a file in the System32 folder, but after that, all malicious behavior is caught by NG. Like Solcroft said, what's nice about TF is that (if you choose to quarantine the malware) it can roll back all changes to the file system and registry. That's something I would like to see in other HIPS. On the other hand, executables (with associated registry entries) can't do any damage unless they become active in memory.

    Alerts about stuff like "modifying own memory" and "creating (copy) of files in C:\Windows\System32" are not enough to know if a certain app is malware or not. It's perhaps not that common, but I've seen this behavior with quite a few non-malicious apps.
     
    Last edited: Apr 15, 2008
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ Solcroft, were those the only alerts that TF gave? Especially the first one is not that clear to me; what is meant with "Windows System Startup"?
     
  13. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Indeed, in a German computer magazine Comodo lost an essential malware test, therefore ZoneAlarm was rated nr. 1 and Comodo only nr. 2.
    :D :D

    Shark combines all methods of infection (rustock (ads), bifrost (rat), rootkit, firewall bypassing, full kernel unhooking..)
    I am surprised that nobody discussed this.:cool:
     
  14. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Gimme, gimme. Where can this nasty be taken from?
     
  15. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Shark is oooooooold. If it's true that Comodo can't stop this (which I seriously doubt, btw), then it shows how much they're really worth when it comes to real malware.
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I must agree. I got the latest Shark copy lying around here someplace in my RAT zoo collection, and while it used to be gloated over, it's now as old as a sock, and if today's HIPS or otherwise AVs with proactives can't stop this relic then they're just playing around with musical-chairs security IMO.
     
  17. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Is it a RAT, a bot, a spam proxy? Do you know of some writeup (Symantec, Sophos, etc.) about it?
     
  18. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Loool, hey guys, stop PMing me or asking for download requests; search yourself for this most evil RAT tool alive actually :D .:cool:
    I am not willing to break the rules of this board because you become greedy. :D

    Yes, very old; it is so old that Rustock's ADS method is integrated. ;-) Full kernel unhooking, very old... ;-)

    I said hopefully they fixed this, but I doubt it. How should they fix complete kernel unhooking?
    Online Armor seems to be on the brighter side related to this.
     
    Last edited: Apr 12, 2008
  19. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Those techniques have been theoretically available ever since Windows was created. Personally, I have no idea since when they became "Rustock's" methods (at least according to you). Likewise, kernel unhooking and MBR infecting are age-old techniques; they only became the "latest" fads when nicM's tests and Mebroot came to light.

    As for Shark itself, it was created by the same (now defunct) group that wrote Poison Ivy IIRC, another old trojan that used kernel unhooking. They've been around for years, antiquated by today's standards.
     
  20. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Never underestimate old things. Easter, tell me just one remote tool with more features?
    Old is always good because old is proven and effective; never forget that, otherwise MBR & ADS & co. would never have had such a success and impact on the computer world. I know them too, you don't tell me new stuff.
    I know several of them; it is a very old community, and what amazed me is that they are still active and up-to-date. I first thought like you that this scene became morbid, but it is not so long ago that they implemented these ADS techniques.
     
    Last edited: Apr 12, 2008
  21. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    It doesn't have anything to do with features. No matter how exemplary and cutting-edge the code may be for its day, the fact remains that the older a piece of malware is, the more likely it's going to get detected. And missing such an antique would be a very good example of the incompetence of any security program.

    Erm, "success"? What major success did Mebroot achieve, exactly?

    You seem to be confusing success with notoriety. As for how many users it managed to infect, I think it'd be safe to say it ranks far below other current malware ATM. To be honest, Mebroot is nothing new, at least conceptually. Boot sector stealth viruses were a dime a dozen back in the good ol' DOS days.
     
  22. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I tried googling to satisfy my greediness!

    Unfortunately, I was lost in the number of different "sharks" :)

    Maybe you could be kind enough to provide at least more hints to help identify the very "shark" we are talking about? :)
     
  23. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Yes, but GMER started a new hype in 2008, and the fact that it defeated all AVs was another quality, I guess.
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    :rolleyes: :rolleyes:
    Pls DON'T break the rules, keep ur samples with u. Nobody needs anything from u.
     
  25. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    According to Easter it's not worth downloading :D :D :D
     