Malware encounter log: when have you been attacked/infected?

Discussion in 'other anti-malware software' started by Windows_Security, Dec 30, 2015.

  1. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    Just to get an impression of the actual risk, let's run this thread for a year.

    Please state your malware encounter in the wild. When possible, mention some details of the event (e.g. malware name or action prevented).

    Categories
    ------------------------------------------------------------------------------------------------------------------------
    URL: one of your security mechanisms warned you about a blacklisted website
    MAL: one of your security mechanisms warned you about a blacklisted program
    POP: one of your security mechanisms warned you about a suspicious action/intrusion
    INF: one of your security mechanisms informed you of an infection (post mortem warning)
     
  2. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    830
    Location:
    UK
    This will be difficult since most security products are set to silently block.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    POP - Eset web filter detection:

    12/16/2015 11:53:07 AM HTTP filter file

    http://x1a0ran.blog.com/2012/09/23/writing-backdoors-to-bypass-anti-virus-and-app-whitelisting-for-fun-and-for-profit Win32/Agent.QKN trojan connection terminated - quarantined XXXX\xxx.

    Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.
     
    Last edited by a moderator: Dec 30, 2015
  4. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    Maybe, but let's see how many or how few posts are added in 2016.

    Question: Let's keep this thread "clean" solely for reporting incidents for easy counting (thx itman)
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,775
    Location:
    Texas
  6. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    Posted this in another thread. Since posting it, the zipped .js malware attachment emails have stopped, more than likely because they are completely blocked by the Gmail system at this point. The main point of interest is that malware can be coded directly in JavaScript, and using whitelisting script blockers like NoScript and uMatrix is advisable these days. A modern browser is a JavaScript interpreter, and JavaScript can be used to code malware just like any other programming language.

    https://www.wilderssecurity.com/threads/ransomware-protection.382452/page-2#post-2550955

    My AV just found one piece of malware in the past year. It was an unwrapper for Giveawayoftheday files that carried a trojan, and I should have known better than to download it in the first place. My bad. GOTD is not that great of a giveaway site these days anyway, and it is better to look for free software licenses from giveaway sites that don't use technologies like Therimin to wrap their downloads.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    URL - Emsisoft Anti-Malware Web Protection

    Here's the entire log entry from mid-August.

    Emsisoft Anti-Malware - Version 11.0
    SP log

    Date PID Application Event Detection

     
    Last edited by a moderator: Dec 30, 2015
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    URL & MAL - Eset Web Filter

    12/21/2015 1:18:51 PM htxp://static.uniblue.com/media/spacecleaner/sc-post-script.min.js
    Blocked by PUA blacklist C:\Program Files\Internet Explorer\iexplore.exe 54.182.4.223
    12/21/2015 1:18:51 PM htxp://static.uniblue.com/media/uniblue/loadjscss.js
    Blocked by PUA blacklist C:\Program Files\Internet Explorer\iexplore.exe 54.182.4.223
    12/21/2015 1:18:51 PM htxp://static.uniblue.com/media/uniblue/js.cookie.min.js
    Blocked by PUA blacklist C:\Program Files\Internet Explorer\iexplore.exe 54.182.4.223
    11/5/2015 6:54:37 PM htxp://www. google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=54&ved=0CCoQFjADODJqFQoTCN6dor69-sgCFUSZHgodu3oAiQ&url=htxp://www. nsanedown.com/?news=276335631&usg=AFQjCNF_2jJv1XH59dmdY8wKLk4rXrIEwA&bvm=bv.106923889,d.dmo
    Blocked by internal blacklist C:\Program Files\Internet Explorer\iexplore.exe 2607:f8b0:4009:807::1013
    10/28/2015 6:08:36 PM htxp://www. amtso.org/check-desktop-phishing-page
    Blocked by Anti-Phishing blacklist C:\Program Files\Internet Explorer\iexplore.exe 185.67.201.35
    10/20/2015 9:48:45 AM htxp://tds.finconst.ru/1934G?keyword=Dso+Exploit+Spybot+Patch&charset=utf-8
    Blocked by PUA blacklist C:\Program Files\Internet Explorer\iexplore.exe 46.29.160.147
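The categories defined in the opening post and the ESET web filter entries quoted above lend themselves to a small tally script. The following is an added example (editor's code, not something posted in this thread and not an ESET tool): it parses log lines in the two-line layout shown above into structured records, maps each verdict onto the thread's URL/MAL categories, and collapses several resources blocked from one host in the same second into a single encounter, which is the unit the thread is trying to count. The sample log, its .invalid hostnames and documentation-range addresses, and the verdict-to-category mapping are all assumptions constructed for the example; the parser expects raw log text, not the defanged (htxp, inserted spaces) form in which URLs are posted here.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample log (not a real log from this thread). It mirrors the
# two-line layout of the ESET web filter entries quoted above: a timestamp and
# URL line, then a verdict line naming the blacklist, the process and the
# remote address, or, for a signature hit, the threat name and quarantined file.
# Hosts and addresses are .invalid / documentation-range placeholders.
SAMPLE_LOG = """
12/21/2015 1:18:51 PM http://static.example.invalid/media/a/loader.min.js
Blocked by PUA blacklist C:\\Program Files\\Internet Explorer\\iexplore.exe 203.0.113.10
12/21/2015 1:18:51 PM http://static.example.invalid/media/b/js.cookie.min.js
Blocked by PUA blacklist C:\\Program Files\\Internet Explorer\\iexplore.exe 203.0.113.10
11/5/2015 6:54:37 PM http://search.example.invalid/url?q=x&url=http://warez.example.invalid/
Blocked by internal blacklist C:\\Program Files\\Internet Explorer\\iexplore.exe 2001:db8::1
10/28/2015 6:08:36 PM http://phish.example.invalid/check-desktop-phishing-page
Blocked by Anti-Phishing blacklist C:\\Program Files\\Internet Explorer\\iexplore.exe 198.51.100.35
12/16/2015 11:53:07 AM http://blog.example.invalid/2012/09/23/writing-backdoors
Win32/Agent.QKN trojan connection terminated - quarantined C:\\Users\\u\\AppData\\Local\\Temp\\x.tmp
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (?P<url>\S+)$"
)
BLACKLIST_RE = re.compile(
    r"^Blocked by (?P<list>.+?) blacklist (?P<app>.+?\.exe) (?P<addr>\S+)$"
)
QUARANTINE_RE = re.compile(
    r"^(?P<threat>.+?) connection terminated - quarantined (?P<path>.+)$"
)

# Mapping onto the thread's categories. This is the editor's reading of the
# opening post's definitions, not ESET's own taxonomy: a reputation or phishing
# blacklist hit is a blacklisted *website* (URL); a PUA hit or a named threat
# signature is a blacklisted *program* (MAL). Unknown blacklists default to URL.
CATEGORY_BY_LIST = {"Anti-Phishing": "URL", "internal": "URL", "PUA": "MAL"}


@dataclass
class Encounter:
    when: datetime
    url: str
    verdict: str            # e.g. "PUA blacklist" or "Win32/Agent.QKN trojan"
    process: Optional[str]  # blocking client, if the verdict line names one
    remote: Optional[str]   # remote address, if the verdict line names one
    category: str           # URL / MAL / POP / INF per the thread's scheme


def parse_log(text: str) -> List[Encounter]:
    """Pair each timestamp+URL line with the verdict line that follows it."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    found: List[Encounter] = []
    i = 0
    while i + 1 < len(lines):
        head = HEADER_RE.match(lines[i])
        if not head:
            i += 1  # not a header: skip and resynchronise on the next line
            continue
        when = datetime.strptime(head["ts"], "%m/%d/%Y %I:%M:%S %p")
        verdict = lines[i + 1]
        blk = BLACKLIST_RE.match(verdict)
        qrt = QUARANTINE_RE.match(verdict)
        if blk:
            found.append(Encounter(when, head["url"], f"{blk['list']} blacklist",
                                   blk["app"], blk["addr"],
                                   CATEGORY_BY_LIST.get(blk["list"], "URL")))
        elif qrt:
            found.append(Encounter(when, head["url"], qrt["threat"], None, None, "MAL"))
        else:
            i += 1  # header without a recognised verdict: treat as noise
            continue
        i += 2
    return found


def dedupe(encounters: List[Encounter]) -> List[Encounter]:
    """One page pulling several scripts from a blocked host in the same second
    is one visit, not several encounters: collapse on (time, host, category)."""
    seen = set()
    kept: List[Encounter] = []
    for e in encounters:
        key = (e.when, urlsplit(e.url).hostname, e.category)
        if key in seen:
            continue
        seen.add(key)
        kept.append(e)
    return kept


def tally(encounters: List[Encounter]) -> Dict[str, int]:
    return dict(Counter(e.category for e in encounters))


if __name__ == "__main__":
    raw = parse_log(SAMPLE_LOG)
    unique = dedupe(raw)
    print(f"{len(raw)} log entries, {len(unique)} distinct encounters")
    for e in unique:
        print(f"{e.category} {e.when:%Y-%m-%d %H:%M:%S} {e.verdict}: {urlsplit(e.url).hostname}")
    print(tally(unique))
```

The dedupe step is the part worth keeping: the three uniblue.com hits at 1:18:51 PM above are one page load, and counting them as three would overstate the year's total, which is exactly the objection raised later in the thread about how to count.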
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,048
    Hi Kees

    I am not sure what you are trying to establish, but I have a hunch it will not produce anything meaningful. Who is going to take the time to do this faithfully throughout the year? And then there is how to count. I get a lot of stuff I know is malware, but I never open it, so no count. Then at times I will test the malware against my set up, so I get four artificial detections. Both cases yield invalid data. Then the problem is if no one posts for a while the thread disappears, and I wouldn't recommend constant updating to keep it in the fore.

    I would suggest there are much better sources for this information than this type of thread.

    Pete
     
  10. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    True, as I can't remember the last time I was ever infected. Whatever security products we might use, the thing between our ears is the most important.

    Daniel ;)
     
  11. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    My guess is that most of us prepare for something which is most likely not going to happen. So by only reporting real encounters (not self-initiated tests), the number of posts would reflect the real encounters.
     
  12. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    many years ago (in a non-malware-testing environment)
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    You might want to check out this web site: https://www.hybrid-analysis.com/submissions?page=1
     
  14. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,177
    I get constant web sites blocked in Malwarebytes, but the program doesn't list them in its logs.
     