mamutu VS the four virus of king

Discussion in 'other anti-malware software' started by baerzake, Mar 12, 2008.

Thread Status:
Not open for further replies.
  1. baerzake

    baerzake Registered Member

    Joined:
    Aug 18, 2007
    Posts:
    44
First, I am sorry for my poor English; I can't translate my post to English. Someone messaged me to post the test about Mamutu. I tried to translate it using Google, so it may have many mistakes.

    Test samples: 1, sample source

    ~Links removed. No links to malware or possible malware are allowed on the forums. - Ron~

    test1

    virus name:panda

Mamutu carcass was hidden virus installation (pic 1-3).

Now we allow the operation of invisible install, and check whether Mamutu can block it or pass.

Well done, Mamutu alarms that the virus tries to create an autorun (see pic 4-5). This is a typical behaviour of a virus.
     

Attached Files: 1.jpg, 2.jpg, 3.jpg, 4.jpg, 5.jpg
    Last edited by a moderator: Mar 12, 2008
  2. baerzake

    baerzake Registered Member

    Joined:
    Aug 18, 2007
    Posts:
    44
    test2

    virus name:xiaohao

Mamutu carcasses at the same installation of hidden Xiao-hao.

    6.jpg

Let's allow the invisible install; now I find Mamutu has no reaction :gack:, the virus runs successfully.

    7.jpg

    8.jpg

Mamutu can block the virus at the first alarm, but Mamutu will be bypassed if you allow the invisible install. But hidden installation is a typical behavior of Trojan horses, so I think Mamutu carcasses or successfully intercepted Xiao-hao.
     
    Last edited: Mar 12, 2008
  3. baerzake

    baerzake Registered Member

    Joined:
    Aug 18, 2007
    Posts:
    44
    test3

    virus name:drives monster

Also invisible install (pic 1-2).

Allow the invisible install; we can see that lsass.exe wants to install invisibly. We can easily find that this lsass is a virus file because it has the wrong file path. (pic 3)

    Successful interception, floppy drives are KO
     

Attached Files: 9.jpg, 10.jpg, 11.jpg
    Last edited: Mar 12, 2008
  4. baerzake

    baerzake Registered Member

    Joined:
    Aug 18, 2007
    Posts:
    44
    test4

    virus name:crazy robdog

Mamutu carcasses reported on the first step to amend other processes; this is a dangerous behaviour and needs to be blocked. (pic 1)

And robdog will create an autorun entry when I allow the first step. Typical trojan behaviour. (pic 2)


    Successful interception, the dog was KO

From the above four simple tests, Mamutu's virus interception capabilities are beyond my expectations, even 100% successful. It seems Mamutu is a worthwhile behaviour-based software.
     

Attached Files: 12.jpg, 13.jpg
    Last edited: Mar 12, 2008
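Two of the behaviours the four tests above turn on, a new autorun entry and a system process name such as lsass.exe running from the wrong path, can be checked offline from before/after snapshots. This is an added example, not code from the thread or from Emsisoft; the Run key, paths and process list are constructed sample data, and it does not cover the process-manipulation case of test 4.

```python
from typing import Dict, List, Tuple

# Directory of the genuine lsass.exe; the names below are system processes whose
# names malware commonly borrows (lsass.exe is the one test 3 caught by its path).
SYSTEM32 = "c:\\windows\\system32\\"
SYSTEM_PROCESS_NAMES = {"lsass.exe", "csrss.exe", "svchost.exe", "services.exe", "winlogon.exe"}

AutorunKey = Tuple[str, str]  # (registry Run key, value name)


def normalise(path: str) -> str:
    """Lower-case and use backslashes so paths compare the way Windows treats them."""
    return path.replace("/", "\\").lower()


def masquerading_system_process(name: str, path: str) -> bool:
    """True when a system-process name is running from outside System32 (test 3)."""
    if name.lower() not in SYSTEM_PROCESS_NAMES:
        return False
    return not normalise(path).startswith(SYSTEM32)


def new_autorun_entries(before: Dict[AutorunKey, str], after: Dict[AutorunKey, str]) -> Dict[AutorunKey, str]:
    """Run-key values added or changed between two snapshots (tests 1 and 4)."""
    return {key: cmd for key, cmd in after.items() if before.get(key) != cmd}


def triage(before: Dict[AutorunKey, str], after: Dict[AutorunKey, str],
           processes: List[Tuple[str, str]]) -> List[str]:
    """Human-readable findings; processes is a list of (image name, full path)."""
    findings = []
    for (run_key, value), cmd in new_autorun_entries(before, after).items():
        findings.append(f"new autorun: {run_key}\\{value} -> {cmd}")
    for name, path in processes:
        if masquerading_system_process(name, path):
            findings.append(f"system process name outside System32: {path}")
    return findings


# Constructed sample data standing in for registry and process snapshots taken before
# and after letting a sample's "invisible install" proceed (hypothetical paths).
RUN_KEY = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
BEFORE = {(RUN_KEY, "SecurityHealth"): "C:\\Windows\\System32\\SecurityHealthSystray.exe"}
AFTER = {**BEFORE, (RUN_KEY, "lsass"): "C:\\Users\\test\\AppData\\Local\\Temp\\lsass.exe"}
PROCESSES = [("lsass.exe", "C:\\Windows\\System32\\lsass.exe"),
             ("lsass.exe", "C:\\Users\\test\\AppData\\Local\\Temp\\lsass.exe")]

if __name__ == "__main__":
    for line in triage(BEFORE, AFTER, PROCESSES):
        print(line)
```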
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Bearzake

    Thanks for posting. Your English is way better than my Chinese ;)
     
  6. the_sly_dog

    the_sly_dog Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    297
    Location:
    The Heart Of London
    Bearzake thank you for taking the time to do this test very well done indeed keep up the great work :thumb: :thumb:
     
  7. beetlejuice69

    beetlejuice69 Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    780
  8. baerzake

    baerzake Registered Member

    Joined:
    Aug 18, 2007
    Posts:
    44
Thank you all guys ^_^
But I found Mamutu has some weakness: the self-protection of Mamutu is not very good.
     
  9. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Well-worded, I tested a-squared Anti-Malware against oldie DFK Threat Simulator v2 a few months ago.
    Dead on arrival, only an infected adulteration was left behind.

    I posted my test in the german section of Emsisoft forums, no reply up to today.
    There seems to be room for improvement.

    Cheers
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
What does invisible install by Mamutu mean?

    I wonder how well TF and PRSC will stand against these viruses.
     
  11. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi,

    If I remember correctly, on the same forum where Baerzake published his report,

TF passed all four, same result as Mamutu, while

    PRSC(or NAB) failed two of four.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks Perman.
     
  13. Sportscubs1272

    Sportscubs1272 Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    340
    So A-Squared Anti-Malware would be able to block the same threats? I know it shares the same technology with Mamutu.
     
  14. emsisoft

    emsisoft Security Expert

    Joined:
    Mar 12, 2004
    Posts:
    312
    Location:
    Nelson, New Zealand
    The self protection has been significantly improved in version 1.5 that was published a few weeks ago. Could you please run another test like the one mentioned?

    I'm sorry that you didn't get a timely reply in our forum. Which thread do you mean?
     
  15. baerzake

    baerzake Registered Member

    Joined:
    Aug 18, 2007
    Posts:
    44
    good news
     
  16. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
Create auto-start entry, invisible install, manipulate other process:
it is commonly seen and can be covered by any HIPS. You will see a prompt if the HIPS is noisy, asking you whether to allow this unknown exe; any action that may change a system key point or dangerous behavior is notified.
     
  17. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    http://forum.emsisoft.com/Default.aspx?g=posts&t=2929

    Well, this is not easy to understand, because I remember your reply at Rokop Security about two months ago.
    I assume that was you.
    http://www.rokop-security.de/index.php?s=&showtopic=15829&view=findpost&p=226756

    As everyone can come round to another opinion, that's not an issue.
    An issue for every security program is a weak self protection, in my opinion.
If there are improvements, I'll be the first to acclaim such development.
    Unfortunately baerzake's statement about mamutu's self protection was of a different opinion.

    Cheers
     
  18. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Mamutu:thumb:
     
  19. s4u

    s4u Registered Member

    Joined:
    Oct 24, 2007
    Posts:
    441
    why is mamutu so good. What makes it better?
     
  20. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
For now, it has done well in the tests I have seen, it is very easy to set up and maintain, especially with Intelligent Alert Reduction checked. It knows how to make most choices for you, compared to Threatfire. And the combo with Sandboxie and Avira is running very fast, since everyone here makes this a big deal. Is it the best? No. Is it good and getting better with a good support team? Hell yes.;)
     
  21. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
There are better products for free. I tried A-Squared real time mode and it used 62K of memory. No need for such a big footprint. Comodo and OA can do the same for free. I also use Avira with all files selected.
     
  22. baerzake

    baerzake Registered Member

    Joined:
    Aug 18, 2007
    Posts:
    44
Intelligent alert reduction mode will reduce the detection quality almost 50% when I test :oops:, I don't recommend using this mode; community-based mode is the best to use for average users.
     
  23. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    thanks
     
  24. baerzake

    baerzake Registered Member

    Joined:
    Aug 18, 2007
    Posts:
    44
Wow, I found the self-protection of Mamutu has already improved right now:thumb:
But it is still not perfect. See the test pics.
TEST1

Use "taskkill" to terminate the process of Mamutu. We can see that Mamutu is good, taskkill can't terminate the process.

    Snap1.jpg

    TEST2

Use Advanced Process Terminator to terminate the process of Mamutu. We can see the process is not terminated by user-mode and crashing. Well done:thumb:

    2.jpg

And second, I try to terminate it by APT's kernel-mode; this mode uses the driver to terminate the process. We can see that Mamutu alarms on the kernel-mode test, that is good:thumb:
    3.jpg

BUT the weakness of Mamutu's self-protection is the process "mamutu.exe".
It can be terminated by APT's user-mode, which is dangerous. The most important of all is that Mamutu is dead when mamutu.exe is terminated; a2service is still running but without any reaction.:thumbd: We can see that a2service.exe can be terminated by kernel-mode with no alarm after mamutu.exe has been terminated.
    5.jpg

    6.jpg
     
  25. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Hi,

    I tested Mamutu against the TrojanSimulator, which is recommended by Christian Peters in this thread:
    http://forum.emsisoft.com/Default.aspx?g=posts&t=2939

    Mamutu 1.5.0.22 passed this test as you can see:

    tsim.png

    Therefore it should work as expected.
    Then, logged in as admin, I tried to end mamutu.exe in Windows Task-Manager, which can be done easily.
    Afterwards (only a2service.exe is running) the TrojanSimulator can install its trojan server TSServ.exe without any interrupts by Mamutu.

    BTW the Mamutu Service runs apparently as an ordinary service, as far as I can see the only protection is to restart if it fails.
    Simple run "net stop mamutu" and it will not restart again.
    This works even if Mamutu (mamutu.exe) is running, "net stop mamutu" kills both processes (mamutu.exe and a2service.exe).

These findings are of course meaningless related to a "real malware attack", but give a little impression of the general self protection, in my opinion.

    Cheers
     