MBAM hoax?

Discussion in 'other anti-virus software' started by yaslaw, Jun 30, 2011.

Thread Status:
Not open for further replies.
  1. yaslaw

    yaslaw Registered Member

    Joined:
    Feb 27, 2005
    Posts:
    167
    Location:
    Poland
    I would like to point you to this post
    http://www.anti-malware.ru/forum/index.php?showtopic=18301

    According to this post, MBAM detect some files based on their names and path only!
    Member of polish safegroup.pl also confirmed that by creating empty file called svchost.exe in windows directory. MBAM detected it as trojan-agent.

    topic started by him on mbam forum could be find here
    http://forums.malwarebytes.org/index.php?showtopic=88498&pid=447446&st=0&#entry447446

    more info in polish under this link:
    http://forum.safegroup.pl/viewtopic.php?f=44&t=4282&start=0#p113914
     
  2. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    this is known for long time.
     
  3. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,485
    Location:
    Poland - Cracow
    I know this Yaslaw...but thanks for the info in this place. The arguments are clear and this looks like a hoax ... but with such a reputation? What next step MBAM? What comment give you us?
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Interesting... I wasn't aware of this. I need to pay more attention. :blink:
     
  5. LODBROK

    LODBROK Guest

    A good strategy for whatever one does. :)

    Anyhow...
    One would think a svchost.exe file anywhere outside of its proper locations would be suspicious (as C:\WINDOWS\system32, C:\WINDOWS\ServicePackFiles\i386 and C:\WINDOWS\$NtServicePackUninstall$ in XP) and should be detected in some manner. If not tagged as trojan-agent, logical IMHO, then as what??

    If I saw svchost.exe in the root of my C: partition, I'd tag it as WTcensored!!!!

    Looks to me like MBAM is doing its job.

    BTW, there is no such thing as an "empty file."
     
  6. yaslaw

    yaslaw Registered Member

    Joined:
    Feb 27, 2005
    Posts:
    167
    Location:
    Poland
    Indeed it's very sophisticated method to detect files based on it's file name.
    I'm sure that this is 6th generation cloud computing+super duper behavioral sonar system.

    ehhh.. I'm dissapointed by this cheap tricks... for me there is no excuses. It's simply wrong
     
  7. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    Perhaps because non-standard svchost.exes are usually trouble?

    I'm really not understanding what the problem here is.

    If Malwarebytes is a hoax,... then a lot of malware makers are in on it.
     
  8. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    Can you name a situation where a user would legitimately want a fake svchost.exe?
     
  9. yaslaw

    yaslaw Registered Member

    Joined:
    Feb 27, 2005
    Posts:
    167
    Location:
    Poland
    Can you name other av that behave the same way?

    And way it's wrong? I don't trust any security vendor that determine if the file is malicious or not by it's name.
    Imagine that this could happen to legitimate files that are detected only because of this "rules"
     
  10. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    We employ a wide range of strategies and tend to use the hammer that fits the job. Sometimes it is a per download polymorphic infection that is always randomly named, sometimes it is as simple as svchost.exe in a foolish location.

    We do what needs to be done to keep you safe.
     
  11. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    What legitimate files?

    Trojans and other malware commonly install themselves outside of the system folder with legit sounding names, then set up various methods to have them run at system startup. It's great that Malwarebytes can detect these phony files, and it helps people who aren't capable of manually checking autoruns themselves.

    Why does it need to be a fancy method of detection to be valid - when cleaning someone's computer by hand, I'd have removed the obvious fake svchost.exe as well, no matter what size explorer reported it to be.

    Malwarebytes is 100% correct to detect this.
     
  12. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    +1 THIS!!
     
  13. pablozi

    pablozi Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    190
    Location:
    Oudenbosch
  14. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    Avast uses similar techniques (among many other things, of course).
    But it doesn't directly alert on the file - instead, it just flags it as suspicious and optionally submits it to the virus lab for further analysis...

    I think this is actually pretty common these days.
     
  15. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    The only reason to have copies of svchost created by the user is to have a backup in case the real copy gets corrupted or infected. The same logic used in figuring out that svchost is a good file to backup would also dictate that %WINDIR% is a very poor location to put this backup.

    Even in this fictional situation no harm takes place.

    We do what needs to be done. We keep it safe and yes, do not go by 'the book' at times.

    A lifetime license is also not by 'the book', its kind of our thing :)
     
  16. yaslaw

    yaslaw Registered Member

    Joined:
    Feb 27, 2005
    Posts:
    167
    Location:
    Poland
    Vlk with all respect.
    I see huge difference with this approach. To detect a file as a Trojan and to take a prevalence, path, and so on to judge if the file is suspicious or not.
     
  17. yaslaw

    yaslaw Registered Member

    Joined:
    Feb 27, 2005
    Posts:
    167
    Location:
    Poland
  18. m0use0ver

    m0use0ver Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    81
    Maybe all the good softwares use this too some degree.

    Some cry hoax but do not understand the far bigger picture in the malware landscape.

    File pathway detection is just one of many different attack vectors available to the good guys.

    Dose not matter how the file is packed or encrypted..whether it has a million unique MD5's but if its pathway is unique then it is own3d from the moment it is written to disk :D

    Talk about rapid 0 hour protection with that type of foo

    It would be silly not to have as many tools available to get the job done as possible :thumb:
     
    Last edited: Jun 30, 2011
  19. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Not surprised, but Now I see why other vendors have this big problem with False Positives!. Such practices are not recommended
     
  20. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,049
    Location:
    USA
    I wasn't aware of it either. :ouch:

    I have SRP set up to stop any svchost.exe from running that isn't in the correct location so it is not a worry to begin with.
     
  21. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    That was a 2 letter folder name, I would not have signed off on that.

    We are talking about the most commonly used reserved file name in the history of windows malware.

    We have only 2 rules when it comes to detection:

    1. Is it safe?
    2. Does it work?

    Other companies may have additional rules, that is their choice.
     
  22. LODBROK

    LODBROK Guest

    No. That's why I use MBAM Pro! ;)

    I've been following this in other threads also. This C:\svchost.exe has been referred to as empty, fake and dummy and there's all sorts of wailing that MBAM snagged it. I'd break down in laughter (as in ROFL) if all this weren't so pathetic.
     
  23. m0use0ver

    m0use0ver Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    81
    Yeah its odd...Malwarebytes is widely accepted as best in class yet these guys attack it for one of its many methods.

    What gives...it get the job done and real good.

    Are they secretly malware shills ?

    Script kiddys going ape as they keep unloading their toys or maybe even jealous competitors/fanboys.

    Eitherway the end results justify the means as they speak for themselves:thumb:
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Nice approach!! I follow a similar one, but with AppLocker, that in it's good days should work just fine. It isn't without its own glitches. lol

    But, my surprise was more like Does MBAM only verify malware that way?. I mean, if it worked only that way there could be a malicious file replacing the original svchost.exe in C:\Windows\System32\

    MBAM wouldn't beep, at all... considering that that svchost.exe is at the original location? That was my only surprise...

    But, nossirah mentioned:

     
  25. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Ok - and how can you explain that malwarebytes also whitelists just by name, not per hash f.e. ?? If the malware has the "correct" name MWB is blind - that problem exists since years...

    Example:
    - TDSS Sample - detected see attachment 1
    - Same file (see hash) only renamed to taskwitch.exe - MBAM detects it no more. see attachment 2

    So if you really do "what needs to be done to keep users safe", change whitelisting by filenames.;)

    Regards
     

    Attached Files:

Loading...
Similar Threads
  1. bellgamin
    Replies:
    10
    Views:
    780
Thread Status:
Not open for further replies.