MBAM hoax?

Discussion in 'other anti-virus software' started by yaslaw, Jun 30, 2011.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Re - SLE's post :thumb: about File Name detection !

    "If" that was the ONLY way malware was detected, by MBAM or Any other vendor, then that would be a disaster & lame :p But from what nosirrah has stated, it's just one out of various methods for detection, & an easy/quick one.

    When malware is actually running, if that was the ONLY method, then on its own ANY Anti...... would be useless in dealing with ALL the other files that get loaded etc.

    So, yes it's a concern & initially alarming, but there is obviously more to it than just a one trick pony ;)
     
  2. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    I'm not talking about detection by filename, I'm talking about non-detection only because of renaming to a whitelisted file... That's not a serious approach, because there are other ways to identify and whitelist known clean files.
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ SLE

    I see the distinction between the two ;) Sorry for overlooking it.

    But MBAM should still detect/stop it etc if it tried to run, surely? Obviously if it had it in its database!
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    If you think about it, you'll come to the conclusion it's 100% stupid not to detect a malicious file, just because you renamed it, isn't it?

    So, the question is: Why not compare by hash? It sure is a lot better than file names. o_O

    If I make a relative use MBAM, should I tell my relative to first run the file and with luck MBAM will stop it? This takes a person's faith to a whole new level. :eek:
     
  5. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Give real situations where someone has had an important file of theirs deleted by MBAM based on filename alone. As others have said, empty svchost file if it's not digitally signed, in the right location, named as a system file currently running (no one will ever save a personal document called this as it's not a common term or word), created recently etc. Should be detected and removed straight away.

    Even just a text file could be used to store logged keystrokes etc.
    Anyone even aware how google first started retrieving accurate results? Look into it. Many POS low end computers running out of a small space. It worked well, no different than searching today.
     
  6. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    It all depends on the method. Surely you can understand that there are so many variants of each type of malware, that it's too much to ask for there to be a hash for each and every one in the database?

    They must be doing something right on this system, when it caught a TDSS dropper as part of a fake.HDD package:
    c:\Users\xxxx\AppData\Local\Temp\Low\ba9ff1f5.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.

    I doubt changing the file name would have altered that detection.

    Why would you think they would only use a single method of detection?

    If that were the case, Malwarebytes wouldn't be much use for the rootkits it was shown to be effective on in this recent paper:

    Comparitive Analysis of Rootkit Detection Techniques, May 2011:
    http://sce.uhcl.edu/yang/research/A Comparitive Analysis of Rootkit Detection Techniques.pdf

    Rustock, Black Energy, and even Zeus/Zbot.
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    But, why are you folks narrowing this down to a svchost.exe file only?

    There are way too many different names for a single file spread in websites. If MBAM is able to catch one based on the file name, when the user runs an on-demand scan with the free version, it's OK. But, what if the user downloads the same file with a different name? MBAM no longer will detect the same file, because it has a different name?

    If that's how it rolls...
     
  8. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Re:SLE & M00nbl00d posts

    Saraceno, what do you think about the non-detection because of a whitelisted exe name?
    I just d/l'ed a random popular PC game keygen.exe by P2P and an on-demand scan by MBAM (free version) gave me a 'Trojan downloader' warning.
    After renaming 'keygen.exe' to 'Taskswitch.exe', a subsequent MBAM scan didn't give a peep.
    Surely renaming malware to whitelisted program names should not be enough to defeat an AM program?

    p.s. not meant as 'hoax' fodder, just a serious question.
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I'm not really demanding anything. Just mere curiosity to know whether or not there's more to it than simply name verification. Which would be stupid, IMHO.

    But, that means that MBAM was able to detect it... perhaps by verifying the path and file names, as someone already mentioned? I'm just asking, not affirming, by the way.

    I don't think anything (regarding whether or not it only uses one or more methods). I'm just curious... :p

    I can't comment on the paper, as I haven't read it. But, I will. Thanks. :)
     
  10. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Well it could be about any system file. The filename of 'svchost.exe' is commonly chosen for trojans so as to slip into the process list unnoticed, as even competent users mightn't notice anything amiss when they look at the task manager.

    Other system files can be chosen for the same reason. Put any system file into a database like Threatexpert or Systemlookup, and you'll see countless trojans/worms that mimic them.

    For this reason you can see that it's a very good thing that Malwarebytes will find these. If it didn't, I'd probably want a separate tool to automate the task! ;)

    At the very least, there must have been code within the file that matched some kind of pattern. It's possible they might have a grading method that marked it as extra-suspicious due to the randomness of the filename, but this would still need to be a detection primarily based on the file itself IMO.

    Only Malwarebytes themselves (and possibly Iobit) will know how their detections work, but it won't be to their advantage to give it all away. The real world results are what matter.

    Yeah it's quite a good read, and worth going back to. It certainly highlights why it's better to get at rootkits by mounting the HDD offline, but people have been doing that for years anyway.
     
  11. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Sure is a quick and lazy way of detection, but that creates false positives and negatives.
     
  12. Shadowwar

    Shadowwar Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    305
    Thank you for pointing out about the whitelisted taskswitch. This will be fixed shortly in the next database update.

    This was very early tech that was used. This is being phased out and a lot of new tech is coming online in the next few versions to replace it.
     
  13. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Re: SLE & M00nbl00d posts

    Just did the same with a Zeus variant, and as you say this defeats protection :/

    Detected before no matter what I called it (e.g. fluffybunny.exe), but naming it taskswitch.exe leads to no detection. That is pretty serious, the whitelisting by filename needs to be scored lower than other checks.

    Calling it svchost.exe still gives detection as Zeus though ;)

    Thanks Shadowwar, hope to see this fixed soon.
     
  14. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Good to hear.
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    So, just related to the taskswitch.exe name? Glad to know it's going to be fixed. ;)
     
  16. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Ok, thanks. The problem should have been known to you at MWB since at least 2009.
    But you know how it's coded in your program and you know that it's not only taskswitch.exe ;) and your filename whitelist is larger. So please fix the whole thing - I'll recheck.
     
  17. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Re: SLE & M00nbl00d posts

    Good to see you mentioning this removed the whitelisting.

    I'm not saying I don't believe other technologies are used, because they obviously are. But let's say, they weren't, and the naming of a file was the only way used.

    Although it doesn't sound technologically advanced, it's still quite effective for the majority of users who have Windows stock standard, office, firefox, IE and some mp3s. If by chance they had 'keylogger.exe' or 'keygen', then surely it's a file that's A) been downloaded from the net B) isn't wanted/desired by the user. I mean, who would name their resume or uni assignment keygen?

    To show other methods are used by MBAM, poster below has already put this to rest:

    Best part of MBAM, developers watch threads like this, and improve their program right away. Other programs can sit stale for years on end. But I agree with you Baserk, I'd be disappointed if it was the only technology used in the program.
     
    Last edited: Jul 1, 2011
  18. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Out of curiosity to see if my AV alerted to a renamed nasty, I tried it with the FU RK. Disabled Avira whilst I renamed it & put it in a new folder, & re-enabled Avira & opened the NF.

    [attached screenshot: fu.gif]

    Obviously heuristics etc detected it :thumb: I "presume" & would hope/think that MBAM would have something similar ?
     
  19. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Update:
    Ok, for taskswitch.exe you removed the whitelist entry, but you have not removed the issue at all. MBAM whitelists files by name (search for WHITE= in process memory...), so if malware has this name you have no detection. So please be honest, don't try to fool your users with that and fix the real issue (the complete filename whitelist)!
    If I post the next example, will you then again only remove that one from the whitelist, or will you begin to solve the real problem behind it?
    __

    When filenames/part of names combined with paths are used for detection it's no great thing - but for whitelisting single filenames are a big problem.
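    Added example (not code from the thread and not Malwarebytes' own logic): a small scanner model that puts the three design points raised above side by side. Saraceno's path-plus-name heuristic (a system file name outside the system directory, unsigned, recently created), RJK3's point that a name whitelist must be scored lower than other checks, and SLE's distinction between using names for detection and using bare names for whitelisting. The signature pattern, the whitelist entries, the score weights and the threshold are all constructed for illustration; `signed` is taken as a given attribute, no Authenticode verification happens here. The `name_whitelist_scan` function reproduces the weak design (a whitelisted name skips every other check), `hardened_scan` whitelists by content hash first and lets the name only nudge a heuristic score, and `rename_experiment` repeats the thread's rename test against both.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass
class FileInfo:
    """A scanned file with the attributes the thread's heuristics rely on."""
    name: str          # file name as stored on disk
    directory: str     # containing directory
    data: bytes        # file contents
    signed: bool       # assumed: a valid code signature is present (not verified here)
    age_days: int      # days since creation


# Constructed content signature standing in for a real definitions database.
CONTENT_SIGNATURES = {
    "Trojan.Sample": re.compile(rb"CONSTRUCTED_TROJAN_MARKER"),
}

# Constructed name-based whitelist: the scheme criticised in the thread.
NAME_WHITELIST = {"taskswitch.exe", "scientificcalculator.exe"}

# Constructed clean program and a whitelist keyed by its SHA-256 instead of its name.
CLEAN_TASKSWITCH = b"MZ clean task switcher (constructed)"
HASH_WHITELIST = {hashlib.sha256(CLEAN_TASKSWITCH).hexdigest()}

# Names malware borrows to hide in the process list, and where they belong.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def content_match(f: FileInfo):
    """Return the signature label if the file's bytes match a known pattern, else None."""
    for label, pattern in CONTENT_SIGNATURES.items():
        if pattern.search(f.data):
            return label
    return None


def name_whitelist_scan(f: FileInfo) -> str:
    """Weak design: a whitelisted file name short-circuits every other check."""
    if f.name.lower() in NAME_WHITELIST:
        return "clean"
    return content_match(f) or "clean"


def path_name_score(f: FileInfo) -> int:
    """Heuristic from the thread: a system-file name outside the system directory,
    unsigned and recently created, is suspicious. A whitelisted name only lowers
    the score; it never decides the verdict on its own (constructed weights)."""
    score = 0
    if f.name.lower() in SYSTEM_NAMES and f.directory.lower() not in SYSTEM_DIRS:
        score += 40
    if not f.signed:
        score += 20
    if f.age_days < 7:
        score += 10
    if f.name.lower() in NAME_WHITELIST:
        score -= 20
    return score


def hardened_scan(f: FileInfo, threshold: int = 60) -> str:
    """Whitelist by content hash, then match signatures, then apply the heuristic."""
    if hashlib.sha256(f.data).hexdigest() in HASH_WHITELIST:
        return "clean"
    label = content_match(f)
    if label:
        return label
    if path_name_score(f) >= threshold:
        return "Suspicious.PathName"
    return "clean"


def rename_experiment() -> dict:
    """Repeat the thread's rename test on a constructed sample with both scanners."""
    payload = b"MZ ... CONSTRUCTED_TROJAN_MARKER ..."
    temp = r"c:\users\xxxx\appdata\local\temp"
    results = {}
    for name in ("fluffybunny.exe", "taskswitch.exe", "svchost.exe"):
        f = FileInfo(name, temp, payload, signed=False, age_days=0)
        results[name] = (name_whitelist_scan(f), hardened_scan(f))
    return results


if __name__ == "__main__":
    for name, (weak, strong) in rename_experiment().items():
        print(f"{name:18} name-whitelist: {weak:15} hardened: {strong}")
```

    Running it shows the weak scanner reporting the sample as clean only when it is called taskswitch.exe, while the hardened scanner gives the same verdict under every name. The hash whitelist also still recognises the constructed clean program after it is renamed, and a signed, old copy of a system file in a backup folder (qakbot's backup scenario) stays under the threshold, so the heuristic alone does not produce that false positive.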
     
  20. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    560
    Location:
    Cummington MA USA
    Malwarebytes is a small fish when compared to the total security industry, so any attempt to exploit this would not have any tangible gains for them. Malcoders concentrate on bypassing as many security applications as possible, and as a result things like new custom packer technology are what we actually see. Creating static path malware in all likelihood would only increase the overall chances of their new malware being detected, so this simply would not happen.

    That being said this is an older technique that is being phased out.
     
  21. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Re: SLE & M00nbl00d posts

    The issue is that if a user were to download a file named f.i. 'Scientificcalculator.exe', it depends on the whitelist it seems, whether it will go through detection routines or not.
    An .exe file having a 'normal'/whitelist name, should not have such definitive meaning at all, as any file can be named 'normal'/'pick-a-whitelist-example-name'.

    MBAM does take notice of threads/posts here indeed (as already has been shown in this thread also), so I am also pretty sure, this will be resolved quickly.
    -edit; Actually, as nosirrah writes above, it's being worked on.
     
  22. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Just a moment ... I'm blind? ... I dreamed? ... I don't see posts about advanced "file name heuristic" :eek:
     
  23. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    Malwarebytes has long used very aggressive tactics that are highly FP-prone to detect malware. That's how they've made a name for themselves, detecting stuff that most established vendors don't. But if you dig deep into the product, there are lots of sillinesses like this.

    They used to have a forum where you can view false positives. If you browse through that you will see a number of such "hacks".

    Svchost.exe outside the windows folder. Hmmm. I wonder what would happen if you have taken a backup and legitimately have another copy in another folder ?

    That's why I much prefer Norton Power Eraser over MBAM any day. It uses aggressive techniques, as they say on their website, but a lot more intelligent.

    In the world of security software, if Malwarebytes really did have a silver bullet that was responsible for their "stellar" detection, wouldn't you think one of the big boys would have gobbled them up by now? I think the reason is that the big boys analyzed what tricks they were up to and came to the conclusion that if they adopted these techniques in the main line product, chances were pretty good they would have a McAfee-style FP fairly soon.
     
    Last edited: Jul 1, 2011
  24. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    560
    Location:
    Cummington MA USA
    Nothing, as this is what a user wanting to make a legit backup does. Put the copy in root or appdata and yes, it will be detected.
    The few FPs reported on our forum are caused by odd build structures in 3rd party software where location and file name are irrelevant.

    Google for Power Eraser and false positives, I'll let the results handle this one.

    This implies that we would just say yes to any offer which is not the case. If we were in it for the money we would charge more and a renewal fee.

    I am not sure how this does anything but refute both points you are trying to make. The cause of what you brought up was the combination of AV heuristics and no hard coded protection of OS files. To answer your question here, there are 0 chances of this FP happening to us. We would either catch it in QA or the app itself would refuse to destroy svchost.


    Malwarebytes is not an AV and does use some non-AV tactics. Why is everyone hung up on 'the book' when 'the book' failing is the only reason we were able to create this company to begin with? If 'the book' was so great the help forums would not be flooded with people using software that goes by 'the book' having failed them.
     
  25. carat

    carat Guest

    Several months ago MBAM detected an empty C:\A folder as malware :D Detection by filename/directory name is ridiculous IMO :doubt:
     