MRG Rogue Software Test

Discussion in 'other anti-malware software' started by LoneWolf, Aug 16, 2009.

Thread Status:
Not open for further replies.
  1. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    The main Q is, is the result the same on the specific test samples used (verified in an unpublished test) or just generally in tests?
     
  2. littlebits

    littlebits Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    262
    Could the Admins and Mods check this member's IPs? I bet he is from Greece, if not using proxies to hide his ID.

    Well anyway, he was a trouble-making member from SSUpdater and has more than a few screws loose. He was a supporter of our site and eventually got Moderator. Anyway, he was a complete trouble maker spreading false lies and causing other members to get into disputes.

    I tried to work with him and he would not change his ways. He made over 10 different user accounts and started to spam our forum with false lies.

    I eventually had to ban all of his IPs from Greece to get rid of him.
    He has never got over getting banned from SSUpdater; now he is doing the same thing here on Wilders, making his first post under a different user name in order to spread more lies and cause disputes.

    Please ban this member from Greece and check for multiple user accounts.

    Because if this member is from Greece, then you will know who is telling the truth.

    Good Day.:D
     
  3. Sveta MRG

    Sveta MRG Registered Member

    Joined:
    Aug 16, 2009
    Posts:
    209
    I meant in this specific test with this methodology used, the result would be the same.

    Regards,
    Sveta
     
  4. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    If it's methodology, the problem is that IS uses deeper emulation on execution and chances are it would catch the samples based on that function, which isn't present in KAV (well, not used in the same way), as it can only use a smaller amount of emulation.
    (P.S. still getting redirected to "Cure"/graphic.php... wondering why? ;))
     
  5. Sveta MRG

    Sveta MRG Registered Member

    Joined:
    Aug 16, 2009
    Posts:
    209
    The truth is we tested both AV and ISS, and the result was the same; we always do that in unofficial tests. We have tested many more applications, we just didn't get the chance to publish the results yet.

    You can't access the site?
     
  6. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    That's what I wanted to verify, it's not the method but the samples used. :)

    I don't know why (too lazy to investigate), but I'm always presented with http://malwareresearchgroup.com/graphic.php , some kind of TOS/EULA, but nothing that I can see to "verify" myself as a non-bot (captcha, etc.). :p
     
  7. Sveta MRG

    Sveta MRG Registered Member

    Joined:
    Aug 16, 2009
    Posts:
    209
    It can be the Project HoneyPot; we use it because of the problem with spammers (like the one who started this whole mess). They are a bit too aggressive, so they might have your IP flagged by mistake. You can contact them and check; if that is the case they will unblock it ASAP.

    Regards,
    Sveta
     
  8. Criss

    Criss Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    186
    I am also having the same problem as you. :mad: Don't know why that happens.
     
  9. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Hi Sveta,

    Can you explain how HIPS got bypassed? When you said that the rogue was able to install... do you mean that the rogue's pop-ups were able to transpire, or do you mean that the rogue's pop-ups were not able to transpire but malware traces were still installed in program files/program data and a few registry key entries?

    Thank You

    Toby
     
  10. Sveta MRG

    Sveta MRG Registered Member

    Joined:
    Aug 16, 2009
    Posts:
    209
    In this case HIPS didn't react as the files were suspicious; you would normally get a pop-up window saying that the file is malicious, unknown or untrusted (attempting to do this or that)... but that simply didn't occur, so the applications were able to install with no problems.
    I was surprised that COMODO's D+ didn't react to the files it failed to block. Online Armor ++ is another story and you will find out about it pretty soon.

    Regards,
    Sveta
     
  11. ssj100

    ssj100 Guest

    I think the reason D+ didn't react is because the apparent "rogue" software is actually safe software mate - that is, Comodo have added it into its white-list.

    Can you please give me the programs of the "rogue" software that bypassed OA and Comodo? I want to verify that they are genuine "rogue" software. As you implied in a previous post, some of these "rogue" software were in the gray zone (and I suspect they aren't "rogue" software at all mate). Thanks very much.
     
  12. Sveta MRG

    Sveta MRG Registered Member

    Joined:
    Aug 16, 2009
    Posts:
    209
    Files were already sent to the vendors and got mixed opinions as feedback: some say malicious, others gray area.
    I would wait a bit before I share the files, as I am still getting various opinions from malware researchers. I will post everything a bit later in our forums, as I do not wish to post any links to rogues here.

    Regards,
    Sveta
     
  13. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Oh, you mean kind of like Max Zorin/Retadapuss and whatever other accounts that member made to do the exact same thing here?... :cautious: :rolleyes:
     
    Last edited: Aug 19, 2009
  14. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Max_Zorin appears to have been deleted from Ssupdater.com's forum. No fancy title of VIP, no posts. 21:15 gmt.

    Strangely, 212eta seems to be saying exactly the things Max_Zorin said on the website yesterday lol.
     
  15. ssj100

    ssj100 Guest

    I see mate, but there's just no way a classical HIPS (like Comodo's Defense+) will be bypassed by a simple piece of rogue software. Unless it had some wicked mechanism to get past the initial execution alert of the classical HIPS (and I've only seen this with a few POCs, which have since been fixed, and not genuine malware programs), it's just impossible that the HIPS doesn't give a pop-up.

    So the reasons for Defense+ getting bypassed by rogue software would be either:
    1. The rogue software has some amazing mechanism that allows it to be executed undetected by the classical HIPS

    or

    2. The rogue software is not rogue software, and is in fact a genuine program, which has been added into the classical HIPS' white-listing database.

    Hope to get those samples soon.
     
  16. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    The program could seem like a rogue if it's a dead project or incomplete, in other words "vaporware", but it doesn't mean it's ACTUALLY a rogue out to get your money and provide ZERO functionality. So that could be one reason it wasn't detected, because it could be whitelisted.
     
  17. Sveta MRG

    Sveta MRG Registered Member

    Joined:
    Aug 16, 2009
    Posts:
    209
    I didn't say that I disagree with you; with gray area software there is always a chance that some applications will be flagged as safe by some but flagged as unsafe by others. I am positive that that is the case with COMODO and D+, but like I said, I wasn't the one who put these applications on the rogue software list.
    I believe that HIPS is one of the most advanced and most aggressive methods of prevention/detection; it wouldn't be pretty if they missed easy targets like these, so it has to be something else.

    Regards,
    Sveta
     
  18. ssj100

    ssj100 Guest

    Sure thing mate. It sounds like you need to get a more reliable list of "rogue" software next time haha.
     
  19. Sveta MRG

    Sveta MRG Registered Member

    Joined:
    Aug 16, 2009
    Posts:
    209
    Not posting any links, but this one should be the most reliable one. But like I said, gray area is gray, not white, not black, somewhere in the middle, so that is what makes it hard to detect ;)

    Regards,
    Sveta
     
  20. ssj100

    ssj100 Guest

    Well mate, I guess the fact that Comodo have white-listed the programs means that based on their research, these programs are not "malware".
     
  21. Sveta MRG

    Sveta MRG Registered Member

    Joined:
    Aug 16, 2009
    Posts:
    209
    Yes, but that was what COMODO did; let's see the others, shouldn't take long ;)
     
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    One of the main reasons why a rogue may get past a HIPS is that it may literally not do any malicious things on the system besides try and socially engineer money from the user. A HIPS isn't going to warn if a program just displays red text, but many users are gullible and it isn't easy trying to prevent people from being gullible (a word, by the way, which when pronounced slowly, sounds like "Green Bell").
     
  23. ssj100

    ssj100 Guest

    Dude, why do you seek to cloud the issue haha.

    You of all people will know that the rogue will not get past a HIPS unless it's been white-listed, and therefore deemed safe. A classical HIPS will always give (at least) an initial execution alert for any program that tries to run (unless it's been white-listed).
     
  24. ssj100

    ssj100 Guest

    Let's not forget false positives for those black-listers/behaviour-blockers.
     
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Do classical HIPS today really warn on every new execution? o_O That sounds more like anti-executable software than protection that should be compared against other products. You couldn't say that a program that blocks every non-whitelisted program has passed a detection test, because that would be 100% user dependent :doubt:
     
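The two positions argued in the last few posts (ssj100's: a whitelisted program runs past a classical HIPS with no execution alert; PrevxHelp's: a rogue that only displays scary text gives a behaviour-based product nothing to alert on, and a product that alerts on every execution leaves the verdict to the user) can be laid side by side in a small model. This is an added example, not code from the thread, from MRG, or from any vendor mentioned; the program names, image bytes and the list of "sensitive" actions are constructed for illustration, and treating a whitelisted image as fully trusted is a modelling assumption.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed example. The actions a behaviour blocker would alert on:
# a hypothetical list, not any product's real rule set.
SENSITIVE_ACTIONS = {"write_autorun_key", "inject_process", "install_driver", "modify_hosts"}


@dataclass
class Program:
    name: str
    image: bytes                                  # stand-in for the executable's bytes
    actions: list = field(default_factory=list)   # what it does after launch


def image_hash(program: Program) -> str:
    """Identity used for whitelisting: SHA-256 of the image bytes."""
    return hashlib.sha256(program.image).hexdigest()


def classical_hips(program: Program, whitelist: set) -> list:
    """Classical HIPS as described in the thread: an unknown image gets an
    execution alert before anything else, then one alert per sensitive action.
    A whitelisted (trusted) image is assumed to run silently; that assumption
    is what ssj100's argument rests on."""
    if image_hash(program) in whitelist:
        return []
    alerts = [f"execution of {program.name}"]
    alerts += [f"{program.name}: {a}" for a in program.actions if a in SENSITIVE_ACTIONS]
    return alerts


def behaviour_blocker(program: Program) -> list:
    """Behaviour-only policy: the launch itself is not an event, only
    sensitive actions are. A rogue that only shows red text produces nothing."""
    return [f"{program.name}: {a}" for a in program.actions if a in SENSITIVE_ACTIONS]


def compare(programs: list, whitelist: set) -> dict:
    """Run both policies over every sample and report what the user would see."""
    return {
        p.name: {"hips": classical_hips(p, whitelist), "bb": behaviour_blocker(p)}
        for p in programs
    }


def decisions_required(results: dict, policy: str) -> int:
    """Prompts a policy pushes onto the user across the whole sample set:
    PrevxHelp's 'user dependent' objection as a single number."""
    return sum(len(r[policy]) for r in results.values())


# Constructed samples (names and bytes invented for the example).
SCAREWARE = Program("FakeScanner", b"constructed-image-1",
                    ["show_red_warning_text", "open_payment_page"])
PERSISTENT = Program("FakeScanner2", b"constructed-image-2",
                     ["show_red_warning_text", "write_autorun_key"])
GRAY_TOOL = Program("GrayTool", b"constructed-image-3", ["write_autorun_key"])

# The vendor judged GrayTool safe, so its hash sits on the trusted list.
WHITELIST = {image_hash(GRAY_TOOL)}
SAMPLES = [SCAREWARE, PERSISTENT, GRAY_TOOL]

if __name__ == "__main__":
    results = compare(SAMPLES, WHITELIST)
    for name, r in results.items():
        print(f"{name:13} HIPS -> {r['hips'] or 'silent'}")
        print(f"{'':13} BB   -> {r['bb'] or 'silent'}")
    print("prompts: HIPS", decisions_required(results, "hips"),
          "| BB", decisions_required(results, "bb"))
```

Running it shows the two failure modes the thread argues about in one table: FakeScanner is silent under the behaviour blocker because it does nothing a rule would match, and GrayTool is silent under the classical HIPS because its hash is trusted, while the HIPS column racks up the most prompts overall, which is the sense in which its "detection" is really the user's decision.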