MRG Rogue Software Test

Discussion in 'other anti-malware software' started by LoneWolf, Aug 16, 2009.

Thread Status:
Not open for further replies.
  1. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    792
    The main Q is, is the result same on the specific test samples used (verified in a unpublished test) or just generally in tests?
     
  2. littlebits

    littlebits Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    262
    Could the Admins and Mods check this member's IP's, I bet he is from Greece, if not using proxies to hide his ID.

    Well anyway, he was a trouble making member from SSUpdater and has more than a few screws loose. He was a supporter of our site and eventually got Moderator. Anyway, he was a complete trouble maker spreading false lies and causing other members to get into disputes.

    I tried to work with him and would not change his ways. He made over 10 different users accounts and started to spam our forum with false lies.

    I eventually had to ban all of his IP's from Greece to get rid of him.
    He has never got over getting ban from SSUpdater, now he is doing the same thing here on Wilder's making his first post under a different user name in order to spread more lies and cause disputes.

    Please ban his member from Greece and check for multiple user accounts.

    Because if this member is from Greece, then you will know who is telling the truth.

    Good Day.:D
     
  3. Sveta MRG

    Sveta MRG Registered Member

    Joined:
    Aug 16, 2009
    Posts:
    209
    I meant in this specific test with this methodology used, the result would be the same.

    Regards,
    Sveta
     
  4. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    792
    If it's methodology, the problem is that IS uses a deeper emulation on execution and chances are it would catch the samples based on that function, which isn't present in KAV (well, not used in the same way) as it can only use a smaller amount of emulation.
    (P.S still getting redirected to "Cure"/graphic.php... wondering why? ;))
     
  5. Sveta MRG

    Sveta MRG Registered Member

    Joined:
    Aug 16, 2009
    Posts:
    209
    The truth is be tested both AV and ISS, the result was the same, we always do that in unofficial tests, we have tested many more applications, just didn't get the chance to publish the results yet.

    You can't access the site?
     
  6. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    792
    That's what I wanted to verify, it's not the method but the samples used. :)

    I don't know why (lazy to investigate), but I'm always presented with http://malwareresearchgroup.com/graphic.php , some kind of TOS/EULA but nothing that I can see to "verify" myself as a non-bot (captcha, etc.). :p
     
  7. Sveta MRG

    Sveta MRG Registered Member

    Joined:
    Aug 16, 2009
    Posts:
    209
    It can be the Project HoneyPot, we use it because of the problem with spammers (like the one who started this whole mess), they are a bit to aggressive so they might have your IP flagged by mistake, you can contact them and check, if that is the case they will unblock it asap.

    Regards,
    Sveta
     
  8. Criss

    Criss Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    186
    I am also having the problem as u. :mad: Dono why that happen.
     
  9. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Hi Sveta,

    Can you explain how HIPS got bypassed? When you said that the rogue was able to install...do you mean that the rogues pop-ups were able to transpire or do you mean that the rogues pop-ups were not able to transpire but malware traces were still installed in program files/program data and a few registry key entries?

    Thank You

    Toby
     
  10. Sveta MRG

    Sveta MRG Registered Member

    Joined:
    Aug 16, 2009
    Posts:
    209
    In this case HIPS didn't react as the files were suspicious, you would normally get a pop up window saying that the file is malicious, unknown or untrusted (attempting to do this or that).... but that simply didn't occur so the applications were able to install with no problems.
    I was surprised that COMODO's D+ didn't react to the files it failed to block, Online Armor ++ is another story and you will find out about it pretty soon.

    Regards,
    Sveta
     
  11. ssj100

    ssj100 Guest

    I think the reason D+ didn't react is because the apparent "rogue" software is actually safe software mate - that is, Comodo have added it into its white-list.

    Can you please give me the programs of the "rogue" software that bypassed OA and Comodo? I want to verify that they are genuine "rogue" software. As you implied in a previous post, some of these "rogue" software were in the gray zone (and I suspect they aren't "rogue" software at all mate). Thanks very much.
     
  12. Sveta MRG

    Sveta MRG Registered Member

    Joined:
    Aug 16, 2009
    Posts:
    209
    Files already sent to the vendors and got mixed opinions as feedback, some say malicious others gray area.
    I would wait a bit before I share the files as I am still getting various opinions from malware researchers. I will post everything a bit later in our forums as I do not wish to post any links to rogues here.

    Regards,
    Sveta
     
  13. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    o u mean kinda like Max Zorin/Retadapuss and w/e other accounts that member made to do the exact same thing here?... :cautious: :rolleyes:
     
    Last edited: Aug 19, 2009
  14. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Max_Zorin appears to have been deleted from Ssupdater.com's forum. No fancy title of VIP, no posts. 21:15 gmt.

    Strangely, 212eta seems to be saying exactly the things Max_Zorin said on the website yesterday lol.
     
  15. ssj100

    ssj100 Guest

    I see mate, but there's just no way a classical HIPS (like Comodo's Defense+) will be bypassed by a simple piece of rogue software. Unless it had some wicked mechanism to get past the initial execution alert of the classical HIPS (and I've only seen this with a few POCs, which have since been fixed, and not genuine malware programs), it's just impossible that the HIPS doesn't give a pop-up.

    So the reasons for Defense+ getting bypassed by rogue software would be either:
    1. The rogue software has some amazing mechanism that allows it to be executed undetected by the classical HIPS

    or

    2. The rogue software is not rogue software, and is in fact a genuine program, which has been added into the classical HIPS' white-listing database.

    Hope to get those samples soon.
     
  16. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    the program culd seem like a rogue if its a dead project or incomplete in other words "vaporware" but it doesnt mean its ACTUALLY a rogue out to get ur money and provide ZERO functionality. so that culd be 1 reason it wasnt deteced cuz it culd be whitelisted.
     
  17. Sveta MRG

    Sveta MRG Registered Member

    Joined:
    Aug 16, 2009
    Posts:
    209
    I didn't say that I disagree with you, with gray area software there is always a chance that some applications will be flagged as safe by some but they will be flagged as unsafe by others. I am positive that that is the case with COMODO and D+, but like I said, I wasn't the one who put these applications on the rogue software list.
    I believe that HIPS is one of the most advanced and most aggressive method of prevention/detection, it wouldn't be pretty if they missed easy targets like these, so it has to be something else.

    Regards,
    Sveta
     
  18. ssj100

    ssj100 Guest

    Sure thing mate. It sounds like you need to get a more reliable list of "rogue" software next time haha.
     
  19. Sveta MRG

    Sveta MRG Registered Member

    Joined:
    Aug 16, 2009
    Posts:
    209
    Not posting any links, but this one should be the most reliable one, but like I said gray area is gray, not white, not black, somewhere in the middle so that is what makes it hard to detect;)

    Regards,
    Sveta
     
  20. ssj100

    ssj100 Guest

    Well mate, I guess the fact that Comodo have white-listed the programs means that based on their research, these programs are not "malware".
     
  21. Sveta MRG

    Sveta MRG Registered Member

    Joined:
    Aug 16, 2009
    Posts:
    209
    Yes, but that was what COMODO did, lets see the others, shouldn't take long;)
     
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    One of the main reasons why a rogue may get past a HIPS is that it may literally not do any malicious things on the system besides try and socially engineer money from the user. A HIPS isn't going to warn if a program just displays red text, but many users are gullible and it isn't easy trying to prevent people from being gullible (a word, by the way, which when pronounced slowly, sounds like "Green Bell").
     
  23. ssj100

    ssj100 Guest

    Dude, why do you seek to cloud the issue haha.

    You of all people will know that the rogue will not get past a HIPS unless it's been white-listed, and therefore deemed safe. A classical HIPS will always give (at least) an initial execution alert for any program that tries to run (unless it's been white-listed).
     
  24. ssj100

    ssj100 Guest

    Let's not forget false postives for those black-listers/behaviour-blockers.
     
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Do classical HIPS today really warn on every new execution o_O That sounds more like anti-executable software than protection that should be compared against other products - you couldn't say that a program that blocks every non-whitelisted program has passed a detection test because that would be 100% user dependent :doubt:
     
Loading...
Similar Threads
  1. Peter2150
    Replies:
    41
    Views:
    3,451
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.