New sample of Rogue AV?

Discussion in 'other anti-malware software' started by Stubborn, Oct 9, 2008.

Thread Status:
Not open for further replies.
  1. Stubborn

    Stubborn Registered Member

    Joined:
    Apr 7, 2008
    Posts:
    22
    Location:
    Brazil
    Hi there,

    I was testing Sandboxie in my machine, and as the search process was evolving, I've reached the especif domain: 100webspace.

    Some windows warnings, the same bullshit as usual, then I was readed to download this specific file:

    A9installer_77025301.exe.

    Virustotal Link:~Link removed per Policy. - Ron~ EDIT: Thx.

    While running on demand, neither NOD32 (as expected) or Malwarebytes were able to catch it.
     
    Last edited by a moderator: Oct 9, 2008
  2. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
    And?

    Since you obviously found something quite new, why not report it to where it matters? That would be the vendors themselves :)
     
  3. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Wow microsoft and sophos was the only detection.o_O That sucks. please send samples to other vendors
     
    Last edited by a moderator: Oct 9, 2008
  4. Stubborn

    Stubborn Registered Member

    Joined:
    Apr 7, 2008
    Posts:
    22
    Location:
    Brazil
    Lordpake,

    I thought I was on the right place. Isn't it the subforum where you can post your experiences with other anti-malware software?

    Sandboxie kept my OS secure and I wish to share my first good impressions on this software.

    Please, report to the MODs if you feel bothered, so they can do their jobs.

    Best Regards.
     
  5. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    As far as I am concerned its always nice to see how well sandboxie holds up and yet nothing new about AV or 100webspaces.A very good place to land on for security testing.:eek:
     
  6. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    These rogues are constantly morphing so as to be undetectable.

    You could post any new threats at the "Newest Rogue Threats" section of Malwarebyte's Forum

    Have an A9 installer in my collection and MBAM flags it.
    Files Infected:
    c:\Users\administrator\Desktop\a9installer_77052204.exe (Trojan.FakeAlert) -> No action taken.
     
    Last edited: Oct 9, 2008
  7. Stubborn

    Stubborn Registered Member

    Joined:
    Apr 7, 2008
    Posts:
    22
    Location:
    Brazil
    Thank you, Franklin.

    Kinda nice of you to give me an explanation on the right place to post, instead of being rude or sarcastic. I appreciate that.

    I will report this thread to de MODs so they can close it, if they wish to.

    I didn't post it with bad intentions.
     
  8. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    I think that even if the installer might not be flagged by MBAM that the heuristics may kick in at an attemted install?

    Oh and best if you mung or remove your link to Virus Total as they're not allowed, meaning change the http to hxxp so as it's not live.

    Dunno if munged links are allowed either?
     
  9. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,007
    did you send the file to the other main av vendors?
     
  10. Stubborn

    Stubborn Registered Member

    Joined:
    Apr 7, 2008
    Posts:
    22
    Location:
    Brazil
    Not yet, but I would like to. I send it to NOD32 only. If there are other e-mails that I can send the samples, just let me know.
     
    Last edited: Oct 9, 2008
  11. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,981
    Location:
    U.S.A.
    Stubborn, the file shown on the VirusTotal results is A9installer_77039001.exe, a different file than stated above. Were there several files attempting to download?

    In Franklin's post, the sample file was a9installer_77052204.exe which is part of Antivirus 2009 but you could have found a variant of the same bug. Looks like you have reported it to NOD32 and MBAM; thank you for letting us know that Sandboxie worked as expected!

    Edit: Instructions for AVG - What to do when I suspect any file it is infected?
    Please try to update your AVG system and run the whole computer scan again. When the file is not detected and you are still in doubt, put the file into password protected archive (WinZip, WinRar, PowerArchiver etc.), attach this archive to an e-mail and send it to virus@avg.com. Describe why you send the file and write password for the archive into e-mail. And send the e-mail.
     
    Last edited: Oct 9, 2008
  12. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    for Avira submit here
     
  13. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    499
    Location:
    Nottingham
  14. rolarocka

    rolarocka Guest

  15. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
    I didn't try to be sarcastic or rude :)

    Like already said, there's nothing strange that signature-based (blacklist) software let something by, and sandboxie contains it. Both are doing their jobs, it's just that for new pests the signatures usually are lacking. Hence it is important for all of us to submit samples around :) It's the responsible thing to do.


    There's a thread about where to post malware samples.

    https://www.wilderssecurity.com/showthread.php?t=132843
     
  16. Stubborn

    Stubborn Registered Member

    Joined:
    Apr 7, 2008
    Posts:
    22
    Location:
    Brazil
    Well, despite the name of the file that I've downloaded, when sended to VirusTotal, it recognizes its name differently.

    I've decide also to run the file in the sandbox. Allowed firewall to receive installation packet, then:

    - Zemana kindly pointed every single action of it;
    - NOD32 recognized it as XpAntivirus and send it to quarantine.

    Although I'm a noobie at this matter, I've got some questions:

    - The fact that NOD32 acessed the file in the sandboxie, it means that the opposite way was also possible (the sandboxed environment reach the "outter" environment)?
     
  17. Stubborn

    Stubborn Registered Member

    Joined:
    Apr 7, 2008
    Posts:
    22
    Location:
    Brazil
    Done.
     
  18. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,981
    Location:
    U.S.A.
    I have to defer your question to someone who has NOD32 installed, since I have AVG, and I'm a Sandboxie newbie as well. Yet, I'll be curious to read how could NOD32 pull that file out of the sandbox to quarantine it?

    I thought only when you "recover" a file, via Sandboxie, is when that file is transferred outside the sandbox. Am I wrong in that assumption? Experts please chime in!
     
  19. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,007
    did you submit to anyothers at the thread with all main vendors?
     
  20. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    In simple words, AV can access the sandbox for scanning, but stuff inside the sandbox can't escape. No worries there;)
     
  21. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,981
    Location:
    U.S.A.
    HURST, thanks for your pithy explanation. :thumb: Stubborn stated "NOD32 recognized it as XpAntivirus and send it to quarantine" which I took to mean that the file was extracted from the sandbox, so I'm glad to learn that nothing can escape from it, unless you do it yourself.
     
  22. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    If NOD32 were sandboxed then NOD32 quarantine will be also sandboxed but NOD32 was not running sandboxed so malware appear in real quarantine... very simple
    Every action made by sandboxed application (and its children) will be sandboxed, every action that is made by non-sandboxed application will be real
     
    Last edited: Oct 10, 2008
  23. Stubborn

    Stubborn Registered Member

    Joined:
    Apr 7, 2008
    Posts:
    22
    Location:
    Brazil
    Avira and NOD32 only. Awaiting contacts to send it to other vendors.
     
  24. Stubborn

    Stubborn Registered Member

    Joined:
    Apr 7, 2008
    Posts:
    22
    Location:
    Brazil
    Thanks for the explanation.

    As I've said before, I'm newbie at this questions.

    Also took a few print screens about the infection. If there are reasons to post it, just let me know.
     
  25. Stubborn

    Stubborn Registered Member

    Joined:
    Apr 7, 2008
    Posts:
    22
    Location:
    Brazil
    Sample sent to the following list:

    v3sos@ahnlab.com; virus@arcabit.com; virus@avast.com; virus@grisoft.cz; virus@avira.com; virus_submission@bitdefender.com; virus@ca.com; vms@drweb.com; submit@emsisoft.com; esafe.virus@eAladdin.com; samples@eset.com; submit@ewido.net; submitvirus@fortinet.com; viruslab@f-prot.com; samples@f-secure.com; hauri98@hauri.co.kr; analyse@ikarus.at; newvirus@kaspersky.com; vsample@avertlabs.com; avsubmit@submit.microsoft.com; analysis@norman.no; virussamples@pandasoftware.com; viruslab@quickheal.com; samples@sophos.com; avsubmit@symantec.com; virus_doctor@trendmicro.com; newvirus@unasoft.com.ua; newvirus@anti-virus.by; virus@virusbuster.hu

    -----------------------


    Also, Avira feedback.

    "Welcome back, Mr Edward!

    We received the following archive files:
    File ID Filename Size (Byte) Result
    25156099 sample.rar 68.94 KB OK

    A listing of files contained inside archives alongside their results can be found below:
    File ID Filename Size (Byte) Result
    25156100 A9installer_77025301.exe 149 KB MALWARE


    Please find a detailed report concerning each individual sample below:
    Filename Result
    A9installer_77025301.exe MALWARE

    The file 'A9installer_77025301.exe' has been determined to be 'MALWARE'. Our analysts named the threat TR/FraudPack.akv. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system.Detection is added to our virus definition file (VDF) starting with version 7.00.07.21."
     
    Last edited: Oct 10, 2008
Loading...
Thread Status:
Not open for further replies.