New SpyEye/ZeuS Trojan

Joe, does Prevx protect against this? I would assume it does but confirmation would be nice.
Discussed here:

https://www.wilderssecurity.com/showthread.php?t=291655

 

Yes And the newest discrete Zeus variant is covered as well (which uses legitimate VNC to connect to the PC remotely). They are certainly getting sneakier... but not sneaky enough for us

 

I found a variant of this malware that Prevx didn't detect on scan but after 15 minutes it was added, so the cloud is fast to react to new variants and not waiting for and update and I didn't send in to Prevx only scanning the file!

[BP] c:\users\daniel\downloads\awemba.exe [PX5: 853C390A001F667A14DE0254A7E8C500F55BF1FA] Malware Group: High Risk Cloaked Malware

TH

 

I'd be afraid of a FP under those circumstances.

 

I never knew what Zeus does
Can anyone enlighten me

Anyways, i once had to clean a friends PC that was infected with like 2 variants of Zeus and like 100 malware LOL
He downloaded lots of cracks and "hacks" hahahaha

 

Did you install the file? So was Zeus running on your system?

 

No I didn't run the file just did a standard scan! I wasn't in the mood today to infect 1 of my VM's

TH

 

On VT now 36/43 now detect this file I have! On VT NOD32 detects it as Win32Spy.Zbot.YW and AntiVir TR/PSW.Zbot.136192.Y so I doubt it is any kind of FP!

TH

 

Be glad for that. I just rechecked something from an article I saw sometime ago (I'm being kind by saying "sometime"; more than a year has passed.), and a few still don't detect the malware in question, and one being the security application we're discussing in this thread.

I know this isn't the place, but come on... more than year and still no detection Prevx isn't alone on this one, though.

Did the sample got lost in the way, since it first was upload to VirusTotal

 

I don't know if it's the malware in Question I just found a sample and checked to see if Prevx detected it and at the time it didn't so 15 min later it did and then I check it with VT and it said first seen Dec 27 2010! I was just making a comment that it only took 15 min so the whole Prevx community was protected and nothing more!

TH

 

Oh, sorry. I'm not talking about Zeus. I was looking through an year old (a bit more) article, and I decided to recheck how many antimalware engines were now detecting this malware; after all, more than a year has passed, right?

To my surprise, not all of them were detecting it; actually only 25/36, Prevx excluded from those able to detect it.

I wonder if it takes more than year to detect a threat? Specially considering that VirusTotal shares malware samples with security vendors that figure in their service. Prevx figured VirusTotal back then, so why doesn't it detect it, after 1 year?

 

The VT detection is not from the normal Prevx product - it uses a small commandline scanner which functions very differently so you'll see dramatically different results. I'd be surprised if we still didn't find it, but if you could send me the sample, I'll take a look

 

OK. I guess that explains it, then. By the way, I forgot to mention they are two samples, uploaded to VirusTotal at the same time, and both not detected by Prevx... even if using only "a small commandline scanner".

I don't have the samples in my possession, but can't you request them to VirusTotal, by providing the hashes, and see if you do detect them? *Edit* Otherwise, I could have just tested it for myself.

I'm not trying to make any sort of bad critic; I wasn't aware that VirusTotal version wasn't the one your costumers have.

I could give you the hashes? PM or here at the thread?

 

If you PM me the hashes, I'll be able to look them up No product on VT is the one used by consumers - they are all very different and not meant to be representative of what the real product would find. I'd estimate that the VT scanner has 1/10th the detection of the actual Prevx product and 5x as many false positives just because of the limitations of the environment.

 

Yes, you're right. I have no idea why, but I've never seen this part in their FAQ.