New SpyEye/ZeuS Trojan

Discussion in 'Prevx Releases' started by Dark Star 72, Jan 26, 2011.

Thread Status:
Not open for further replies.
  1. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    703
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes :) And the newest discrete Zeus variant is covered as well (which uses legitimate VNC to connect to the PC remotely). They are certainly getting sneakier... but not sneaky enough for us ;)
     
  3. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    I found a variant of this malware that Prevx didn't detect on scan, but after 15 minutes it was added, so the cloud is fast to react to new variants and not waiting for an update, and I didn't send it in to Prevx, only scanned the file!

    [BP] c:\users\daniel\downloads\awemba.exe [PX5: 853C390A001F667A14DE0254A7E8C500F55BF1FA] Malware Group: High Risk Cloaked Malware

    TH :D :thumb:
     
    Last edited: Jan 26, 2011
  4. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    I'd be afraid of a FP under those circumstances.
     
  5. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    I never knew what Zeus does :rolleyes:
    Can anyone enlighten me :D

    Anyways, I once had to clean a friend's PC that was infected with like 2 variants of Zeus and like 100 malware LOL
    He downloaded lots of cracks and "hacks" hahahaha
     
  6. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Did you install the file? So was Zeus running on your system?
     
  7. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    No, I didn't run the file, just did a standard scan! I wasn't in the mood today to infect 1 of my VMs ;)

    TH
     
  8. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    On VT, 36/43 now detect this file I have! On VT NOD32 detects it as Win32Spy.Zbot.YW and AntiVir as TR/PSW.Zbot.136192.Y, so I doubt it is any kind of FP! :p

    TH
     
    Last edited: Jan 26, 2011
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Be glad for that. I just rechecked something from an article I saw some time ago (I'm being kind by saying "some time"; more than a year has passed), and a few still don't detect the malware in question, one of them being the security application we're discussing in this thread.

    I know this isn't the place, but come on... more than a year and still no detection o_O Prevx isn't alone on this one, though.

    Did the sample get lost on the way, since it was first uploaded to VirusTotal o_O
     
  10. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    I don't know if it's the malware in question. I just found a sample and checked to see if Prevx detected it, and at the time it didn't, so 15 min later it did, and then I checked it with VT and it said first seen Dec 27 2010! I was just making a comment that it only took 15 min so the whole Prevx community was protected, and nothing more!

    TH
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Oh, sorry. I'm not talking about Zeus. :D I was looking through a year-old (a bit more) article, and I decided to recheck how many antimalware engines were now detecting this malware; after all, more than a year has passed, right? :D

    To my surprise, not all of them were detecting it; actually only 25/36, Prevx excluded from those able to detect it.

    I wonder if it takes more than a year to detect a threat? Especially considering that VirusTotal shares malware samples with the security vendors that figure in their service. Prevx figured in VirusTotal back then, so why doesn't it detect it, after 1 year?
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The VT detection is not from the normal Prevx product - it uses a small commandline scanner which functions very differently so you'll see dramatically different results. I'd be surprised if we still didn't find it, but if you could send me the sample, I'll take a look :)
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK. I guess that explains it, then. By the way, I forgot to mention there are two samples, uploaded to VirusTotal at the same time, and both not detected by Prevx... even if using only "a small commandline scanner".

    I don't have the samples in my possession, but can't you request them from VirusTotal, by providing the hashes, and see if you do detect them? *Edit* Otherwise, I could have just tested it for myself. :D

    I'm not trying to make any sort of bad criticism; I wasn't aware that the VirusTotal version wasn't the one your customers have.

    I could give you the hashes? PM or here in the thread?
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    If you PM me the hashes, I'll be able to look them up :) No product on VT is the one used by consumers - they are all very different and not meant to be representative of what the real product would find. I'd estimate that the VT scanner has 1/10th the detection of the actual Prevx product and 5x as many false positives just because of the limitations of the environment.
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, you're right. I have no idea why, but I've never seen this part in their FAQ.

    :thumb:
     