New Windows Protection Suite in the wild now

Discussion in 'ESET NOD32 Antivirus' started by bradtech, Sep 15, 2009.

Thread Status:
Not open for further replies.
  1. bradtech

    bradtech Guest

    Got on a machine today... Only 2/41 products detected it on Virustotal.. Very new variant, I took the hash off it, and added it to my Software Restriction Policy. I sent in the variant, sysinspector information, and screenshots to ESET labs.. Just thought I would let the community know. I hope you guys are looking out for me and sending in variants to eset!

    :thumb:
     
  2. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    I'm too lazy to jump through the hoops with the way they want you to submit. If they just took it the way of the right click and submit through the NOD32 program, I would be submitting every new undetected thing I find!

    The way they have you submit is what's keeping them in the number 3 (or 4) spot in the antivirus world. The other vendors make it easy to submit a file, so people actually bother with it, then that vendor catches the virus first and makes every other antivirus vendor look bad.....
     
  3. bradtech

    bradtech Guest

    I don't think it's that tough to submit.. I just take a sysinspector snapshot, and collect the variant, put it in a password protected file/send it in.. The variant I uploaded to Virustotal is still not being caught by anything hardly.. One vendor is now detecting it as low risk malware (PrevX).. I have never uploaded anything that Symantec caught that NOD32 did not..
     
  4. bradtech

    bradtech Guest

    Hello I have the Virus running in a secured VM setup.. I have found out a lot of information about it, and what it tries to do in the background.. It keeps trying to dial home to a ~ snipped ~ which goes to Russia.. I have the IP address, and additional information for ESET if they wish to have the information along with the samples I sent in today.
     
    Last edited by a moderator: Sep 16, 2009
  5. bradtech

    bradtech Guest

    NOD32 now detected this with virus signature database 4430, woohoo!

    Only 12-24 hours after reporting. Good job, ESET!
     
  6. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    I sent in another submission of PersonalAV yesterday
    The PAV has been out for what, over a year now?
    Same exact C:\Program Files\PersonalAV\PersonalAV.exe for months and months.

    Eset didn't even squeak at it, even when right clicking the directory and executable itself and scanning. Yet MalwareBytes, as it has ever since PAV came out, cleaned it right up.

    :cautious:
     
  7. bradtech

    bradtech Guest

    PAV changes as soon as they add detection for it. The virus maker just goes in, and rebrands it, makes little changes, and gets past signatures added for it in the past. I had a new PAV.exe that came out, and it was detected by 0/41 vendors when I uploaded it.. I used Spyware Doctor, and its Anti Virus zero day found it and removed it (ThreatFire). It almost seems as easy as changing the MD5 hash value of the file, and it gets past AV makers.. Because the code seems the same.
     
  8. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    I know the rogues have new variants each day, 3 to 4 new variants per day. We deal with usually several new ones per day across many clients. But what's amusing about it, the program directory and the executable name are the same...since like...last Christmas. And MalwareBytes always..always..without fail, cleans that puppy up on the first sweep. This lady had it on her system for 2 days until I could get there. Even on the 2nd day when I got there, NOD didn't even care about it, yet MWB gobbled it right up.

    I can clean PAV manually, by hand, going by memory. A human being knows how to clean it by heart...since he has been doing it (this rogue) for almost a year now. Yet an AV program can't? A human can, an AV program can't...hmmm.
     
  9. bradtech

    bradtech Guest

    I don't know enough on what ESET does to add signatures to detect these.. I understand how hard it may be to detect these, but you would think that maybe they could find some kind of common heuristic that the PAV makers use, and make it as to where it can be detected with new releases until the virus maker completely rewrites the code from the ground up.. At this point I am wondering if all the virus makers are doing is recompiling, and changing the hash values.. I manage around 4000 machines and I've had PAV get by a couple of times, and also Windows Protection Suite.. A lot of the time Malware Bytes does not detect these for me.. I upload them, and at the most 2/41 or 3/41 vendors may catch it.. I think the main reason I can weather the storm on a lot of these is because I am not lazy/I am pro-active and see it as my job to submit these to ESET, Symantec, and Kaspersky, which are the three makers we use.. ESET on Servers/Clients, Symantec/Kaspersky email filtering..

    I have this variant at home, and last night I threw everything at it, and all that detected it was Spyware Doctor With Antivirus with its zero day behavior based ThreatFire module.
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    As far as I know, the web protection module should intercept new variants of PAV upon download. Detecting files just by the file name is not safe and, as soon as AV programs started doing that, the malware authors would use different tricks to evade detection.
     
  11. bradtech

    bradtech Guest

    Thanks for all your help in the past.. Marcos literally saved ESET 2,000 licenses with his help! :)
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Just make sure that web protection is enabled :) It provides additional protection, including blocking of websites known to host malware.
     
  13. bradtech

    bradtech Guest

    I traced the variant back to a Russian Domain name, and IP address. Should I have included that information in my report to samples@eset.sk?
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Not necessary. A brief analysis is always carried out on each sample.
     
  15. bradtech

    bradtech Guest

    Just found a new personal anti virus variant.. File name is PersonalAV.exe instead of PAV.exe.. I got it off a turnpike authority machine.. Will be sending it in.

    3/41 detecting it

    For those who block these parasites using an AD Software Restriction Policy:

    File size: 1335296 bytes
    MD5: 49b30cedef1a6fafe4b1f95d4095fb24
    SHA1: 2e2ef7b38063be9e1702c054cba4f4290b4651f0
    SHA256: b51340aab49a549563ce68c155f85d57cea41e67acdeadbcf546a26730260245
     
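The thread twice turns on file-hash blocking: bradtech adds each variant's hash to a Software Restriction Policy (posts 1 and 15), and posts 7 and 9 observe that a rebranded or recompiled rogue changes its hash and slips past such rules. The script below is an added illustration, not code from the thread or from ESET: it computes the same size/MD5/SHA1/SHA256 tuple that VirusTotal and post 15 report, checks a file against a hash blocklist seeded with the indicators from post 15, and then shows that a single appended byte in a constructed sample defeats the match. The sample bytes and the `REBRANDED_SAMPLE` variant are constructed for the demo and are not malware.

```python
import hashlib
from typing import Optional

# Indicators copied from post 15 of the thread (PersonalAV.exe sample).
PAGE_INDICATORS = {
    "size": 1335296,
    "md5": "49b30cedef1a6fafe4b1f95d4095fb24",
    "sha1": "2e2ef7b38063be9e1702c054cba4f4290b4651f0",
    "sha256": "b51340aab49a549563ce68c155f85d57cea41e67acdeadbcf546a26730260245",
}


def file_hashes(data: bytes) -> dict:
    """Return size plus MD5/SHA1/SHA256 hex digests of a file's bytes,
    in the same form VirusTotal and the thread report them."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_blocklist(indicator_sets) -> dict:
    """Collect known-bad digests per algorithm, the way a set of SRP hash
    rules does: one entry per submitted sample, exact digest only."""
    blocklist = {"md5": set(), "sha1": set(), "sha256": set()}
    for indicators in indicator_sets:
        for algo in blocklist:
            if indicators.get(algo):
                blocklist[algo].add(indicators[algo].lower())
    return blocklist


def match_indicator(data: bytes, blocklist: dict) -> Optional[str]:
    """Return the first algorithm whose digest of `data` is on the blocklist,
    or None. This is exact matching: any byte change in the file yields new
    digests, which is why a rebranded or recompiled variant is not caught
    until its new hash has been collected and added."""
    hashes = file_hashes(data)
    for algo in ("sha256", "sha1", "md5"):
        if hashes[algo] in blocklist[algo]:
            return algo
    return None


# Constructed stand-in for a captured variant (assumption: not a real file).
CONSTRUCTED_SAMPLE = b"MZ\x90\x00" + b"PersonalAV constructed sample " * 8
# Its digests recorded as if they had been taken from a VirusTotal report.
CONSTRUCTED_INDICATORS = file_hashes(CONSTRUCTED_SAMPLE)
# The "rebrand" from posts 7 and 9: one trailing byte appended, nothing else.
REBRANDED_SAMPLE = CONSTRUCTED_SAMPLE + b"\x01"

BLOCKLIST = build_blocklist([PAGE_INDICATORS, CONSTRUCTED_INDICATORS])

if __name__ == "__main__":
    print("original sample matched on:", match_indicator(CONSTRUCTED_SAMPLE, BLOCKLIST))
    print("rebranded sample matched on:", match_indicator(REBRANDED_SAMPLE, BLOCKLIST))
    print("rebranded sample hashes:", file_hashes(REBRANDED_SAMPLE))
```

Run against a real file by reading it with `open(path, "rb").read()` and passing the bytes to `match_indicator`. The `size` field is carried along because the thread lists it alongside the digests; it is deliberately not used for matching, since file size alone is far too coarse to block on and, as Marcos notes for file names, would be trivial for the author to vary.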