Newer Virus samples, escaping most scanners

Discussion in 'other anti-virus software' started by dan_maran, Mar 22, 2005.

Thread Status:
Not open for further replies.
  1. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    Stamford, CT
    Newer Malware, escaping most scanners

    Ok, first off I am no expert in this field, nor do I claim to be. But for the last few days I have been "surfing without protection" and I picked up a few nasties along the way which, as you all will be able to see by the screens, escaped most scanners, yes even Kaspersky. I am in the process of submitting them as I type this.
    I am only going to post the screens of the VirusTotal scans, as they are roughly the same as Jotti's. I did scan some more files, but you all get the picture: be careful!
    Just some food for thought.

    http://www.zer0-tec.net/likuidkewl/22mar/vscan01-22mar.png
    http://www.zer0-tec.net/likuidkewl/22mar/vscan02-22mar.png
    http://www.zer0-tec.net/likuidkewl/22mar/vscan03-22mar.png

    And yes Avast missed them all. :(
     
    Last edited: Mar 23, 2005
  2. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    @ likuidkewl- Interesting & disturbing data. Thanks for posting it.

    @ All- I note that Sybari did well in these 3 cases. Is it true that Sybari has been bought by Microsoft? Is the Sybari AV available for trial & purchase? Does anyone here have experience &/or further information concerning this relatively unknown AV?
     
  3. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
    If I am not mistaken...Sybari was bought by Microsoft, however, it is for the "enterprise" versions. I am not sure IF or WHEN Microsoft will begin rolling out their version OR if it will be available for the SOHO home user.
    As noted here
    Hope that helps
    Cheers :)
     
  4. ncs_

    ncs_ Guest

    Sybari do not produce antivirus for desktops.
    However, they actually license 8 AV engines in their products (e-mail gateway products).
     
  5. VikingStorm

    VikingStorm Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    387
    For Sybari, you can see its KAV & McAfee components in action in the last two screenshots. No idea which engine Sybari used in the first screenshot though.
     
  6. 434563

    434563 Guest

    Can you test these samples for 1 week again?

    Just to see who would add them!
     
  7. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    Stamford, CT
    I will submit them again this coming weekend.
     
  8. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    The third Sybari detection was probably detected by the VET engine. Here is a former version of that "Win32.SillyDI" by VET.

    Best regards,
    Firefighter!
     

  9. jtjrttr

    jtjrttr Guest

    I see you're submitting them inside rar files. You're really only testing the program's ability to scan inside rar archives.
     
  10. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    Stamford, CT
    Also, the file in the 3rd screen cap was not caught by anything on Jotti's page; even the Norman Sandbox had no idea what it was. Although the Sandbox did pick up most of the others. I was amazed that NOD missed so many un-archived samples; the archives I am not surprised about. I am also surprised by BD's heuristic check.

    EDIT//
    Seems we were posting at the same time:
    I submitted them first without any archiving, and then again with them archived, and the results didn't change.
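
    jtjrttr's point about archived submissions, and the plain-versus-archived comparison dan_maran describes above, as an added example that is not part of either post: a toy signature matcher in Python that shows why a scanner with no archive support cannot see a pattern inside a compressed file, next to a version that unpacks the archive and recurses into nested ones. The signature, the payload and the use of ZIP in place of RAR (the standard library has no RAR reader) are all constructed for this example and are not tied to the samples in the thread.

```python
import io
import zipfile

# Constructed signature for the example: a toy "definition" that a flat
# byte-pattern scanner would look for. Not a real detection.
MARKER = b"$CONSTRUCTED-TEST-MARKER-DO-NOT-FLAG$"
SIGNATURES = {"Constructed.Dropper.Marker": MARKER}

# Constructed stand-in for a dropper: fake MZ header, zero padding so that
# deflate actually compresses it, then the marker bytes.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 64 + b"constructed dropper " + MARKER + b"\x00" * 32


def scan_bytes(data: bytes) -> list[str]:
    """Flat pattern match over raw bytes: what a scanner without archive
    support does. Inside a deflated archive the payload is Huffman-coded,
    so the pattern is simply not present in the outer file's bytes."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def scan_recursive(data: bytes, depth: int = 0, max_depth: int = 8) -> list[str]:
    """Match on the outer bytes, then unpack any ZIP archive and scan each
    member, recursing into nested archives. max_depth bounds the recursion
    so a deliberately nested "archive bomb" cannot run the scanner forever."""
    hits = scan_bytes(data)
    if depth >= max_depth:
        return hits
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                hits.extend(scan_recursive(zf.read(info), depth + 1, max_depth))
    return hits


def build_sample_archive(payload: bytes, inner_name: str = "sample.exe") -> bytes:
    """Pack a payload into an in-memory ZIP (deflated), standing in for the
    RAR files submitted in the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


def compare(payload: bytes = SAMPLE_PAYLOAD) -> dict:
    """Run both scanners over the plain file, the archived file and an
    archive nested inside another archive."""
    archive = build_sample_archive(payload)
    nested = build_sample_archive(archive, "inner.zip")
    return {
        "flat_plain": scan_bytes(payload),
        "flat_archive": scan_bytes(archive),
        "recursive_archive": scan_recursive(archive),
        "recursive_nested": scan_recursive(nested),
    }


if __name__ == "__main__":
    for label, hits in compare().items():
        print(f"{label:20s} {hits}")
```

    The flat scanner finds the marker in the plain file and nothing in the archive; the recursive scanner finds it in both, one and two levels deep. That is the difference between "the engine has no signature for this" and "the engine never looked at the bytes", and it is why submitting the plain executable, as dan_maran says he did, is the only way to tell the two apart.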
     
  11. Eliot

    Eliot Registered Member

    Joined:
    Aug 8, 2003
    Posts:
    854
    Location:
    Arkansas, USA
    How did GData fare against them?
     
  12. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    Stamford, CT
    Haven't tried yet, as the test machine was a fresh image with only BD7.2. But from the screen caps I think we can conclude it would have missed the last one at least. Now that the viruses have been submitted it might be a moot point to check them against GData, but I will try to later tonight anyhow.
     
  13. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Why did you say that avast! missed them all? Like that's a bad thing. Just look at heavyweights like DrWeb or Symantec. They both missed all samples too.
    So, what's the deal?
     
  14. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    the deal is that new samples are being missed and our PCs are at risk!
     
  15. Wolfe

    Wolfe Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    160
    Signature databases. Happens to all antiviruses - sometimes one runs behind, sometimes another. Submitting the files to all vendors does help.

    Here's a random (by now outdated) example:

    Wolfe
     

  16. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Yeah, I got that point, but why point out avast!?

    This sounds like something very negative for avast!, but it isn't if Norton and Dr.Web (for example) miss all of them too.
     
  17. Wolfe

    Wolfe Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    160
    Could have been any antivirus.


    This is no contest; next time someone will post one and the same about NOD32, Dr.Web or Kaspersky.

    Wolfe
     
  18. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    "Trojan.Downloader.XX", " TrojanDropper.Win32.Agent.XX", etc. sounds like Adware. It is almost surely adware samples. Symantec 8.0 {the version used in the online test} does *NOT* detect Adware. So this is hardly a fair test for Symantec, IMHO. I wish the online test would upgrade to the latest version which does include Adware, Spyware, Expanded Threats. ;)
     
  19. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    @Wolfe
    I'm very aware of this trust me.

    I just wanted to point out that instead:
    He should just use:
    Sounds different, doesn't it? Much more neutral? I think so.
     
  20. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Yes I agree...but the big deal here is that many new samples are being missed by many AV vendors. This is BAD, real bad.
     
  21. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Yes but did anyone notice my previous comment? Several of these "new" samples are not classic viral samples, or they don't appear to be; they appear to be adware or spyware. Not all the AVs detect this class of malware in their normal bases or signatures; some, like Symantec and I suspect others, have added signatures for these but only the latest engine will use those added signatures to detect the expanded threats. One must be careful not to compare apples and oranges. Just my humble two cents .. ;)
     
  22. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    Stamford, CT
    I stated Avast! missed them also because most AVs overlap between the two test sites, except for Avast and MKS I believe, and because I was using Avast as a scanner on one of my PCs at the time. There is no attack on any AV vendor; I am simply pointing the fact out because I did not post the screen caps of a Jotti scan. I don't care who you choose as an AV vendor, these being missed is not a good thing, and hopefully the definitions will be updated soon.

    //EDIT//
    Also, Norman's sandbox stated most if not all of these executables will download a file to the system32 dir, replacing a Windows file and executing a process at system start. A Regmon will catch most, but this was simply an example, as I stated in the very first paragraph of this thread.
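
    The behaviour the sandbox report describes (drop a file into system32, then register it to run at startup) and the remark that Regmon would catch it, as an added example that is not part of the post and not Norman's or Sysinternals' code: a small Python detector that reads monitor output and flags writes to autostart registry locations and to files under system32, then correlates the two so that a Run entry pointing at a file the same process just dropped is reported as a persisted dropper rather than two unrelated events. The tab-separated column layout (seq, time, process:pid, request, path, result, extra), the request names and the log lines themselves are constructed for the example and are an assumption about what Regmon and its sibling Filemon export; real exports vary by version.

```python
import re
from dataclasses import dataclass

# Autostart locations, matched against lower-cased registry paths. Assumption:
# this short list covers only the common Run/RunOnce, Winlogon and service
# ImagePath entries; a production detector would carry a much longer list.
AUTOSTART_PATTERNS = [re.compile(p) for p in (
    r"\\windows\\currentversion\\run(once|onceex|services)?\\",
    r"\\windows nt\\currentversion\\winlogon\\(shell|userinit|notify)",
    r"\\currentcontrolset\\services\\[^\\]+\\imagepath$",
)]
REG_WRITE_REQUESTS = {"setvalue", "createkey"}               # assumed Regmon request names
FILE_WRITE_REQUESTS = {"create", "write", "setinformation"}  # assumed Filemon request names
SYSTEM32 = "\\system32\\"


@dataclass
class Finding:
    seq: int
    process: str
    kind: str   # "system32_write", "autostart" or "autostart_of_dropped_file"
    path: str
    data: str


def parse_line(line: str):
    """Split one tab-separated monitor line into a dict; returns None for
    short lines and for operations that did not succeed (they changed nothing)."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 6:
        return None
    seq, _time, process, request, path, result = parts[:6]
    extra = parts[6] if len(parts) > 6 else ""
    if result.upper() != "SUCCESS":
        return None
    return {"seq": int(seq), "process": process, "request": request.lower(),
            "path": path, "extra": extra}


def is_autostart(path: str) -> bool:
    p = path.lower()
    return any(rx.search(p) for rx in AUTOSTART_PATTERNS)


def analyze(lines):
    """Two passes: first learn which process wrote which files under system32,
    then walk the log in order and classify each write, upgrading an autostart
    entry whose value data names one of that process's dropped files."""
    events = [e for e in map(parse_line, lines) if e]
    dropped = {}
    for e in events:
        if e["request"] in FILE_WRITE_REQUESTS and SYSTEM32 in e["path"].lower():
            dropped.setdefault(e["process"], set()).add(e["path"].lower())
    findings = []
    for e in events:
        req, path = e["request"], e["path"]
        if req in FILE_WRITE_REQUESTS and SYSTEM32 in path.lower():
            findings.append(Finding(e["seq"], e["process"], "system32_write", path, e["extra"]))
        elif req in REG_WRITE_REQUESTS and is_autostart(path):
            data = e["extra"].strip().strip('"').lower()
            kind = "autostart"
            if any(data.startswith(f) for f in dropped.get(e["process"], ())):
                kind = "autostart_of_dropped_file"
            findings.append(Finding(e["seq"], e["process"], kind, path, e["extra"]))
    return findings


# Constructed log: a dropper writing into system32 and registering itself under
# Run, mixed with benign registry and file activity that must not be flagged.
SAMPLE_LOG = "\n".join("\t".join(f) for f in [
    ("101", "10:21:02", "updater.exe:1888", "CREATE", r"C:\WINDOWS\system32\wuauclt2.exe", "SUCCESS", "Options: Overwrite"),
    ("102", "10:21:02", "updater.exe:1888", "WRITE", r"C:\WINDOWS\system32\wuauclt2.exe", "SUCCESS", "Offset: 0 Length: 24576"),
    ("103", "10:21:03", "updater.exe:1888", "SetValue", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuauclt", "SUCCESS", r'"C:\WINDOWS\system32\wuauclt2.exe"'),
    ("104", "10:21:03", "updater.exe:1888", "QueryValue", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable", "SUCCESS", "0x0"),
    ("105", "10:21:05", "explorer.exe:1304", "SetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "SUCCESS", "0x1"),
    ("106", "10:21:07", "notepad.exe:2204", "WRITE", r"C:\Documents and Settings\dan\notes.txt", "SUCCESS", "Offset: 0 Length: 120"),
])


def analyze_sample():
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in analyze_sample():
        print(f"{f.seq} {f.process:18s} {f.kind:26s} {f.path} {f.data}")
```

    On the constructed log only the three dropper events are reported, and the Run entry comes out as autostart_of_dropped_file because its value data names the file the same process wrote two lines earlier. The correlation is the useful part: a lone write into system32 or a lone Run entry is routine on a Windows box, the pair from one process is what the sandbox report is describing.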
     
  23. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    hey Ran,

    I think you're right... It does seem to be spyware more than adware to me... One must see what comes up with the newer and extended bases.

    Thanks a lot for clarifying me.

    Regards,
    Firecat :)
     
  24. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    But if it is an expanded threat, the engine-version for Symantec used in the online test {your screenshot} won't detect it even if it is already in the signatures, or even if it is later added to the signatures after you submit the sample. That is my humble point. I suspect some other AVs may treat different classes of malware differently as well. ;)
     
  25. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    Stamford, CT
    I just checked this out, and they are still missed by SAV 9.03.1100 (MP1) with 3/23/2005 rev. 9 defs. I know they have not had time to update more than likely, so this is not surprising. :)
     