Newer Virus samples, escaping most scanners

Newer Malware, escaping most scanners

Ok, first off I am no expert in this field, nor do I claim to be. But for the last few days I have been "surfing without protection" and I picked up a few nasties along the way which as you all will be able to see by the screens escaped most scanners, yes even Kaspersky. I am in the process of submitting them as I type this.
I am only going to post the screens of the Virus total scans as they are roughly the same as Jotti's. I did scan some more files but you all get the picture, be careful!
Just some food for thought.

http://www.zer0-tec.net/likuidkewl/22mar/vscan01-22mar.png
http://www.zer0-tec.net/likuidkewl/22mar/vscan02-22mar.png
http://www.zer0-tec.net/likuidkewl/22mar/vscan03-22mar.png

And yes Avast missed them all.

 

@ likuidkewl- Interesting & disturbing data. Thanks for posting it.

@ All- I note that Sybari did well in these 3 cases. Is it true that Sybari has been bought by Microsoft? Is the Sybari AV available for trial & purchase? Does anyone here have experience &/or further information concerning this relatively unknown AV?

 

If I am not mistaken...Sybari was bought by Microsoft, however, it is for the "enterprise" versions. I am not sure IF or WHEN Microsoft will begin rolling out their version OR if it will be available for the SOHO home user.
As noted here
Hope that helps
Cheers

 

Sybari donot produce AntiVirus for Desktop.
However, they actually licensed 8 AV Engines in their products (E-Mail Gateway Products)

 

For Sybari, you can see it's KAV & McAfee component in action in the 2nd two screenshots. No idea which engine Sybari used in the first screenshot though.

 

Can you test these samples for 1 week again?

Just to see who would add them!

 

I will submit them again this coming weekend.

 

The third Sybari detection was propably detected by VET engine. Here is a former version of that "Win32.SillyDI" by VET.

Best regards,
Firefighter!

 

I see you're submitting them inside rar files. You're really only testing the program's ability to scan inside rar archives.

 

Also the file in the 3rd screen cap was not caught by anything on Jotti's page, even the Norman Sandbox had no idea what it was. Although, the Sandbox did pick up most of the others. I was amazed that NOD missed so many, un-archived samples, the archives I am not surprised about. As I am also surprised with BD's Heuristic check.

EDIT//
Seems we were posting at the same time:

I submitted them first without any archiving, and then again with them archived, and the results didn't change.

 

How did GData fare against them?

 

Haven't tried yet as the test machine, was a fresh image with only BD7.2. But from the ScreenCaps I think we can conclude it would have missed the last one atleast, as now the virii have been submitted it might be a mute point to check them against GData, but I will try to later tonight anyhow.

 

Why did you said that avast! missed them all? Like thats a bad thing. Just look at heavy weights like DrWeb or Symantec. They both missed all samples too.
So,whats the deal?

 

the deal is that new samples are being missed and our PCs are at risk!

 

Signatures databased. Happens to all antiviruses - sometimes one runs behind, sometimes another. Submitting the files to all vendors does help.

Here's a random (in the meanwhile outdated) example:

Wolfe

 

Yeah i got that point,but why pointing out avast! ?

This sounds like something very negative for avast!,but it isn't if Norton and Dr.Web (for example) miss all og them too.

 

Could have been any antivirus.

This is no contest; next time someone will post one and the same about NOD32, Dr.Web or Kaspersky.

Wolfe

 

"Trojan.Downloader.XX", " TrojanDropper.Win32.Agent.XX", etc. sounds like Adware. It is almost surely adware samples. Symantec 8.0 {the version used in the online test} does *NOT* detect Adware. So this is hardly a fair test for Symantec, IMHO. I wish the online test would upgrade to the latest version which does include Adware, Spyware, Expanded Threats.

 

@Wolfe
I'm very aware of this trust me.

I just wanted to point out that instead:

He should just use:

Sounds different doesn't it? Much more neutral? I think so.

 

Yes I agree...but the big deal here is that many new samples are being missed by many AV vendors. This is BAD, real bad.

 

Yes but did anyone notice my previous comment? Several of these "new" samples are not classic viral samples, or they don't appear to be; they appear to be adware or spyware. Not all the AVs detect this class of malware in their normal bases or signatures; some, like Symantec and I suspect others, have added signatures for these but only the latest engine will use those added signatures to detect the expanded threats. One must be careful not to compare apples and oranges. Just my humble two cents ..

 

I stated Avast! missed them also due to the fact that most AV's over-lap between the two test sites, except for Avast and MKS I believe. And because I was using avast as a scanner on one of my pc's at the time. There is no attack on any AV vendor, just simply pointing the fact out due to the fact that I did not post the screen caps of a Jotti scan. I don't care who you choose as a AV vendor these being missed is not a good thing, and hopefully soon the definitions will be updated soon.

//EDIT//
Also normans sandbox stated most if not all of these executables will download a file to the system32 dir replacing a windows file and executing a process at the system start, a regmon will catch most, but this was simply an example as I stated in the very first paragraph of this thread.

 

hey Ran,

I think your right...It does seem to be Spyware more than Adware to me...One must see what comes up with the newer and extended bases.

Thanks a lot for clarifying me.

Regards,
Firecat

 

But if it is an expanded threat, the engine-version for Symantec used in the online test {your screenshot} won't detect it even if it is already in the signatures, or even if it is later added to the signatures after you submit the sample. That is my humble point. I suspect some other AVs may treat different classes of malware differently as well.

 

I just checked this out, and they are still missed by SAV 9.03.1100 (MP1) with 3/23/2005 rev. 9 defs. I know they have not had time to update more than likely, so this is not suprising.