NOD32 AMON and IMON not detecting Dropper.pakes

Discussion in 'NOD32 version 2 Forum' started by MFB, Sep 4, 2006.

Thread Status:
Not open for further replies.
  1. MFB

    MFB Registered Member

    Joined:
    Sep 4, 2006
    Posts:
    8
    Hi,

    Going to this http://www.eset.com/support/faq1.php?id=1066 will give you info on how to test if AMON or IMON is working. I'm glad it works and the protection is comforting. Going to a site known for trojans disguised as keygens http://www.seriall.com/?s=dropper.pakes , click on the file. Ideally, NOD32 (AMON or IMON) should block the download as it's a trojan. But, it allows it to be downloaded on your PC. If you run the exe file, NOD32 still allows it.

    Is this a bug or is it just that NOD32 doesn't recognize this? After downloading it and scanning the file, NOD32 doesn't detect it's a trojan. Using ewido, it declares it as dropper.pakes and cleans it.

    Let me know if you get the same result with NOD32.
     
    Last edited by a moderator: Sep 4, 2006
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Please be cautious when posting links to sites such as that. We ask that you make such links un-clickable so as not to possibly infect others. Please.

    Thanks,
    Bubba
     
  3. MFB

    MFB Registered Member

    Joined:
    Sep 4, 2006
    Posts:
    8
    Sorry about that.


    So why isn't it being detected by NOD32?
     
  4. ASpace

    ASpace Guest

    Generally NOD32 has an excellent detection rate for all kinds of threats. NOD32 is more than perfect when dealing with unknown malware.
    ESET does add malware on a priority basis (more here) and I think they give droppers lower priority than other malware because all dropped files are later detected either by signatures or by ThreatSense (R) (Advanced Heuristics)

    Moreover, keygens are not important at all because only a user who is using or intends to use illegal software downloads/uses keygens

    I would recommend you check your NOD32 settings and later, please write an email to ESET's Tech Support, support@eset.us
    Provide them with details about what you have tested and also with a link to this thread


    Good luck ! :thumb:
     
    Last edited by a moderator: Sep 7, 2006
  5. MFB

    MFB Registered Member

    Joined:
    Sep 4, 2006
    Posts:
    8
    Hi,

    Thanks for the reply. I'm just posting a vulnerability I found with IMON and AMON. I will be following your advice, thanks for the links.


    Mark
     
  6. ASpace

    ASpace Guest

    You are welcome !
     
  7. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    I downloaded the file in question. It's apparently a new variant of the trojan dropper Pakes.
    I'll try to see if the dropped malware is detected by NOD32. If that's the case, then adding detection for the dropper itself isn't so important.
    PS: I sent malware to Eset labs.
     
  8. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    Boy I am glad that not everyone thinks like that.
    Since now I will take this file and send it as an attachment to 5000000 people and call it mywetsweet18yearoldbody.exe and see how many people will execute this with intent to use illegal software?

    All malware should be treated with equal weight or else what's the point of having an anti-malware system. How certain are you that this given malware will be limited to keygen-only sites? o_O
     
  9. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    ^ Agreed.
     
  10. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Detecting keygens is not important, but if it contains any real malware (like a trojan) then that should be detected.
     
  11. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Agreed too. Malware needs to be detected even if it's only published on an illegal site.
     
  12. Suggers

    Suggers Guest

    I also agree. I notice that ESET don't always add Trojan-downloaders that I submit, either through quarantine or samples(at)eset.com, probably because the file that the trojan downloads is already detected. But I'd rather see everything detected, because the trojan-downloader can still spread if it is not detected, and it is still sitting dormant on a PC.
     
  13. MFB

    MFB Registered Member

    Joined:
    Sep 4, 2006
    Posts:
    8
    Thanks to those who participated in this thread. I hope ESET takes action on this new variant.
     
  14. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I've just dug a little into this malware and after running it I found it drops a .dll in Windows/system32 and creates 2 .tmp files in Docs and Settings.

    Here is the scan result from Avira, which found Trojan.PCK.Klone.G.
    NOD says nothing about them. :(
     

  15. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Please submit the files for analysis and they will be added according to priority - you know the procedure :D (mostly DLLs are nothing without something to operate them)

    Cheers :)
     
  16. Suggers

    Suggers Guest

    See post 7, samples have already been sent.

    Cheers
    Suggers
     
  17. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    This thread has been here 4 days.... I think ESET knows about it already. I'm sending them right now... but according to their priorities it will be added in about 2 weeks perhaps. :rolleyes:

    And there are 2 .bat files there apart from those .tmp and .dll files. ;)

    EDIT: I've seen post 7 also now. Thanks Suggers.
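    As an added illustration (not part of the thread, and not ESET's or any poster's code), the Python below shows the snapshot-and-diff check a defender would run in a sandbox to enumerate exactly what a dropper leaves behind: hash every file under the watched directories before running the sample, hash again afterwards, and flag new or changed .dll, .tmp and .bat files, the three artifact types pykko reports in posts 14 and 17. The directory layout and file contents are constructed stand-ins for Windows\system32 and Documents and Settings, not the real dropped files, and the "dropper" step is simulated by writing files directly.

```python
import hashlib
import tempfile
from pathlib import Path

# Artifact extensions reported in the thread (.dll in system32, .tmp and .bat in the profile).
INTERESTING = {".dll", ".tmp", ".bat"}


def snapshot(roots):
    """Map every file under the given roots to (size, sha256) so content changes are visible."""
    state = {}
    for root in roots:
        for path in Path(root).rglob("*"):
            if path.is_file():
                data = path.read_bytes()
                state[str(path)] = (len(data), hashlib.sha256(data).hexdigest())
    return state


def diff_snapshots(before, after):
    """Compare two snapshots and report added, modified and removed paths."""
    added = sorted(p for p in after if p not in before)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    removed = sorted(p for p in before if p not in after)
    return {"added": added, "modified": modified, "removed": removed}


def flag_dropped(changes):
    """Return added or modified files whose extension matches the artifact types seen in the thread."""
    candidates = changes["added"] + changes["modified"]
    return sorted(p for p in candidates if Path(p).suffix.lower() in INTERESTING)


def demo():
    """Run the check against a constructed sandbox layout; returns (flagged file names, number added)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-ins for the two directories pykko names; nothing here is a real system path.
        system32 = Path(tmp, "Windows", "system32")
        profiles = Path(tmp, "Documents and Settings", "user")
        system32.mkdir(parents=True)
        profiles.mkdir(parents=True)
        (system32 / "kernel32.dll").write_bytes(b"pre-existing file, constructed")

        before = snapshot([system32, profiles])

        # Simulated side effects of the sample (constructed placeholder contents, not real payloads):
        # one .dll in system32, two .tmp files and a .bat in the profile, plus one benign text file.
        (system32 / "dropped.dll").write_bytes(b"constructed dropped library")
        (profiles / "~tmp1.tmp").write_bytes(b"constructed temp 1")
        (profiles / "~tmp2.tmp").write_bytes(b"constructed temp 2")
        (profiles / "run.bat").write_bytes(b"@echo constructed")
        (profiles / "notes.txt").write_bytes(b"benign, should not be flagged")

        after = snapshot([system32, profiles])
        changes = diff_snapshots(before, after)
        flagged = flag_dropped(changes)
        return [Path(p).name for p in flagged], len(changes["added"])


if __name__ == "__main__":
    names, added_count = demo()
    print(f"{added_count} new files; flagged artifacts: {names}")
```

    The point of hashing rather than just listing names is the "modified" bucket: a dropper that overwrites an existing DLL in place would never show up in a name-only diff, and that bucket is also what you would attach to a sample submission so the analyst knows which on-disk files belong together.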
     
  18. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    No one can be absolutely certain that any samples they have are exactly the same as what another has already sent.

    If you have something that isn't detected that you think should be then it's always better to send it for analysis anyway with as much relevant information as possible including a link to any thread where it is discussed. That way even if it is the same it gives ESET a better idea of how prevalent a threat may be and helps them to better prioritise.

    Even using 'Submit for analysis' from within quarantine must at least register a count even if ESET already have an identical sample.

    Cheers :)
     
  19. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I've sent it. Let's see what happens....
    EDIT: They have been added. See here...
     

    Last edited: Sep 8, 2006
  20. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    and the .dll being dropped.
     

  21. ASpace

    ASpace Guest

    This is great news !
     
  22. MFB

    MFB Registered Member

    Joined:
    Sep 4, 2006
    Posts:
    8

    I don't see the .dll warning. IMON, though, blocks the site altogether. I just adjusted compatibility to maximum efficiency.
     

  23. Lollan

    Lollan Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    288

    Check your threat log for AMON entries with the intrusion; you may have it set up to "clean automatically". You can check this by going to AMON > Setup > Actions and seeing where the tick is placed under "If an infiltration is detected".
     
  24. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I ran this file in my sandbox and it dropped the .dll. You won't see it because NOD32 already blocks the .exe generating the .dll. ;)
     
  25. MFB

    MFB Registered Member

    Joined:
    Sep 4, 2006
    Posts:
    8
    I hope in the future ESET will just act on quarantine files sent to them rather than having to resort to getting help from the forums.
     