NOD32 Disabler Undetected for 6 months!

NOD32, (and not only-almost ALL AV products),are not able to detect it:
it's an AV killer specifically targeting NOD32,it circulates on the Net for at least 6 (!) months...
and even more,it has it's source code publicly available!
I really don't want to make guesses about "private" versions...

Personally,it took me LESS than half an hour to find it:just followed some links found in the Chasenet forum,
probably the most widely-known trojaner's forum,since they are the developers of Bifrost...

I wonder,not just for Eset...(their product is WAY better compared to others),
but for all major AV companies...do they ever EVEN use Google?
Because my experience has shown me that most of them,don't keep an eye on what's going on,
not even in the major VX/trojan/exploit boards and sites...
I've even seen sample trojans posted over at PacketStorm,to go undetected for years...

VirusTotal Results - 03.17.2007:
Ikarus T3.1.1.3 - Trojan-PWS.Win32.Delf.JS
All others,NADA...

(And no,I'm not advertising "Ikarus":there's been a lot of other samples that went undetected under it...)

Check here - Use Google Translate or whatever,it's in French:
hxxp://fahde.free.fr/bug/IPB/index.php?categoryid=8&p13_sectionid=3&p13_fileid=27
Also,this paper might be of interest...
hxxp://fahde.free.fr/bug/IPB/index.php?categoryid=11&p2000_articleid=8

P.S:Eset has been notified for this issue,by it's "Technical Support Request" web page.
I made the info..."public" here,because I believe that customers also have a RIGHT,
of knowing what's going for...over 6 months,
not only malware writers...(wouldn't call them "hackers" not even in their wildest dreams).

 

Yeah, sometimes I think AV providers are so focused on outdoing the next company, achieving the next VB100, and the like that they can fail to take care of business in their own back yard.

Every security vendor should be on the look for expoits designed to take specific advantage of their product. We have all busted on Microsoft about not doing this years.

Am aside to all this, if Microsoft did do a better job, there wouldn't be a security software industry...

 

Since a complaint has been posted here that we do not detect Trojan-PWS.Win32.Delf.JS detected by Ikarus, I take liberty to post here scan results from VirusTotal as an evidence that we actually detect it (perhaps it's a different file detected under the same name). Should a particular sample be undetected (no AV detects 100% of all threats), send it to samples[at]eset.com.

AhnLab-V3 2007.3.17.0 03.16.2007 no virus found
AntiVir 7.3.1.43 03.16.2007 DR/Delphi.Gen
Authentium 4.93.8 03.17.2007 no virus found
Avast 4.7.936.0 03.16.2007 Win32: Delf-DRV
AVG 7.5.0.447 03.16.2007 PSW.Generic3.NYW
BitDefender 7.2 03.17.2007 Generic.Malware.SB.5E3B8878
CAT-QuickHeal 9.00 03.15.2007 no virus found
ClamAV 0.90.1 03.17.2007 Trojan.Spy-450
DrWeb 4.33 03.17.2007 DLOADER.Trojan
eSafe 7.0.14.0 03.16.2007 suspicious Trojan/Worm
eTrust-Vet 30.6.3486 03.16.2007 Win32/Dowque!generic
Ewido 4.0 03.17.2007 Trojan.QQShou
FileAdvisor 1 03.17.2007 no virus found
Fortinet 2.85.0.0 03.17.2007 QQPass!tr.pws
F-Prot 4.3.1.45 03.17.2007 no virus found
F-Secure 6.70.13030.0 03.16.2007 W32/Malware.KJB
Ikarus T3.1.1.3 03.17.2007 Trojan-PWS.Win32.Delf.JS
Kaspersky 4.0.2.24 03.17.2007 no virus found
McAfee 4986 03.16.2007 PWS-QQPass.dll
Microsoft 1.2306 03.17.2007 no virus found
NOD32v2 2122 03.17.2007 probably a variant of Win32/Spy.Delf.PG
Norman 5.80.02 03.16.2007 W32/Malware.KJB
Panda 9.0.0.4 03.17.2007 Suspicious file
Prevx1 V2 03.17.2007 no virus found
Sophos 4.15.0 03.13.2007 no virus found
Sunbelt 2.2.907.0 03.16.2007 no virus found
Symantec 10 03.17.2007 Trojan.Adclicker
TheHacker 6.1.6.076 03.15.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.2 03.16.2007 suspected of Embedded.MalwareScope.Backdoor.Hupigon.10
VirusBuster 4.3.7:9 03.16.2007 no virus found

 

AntiNod32.exe has been uploaded to the offensivecomputing.net web site (a web site that all anti-virus developers should be aware of), locate the sample using the following info:

MD5SUM: 6ab22252dbd67d4080755118f053b552
SHA1SUM: c22d2ed9bcd2fc8edcc9426bda55f5af5f8a0a72
SHA256SUM: d2d2141f8aa1d670413795a25ff2a3f97af638ba47cdbdc0763c05ff252d6bb8

And I've also uploaded it to VirusTotal, Jotti's malware scan and Virus.Org. And in none of these sites, NOD32 is shown to detect this sample (nor any other program/vendor, except for Ikarus: "Trojan-PWS.Win32.Delf.JS" and Panda: "Suspicious file").

Anyway, ESET should have received the sample from these 3 sites (since they are all supposed to submit undetected samples), and if they for some bizarre reason haven't, they can easily find it at the Offensive Computing web site.

 

~Screenshot removed - See this post https://www.wilderssecurity.com/showpost.php?p=818225&postcount=2 - Ron

...yeap,MD5 and SHA-1 are the same as the ones posted by kjempen.
Didn't bother also checking the SHA-256 though...

I really don't see where's the problem for Eset to get a link of this sample...
the .rar file that contains the executable(along with it's source code),
is listed in the page/link that I posted in the very beginning of the thread...
Maybe there's a bit of confusion,because I changed the http prefix to hxxp?

Anyway,here's the full http directory index of the site,
it contains quite a few more..."interesting" vx-tools...
Seems like they know how to code stuff,but not how to tighten up their php... ;-)
(Unless of course they didn't care about it...on purpose).
hxxp://fahde.free.fr/bug/
Again,the http prefix is changed to hxxp,
in order to prevent people from directly clicking/linking to it...