NOD32 Disabler Undetected for 6 months!

Discussion in 'NOD32 version 2 Forum' started by sowhat, Mar 17, 2007.

Thread Status:
Not open for further replies.
  1. sowhat (Registered Member; joined Jan 9, 2006; 31 posts)
    NOD32 (and not only NOD32: almost ALL AV products) is not able to detect it:
    it's an AV killer specifically targeting NOD32, and it has been circulating on the Net for at least 6 (!) months...
    and even more, it has its source code publicly available!
    I really don't want to make guesses about "private" versions...

    Personally, it took me LESS than half an hour to find it: I just followed some links found in the Chasenet forum,
    probably the most widely-known trojaner's forum, since they are the developers of Bifrost...

    I wonder, not just about Eset... (their product is WAY better compared to others),
    but about all major AV companies... do they ever EVEN use Google?
    Because my experience has shown me that most of them don't keep an eye on what's going on,
    not even on the major VX/trojan/exploit boards and sites...
    I've even seen sample trojans posted over at PacketStorm go undetected for years...

    VirusTotal Results - 03.17.2007:
    Ikarus T3.1.1.3 - Trojan-PWS.Win32.Delf.JS
    All others, NADA...

    (And no, I'm not advertising "Ikarus": there have been a lot of other samples that went undetected under it...)

    Check here - Use Google Translate or whatever, it's in French:
    hxxp://fahde.free.fr/bug/IPB/index.php?categoryid=8&p13_sectionid=3&p13_fileid=27
    Also, this paper might be of interest...
    hxxp://fahde.free.fr/bug/IPB/index.php?categoryid=11&p2000_articleid=8

    P.S: Eset has been notified of this issue via its "Technical Support Request" web page.
    I made the info... "public" here, because I believe that customers also have a RIGHT
    to know what's been going on for... over 6 months,
    not only malware writers... (I wouldn't call them "hackers", not even in their wildest dreams).
     
    Last edited: Mar 17, 2007
  2. ejr (Registered Member; joined Nov 19, 2005; 538 posts)
    Yeah, sometimes I think AV providers are so focused on outdoing the next company, achieving the next VB100, and the like that they can fail to take care of business in their own back yard.

    Every security vendor should be on the lookout for exploits designed to take specific advantage of their product. We have all busted on Microsoft about not doing this for years.

    As an aside to all this, if Microsoft did do a better job, there wouldn't be a security software industry...
     
  3. Marcos (Eset Staff Account; joined Nov 22, 2002; 14,374 posts)
    Since a complaint has been posted here that we do not detect Trojan-PWS.Win32.Delf.JS as detected by Ikarus, I take the liberty of posting here the scan results from VirusTotal as evidence that we actually detect it (perhaps it's a different file detected under the same name). Should a particular sample be undetected (no AV detects 100% of all threats), send it to samples[at]eset.com.

    Engine / Version / Definitions date / Result
    AhnLab-V3 2007.3.17.0 03.16.2007 no virus found
    AntiVir 7.3.1.43 03.16.2007 DR/Delphi.Gen
    Authentium 4.93.8 03.17.2007 no virus found
    Avast 4.7.936.0 03.16.2007 Win32: Delf-DRV
    AVG 7.5.0.447 03.16.2007 PSW.Generic3.NYW
    BitDefender 7.2 03.17.2007 Generic.Malware.SB.5E3B8878
    CAT-QuickHeal 9.00 03.15.2007 no virus found
    ClamAV 0.90.1 03.17.2007 Trojan.Spy-450
    DrWeb 4.33 03.17.2007 DLOADER.Trojan
    eSafe 7.0.14.0 03.16.2007 suspicious Trojan/Worm
    eTrust-Vet 30.6.3486 03.16.2007 Win32/Dowque!generic
    Ewido 4.0 03.17.2007 Trojan.QQShou
    FileAdvisor 1 03.17.2007 no virus found
    Fortinet 2.85.0.0 03.17.2007 QQPass!tr.pws
    F-Prot 4.3.1.45 03.17.2007 no virus found
    F-Secure 6.70.13030.0 03.16.2007 W32/Malware.KJB
    Ikarus T3.1.1.3 03.17.2007 Trojan-PWS.Win32.Delf.JS
    Kaspersky 4.0.2.24 03.17.2007 no virus found
    McAfee 4986 03.16.2007 PWS-QQPass.dll
    Microsoft 1.2306 03.17.2007 no virus found
    NOD32v2 2122 03.17.2007 probably a variant of Win32/Spy.Delf.PG
    Norman 5.80.02 03.16.2007 W32/Malware.KJB
    Panda 9.0.0.4 03.17.2007 Suspicious file
    Prevx1 V2 03.17.2007 no virus found
    Sophos 4.15.0 03.13.2007 no virus found
    Sunbelt 2.2.907.0 03.16.2007 no virus found
    Symantec 10 03.17.2007 Trojan.Adclicker
    TheHacker 6.1.6.076 03.15.2007 no virus found
    UNA 1.83 03.16.2007 no virus found
    VBA32 3.11.2 03.16.2007 suspected of Embedded.MalwareScope.Backdoor.Hupigon.10
    VirusBuster 4.3.7:9 03.16.2007 no virus found
     
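The two VirusTotal listings in this thread (sowhat's and Marcos's) disagree, which is exactly the case where a practitioner wants to turn the raw "engine version date result" text into a detection count and a per-engine lookup instead of eyeballing 30 lines. The script below is an added example, not code from the thread or from VirusTotal; the input lines are copied from the listing above into a constructed sample, the "no virus found" clean marker and the list of heuristic-verdict substrings ("probably", "suspicious", ...) are assumptions of this example, not VirusTotal's own classification.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a handful of lines in the "engine version date result"
# layout of the VirusTotal listing quoted in the thread (values copied from it).
SAMPLE_RESULTS = """\
AhnLab-V3 2007.3.17.0 03.16.2007 no virus found
AntiVir 7.3.1.43 03.16.2007 DR/Delphi.Gen
Avast 4.7.936.0 03.16.2007 Win32: Delf-DRV
Ikarus T3.1.1.3 03.17.2007 Trojan-PWS.Win32.Delf.JS
Kaspersky 4.0.2.24 03.17.2007 no virus found
NOD32v2 2122 03.17.2007 probably a variant of Win32/Spy.Delf.PG
Panda 9.0.0.4 03.17.2007 Suspicious file
VirusBuster 4.3.7:9 03.16.2007 no virus found
"""

# Engine and version are single tokens, the date is mm.dd.yyyy, and everything
# after the date is the verdict string (which may itself contain spaces).
LINE_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<date>\d{2}\.\d{2}\.\d{4})\s+(?P<result>.*)$"
)

# Verdict strings that mean "clean" (assumption: VT printed "no virus found" at the time).
CLEAN_RESULTS = {"no virus found", "-", ""}

# Substrings that mark a heuristic/generic hit rather than a named signature.
# This list is an assumption for the example, not VirusTotal's classification.
HEURISTIC_MARKERS = ("probably", "suspicious", "suspected", "generic", "heur")


@dataclass(frozen=True)
class Verdict:
    engine: str
    version: str
    date: str
    result: str

    @property
    def detected(self) -> bool:
        return self.result.strip().lower() not in CLEAN_RESULTS

    @property
    def heuristic(self) -> bool:
        lowered = self.result.lower()
        return self.detected and any(m in lowered for m in HEURISTIC_MARKERS)


def parse_line(line: str) -> Verdict:
    """Parse one listing line; raise ValueError for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable VirusTotal line: {line!r}")
    return Verdict(m["engine"], m["version"], m["date"], m["result"].strip())


def parse_results(text: str) -> list:
    """Parse a whole listing, skipping blank lines."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def summarize(verdicts) -> dict:
    """Detection ratio plus which engines fired, split into signature and heuristic hits."""
    detected = [v for v in verdicts if v.detected]
    return {
        "total": len(verdicts),
        "detected": len(detected),
        "ratio": f"{len(detected)}/{len(verdicts)}",
        "signature": sorted(v.engine for v in detected if not v.heuristic),
        "heuristic": sorted(v.engine for v in detected if v.heuristic),
        "clean": sorted(v.engine for v in verdicts if not v.detected),
    }


def engine_result(verdicts, engine: str):
    """Look up one engine's verdict by name (case-insensitive); None if it is absent."""
    for v in verdicts:
        if v.engine.lower() == engine.lower():
            return v
    return None


if __name__ == "__main__":
    vs = parse_results(SAMPLE_RESULTS)
    print(summarize(vs))
    nod = engine_result(vs, "NOD32v2")
    print("NOD32 detects:", nod.detected if nod else "engine missing from listing")
```

Splitting hits into "signature" and "heuristic" matters for the argument in this thread: NOD32's "probably a variant of Win32/Spy.Delf.PG" is a heuristic verdict, so two listings of "the same" name can legitimately differ on a file that is not byte-identical, which is why the hashes in the next post are the thing to compare.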
  4. kjempen (Registered Member; joined May 6, 2004; 379 posts)
    AntiNod32.exe has been uploaded to the offensivecomputing.net web site (a web site that all anti-virus developers should be aware of); locate the sample using the following info:

    MD5SUM: 6ab22252dbd67d4080755118f053b552
    SHA1SUM: c22d2ed9bcd2fc8edcc9426bda55f5af5f8a0a72
    SHA256SUM: d2d2141f8aa1d670413795a25ff2a3f97af638ba47cdbdc0763c05ff252d6bb8

    And I've also uploaded it to VirusTotal, Jotti's malware scan and Virus.Org. On none of these sites is NOD32 shown to detect this sample (nor any other program/vendor, except for Ikarus: "Trojan-PWS.Win32.Delf.JS" and Panda: "Suspicious file").

    Anyway, ESET should have received the sample from these 3 sites (since they are all supposed to submit undetected samples), and if for some bizarre reason they haven't, they can easily find it on the Offensive Computing web site.
     
    Last edited by a moderator: Mar 17, 2007
  5. sowhat (Registered Member; joined Jan 9, 2006; 31 posts)
    ~Screenshot removed - See this post https://www.wilderssecurity.com/showpost.php?p=818225&postcount=2 - Ron

    ...yep, the MD5 and SHA-1 are the same as the ones posted by kjempen.
    Didn't bother also checking the SHA-256 though... ;)

    I really don't see where the problem is for Eset to get a link to this sample...
    the .rar file that contains the executable (along with its source code)
    is listed on the page/link that I posted at the very beginning of the thread...
    Maybe there's a bit of confusion because I changed the http prefix to hxxp?

    Anyway, here's the full http directory index of the site;
    it contains quite a few more... "interesting" vx-tools...
    Seems like they know how to code stuff, but not how to tighten up their php... ;-)
    (Unless of course they didn't care about it... on purpose).
    hxxp://fahde.free.fr/bug/
    Again, the http prefix is changed to hxxp
    in order to prevent people from directly clicking/linking to it...
     
    Last edited by a moderator: Mar 17, 2007
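kjempen posted three digests and sowhat confirmed only two of them, which is the usual way two people end up arguing about different files under one name. The script below is an added example, not code from the thread: it hashes a candidate sample with MD5, SHA-1 and SHA-256 in a single streaming pass and reports whether every posted digest matches, treating a partial check (only some algorithms supplied, or one mismatch) as "not the same file". The posted hashes are copied from the thread; the stand-in byte strings in the usage are constructed for the example and are not the real sample.

```python
import hashlib

# The three digests kjempen posted for AntiNod32.exe (copied from the thread).
POSTED_HASHES = {
    "md5": "6ab22252dbd67d4080755118f053b552",
    "sha1": "c22d2ed9bcd2fc8edcc9426bda55f5af5f8a0a72",
    "sha256": "d2d2141f8aa1d670413795a25ff2a3f97af638ba47cdbdc0763c05ff252d6bb8",
}

ALGORITHMS = ("md5", "sha1", "sha256")


def digest_stream(chunks, algorithms=ALGORITHMS) -> dict:
    """Feed every chunk to all hashers in one pass; return {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes, algorithms=ALGORITHMS) -> dict:
    """Convenience wrapper for in-memory data (e.g. a member extracted from an archive)."""
    return digest_stream([data], algorithms)


def digest_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20) -> dict:
    """Hash a file without loading it whole, so large samples and .rar bundles stay cheap."""
    def chunks():
        with open(path, "rb") as f:
            while True:
                block = f.read(chunk_size)
                if not block:
                    return
                yield block
    return digest_stream(chunks(), algorithms)


def compare(actual: dict, expected: dict) -> dict:
    """Per-algorithm match, case-insensitive and whitespace-tolerant.
    An algorithm present on only one side is reported as False, never silently skipped."""
    result = {}
    for name in set(actual) | set(expected):
        a = actual.get(name, "").strip().lower()
        e = expected.get(name, "").strip().lower()
        result[name] = bool(a) and a == e
    return result


def is_same_sample(actual: dict, expected: dict) -> bool:
    """True only if every digest matches. One mismatch means a different file (or a
    typo in the posted hash); checking MD5 and SHA-1 alone is not enough to say 'same'."""
    checks = compare(actual, expected)
    return bool(checks) and all(checks.values())


if __name__ == "__main__":
    import sys
    # Usage: python this_script.py <path to candidate sample>
    digests = digest_file(sys.argv[1])
    for name, value in digests.items():
        print(f"{name.upper()}: {value}")
    print("matches posted hashes:", is_same_sample(digests, POSTED_HASHES))
```

If only some of the algorithms line up, the file is by definition not the one that was posted; the remaining possibility, a transcription error in the post, is resolved by asking the poster for the digests again rather than by submitting the wrong sample to a vendor.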