Prevx and fake AVs

Discussion in 'Prevx Releases' started by shadek, Apr 29, 2010.

Thread Status:
Not open for further replies.
  1. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    Okay, I've been running tests the past few days with Prevx, and it indeed blocks most of the viruses and worms. But what's up with the Fake AVs? Any comments about these? The protection seems to be lacking here. Prevx only detects at most 1 out of 10 new samples. Shouldn't the age/popularity criteria (both set at max) stop these new samples from compromising my system? And in most cases you won't even see Prevx working down in the right corner of screen (it seems the fake AV passes right through the protection).

    Here's an example: WARNING!! DO NOT CLICK LINK!!!!! ~Link removed. No links to malware on the forum.~

    It just went right through, with all heuristic settings at max. That fake AV even managed to shut down Prevx.exe. I'm very concerned about this.

    Oh, and yeah, I did report the very same sample via e-mail to Prevx.
     
    Last edited by a moderator: Apr 29, 2010
  2. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    That one(123.exe) is either removed or has been changed to zaz.exe and definitely is a nasty bugger. Unfortunately, not a peep from prevx during the install and from a scan after install.

    And please don't say Eset's motto - "nothing covers 100%"
     
    Last edited by a moderator: Apr 29, 2010
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @shadek

    Well, interesting www :D :D

    @tobacco

    zaz.exe seems to have gone now, when i just checked. Couldn't find it or ANY other nasty in the parent directory either ? Those girls, err boys, must be good at something :D

    Yeah not on that www :D
     
  4. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    Yeah, it is one nasty bugger. I wonder what Prevx' response to this one is, as Prevx didn't even scan it before it was installed. :(
     
  5. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Fake AV's is a billion dollar a year business there are lots of people paying for this scareware it's been said that once the file has been detected they change the code enough and test it against Popular AV's to make sure they are not detected so it goes on and on!

    Have a look at this site: http://roguedatabase.net/RogueDL.php

    See I didn't say that no product is 100% Oh I just did :D

    TH
     
  6. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    It doesn't matter to me what you say Triple Helix :). The application just bypassed "World's strongest, fastest, most powerful security solution for those who want to be safe online" without any notification at all.

    And I, as a paying customer, would like to know how the malware wasn't even scanned by the "World's strongest, fastest, most powerful security solution for those who want to be safe online". :)
     
  7. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Believe me I do understand how you feel I wish that Prevx would stop all this stuff to but I'm just being realistic! I'm a paying user of Prevx & NOD32 & VIPRE for my VM's and I would love that even one of them would stop all malware it's just my opinion! Just think of the people out there that buy all this Fake stuff I really feel sorry for them 1 for buying it and 2 getting there computer hosed! At least we have common sense! ;)

    Regards,

    TH
     
  8. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    Yeah, I agree. I simply want to make Prevx an even greater program than it already is! :)

    Normally, I'd never be fooled install a fake-AV anyway, but sometimes I'm just curious if my anti-malware catches it (of course, running in a virtual environment).
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Our research team is currently looking closer at the samples but without sounding unnecessarily pessimistic, ESET is correct in saying that no product is perfect. Prevx sees more than 250,000 new programs every day and more than 30,000 brand new infections every day. Because of this, most of our resources are dedicated to finding threats before they emerge, which is quite a difficult task.

    Our goal is 100% detection and prevention but it is logically impossible to achieve,, although we can get very close :)
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The sample was definitely scanned, but it was likely scanned fast enough that the authenticating files screen wasn't shown. Rogue AVs are particularly difficult to identify by behavior as theyvgenerally don't exhibit malicious behavior, however we're working on a new behavioral engine which actually looks at the warning messages shown to determine if they appear to be excessive FUD, which can let us find rogue AVs very accurately.

    More on this in the near future... ;)
     
  11. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    I am glad you recieved the sample I sent you. And I am also very happy you have something working under the radar for us, the users! I love your program, even though I attack its flaws from time to time. But I guess that makes me a good user. :) Keep up the good work.
     
  12. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    PrevxHelp is right in that by their very nature rogue AVs/system tuners et al are often by themselves not malware. At most, they may contain buggy code. The one thing that is common to all of these is they want your money.

    It is extremely difficult and time-consuming to add these to a database in the normal way, but more and more anti-malware programs are playing catch-up. It's hard because the cybercriminals keep changing the executables. :/

    We're getting there. At one time, adware/spyware wasn't part of an AV's detection routine; now they all nearly have signatures for this category. The same is true for fraudulent security programs now, although the difficulty is in detecting something that isn't malicious per se.

    The best thing to do if you believe the program to be definitely a fraud is to submit it to the anti-malware vendor, which in this case is Prevx.
     
  13. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Your right Tony but there are many out there that have Trojans and other malware included as in 1 case I was testing and it killed all of the processes for my security programs for I wasn't able to use them or could not start them at all so I had to delete that copy of the VM that I was using!

    TH
     
  14. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Maybe your mind was preoccupied :p HeHe

    I still have that malware sitting on my D partition and was trying to upload it again to virustotal to check for new detections but Antivir keeps blocking me :(
     
  15. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    What an excellent idea,great thinking outside the box there.:thumb:
     
  16. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    Yeah, but to summarize what I meant; this malware sample I posted about was a one of the meanest buggers out there. It went straight past the HIPS, PAC and Prevx. It terminated all those processes plus more and the only way to recover was to reboot and shut down the virtual machine.

    Once again, I am glad Prevx are working on a solution for these rouge AVs.
     
  17. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    O boy, all these rouge AVs at Malware Domain list keep getting right through all protection! Thought the age/popularity heuristics would stop them eventually! :ninja:
     
  18. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    Do you know by saying that you just complimented the malware writter. Just imagine the kind of satisfaction and pride he or she would have just by reading your post. :D

    Thanks.
     
  19. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    I think most security companies are ignoring the significance of the rogue threat. If memory serves me right I remembered during the stone age all security companies were ignoring the spyware threat and they slowly moved and created a new product separate from their antivirus offerings. Customers, during that time, were able to buy two different products anti-virus and anti-spyware. Now they integrated these same products into one engine.

    Now back to the modern age. Some companies for example Symantec and TrendMicro have learned their lessons from the stone age and come up with an igenious :D way to combat malware especially quite powerful against rogue. Such a technology is called file reputation. Of course I tested these two products already in my VM with a sample of about 30 rogues and NIS 2010 was able to deal with them all. TrendMicro was able to block them at the source itself, their domains.

    Thanks.
     
  20. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    Yeah. But Prevx also has this 'reputation'-system going. But it does not seem to help at all against these rouge AVs. I thought Prevx was supposed to have a age/popularity criteria before execution of file. Even these criterias set at max won't help. Is it a bug? New files for the Prevx-cloud, shouldn't these be stopped with these settings?
     
    Last edited: May 1, 2010
  21. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    normaly yes. you can try it :)
     
  22. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    I did, on every new rouge AV posted on Malware Domain list.
     
  23. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    sorry i understand it wrong.
     
  24. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    what I dont understand and yes they are dangerous. They can kill your internet connection bad. But when you click on a site that has one, it has to install something. Should Prevx at least not warn you that something is being or getting ready to be installed and give you the choice to stop it. Most could be defeated this way.
     
  25. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    703
    Enter the AntiExecutable.
    I have played a bit with these rogue/fake AV/AM and most have got past everything except an AE which stops them dead. Prevx will run alongside Returnil 2010 without problems and OA can also be configured as an AE.
    Zemana has hips which alert you to anything trying to install, Prevx needs something on those lines in my opinion.
     
Thread Status:
Not open for further replies.