Rogue Antivirus Still getting through

Discussion in 'ESET Smart Security' started by dwmtractor, Mar 31, 2010.

Thread Status:
Not open for further replies.
  1. dwmtractor

    dwmtractor Registered Member

    Joined:
    Dec 9, 2009
    Posts:
    46
    Location:
    San Jose, CA
    I know we've been over this before, but I have to raise the alarm again. I have a running copy of ESS 4.0.467 with current definitions 4989, that got another drive-by download of ave.exe. This particular version is detected on VirusTotal by Symantec, F-Prot, and Avast! among others, but not by ESS (see ~Virus Total link removed per Policy.~ for report).

In this case the user in question must've hit an infected site he found thru a Google search. He swears he never saw a popup; he's running IE 8 on a fully-patched XP SP3, and he is NOT an admin-rights user (or even a power user). This is a true drive-by download, behind a corporate firewall (though no proxy), and his first indication of a problem was when pdf files wouldn't open in Acrobat without throwing a weird error on the screen (which, sorry to say, I forgot to record).

    I have submitted the sample to ESET (hey Marcos), but the broader issue remains: ESS is dropping the ball rather badly on rogue AV programs which display remarkably similar behavior. All of the snarky clean computing comments aside (and I know they're coming), our security software should do better than this. I just bought 135 licenses of the &^%$ thing, and I'm getting pressure from higher-ups for having sold them on an inadequate product. :mad: It's high time the development team take this recurring threat seriously instead of engaging in the usual "nobody's perfect" and blame-the-victim games.
     
    Last edited by a moderator: Mar 31, 2010
  2. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Hi,

    Before trying to help you let's make something clear: VT links are not permitted here per policy.

    Secondly, each ROGUE AV [ Fake AV or whatever you may call it] is not just the same installer over time. The people who wrote these sneaky programs constantly keep changing the MD5 of these programs which translates to NEW VARIANTS of the same Fake AV.

    For example, for the last two months I have been submitting to ESET the installer for a Rogue AV named “SECURITY TOOL”. The thing is that even from the same IP Address where this Malware can be downloaded, every time you click on the link a NEW variant is downloaded with a totally different MD5.
    This translates to thousands of variants of the SAME Fake AV.

    It's nearly IMPOSSIBLE to keep up with so many variants of these nasties.
    So, my approach would be a layered protection that should start by Sandboxing your web browser [e.g.: using Sandboxie, DW, GW or ZA Forcefield], using Mozilla Firefox with NoScript extension and installing a dedicated free antispyware application [ the free version of MBAM should do the trick here].

    So, try starting to implement these suggestions and I strongly believe you will minimize the chances of getting hit again by these Fake AVs.

    By the way, I have seen Avira, Avast!, Norton, McAfee and other AVs also missing some Fake AVs, not just ESET NOD32.


    Regards,

    Carlos
     
  3. dwmtractor

    dwmtractor Registered Member

    Joined:
    Dec 9, 2009
    Posts:
    46
    Location:
    San Jose, CA
    And this is the very sort of response that is why many users are still upset. This computer is in a corporate environment, and unfortunately requirements from some of our major suppliers require that we use Internet Explorer because they have some bogus ActiveX controls that are required. SandboxIE won't even work, because some of these controls require access to the local drive for downloading and uploading of files. For geeks like me and you (and I use the term "geek" as a compliment), this sort of strategy works. For corporate users in a corporate network they do not.

    I understand that the MD5 changes, but the BEHAVIOR is similar in several significant ways--which is theoretically why heuristics are supposed to add protection that signature-based scanning cannot.

    And I wonder about so many ESET users advertising MBAM. If MBAM is so &^%$ good, then why not buy it instead of ESS? And if MBAM can find the badware, why can't ESS?

    I'm not enough of a programmer to reduce this stuff to the level it should--but ANY browser-spawned process that attempts to write to the registry should be blocked, or at least interrogated. In this day and age, ANY antivirus/antimalware program should do this, and I haven't even heard a bad excuse, let alone a good one, why ESS doesn't. And don't start in on social engineering. Some of my users are that dumb, but the one who was affected today is not. If he told me there were no popups, then there were no popups.

    It's time to stop issuing excuses and have some serious answers from ESET staff as to why they ignore this obvious and ongoing threat in their heuristic engine.
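As an added illustration of the rule dwmtractor proposes above (a browser-spawned process writing to the registry should at least be interrogated), here is a small process-tree check that flags registry writes made by any process descended from a browser. This is example code, not code from the thread or from ESET; the event stream is a constructed Sysmon-like log, and the process names, PIDs and registry keys are made up for the example.

```python
import re

# Browser images whose descendants we treat as "browser-spawned".
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}

# Registry locations commonly abused for persistence or file-association
# hijacking; a browser-spawned write here is rated high, anything else medium.
PERSISTENCE_KEYS = [
    re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE),
    re.compile(r"\\shell\\open\\command$", re.IGNORECASE),
]

# Constructed event stream (not real telemetry). Event ids mirror Sysmon:
# 1 = process create, 13 = registry value set.
EVENTS = [
    {"id": 1, "pid": 1000, "ppid": 500, "image": "explorer.exe"},
    {"id": 1, "pid": 1200, "ppid": 1000, "image": "iexplore.exe"},
    {"id": 1, "pid": 1300, "ppid": 1200, "image": "ave.exe"},
    {"id": 13, "pid": 1300, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ave"},
    {"id": 13, "pid": 1300, "key": r"HKCU\Software\Classes\.exe\shell\open\command"},
    {"id": 13, "pid": 1300, "key": r"HKCU\Software\AVE\Settings\LastScan"},
    {"id": 1, "pid": 1400, "ppid": 1000, "image": "setup.exe"},
    {"id": 13, "pid": 1400, "key": r"HKLM\Software\Vendor\Product\Version"},
    {"id": 13, "pid": 1200, "key": r"HKCU\Software\Microsoft\Internet Explorer\Main\Window_Placement"},
]

def ancestors(pid, parents):
    """Yield parent, grandparent, ... of pid; stops at an unknown or repeated pid."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
        yield pid

def spawned_by_browser(pid, parents, images):
    """True if any ancestor (not the process itself) is a browser."""
    return any(images.get(a) in BROWSERS for a in ancestors(pid, parents))

def analyze(events):
    """Replay events in order; return alerts for browser-spawned registry writes."""
    parents, images, alerts = {}, {}, []
    for ev in events:
        if ev["id"] == 1:
            parents[ev["pid"]] = ev["ppid"]
            images[ev["pid"]] = ev["image"]
        elif ev["id"] == 13 and spawned_by_browser(ev["pid"], parents, images):
            hi = any(p.search(ev["key"]) for p in PERSISTENCE_KEYS)
            alerts.append({
                "pid": ev["pid"],
                "image": images.get(ev["pid"], "?"),
                "key": ev["key"],
                "severity": "high" if hi else "medium",
            })
    return alerts

if __name__ == "__main__":
    for a in analyze(EVENTS):
        print(f"[{a['severity']}] pid {a['pid']} ({a['image']}) wrote {a['key']}")
```

Only the writes by ave.exe (child of iexplore.exe) are flagged; the browser's own settings write and the explorer-launched setup.exe are left alone, which is the distinction a rule like this needs to avoid drowning in noise.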
     
  4. dwmtractor

    dwmtractor Registered Member

    Joined:
    Dec 9, 2009
    Posts:
    46
    Location:
    San Jose, CA
    I'm not saying they don't. I bought ESS because it's supposed to be BETTER, not merely as good as, these guys.

    Have you seen MBAM miss them?
     
  5. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,033
    Location:
    California
    Hello,

    When you come across a piece of malware which is not being detected properly, it is best to submit a copy of it to ESET's virus lab so that it can be added to the software.

    Undetected fake antivirus programs are treated as a high priority by the virus lab. If you review the threat signature updates over the last year or so you will note that almost every update contains updated detection for these rogue programs.

    For instructions on submitting undetected malware to ESET's virus lab, please see ESET Knowledgebase Article #141, "How to submit virus or potential false positive samples to ESET's labs." It would also be helpful if you ran ESET SysInspector on the computer on which the malware was found and included that in your submission.

    Regards,

    Aryeh Goretsky
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    MBAM cannot be compared to EAV/ESS in every aspect as it works on different principles. I'd bet that MBAM developers wouldn't claim they detect every single threat that ESET does and are able to clean files infected with viruses as ESET does.

    Thanks to advanced heuristics and generic signatures, ESET is able to cover dozens of thousands of new variants with a specific signature. No matter how heuristics or other detection techniques are good, there is no security solution that recognizes and blocks 100% of malware without blocking clean files. If you come across an unrecognized suspicious file, submit it to ESET per the instructions mentioned by Aryeh above like users of other security solutions do and submit suspicious files to their vendors.
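An added example, not code from the thread or from ESET, tying together Carlos's point that every download of the same rogue AV arrives with a new MD5 and Marcos's point that a generic signature can cover many variants at once: it builds constructed stand-in "repacks" of one family and compares an exact-hash signature against a pattern over the part that does not change. The byte strings, the family text and the padding scheme are all made up for the example.

```python
import hashlib
import re

# Constructed stand-ins for one rogue AV installer family. The "core" is the
# unchanging part; each build wraps it in different padding and rotates the
# advertised threat count. Plain byte strings, not real samples.
HEADER = b"MZ\x90\x00"
CORE = b"FakeAV: Your computer is infected! Buy now to remove %d threats"

def build_variant(i: int) -> bytes:
    """Deterministic repack number i: different padding, different count."""
    pad = bytes([i & 0xFF]) * (i % 50 + 1)
    return HEADER + pad + (CORE % (20 + i)) + pad[::-1]

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

# Exact-hash signature: covers only the one sample that was submitted.
SUBMITTED = build_variant(0)
HASH_SIGS = {md5_hex(SUBMITTED)}

# Generic signature: a pattern over the invariant text, with a wildcard for
# the part the authors change between builds.
GENERIC_SIG = re.compile(rb"FakeAV: Your computer is infected! Buy now to remove \d+ threats")

def detect_by_hash(data: bytes) -> bool:
    return md5_hex(data) in HASH_SIGS

def detect_by_generic(data: bytes) -> bool:
    return GENERIC_SIG.search(data) is not None

def coverage(n_variants: int) -> dict:
    """Count detections over n fresh repacks of the family plus one clean file."""
    variants = [build_variant(i) for i in range(1, n_variants + 1)]
    clean = HEADER + b"Notepad text editor" + b"\x00" * 16
    return {
        "distinct_md5": len({md5_hex(v) for v in variants}),
        "hash_hits": sum(detect_by_hash(v) for v in variants),
        "generic_hits": sum(detect_by_generic(v) for v in variants),
        "clean_false_positive": detect_by_hash(clean) or detect_by_generic(clean),
    }

if __name__ == "__main__":
    print(coverage(1000))
```

The exact hash catches only the submitted build, while the generic pattern catches every repack without touching the clean file; the trade-off a vendor actually faces is keeping that pattern tight enough to stay that way on real software.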
     
  7. dwmtractor

    dwmtractor Registered Member

    Joined:
    Dec 9, 2009
    Posts:
    46
    Location:
    San Jose, CA
    I did. Waiting for acknowledgment.

    I also recognize (and do not dispute) that no security solution can catch everything the bad guys throw at it. But given that this particular family of threats is so prevalent, it seems to me that the ESET development team should make some level of effort to modify the heuristic engine to address it. "We're no worse than the other guys" is not a satisfactory answer, and frankly, with the number of complaints I've seen on this board from others besides me, I know it's not a unique problem. I'm not asking for the world here. I'm asking for a threat that I see repeatedly, that ESET fails to detect, to be placed on your radar. Why are you guys so quick to defend ESET's inaction, and so flatly unwilling to consider expanding your threat detection heuristics to address a common security risk that is obviously not going away?
     
  8. dwmtractor

    dwmtractor Registered Member

    Joined:
    Dec 9, 2009
    Posts:
    46
    Location:
    San Jose, CA
    Incidentally, I see this morning that the sample I submitted yesterday is now detected by current definitions. However, AGAIN, it was done with no acknowledgment of the submission, or notification of update, being sent to me. Marcos' protestations notwithstanding, submitting a sample to ESET may result in work behind the scenes, but the submitter receives no help or communication.:mad:
     
  9. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Well, since you have tested the submitted file AGAIN, as you say, and saw that it has been added since it is now detected, then YOU already know it has been added and there's no need for ESET to focus on sending out emails and clarifying every time.
    That's just a waste of resources on ESET's side.

    Then it's better for you to re-check and see if detection has been added and if not, then you can take contact with ESET.
     
  10. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    Agreed.

    I do on occasion receive an email after submitting a sample, but I don't expect them and am not bothered about getting one. The only time I would want a response is if I submitted a support query.
     
  11. dwmtractor

    dwmtractor Registered Member

    Joined:
    Dec 9, 2009
    Posts:
    46
    Location:
    San Jose, CA
    I disagree completely. In this day of automation, ESET should have an automatic ticket system that (1) acknowledges receipt of any submission and (2) sends a report when the item is closed. Marcos has implied as much to me in other communications. This is part of any responsible case management system. "Trust me, we're working on it" may have worked for the Bush administration :D , but not for I.T. professionals.
     
  12. ESS474

    ESS474 Registered Member

    Joined:
    Jan 13, 2010
    Posts:
    201
    Location:
    São Paulo (Brazil)
    I only send to "samples@eset.sk" and I get various answers from Daniel, Dalibor and other analysts...
     
  13. dwmtractor

    dwmtractor Registered Member

    Joined:
    Dec 9, 2009
    Posts:
    46
    Location:
    San Jose, CA
    Interesting. "samples@eset.com" which is the address in the knowledgebase, gets no such response.
     
  14. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    OK, well I worked in support for 9 years and we ended up introducing an automated system that would cover your (1), but it's like getting an email delivery receipt. Great, the email with sample arrived.

    As for (2), well I don't really see it as an 'item' that needs to be 'closed'. It's a file you've sent; the sort of file that gets sent through Threatsense.net that doesn't (necessarily) get a response.

    I'll give you (1), because if people like to know their sample is received then fine. I personally don't need it, because it means as much to me as not getting an automated response back saying it wasn't received.

    As for (2), I guess swings and roundabouts come into play. If people want to see a 'closed item notification' once a sample has been analysed and added as a signature, then maybe it's something to think about. If NOT getting such a confirmation would put people off submitting samples, then maybe it is worthwhile.

    The customer is always right, unfortunately.
     
  15. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    I agree too! I have the same experience too when it comes to submitting a sample: sometimes I get a response and a Thank You for your submission, and most times I don't; it's no big deal for me! ;)

    @ dwmtractor: No one security product will detect 100% of all malware; that's why I always suggest the layered approach to anyone's security!

    TH
     
  16. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    I feel your pain my friend, especially economically speaking when you are getting pressure from higher-up like you said. Most AVs have difficulties handling most rogues. The reason for that is most rogues mimic the installation of a legit, true software behavior.

    The only way to successfully defend against such a plague is to have a security software that implements a file reputation analysis. And such file analysis engine is way beyond what Eset's heuristic engine can handle right now. By saying this I'm in no way bashing Eset; but one has to be honest in realizing that Eset as it stands today, with the state of its current technology, cannot cope well with some if not most zero hour threats including rogues.

    Eset has no cloud nor file reputation analysis, maybe I'm wrong and stand to be corrected; and to be honest the same is true for a lot of security software like BitDefender for example. In that way Eset is not alone. Nonetheless, if Eset does not shape up with version 5, they will lose a big piece of their market share, unfortunately.

    What I could suggest if it is not too late is to install an anti-malware product like Malwarebytes or SuperAntispyware alongside Eset in order to buffer your defenses. ~Off topic comment removed.~

    Good luck to you.

    Thanks.
     
    Last edited by a moderator: Apr 1, 2010
  17. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    Thank God the customer is NOT always right, fortunately. :D


    Thanks.
     
  18. JackSun

    JackSun Registered Member

    Joined:
    Mar 21, 2009
    Posts:
    25
    I have posted on this topic before and in general I agree with most of dwmtractors views.

    Let's at least hope ESET have the honesty to change their claim to have never missed an in the wild virus from May 1998 to October 2009.

    http://www.eset.co.uk/Compare/Competition

    I was certainly seeing rogue AV programs getting through ESET smart security/Nod32 in September 2009 and I am still seeing many cases each day.
    Had two phonecalls today 04/04/2010 with users infected with rogue AV, both had ESS 4 installed and fully up to date and also a fully patched Windows 7. I can't even get a rest on an Easter bank holiday o_O
     
  19. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    This is completely true. Which of the ITW threats listed here was missed by ESET if you claim the contrary? You can read more on that site about what is considered an ITW threat.

    I for one have not heard about a single security solution that would protect the user against every single threat (including rogue sw).
     
  20. JackSun

    JackSun Registered Member

    Joined:
    Mar 21, 2009
    Posts:
    25
    Well I must admit I didn't know the "In The Wild Viruses!" list meant it was a limited list.
    I took it literally as meaning that it had not missed an in the wild virus.
    Since the fake AV programs are clearly "In The Wild", perhaps they should be added to the list and then they can remove the claim to detect them.

    Or maybe they should change it to

    Nod32 has never missed an in the wild virus except the fake AV programs which are not on the outdated list of In The World viruses

    Whilst I can understand that no solution is going to be 100% my main gripe with Eset is that they don't seem to be doing as good a job as much of the Free software available.

    I have managed to take copies of most of the ones I've cleared up, and run them on my test machine.
    If I had been using the free Microsoft Security Essentials together with the free SuperAntiSpyware and Malwarebytes programs none of them would have got through.
    Also the eracleaner.exe program from eset has failed to detect any of the infections I've seen.

    If they don't get a grip on this soon I shall be recommending people take the free products instead of my usual recommendation of ESET.
     
  21. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,919
    Location:
    Texas
  22. dwmtractor

    dwmtractor Registered Member

    Joined:
    Dec 9, 2009
    Posts:
    46
    Location:
    San Jose, CA
    But what ronjor, and Marcos, and Agoretsky, and several others seem to be ignoring in this thread (and many others like it) is one simple question:

    Rogue antivirus programs are an ongoing, frequently-observed threat. We all realize some things get through the best barrier, but it is patently obvious that standard signature-based scanning, and ESET's current heuristics, are powerless against the threat. What, if anything, is ESET's development team ever going to do about this besides making excuses?

    We are not asking for perfection here. But what I, at least, AM asking for, is that you guys take this threat seriously, and candidly engage with us about modifications or enhancements that might address a threat that is clearly not going away. We understand that no product catches everything, and you DON'T have to keep telling us. But are you trying to get better, or aren't you?
     
  23. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Per my observation of the rogue AVs we get from different sources, ESET is actually one of very few security programs to detect them. If something is not detected, detection is added quickly, often before other vendors.
     
    Last edited: Apr 6, 2010
  24. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    I'm going to post this article as it is On Topic! http://www.networkworld.com/news/2010/031010-scareware-will-be-most-costly.html

    I still say it's up to the user not to download something that they don't know, and if you pay money for it, well, being in a security forum you should know better!

    I download quite a few of them on my VM in shadow mode to test, and ESET is up there with the best in detecting them, but the malware writers are quick to change the code to be not detected. So if you come across some Fake AV's that are not detected, send them to ESET so we all can benefit as I do! samples@eset.com

    TH
     
    Last edited: Apr 6, 2010
  25. dwmtractor

    dwmtractor Registered Member

    Joined:
    Dec 9, 2009
    Posts:
    46
    Location:
    San Jose, CA
    That is not the point. It's good you add them quickly, but I'm tired of being a zero-day detector. I'm begging for you to analyze what can be done heuristically to intercept these puppies before they have a detected signature. I know you're not the only one. . .when I used Symantec I wondered if their heuristic engine was even on too. I just wish "heuristic detection" would become an element of practice instead of a slick marketing slogan!
     