threatfire fails to detect a malware

Discussion in 'other anti-malware software' started by sach1000rt, Sep 3, 2007.

Thread Status:
Not open for further replies.
  1. sach1000rt

    sach1000rt Registered Member

    Joined:
    May 29, 2007
    Posts:
    171
    Location:
    india
    I got a virus yesterday on a flash drive, so I just copied it to my hard disk to test it against Threatfire. I have tested Threatfire with many malware samples and it detected all of them so far. But yesterday it was a surprise: Threatfire didn't detect anything, nor any malicious behavior.
    I know that no software has 100% detection or something like that, but the virus was strong. It disabled Task Manager, Folder Options, regedit.exe and the firewall.
    I just got the RTL utility, which enables all of these, and then I just got rid of that virus, which had slowed down my PC. And thanks to FirstdefenseISR the PC is alright now.

    Does anyone know how to submit it to the Threatfire team?
     
  2. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
  3. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    sach1000rt,

    Do you have the name of the virus that bypassed Threatfire? It's always useful for testing :shifty:

    ~interact
     
  4. sach1000rt

    sach1000rt Registered Member

    Joined:
    May 29, 2007
    Posts:
    171
    Location:
    india
    Avira detects it as w32.sohanand.r; it's a hidden file and has a Windows folder icon.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Hi,

    Can you perhaps send me this malware, I would like to see how other HIPS react, TIA. ;)
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
    No malware trading on the forums. Use email for such activities. Thanks.
     
  7. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    sach1000rt,

    I think I've found 3 variations of the virus you found. I tested it against a number of different types of HIPS solutions as per Rasheed187's comment. The results you found with Threatfire match the results from one of the strains I had (Sohanad.T).

    MD5 -

    Win32.Worm.IM.Sohanat.B = 9164574425915be7f47dd17cab810a5d
    Win32.Worm.IM.Sohanad.B = 6488c49886e1546de04e823b6f64fba5
    Win32.Worm.Sohanad.T = 8879f9425df0be833559107616f00219

    Safe'n'Sec Pro (latest) -

    Win32.Worm.IM.Sohanat.B = blocked
    Win32.Worm.IM.Sohanad.B = blocked
    Win32.Worm.Sohanad.T = allowed

    Sana Security Primary Response (latest) -

    Win32.Worm.IM.Sohanat.B = blocked
    Win32.Worm.IM.Sohanad.B = blocked
    Win32.Worm.Sohanad.T = blocked

    ProSecurity ProSecurity v1.40 Public Beta 2 -

    Win32.Worm.IM.Sohanat.B = allowed
    Win32.Worm.IM.Sohanad.B = allowed
    Win32.Worm.Sohanad.T = allowed

    DriveSentry V3 (beta) -

    Win32.Worm.IM.Sohanat.B = detected / blocked
    Win32.Worm.IM.Sohanad.B = detected / blocked
    Win32.Worm.Sohanad.T = detected

    *detected = malware warning as soon as file copied to disk.

    PrevX V2 - o_O

    Win32.Worm.IM.Sohanat.B = ?
    Win32.Worm.IM.Sohanad.B = ?
    Win32.Worm.Sohanad.T = ?

    * Couldn't evaluate as error message displayed "license out of date".

    PC Tools Threatfire 3.0.4.0 (Beta 2) -

    Win32.Worm.IM.Sohanat.B = blocked
    Win32.Worm.IM.Sohanad.B = blocked
    Win32.Worm.Sohanad.T = allowed

    There may be more variations, but I thought 3 was enough to get started :)

    ~interact
     
  8. sach1000rt

    sach1000rt Registered Member

    Joined:
    May 29, 2007
    Posts:
    171
    Location:
    india
    I sent the sample yesterday and their reply was very quick (within a minute).
    Their reply is in the attached images, but how will it be included in Threatfire, as it's not signature-based?
     

  9. PSDeveloper

    PSDeveloper Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    93
    Thank you very much for your testing!
    If possible, could you please send those worms to support AT proactive-hips.com?
    What type of warning did you get while testing it with other HIPS software?
    Thanks!
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I can see the pattern; add the custom rules for ThreatFire mentioned in this forum and you will get a prompt.
     
  11. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,194
    Location:
    Virginia - Appalachian Mtns
    The one concerning *.exe, etc section?
     
  12. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    Wow, those are some worrying results there, interact :)

    Do you still have samples of that virus? If so, I wonder how it would fare against sandboxes like Sandboxie or GeSWall.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    @interact, can you perhaps send me the malware by email? And when you say "allowed", do you mean that the HIPS didn't warn you about any suspicious behavior after executing the file? I think it's a bit strange that PS performs so badly; it's hard to believe. :rolleyes:
     
    Last edited: Sep 5, 2007
  14. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    Guys - I've uploaded the three viruses (zipped) to Speedyshare. What is the policy for posting the URL on this forum?

    ~interact
     
  15. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
  16. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    Ron,

    Thank you for the response. It would be really beneficial if we could have an area to share malware samples. I think most of the vendors could quickly plug holes in their products if you allowed the group to examine the new techniques that are coming out. This is not a criticism just a recommendation.

    ~interact
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    OK, I did some quick testing, and both SSM Pro and Neoava warned me about suspicious behavior triggered by Win32.Worm.IM.Sohanat.B and Win32.Worm.IM.Sohanad.B, but I didn't get any warning about Win32.Worm.Sohanad.T, so what is this worm trying to do exactly? I kept it running, and it did seem to use the CPU, but I got no warnings. The other two tried to modify some registry settings, add a startup entry and tried to create a Windows Explorer plugin.
     
    Last edited: Sep 10, 2007
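    The symptoms reported in the opening post (Task Manager, Folder Options, regedit and the firewall switched off, a hidden executable with a folder icon on the flash drive) and the behaviors Rasheed187 lists above (registry changes, a startup entry, an Explorer plugin) all leave traces in fixed registry and file-system locations. The script below is an added example written for this thread, not code from ThreatFire, PC Tools or any other product mentioned here; it audits those locations from the defender's side so a machine can be checked and cleaned without relying on a HIPS prompt. It assumes PowerShell 3 or later run elevated on the affected machine; the function names, the -Repair switch and the E:\ drive letter are my own choices for the example.

```powershell
# Added example, not code from the thread or from any product named in it.
# Defender-side audit of the tampering the posts describe: policy values that
# disable Task Manager, regedit, Folder Options and the XP firewall, autostart
# entries, Winlogon hooks, and hidden executables on a removable drive.
# Assumptions: PowerShell 3+, run elevated; -Repair and all function names are
# hypothetical and belong to this script only.

[CmdletBinding()]
param(
    [switch]$Repair,                   # delete offending policy values
    [string]$RemovableRoot = 'E:\'     # drive letter of the flash drive to inspect
)

# Policy values matching the symptoms reported in the thread (value 1 = restriction on).
$PolicyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Symptom = 'Task Manager disabled' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Symptom = 'regedit disabled' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      Symptom = 'Folder Options removed' }
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Symptom = 'Task Manager disabled (machine-wide)' }
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Symptom = 'regedit disabled (machine-wide)' }
)

# Windows Firewall profile switch as stored on XP/2003 (EnableFirewall 0 = firewall off).
$FirewallKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'

$AutostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$WinlogonKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-PolicyTampering {
    # Report (and with -Repair remove) every restriction value that is switched on.
    foreach ($c in $PolicyChecks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item -or $item.($c.Name) -ne 1) { continue }
        $repaired = $false
        if ($Repair) {
            Remove-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction Stop
            $repaired = $true
        }
        [pscustomobject]@{ Finding = $c.Symptom; Location = "$($c.Path)\$($c.Name)"; Repaired = $repaired }
    }
    $fw = Get-ItemProperty -Path $FirewallKey -Name 'EnableFirewall' -ErrorAction SilentlyContinue
    if ($null -ne $fw -and $fw.EnableFirewall -eq 0) {
        # Only reported, not repaired: re-enabling the firewall is a deliberate admin decision.
        [pscustomobject]@{ Finding = 'Windows Firewall disabled'; Location = "$FirewallKey\EnableFirewall"; Repaired = $false }
    }
}

function Get-AutostartEntries {
    # List every Run/RunOnce value plus the Winlogon Shell and Userinit hooks, which a
    # persisting sample commonly edits; anything not pointing at a known binary deserves a look.
    foreach ($k in $AutostartKeys) {
        $key = Get-Item -Path $k -ErrorAction SilentlyContinue
        if ($null -eq $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $k; Name = $name; Command = $key.GetValue($name) }
        }
    }
    $wl = Get-ItemProperty -Path $WinlogonKey -ErrorAction SilentlyContinue
    foreach ($name in 'Shell', 'Userinit') {
        # Expected: Shell = explorer.exe, Userinit = <system32>\userinit.exe,
        [pscustomobject]@{ Key = $WinlogonKey; Name = $name; Command = $wl.$name }
    }
}

function Find-HiddenExecutables {
    # The sample in the thread was a hidden executable carrying a folder icon; list hidden
    # executables at the top level of the removable drive so they can be quarantined.
    param([string]$Root = $RemovableRoot)
    if (-not (Test-Path -Path $Root)) { return }
    Get-ChildItem -Path $Root -File -Hidden -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.scr', '.com', '.pif' } |
        Select-Object FullName, Length, LastWriteTime
}

# Usage (constructed): .\audit-sohanad-symptoms.ps1 -RemovableRoot 'E:\' -Repair
'== Policy tampering ==';   Test-PolicyTampering   | Format-Table -AutoSize
'== Autostart entries ==';  Get-AutostartEntries   | Format-Table -AutoSize
'== Hidden executables =='; Find-HiddenExecutables | Format-Table -AutoSize
```

    Run it once before cleanup to record what was changed, and again afterwards to confirm the policy values are gone and the autostart list contains only entries you recognise. The Winlogon values are listed rather than judged because their correct content varies by Windows version; compare them against a known-clean machine of the same build.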
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    OK, so I used the PCTools threat-expert system, and they generated a report about Win32.Worm.Sohanad.T. The problem is that it's pretty useless; I still don't know what it tries to do. I also don't know why HIPS stay quiet. Did anyone investigate it? Here's the report:

    http://www.speedyshare.com/168452152.html
     
  19. ylssky

    ylssky Registered Member

    Joined:
    Sep 12, 2007
    Posts:
    9
    Does ProSecurity defend against the worms proactively?
    What is the difference from other HIPS?
    For example: SSM!
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sorry for the late reply, yes.
     
  21. PSDeveloper

    PSDeveloper Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    93
    I'm sorry I haven't got these worms until now...
     
  22. Cyberhawk Support

    Cyberhawk Support Registered Member

    Joined:
    Oct 26, 2006
    Posts:
    140
    Location:
    Boulder, CO

    Sorry about the delayed response. Thanks for submitting the sample.

    As far as we've seen in the labs, Threatfire detects not one malicious behavior from the sample (md5 681b9f300a41b68347052c36f2708ee5) you provided, but if you clicked on "Allow" every time you saw a warning, you would see 11 dialog warnings. In other words, Threatfire prevents all of the Sohanad family effectively.
    If the user quarantines the sample based on the first malicious behavior that Threatfire detects (on a "VERY HIGH" warning), the sample would perform no malicious behavior on the system whatsoever.

    I am not sure why you did not see the same results. Did you have the product suspended, perhaps?

    Thanks much,
    Kurt
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    @Cyberhawk Support

    Thank You for such a really good Host Intrusion Protector & 0 day watcher.

    .......But please try to ask the Team to investigate the bootup delays. I too am noticing a marked delay with ThreatFire installed. My first assumption is that it's a driver stack placement order or the drivers themselves that load on startup which is making for this rather frustrating occurrence.

    Still, the program is as sweet as ever in its monitoring abilities. Keep up the good work, I know coding a perfect medium takes great effort, but you have a real useful product here to perfect on.

    EASTER
     