Trojan.Dropper.ExeBundle.AC MISSED by NOD32

Discussion in 'NOD32 version 2 Forum' started by Kobra, May 23, 2004.

Thread Status:
Not open for further replies.
  1. Kobra

    Kobra Registered Member

    Joined:
    May 11, 2004
    Posts:
    129
    Appears to be a rebase or repack of the following variant. Only 3 products found it; NOD32 missed it, even in /AH operations. Ugh. I uploaded the file to my website; if anyone wants to take a look, let me know in PM and I'll send you a link, so as not to swamp my bandwidth allotment.

    AKA: (probably a rebased variant of dropper?)

    MultiDropper-FD
    Win32:Trojan-gen. {UPX!}
    Trojan horse Dropper.ExeBundle.AC
    Trojan.Muldrop.660
    TrojanDropper.Win32.ExeBund

    So far:

    NOD32: Missed (including /AH command line option for Advanced Heuristics)
    BitDefender: Missed
    BOClean: Missed
    TDS3: Missed
    Ewido: Missed
    Trojan Remover: Missed
    Trend Online: Missed
    Panda Full Edition: Missed
    Antivir(H+Bdev): Missed (Including their new deep heuristic engine)
    Symantec Corporate: Missed (yes, super heuristics were ON)
    PCcillin(trend): Missed
    eTRUST: Missed

    Dr.Web: Found
    McAfee: Found
    KAV5: Found (note, their online scan MISSED, but the installed product got it)
    EDIT: F-Secure also nailed this guy, and the baddies INSIDE this guy!
     
    Last edited: May 23, 2004
  2. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    ExeBundle probably refers to a program that can do a silent dropping/execution of files. It's not malware in itself, and some might use it for a good purpose.

    I'm not sure it should be detected. Whatever it is dropping might be malware, and detected as such, though.

    Best regards,
    Anders
     
  3. Kobra

    Kobra Registered Member

    Joined:
    May 11, 2004
    Posts:
    129
    Oh, it's a real threat all right. Kevin over at BOClean dissected this bad boy and found that indeed it's nasty. Not only is the packed thingy a problem, but inside that are a few undefined "Mystery Meats", as he calls them. I don't have permission to repost Kevin's email to me describing the exact makeup of this new threat; perhaps he will surf past here soon. But needless to say, I've sent this file off to most of the AV/AT products out there, and only BOClean has responded with a detailed analysis of it, including adding protection from it. o_O

    Sadly, NOD32 missed BOTH the packer AND all of the bad guys INSIDE the packed file (rebased). This is a big-time miss, but NOD32 isn't alone; most products missed it, as I said above. Only 4 AVs picked it up.

    I'm rather puzzled to hear that you think NOD32 maybe shouldn't detect a program that is OFTEN used to drop trojans, according to what I read, and in fact, in this case, is being used to drop a few NEW REBASED trojans at the same time (which were missed by NOD32 as well).

    Download the file I PM'd you, run it, then come back and tell me if you feel that NOD32 shouldn't detect it. That is, if your test system still boots.
     
    Last edited: May 23, 2004
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Kobra,

    I take it from your posts that you have submitted the file to (amongst others) Eset as well?

    As for Kevin: no problem. I'll contact him on this issue myself ;)

    regards.

    paul
     
  5. Kobra

    Kobra Registered Member

    Joined:
    May 11, 2004
    Posts:
    129
    Eset has had it for 24 hours. Kevin had it for maybe an hour, and issued some updates to fix this up nicely, and responded with more data on the file. Currently, I have 2 tech-friends testing it more on virtual machines.

    Ewido also has this file; no word back from him yet, but Ewido's update today didn't change its lack of detection. TDS3 doesn't have it yet; I don't know where to send it.

    BitDefender has it as well, and I think a couple others, I forgot.

    You also have a PM with information on how to get it from me, but PLEASE don't post that publicly, as I just slapped it up on my website because it's too large to email. (It's shareware anyway.)
     
  6. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Kobra

    Try here: submit@diamondcs.com.au

    Take care,
    TheQuest :cool:

    Sorry, mail link not a link :oops:
    Fixed
     
    Last edited: May 24, 2004
  7. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Thanks for the update ;)

    Don't worry: we'll take care of it.

    No doubt they will examine the file(s) and act accordingly.

    Thanks; we do respect our members and their requests. No need to worry here ;).

    regards,

    paul
     
  8. Kobra

    Kobra Registered Member

    Joined:
    May 11, 2004
    Posts:
    129
    Update: its been sent to TDS3
     
  9. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Good to see the common goal is to make sure all different software users will benefit ;)

    regards,

    paul
     
  10. Redd Harvest

    Redd Harvest Registered Member

    Joined:
    May 23, 2004
    Posts:
    2
    Just as a matter of interest you've already included some definitions for ExeBundle in your product:

    NOD32 - v.1.539 (20031022)
    Win32/TrojanDropper.Exebundle.131, Win32/TrojanDropper.Exebundle.131.dropper, Win32/TrojanDropper.Exebundle.22, Win32/TrojanDropper.Exebundle.23, Win32/TrojanDropper.Exebundle.272, Win32/TrojanDropper.Exebundle.28,

    What this says to me, as a layman, is that you've considered Exebundle a threat before, which seems to be in contradiction to what you've just posted here.

    What it also suggests to me is that you're not able to dynamically detect newly repacked versions (because you cannot unpack them to check the contents) and can only detect the versions you've had submitted to you in the past.

    Again, purely as a matter of interest, exactly how many packers and archivers does your product support? I obviously don't want you to list each one, as that would only highlight which tool to use to repack and circumvent your product, but a ballpark figure of the number of supported methods would be appreciated.

    Redd.
     
  11. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,764
    Location:
    Texas
  12. Redd Harvest

    Redd Harvest Registered Member

    Joined:
    May 23, 2004
    Posts:
    2
    Yeah, thanks, but that's a 'such as'; I want figures for all, to get some idea of just how seriously they're covering base on the repacking thing.
     
  13. Kobra

    Kobra Registered Member

    Joined:
    May 11, 2004
    Posts:
    129
    Last edited: May 24, 2004
  14. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
  15. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Bad Kobra, bad. ;)

    LMAO. :D

    "Trojans? Bah! We will kill them all, God willing."

    (oh don't get me started. LOL)
     
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    lmao, well done Kobra :D

    Cheers :D
     