Trojan Zlob

Discussion in 'NOD32 version 2 Forum' started by ugly, May 27, 2006.

Thread Status:
Not open for further replies.
  1. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    ...either that or detection is added later on a priority basis :D
     
  2. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, do you know me as the one praising NOD32 for things it doesn't do?
    I've always posted whenever they missed something that I thought might be detected...anyway, it's just a supposition that those files are corrupted.
    Taking into consideration the big number of defs for Zlobs ESET added and the heuristic engine, they should detect them because they are old anyway...for 5-6 days. :)
     
  3. ASpace

    ASpace Guest

    What do you mean by "they are old for x days"?
     
  4. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Firecat said his samples are older.... he found them immediately as this thread "died" = no screenshot posted.
     
  5. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Yep, my samples are older. Confirmed that a few of the samples are corrupted; very few are undetected though. IMO it's nothing to worry about since these older variants can no longer be obtained as all the files have been updated with the latest variant.

    I've had word that all variants of Zlob are not known to anybody; it is only important to detect the latest variants.
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    No comment:

    I am writing to you on behalf of DIGITAL MEDIA DEVELOPERS.
    Why does your AV detect our software as
    "Win32/TrojanDownloader.Zlob.UR"? There must be a mistake.
     
  7. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    The Inspector got a similar message from the developer. Maybe someone should give him a nice, angry reply and tell him to get his lawyers ready!
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    LMAO, the hide of some people :blink: :blink: :blink:
     
  9. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Of course, a big mistake. :D :D They should have been in jail, but they're not. :p (just joking of course)
    It's sad they are pushing AV companies to remove detection for their software.
    Maybe "producers" of MyDoom or Netsky will have the same brilliant idea in the future. :D
     
  10. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Don't be putting ideas in their heads!
     
  11. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    There is no way he'll ever push a vendor successfully to remove detection. This is because he knows he'll get himself wiped on the floor if he threatens legal action, and since the files are really malware, no vendor is going to remove detection unless legal action may be threatened.

    In this case, the malware writer is trying to play the dummy, but is having really bad luck.
     
  12. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    I doubt anybody could legally make any AV or security software vendor remove detection of any file, malware or not! Because in the end, whether or not that detection is heeded or acted on is at the discretion of the end user (if NOD detected parts of Windows as malware I doubt even Microsoft would threaten legal action!)
     
  13. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    If what you say is correct, there is a certain WGA tool I would like to see detected as spyware....;):D
     
  14. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    False positives are one thing and correct detections are another.
     
  15. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    What would that be I wonder lol
     
  16. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    @ Tony.D.,

    I have split your post and other posts concerning this matter to a separate thread. Please follow the below link for further details.

    This thread---> Detection of our software by Nod32
     
  17. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
    Inspector's MAXIMUS is doing a very good job in detecting Zlob trojans. :D
    AntiVir seems to have the secret too.:ninja:
    I would like to see a good heuristic detection on NOD32 too.
     
    Last edited by a moderator: Sep 16, 2006
  18. Suggers

    Suggers Guest

    Yes, AntiVir seems to have had the secret for weeks, and now F-Prot has been doing really well lately.
    I haven't seen many generic detections by NOD32 for a while with the Zlobs, so perhaps they are just adding signatures for the Zlobs they receive now instead of making a generic?

    Suggers
     
  19. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Basically, pretty much every good AV is detecting all the Zlobs on a regular basis.

    Some vendors like BitDefender and Dr.Web are collecting Zlobs and adding signatures for all those only every 2-3 days, so you don't see detection immediately. Some vendors are able to detect it heuristically or generically. NOD32 is getting detection via variant detection and separate signatures which is good enough.
     
  20. Suggers

    Suggers Guest

    The problem is the sites distributing Zlobs usually change the versions/variants they are distributing up to several times per day, so by the time signatures are released that variant won't even be downloaded anymore. But it's the same for most AVs; a constant game of catch-up.
     
  21. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456

    What is this provoking good for? It's a matter of fact that Zlobs are modified on a daily basis to evade detection. However, IMON BLOCKS the urls with Zlobs so you are fully protected unless you intentionally run cracks with Zlob embedded!

    I could post here a couple of screenshots where NOD32 is one of the 3 or 4 AVs to detect Zlob proactively without update.
     
  22. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
    :eek: :eek: :eek: :eek: PROVOKING?!?!? :eek: :eek: :eek: :eek:
    A common sense answer to my question: We do not have a generic detection for Zlobs but we are working on it!
    Are you sure IMON BLOCKS the urls with Zlobs o_O?
    I sent you on 15.09.2006 the url for strcodec.414.exe and a few seconds ago I was able to download a brand new one without any reaction from NOD. Should I post a VirusTotal analysis of it? Of course not. My post will be immediately deleted because it is not a HIP HIP URAAA for NOD32.
    This is not the reaction I expect from someone working for ESET when it is clear to all there is a problem.
    What you do not seem to realise is that people (like me) are posting here only because they DO CARE about NOD32, eventually PROVOKING it to be the best on the market.
    Best regards.
     
  23. Suggers

    Suggers Guest

    This thread is widely participated in and very interesting, but I've noticed there are comments around the site relating to zlobs with other antiviruses and the issue of zlobs is interesting to all, not just nod32 users.

    Also, what can now be posted on this thread is heavily controlled/moderated, with comments and screenshots being deleted and modified. To me, the only purpose of this thread being in an official support forum would be to discuss detection, but we can't do this anymore; so perhaps it could be moved to a more appropriate forum, e.g. "other anti-virus" or "malware problems"??
    Regards,
    Suggers
     
    Last edited by a moderator: Sep 17, 2006
  24. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    To all:

    With respect to the posting of individual snapshots in time of detection, the site policy on this is clear, see here. With those comments in mind, a relocation of the thread is not the answer.

    Blue
     
  25. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    I apologize, I could not open that url with Strcodec so I've been under the impression that it's already blocked, but it was apparently for another reason. I'll look into it and make sure this is accomplished ASAP.

    ESET creates generic signatures for all Zlobs, but we do not detect the envelope as some others do, and subsequently produce false positives as well on legit installers (a well-known one is the HP codec, if I recall correctly). Our detection is based on real analysis of the code, and we do not flag just the installers themselves, which may be used for legit files as well. As you might know, we always strive not to produce FPs.
     
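The two detection questions raised in this thread, why signatures for a family that is repacked daily (Suggers's post above) always lag, and why matching on the shared installer "envelope" rather than on the code produces false positives on legitimate software (Marcos's post above), can be made concrete with a small toy model. The following is an added example written for this page by the editor, not code from the thread, from ESET or from any vendor named here. Every file, envelope, payload and indicator string in it is constructed for illustration; the `TOYPACK` header, the `fetch-and-run` marker and the build counter are assumptions of the example, not properties of any real installer or sample.

```python
"""
Added example (not from the thread): three toy detection strategies for a
repacked downloader family, showing why an exact-hash signature lags behind
daily repacks, why matching on the shared installer "envelope" produces a
false positive on legitimate software packed the same way, and how a
payload-based check avoids both problems. All files below are constructed
byte strings, not real malware or real installers.
"""
import hashlib

# Constructed "envelope": a header that a legitimate codec installer and the
# malicious downloader happen to share (stand-in for a common packer/stub).
ENVELOPE = b"TOYPACK\x01"

def wrap(payload: bytes, build: int) -> bytes:
    """Constructed file format: ENVELOPE | 2-byte build counter | payload."""
    return ENVELOPE + build.to_bytes(2, "big") + payload

# Constructed payloads. The malicious one carries the marker we treat as the
# behaviour-derived indicator found by analysing the code; the legit one does not.
MALICIOUS_PAYLOAD = b"...fetch-and-run second stage from a hardcoded host..."
LEGIT_PAYLOAD = b"...install video codec, register DirectShow filter..."

# "Yesterday's" sample, from which the exact-hash signature was written.
OLD_VARIANT = wrap(MALICIOUS_PAYLOAD, build=1)
# "Today's" repack: identical behaviour, different bytes, different hash.
NEW_VARIANT = wrap(MALICIOUS_PAYLOAD, build=2)
# A legitimate installer that uses the very same envelope.
LEGIT_INSTALLER = wrap(LEGIT_PAYLOAD, build=7)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Strategy 1: exact-hash signature, one entry per sample the vendor has seen.
HASH_SIGS = {sha256(OLD_VARIANT)}

def detect_by_hash(sample: bytes) -> bool:
    return sha256(sample) in HASH_SIGS

# Strategy 2: envelope signature, matching the shared packer/installer header.
def detect_by_envelope(sample: bytes) -> bool:
    return sample.startswith(ENVELOPE)

# Strategy 3: payload analysis, strip the envelope and inspect what actually runs.
PAYLOAD_INDICATOR = b"fetch-and-run"

def unwrap(sample: bytes) -> bytes:
    """Remove the constructed envelope (header + 2-byte build counter) if present."""
    if not sample.startswith(ENVELOPE):
        return sample  # not packed with this envelope; inspect as-is
    return sample[len(ENVELOPE) + 2:]

def detect_by_payload(sample: bytes) -> bool:
    return PAYLOAD_INDICATOR in unwrap(sample)

def evaluate(detector) -> dict:
    """Run one detector over the three constructed files and report hits."""
    return {
        "old_variant": detector(OLD_VARIANT),
        "new_variant": detector(NEW_VARIANT),
        "legit_installer": detector(LEGIT_INSTALLER),
    }

if __name__ == "__main__":
    for name, det in [("hash", detect_by_hash),
                      ("envelope", detect_by_envelope),
                      ("payload", detect_by_payload)]:
        print(f"{name:9s} {evaluate(det)}")
```

Running it shows the three trade-offs side by side: the hash signature catches only the sample it was written from and misses the next day's repack; the envelope signature catches both variants but also flags the legitimate installer; the payload check catches both variants and leaves the legitimate installer alone, at the cost of having to analyse what the code does rather than what it is wrapped in.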