Trojan Zlob

Discussion in 'NOD32 version 2 Forum' started by ugly, May 27, 2006.

Thread Status:
Not open for further replies.
  1. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    don't forget Dr.Web. ;)
     
  2. Benvan45

    Benvan45 Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    556
    Yes, so true, but I got hit around noon today without Nod detecting anything......so.....it's just very short this party.
     
  3. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    F-Prot is doing terribly. :thumbd: Microsoft, I expected that. Norton too. :p
     
  4. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    hxxp://www.v-codec.com/getcodec/SVideoCodec4_01a.exe :'(
     


  5. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    It's all good here :)
     


  6. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Aren't you forgetting something?
     


  7. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    Bridging the gap while generic detection is improved :)
     
  8. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    and again...
    With IMON correctly configured it is not possible to download these files...
    Same for digikeygen.com etc...
     


  9. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Oops, sorry, I don't use NOD so I didn't know that. Good job on that though, but the signature needs to be updated anyway IMHO. :)
     
  10. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    The internet filter needs an update actually.. Last update was in 2004.
    Without that enabled, we would have been screwed...
     
  11. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    I thought these were added to the list quite recently?
     
  12. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    Well if they did, they forgot to update the version number...

    Internet filter version: 1.002 (20040708)
    Internet filter build: 1013
     
  13. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    heheh
    Details, details - I really don't know :)
     
  14. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    But I like details .. awww :p
     
  15. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    And by the way the last sample is Version 102 of this "codec".

    I just took a look into it and it's easy to calculate it:

    Search for "VERID" (this should be at the end of the file). After this take out the next 2 bytes, a la "66 00" ---> flip them ---> 00 66

    Now start the calculator and switch into advanced mode and enter with HEX activated 66. This will result in 102 dec which represents the version number :D

    So basically you could even add a detection which gives you the "version information" of this trojan :D These last 2 bytes are changed directly on the webserver before downloading - so basically it creates the version based on the URL Request :D
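The version-extraction procedure described in the post above (locate the trailing "VERID" marker, take the two bytes after it, read them little-endian), written out as an added Python example. This is not code from the original thread or from ESET; the sample blobs it parses are constructed here for illustration and are not real Zlob binaries, and the helper names `zlob_version` and `make_sample` are this example's own. It adds the two checks a practitioner would want that the post leaves implicit: a file with no marker, and a marker so close to the end of the file that the two version bytes are truncated.

```python
import struct
from typing import Optional

# Marker the post says sits near the end of the fake-codec executable,
# followed by a 2-byte version field (e.g. 66 00 -> 0x0066 -> 102).
VERID_MARKER = b"VERID"


def zlob_version(blob: bytes) -> Optional[int]:
    """Return the version stored after the last 'VERID' marker, or None.

    The post's "flip them" step (66 00 -> 00 66) is just reading the two
    bytes as a little-endian unsigned 16-bit integer, which is what
    struct's "<H" format does.  rfind() is used because the marker is
    expected at the end of the file; an earlier incidental "VERID"
    string would otherwise be picked up.
    """
    pos = blob.rfind(VERID_MARKER)
    if pos < 0:
        return None                      # no marker at all: not this family/variant
    start = pos + len(VERID_MARKER)
    field = blob[start:start + 2]
    if len(field) < 2:
        return None                      # marker present but version bytes truncated
    (version,) = struct.unpack("<H", field)
    return version


def make_sample(version: int, body: bytes = b"MZ" + b"\x90" * 64) -> bytes:
    """Build a constructed test blob: a fake MZ stub, then VERID + version.

    Constructed input for the example only; this is NOT a real sample and
    the layout beyond 'VERID' + 2 bytes is an assumption.
    """
    return body + VERID_MARKER + struct.pack("<H", version)


def describe(blob: bytes) -> str:
    """Human-readable summary of what the parser found, for a quick triage loop."""
    version = zlob_version(blob)
    if version is None:
        return "no VERID version field found"
    raw = blob[blob.rfind(VERID_MARKER) + len(VERID_MARKER):][:2]
    return "VERID bytes %s -> version %d (0x%04x)" % (raw.hex(" "), version, version)


if __name__ == "__main__":
    # The value from the post: bytes 66 00 decode to version 102.
    print(describe(make_sample(102)))
    # Same check on a constructed blob with no marker, and on a truncated one.
    print(describe(b"MZ\x90\x90just some unrelated bytes"))
    print(describe(b"MZ" + VERID_MARKER + b"\x66"))
```

Run it against a directory of captured samples by reading each file with `open(path, "rb").read()` and passing the bytes to `zlob_version`; identical hashes are not needed to group variants, since only the two trailing bytes are meant to differ between downloads.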
     
  16. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Hello Inspector,
    Nice to hear from you :)
     
  17. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Hmmm... you mean the server creates the executable at the moment of the http request? Are you sure of this? I'm under the impression that these are created dynamically yes (obviously), but through a cron job or something similar, not at download time.

    On a side note, this "ever changing" technique seems to be the upcoming trend in malware. New sites that keep changing malware urls every 10 minutes or something (along with the obfuscated javascript that runs the exploits). All this is clearly dynamically "scripted" on the server. See http://cut-thecrap.blogspot.com/2006/05/what-to-donet.html (it's in Italian, but it should be pretty clear). These are, in fact, probably the same people, the infamous "iframecash" scammers. I would go so far as saying that right now, given their continuous creation of fake codecs, hacking of vulnerable forums (http://isc.sans.org/diary.php?storyid=1375), blog spamming, "referer" spamming, etc, these are right now the most active and annoying (or perhaps even "dangerous") of all the malware creators around. More, they seem to be buying dozens of new domains every day.
     
  18. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,441
    Internet filter is actually the packet worm scanner - another part of IMON that serves to intercept dangerous packets. It has nothing to do with blocking sites.
     
  19. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    Well it's still old.
     
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,441
    Because there's nothing to update :)
     
  21. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Sorry to disappoint you guys but I was able to download the file with no problem. IMON gave me no warning. Perhaps I should check Higher efficiency for FF, otherwise in Higher compatibility mode it lets you download the file. So NOD should add detection for it. ;)
     
  22. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Tell it loud...maybe ESET will hear you and add this detection faster. :D
     
  23. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,441
    Nope, it works in both HE and HC mode. I've just tried that url and it was blocked by IMON fine. Didn't you turn off this option in the IMON setup by chance?
     
  24. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, here's a screenshot... see if something's wrong... but anyway a signature will be useful. ;)

    EDIT: Now IMON works fine... it shows me that warning about the website being on the list of malicious websites... but what happens if the malware is on another website that NOD32 doesn't block?
     


  25. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    AFAIK - this submodule is for detection and blocking of things like automatic network worms like Slammer. I've read some documentation that suggests this.
     