Zero Day-How's your AV

Still using those blacklist scanners eh.Oh well,happy reinstalling.

http://www.pcworld.com/article/id,130686-page,1/article.html

 

Actually, if you don't know how to interpret the scanner results, it helps to not publicly make a fool of yourself. Scanning a password-protected zip archive and making a fuss because scanners don't detect it? Goodness gracious!

 

I did not understand this password issue described in the article.

 

Don't shoot the messenger.

http://www.f-secure.com/v-descs/email-worm_w32_bagle_hr.shtml

 

AV's will not be able to scan inside the archive if the password is unknown.

Blue

 

yes, but some will flag certain flavours of executables in password protected files, for example kaspersky (in that VT screenshot f-secure uses that verdict, password-protected-exe)

 

Well, nowhere in the article do I see PC World wishing readers "happy reinstalling" because they're using a blacklist scanner.

 

That,s why i wonder why they scanned it on VT. Was there a way for AV scanner to know the password and then scan in in the scenario discussed?

 

It would be in the quote if it was Hmnn,seems a few were hit quite hard.Your AV mentioned below solcroft?

Hope not as you will be reinstalling if you got hit.
From the F-Secure link:

 

sure it can un-install scanners

but only IF it gets through the real-time protections of the software.

 

Looks like it's STILL a toss as to who's more uninformed, you or the article's author.

 

To all,

Discuss the article or subject of the article, not each other.

Regards,

Blue

 

Franklin -- Is there any reason you say you will be re-installing in relation to the StormWorm?
The Bagle varient is a whole different family....

Stormworm removal is not so hard, a few rootkits(2 actually) and deleting the hidden files, fixing the LSP...

 

So how can it delete those Kav files if it said that Kaspersky was one of 3 that detected it.

 

http://www.symantec.com/enterprise/security_response/weblog/2007/04/trojanpeacomm_spam_run.html

"In response to the mass spamming of unsolicited password-protected zip files, Symantec Security Response will be releasing a Trojan.Peacomm!zip detection."

 

Well if you AV.exe is deleted you will have to reinstall.

@trjam, probably very quick database updates which Kav is best at.

 

Hello Forum,
Well Dr.web detects Storm Worm variants,This is the response I received from there support.

 

So far, no one has commented on the implications of the opening of the article:

Because for "storm worm" you can substitute any virus, since a search of scans during the first several days of any outbreak shows that not all AV have the file in their database. Even the "big companies" often fail to snag something. This especially true of the so-called Zero Day occurrences.

At least as far back as November, 2005, isc.sans.org commented:

http://isc.sans.org/diary.php?storyid=880

And regarding the Storm Worm:

http://isc.sans.org/diary.html?storyid=2618

AV certainly has a place in most people's security setups, but preventing zero-day attacks is not one of them.


regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

From an initial look at the article, I have a feeling of deja vu because I have received this email. I may have the sample with me, lets upload to VirusTotal now and see. At that time, both AVIRA and AVG were detecting it.

 

Okay, I received an email with the exact same message text as described in the PC World article. There was a password protected archive attached with the message by the name of "patch-52867.zip". A password is supplied in the message body. Upon extraction, there is a single file named patch-52867.exe. I scanned this EXE file on http://scanner.virus.org and got the following result:

ArcaVir - Trojan.W32.Lager.Dp88
AVG Anti Virus - Downloader.Tibs.4.AL
BitDefender - Trojan.Peed.Gen
ClamAV - Trojan.Small-1641
Dr.Web - Trojan.Packed.86
F-Prot - Result not clear at Virus.org though I think its a heuristic detection (will test again at Jotti's)
McAfee - Win32/Nuwar@MM
NOD32 - Win32/Nuwar.Gen worm
Norman - W32/Tibs.gen81
Panda - W32/Nurech.Z.worm
Sophos Sweep - Troj/Dorf-B
Trend Micro - WORM_NUWAR.AOP
VirusBuster - Trojan.Tibs.Gen!Pac.96
Avira - Not clear (but I think AVIRA detects this)

AVs that did not give any detection on virus.org:

Avast, QuickHeal, F-Secure, VBA32 (seems strange so I'll test again on Jotti's)

PC World decided to scan the entire password protected ZIP archive at VirusTotal, which IMO is total BS. No scanner at VT can scan password protected archives. You need to extract the archive and run the exe file in order to get infected. But as soon as you extract the archive, the resident guard of your AV/AS/AT will pick up this malware. So this article is totally useless in my opinion.

 

yeah,

i think they have done this aswell, scanning password protected archives is abosolute BS, how can these give infections?

just for curiousity firecat, did the results on uploading the patch differ between jotti and VT?

 

Three days later I guess all AVs would have updated their blacklists.

Zero day is a different story.

 

I didn't realise that, I only skim-read the article. The only scanner I have ever seen detect malware in password protected archives is virusbuster (and it always detects them as variants of Bagle), but it also detects many harmless zipped and password protected files as Bagle variants..

If this is true then the article is totally useless.

 

I received this e-mail too. Avira was detecting it from the first day I've downloaded the attachement. (on Friday).

Here's the log:

With all respects to PCworld website uploading a password-protected archive to virustotal.com and expecting to be detected it's non-sense and it makes me think whether those guys know something about antiviruses...

 

This happens to be a very well-known and acknowledged fact. This particular piece of malware changes nothing, nor does any other.