Zero Day - How's your AV?

Discussion in 'other anti-virus software' started by Franklin, Apr 14, 2007.

Thread Status:
Not open for further replies.
  1. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Still using those blacklist scanners, eh? Oh well, happy reinstalling. :rolleyes:

    http://www.pcworld.com/article/id,130686-page,1/article.html
     
  2. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Actually, if you don't know how to interpret the scanner results, it helps to not publicly make a fool of yourself. Scanning a password-protected zip archive and making a fuss because scanners don't detect it? Goodness gracious!
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I did not understand this password issue described in the article.
     
  4. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
  5. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    AVs will not be able to scan inside the archive if the password is unknown.

    Blue
     
  6. plantextract

    plantextract Registered Member

    Joined:
    Feb 13, 2007
    Posts:
    392
    Yes, but some will flag certain flavours of executables in password-protected files, for example Kaspersky (in that VT screenshot F-Secure uses that verdict, password-protected-exe).
     
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    That's why I wonder why they scanned it on VT. Was there a way for the AV scanner to know the password and then scan it in the scenario discussed?
     
  9. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    It would be in the quote if it was. :cautious: Hmnn, seems a few were hit quite hard. Your AV mentioned below, solcroft?

    Hope not, as you will be reinstalling if you got hit.
    From the F-Secure link:
     
  10. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Sure, it can uninstall scanners,

    but only IF it gets through the real-time protection of the software.
     
  11. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Looks like it's STILL a toss as to who's more uninformed, you or the article's author.
     
  12. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    To all,

    Discuss the article or subject of the article, not each other.

    Regards,

    Blue
     
  13. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    Stamford, CT
    Franklin -- Is there any reason you say you will be reinstalling in relation to the Storm Worm?
    The Bagle variant is a whole different family....

    Storm Worm removal is not so hard: a few rootkits (2 actually), deleting the hidden files, fixing the LSP...
     
  14. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    So how can it delete those KAV files if it said that Kaspersky was one of 3 that detected it?
     
  15. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
  16. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Well, if your AV.exe is deleted you will have to reinstall.

    @trjam, probably very quick database updates, which KAV is best at.
     
  17. Badcompany

    Badcompany Registered Member

    Joined:
    Nov 18, 2005
    Posts:
    752
    Location:
    RUNCORN UK.
    Hello Forum,
    Well, Dr.Web detects Storm Worm variants. This is the response I received from their support.
     

  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    So far, no one has commented on the implications of the opening of the article:

    Because for "storm worm" you can substitute any virus, since a search of scans during the first several days of any outbreak shows that not all AVs have the file in their database. Even the "big companies" often fail to snag something. This is especially true of the so-called Zero Day occurrences.

    At least as far back as November, 2005, isc.sans.org commented:

    http://isc.sans.org/diary.php?storyid=880

    And regarding the Storm Worm:

    http://isc.sans.org/diary.html?storyid=2618

    AV certainly has a place in most people's security setups, but preventing zero-day attacks is not one of them.


    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
    Last edited: Apr 14, 2007
  19. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    From an initial look at the article, I have a feeling of deja vu because I have received this email. I may have the sample with me; let's upload to VirusTotal now and see. At that time, both AVIRA and AVG were detecting it. ;)
     
  20. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Okay, I received an email with the exact same message text as described in the PC World article. There was a password protected archive attached with the message by the name of "patch-52867.zip". A password is supplied in the message body. Upon extraction, there is a single file named patch-52867.exe. I scanned this EXE file on http://scanner.virus.org and got the following result:

    ArcaVir - Trojan.W32.Lager.Dp88
    AVG Anti Virus - Downloader.Tibs.4.AL
    BitDefender - Trojan.Peed.Gen
    ClamAV - Trojan.Small-1641
    Dr.Web - Trojan.Packed.86
    F-Prot - Result not clear at Virus.org, though I think it's a heuristic detection (will test again at Jotti's)
    McAfee - Win32/Nuwar@MM
    NOD32 - Win32/Nuwar.Gen worm
    Norman - W32/Tibs.gen81
    Panda - W32/Nurech.Z.worm
    Sophos Sweep - Troj/Dorf-B
    Trend Micro - WORM_NUWAR.AOP
    VirusBuster - Trojan.Tibs.Gen!Pac.96
    Avira - Not clear (but I think AVIRA detects this)

    AVs that did not give any detection on virus.org:

    Avast, QuickHeal, F-Secure, VBA32 (seems strange so I'll test again on Jotti's)

    PC World decided to scan the entire password-protected ZIP archive at VirusTotal, which IMO is total BS. No scanner at VT can scan password-protected archives. You need to extract the archive and run the exe file in order to get infected. But as soon as you extract the archive, the resident guard of your AV/AS/AT will pick up this malware. So this article is totally useless in my opinion.
     
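The archive behaviour Blue and plantextract describe in posts 5 and 6, and the extract-then-scan step Firecat walks through in post 20, as an added worked example that is not part of this thread and not any vendor's code. It builds a password-protected ZIP with PKWARE's traditional ZipCrypto scheme in pure Python and then shows three views of it: the entry name, size and "encrypted" flag sit in clear in the central directory, so a filename heuristic can raise a password-protected-exe style flag; the bytes themselves are opaque to a blacklist scanner until the password from the message body is supplied, at which point a plain signature match fires. The payload is the harmless EICAR test string standing in for patch-52867.exe; the password, the 2007-04-14 timestamp and the list of executable extensions are assumptions.

```python
"""Build a ZipCrypto (traditional PKWARE) password-protected ZIP and show what a
scanner can see in it with and without the password.  Added example; the
password, timestamp and extension list are assumptions, the payload is EICAR."""
import io
import os
import struct
import zipfile
import zlib

# Constructed sample: the harmless EICAR test string stands in for patch-52867.exe.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SAMPLE_NAME = "patch-52867.exe"   # attachment name quoted in the thread
SAMPLE_PASSWORD = b"patch"        # assumed; the real one was in the message body
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")   # assumed heuristic list

# --- PKWARE traditional encryption (APPNOTE 6.1), the scheme in WinZip-era ZIPs ---
_CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    _CRC_TABLE.append(c)

def _crc32_step(crc, byte):
    return _CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)

class ZipCrypto:
    """Key schedule is seeded from the password; the keystream advances on plaintext."""
    def __init__(self, password):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b):
        self.k[0] = _crc32_step(self.k[0], b)
        self.k[1] = (self.k[1] + (self.k[0] & 0xFF)) & 0xFFFFFFFF
        self.k[1] = (self.k[1] * 134775813 + 1) & 0xFFFFFFFF
        self.k[2] = _crc32_step(self.k[2], self.k[1] >> 24)

    def _stream_byte(self):
        t = (self.k[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            out.append(p ^ self._stream_byte())
            self._update(p)          # keys advance on the plaintext byte
        return bytes(out)

def build_encrypted_zip(name, data, password):
    """Single stored (uncompressed) entry, flag bit 0 set, readable by zipfile."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes plus the CRC's top byte, which
    # is what lets a decryptor reject most wrong passwords before reading data.
    body = ZipCrypto(password).encrypt(os.urandom(11) + bytes([crc >> 24]) + data)
    dos_date, dos_time = ((2007 - 1980) << 9) | (4 << 5) | 14, 0   # 2007-04-14 (assumed)
    nm = name.encode("ascii")
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, dos_time, dos_date,
                        crc, len(body), len(data), len(nm), 0) + nm
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, dos_time,
                          dos_date, crc, len(body), len(data), len(nm), 0, 0, 0, 0, 0, 0) + nm
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd

def scanner_view(blob):
    """Everything visible without the password: names, sizes, encrypted flag."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [(zi.filename, bool(zi.flag_bits & 1), zi.file_size) for zi in zf.infolist()]

def flags_password_protected_exe(blob):
    """Metadata-only heuristic: an encrypted entry whose name says 'executable'."""
    return any(enc and name.lower().endswith(EXEC_EXTS)
               for name, enc, _ in scanner_view(blob))

def signature_scan(blob, password=None):
    """Blacklist match on entry contents; needs the password to see them at all."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for zi in zf.infolist():
            if zi.flag_bits & 1 and password is None:
                verdicts[zi.filename] = "unscannable: encrypted"
                continue
            try:
                data = zf.read(zi, pwd=password)
            except (RuntimeError, zipfile.BadZipFile):   # check byte or CRC mismatch
                verdicts[zi.filename] = "unscannable: bad password"
                continue
            verdicts[zi.filename] = "EICAR-Test-File" if EICAR in data else "clean"
    return verdicts

if __name__ == "__main__":
    blob = build_encrypted_zip(SAMPLE_NAME, EICAR, SAMPLE_PASSWORD)
    print("scanner view:   ", scanner_view(blob))
    print("exe heuristic:  ", flags_password_protected_exe(blob))
    print("no password:    ", signature_scan(blob))
    print("wrong password: ", signature_scan(blob, b"wrong"))
    print("with password:  ", signature_scan(blob, SAMPLE_PASSWORD))
```

Run directly, it prints the three views: the first is what VirusTotal's engines had to work with when PC World uploaded the archive, the last is what Firecat got after extracting with the password from the mail. The check byte in the 12-byte header is only the top byte of the CRC, so a wrong password slips past it about one time in 256; the CRC check on the decrypted stream catches the rest, which is why signature_scan handles BadZipFile alongside RuntimeError.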
  21. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Yeah,

    I think they have done this as well. Scanning password-protected archives is absolute BS; how can these give infections?

    Just for curiosity, Firecat, did the results on uploading the patch differ between Jotti and VT?
     
  22. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Three days later I guess all AVs would have updated their blacklists.

    Zero day is a different story.
     
  23. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    I didn't realise that; I only skim-read the article. The only scanner I have ever seen detect malware in password-protected archives is VirusBuster (and it always detects them as variants of Bagle), but it also detects many harmless zipped and password-protected files as Bagle variants.

    If this is true then the article is totally useless.
     
  24. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I received this e-mail too. Avira was detecting it from the first day I downloaded the attachment (on Friday).

    Here's the log:
    With all respect to the PCWorld website, uploading a password-protected archive to virustotal.com and expecting it to be detected is nonsense, and it makes me wonder whether those guys know something about antiviruses... :rolleyes:
     
  25. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    This happens to be a very well-known and acknowledged fact. This particular piece of malware changes nothing, nor does any other.
     