Zero Day-How's your AV

Discussion in 'other anti-virus software' started by Franklin, Apr 14, 2007.

Thread Status:
Not open for further replies.
  1. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
The goal of the Storm/Nuwar/Zhelatin/Peed authors was to bypass gateway detection with the password protected ZIP. The reason for this is that companies focus the protection on the gateway and don't really care for the client computers, as those can be easily restored with images. So it makes sense to be able to block those specific ZIP archives on the gateway.

    Also note almost every new variant of Storm/Nuwar/Zhelatin/Peed gets "optimized" until no antivirus product detects it anymore. So testing AV programs only with this single piece of malware is basically useless - almost everyone will fail to detect a new variant, no matter which detection method is used.
     
  2. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,650
    Hi FRug,

    Somehow that seems for me to be in contradiction to what Mike posted in reply # 43:

    ;)
     
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
Please take note that compressed archives and packed executables are two rather different things. A compressed archive encrypted with a password is designed to scramble its contents so that anyone without the "key" (aka password) is unable to read its contents (at least, that's how it's supposed to work). A packed executable, on the other hand, comes complete with its own decompression routine that automatically decrypts and then launches the executable code; all you need to do is execute it like any normal file.
     
  4. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    I said the submission addresses of AV vendors are not getting scanned by AVs since that would be blocking any suspicious/infected file. IC was referring to "normal" companies out there which want to have hundreds or thousands of e-mail accounts protected.
    If a company receives 100.000 virus samples an hour, which is not that uncommon for large outbreaks, they want to filter the infected files as fast as possible, breaking passwords will be avoided if a quicker detection can be made.
    Anything else would not be in the interest of larger companies.
     
  5. herbalist

    herbalist Guest

    https://www.wilderssecurity.com/showthread.php?t=171562
I posted this warning here about this last Thursday. The VirusTotal scans of both the zip file and its unzipped contents are linked there for scans performed last Thursday. Of the 31 scans of the unpacked file, 13 identified a specific pest. 4 labelled it suspicious. 14 reported the file as clean. Including the "suspicious" results, a 55% detection rate at that time. Interestingly, Symantec detected the trojan in the zip file at VT, but at Yahoo mail, which uses Norton, it reported it clean.

    The password protecting of the zip file served 2 purposes.
    1. Defeating most AV scanners.
    2. Social engineering. This isn't something the average user expected to see. Yes, most of us here know that patches and virus fixes do not come as unsolicited e-mail. But the fact that the worm is spreading only demonstrates that the average user either doesn't realize this or was coerced into trusting it by the "password protection". In the common sense vs social engineering battle that's part of this ongoing war, common sense isn't winning out.

Whether your AV detected the zipped trojan at download matters more than the discussion here admits, starting with the fact that you're trusting the e-mail's statement that the attached file truly is a password protected zip file. Most users do not know how to examine such a file to determine if it's truly a zip file or an executable with a fake file extension. When 45% of the AVs reported the unzipped file as clean the day I scanned it, the e-mail could just as easily have been a deception and the file an executable.

    It doesn't matter much which AVs detect it now. It's already infected lots of PCs, and most of their owners don't know it. They only know their security apps crashed, not why.
    Rick
     
  6. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    Is this the malware being discussed?
    April 13, 2007 / 15:20:32 (GMT+2)
    F-Secure Anti-Virus detects Zhelatin.CQ with this update.

    Thanks,
    Jerry
     
  7. herbalist

    herbalist Guest

    There's a politically twisted definition if there ever was one. Malware and zero day attacks come from all over, including the USA. Both come from the criminal element and most aren't particular about the location, nationality, or politics of the target PCs owner.

    This is not a zero-day attack. It's just another variant and a slightly new twist put on a long established delivery method, e-mail attachments.
    Rick
     
  8. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,650
    Hi solcroft and FRug,

    Obviously I misunderstood Mike and you, FRug.
Yes, I know the difference between a password-protected zip file and a packed executable. But I did not read Mike's and FRug's postings carefully enough.
    Sorry :oops: :oops: :oops:

    There was a special reason why I did keep coming back to the topic.
    Something that happened to me recently after having submitted some nasties (no, it wasn't about F-Prot).
    I leave it to that.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    And they might not figure out why if they don't know that a rootkit was involved. I got one to test (courtesy of Firecat - thanks!) and posted here yesterday:

    http://www.dslreports.com/forum/remark,18160227~start=20#18172593


    If you remember the "Microsoft Patch" scam from a couple of years ago, people didn't even need the "password protection" element to be coerced:

    http://www.urs2.net/rsj/computing/imgs/patch-help_Agent.gif
    ________________________________________________________________________

    Here, many users were fooled by the fact that the executable didn't use .exe; even more, the exploit used the double-extension trick, so depending on how their Zip program displayed, might not have even seen that it's really a .pif (executable) file:

    http://www.urs2.net/rsj/computing/imgs/patch-help_AE.gif
    __________________________________________________________________________

Not only that, even if a user has a HIPS or simple execution protection as in the above example, if she/he is fooled - common sense breached - permission will be given to let the file run.

    Why not? You would think the "patches and fixes by email" exploit would have been put to rest two years ago.

Well, it was put to rest with all of the users that I help. This is not to get on the high horse, but as I've written before, if everyone here (you knowledgeable people) would take one or two people you know and point things like this out, just think how many more people would not become a part of the statistics of those who were coerced.

    It seems to me time would be better spent doing that than arguing about whose AV is better, or why AV doesn't catch these things, since it's becoming obvious that AV is not the solution in these types of cases:

    http://isc.sans.org/diary.html?storyid=2618
    Do you remember this comment?

    What AV does the experts here use?
    https://www.wilderssecurity.com/showpost.php?p=529369&postcount=13



    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
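Worked example, added here and not code from any poster: the check herbalist (#5) says most users cannot do (is the attachment really a zip file, or an executable with a fake extension?), the distinction solcroft (#3) draws (a password-protected archive sets an encryption flag in its headers; a packed executable is just a program), and the padded double-extension trick Rmus (#9) describes (a `.pif` hiding behind `.txt` and a run of spaces). The file names, the extension list and the sample files are all constructed for the example; the `mark_encrypted` helper only sets the ZIP encryption flag bit to simulate a password-protected archive, it does not encrypt anything.

```python
import io
import os
import re
import zipfile

# Extensions Windows runs directly; a PE file renamed to any of these still executes.
# Constructed list for the example, not exhaustive.
EXEC_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
ZIP_ENCRYPTED = 0x0001  # bit 0 of the ZIP general-purpose bit flag marks an encrypted entry


def sniff_type(data):
    """Classify bytes by content alone: 'executable', 'zip', 'zip-encrypted' or 'unknown'."""
    if data[:2] == b"MZ":  # DOS/PE stub: .exe, .pif, .scr ... whatever the name claims
        return "executable"
    if data[:2] != b"PK":
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # flag_bits comes from the central directory; listing needs no password
            if any(info.flag_bits & ZIP_ENCRYPTED for info in zf.infolist()):
                return "zip-encrypted"
            return "zip"
    except zipfile.BadZipFile:
        return "unknown"


def name_warnings(name):
    """Warnings for one file name: executable extension, decoy double extension, padding."""
    base = os.path.basename(name.replace("\\", "/"))
    ext = os.path.splitext(base.rstrip())[1].lower()
    warnings = []
    if ext in EXEC_EXTS:
        warnings.append("executable-extension")
        # "patch-help.txt          .pif": decoy extension, padding, then the real one
        if re.search(r"\.[a-z0-9]{1,4}\s*\.[a-z0-9]{1,4}$", base.lower()):
            warnings.append("double-extension")
    if re.search(r"\s{2,}", base):
        warnings.append("padded-name")
    return warnings


def assess(filename, data):
    """Combine the declared name, the sniffed type and the archive listing into one report."""
    declared = os.path.splitext(filename.rstrip())[1].lower()
    actual = sniff_type(data)
    warnings = name_warnings(filename)
    entries = {}
    if actual in ("zip", "zip-encrypted"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for entry in zf.namelist():
                flagged = name_warnings(entry)
                if flagged:
                    entries[entry] = flagged
    if actual == "executable" and declared not in EXEC_EXTS:
        warnings.append("extension-mismatch")  # calls itself .zip/.txt but is a program
    if actual == "zip-encrypted":
        warnings.append("encrypted-archive")   # a gateway scanner cannot look inside
    return {"declared": declared, "actual": actual, "warnings": warnings, "entries": entries}


def build_zip(entries):
    """Constructed test data: a stored (uncompressed) ZIP holding the given name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Simulation only: set the encrypted bit in every local and central file header.
    The entry data stays in the clear, which is enough to exercise sniff_type."""
    out = bytearray(zip_bytes)
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig)
        while pos != -1:
            out[pos + flag_off] |= ZIP_ENCRYPTED  # low byte of the little-endian flag word
            pos = out.find(sig, pos + 4)
    return bytes(out)


SAMPLES = {
    # constructed: a PE-style header wearing a .zip name (the fake-extension case)
    "patch.zip": b"MZ\x90\x00" + b"\x00" * 60,
    # constructed: an ordinary archive with a text file
    "notes.zip": build_zip({"readme.txt": b"nothing to see here\n"}),
    # constructed: "password-protected" archive carrying a padded double-extension .pif
    "patch-help.zip": mark_encrypted(
        build_zip({"patch-help.txt" + " " * 20 + ".pif": b"MZ\x90\x00"})),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, assess(name, data))
```

The point of `sniff_type` is that it never trusts the name: the first two bytes decide whether something is a program, and the archive's own headers decide whether it is password-protected. Listing the entry names of an encrypted archive works without the password, so a filter can still flag a `.pif` inside it even though it cannot scan the payload.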
     
  10. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    That's not good. How does one protect a malware sample if you need to send it as an email attachment if some AVs are detecting password protected archives? Can you double password protect it or something?

    For that matter, I don't think my ISP should EVER enter a password protected file. I would be very angry with Road Runner if they did that. I don't like having Road Runner check email incoming and outgoing but I can live with it. I certainly don't want them tampering though with a password protected file that I have emailed. I am not the enemy! If I have password protected a malware file to mail to someone there is legitimate reason why I did that and my ISP should honor that.
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi Mele,

    This is a good point, and was brought up in a discussion with some at sans.org

    My ISP (local here in town) feels the same way. His filter will strip an executable attachment,

    http://www.urs2.net/rsj/computing/imgs/agent_attachment.gif
    ____________________________________________________________

    but does not look inside .zip files, since he understands the legitimate need of his customers to send executables.

At least the patch_.exe executable can't run by an inadvertent click: it has to first be extracted.

However, evidently Yahoo web mail does filter zip files, and password-protected zip attachments are deleted. This was a couple of days ago:

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
    Last edited: Apr 15, 2007
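Added example, not the ISP's or Yahoo's actual filter: the two gateway behaviours Rmus describes above (strip executable attachments but never open archives; delete password-protected zips outright), and the gateway-first filtering FRug (#4) says large companies want, written as a small attachment policy over a constructed message. The policy names, the addresses, the attachment names and the "patch" mail itself are invented for the example; the encrypted-zip sample only has its header flag set, its contents are not encrypted.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Two policies, named here for the example, mirroring the behaviours in the thread.
POLICIES = {
    "strip-executables": {"executable": "strip", "zip-encrypted": "pass"},    # local ISP style
    "drop-encrypted-zip": {"executable": "strip", "zip-encrypted": "strip"},  # webmail style
}


def classify(data):
    """Content-based kind of one attachment: 'executable', 'zip-encrypted', 'zip' or 'other'."""
    if data[:2] == b"MZ":               # PE file, whatever the filename says
        return "executable"
    if data[:4] == b"PK\x03\x04":
        # Cheap header check: bit 0 of the first local header's flag word (offset 6, little-endian).
        # A production filter walks every entry; this is the minimum a gateway can do without
        # unpacking anything.
        flags = data[6] if len(data) > 6 else 0
        return "zip-encrypted" if flags & 1 else "zip"
    return "other"


def filter_message(raw, policy_name):
    """Parse a raw message, apply the policy to each attachment, and rebuild the message.
    Returns (filtered EmailMessage, list of (filename, kind, action))."""
    rules = POLICIES[policy_name]
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    kept, notes, decisions = [], [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        kind = classify(data)
        action = rules.get(kind, "pass")
        decisions.append((name, kind, action))
        if action == "pass":
            kept.append((name, data, part.get_content_type()))
        else:
            notes.append(f"[gateway] removed attachment {name!r} ({kind}) under policy {policy_name}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    out = EmailMessage()
    for header in ("From", "To", "Subject"):
        if msg[header] is not None:
            out[header] = str(msg[header])
    out.set_content(text + ("\n".join(notes) + "\n" if notes else ""))
    for name, data, ctype in kept:
        maintype, subtype = ctype.split("/", 1)
        out.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return out, decisions


def build_zip(entries):
    """Constructed test data: a stored ZIP from name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample():
    """Constructed message in the shape of the 'patch' mail: three attachments of three kinds."""
    plain_zip = build_zip({"readme.txt": b"release notes\n"})
    locked_zip = bytearray(build_zip({"patch-help.txt" + " " * 20 + ".pif": b"MZ\x90\x00"}))
    locked_zip[6] |= 1   # simulate a password-protected archive: flag only, data left in the clear
    msg = EmailMessage()
    msg["From"] = "update-service@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Important security patch"
    msg.set_content("Install the attached patch. Archive password: 1234\n")
    for name, data in (("patch_.txt", b"MZ\x90\x00" + b"\x00" * 60),  # executable with a .txt name
                       ("notes.zip", plain_zip),
                       ("patch-help.zip", bytes(locked_zip))):
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return bytes(msg)


if __name__ == "__main__":
    for name in POLICIES:
        filtered, decisions = filter_message(build_sample(), name)
        print(name, decisions, [p.get_filename() for p in filtered.iter_attachments()])
```

Under "strip-executables" the renamed program is removed and both archives pass, which is the trade-off Rmus's ISP makes: customers can still exchange executables inside a zip, and the gateway never tries to open one. Under "drop-encrypted-zip" the password-protected archive is removed as well, the behaviour Mele20 objects to, because the gateway cannot tell a legitimate sample submission from the Storm attachment without the password.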
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
I don't like it. It must be optional, I think.
     
  13. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Geez. I'm glad I don't use Yahoo mail. They don't even attempt to break the password...just delete the attachment if it has a password? I think that is awful. What if the major ISPs start doing that? Of course, not all of them even scan at their gateways, but mine, Time Warner's Road Runner, does and that is a big USA cable ISP. They scan all mail incoming and outgoing at the gateways. Currently, they let password protected zips through but what if they decide to just delete them like Yahoo?
     
  14. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    No, I've tried sending messages with password protected archives myself on Yahoo Mail. The attachment was blocked every time. :(
     
  15. herbalist

    herbalist Guest

    If Yahoo is blocking passworded zip archives, that's a new policy. I've received 2 copies of the "zipped patch" in my Yahoo mailbox, one on Thursday, one Saturday. Yahoo mail is one of my more reliable sources of viruses, rootkits, etc. They show up there constantly, their AV (Norton) misses most of them on the day they arrive, and their AV is easy to defeat for harvesting them.
    Rick
     
  16. herbalist

    herbalist Guest

    You would think it should have been by now. For my clients, it has. As for their kids, kids friends, etc, it gets grey there. As for the average user, the ones who make up the statistics, I'm at a loss to explain it. Maybe they just don't like being told how to handle a given situation.
    Too many people think software is the solution, especially the new tools like HIPS, sandboxes, etc. The software, especially HIPS is meaningless without a basic security policy to base the decisions on. If you don't recognize it and didn't ask for it (unsolicited e-mail attachments), deny it. Why is default-deny so hard for some users to accept?
    Rick
     
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
so having read through this entire thread, I still wonder what the most secure setup is. None is 100 percent, but let's face it, times have changed. For me, in the long run, it will more than likely be Prevx, Antivir PE and Comodo BoClean.
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
I use my frozen snapshot as zero-day scanner/remover; it doesn't recognize them, but that doesn't matter. They are gone anyway along with the not-detected viruses. A frozen snapshot doesn't detect/remove false positives.

    If a scanner has a detection rate of 95% in the av-comparatives, my frozen snapshot takes care of the missing 5%.
    My advice for scanner-fans : find a second scanner that takes care of the missing 5% and you will sleep better. :)
     
  19. herbalist

    herbalist Guest

    Regardless of what you use as a primary defense, make sure you have some form of system backup software. Whether it's frozen snapshots or images of your system made while clean, what matters is that you have a way to undo any damage, infection, or hard drive failure that happens. My primary defense is SSM and a firewall. Should that ever fail, Acronis will fix the problem.
    Rick
     
  20. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Do you use a AV?
     
  21. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
in that case i only need to find a solution for the less than 3 percent of this 97,89%
    common sense is and will always be the best way to avoid malware and other threats.
     
  22. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,750
    Location:
    EU
    Give a hint, but the words Frozen Snapshot are forbidden ;)

    Give a hint

    Gerardo
     
  23. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    With a properly-configured HIPS, an antimalware scanner is unnecessary.

I still can't bring myself to completely rely on SSM though, due to its lack of a file defense module. I go with EQSecure instead, also comboed with a firewall and frozen HD snapshot.
     
  24. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That's right, better no malware at all on your computer. Prevention is priority number one.
    If a scanner finds a virus on your computer it's already TOO LATE, nothing to be proud of.
My frozen snapshot is also TOO LATE but complete; that's why I still need security software to stop the installation and certainly the execution, which is the worst part of malware.
    I use my frozen snapshot to remove all the infections that passed through my security software like butter.
     
    Last edited: Apr 16, 2007
  25. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,219
    Hello,

I'm really having a hard time understanding this phenomenon:

    Receive email, ok.
    Bother to open and actually read email labeled: security alert, not ok.
    Get convinced that what is written in the email is logical, crazy.
    Download the attachment, abnormal.
    Use the password to open the archive, super-moronic.
    Execute the attachment, total idiocy.

    Analogy:

    Take a pair of M18 Claymore anti-personnel mines.
    Take duct tape (reinforced, yellow, 2").
    Strap mine 1 to left cheek and fasten with tape around cranium, double roll.
    Strap mine 2 to right cheek and fasten with tape around cranium, double roll.
    Attach fuses.
    Place a pair of 1.5V AA batteries into the detonator.
    Connect fuses with detonator.
    Self-destroy.

    C'mon, honestly. This is ridiculous. As if AV would really help such people. As if they would bother updating the definitions.

    Mrk
     