Regular Contributor
Niko233
Posts: 765
Registered: ‎06-25-2010

Re: [stop ignore MalwareDomainList.com] October-2010 pack

small comment:

All malware samples are not detected by the currently updated Norton 2011 with the heuristic engine switched to aggressive.

The Norton engine on VT detects the 2010-10-08 MDL trojan SpyEye setup.exe, but scanned from my hard drive it is not.

Apparently the WS.Reputation.1 detection method is based on the original location of files (where they came from) too.

I saw other examples of that.

That's why such files are heuristically detected on VT, but not on users' computers: not enough heuristic/suspicious characteristics to suppose that this file could be malware.

Regular Contributor
Niko233
Posts: 765
Registered: ‎06-25-2010

Norton Retail Submissions Tracker

[Rolling back...]

We have processed your submission (Tracking #18214173) and your submission
is now closed. The following is a report of our findings for the files in
your submission:

File: setup.exe
Machine: Machine
Determination: This file is detected as 'Trojan.FakeAV!gen29, ' with our
existing Rapid Release definition set.

Nice Wares is not so nice...

( http://community.norton.com/t5/Norton-Internet-Security-Norton/Threat-Called-quot-Nice-Ware-quot-Wit... )

!self-appeared! on my desktop (Win XP SP3 all updates installed + updated Norton with both heur. and SONAR engines in aggressive modes, 14-Nov-2010)

[Attachments: v0.PNG, v1.PNG, v2.PNG, v3.PNG]

Your submission has been sent Sun Nov 14 23:16:02 PST 2010. 

Tracking #18214173.

Regular Contributor
Niko233
Posts: 765
Registered: ‎06-25-2010

Re: Norton Retail Submissions Tracker

[More than a month ago, tens of users]

Tracking #18250731

[Attachments: u1.PNG, u2.PNG, u3.PNG, u4.PNG]

Regular Contributor
Niko233
Posts: 765
Registered: ‎06-25-2010

Re: Norton Retail Submissions Tracker

Now teasty.exe is detected as Trojan.Spyeye

Regular Contributor
Niko233
Posts: 765
Registered: ‎06-25-2010

[stop ignore MalwareDomainList.com] October-2010 pack - Questions about PDF detection

In [stop ignore MalwareDomainList.com] October-2010 pack

http://community.norton.com/t5/Norton-Internet-Security-Norton/Norton-Retail-Submissions-Tracker/m-p...

3 PDF documents were sent, using vulnerabilities in all Adobe Reader versions before the 9.4 update:
Resent exact copies of the previous files: Tracking #18552836

Many of the strong companies know it: Avira, DrWeb, Microsoft, Kaspersky, ESET

and tell us that it is Exploit:Win32/CVE-2010-2883.A

Symantec (at least in the Norton line of products) usually protects users against exploit files and detects them as Bloodhound.<something>

Why are these files still not detected? Did the big vendors miss something, or did Symantec somehow skip analysing this vulnerability?
Thanks for the answer!

Regular Contributor
Niko233
Posts: 765
Registered: ‎06-25-2010

Norton Retail Submissions Tracker

Little November-2010 submission:

[Attachment: y.PNG]

All were found alone (I think copied by themselves) on one of our local network servers in a free-to-upload SMB shared folder. By the way: if they spread by replicating themselves, then does Symantec place them in the Worms class?

2010-11-18 MDL rapport.exe

http://www.virustotal.com/file-scan/report.html?id=cee4e04fb7abdf64f648dd06bf2af8d316d84456afc0a66bb...

2010-10-18 forum for all tvxoqx.exe

http://www.virustotal.com/file-scan/report.html?id=43c427724fc9be5e58ba54fbdaf49dc485e5eec6e75cb92e9...

Tracking #18552974

In addition: tvxoqx.exe (file with icon) is recognized as heuristic malware, but was not blacklisted for 1 month after I started it.

But the product's (NIS 18.1) Norton Community Watch Sample Submission always ran during every one of my sample rescan procedures. Strange.

Symantec Employee
JohnM
Posts: 112
Registered: ‎04-08-2008

Re: Norton Retail Submissions Tracker

Apologies for the delay and as always thanks for bringing this to our attention.

The files in the earlier submission (PDF and EXE) have been truncated in the middle of the file, effectively rendering them harmless. For the PDF files, the corrupted part is TrueType Font which can sometimes lead security vendors to suspect the files might exploit a vulnerability and add detection just in case. However when opened they only display error messages.

One of the files in 18552974 (~rapport.exe) was added as Trojan Horse, although the main culprit wasn't in the submission. If you find a file named "ZASRAKOMONDOHUI31338.EXE", please submit it for analysis.

Thanks again.
JohnM

Regular Contributor
Niko233
Posts: 765
Registered: ‎06-25-2010

Norton Retail Submissions Tracker

This will be an interesting topic:

Norton Trusted Files versus Virus Total Antiviruses: 7 files accidentally observed

http://community.norton.com/t5/Norton-Internet-Security-Norton/Norton-Trusted-Files-versus-Virus-Tot...

Regular Contributor
Niko233
Posts: 765
Registered: ‎06-25-2010

Re: Norton Retail Submissions Tracker

Thanks for detailed report, JohnM!

All was clear and understood by me

Unfortunately, the main father file in this criminal band :smileywink: named "ZASRAKOMONDOHUI31338.EXE" was not found on the servers at this moment. The now-detectable file was moved to my collection much earlier, a month ago, and was probably deleted by other admins or by another security suite installed on the servers.

Mm.. and tell us what you think about the tvxoqx.exe (file with icon) detection: is it malware?

Thanks for cooperation!

idea:

By the way: a file named "ZASRAKOMONDOHUI31338.EXE" can be submitted via the Norton Community Watch (NCW) component of the Norton line of products. Such a rule just has to be added to NCW and downloaded with the nearest LiveUpdate session. I think with such a method it will be caught fast if the file name is unique (it probably is) and this name is not randomly changed by that malware.

Bot Obliterator
Quads
Posts: 13,250
Registered: ‎07-21-2008

Re: Norton Retail Submissions Tracker

JohnM

The Trojan appears to be downloaded on PCs infected with some of the variants of the Zbot family

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe]
Debugger = "ZASRAKOMONDOHUI31338.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe]
Debugger = "ZASRAKOMONDOHUI31338.EXE"

By doing the above the infection can block or intercept any request it is meant to. But does the file "ZASRAKOMONDOHUI31338.EXE" actually exist, or is the file name just that in the registry? Meaning the file is actually under another name, or just doesn't exist.

Which would be something like Trojan:Win32/Killav.EL


Quads
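A defender-side check for the IFEO Debugger hijack Quads describes, added here as an example and not code from the thread or from Symantec: it parses a constructed `reg export` dump containing the two Rapport keys quoted above and flags Debugger values that are bare names or absent from disk. The `myapp.exe` entry and the `C:\Tools\dbg.exe` path are made up for contrast.

```python
"""Scan a 'reg export' dump of IFEO keys for Debugger hijacks (constructed)."""
import re

IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
               "\\CurrentVersion\\Image File Execution Options\\")

# Constructed .reg text in the format 'reg export' writes: the two Rapport
# keys from the thread plus a made-up entry pointing at a full path, so the
# checker has a non-hijack to compare against.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe]
"Debugger"="ZASRAKOMONDOHUI31338.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe]
"Debugger"="ZASRAKOMONDOHUI31338.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="C:\\Tools\\dbg.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')


def find_ifeo_debuggers(reg_text):
    """Return {target_exe: debugger} for every IFEO subkey with a Debugger
    value; Windows starts that program instead of the target on launch."""
    hits, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:  # new [key] header: remember the IFEO target, or None
            name = key.group(1)
            in_ifeo = name.lower().startswith(IFEO_PREFIX.lower())
            current = name[len(IFEO_PREFIX):] if in_ifeo else None
        val = VALUE_RE.match(line)
        if current and val and val.group(1).lower() == "debugger":
            # undo .reg escaping of quotes and backslashes in the value
            hits[current] = val.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return hits


def suspicious(hits, files_on_disk):
    """Flag a Debugger that is a bare name (resolved via the search path, as in
    the thread) or absent from files_on_disk, a lower-cased set of full paths
    standing in for a disk scan.  A missing debugger still stops the target."""
    return {t: d for t, d in hits.items()
            if "\\" not in d or d.lower() not in files_on_disk}
```

On a live host the same functions can be fed the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`.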