
Trojan ZBOT with Good Rating from Symantec

Today I received a spam email (a fake bill) and Norton found nothing. Later I checked this file inside Spam and I can see why Norton found nothing.

Trojan Zbot 23/46

https://www.virustotal.com/de/file/dbb8dfa4632f20e2e917be529c6ce9aea18ecb8db05c852f28ffce904e2fd3ef/analysis/1377360150/

And Norton says this file has a Good rating! (see picture)

http://s7.directupload.net/images/130824/p67yna4z.jpg

How can this happen?

Replies


Re: Trojan ZBOT with Good Rating from Symantec

Some of the information you are looking for is in your image. There are very few users with the file, the file is very new (less than one week).

Not all security companies are detecting it at VirusTotal, so this could be a new malware or a new variant that Norton has not yet picked up and fixed.

We have to remember that new and modified malware is released in the tens of thousands every DAY. Until a security company has detected it, then created a definition update, the users can be vulnerable. This is why no single security software can protect from 100% of malware 100% of the time.

Things happen. Export/Backup your Norton Password Manager data.

Re: Trojan ZBOT with Good Rating from Symantec

You don't understand?

This is a new file, this is not a file that takes good things on a computer... why does this file have 2 green points?

A new file is unrated, right?

(In times of the NSA scandal this is an important question: why does a Trojan Zbot come with very good ratings from Symantec?)

You understand now? ;)


Re: Trojan ZBOT with Good Rating from Symantec


Voyager10 wrote:

You don't understand?

This is a new file, this is not a file that takes good things on a computer... why does this file have 2 green points?

A new file is unrated, right?

(In times of the NSA scandal this is an important question: why does a Trojan Zbot come with very good ratings from Symantec?)

You understand now? ;)


I do understand.

Did you read the second part of my post?  Until malware is detected, a security program cannot protect against it. Being a new file, maybe Norton had not yet detected it as malware.

As a downloaded file, Norton Insight lets the user know it is new and the user has to decide if they want to proceed. If there is malware in the file, the other layers of Norton's protection should catch anything that tries to run. Autoprotect and Sonar should catch bad behavior and warn the user at that time.

This Sonar detection would be logged, and your Norton program would relay that information back to Norton. Now they know about it, they can update the definitions to catch it earlier.

Unfortunately, someone has to get attacked first, so the rest of us can get the protection. Probably not the kind of early adopter  anyone wants to be.


Re: Trojan ZBOT with Good Rating from Symantec


peterweb wrote:

Voyager10 wrote:

You don't understand?

This is a new file, this is not a file that takes good things on a computer... why does this file have 2 green points?

A new file is unrated, right?

(In times of the NSA scandal this is an important question: why does a Trojan Zbot come with very good ratings from Symantec?)

You understand now? ;)


I do understand.

Did you read the second part of my post?  Until malware is detected, a security program cannot protect against it. Being a new file, maybe Norton had not yet detected it as malware.

As a downloaded file, Norton Insight lets the user know it is new and the user has to decide if they want to proceed. If there is malware in the file, the other layers of Norton's protection should catch anything that tries to run. Autoprotect and Sonar should catch bad behavior and warn the user at that time.

[...]


Hi peterweb

The issue here, though, is more about how a file considered 'Very New' (released less than a week ago) with a user count of fewer than 5 users could get Norton's second highest rating ('Good' with two green bars below): 

Hi Voyager10

Did this file arrive inside a compressed file (eg ZIP) in the original email? Have you done any further controlled testing on this file ie upload and then re-download the file to see what Download Insight has to say about it or a SONAR test?

Thanks


Re: Trojan ZBOT with Good Rating from Symantec

Peterweb does not understand the question...

@elsewhere

Yes, it was a file inside a zip (named as a bill).

Certainly I tested this inside a VM with Norton2013 and a VM with the latest Norton2014beta.

NIS2013 did not detect the installer (dropper) and the installed exe file; Sonar found only the installed rootkit variant.

Norton2014b.: Sonar detected the installer and killed it.

My question was very clear: yes, Norton2013 can detect this Trojan Zbot with the Norton Insight component if the rating would not be green! How is it possible that a new Trojan would be green rated? The question is certainly addressed to Symantec ;)


Re: Trojan ZBOT with Good Rating from Symantec

Voyager10

I see your point now.

I think elsewhere's question may have a bearing on this. Maybe others here can confirm this.

Accepted Solution

Re: Trojan ZBOT with Good Rating from Symantec

First day: The Trojan is new and falsely rated; I uploaded both files (dropper + installed EXE) to Websubmit Symantec.

http://s7.directupload.net/images/130824/p67yna4z.jpg

Second day: We now have thousands of infections (see picture); I got no confirmation mails from Websubmit.

http://s1.directupload.net/images/130827/cl3ojrdb.jpg

Third day: We now have detections of both files.

http://s7.directupload.net/images/130827/uidxd6zw.jpg

This is still a bad report for Symantec. I give extra hints here to avoid thousands of infections, all is pointless.


Re: Trojan ZBOT with Good Rating from Symantec


Voyager10 wrote:

First day: The Trojan is new and falsely rated; I uploaded both files (dropper + installed EXE) to Websubmit Symantec.

http://s7.directupload.net/images/130824/p67yna4z.jpg

Second day: We now have thousands of infections (see picture); I got no confirmation mails from Websubmit.

http://s1.directupload.net/images/130827/cl3ojrdb.jpg

Third day: We now have detections of both files.

http://s7.directupload.net/images/130827/uidxd6zw.jpg

This is still a bad report for Symantec. I give extra hints here to avoid thousands of infections, all is pointless.


Your description is just how it works for all security companies for every new infection. Your notifications, via your manual submissions and the reports sent automatically from your Norton product helped Norton identify and create a fix for the new infection.

You happened to be on the front line for this particular infection.

Norton may not have detected and corrected this one before the other companies, but in another situation, Norton may be the first with a fix. It all depends on which user is affected first, and what security software they are using to have the new infection reported to that company.


Re: Trojan ZBOT with Good Rating from Symantec


Norton may not have detected and corrected this one before the other companies


This is not the point, the point is why this Trojan gets very good ratings... and can infect thousands of users!

Other Norton security layers see this good rating and do nothing... and can infect thousands of users!

http://s1.directupload.net/images/130827/cl3ojrdb.jpg

The false rating is the question, and the Websubmit processing and detection 4 days later (24. -> 27.) is the question...


Re: Trojan ZBOT with Good Rating from Symantec

The Download Insight rating would not affect how the other layers would see the file. Each layer does its work independently. The Autoprotect and the Sonar detections do their own thing for detection.

As to the time frame, and what would be considered 'normal', only Norton can answer that. 
