Norton Submissions Tracker

Tracking #20874408

 

We have here a file that Norton cannot detect, found on an infected system at c:\Windows\System32\svshost.exe.

We see svshost is a fake name; this file is resident on the system and closes Task Manager and other things.

 

Norton says the file has a good reputation (one green point) and 50 users; SONAR does not detect this file on an infected test system.

 

Zwischenablage1.jpg

 

http://www.virustotal.com/file-scan/report.html?id=1ad9e49c34e05a0183ba28b379ef5c73052ca5a99a5804ce1c2e84e7302c6c0d-1312074784

 

25 AVs detect this file as a Trojan.

-------

have you ...

------

 

See first post, tracking number... ;)

 

Yes, no one is perfect, but I show this to make clear that detection of this file is important, and Symantec can also analyse why SONAR does nothing and why this file has a good reputation...

A good example to improve the software.

[TRACKING]: Symantec Security Response Automation (Tracking #20926990)

 

New fresh Trojan horse (1/42 VT), after installing Free Female.... SONAR failed to detect!

http://www.virustotal.com/file-scan/report.html?id=f8ca9d07ae7f677724ce1f3ff868fc638c6016d1336964f26eb6423cd7e6ace1-1312557050

 

You can see a fake Windows process running inside the Roaming folder...

 

Zwischenablage1.jpg

 

edit:

ThreatExpert report

http://www.threatexpert.com/report.aspx?md5=f5ad76b7a39ff691eaca0c48415e6f86

This is again as in the old days; Symantec WebSubmit is nonsense because nothing is being processed until today. I have no detection on submitted threats after 3 days.

 

But I tried a retest today with NIS2012 Beta; this SONAR can detect the threats better, as you can see.

 

Zwischenablage02.jpg


 

We have processed your submission (Tracking #20956784) and your submission is now closed. The following is a report of our findings for the files in your submission:
--------------------------------------------------------------------------
File:  The Self Help Guide For Women.exe
Machine: Machine
Determination: Please see the developer notes.
---------------------------------------------------------------------------
Developer Notes
---------------------------------------------------------------------------
The Self Help Guide For Women.exe Our automation was unable to identify any malicious content in this submission.
The file will be stored for further human analysis
---------------------------------------------------------------------------
This message was generated by Symantec Security Response automation.


 

Look at http://www.threatexpert.com/report.aspx?md5=8435b50bb12fe659ffa4baf9cfbb9dd1

or see the picture in the last message..

 

ThreatExpert has belonged to Symantec since 2008; why does the company not use this to "identify any malicious content"?

 

Sorry, but the automatic email messages are not helpful where they say "we could not find anything", if the solution is only one mouse click away. Do you not think so?

The question is, is the automatic virus detection system so much worse than ThreatExpert and SONAR?

[TRACKING]: Symantec Security Response Automation (Tracking #20984384)

Found a new dropper "updatedrv.exe" that can bypass both SONARs (NIS2011 and NIS2012).
SONAR only found partial infections, but not all; there are remains in memory, see picture.
No antivirus on VirusTotal found a virus (0/43), but the ThreatExpert log is pretty convincing!

http://www.virustotal.com/file-scan/report.html?id=ab7b6388b1ec64384d6865636dba8212522ec33fe08c3dff37443567c676a115-1313324291

 

http://www.threatexpert.com/report.aspx?md5=536b2f3d8533f4f2b127bc4f322f36f9

 

Turn your attention to "Memory modification - There were new processes created in the system"

 

Unbenannt.JPG

 

http://imageshack.us/photo/my-images/88/unbenanntnoh.jpg/

[TRACKING]: Symantec Security Response Automation (Tracking #20986344)

 

Found on this Russian site many new undetected "xxx.avi.exe" threats hxxp://porevopremiumclass.ru; these are Russian extortions.
After install SONAR found nothing; this threat reboots the PC immediately, and after the reboot this PC is closed and unusable.
The message inside this blocked PC says "pay within 24h or your Windows and BIOS will be destroyed", see picture.

 

4/43 http://www.virustotal.com/file-scan/report.html?id=49d95c22806c28b216930aecde8b484ad82d25e1250457a20fb1eca732c30df8-1313347110

 

Unbenannt2.JPG

 

http://imageshack.us/photo/my-images/43/unbenannt2ph.jpg/

[TRACKING]: Symantec Security Response Automation (Tracking #21013317)

 

Both SONARs (NIS2011/NIS2012) are again missing a running threat "windowsupdate.exe", see pictures... these show the reputation scan with running objects in memory..

 

The Dropper "keygen.exe" http://www.virustotal.com/file-scan/report.html?id=b839bc27875b5e2f5488e586c100b6d57ea2e4d0a6c13e43556ad2cdd1e046a9-1314122706

 

Trojan "windowsupdate.exe" http://www.virustotal.com/file-scan/report.html?id=42ed4113b489b34f62be7f55606f0e25c42440bc379cbec258c91e6f5cd5e699-1314122943

 

NIS2012 shows many "Web Attack: Blackhole Toolkit Website 5" in the tray after infection..

 

Unbenannt2.JPG

 

http://imageshack.us/photo/my-images/36/unbenannt2wi.jpg/

 

No one is perfect, but I show this to make clear that detection of this file is important and Symantec can also analyse why SONAR does nothing

[TRACKING]: Symantec Security Response Automation (Tracking #21287289)

 

11/ 44 http://www.virustotal.com/file-scan/report.html?id=393085eb7b56f42e16b90fdeb0cf58b29c33b989853f522ec1c2ffe6b33f4ae6-1316798108

 

Signed malware! werping.exe has a digital VeriSign certificate.

Symantec reputation: Good, 1 green point.

 

Malwarebytes found it as Adware.Werping, 10 entries.

 

HKEY_CLASSES_ROOT\CLSID\{AA4E73CB-0853-41F1-98FF-8425F1FAF463} (Adware.WerPing) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{F9EC55CA-A59A-4707-9549-D7888F33EFD2} (Adware.WerPing) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{BA757198-9CBC-49E1-A504-EBBD2BA03978} (Adware.WerPing) -> No action taken.
HKEY_CLASSES_ROOT\WebManager.ExplorerManager.1 (Adware.WerPing) -> No action taken.
HKEY_CLASSES_ROOT\WebManager.ExplorerManager (Adware.WerPing) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA4E73CB-0853-41F1-98FF-8425F1FAF463} (Adware.WerPing) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\werping (Adware.Werping) -> Value: werping -> No action taken.

c:\WINDOWS\system32\werping.exe (Adware.Werping) -> No action taken.
c:\WINDOWS\system32\werping.dll (Adware.WerPing) -> No action taken.
c:\dokumente und einstellungen\Jens\Desktop\werping.exe (Adware.Werping) -> No action taken.

Huh Voyager10.

 

Do you know that Symantec detects trojware by hash, per sample? What does this mean? They create hashes from the samples you sent and put them into the virus DB. This sort of signature is useless against new variants of the same malware.

I can't even imagine how they will protect users from some types of Trojan-Droppers which write the timestamp at the end of each dropped file. So, at every unique moment in time this timestamp will be unique, and consequently the file hash must be unique too.
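The point made in the post above, worked through in code. This is an added example, not code from the thread or from Symantec: the "dropped file" is a constructed stand-in, and the dropper is assumed to append an 8-byte little-endian Unix timestamp to an otherwise identical body. It shows that one changed byte defeats a full-file hash signature, while a hash over the stable body (trailer removed) still matches the variant.

```python
"""Per-sample hash signatures versus a dropper that timestamps each drop.

Added example; not from the forum thread. STABLE_BODY is a constructed
stand-in for the dropped file's unchanging part (in reality a PE image).
Assumption: the dropper appends an 8-byte little-endian Unix timestamp.
"""
import hashlib
import struct

# Constructed payload body; the values are meaningless beyond looking PE-ish.
STABLE_BODY = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"constructed dropper body" * 8
TRAILER_LEN = 8  # assumed size of the appended timestamp


def drop(body: bytes, ts: int) -> bytes:
    """Model the dropper: identical body followed by the current timestamp."""
    return body + struct.pack("<Q", ts)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def body_hash(sample: bytes, trailer_len: int = TRAILER_LEN) -> str:
    """Hash the sample with its variable trailer stripped off."""
    return sha256(sample[:-trailer_len])


def byte_diff_count(a: bytes, b: bytes) -> int:
    """How many byte positions differ between two equal-length samples."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def full_hash_matches(db: set, sample: bytes) -> bool:
    """A per-sample signature: exact SHA-256 lookup."""
    return sha256(sample) in db


def body_hash_matches(db: set, sample: bytes) -> bool:
    """A signature over the stable region only."""
    return body_hash(sample) in db


def demo() -> dict:
    submitted = drop(STABLE_BODY, 1313324291)   # the sample a user submitted
    variant = drop(STABLE_BODY, 1313324292)     # same dropper, one second later
    full_db = {sha256(submitted)}
    body_db = {body_hash(submitted)}
    return {
        "bytes_differing": byte_diff_count(submitted, variant),
        "full_hash_hits_submitted": full_hash_matches(full_db, submitted),
        "full_hash_hits_variant": full_hash_matches(full_db, variant),
        "body_hash_hits_variant": body_hash_matches(body_db, variant),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The fixed trailer length is the weak spot of the body hash: a real implementation would take the end of the stable region from the PE headers (end of the last section) rather than assume eight bytes, so that any overlay, whatever its size, is excluded.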

[TRACKING]: Symantec Security Response Automation (Tracking #21492910)

 

Have submitted today the "German State Trojan used by German intelligence to hack into PCs and for stealing information"

 

http://www.virustotal.com/file-scan/report.html?id=3407bf876e208f2dce3b43ccf5361c5e009ed3daf87571ba5107d10a05dc7bc4-1318115925

 

http://www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318115989

 

You can read about this topic in English here: http://ccc.de/en/updates/2011/staatstrojaner

This topic is also in the German news.

Thanks for Adding "German State Trojan" as Backdoor.Earltwo

 

This news topic "CCC found Bundestrojaner" is now the most read news in Google News Germany.

Backdoor.R2D2 (German State Trojan)

 

http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2011-100906-1915-99&vid=53628

Symantec writes :

Symantec Security Response is currently investigating this threat and will post more information as it becomes available. 

 

I have more information for your investigation.

Digitask.de: this company is involved in the development of spyware and Trojan software for dubious governmental surveillance. Their products are suspected of deliberately violating the directives of the Federal Constitutional Court of Germany. Their products are also suspected of knowingly violating the BSD license of the Speex audio codec.

They developed software that captures audio data and sends it to the attacker through a U.S. server without the user's knowledge. It has been used by the German state police in Bavaria for the last 3 years. In a case in 2009 this State Trojan captured 60000 screenshots and sent them to the Bavarian police; this was not allowed by the directives of the Federal Constitutional Court of Germany.

This information is officially confirmed.

 

mfc42ul.dll=Backdoor.R2D2 http://www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318282563

sigcheck:
publisher....: Microsoft Corporation
copyright....: Copyright (c) 1998
product......: MFC 42
description..: MFCDLL Shared Library - Retail Version
original name: mfc42ul.dll
internal name: mfc42ul.dll
file version.: 4.2.1.0
comments.....:
signers......: -
signing date.: -
verified.....: Unsigned

This company has also violated the copyright rights of Microsoft with a fake signing.
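The sigcheck output above shows the pattern worth automating: the VERSIONINFO publisher string says "Microsoft Corporation" while Authenticode says "Unsigned", and the file name (mfc42ul.dll) is one character away from a genuine Microsoft DLL, just as svshost.exe earlier in the thread is one character away from svchost.exe. This is an added triage example, not code from the thread or from Sysinternals. The records are constructed from file names mentioned in the thread; the publisher strings, user name and the "Werping Ltd" publisher are invented for illustration.

```python
"""Triage sigcheck-style records for three tells seen in this thread:
  1. a Microsoft publisher string on a file Authenticode does not verify,
  2. a lookalike (edit distance 1) of a Windows system binary name,
  3. a genuine system binary name outside System32 / SysWOW64.

Added example; not from the thread. Records are constructed: the paths
echo files named in the thread, the version-info fields are invented.
"""
from dataclasses import dataclass
from typing import Dict, List
import ntpath

# Small allow-list of names worth impersonating; extend from a clean image.
KNOWN_SYSTEM_NAMES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "wuauclt.exe", "mfc42.dll", "mfc42u.dll",
}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


@dataclass
class Record:
    path: str
    publisher: str   # VERSIONINFO CompanyName: free text, attacker-controlled
    verified: str    # Authenticode result as sigcheck prints it, e.g. "Signed"


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; short names keep this cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(rec: Record) -> List[str]:
    findings = []
    name = ntpath.basename(rec.path).lower()
    in_system_dir = ntpath.dirname(rec.path).lower() in SYSTEM_DIRS
    # Tell 1: the publisher field costs nothing to forge; only the signature counts.
    if "microsoft" in rec.publisher.lower() and rec.verified.lower() != "signed":
        findings.append("claims Microsoft publisher but Authenticode: " + rec.verified)
    if name in KNOWN_SYSTEM_NAMES:
        # Tell 3: right name, wrong place (e.g. a Roaming folder).
        if not in_system_dir:
            findings.append("system binary name outside System32/SysWOW64")
    else:
        # Tell 2: svshost.exe, mfc42ul.dll and friends.
        close = sorted(k for k in KNOWN_SYSTEM_NAMES if levenshtein(name, k) == 1)
        if close:
            findings.append("lookalike of " + ", ".join(close))
    return findings


# Constructed records (publisher strings and user name are invented).
SAMPLES = [
    Record(r"C:\Windows\System32\svshost.exe", "", "Unsigned"),
    Record(r"C:\Windows\System32\mfc42ul.dll", "Microsoft Corporation", "Unsigned"),
    Record(r"C:\Users\jens\AppData\Roaming\svchost.exe", "Microsoft Corporation", "Unsigned"),
    Record(r"C:\Windows\System32\svchost.exe", "Microsoft Corporation", "Signed"),
    Record(r"C:\Windows\System32\werping.exe", "Werping Ltd", "Signed"),
]


def run(records: List[Record] = SAMPLES) -> Dict[str, List[str]]:
    return {r.path: triage(r) for r in records}


if __name__ == "__main__":
    for path, findings in run().items():
        print(path, "->", findings or "no findings")
```

Note that werping.exe produces no findings: a valid signature from a commercial CA only proves who paid for the certificate, which is exactly why the thread's "signed malware" case still needs behavioural or reputation evidence rather than a signature check alone.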

 

[TRACKING]: Symantec Security Response Automation (Tracking #21531242)

 

Undetected Backdoor.R2D2 variants, German Federal Trojan

 

ThreatExpert log of this variant:

 

http://www.threatexpert.com/report.aspx?md5=309ede406988486bf81e603c514b4b82

 

 

The Question is, is the automatic virus detection system so much worse than ThreatExpert and SONAR ? 

 

Yes, http://community.norton.com/t5/Product-Suggestions/Symantec-s-Automation-vs-Norton-s-SONAR/m-p/422672#M1678

 

Interesting... Why are you getting so many pieces of undetectable malware? Testing Norton or what?

http://www.securelist.com/en/blog/208193167/Federal_Trojan_s_got_a_Big_Brother

 

A new Federal Trojan variant; does Symantec detect this variant?

 

Symantec's response would be welcome!