
Vundo

I uploaded a suspicious file to Virustotal.com. The last analysis showed 0/37. A reanalysis resulted in a 7/37 detection, and 7/7 consistently detected it as some variation of Vundo.


My Tracking #

#10142928


Here's the ThreatExpert Report. I omitted the VT report to focus attention on the much more detailed ThreatExpert report. Very interesting.

http://www.threatexpert.com/report.aspx?md5=61db59639681afda3feddd0308dfff20


Look at the ThreatExpert Report: at the bottom, ThreatExpert heuristically detected that the executed file attempted to use BITS to download a file from childhe (dot com).

The SafeWeb analysis is here:

http://safeweb.norton.com/report/show?url=childhe.com

Now, this also relates to another thread about just how deep Norton scans; surprisingly, it did not catch the fact that the file is a downloader. It downloads Vundo, according to ThreatExpert, and the SafeWeb report proves the site is infected with Vundo.


So ... I am currently downloading AntiBot and installing it. I will then execute the suspicious file again, and allow AntiBot a couple hours.

Why AntiBot? Because Bloodhound obviously failed; so I am going to use full-fledged SONAR to see if it can detect the risk; NAV/NIS only include the most "battle-tested" components of AntiBot, according to a moderator. 

Message Edited by Tech0utsider on 12-19-2008 10:07 PM
=\
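Since the ThreatExpert report above shows the sample using BITS (a legitimate Windows transfer service) to fetch its payload, here is an added example, not part of the original post, of a PowerShell check a defender can run on a host to list BITS jobs that pull from hosts outside an allowlist. The allowlist patterns are assumptions for illustration.

```powershell
# Added example (not from the thread): flag BITS transfer jobs whose remote URL
# points at a host outside an allowlist. Malware that abuses BITS for its
# download shows up in the same job queue as legitimate update traffic.
Import-Module BitsTransfer

# Hypothetical allowlist; adjust to the hosts your environment actually uses.
$AllowedHosts = @('*.windowsupdate.com', '*.microsoft.com')

function Test-AllowedHost {
    param([string]$HostName)
    foreach ($pattern in $AllowedHosts) {
        if ($HostName -like $pattern) { return $true }
    }
    return $false
}

function Get-SuspiciousBitsJob {
    # -AllUsers needs an elevated prompt to see other accounts' jobs
    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job = $_
        foreach ($file in $job.FileList) {
            $uri = $null
            # Skip entries that are not absolute URLs (nothing to judge)
            if (-not [Uri]::TryCreate($file.RemoteName, [UriKind]::Absolute, [ref]$uri)) { continue }
            if (-not (Test-AllowedHost $uri.Host)) {
                [pscustomobject]@{
                    JobId       = $job.JobId
                    DisplayName = $job.DisplayName
                    Owner       = $job.OwnerAccount
                    State       = $job.JobState
                    RemoteUrl   = $file.RemoteName
                    LocalPath   = $file.LocalName
                }
            }
        }
    }
}

Get-SuspiciousBitsJob | Format-Table -AutoSize
```

Completed jobs leave the queue, so for jobs that already finished check the Microsoft-Windows-Bits-Client/Operational event log (event IDs 59 and 60 record job start and stop with the URL).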


Re: Vundo

Reporting back on my progress:

Just finished transferring the malicious files to my VPC. Installed AB. I am using Vista on this particular VPC. I opted to keep Windows Defender on.

Argh, Vista's archive explorer does not recognize .rar files. Downloading IZArc ... from a trusted mirror of course.

Now, I am debating whether or not to leave the computer connected to the internet or not after executing the file. I decide to; I want to give AB a fighting chance ... 

Using AB 1.1.851; latest update as of Dec.19, 10:39 PM ...

Extracted file. AB did not budge.

Ran file as Administrator. AB immediately warned of a threat. Yay!

I quarantined it. AB automatically submitted it to Symantec! 

This is almost definite proof that the file is a threat. Time for SSR to add this to their defs ASAP. 

Message Edited by Tech0utsider on 12-19-2008 10:46 PM
=\

Re: Vundo

Thanks Tech, did you also test it with SONAR on aggressive?
"All that we are is the result of what we have thought"

Re: Vundo

I tested it using AB on my VPC, which does not have NAV installed ...

Can you flag this thread for review by the SSR? 

Message Edited by Tech0utsider on 12-20-2008 01:14 AM
=\

Re: Vundo

Will do.
"All that we are is the result of what we have thought"

Re: Vundo

Hey Tech,

You're a discoverer....You should change your name to Johnnie Walker..

Well done..

TrDo.


Re: Vundo


Stu wrote:
Thanks Tech, did you also test it with SONAR on aggressive?

I just did. I installed NAV09 on Windows 7, "Advanced Heuristic Protection" set on aggressive ...

I executed the file and Auto-Protect blocked a Suspicious.MH690.



Now, why is NAV able to block the threat, while AB had to disinfect the threat; it required a reboot ...

Additionally, I noticed that AB even removed the malicious file itself, not just what the malicious file created. NAV, on the other hand, does not.


I turned the heuristics to both "Auto" and "Off", and Auto-Protect consistently blocked the threat. Now, I am going to disable everything except for Advanced Protection.


Can't disable Auto-Protect w/o disabling Advanced Protection. Can some1 check my tracking #?
Message Edited by Tech0utsider on 12-20-2008 10:48 AM
=\

Re: Vundo

It's very easy to do what Tech does. Just go and download some cracks and keygens. I know tons of sites to download infections from. Anybody can do what he is doing if you look hard enough. 99% of PC users do not go out looking for infections and purposely downloading malware. Have you ever stopped and wondered how and why Tech went from NIS to NAV to NAV GE and now he also has AB. That's a lot of money spent. Or is it?
Real Time Protection = NIS 2009 + NAT / Behavior Analysis = Threatfire / On Demand = MBAM

Re: Vundo


Dieselman743 wrote:
It's very easy to do what Tech does. Just go and download some cracks and keygens. I know tons of sites to download infections from. Anybody can do what he is doing if you look hard enough. 99% of PC users do not go out looking for infections and purposely downloading malware. Have you ever stopped and wondered how and why Tech went from NIS to NAV to NAV GE and now he also has AB. That's a lot of money spent. Or is it?

He is just doing some tests with some malware. Of course we all can do it. Curious though is the fact that NIS itself did not catch it and NAB did.

"All that we are is the result of what we have thought"

Re: Vundo

If you want real proof on how NIS 2009 does visit Matt over at Remove-Malware.com.

http://remove-malware.com/

http://www.youtube.com/watch?v=7NEk54tO-hg

Real Time Protection = NIS 2009 + NAT / Behavior Analysis = Threatfire / On Demand = MBAM

Re: Vundo


Stu wrote:

Dieselman743 wrote:
It's very easy to do what Tech does. Just go and download some cracks and keygens. I know tons of sites to download infections from. Anybody can do what he is doing if you look hard enough. 99% of PC users do not go out looking for infections and purposely downloading malware. Have you ever stopped and wondered how and why Tech went from NIS to NAV to NAV GE and now he also has AB. That's a lot of money spent. Or is it?

He is just doing some tests with some malware. Of course we all can do it. Curious though is the fact that NIS itself did not catch it and NAB did.


Um, I believe that you are very confused. 

Both caught it. AB had to disinfect the threat. NIS/NAV stopped it in its tracks. 

=\

Re: Vundo


Dieselman743 wrote:
It's very easy to do what Tech does. Just go and download some cracks and keygens. I know tons of sites to download infections from. Anybody can do what he is doing if you look hard enough. 99% of PC users do not go out looking for infections and purposely downloading malware. Have you ever stopped and wondered how and why Tech went from NIS to NAV to NAV GE and now he also has AB. That's a lot of money spent. Or is it?

There are 15 and 30 day trial versions. No big deal. 

And I only scavenge for malware to see how NIS/NAV/AB holds up; see if it's in line with all the independent tests. 

=\

Re: Vundo

And just another thing that further verifies that the file is infected with Vundo. On my Vista VPC, after AB nabbed the threat and rebooted, I received an AntiVirus 360 advertisement when I started Internet Explorer...

From http://www.symantec.com/security_response/writeup.jsp?docid=2004-112111-3912-99&tabid=2
Trojan.Vundo consists of the following components:

  • HTML code that exploits the Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability (BID 11515)
  • A downloader component
  • Adware
  • A DLL module that is installed by the adware


AntiVirus 360 is definitely adware. When I clicked "yes" to the advertisement, it downloaded a mere downloading shell. Then, it installed itself. And oh, I was infected through IE. That fits 3/4 right there, in my informal testing.

Most surprising is that AB has not nabbed it. It's been several hours and several reboot cycles. 

Message Edited by Tech0utsider on 12-20-2008 07:42 PM
=\

Re: Vundo

Well you have been a member on here for a while now so you're way past your 15-30 days. So did you purchase NIS, NAV, NAV GE and AB? You sure spent tons of money. Or did you? Mmmmmmmmm I wonder.
Message Edited by Dieselman743 on 12-20-2008 04:45 PM
Real Time Protection = NIS 2009 + NAT / Behavior Analysis = Threatfire / On Demand = MBAM

Re: Vundo

I also used N360 for quite a while =). See my frequent posts in the N360 section.

Message Edited by Tech0utsider on 12-20-2008 07:55 PM
=\

Re: Vundo

And what about back in Sept when you posted something at Wilders. Was that a 15 day trial also? You're way past your trials. I am sure you know what I am getting at Tech.
Real Time Protection = NIS 2009 + NAT / Behavior Analysis = Threatfire / On Demand = MBAM

Re: Vundo


Dieselman743 wrote:
And what about back in Sept when you posted something at Wilders. Was that a 15 day trial also? You're way past your trials. I am sure you know what I am getting at Tech.

That was based on the betas.

=\

Re: Vundo

It was out of beta by then.
Real Time Protection = NIS 2009 + NAT / Behavior Analysis = Threatfire / On Demand = MBAM

Re: Vundo

However, that was before I permanently switched ... N360 ==> NIS/NAV/NAV GE
=\

Re: Vundo

So you have installed N360,NIS,NAV,NAV GE and AB. Which one did you buy?
Real Time Protection = NIS 2009 + NAT / Behavior Analysis = Threatfire / On Demand = MBAM

Re: Vundo

NAV and N360.
=\

Re: Vundo

But you're currently running what? NAV and another trial, such as AntiBot? What happened to your trial of NAV GE? You change your mind like a girl changes clothes. Hard to believe the results you are getting when you keep changing your setup.
Real Time Protection = NIS 2009 + NAT / Behavior Analysis = Threatfire / On Demand = MBAM

Re: Vundo

And you also bought System Cleaner I see. Man you love spending money. Guess your pockets are full.
Real Time Protection = NIS 2009 + NAT / Behavior Analysis = Threatfire / On Demand = MBAM

Re: Vundo

I was running NAV on my my Windows 7 VPC. I am running NAV on my physical PC. I was running AB on my Vista VPC.


The results are irrelevant to which product I use. NAV and NIS and NAV Gaming Edition can be used interchangeably. And I haven't used NIS for any test so far. Only NAV and NAV GE. And AB

And what is System Cleaner? I have no such program.


And I am not bashing Norton; just constructive criticism, some general, some more specific. I bought it, and it's nice, however not perfect. There's always room for improvement.
Message Edited by Tech0utsider on 12-20-2008 09:57 PM
=\

Re: Vundo

You're too much Tech........................beating around the bush I see. System Cleaner is on your Vista screen shot with AntiBot. You don't even know the software that is installed on your PC. How can anybody trust your finds now.
Message Edited by Dieselman743 on 12-20-2008 06:57 PM
Message Edited by Dieselman743 on 12-20-2008 06:58 PM
Message Edited by Dieselman743 on 12-20-2008 06:59 PM
Real Time Protection = NIS 2009 + NAT / Behavior Analysis = Threatfire / On Demand = MBAM

Re: Vundo

That is a rogue program. It is actually called something along the lines of systemcleanerproxpvista and that was the Vundo infected file.

As you can see in both my screenies that thing was sticking out like a sore thumb. Google it and there is no such thing as "systemcleanerproxpvista". Go to the system cleaner site and the file is called systemcleanersetup....

And the icons are different. And why purchase optimization software for my VPC? 



Anything else you need to debate about?
Message Edited by Tech0utsider on 12-20-2008 10:12 PM
=\

Re: Vundo

System Cleaner is a legit program. It is not a rogue program at all.
Real Time Protection = NIS 2009 + NAT / Behavior Analysis = Threatfire / On Demand = MBAM

Re: Vundo

I found a backup of the Vundo infected trojan, disguised as SystemCleaner. 

http://uploading(dot com)/files/P02NJACV/SystemCleanerProXPVistaTrial.exe.html

Message Edited by Tech0utsider on 12-20-2008 10:39 PM
=\

Re: Vundo

So when it's the holidays Symantec staff slack off? I hear that the staff have Dec. 22 off.

I posted this a couple days ago. Is anyone going to bother looking at it? It's the 21st.

=\

Re: Vundo

Hi Tech0utsider,

Absolutely, thank you for alerting about this Vundo threat. I've contacted the malware submission team to check it out. Thanks again for all your help!

Tony Weiss | Norton Forums Global Community Manager | Symantec Corporation

Re: Vundo


Tony_Weiss wrote:

Hi Tech0utsider,

Absolutely, thank you for alerting about this Vundo threat. I've contacted the malware submission team to check it out. Thanks again for all your help!


Thanks a lot man. I just got an e-mail this morning that said no malicious content was found ... 

How exactly does SSR's automated analysis work? If it had even bothered to execute the executable, it should have found its actions to be suspicious, at the very least ...

=\

Re: Vundo

Please drop this attitude -- it has nothing to do with helping people.
Hugh

Re: Vundo


huwyngr wrote:
Please drop this attitude -- it has nothing to do with helping people.

What?

=\

Re: Vundo

My message was not addressed to you.
Hugh

Re: Vundo

Can you answer my question?
=\

Re: Vundo

I did.
Hugh

Re: Vundo


Tech0utsider wrote:

...Thanks a lot man. I just got an e-mail this morning that said no malicious content was found ......

How exactly does SSR's automated analysis work? If it had even bothered to execute the executable, it should have found its actions to be suspicious, at the very least ...


=\

Re: Vundo

The program submitted with #10142928 appears to be a hacked version of a legitimate program, which may be why the automated system did not detect any malware infection. However, after further analysis by the team, two files were found to be Trojan.Vundo, and detections have already been added to the definition set last night.
Tony Weiss | Norton Forums Global Community Manager | Symantec Corporation

This thread is closed from further comment. Please visit the forum to start a new thread.