
New Win32/AutoRun in Australia

Mike_J (@anonymouse.org):
I've been testing 8 of the so-called top tier antivirus products - Avira, Avast, AVG, F-Secure, Kaspersky, McAfee, NOD32 and Symantec - for my employer, with a view to possibly changing providers when our license runs out at the end of the month - 3 workstations in each of 8 modules, quarantined from the rest of the network.
This afternoon 7 of those products let me down, and 21 PCs were electronically raped by a new Win32/AutoRun variant, "MQ". The only module that survived the hit was the one running NOD32 V3.0. Our main network was protected by our current NOD32 V2.7. I ran a sample through virustotal.com and NOD32 was the only one out of 33 scanners that detected it.
We won't be changing providers - NOD32 will get the renewal again but we'll stay with V2.7 for now because V3.0 has no workstation update mirroring, and that's a pain in the arse in our environment - and I like V2.7 better anyway.

Cudni La Merma:
How did you manage to find the new Win32/AutoRun variant that no other AV was able to detect?
Cudni

bcastner (reply to Mike_J):
ESET added detections for Win32/AutoRun.MO, Win32/AutoRun.MP (3), Win32/AutoRun.MQ (3), to its definitions yesterday, May 9, 2008.
It has been in the databases of PcTools, Kaspersky, TrendMicro and Symantec since January 2008. Here is the latest sandbox analysis I could see. It is a Sohanad variant, and should be easily seen if actually installed on a computer due to this entry it makes:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] Shell = "Explorer.exe scvhosts.exe"
»www.threatexpert.com/report.aspx···333b27dd
I would be very cautious about making any antivirus selection based on the results of testing an online file level scanner such as VirusTotal. There is a limit to what they can do -- essentially they cannot do much more than signature detection. There are exceptions. ThreatExpert, Sunbelt, and a few others will do a sandbox analysis, and this helps to get a better idea of how the AV of interest to you might react in actual use. Most of these infections look relatively benign from a signature basis, but are easily recognized when installed from heuristics.
I caution too, that while ESET is an excellent product, it does miss things too.
But the sad fact is that for new variants of old stuff, and true "0-day" stuff, the detection rates revealed by a site such as VirusTotal, at least right away, are going to be slow and discouraging. Several of the larger AV companies are reporting that the number of new definitions added to their databases increased the total definitions database by 50% during the period End of December, 2007 and April 1, 2008; that the number of new old threats and new new threats represented during this same three month period nearly doubled the entire database of known threats identified at year end 2007. ( VirusBursters, »www.xpatloop.com/news/rapidly_gr···malwares ; similar reports by the major AV companies can be easily searched online).
Too, the entire issue of Autorun infections is one that has not received the attention it deserves. Certainly in a managed setting such as yours, you should be aggressively using Group Policy to deal with USB pen drives; start making plans now for moving towards NAP; and have your HR department amend whatever Acceptable Use Policy is in place to place suitable restrictions on USB devices. It is to me self evident that one's AV cannot be expected to have sole responsibility for Autorun capable devices in the workplace. I really wish it were that simple, as the security issues surrounding Autorun devices are growing rapidly to be a huge one.
-- MS-MVP 2004-2008, ASAP Member, Users Helping Users
Oleg (reply to Mike_J):
NOD32 is the best!

redwolfe_98 (reply to Mike_J):
I think ESET/NOD32 has been improving in recent years; at least, that is the impression that I have, which is good. IMO, they needed to improve in adding new malware definitions to the malware databases.

tempnexus (reply to Mike_J):
said by Mike_J:
I've been testing 8 of the so called top tier antivirus products - Avira, Avast, AVG, F-Secure, Kaspersky, McAfee, NOD32 and Symantec - for my employer, with a view to possibly changing providers when our license runs out at the end of the month - 3 workstations in each of 8 modules, quarantined from the rest of the network.
This afternoon 7 of those products let me down, and 21 PCs were electronically raped by a new Win32/AutoRun variant, "MQ". The only module that survived the hit was the one running NOD32 V3.0. Our main network was protected by our current NOD32 V2.7. I ran a sample through virustotal.com and NOD32 was the only one out of 33 scanners that detected it.
We won't be changing providers - NOD32 will get the renewal again but we'll stay with V2.7 for now because V3.0 has no workstation update mirroring, and that's a pain in the arse in our environment - and I like V2.7 better anyway.

Kudos for NOD. HOWEVER, I must herald bcastner's advice. Just because it got one strain this time doesn't mean it will catch it next time. I had NOD32 fail me miserably many, many times whereupon others acted on it. All things being equal, the top 4 AVs detect and miss at virtually the same rate. You have to choose one AV at the gateway and supplement your deployable systems with another AV; that way you've got a two-layered defense.

frenzee (@cogentco.com, reply to bcastner):
If that MQ trojan has been in the databases of PcTools, Kaspersky, TrendMicro and Symantec since January 2008, how come Kaspersky and Symantec missed it on the OP's computers AND on VirusTotal in May 2008? Where's the logic in that?

norwegian:
We still haven't heard back from the OP, re file names, locations, exact detection.
Nod has only just detected it, as they only just added detection for it.
There needs to be more proof than some anon's rantings.
Crikey, I could do this and mention Kaspersky and a third of the forum would believe me, a third would want solid proof and the other third would call me a fanboy.
-- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke

bcastner (reply to frenzee):
You might ask VirusTotal.
All the AVs that "missed" it, would have heuristically picked up a Sohanad-style Autorun infection, and removed it. I am certain of it.
It is a very traditional Autorun Worm, using Autorun.ini (an AutoIt script), sometimes an Autorun.inf file, and hooking Winlogon in blatantly obvious fashion, and its behavioral characteristics -- notably the registry changes it would make -- would make a heuristic identification rather easy.
I do not know what file was submitted. Likely it was the obvious "dropper". For a site like VirusTotal the only identification therefore would be definition-based; it could well be that these other AV companies have not added a specific definition entry for the dropper submitted. No matter. The dropper's role is temporary. Several of the files it creates are generic to Sohanad. Heuristically the consequences of what the dropper sets up to run the actual autorunning infection would be seen fairly easily by all the AV software that appeared to "miss" the dropper file submitted.
Let's make a specific case for this.
The dropper creates and/or downloads these files:
%Windir%\hinhem.scr
%Windir%\scvhosts.exe
%System%\blastclnnn.exe
%System%\scvhosts.exe
%System%\autorun.ini
%Windir%\Tasks\At1.job
%Windir%\Tasks\At2.job
Let's divide that group:
Generic AutoIt/Sohanad Worm infectors:
%Windir%\hinhem.scr
%Windir%\scvhosts.exe
%System%\blastclnnn.exe
Sohanad Variant "MQ" specific. These files are always used by this family of worm, but the details are always slightly different:
%System%\autorun.ini
%Windir%\Tasks\At1.job
%Windir%\Tasks\At2.job
These last three files are harmless in themselves. The first contains an Autoit script, used to rebuild the infection. It is specific to the file location, and the name of the dropper file. The last two are normal Windows Scheduled Tasks entries, that run the Autoit script on some set schedule. It is specific to the file locations and the unique dropper name used. All three files are generic to an Autoit/Sohanad family infection.
quote:
Worm.IM.Sohanad spreads via Yahoo Messenger and infects Windows. It sends a message to all Yahoo Messenger contacts of an infected user. The message contains a link enticing users to download the worm. The worm also disables certain Windows functionalities and hijacks the Internet Explorer homepage. It also downloads other malware and it will also attempt to propagate via the means of creating copies of itself onto removable devices such as USB flash and hard drives.
• If you submitted the randomly named dropper to VirusTotal, the detection rate would be low, at least initially.
• If you submitted one of the files in the first group, the detection as an Autoit Worm/Sohanad type, would likely be high. If you wanted the "MQ" you would be very disappointed.
• If you submitted one of the last group of files, the detection rate would likely be 0%, as the files contain nothing but text.
But a Sohanad type AutoRun would, once the dropper began its job, be detected by nearly every AV scanner in the VirusTotal listing if you had that AV installed on your computer. What makes this family so tricky is the use of Scheduled Tasks, the memory resident "svchosts.exe" hooked to Winlogon, and its aggressive use of Network Shares and USB external devices to spread. Between the Scheduled Tasks rebuilding of the infection, and the memory resident hook to Winlogon, the worm checks as often as every thirty seconds to make sure all of its parts are where they should be. If any part is missing, it is rebuilt immediately by the Worm. It spreads very rapidly through all Network Shares it can find. And spreads beyond the site by folks with infected laptops that subsequently share USB pen drives with others. A campus setting such as a University can have this Worm achieve deep penetration through LAN connections, and the extensive use of laptops and USB pen drives, in a very short period of time. The problem is not removing it once. The problem is that in the normal course of several days, students will likely be re-exposed to this same worm multiple times.
This is a "toolkit" worm, requiring no special skills to take the package of standard pieces, use a different packer on the svchosts.exe, change a few filenames, and edit the AutoIt script to reflect any changes.
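The persistence and file artifacts bcastner describes (the extra entry in the Winlogon Shell value, the svchost lookalike name, the family-generic file names and the AutoIt script in %System%) lend themselves to a simple host triage check. The following is an added example written for this page, not code from the thread or from any AV vendor: the Shell value and file listing are constructed sample data, LEGIT_NAMES is an illustrative list, and the 0.8 similarity threshold is a heuristic choice.

```python
# Added triage example (not from the thread): checks a host for the Sohanad-style
# persistence described above. Sample data below is constructed, not captured.
import ntpath
import re
from difflib import SequenceMatcher

SAMPLE_SHELL = "Explorer.exe scvhosts.exe"  # Winlogon Shell value quoted in the thread
SAMPLE_FILES = [  # constructed listing of %Windir% / %System% / Tasks
    r"C:\Windows\System32\svchost.exe",     # genuine service host
    r"C:\Windows\System32\scvhosts.exe",    # lookalike dropped by the worm
    r"C:\Windows\hinhem.scr",
    r"C:\Windows\System32\autorun.ini",     # AutoIt script that rebuilds the infection
    r"C:\Windows\Tasks\At1.job",            # scheduled task; the name alone is not suspicious
    r"C:\Windows\System32\notepad.exe",
]
# Assumption: short illustrative list of names worms imitate; extend for real use.
LEGIT_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SOHANAD_GENERIC = {"hinhem.scr", "scvhosts.exe", "blastclnnn.exe"}  # per the thread

def shell_extras(shell_value):
    """Entries in the Winlogon Shell value other than Explorer.exe (a clean host has none)."""
    parts = [p for p in re.split(r"[,\s]+", shell_value.strip()) if p]
    return [p for p in parts if p.lower() != "explorer.exe"]

def lookalike_names(paths, threshold=0.8):
    """Executables whose names nearly match a legitimate system binary name
    (scvhosts.exe vs svchost.exe) without actually being that name."""
    hits = []
    for path in paths:
        name = ntpath.basename(path).lower()
        if name in LEGIT_NAMES or not name.endswith((".exe", ".scr")):
            continue
        for legit in LEGIT_NAMES:
            if SequenceMatcher(None, name, legit).ratio() >= threshold:
                hits.append((path, legit))
                break
    return hits

def sohanad_artifacts(paths):
    """Family-generic file names, plus an AutoIt 'autorun.ini' sitting in System32."""
    hits = []
    for path in paths:
        name = ntpath.basename(path).lower()
        parent = ntpath.basename(ntpath.dirname(path)).lower()
        if name in SOHANAD_GENERIC or (name == "autorun.ini" and parent == "system32"):
            hits.append(path)
    return hits

def triage(shell_value=SAMPLE_SHELL, paths=SAMPLE_FILES):
    """One report combining the three checks; any non-empty list warrants a closer look."""
    return {"shell_extras": shell_extras(shell_value),
            "lookalikes": lookalike_names(paths),
            "artifacts": sohanad_artifacts(paths)}
```

On a live host you would feed triage() the actual Shell value and a directory listing of %Windir%, %System% and %Windir%\Tasks; the At*.job files are only meaningful once you inspect what they run, which this check does not do.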
Mike_J (reply to tempnexus):
I'm not just 1 person. I have 160+ computers to protect - 140 of them operated by scatterbrains who click on everything in sight.
I often see forum posts saying NOD32 missed this that and the other, but we've been using NOD32 for nearly 3 years, and in that time it has blocked everything that came our way, with no misses. That, plus the fact that NOD32 just blocked something none of the other 7 products on test detected, makes me wonder where those posters surf to get all those misses.
I know nothing catches everything, but NOD32 has proved itself to me as better at catching most things than anything else available.

mysec (reply to Mike_J):
said by Mike_J: This afternoon 7 of those products let me down, and 21 PCs were electronically raped by a new Win32/AutoRun variant, "MQ".
AutoRun, of course, is just one type of Remote Code Execution exploit, as are .ani, .wmf, iframe, embedded OLE objects, where code runs commands automatically with no user interaction.
Remote Code Execution exploits that download an executable as in your case are the easiest, of course, to prevent.
Why? Because a Software Restriction Policy in place, or some type of execution prevention program would deny the installation/running of any executable not already on the computer.
Until CEOs get tough enough to enforce such a policy, situations as yours will continue to occur.
I've spoken recently with two System Administrators whose organizations enforce such a policy, and I've quoted before from the Los Angeles Police Department which has execution protection in place:
"We currently have a policy that prohibits unauthorized installation of non-Department sanctioned/owned software on any Department computer," said Mr. Riley. This of course would prevent any droppers from installing. Company personnel can use USB drives for legitimate company business, open Office Documents, etc, knowing that their system is protected from these types of exploits.
Mike_J (reply to norwegian):
said by norwegian: We still haven't heard back from the OP, re file names, locations, exact detection.
The file is "smcc.exe", 470,022 bytes. Exact identification from NOD32 is "Win32/Autorun.MQ".
Kaspersky missed it on my test PCs, and Kaspersky missed it on Virus Total an hour or so later. I know that's hard for Kaspersky fans to accept, but it's a fact they're just going to have to learn to live with.
said by norwegian: Nod has only just detected it, as they only just added detection for it.
I don't care if NOD32 added detection for it 2 minutes ago or 2 years ago - the fact is NOD32 was the ONLY product of the 8 on test that detected it.
said by norwegian: There needs to be more proof than some anon's rantings.
Because I choose to use an anonymizer, I'm "ranting"?
You need to get out into the fresh air more often mate.
said by norwegian: Crikey, I could do this and mention Kaspersky and a third of the forum would believe me, a third would want solid proof and the other third would call me a fanboy.
I've seen you around. Do you think your habit of trying to defend Kaspersky against the indefensible might be why a third of the forum calls you a fanboy?

Mike_J (reply to mysec):
There's no point testing security software in a tightly controlled environment. My test modules were isolated from the main network and connected independently to the Internet, and the computers were deliberately exposed to everything that might come their way.

mysec:
I understand, but in the real world, I submit that you can't depend on AV for 100% protection against this type of exploit, whereas the other solutions I mentioned will.
norwegian (reply to Mike_J):
said by Mike_J:
The file is "smcc.exe". 470,022 bytes. Exact identification from NOD32 is "Win32/Autorun.MQ".
Kaspersky missed it on my test PCs, and Kaspersky missed it on Virus Total an hour or so later. I know that's hard for Kaspersky fans to accept, but it's a fact they're just going to have to learn to live with.
Okay, so at least now we know some information. It would have been better if you had continued in your first post with details. If Kaspersky missed it, then it did; I'm not trying to defend a missed target, but I wonder what exact PDM alerts you did get when you became infected?
said by Mike_J:
I don't care if NOD32 added detection for it 2 minutes ago or 2 years ago - the fact is NOD32 was the ONLY product of the 8 on test that detected it.
Yes, I am concerned about this too, but after reading bcastner's description and your .exe, I did some digging. This link can explain some of bcastner's comments on network shares, yet it seems a legit exe in a Microsoft directory; maybe it has been altered, or it isn't in the correct place, so check the following to make sure it isn't a false positive.
Location: c:\program files\common files\microsoft shared\msinfo\smcc.exe
MD5 hash: 81535AABA75E7DDEA6B62AE08B8C79CE
said by norwegian: There needs to be more proof than some anon's rantings.
said by Mike_J: Because I choose to use an anonymizer, I'm "ranting"? You need to get out into the fresh air more often mate.
This was not targeted at you at all; it was taken out of context. I was referring to an anon user who posted nothing substantial; that isn't personal mate. Also, most of yesterday at the soccer field covered my sunshine.
said by norwegian: Crikey, I could do this and mention Kaspersky and a third of the forum would believe me, a third would want solid proof and the other third would call me a fanboy.
said by Mike_J: I've seen you around. Do you think your habit of trying to defend Kaspersky against the indefensible might be why a third of the forum calls you a fanboy?
You are defending NOD, is that classified as fanboy, seems to be how you categorise me? I can't see anywhere here I've defended Kaspersky on this topic, get your facts straight. I know nothing is perfect, even testing beta, the question is raised "do you have a test case", I've seen nothing substantial to any of this post yet of yours. Again, no offence, just looking at your facts provided.
Now hopefully that has cleared up some, and now we await more info in hope that everyone else doesn't catch the worm on the internet, if the A/Vs don't detect it as you say.

tempnexus (reply to Mike_J):
I recently had NOD32 mis-ID my USB software as a trojan. It caused panic at one company and scrubbing of all systems, just to show up later after further analysis as a false positive even though it was fully ID'd by NOD32.

norwegian:
Which is why there needs to be more info provided; it just may be a FP.

frenzee (@cogentco.com, reply to Mike_J):
smcc.exe has been targeted by malware several times over the last few years.

bcastner (reply to Mike_J):
smcc.exe is a file I have never seen as an OS file. There is a valid file for the Citrus SDK by that name as part of the SDK.
But not at this location: c:\program files\common files\microsoft shared\msinfo\smcc.exe
I seriously doubt that this was a false positive.

tempnexus (reply to Mike_J):
Mike_J, can you e-mail me the code if you have it to: ViralTestAccount AT Gmail.com