Kramer
Premium,Mod
join:2000-08-03
Richmond, VA
kudos:2

1 recommendation

Interesting Fun This Morning

I happened to be moving mail from one account into a GMail account, and GMail refused to move a few messages it said contained a virus. I decided to investigate a little. I was able to download the zip file and decompressed it in a folder. Not once did my Windows Defender on WIN8 complain. I investigated a little more and ran the ZIP through the VIRSCAN.ORG multi-vendor test. The results were interesting. While most big brand vendors did detect it, only 47% ended up doing so. I then updated my Defender definitions, which for some reason were out of date, and then touched the various files. I moved the infected ZIP to my desktop and Defender didn't even notice. I then touched the uncompressed files and Defender did detect and remove the EXE that was contained in the ZIP that I had decompressed. I checked Defender's settings and it was set to scan archive files. Something must be wrong with that feature because it clearly misses the infected file within an archive. It is now sitting in my recycle bin and has yet to complain.

I was a bit surprised that Defender/Security Essentials was almost worthless with this payload, but check out the big names that detected nothing...
AntiVir - Nothing
Comodo - Nothing
NOD32 - Nothing
Sophos - Nothing
Sunbelt - Nothing
Trend Micro - Nothing (really disappointed here)

Even though Virscan.org says Kaspersky detects it, the Kaspersky online scan did not.

Kudos to Google for intercepting this malware.

Obviously with any given infection various products are going to be hit or miss at various times... but FWIW ... just reporting my mileage.

MrFixit1

join:1999-11-26
Madison, WI

Also interesting is the fact that your Virscan report says that Microsoft detected it?
Does Virscan test it as a ZIP, or does it unzip it first?
If they test it as a ZIP, I wonder what Microsoft scanner they used?



norwegian
Premium
join:2005-02-15
Outback
reply to Kramer


There is a seriously big load of zipped infected files getting around in emails at present, and there has been for nearly 6 to 10 months.

Banks, airlines, online shops etc and the files are changing quite regularly.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



Kramer
Premium,Mod
join:2000-08-03
Richmond, VA
kudos:2
reply to MrFixit1

The latest definitions do detect it unzipped. I can tell you on my machine the latest definitions do not detect it in an archive. Good question on how they deal with the zip. If they unzip it first, it doesn't tell you much how well the various products do with the compressed files. The way the scan looks, it looks like it is decompressed with each scan. That doesn't say much.



Kramer
Premium,Mod
join:2000-08-03
Richmond, VA
kudos:2
reply to norwegian

said by norwegian:

There is a seriously big load of zipped infected files getting around in emails at present, and there has been for nearly 6 to 10 months.

Banks, airlines, online shops etc and the files are changing quite regularly.

Yep, seen a lot of them. This was supposedly an ADP payroll report.


norwegian
Premium
join:2005-02-15
Outback
reply to Kramer

said by Kramer:

Even though Virscan.org says Kaspersky detects it, the Kaspersky online scan did not.

That was interesting - I know earlier versions of the online web scanner were not as reliable at running the engine code effectively; they had issues there with it. It seems that bug hasn't gone away, a couple of years later.

Thanks for pointing that out.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



Kramer
Premium,Mod
join:2000-08-03
Richmond, VA
kudos:2

I am referring to the single file scan. You upload the file to them and they scan it.



therube

join:2004-11-11
Randallstown, MD
reply to Kramer

quote:
If they unzip it first, it doesn't tell you much how well the various products do with the compressed files.
The only way to test a compressed file is to unzip (uncompress) it.

You can scan a "ZIP" as a ZIP (a blob of data) but that isn't really going to tell you much because a ZIP cannot execute.

Now once the contents of the ZIP are extracted, either by you doing it manually, or the A/V extracting it into (presumably) a sandbox, then it can successfully scan the files therein for malware.

And it could also be that your A/V is set to ignore "ZIP" files altogether, & would only interact when they are unzipped.


norwegian
Premium
join:2005-02-15
Outback
reply to Kramer


Understood, slight misinterpretation, but I had the feeling at the time that any site web scan was not a big thing; they were preferring tools and downloadable engines rather than a web-based product. So while my reply was not quite correct, it was still in reference to the whole web interface.

I could go on, but it would become personal interpretation rather than what I learnt at the time; it still seems it hasn't changed, if the results were not good.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2
reply to Kramer

I have disabled Defender ever since the Vista Beta. I find it quite useless.
You don't use an AV?

Wow, Trend Micro usually says everything is a virus...

So you already opened this mail previously?



Kramer
Premium,Mod
join:2000-08-03
Richmond, VA
kudos:2

Defender in Vista and Defender in WIN8 are two completely different products. Mail has not been opened by me until testing. Google detected it, but I was able to get at it using another method.


redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable

2 edits
reply to Cartel

said by Cartel:

You don't use an AV?

sindows7, with "windows 8", "windows defender" is MS's "security essentials"-rebranded, so it is an antivirus program..

incidentally, "windows defender", not the one in "windows 8", which is MS's "security essentials"-rebranded, does not have the same detections as MS's "security essentials"..

in the past, i found several malicious files that were not flagged by "windows defender" but, when i submitted them to MS, MS said that they already had detection for the files, so i concluded that the files were flagged by MS's "security essentials" while they were not flagged by MS's "windows defender"..

i don't see why "windows defender" couldn't have the same detections that MS's "security essentials" has, but, unfortunately, that is not the way that MS does things..


Kramer
Premium,Mod
join:2000-08-03
Richmond, VA
kudos:2
reply to therube

said by therube:

quote:
If they unzip it first, it doesn't tell you much how well the various products do with the compressed files.
The only way to test a compressed file is to unzip (uncompress) it.

You can scan a "ZIP" as a ZIP (a blob of data) but that isn't really going to tell you much because a ZIP cannot execute.

Now once the contents of the ZIP are extracted, either by you doing it manually, or the A/V extracting it into (presumably) a sandbox, then it can successfully scan the files therein for malware.

And it could also be that your A/V is set to ignore "ZIP" files altogether, & would only interact when they are unzipped.

Uh: 47% of the products used were able to detect the malware just fine. This is a definition issue, not anything having to do with the archive. I already stated Defender was set to scan archived files. It isn't going to ignore zips... at least if it is working properly.


HA Nut
Premium
join:2004-05-13
USA
reply to Kramer

My opinion...

We would need to know how MS scans archives. I doubt they do it in real time. Many AV products do but IMO, it's wasted CPU cycles to do so.

IMO, it's probably scanned on file open (real time), file close (real time) or during a scheduled/manual scan (NOT the real time engine.) This method provides decent protection and keeps the PC's CPU time better managed.



therube

join:2004-11-11
Randallstown, MD
reply to Kramer

> This is a definition issue

One way to be sure would be to ZIP up the files using password protection (IOW the scanner could not unzip the files) & resubmit them & see what comes of it.



Kramer
Premium,Mod
join:2000-08-03
Richmond, VA
kudos:2
reply to HA Nut

said by HA Nut:

My opinion...

We would need to know how MS scans archives. I doubt they do it in real time. Many AV products do but IMO, it's wasted CPU cycles to do so.

IMO, it's probably scanned on file open (real time), file close (real time) or during a scheduled/manual scan (NOT the real time engine.) This method provides decent protection and keeps the PC's CPU time better managed.

Fair enough, and easy enough to prove one way or another. You are absolutely right. If I scan the file it does get detected. I really should have thought of that. If you just touch an archive, it would be unreasonable to expect the AV software to spend the time and effort to examine the contents, which I assume would involve a heavy amount of CPU activity. Imagine what would become of a computer's speed were one to copy a folder of 1000 zips from one place to another if the AV software had to examine each one of those archives. Thanks for the explanation.

redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable
reply to Kramer

Kramer, i wish you would upload the unzipped/decompressed EXE-file to "virustotal", and post a link to the scan-results..

and..submit the file to "avira"-if it is not flagged by the avira program, at "virustotal":

»analysis.avira.com/en/submit


psloss
Premium
join:2002-02-24
Lebanon, KS
reply to norwegian

said by norwegian:

There is a seriously big load of zipped infected files getting around in emails at present, and there has been for nearly 6 to 10 months.

Banks, airlines, online shops etc and the files are changing quite regularly.

Longer than that, but high-frequency for that period. (There are blogs that provide play-by-play, but they're full of 'don't click on this' links.)

said by redwolfe_98:

Kramer, i wish you would upload the unzipped/decompressed EXE-file to "virustotal", and post a link to the scan-results..

One of the hashes of the EXE is probably sufficient. One can search for that on VirusTotal.


Kramer
Premium,Mod
join:2000-08-03
Richmond, VA
kudos:2

1 edit
reply to redwolfe_98

This is the extracted EXE
»www.virustotal.com/en/file/95467···nalysis/

The ZIP which someone else had analyzed
»www.virustotal.com/en/file/514e3···nalysis/

3 fewer detections for the ZIP.

Don't see Avira as a listed product, but I uploaded it to them and they identified the ZIP as being malware. I just couldn't bring myself to hit the word "Open" on the EXE for the upload.

I don't know why my scan early this morning got such a poor hit rate.

Edit: This looks like a pretty new virus. That would explain the changing detection rate. Virustotal first saw it a couple of days ago. That's when the email arrived in this person's account. Google didn't detect it until this morning when I was uploading some mail into the account.
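Two points raised in the thread, that a scanner cannot see inside a password-protected archive (therube's post) and that a hash of the extracted EXE is enough to look it up on VirusTotal without sharing the file (psloss's post), can both be checked on an attachment without extracting it to disk or opening anything. The script below is an added example, not code from this thread; the sample ZIP, its member names and the mark_encrypted helper (which only flips the encryption flag bit on the constructed sample, no real encryption) are assumptions for demonstration.

```python
import hashlib
import io
import zipfile

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_sample_zip() -> bytes:
    """Constructed sample, not the thread's attachment: a benign text file plus a
    member whose name and 'MZ' magic look like a PE file (zero padding, not code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ADP_Payroll_Report.txt", "Constructed sample, benign text.\n")
        zf.writestr("ADP_Payroll_Report.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()

def mark_encrypted(zip_bytes: bytes, member: str) -> bytes:
    """Test-only helper (assumption): set the 'encrypted' general-purpose flag bit on
    one member's local and central-directory headers so it reads as password protected."""
    buf = bytearray(zip_bytes)
    name = member.encode()
    # (signature, flag offset, name-length offset, name offset) for each header type
    for sig, flag_off, nlen_off, name_off in ((b"PK\x03\x04", 6, 26, 30),
                                               (b"PK\x01\x02", 8, 28, 46)):
        pos = buf.find(sig)
        while pos != -1:
            nlen = int.from_bytes(buf[pos + nlen_off:pos + nlen_off + 2], "little")
            if buf[pos + name_off:pos + name_off + nlen] == name:
                buf[pos + flag_off] |= 0x01
            pos = buf.find(sig, pos + 4)
    return bytes(buf)

def triage_zip(zip_bytes: bytes) -> dict:
    """Inspect an archive in memory. Reports the archive hash (what a scanner that
    treats the ZIP as a blob sees) and, per member, the hash to look up, whether it
    looks like a PE executable, and whether it is password protected (unreadable)."""
    report = {"archive_sha256": sha256_hex(zip_bytes), "members": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            entry = {"name": info.filename, "sha256": None, "looks_like_pe": False,
                     "encrypted": bool(info.flag_bits & 0x01)}
            if not entry["encrypted"]:
                data = zf.read(info)  # read into memory only, never written or executed
                entry["sha256"] = sha256_hex(data)
                entry["looks_like_pe"] = data[:2] == b"MZ" or info.filename.lower().endswith(".exe")
            report["members"].append(entry)
    return report

def needs_attention(report: dict) -> list:
    """Members to scan by hand: executables, and anything a scanner cannot open."""
    return [m["name"] for m in report["members"] if m["looks_like_pe"] or m["encrypted"]]
```

The archive and member hashes differ, which is why the ZIP and the extracted EXE show different detection counts when looked up separately.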


psloss
Premium
join:2002-02-24
Lebanon, KS

said by Kramer:

Edit: This looks like a pretty new virus. That would explain the changing detection rate. Virustotal first saw it a couple of days ago.

It was a new build a couple of days ago, but it is part of a frequent, repeating pattern.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Kramer

said by Kramer:

Edit: This looks like a pretty new virus. That would explain the changing detection rate. Virustotal first saw it a couple of days ago. That's when the email arrived in this person's account. Google didn't detect it until this morning when I was uploading some mail into the account.

Yep. It is very new (this particular version of it). Windows Defender covered it in the CURRENT definitions 1.145.109.0 as an updated definition.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson