AV industry doing pathetic job detecting .JS email attachments (Locky / Camelot / Dridex)...


Got a spam today at $dayjob.  That's a feat in and of itself, given that
I'm blocking over 80% of IPv4 IP space at the server.  But this one came
with something that I haven't seen in a while - a malware attachment (a
zipped .js file).

Here's a scan of that file:

https://www.virustotal.com/en/file/30a3bd32848adfa5f5b67f1a19705947adabcb4d1a1d4f4f8e47575c81785895/analysis/1456855137/

Detected by 2 out of 56 programs.  Pathetic.

Who got it right?

   Cyren        JS/Locky.D!Camelot  
   F-Secure     Trojan-Downloader:JS/Dridex.W

Cyren?

As in "Cyren out loud" ?  Never heard of them.

Wepawet is a piece of shit - it found nothing.  Anubis (from the same
group) is still f*cked up (can't get any analysis results).

Malwr.com has got it right:

https://malwr.com/analysis/OTZhYTRhODVjY2E1NDlhMDg4MTgzOGEzYjUwNTM3NDc/

Here's where the payload is being obtained:  

   demo.rublemag.ru/system/logs/87yhb54cdfy.exe

demo.rublemag.ru = 178.63.61.195 (as I write this)

Here's who owns that IP:

address:        Hetzner Online GmbH
address:        Industriestrasse 25
address:        D-91710 Gunzenhausen
address:        Germany
phone:          +49 9831 505-0
fax-no:         +49 9831 505-3
abuse-mailbox:  abuse@hetzner.de

These other IP's are somehow also involved (maybe backup?):

31.184.197.119
188.138.88.184
5.34.183.195
185.14.29.188

Here's the VT scan of the above-mentioned .exe file:

https://www.virustotal.com/en/file/8c781b10d0cc5f4734df9aca584ab996570560bff0cb7c9c5c152eddda35197c/analysis/1456879415/

Detection rate 5 / 56 (again - pathetic given this thing has been
circulating for over 6 hours).

Kaspersky      UDS:DangerousObject.Multi.Generic
McAfee-GW      BehavesLike.Win32.PWSZbot.fm
Qihoo-360      HEUR/QVM20.1.Malware.Gen
Rising         PE:Malware.Generic/QRS!1.9E2D [F]
Symantec       Suspicious.Cloud.2

This is ransom-ware, btw.  Something I'm sure won't run properly on my
win-98 system...
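The attachment in the post above is a zipped .js downloader, the kind of file that Windows Script Host will run with a double-click regardless of what the AV scanners say about it. The mail-gateway check below is an added example, not something from the original post or from any of the products named in it: it parses a message, opens any zip attachment in memory, and flags script-like members (including double extensions such as `invoice.pdf.js`). The sample message and the extension list are constructed for the demonstration; a real gateway would tune the list to its own policy.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Extensions that Windows Script Host or the shell executes directly.
# Constructed policy list for this example; extend to taste.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                     ".hta", ".exe", ".scr", ".bat", ".cmd"}


def script_like(name):
    """True if the file name ends in an executable/script extension."""
    lower = name.lower()
    return any(lower.endswith(ext) for ext in SCRIPT_EXTENSIONS)


def inspect_zip(blob):
    """Return the names of script-like members inside a zip blob.

    The archive is opened from memory only; nothing is extracted to disk.
    """
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if script_like(info.filename):
                    findings.append(info.filename)
    except zipfile.BadZipFile:
        # A corrupt or deliberately malformed archive is itself worth flagging.
        findings.append("<unreadable zip>")
    return findings


def inspect_message(raw):
    """Parse raw RFC 5322 bytes and return (attachment, reason) pairs to block."""
    msg = email.message_from_bytes(raw)
    flagged = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:
            continue  # body text, not an attachment
        payload = part.get_payload(decode=True) or b""
        if script_like(filename):
            flagged.append((filename, "script attachment"))
        # Check by extension and by magic bytes, so a renamed zip is still opened.
        elif filename.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            for member in inspect_zip(payload):
                flagged.append((f"{filename}:{member}", "script inside archive"))
    return flagged


def build_sample():
    """Construct a harmless test message shaped like the spam in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder content, not malware; only the name matters here.
        zf.writestr("invoice_2016.pdf.js", "// constructed placeholder\n")
        zf.writestr("readme.txt", "hello\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in inspect_message(build_sample()):
        print(f"BLOCK {name}: {reason}")
```

The check deliberately ignores the scanners' verdicts and decides on structure alone: a zip whose members can be executed by double-click is blocked (or quarantined) whether or not any signature matches, which is the only defence that does not depend on the 2-out-of-56 detection rate the post complains about.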

Re: AV industry doing pathetic job detecting .JS email attachments (Locky / Camelot / Dridex)

On Wednesday, March 2, 2016 at 8:54:54 AM UTC+8, Virus Guy wrote:

Perhaps your Windows 98 system is not detecting this since it's old, and the programs written for it are not updated?  Anyway, if you don't click on an infected attachment, you'll be fine, so no harm, no foul.  

RL

Re: AV industry doing pathetic job detecting .JS email attachments (Locky / Camelot / Dridex)

RayLopez99 wrote:

I see that you don't really understand what was being conveyed in my
post.

I don't run any AV software on my win-98 PC's.  Haven't for 8 or so
years.  AV software is useless.  Browser exploits just bounce off my
system and die.  Email attachments just sit there and I handle them with
ease.  

The AV results I posted were from Virus Total.  I don't have to run AV
software on my machine to know how poor a job the entire industry does
with these current samples.  Have you never heard of Virustotal.com?  
Have you no idea that you can submit suspicious files to a website that
can check the file against 50+ different AV software programs?


Sometimes I click on them, just to watch them crash or give some sort of
error as they try to perform some heap-spray, buffer over-run or
privilege escalation that has zero effect on win-98.

Enjoy your NT-based version of Windoze.  NT - Where the vulnerabilities
go in before the name goes on.

Re: AV industry doing pathetic job detecting .JS email attachments (Locky / Camelot / Dridex)

RayLopez99 wrote:

And you missed one of my other points.

By running win-9x/me, I continue to "enjoy" the benefits of using a
WIN32-API-based OS, with essentially the same desktop and file-system
user experience as win-NT based systems. I can run many of the same
secondary programs that make computers useful (office productivity,
multimedia creation and experience, internet connectivity / web browsing
/ media experience) etc.

But because 9x/me is a fundamentally different animal "under the hood"
at the kernel level, it does not come with the baggage of the dozens or
hundreds of vulnerabilities of remote code execution and remote control
that have been discovered (and most times patched, sometimes not) in
the increasing complexity and bloat in the code of the NT line of
Windoze.

Sometimes there is "security in simplicity", and that is exactly the
strength of 9x/me.  It is not or was not "security because of obscurity"
- because even during the years 2000 through 2005 (when 9x/me systems
were in heavy use) it was Win-2k and XP that were hacked in many
different ways.  

There were no IE-based (or web-based) vulnerabilities that I know of
that could cause code execution and payload downloading on 9x/me
systems, and certainly none of the 6 or so worm families that existed
roughly between 2000 through 2006 were ever shown to work against
9x/me.  9x/me was really only vulnerable to email attachments executed
by the user, but otherwise couldn't really be tripped up and exploited
by the tricks used against NT-based systems.


And many people don't know that their XP, vista, 7 or 8 systems are
hacked and participating in botnet operations, sending spam, performing
ddos, keylogging, etc.  


which I am not.

I am not influenced by peer pressure or marketing.  Back in 2002 - 2004
I needed to be convinced that XP was a better OS than win-98.  I needed
to be shown the advantages of XP and that those advantages outweighed
the disadvantages of learning the differences in various settings and
functions on XP vs 98.

As XP-sp0 and SP-1 were found to be incredibly vulnerable to a new
universe of emerging exploits, it was clear that Macro$haft rushed to
release XP into consumer hands as a way to circumvent software sharing
(as file-sharing was emerging and causing alarm in the music world).  
9x/me did not have remote activation and de-activation, so copies
could be freely distributed (along with product keys) and freely
installed.

I stuck with 98, built new systems with better / faster hardware and
found that 98 runs very well with 512 mb ram.  I now have 2 gb (using a
memory patch that allows full use of that) and with NUSB can use all
sorts of thumb drives, and using SATA drives up to 2tb is easy.


Since I've found that no malware has ever made its way onto my win-98
systems, I've stopped using AV products many years ago.  What I have is
a WIN32 platform that is almost indistinguishable from XP from a
user/desktop/productivity point of view that has none of the
vulnerabilities that the NT-based line has.


I don't run 98 because NT-based versions of windows are insecure.  The
fact that 98 has shown itself to me to be secure (or, practically
invulnerable to web-based exploits) is a nice side-benefit.  I run 98
because *if it's not broke, don't fix it*.  I'm not fooled (like most
people are) by the emperor's new clothes.  In this case, tailored by
Micro$haft.

Re: AV industry doing pathetic job detecting .JS email attachments (Locky / Camelot / Dridex)

FromTheRafters wrote:
  

Viruses (or exploits of one sort or another) don't have the capacity to
care.

What they do have is the capacity to leverage vulnerabilities in remote
systems.


There can be no risk if there are no vulnerabilities.

Re: AV industry doing pathetic job detecting .JS email attachments (Locky / Camelot / Dridex)

Virus Guy laid this down on his screen :

True enough.


Viruses don't need vulnerabilities beyond the inherent ones in GP  
computers.


... and there can be no "no vulnerabilities" in GP computers.

Re: AV industry doing pathetic job detecting .JS email attachments (Locky / Camelot / Dridex)

FromTheRafters wrote:
  

What kind of circular statement is that?

Another way to say what you just said is:

"Viruses don't need vulnerabilities beyond the ones that exist"


If there's any operable web-facing vulnerability on my system, given the
various installed software components including the OS, I've yet to
discover or experience it.

BTW, none of the tests on this site do anything on my system:

http://www.wicar.org/test-malware.html

I have Java Plug-in 1.6.0_07, Firefox 2.0.0.20, IE 6.0.2800.1106.

On FF, my flash version is 10.3.183.86.

On IE6, my flash version is 11.8.800.175.

On Opera 12.02, my flash version is 11.7.700.257.

Re: AV industry doing pathetic job detecting .JS email attachments (Locky / Camelot / Dridex)

Virus Guy wrote:

The one that exists is the fact that GP computers let users run new (to  
that system) code. If you close that ingress vector, you no longer have  
a GP computer. That's what I meant by "inherent".

