Avast Doesn't Block XP Defender malware (ave.exe)



My main computer got a drive-by infection of AVE.EXE earlier today.  The first
thing I heard about it was Windows warning me that the firewall had been
turned off.  Then I got a "scan" from "XP Defender".  The offender is ave.exe.
 I rolled back the registry and eliminated it, but I'm rather pissed that
the latest Avast did not see it at all.  Avast has normally been very good
about checking out programs (exe, dll, etc) and blocking them if suspicious,
but this one sailed right through.  It launched as an app and it showed up as
ave.exe in the task manager.  How'd it get in?  

Also, if anybody has a clue as to where I could have gotten it.  I had visited
some rather innocuous websites, didn't click on any downloads, didn't install
any updates to anything.  Windows did not warn me about any exe downloads,
either.  

I'm stymied.


Re: Avast Doesn't Block XP Defender malware (ave.exe)

David Kaye wrote:

Booby-trapped web pages are growing at an alarming rate with
unsuspecting firms acting as nurseries for botnet farmers, according to
a new study.

Security watchers at Sophos are discovering 6,000 new infected webpages
every day, the equivalent of one every 14 seconds. Four in five (83 per
cent) of these webpages actually belong to innocent companies and
individuals, unaware that their sites have been hacked. Websites of all
types, from those of antique dealers to ice cream manufacturers and
wedding photographers, have hosted malware on behalf of virus writers,
Sophos reports.


The study sheds fresh light on the well-understood problem of
drive-by-downloads from compromised sites, a tactic that's come to
eclipse virus-infected email as a means of spreading malware.
Cybercrooks target users by spamvertising emails containing links to
poisoned webpages, exposing unsuspecting victims to malware. At least
one in ten web pages are booby-trapped with malware, according to a
separate study by Google published last May.

Often these malware packages are designed to put compromised zombie PCs
under the control of hackers.

Around half a million computers are infected by bots every day according
to data compiled by PandaLabs, the research arm of anti-virus firm Panda
Software. Approximately 11 percent of computers worldwide have become a
part of criminal botnets, which are responsible for 85 percent of all
spam sent, it said.

http://www.theregister.co.uk/2008/01/23/booby_trapped_web_botnet_menace/

--
Dave - I tried to tell you this before! ;)

Re: Avast Doesn't Block XP Defender malware (ave.exe)


Were you running as administrator at the time of the "attack"?

It is possible, while browsing to a legitimate site, to get redirected
to a site that launches several browser exploits aimed at executing a
rogue application on your machine. When such a site is able to cause a
download, the downloadable file may be changed programmatically
(server-side) to avoid detection by your antimalware component. Similar
to the way a virus can be self-polymorphic, a downloaded program file
can take many forms.



Re: Avast Doesn't Block XP Defender malware (ave.exe)



Running XP Pro with a default user with admin privileges.  


Using OpenDNS as the DNS.  Using Windows Firewall and Avast.  I checked
filedates in various directories and didn't see much other than ave.exe and
its entries in the registry.  It was actually fairly simple to get rid of,
having dealt with it before on customer machines.  


What's eating me is that the program launched with a window that was clearly
detectable in Task Manager as ave.exe, and yet while Avast was running it
simply didn't see the program.  

After rolling back the registry 5 days manually (booting up with BART-PE) I
then ran XP in regular mode and scanned with MalwareBytes.  MB immediately saw
it.  (I'm using the freebie MB, so it does no realtime scanning).  Avast
still didn't see it even after I ran the drive scan option.  And I have the
latest Avast update.




Re: Avast Doesn't Block XP Defender malware (ave.exe)

"David Kaye" wrote:


That's not very secure.


They won't stop the exploit of a software vulnerability.


Once malware gets in it often changes date stamps to match one of the
system files.


Since you appear to do this for a living you ought to know about
securing your machine.


So did you kill it from task manager?


You can't rely on AV apps to protect a machine - they are a last ditch
resort. None of them can detect everything because malware is re-
packaged every day to avoid detection. The AV vendors are always
trying to catch up.

You didn't say which browser was involved. Is it up-to-date? What
plugins and other applications are used as helpers to view embedded
content, and are they securely configured and up-to-date? Think about
Java (not JavaScript), PDF and Flash viewers, ActiveX components and
other media players. Do you allow them to run automatically?



Re: Avast Doesn't Block XP Defender malware (ave.exe)



Regardless, I set up this computer to behave as much like my customers'
computers behave.  In this way I can spot issues quickly.  And it's been years
since this particular machine has had any kind of infection at all.  


Seldom, though.  One of the easiest ways I've found to find the process
causing an infection is to use a tool like PrcView to look within processes
such as svchost, explorer, winlogon, etc and see the date stamps on the DLLs
called.  Makes it super-simple to spot them.  


See my comments above.  


Actually, no.  Because I immediately knew what it was, I shut down the
computer, booted from BART PE and manually copied back snapshots of the
registry.  


This is where heuristic scanning comes in and why MBam can catch nearly
everything.  I had the impression, reading from Avast's documentation and
various postings from people that Avast also had similar heuristic scanning.  
Apparently not.  


Again, this particular computer is set up to imitate real world scenarios as
are present in my customers' computers.  Prior to the infection I had visited
several websites from Google links.  I did not click on anything within those
web pages.  I don't recall if there was a pdf among the stuff I looked at or
not.  My machine is set up to warn about ActiveX, but not Java, Flash, or
pdfs.  However, downloading of exe and dll files should be triggering
*something* to warn me.  

As someone suggested, perhaps something else is being renamed as an exe.

I did notice one thing that may be a clue.  I couldn't run exe files any
longer until I entered the exe extension in the filetypes section to replace
what had been there.  This was after the registry rollback, so I'm not sure
where the exe reference was being pulled from.  It should have reverted just
like all other registry entries.  

So, indeed it could well be that ave.exe is really something non-exe that got
renamed and thus wasn't detected by Windows as being bogus.  I have not saved
the ave.exe file to look at it.  Perhaps I should have, but I had to use this
particular computer and just wanted to get rid of the malware.


Re: Avast Doesn't Block XP Defender malware (ave.exe)


[...]


[...]

From my reading, Avast! only uses its heuristics for its e-mail
scanner.



Re: Avast Doesn't Block XP Defender malware (ave.exe)

"David Kaye" wrote:


So that would be insecure and typically lacking the latest (or any)
third party software updates or patches for bug fixes. They might be a
little better protected with Vista or Win7 if they haven't disabled
the nags.


You still haven't stated which browser, and you don't need to click to
be infected. In the last few days there have been updates for IE6 & 7,
Firefox, Quicktime & iTunes and Foxit PDF reader. All of them correct
exploitable vulnerabilities. Take a look at http://isc.sans.org/

To convince yourself to not allow PDF files to display automatically
see the article "PDF Arbitrary Code Execution - vulnerable by design"
at isc.sans.org. Foxit have corrected it but Adobe Acrobat is probably
still vulnerable. In fact malicious PDFs, which are frequently used,
often don't display at all but just run code.

If you want some warning it's best to have the appropriate OS
security policies and logging in place. Firewalls are usually only
concerned with network connections, not what you allow to run.

The only way you can find out what causes a problem like this is to do
an immediate investigation of all the recent HTTP (and perhaps other
protocol) requests and examine any cached pages, scripts, Java .jar
and .class files, etc when it happens so you can track down the bad
site and what exploit was used.


An executable named temp.tmp, for example, is easily run without being
renamed by using the right API magic.


That depends how you backup/restore the registry. File associations
are stored in HKLM\software\Classes which is in the software hive in
[win]\system32\config. Then there's the individual hives (ntuser.dat)
in each user profile directory. It may be that the exe association can be
overridden from those.

Once malware is running with administrator rights it can do anything
it wants, including elevating itself to have NT authority\system
privilege. Thus it has full access to protected areas of the registry,
the hard disk and the ability to load drivers.


More important is to find the vulnerable software component that
allowed it to run.
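Ant's point about where the .exe association lives (HKLM\Software\Classes versus the per-user Classes key that can override it) and David's observation that .exe files would not run after the rollback are the same thing seen from two sides. The check below is an added example, not code from anyone in this thread: it parses a registry export in .reg format, resolves the .exe handler the way Windows composes HKCR (the per-user HKCU\Software\Classes key shadows the machine-wide HKLM one), and reports anything other than the stock "%1" %* open command. Both exports are constructed for the example; the ave.exe path in the hijacked one is illustrative and was not captured from the infected machine.

```python
import re

# What a stock Windows system maps .exe to: ProgID "exefile" whose
# shell\open\command is exactly "%1" %* (run the file itself, pass args).
EXPECTED_PROGID = "exefile"
EXPECTED_COMMAND = '"%1" %*'

# Constructed .reg exports for the example; not from the machine in the thread.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@="exefile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Same machine plus a per-user override of the shape rogue-AV droppers use:
# HKCU\Software\Classes\.exe points at a new ProgID whose open command runs
# the dropper first. The path is illustrative (assumption, not captured data).
HIJACKED_REG = CLEAN_REG + r'''
[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\ave.exe\" /START \"%1\" %*"
'''

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Return {key_path_lowercase: {value_name: data}} for a .reg export.
    The default value is stored under the empty name; non-string data
    (dword:, hex:) is kept as its raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys

def _lookup(keys, paths, name=""):
    # First path that defines the value wins: HKCR is composed with
    # HKCU\Software\Classes layered over HKLM\Software\Classes.
    for p in paths:
        vals = keys.get(p.lower())
        if vals is not None and name in vals:
            return vals[name], p
    return None, None

def resolve_exe_command(keys):
    """Return (progid, command, source_key) for what '.exe' resolves to."""
    progid, _ = _lookup(keys, [
        r"HKEY_CURRENT_USER\Software\Classes\.exe",
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe",
        r"HKEY_CLASSES_ROOT\.exe",
    ])
    if progid is None:
        return None, None, None
    sub = r"\shell\open\command"
    cmd, src = _lookup(keys, [
        r"HKEY_CURRENT_USER\Software\Classes\%s%s" % (progid, sub),
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\%s%s" % (progid, sub),
        r"HKEY_CLASSES_ROOT\%s%s" % (progid, sub),
    ])
    return progid, cmd, src

def check_exe_association(reg_text):
    """List of findings; an empty list means the .exe association looks stock."""
    keys = parse_reg(reg_text)
    findings = []
    if r"hkey_current_user\software\classes\.exe" in keys:
        findings.append("per-user .exe key exists under HKCU\\Software\\Classes "
                        "(shadows HKLM, so it survives an HKLM-only rollback)")
    progid, cmd, src = resolve_exe_command(keys)
    if progid is None:
        findings.append("no .exe extension key at all")
        return findings
    if progid.lower() != EXPECTED_PROGID:
        findings.append(".exe maps to ProgID %r, expected %r" % (progid, EXPECTED_PROGID))
    if cmd is None:
        findings.append("ProgID %r has no shell\\open\\command" % progid)
    elif cmd != EXPECTED_COMMAND:
        findings.append("open command at %s is %r, expected %r" % (src, cmd, EXPECTED_COMMAND))
    return findings

if __name__ == "__main__":
    for label, reg in (("clean", CLEAN_REG), ("hijacked", HIJACKED_REG)):
        print(label, check_exe_association(reg) or ["OK"])
```

Run it against `reg export HKCU\Software\Classes` and `reg export HKLM\SOFTWARE\Classes` output from the suspect machine (or against hives mounted from a BartPE boot). A rollback that only restores the SOFTWARE hive leaves the ntuser.dat override in place, which is exactly the symptom of .exe files refusing to run until the association is re-entered by hand.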



Re: Avast Doesn't Block XP Defender malware (ave.exe)



What I'm getting at is that I use the best of off the shelf freebie programs
my customers would tend to download.  As for updates, typically when I first
see them they have default Windows services turned on, so that they are up to
date on Windows updates, but also have remote registry and other nasties
turned on.  By the time I reach them they're badly infected and have installed
4 or 5 anti-malware programs hoping to fix what they've done.  I spend much of
my time uninstalling stuff, returning the computer to as close to pristine as
possible, and then install anti-malware tools.  



I'm using IE8 Version 8.0.6001.18702.  



Yeah, Adobe has been remarkably lame in fixing their software.  They have
exploits going back years I'm told.  



I know you mean well, but believe me, I already know about this stuff.  I
wasn't saying anything about a firewall protecting me against this problem.  
What I SAID was that the warning that the firewall was turned off was the
first information I received that an exploit was running.  



I noted the file date/time and have looked back on this.  The exploit appears
to have come from foxnews, officedepot, or officemax -- the time stamps are
within a few seconds of each other and show up right before the time stamp
that was written to the temp directory in my documents and settings tree.


Yes.  Also, since I was able to get this infection I suspect that I'll be
getting frantic calls this coming week from others.  I'm getting tempted to
set people up as limited users, even though that creates headaches in itself
(such as the inability to run QuickBooks properly, which I mentioned before).
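Ant's advice is to go straight to the recent HTTP requests and cached objects, and David did the manual version of that by lining up file timestamps. The script below is an added example, not from anyone in the thread, of the same correlation done mechanically: given the modification time of the dropped file and an access log, it keeps the requests in the window just before the drop, lists the hosts in the order they were first contacted (which shows a legitimate site, an ad server and a redirect target as a chain), and ranks entries by the things that usually mark the exploit stage: a bare IP address as host, a redirect, or a content type such as PDF, Flash, JAR or an executable download. The log lines, format and hosts are constructed for the example (a simplified one-line-per-request format, not IE's index.dat), and 203.0.113.7 is a documentation address, not a real malware server.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Content types that carry the exploit or the payload in a typical drive-by.
RISKY_TYPES = {
    "application/pdf",
    "application/x-shockwave-flash",
    "application/java-archive",
    "application/x-java-applet",
    "application/x-msdownload",
    "application/octet-stream",
}

# Constructed access log, "timestamp status content-type url" per line.
# Hosts are placeholders; 203.0.113.7 is a documentation address.
ACCESS_LOG = """\
2010-04-04T15:57:40 200 text/html http://www.news.example/story/1234
2010-04-04T15:57:41 200 text/css http://www.news.example/static/site.css
2010-04-04T15:57:42 200 text/html http://ads.example.net/serve?zone=top
2010-04-04T15:57:43 302 text/html http://ads.example.net/click?id=77
2010-04-04T15:57:44 200 text/javascript http://203.0.113.7/in.cgi?3
2010-04-04T15:57:46 200 application/pdf http://203.0.113.7/load/readme.pdf
2010-04-04T15:57:49 200 application/octet-stream http://203.0.113.7/load/setup.php
2010-04-04T16:03:10 200 text/html http://www.shop.example/
"""

# Modification time of the dropped file (constructed to match the log above).
DROPPED_FILE_MTIME = datetime(2010, 4, 4, 15, 57, 52)

_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_log(text):
    """Parse the constructed log format into a list of request dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, status, ctype, url = line.split(None, 3)
        entries.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "status": int(status),
            "ctype": ctype.lower(),
            "url": url,
            "host": urlsplit(url).hostname or "",
        })
    return entries

def requests_before(entries, mtime, window_seconds=120):
    """Requests made in the window_seconds leading up to mtime, oldest first."""
    start = mtime - timedelta(seconds=window_seconds)
    hits = [e for e in entries if start <= e["ts"] <= mtime]
    return sorted(hits, key=lambda e: e["ts"])

def host_sequence(entries):
    """Hosts in the order they were first contacted: the redirect chain."""
    seen, order = set(), []
    for e in entries:
        if e["host"] not in seen:
            seen.add(e["host"])
            order.append(e["host"])
    return order

def suspicion(entry):
    """Crude score: exploit/payload content type, raw-IP host, redirect."""
    score = 0
    if entry["ctype"] in RISKY_TYPES:
        score += 2
    if _IPV4_RE.match(entry["host"]):
        score += 2
    if 300 <= entry["status"] < 400:
        score += 1
    return score

def rank_suspects(entries, mtime, window_seconds=120):
    """Window entries annotated with a score, most suspicious first."""
    window = requests_before(entries, mtime, window_seconds)
    for e in window:
        e["score"] = suspicion(e)
    return sorted(window, key=lambda e: (-e["score"], e["ts"]))

if __name__ == "__main__":
    ranked = rank_suspects(parse_log(ACCESS_LOG), DROPPED_FILE_MTIME)
    print("chain:", " -> ".join(host_sequence(ranked and requests_before(parse_log(ACCESS_LOG), DROPPED_FILE_MTIME))))
    for e in ranked:
        print(e["score"], e["ts"].time(), e["status"], e["ctype"], e["url"])
```

The scoring is deliberately simple; the point is the ordering. Whatever scores highest in the seconds before the drop is what to pull out of the browser cache and look at, which is where you find out whether it was a PDF, a JAR or a Flash file that did the work.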


Re: Avast Doesn't Block XP Defender malware (ave.exe)

On 04/04/2010 04:01 PM, David Kaye wrote:

See this:
http://www.broadbandreports.com/forum/r22225362-foxnewscom-infected~time=1240194878



Re: Avast Doesn't Block XP Defender malware (ave.exe)

Mumia W. wrote:
http://www.broadbandreports.com/forum/r22225362-foxnewscom-infected~time=1240194878
The last post in that thread was most telling! Viz:

"Please note people - you may think you removed it, but really did not.
Malwarebytes and others do not detect Rootkits. You should run
ROOTKITREVEALER. I thought I had cleaned this, and I had really not.
There was a deep and nasty rootkit involved here. Only way to remove was
to boot off a Windows CD, and delete hidden drivers. I would be willing
to bet that half the people think they clean this stuff and its not
really clean."

--
Dave

Re: Avast Doesn't Block XP Defender malware (ave.exe)



That's not entirely accurate. Malwarebytes does detect some rootkits. As
do the other programs. Some newer rootkits will prevent rootkitrevealer
and/or gmer from even loading.


Not very deep or nasty if you only had to delete files. Yes, I'm sure it
was a pain because you couldn't do it while in windows, but it's still
not what I would call deep.
 



--
"Hrrngh! Someday I'm going to hurl this...er...roll this...hrrngh.. nudge
this boulder right down a cliff." - Goblin Warrior


Re: Avast Doesn't Block XP Defender malware (ave.exe)

Dustin Cook wrote:
Your comments read and noted, Dustin.

--
Dave

Re: Avast Doesn't Block XP Defender malware (ave.exe)

gufus wrote:

many thanks for that update
as if anyone cares what you do


yes you are

Re: Avast Doesn't Block XP Defender malware (ave.exe)



Thank you very much!  Fox News.  If those rightwingers spent as much money on
fixing their web servers as they do hiring Sarah Palin to show up at their
rallies, there'd be a lot less malware out there.  


Re: Avast Doesn't Block XP Defender malware (ave.exe)

David Kaye wrote:


Thank you for fixing your clock.

--
   -bts
   -Four wheels carry the body; two wheels move the soul

Re: Avast Doesn't Block XP Defender malware (ave.exe)




| Thank you very much!  Fox News.  If those rightwingers spent as much money on
| fixing their web servers as they do hiring Sarah Palin to show up at their
| rallies, there'd be a lot less malware out there.


They most likely came to a faux conclusion.
"...I now categorize foxnews.com as infested..."

Either of two possibilities, but not "infected".

A malvertisement in a flash file, or the site was hacked and there is redirection
happening.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Avast Doesn't Block XP Defender malware (ave.exe)


Thank you, I was hoping someone would point that out. The idea that one
would have to click on an ad to get infested is erroneous. If someone
(not running as admin) gets one of those "your computer is infested and
we can help you" messages, you can maximize the window using task
manager and see the actual IP address of the malware server in the
address bar. (hint - it won't be foxnews).



Re: Avast Doesn't Block XP Defender malware (ave.exe)

"David Kaye" wrote:


What about non-MS updates?


That should be reasonably safe, hence the importance of checking 3rd
party (non-MS) plugins and helper apps.


I appreciate you have some clue and that's why I'm interested in how
you got infected. If all your software was fully updated this drive-by
infection should not have happened. If it was a new vulnerability, AKA
a zero-day exploit, then I'm particularly interested in knowing what
it was.

When executable code runs via an exploit like a buffer overflow and
code injection there's no guarantee that an otherwise securely
configured OS can spot it. DEP (data execution prevention) can help
prevent this kind of attack if available for the machine.


As I said, you need to examine the cached files to have any hope of
finding the exploit. Of course, you will need to have an understanding
of file formats and know what to look for.


You see, my probing has caused you to give more information which then
prompted someone else to reply with a link to a forum about the Faux
News site infection. Although that discussion is a year old, the
problem of legitimate sites serving up malware through adverts or
hacked servers is still a real one. It appears those exploits were via
buggy ActiveX controls which have all now been patched.


You should at least disallow the automatic running of PDFs, look at
tightening browser security settings, and perhaps change the browser
to Firefox or Opera if they are not using IE 8. XP's default settings
are no longer sufficient.



Re: Avast Doesn't Block XP Defender malware (ave.exe)

Ant wrote:

Lots of interesting technical things, which I know little about but
enjoy reading.

Thanks, Ant! :)

--
Dave

