Crap AV detection results

I've just finished cleaning up a customer PC that was riddled with malware,
including the much-publicised Downadup/Conficker worm. To confirm the
latter, I 'harvested' the autorun.inf file it deposited on a test USB
memory stick and submitted it to virustotal.com. VirusTotal reported it had
first seen my suspect file on 4-Jan-2009 and that 26/40 identified it as
malicious. I requested re-analysis to see the current status.

VirusTotal now reports 25/39 hits. Which means that after nearly three
months of it being known to the anti-malware community, more than 33% of
anti-malware packages *still* don't recognise it, including several
'household' names e.g. McAfee, AntiVir, Avast!, PCTools, PrevX. Even
Microsoft's product detected it!

The participating vendors have access to the sample files submitted to
VirusTotal and would surely have received it through other sources as well.

So why aren't we seeing close to 39/39 hits? Are their specialists *that*
overloaded? Incompetent?

If they can't even detect this malware, what trust can we have in
anti-malware products?

And where does that leave anti-malware benchmarking? Scoring close to 100%
in a benchmark but missing the bleedin' obvious in live use doesn't
reassure me at all.

Re: Crap AV detection results

On 03/28/2009 12:30 PM, Frazer Jolly Goodfellow sent:

This could have been either Conficker.A or Conficker.B, given the stated
date.


Going back *over* 4 weeks ago, it was /then/ my understanding that the
Conficker.A, Conficker.B and Conficker.B++ worms existed in their
_basic_ form.  Also I had read, at *that* time, that >300 variations of
those basic three existed.  ...and now we have their mama, Conficker.C,
and many weeks for all of these to flourish, with more variants
coming from the minds of the bad folks.

I believe this problem is like none we've seen before.

Would you please post a reply with the reported identity(s) of the worm
you found?

Do you believe that most of the big named antimalware producers have
received samples of /most/ all of the strains?

If you believe you've successfully purged your customer's system, what
tool(s) did you employ to eradicate the Conficker worm?   If you still
have a copy of the virustotal URL report, that would even be better.

I'm sure that many of us share in your obvious frustration.

Pete
--
1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Re: Crap AV detection results

On Sat, 28 Mar 2009 14:57:30 -0700, 1PW wrote:


Pete here are the before and after reports from VirusTotal:

File has already been analysed:
MD5: 7d9542ef7c46ed5e80c23153dd5319f2
First received: 01.04.2009 23:55:36 (CET)
Date: 03.27.2009 10:53:21 (CET) [+1D]
Results: 26/40
Permalink: analisis/0b687a1372ad6cc095f0dad3dd26198c


File autorun.inf received on 03.28.2009 15:58:19 (CET)
Current status:     finished  
Result: 25/39 (64.11%)
Antivirus    Version    Last Update    Result
a-squared    4.0.0.101    2009.03.28    Net-Worm.Win32.Kido!IK
AhnLab-V3    5.0.0.2    2009.03.28    Win32/Conficker.worm
AntiVir    7.9.0.129    2009.03.27    -
Antiy-AVL    2.0.3.1    2009.03.28    -
Authentium    5.1.2.4    2009.03.27    JS/AutoRun
Avast    4.8.1335.0    2009.03.27    -
AVG    8.5.0.285    2009.03.28    Worm/Generic_c.ZS
BitDefender    7.2    2009.03.28    Trojan.Autorun.AET
CAT-QuickHeal    10.00    2009.03.28    -
ClamAV    0.94.1    2009.03.28    Worm.Autorun-1838
Comodo    1087    2009.03.28    Unclassified Malware
DrWeb    4.44.0.09170    2009.03.28    Win32.HLLW.Shadow
eSafe    7.0.17.0    2009.03.27    -
eTrust-Vet    31.6.6421    2009.03.27    INF/Conficker
F-Prot    4.4.4.56    2009.03.27    JS/AutoRun
F-Secure    8.0.14470.0    2009.03.28    Worm:W32/Downaduprun.A
Fortinet    3.117.0.0    2009.03.28    -
GData    19    2009.03.28    Trojan.Autorun.AET
Ikarus    T3.1.1.48.0    2009.03.28    Net-Worm.Win32.Kido
K7AntiVirus    7.10.684    2009.03.28    Trojan.BAT.Autorun.IWB
Kaspersky    7.0.0.125    2009.03.28    Net-Worm.Win32.Kido.ih
McAfee    5566    2009.03.27    -
McAfee+Artemis    5566    2009.03.27    -
McAfee-GW-Edition    6.7.6    2009.03.28    -
Microsoft    1.4502    2009.03.28    Worm:Win32/Conficker.B!inf
NOD32    3972    2009.03.28    INF/Conficker
Norman    6.00.06    2009.03.27    BAT/Autorun.IWB
nProtect    2009.1.8.0    2009.03.28    -
Panda    10.0.0.10    2009.03.27    W32/Conficker.C.worm
PCTools    4.4.2.0    2009.03.28    -
Prevx1    V2    2009.03.28    -
Rising    21.22.52.00    2009.03.28    -
Sophos    4.40.0    2009.03.28    Mal/ConfInf-A
Sunbelt    3.2.1858.2    2009.03.28    INF.Autorun (v)
Symantec    1.4.4.12    2009.03.28    W32.Downadup!autorun
TheHacker    6.3.3.8.294    2009.03.28    W32/Conficker.autorunL
TrendMicro    8.700.0.1004    2009.03.28    TROJ_DOWNAD.AD
VBA32    3.12.10.1    2009.03.27    -
ViRobot    2009.3.27.1666    2009.03.27    INF.Autorun.59288.B

Additional information
File size: 59288 bytes
MD5...: 7d9542ef7c46ed5e80c23153dd5319f2
SHA1..: f49fa573a973500d37df219d6055fd4a50f7931f
SHA256: dfc1f69b3efc968310ed8901eda055ea40fa488059a6a3763c356539820ccc3e
SHA512: 1fb7746bdff15739b2a8ff7bb52517457ac820d4bfd26efa516555db836e3ff1f605ed399aaf0d9b83a8aa9dbf4b199398fc6626e5ff0ee98a00363404b36c56
ssdeep: 1536:uvE5/VJ8m0HJnppEnANcFqAsVH8cORecS/1:ksh6pl/H8nRK
PEiD..: -
TrID..: File type identification
        Text - UTF-16 (LE) encoded (66.6%)
        MP3 audio (33.3%)
PEInfo: -
RDS...: NSRL Reference Data Set
        -
packers (Authentium): Unicode
packers (F-Prot): Unicode

Re: Crap AV detection results

On 03/28/2009 03:42 PM, Frazer Jolly Goodfellow sent:

This report is *so* informative as it certainly underscores your
troubles in tussling with this infestation.  Unless I'm mistaken, this
Conficker is identified as /any/ of the A, B or C variants!

VG has posed a great question.  However, I wonder if any of the
Confickers deletes all traces of the first/original .dll infecter file?

Thank you kindly for posting this!  Much appreciated.

Pete
--
1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Re: Crap AV detection results

On Sat, 28 Mar 2009 14:57:30 -0700, 1PW wrote:

Conficker was but one of the problems this system had. Initially it
displayed very obvious symptoms of a WinFixer type rogue AV infection -
banner on the desktop wallpaper and pop-ups announcing a gazillion spurious
infections - so I set MBAM onto it, followed by SuperAntispyware, Spybot
S&D and then Kaspersky AVP.

To be sure I'd got rid of the Conficker infection I used specific fix tools
from Symantec and Bit Defender. I later ran the latest Microsoft MRT.exe
and it still found 5 infected files after all of the others!

The cleanup post-infection was a challenge as well. No network access at
first, fixed by running WinsockXPfix and rebooting. Couldn't get it to
accept Service Pack 3 because of Access Denied errors - probably a defence
mechanism planted by one or other of the malware items. Resetting the registry
and the file permissions per Microsoft's kb949377 did the trick -
eventually - the fix wouldn't complete at first because a program it depends on
(secedit.exe) was missing from the target system.

It has taken two elapsed days to clean up, mostly unattended I hasten to
add.


I'm frustrated because, whilst most of us can understand that a 'day-zero'
infector may well get through the best defences, you at least expect the
industry to be on top of the headline-grabbing ones that have been around
for weeks.

Re: Crap AV detection results

1PW wrote:

But the mechanism and the method of operation are the same. The writing of
an autorun file to a flash disk would be a rare to nonexistent legitimate
activity, and a pretty likely behaviour of a virus.

All antivirus software should now be scanning removable media for autorun
files on the root, as a matter of routine and flagging up suspicious
behaviour.

Gaz



Re: Crap AV detection results

On 03/29/2009 05:37 PM, Gaz wrote:

So you're saying that anti-malware should flag >40,000 byte autorun.inf
files that contain more than 50% binary data on usb keys as
"w32/autorun.suspicious"? I agree.


Re: Crap AV detection results

Gaz wrote:
[snip]

just because it doesn't happen a lot in your environment doesn't mean
it's rare in other environments... virtually every software developer
that distributes their product on optical media uses autorun.inf files...


i think folks are getting a little hysterical about autorun.inf files...
while i agree that autorun is a braindead feature that should absolutely
be killed, scanning autorun.inf files is retarded - you might as well
scan autoexec.bat files while you're at it... there's nothing bad in the
autorun.inf file...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Re: Crap AV detection results

On 03/29/2009 08:25 PM, kurt wismer sent:

But Kurt, I wonder if that was _the_ possible attack vector that took
down a portion of the French Air Force for a few days and raised hob
with portions of bt.com as well?

I know this may be unanswerable.

USB thumb drives and laptops, brought from the outside world, were some
of the primary sources for our attacks at my previous place of employment.

Warm regards,

Pete
--
1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Re: Crap AV detection results


You would think that sneakernet was a new development after reading
about the USB autorun vector. What security professional doesn't already
know that attaching foreign devices to a system can lead to malware
problems?



Re: Crap AV detection results

On 03/30/2009 04:29 AM, FromTheRafters sent:

Hi All:

Mentioning sneakernet - I guess I'll load up some of my thumb drives
with all the legitimate Conficker removal tools to be found, gas up our
cars, and be prepared to make a few house calls late in the week...

Pete
--
1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Re: Crap AV detection results

On Mon, 30 Mar 2009 08:21:07 -0700, 1PW wrote:


Hope they're write protectable, otherwise you risk becoming a carrier. :-)

Re: Crap AV detection results

1PW wrote:
[snip]

oh, absolutely, portable physical devices are one of the least protected
attack vectors these days (everything old is new again)... but it still
makes little sense to try and identify something as malware by looking
at its associated autorun.inf file...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Re: Crap AV detection results

kurt wismer wrote:

Optical media will be read only. Are you trying to tell me that it isn't
possible to distinguish between a removable drive and a CD drive???
Really???


It is a sign however. If i see a flash drive with autorun.inf i assume it is
infected...

Gaz



Re: Crap AV detection results

Gaz wrote:

some flash memory drives lie to the system about what type of drive they
are - see U3 drives...

also, some folks actually distribute content in flash media rather than
optical... it's especially prevalent as promotional gifts...


no U3 drives for you then...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Re: Crap AV detection results

Frazer Jolly Goodfellow wrote:

you realize, of course, that the autorun.inf file *isn't* the actual
malware, it's just the tool the malware uses to get automatically
executed...


most probably if you submitted what the autorun.inf file pointed to you
would have gotten better results...

[snip]

there are a number of reasons why virustotal can't be used as a measure
of an av product's effectiveness... they aren't always using the most
up-to-date version, they only run the command line scanner component and
thus miss out on the more advanced detection capabilities, etc...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
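The triage rules floated in this thread, written out as an added example: FromTheRafters' suggestion (in reply to Gaz) of flagging an autorun.inf over 40,000 bytes that is more than half binary, Gaz's point that a program launched from writable flash is itself a sign (with kurt's U3 and promotional-drive caveat), and kurt's point that the file the autorun.inf points to is what should have gone to VirusTotal. This is editor-supplied Python, not code from any poster; the thresholds, the directive names it parses (`open`, `shellexecute`, `shell\<verb>\command`), the `media` parameter and the two sample files are assumptions constructed for the demonstration, not the sample from the report above.

```python
"""Heuristic triage of an autorun.inf pulled off removable media.

Added example, not code from the thread. Thresholds (assumption: lifted from
FromTheRafters' post) flag files over 40,000 bytes that are more than half
non-text; the payload paths come from kurt's point that the file named by
open=/shellexecute= is what to submit, not the .inf itself.
"""
import random
import re
from typing import Dict, List

SIZE_LIMIT = 40_000    # bytes; an ordinary autorun.inf is a few hundred
BINARY_LIMIT = 0.5     # fraction of characters outside printable ASCII
EXEC_KEYS = ("open", "shellexecute")
_SECTION = re.compile(r"^\[([^\]]+)\]$")
_KEYVAL = re.compile(r"^([A-Za-z0-9_\\]+)\s*=\s*(.*)$")
_PATHISH = re.compile(r"\\|\.[A-Za-z0-9]{2,4}$")


def _decode(raw: bytes) -> str:
    # A UTF-16 BOM is the only encoding hint an INF carries; anything else is
    # read byte-for-byte (latin-1 never raises, even on binary padding).
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("latin-1")


def binary_ratio(text: str) -> float:
    """Share of characters that are neither printable ASCII nor CR/LF/tab."""
    if not text:
        return 0.0
    junk = sum(1 for ch in text if not (" " <= ch <= "~" or ch in "\r\n\t"))
    return junk / len(text)


def parse_autorun(text: str) -> Dict[str, str]:
    """key=value directives from the [autorun] section. Junk lines are skipped,
    which is exactly why padding does not stop Windows from honouring them."""
    directives: Dict[str, str] = {}
    in_autorun = False
    for line in text.splitlines():
        line = line.strip()
        sec = _SECTION.match(line)
        if sec:
            in_autorun = sec.group(1).strip().lower() == "autorun"
            continue
        kv = _KEYVAL.match(line)
        if in_autorun and kv:
            directives[kv.group(1).lower()] = kv.group(2).strip()
    return directives


def payload_hints(directives: Dict[str, str]) -> List[str]:
    """Files named by the launching directives: these are what to scan/submit."""
    hints: List[str] = []
    for key, value in directives.items():
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            for token in value.split():
                token = token.split(",")[0]      # drop rundll32-style ",EntryPoint"
                if token and _PATHISH.search(token) and token not in hints:
                    hints.append(token)
    return hints


def assess_autorun_inf(raw: bytes, media: str = "removable") -> dict:
    """Triage one file; media is 'removable' (writable flash) or 'optical'."""
    text = _decode(raw)
    directives = parse_autorun(text)
    hints = payload_hints(directives)
    ratio = binary_ratio(text)
    reasons: List[str] = []
    if len(raw) > SIZE_LIMIT:
        reasons.append(f"oversized for an INF file ({len(raw)} bytes)")
    if ratio > BINARY_LIMIT:
        reasons.append(f"{ratio:.0%} of the content is not text")
    if hints and media == "removable":
        # Gaz's sign, with kurt's caveat: U3 and promotional flash drives ship a
        # legitimate autorun.inf, so on its own this only earns a "review".
        reasons.append("launches a program from writable removable media")
    if len(raw) > SIZE_LIMIT and ratio > BINARY_LIMIT:
        verdict = "suspicious"
    elif reasons:
        verdict = "review"
    else:
        verdict = "benign-looking"
    return {"size": len(raw), "binary_ratio": round(ratio, 3), "directives": directives,
            "payload_hints": hints, "reasons": reasons, "verdict": verdict}


# Constructed samples, not the file from the thread.
BENIGN_INF = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\nlabel=Product CD\r\n"


def _junk(n: int, seed: int) -> bytes:
    # Deterministic high-bit filler standing in for binary padding.
    rng = random.Random(seed)
    return bytes(rng.randrange(0x80, 0x100) for _ in range(n))


PADDED_INF = (_junk(20_000, 1) + b"\r\n[autorun]\r\n" + _junk(15_000, 2)
              + b"\r\nshellexecute=rundll32.exe .\\data\\loader.dll,Install\r\n"
              + _junk(25_000, 3) + b"\r\nopen=rundll32.exe .\\data\\loader.dll,Install\r\n")

if __name__ == "__main__":
    for name, blob, media in (("benign", BENIGN_INF, "optical"), ("padded", PADDED_INF, "removable")):
        result = assess_autorun_inf(blob, media)
        print(f"{name}: {result['verdict']} {result['reasons']} -> submit {result['payload_hints']}")
```

Run stand-alone it prints a verdict for each constructed sample. The benign file on optical media comes back "benign-looking"; the same file on a writable stick only reaches "review", because kurt is right that a legitimate flash drive can carry an autorun.inf; the padded file trips both of FromTheRafters' thresholds and is "suspicious" regardless of media, and `payload_hints` lists `rundll32.exe` and `.\data\loader.dll`, the second being the file an analyst should actually submit.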
