Dismal AV detection on recent "American Airlines" spam payload

I've been getting at least 1 spam a day over the past week with a link
that claims to be an American Airlines e-ticket (or something to that
effect).

The link is to a zip file.  After I unzip and submit the .exe to VT, the
detection rate is a consistent 6 or 7 out of 44.

Some of the "big names" in the malware game (Symantec, Microsoft, Trend,
McAfee, AVG, Avira, and sometimes Kaspersky) are failing to detect
these files as a threat, even after re-submitting a few days after the
first scan.

What a joke.

Re: Dismal AV detection on recent "American Airlines" spam payload

Anyone waiting for their American Airlines ticket receipt?

Well, here it is:

hxxp://www.blackgospelvoice.com/components/.tch2em.php?ticket=_

Currently, that link is still working, and blackgospelvoice.com resolves
to 174.121.8.194.

Shoving the .exe file at VirusTotal reveals that the same file had been
scanned 3 hours prior, giving these results:

=================
https://www.virustotal.com/en/file/64b3758168dc6343db18da768850c9bee63e990863e1d0419e9fcab973a07319/analysis/

Detection ratio:    5 / 46
Analysis date:  2013-04-14 13:14:12 UTC ( 2 hours, 51 minutes ago )

 ByteHero          Trojan.Malware.Obscu.Gen.004
 Kaspersky         UDS:DangerousObject.Multi.Generic
 Malwarebytes      Trojan.Agent.TSV
 SUPERAntiSpyware  Trojan.Agent/Gen-Faker
 VBA32             BScope.Trojan-Dropper.8612
===================

A very poor detection rating.  Having it perform a re-analysis gives one
extra result:

===================
https://www.virustotal.com/en/file/64b3758168dc6343db18da768850c9bee63e990863e1d0419e9fcab973a07319/analysis/1365955648/

Detection ratio:    6 / 46
Analysis date:  2013-04-14 16:07:28 UTC ( 0 minutes ago )

McAfee    Ransom-FBNH!A0B5819A0CF9
====================

Re: Dismal AV detection on recent "American Airlines" spam payload

On Monday, April 15, 2013 1:37:23 AM UTC+8, Virus Guy wrote:

Damn you're dumb.  Do you think anybody would run a file that had *any*
detections?  You have six, and you think that's not warning enough?

RL


Re: Dismal AV detection on recent "American Airlines" spam payload


Depends on the detections Ray. Some legit software can cause bad  
detections due to internal file structures. I know, years still beyond  
what you can technically grasp; but that's how it is.


--  
... I'm heavily armed, easily upset, and off the medication.


Re: Dismal AV detection on recent "American Airlines" spam payload

RayLopez99 has brought this to us :
The executable drops another executable and a text file and executes  
the dropped executable which displays the text file while doing other  
maliciousness.

Some malware from two weeks ago is still only 9 of 46 on VT.



Re: Dismal AV detection on recent "American Airlines" spam payload

FromTheRafters wrote:

Try this one:

==================
hxxp://premierplayers.com/components/com_docman/pdf_ftc_consumer_complaint.zip

premierplayers.com = 173.201.185.78
==================

As of about 4 hours ago, VT was reporting a hit-rate of 4/47.

https://www.virustotal.com/en/file/630d583b19acb686453ed2b0e252af887eb04c2fcd60e7725aac1d3da185bc6e/analysis/

 ESET-NOD32           a variant of Win32/Kryptik.AYUB
 Kaspersky            Trojan-Spy.Win32.Zbot.kjkb
 Malwarebytes         Trojan.Agent.BDAVGen
 McAfee-GW-Edition    Heuristic.BehavesLike.Win32.ModifiedUPX.C

Re: Dismal AV detection on recent "American Airlines" spam payload

Virus Guy formulated the question :
https://www.virustotal.com/en/file/630d583b19acb686453ed2b0e252af887eb04c2fcd60e7725aac1d3da185bc6e/analysis/

Screensaver file with PDFlike icon unpacks into binary files.  
Definitely malware - accesses the address book and macromedia history  
among other things.



Re: Dismal AV detection on recent "American Airlines" spam payload

Virus Guy has brought this to us :
https://www.virustotal.com/en/file/630d583b19acb686453ed2b0e252af887eb04c2fcd60e7725aac1d3da185bc6e/analysis/

A batch file too:
=======================================================================
@echo off
:d
del "C:\Documents and Settings\user-1\Desktop\pdf_ftc_consumer_complaint\pdf_ftc_consumer_complaint.scr"
if exist "C:\Documents and Settings\user-1\Desktop\pdf_ftc_consumer_complaint\pdf_ftc_consumer_complaint.scr" goto d
del /F "C:\DOCUME~1\user-1\LOCALS~1\Temp\tmp68c49d2d.bat"
=======================================================================

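A triage heuristic for the cleanup batch quoted above, added here as an example (not code from the thread or from any AV product): it flags the two patterns the script shows, a delete-until-gone loop on the dropper and self-deletion of a temp .bat. The sample is the quoted script with its wrapped path rejoined; the benign script and the indicator names are constructed.

```python
import re

# Constructed sample: the dropper's cleanup batch quoted in the thread, with
# the line-wrapped path rejoined. It retries "del" until the .scr is gone
# (locked while the dropped payload still runs), then erases itself.
SAMPLE_BAT = r'''@echo off
:d
del "C:\Documents and Settings\user-1\Desktop\pdf_ftc_consumer_complaint\pdf_ftc_consumer_complaint.scr"
if exist "C:\Documents and Settings\user-1\Desktop\pdf_ftc_consumer_complaint\pdf_ftc_consumer_complaint.scr" goto d
del /F "C:\DOCUME~1\user-1\LOCALS~1\Temp\tmp68c49d2d.bat"
'''

# Constructed benign cleanup script: a single "del" with no retry loop.
BENIGN_BAT = r'''@echo off
del "C:\build\out.tmp"
echo done
'''

LABEL = re.compile(r'^:(\w+)\s*$')
DEL = re.compile(r'^del\s+(?:/\w\s+)*"?([^"]+?)"?\s*$', re.I)
WAIT_LOOP = re.compile(r'^if\s+exist\s+"?([^"]+?)"?\s+goto\s+(\w+)\s*$', re.I)

def analyze_bat(text):
    """Return (indicator, path) pairs: 'delete_until_gone' when an
    'if exist X goto L' jumps back over a 'del X' (spin until X can be
    removed), 'self_delete_temp_bat' when a .bat under Temp is deleted."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    labels, deletions, findings = {}, [], []
    for i, line in enumerate(lines):
        if m := LABEL.match(line):
            labels[m.group(1).lower()] = i
        elif m := DEL.match(line):
            deletions.append((i, m.group(1)))
        elif m := WAIT_LOOP.match(line):
            target, label = m.group(1), m.group(2).lower()
            start = labels.get(label)
            # A 'del' of the same path between the label and this test means
            # the script loops until the file can finally be removed.
            if start is not None and any(
                start < j < i and path.lower() == target.lower()
                for j, path in deletions
            ):
                findings.append(('delete_until_gone', target))
    for _, path in deletions:
        low = path.lower()
        if low.endswith('.bat') and '\\temp\\' in low:
            findings.append(('self_delete_temp_bat', path))
    return findings
```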


Dismal AV detection on recent "American Airlines" spam payload

+ User FidoNet address: 1:3634/12.42

 VG> Anyone waiting for their American Airlines ticket receipt?

 VG> Well, here it is:

 VG> hxxp://www.blackgospelvoice.com/components/.tch2em.php?ticket=_  

 VG> Currently, that link is still working, and blackgospelvoice.com
 VG> resolves to 174.121.8.194.

 VG> Shoving the .exe file at VirusTotal reveals that the same file had
 VG> been scanned 3 hours prior, giving these results:

you know something? you'd get better results if you threw these at the virus
detection engines' maintainers and let them analyze it... virus total can't
tell you anything about it until the virus detection engines know about it...

FWIW: it seems that there are over 2000 web sites hosted on that IP...

project honeypot has it flagged here:
http://www.projecthoneypot.org/ip_174.121.8.194

that site isn't even fully configured since it carries the default cpanel web
page on the "raw" IP... that's a pretty sad state of affairs since ThePlanet
owns that IP and they should be maintaining the system properly...

)\/(ark
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ The FidoNet News Gate (Huntsville, AL - USA)        +
+ The views of this user are strictly his or her own. +
+ All data is scanned for malware by Avast! Antivirus +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

Re: Dismal AV detection on recent "American Airlines" spam payload


 VG> No I wouldn't.

really?

 VG> What I'm testing here is the competency of the entire anti-virus
 VG> industry.

no one can test for or protect against that which they know nothing about the
presence of, can they?? can you?

 VG> I'm testing that industry by throwing current malware at them and
 VG> see how they respond.

virus total is not "the industry"... it is but one company that has installed a
bunch of antivirus and malware detection programs... none of them are any more
reliable than their latest engines and rules... just like a chain is only as
strong as its weakest link...

 VG> I'm throwing files at them that in theory they should already have  
 VG> a line on.

no, you are throwing files at virus total...

 VG> They should already have a response system that includes a feed  
 VG> for these files to get into their own hands.

there is for every one that i've ever seen... you send the files in question
directly to them... not some third party source and expect that third party to
pass it along to everyone else... you seem to be forgetting about the commercial
aspect of the industry and the "battle to be first" and "be on top as the best"
and such...

 VG> They can operate honey-pot e-mail addresses - can't they?  It's  
 VG> cheap to do.  Email accounts that are long established and attract  
 VG> spam.

they do but that doesn't mean that they get sent these files by those
groups who create them... you are having to access an infested site to acquire
them, aren't you? they, the actual files, aren't being sent to you... a link to
a distribution site is being sent... honey pots don't go and retrieve external
links... they do, however, suck up network data packets and store them for
analysis by humans... it is a long and tedious job...

 VG> And by the way - those various companies which have their AV scan
 VG> engines hosted by VirusTotal - we're under the impression that
 VG> there is some sort of real-time feedback from VT to these companies
 VG> regarding these files that are submitted.  Perhaps that feedback is
 VG> just urban legend?

i don't know what "feedback" you are talking about... when ever i come across
nefarious files, i send them to the companies that i have a business
relationship with... as such, since i do not do norton or mcafee or m$
schtuff, they do not get anything from me... some of my associates may have
relationships with those companies and may pass the files on to them but no one
can force anyone to do such...

/me thinks your expectations are much too high... turn them down a few notches
and contribute to helping rather than testing and carrying on when your
expectations are not met ;)

)\/(ark

Re: Dismal AV detection on recent "American Airlines" spam payload


 R> That's not true.  The way these detections are done is through a  
 R> hash signature, not 'internal file structures'.

the hashes are built based on the structures of the malware, ray... without
those structures to analyze and build against, there is nothing...

)\/(ark

Re: Dismal AV detection on recent "American Airlines" spam payload


 VG> Are you saying that I would get different results if I had any of  
 VG> those AV programs on my computer vs submitting the file to VT?

you might if you have newer rules or engine than VT has... you would also have
a more direct line for the reporting and delivery of the stuff you find that is
bad...


 VG> Your statement does not address the point.

granted but you are not testing the industry like you think you are ;)

 VG> I stated that I am testing the entire AV industry (to the extent
 VG> that those 47 programs hosted by VT represents the industry).

no, you are testing VT and their installed library of those 47 programs...
nothing more...

 VG> I am testing them on a valid, "in the wild", currently circulating
 VG> piece of malware.

testing VT, yes...

 VG> I am testing them to see which of them can, and can't, detect the
 VG> example file.

that's given but you still do not know if they have the latest signatures
installed or even the latest engines...

 VG> The test is a valid, real-life use-case test.

sorry but no... it is not...

 VG> If any one of them can't detect the file as malicious the instant  
 VG> that it is unzipped on the victim's computer, then it fails its  
 VG> intended function as AV protection.  How can it possibly matter if  
 VG> the file is submitted to the AV program for testing by VT, or if  
 VG> it's running on the victim's computer?

as has been stated many times in many areas, chasing viruses and malware is just
that... chasing... the AV and AM industries will never be able to get ahead of
the folks that create those things... the AV and AM industries have no choice
but to follow and hope they can get examples of everything and that is never
going to happen...

)\/(ark
