
Hi, remember me?...

Published: 2008-05-02. Last Updated: 2008-05-02 14:20:12 UTC
by Adrien de Beaupre (Version: 1)
3 comment(s)

Ever read through your spam sometimes to see what's popular? Of course you may also get a fresh serving of malware, which makes it very worthwhile. Today's offering:

"Hi, remember me?..
new fotos(archived) you asked ;))
hxxp://lightfly.de/My_foto.exe
kiss,
Angella O."

Well, no, I don't remember an Angella that I have met recently, particularly not someone who might send me photos. But I'll bite. A simple wget scores me an exe. VirusTotal results are depressingly consistent: 4 of 32 engines flag it, and only generically.

AntiVir             7.8.0.11    2008.05.02    TR/Crypt.XPACK.Gen
CAT-QuickHeal       9.50        2008.05.01    (Suspicious) - DNAScan
eSafe               7.0.15.0    2008.04.28    Suspicious File
Webwasher-Gateway   6.6.2       2008.05.02    Trojan.Crypt.XPACK.Gen

Additional information
File size: 167936 bytes
MD5:  cb1de4847ca840f8837fc8381ec6b0cb
SHA1: 26c018e4968e6dc092d5389759e939f741bb66b3

So, only generic detection when the file was first seen. How about 12 hours later? Nope, same results.
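The two things a defender can act on from this diary are the hashes VirusTotal reported and the shape of the lure (a "remember me" / "fotos" note with a bare link to an .exe). The script below is an added example, not part of the diary: it hashes a file and compares against the MD5/SHA1 quoted above, and flags mail text that carries an executable link together with the lure phrasing. The sample message is constructed from the quoted spam; the phrase list and regex are my own assumptions, not an ISC or vendor signature.

```python
import hashlib
import re

# Indicators quoted from the diary (VirusTotal's MD5/SHA1 for My_foto.exe).
KNOWN_MD5 = "cb1de4847ca840f8837fc8381ec6b0cb"
KNOWN_SHA1 = "26c018e4968e6dc092d5389759e939f741bb66b3"

# Executable links in a mail body, in plain or defanged (hxxp) form.
# Regex is an assumption for this example, not a published signature.
EXE_LINK_RE = re.compile(r"\b(?:hxxp|http)s?://\S+?\.exe\b", re.IGNORECASE)

# Lure phrases taken from the quoted message; extend for your own mail stream.
LURE_PHRASES = ("remember me", "fotos", "photos")


def hashes_of_bytes(data: bytes) -> dict:
    """Return MD5 and SHA1 hex digests of a byte string (what VirusTotal reports)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def matches_known_sample(data: bytes) -> bool:
    """True if the bytes hash to the sample quoted in the diary."""
    h = hashes_of_bytes(data)
    return h["md5"] == KNOWN_MD5 or h["sha1"] == KNOWN_SHA1


def find_exe_links(text: str) -> list:
    """All links to .exe files found in a message body."""
    return EXE_LINK_RE.findall(text)


def classify_message(text: str) -> dict:
    """Flag a message that pairs an .exe link with the campaign's lure phrasing."""
    links = find_exe_links(text)
    lowered = text.lower()
    phrases = [p for p in LURE_PHRASES if p in lowered]
    return {
        "exe_links": links,
        "lure_phrases": phrases,
        "suspicious": bool(links) and bool(phrases),
    }


# Constructed sample message, modelled on the spam quoted in the diary.
SAMPLE_MESSAGE = """Hi, remember me?..
new fotos(archived) you asked ;))
hxxp://lightfly.de/My_foto.exe
kiss,
Angella O."""


if __name__ == "__main__":
    print(classify_message(SAMPLE_MESSAGE))
    # Constructed bytes, so this reports False; feed it the real file's bytes to check.
    print(matches_known_sample(b"constructed placeholder bytes"))
```

Hash matching catches only this exact binary; as the diary's own 12-hour re-check shows, the value of a hash IoC decays fast, so the message-shape check is the part worth keeping in a mail filter.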

Cheers,
Adrien de Beaupré
Bell Canada

Keywords: malware spam

Comments

YOU received the only sample ever distributed from that server!
The sample was changed right after your download (Rem: we already see servers that change the binary every 30 mins!)

Every sample is well tested against all known AV so that generic detection will not fire!

NO AV-Vendor will ever be able to write a signature against that sample, unless you send that sample, and if he does, he will publish a signature to millions of users for which that signature is simply useless! We already have over 700.000 detections in F-Secure and I personally expect over 1.3 Mio until End 2008!

If you want to be protected you need a good HIPS based behavioral blocking!
Install the ISTP (Internet Security Technology Preview) from F-Secure http://support.f-secure.com/beta/istp/is2009beta.shtml and START that EXE.

THAT is the future how to combat malware! No more "scan-before-start"! It is just "monitor-while-running"

So please stop complaining about AVs not detecting unless you run that malware while you are protected by that AV!

BTW: AV-Vendors meet these days in Amsterdam to discuss new AV-testing. See http://www.amtso.org/

Can you submit it to cwsandbox so we can check out what it does? Maybe it can be linked to a better known variant that way.

Adrien's sample does not match the scenario that I described above. He told me that the sample was available quite some time. Nevertheless the story stays the same, as that is what we will be threatened by: malware that is not detected by AVs based on signatures!
