From: Virus Guy on 20 Apr 2006 23:38

The file in question was located here:

http://www.media-codec.com /v4 /mediacodec-v4.143.exe

It is still available at that location.

The file is 71,456 bytes, and is UPX packed. It has a digital signature of "KAS NET" according to the file properties.

When unpacked with UPX: http://upx.sourceforge.net, the resulting file is 83,232 bytes and has no digital signature attribute. Previous scanning by Jotti had indicated that this file was packed with PE_PATCH and UPACK.

In any case, I submitted both the original file (71kb) and the UPX-unpacked version (83kb) to the now-working Virus Total website.

The following AV software found nothing in both files:

Avast, AVG, Cat, Clam, DrWeb, E-trust Inoculate, E-trust-vet, Ewido, F-prot, McAfee, Norman, Sophos, Symantec, TheHacker, UNA

The following detected something ONLY in the original (packed) file:

AntiVir: TR/Dldr.Zlob.HQ.1
Avira: TR/Dldr.Zlob.HQ.1
BitDefender: Trojan.Downloader.Zlob.HQ
Ikarus: Trojan.Favadd
Panda: Suspicious file

The following detected the same thing in BOTH files:

Fortinet: W32/Zlob.LJ!dldr
Kaspersky: Trojan-Downloader.Win32.Zlob.lj
NOD32v2: Win32/TrojanDownloader.Zlob.LD
VBA32: Trojan-Downloader.Win32.Zlob.lj

Note that there is no overlap between the above 2 groups in the name/identifier used, but there is considerable similarity within the groups. For example AntiVir, Avira and BitDefender use the term "Zlob.HQ", while Fortinet, Kaspersky, and VBA32 use "Zlob.LJ".

Conclusions:

1) Much high-profile AV software is not detecting any threat in these files. Either they are deficient, or the files are clean and this is a false alarm.

2) The AV software that signaled a positive detection only in the first (packed) file but not the unpacked file must not have the ability to unpack PE_Patch and/or UPACK'd files, and the only thing that can account for their positive detection of the first file is that they are relying on an MD5 (or equivalent) hash.
From: Nick FitzGerald on 21 Apr 2006 01:33

"Virus Guy" wrote:

> The file is 71,456 bytes, and is UPX packed. It has a digital
> signature of "KAS NET" according to the file properties.
>
> When unpacked with UPX: http://upx.sourceforge.net, the resulting file
> is 83,232 bytes and has no digital signature attribute. Previous
> scanning by Jotti had indicated that this file was packed with
> PE_PATCH and UPACK.

Hmmmm -- the file at that URL doesn't match that description. I get 69,776 and 81,552 bytes unpacked...

<<snip>>

> The following detected something ONLY in the original (packed) file:
>
> AntiVir: TR/Dldr.Zlob.HQ.1
> Avira: TR/Dldr.Zlob.HQ.1
> BitDefender: Trojan.Downloader.Zlob.HQ
> Ikarus: Trojan.Favadd
> Panda: Suspicious file

Probably because that (and possibly other packed forms) was the only one they had received samples of...

> The following detected the same thing in BOTH files:
>
> Fortinet: W32/Zlob.LJ!dldr
> Kaspersky: Trojan-Downloader.Win32.Zlob.lj
> NOD32v2: Win32/TrojanDownloader.Zlob.LD
> VBA32: Trojan-Downloader.Win32.Zlob.lj

Because their engines do UPX and/or generic decompression (if they do UPX they probably also do the same for other common/popular packers, but that doesn't really matter here).

> Note that there is no overlap between the above 2 groups in the
> name/identifier used, but there is considerable similarity within the
> groups. For example AntiVir, Avira and BitDefender use the term
> "Zlob.HQ", while Fortinet, Kaspersky, and VBA32 use "Zlob.LJ".

This is normal virus naming inconsistency -- nothing to take from it at all apart from the fact that the AV developers can't agree on a way to standardize malware names...

> Conclusions:
>
> 1) Much high-profile AV software is not detecting any threat in these
> files. Either they are deficient, or the files are clean and
> this is a false alarm.

You missed at least one option -- your understanding of how popular AV software works is deficient...
Known virus/malware scanning technology requires that the developer or maintainer of such software gets and analyses samples of new viruses/malware so as to add detection (and possibly cleanup) to their product. You found a new-ish malware that not everyone has received a sample of or has not yet had time to add detection of (or has, but has not yet shipped its detection update, or Jotti and Virus Total have not picked up that update yet). This happens all the time. Many dozens to hundreds of times a day now, in fact...

If that is deficient it is because the whole model is deficient, not because any given product is. Most days I see multiple new malware files that are missed by some or all of the scanners you say detected one or both forms of this malware, and yet are detected by some of the scanners you say detected neither form of this. By your rationale above, these files mean we should also say that the scanners you suggest the above data shows are not inadequate are, in fact, inadequate by your own standard.

And, I'm sure I only need look back less than 24 hours to find an example of (what was then) a new malware file that NOT ONE of the products you listed detected at all (even in their most false-positive-prone extra, ultra heuristics mode _AND_ in some cases even with pre-release, beta and pre-beta (current lab build) DAT/DEF/etc files). So they're all deficient if we are to apply your reasoning...

> 2) The AV software that signaled a positive detection only in the
> first (packed) file but not the unpacked file must not have
> the ability to unpack PE_Patch and/or UPACK'd files, and the
> only thing that can account for their positive detection of the
> first file is that they are relying on an MD5 (or equivalent) hash.

Not for the full file...
Hashing-like approaches across partial file blocks for certain file locations are used in most/all products for identifying (some) static malware files, but no decent product uses full-file hashing for a plethora of reasons I'll not bore you with.

--
Nick FitzGerald
From: Art on 21 Apr 2006 10:32

On Thu, 20 Apr 2006 23:38:20 -0400, Virus Guy <Virus(a)Guy.com> wrote:

>
> The file in question was located here:
>
> http://www.media-codec.com /v4 /mediacodec-v4.143.exe
>
> It is still available at that location.

All I can find at that site (from all four d/l links) is v4.107 and it's clean according to KAV.

Art
http://home.epix.net/~artnpeg
From: Adam Piggott on 21 Apr 2006 12:10

Virus Guy wrote:

> The file in question was located here:
>
> http://www.media-codec.com /v4 /mediacodec-v4.143.exe
>
> It is still available at that location.
>
> The file is 71,456 bytes, and is UPX packed. It has a digital
> signature of "KAS NET" according to the file properties.

(Mostly in response to your first conclusion of it being a false positive and/or clean)

Its certificate has been revoked by Thawte, probably a sign it's malware.

That domain name as well as that of the domain's email contact are also on the block list of my web filtering service, so either I've come across it in my travels or it's present in the publicly-available block lists that I use. Also of note is that the domain is registered with estdomains, which are currently very popular for malware sites.

The Ecodec and Vcodec "brands" have been in use by malware pushers for a while now - I believe that they may be installed via exploits or other malware - so this is likely to be a sibling.

From the install's EULA:

"SOFTWARE INSTALLATION: Components bundled with our software may report to Licensor and/or its affiliates the installation status of certain marketing offers, such as toolbars, and also generalized installation information, such as language preference and operating system version, to assist Licensor in its product development. No personal information will be communicated to MEDIA-CODEC or its affiliates during this process. Licensor may change homepage on user's computer and may offer additional components through our version of checking/update system. These components include: toolbar, popup ads manager, advertisements messenger, pc protection software, shortcuts manager."

On my Windows 2000 testing system the installer does seem to create ecodec.exe but then deletes it, leaving only an uninstaller. With a bit of jiggery-pokery I managed to get at the ecodec.exe file and run it.
Hey-presto it just deletes itself as well! *shrug*

Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
From: David H. Lipman on 21 Apr 2006 18:03
From: "Virus Guy" <Virus(a)Guy.com>
|
| The file in question was located here:
|
| http://www.media-codec.com /v4 /mediacodec-v4.143.exe
|
| It is still available at that location.
|
| The file is 71,456 bytes, and is UPX packed. It has a digital
| signature of "KAS NET" according to the file properties.
|
| When unpacked with UPX: http://upx.sourceforge.net, the resulting file
| is 83,232 bytes and has no digital signature attribute. Previous
| scanning by Jotti had indicated that this file was packed with
| PE_PATCH and UPACK.
|
| In any case, I submitted both the original file (71kb) and the
| UPX-unpacked version (83kb) to the now-working Virus Total website.
|
| The following AV software found nothing in both files:
|
| Avast, AVG, Cat, Clam, DrWeb, E-trust Inoculate, E-trust-vet, Ewido,
| F-prot, McAfee, Norman, Sophos, Symantec, TheHacker, UNA
|
| The following detected something ONLY in the original (packed) file:
|
| AntiVir: TR/Dldr.Zlob.HQ.1
| Avira: TR/Dldr.Zlob.HQ.1
| BitDefender: Trojan.Downloader.Zlob.HQ
| Ikarus: Trojan.Favadd
| Panda: Suspicious file
|
| The following detected the same thing in BOTH files:
|
| Fortinet: W32/Zlob.LJ!dldr
| Kaspersky: Trojan-Downloader.Win32.Zlob.lj
| NOD32v2: Win32/TrojanDownloader.Zlob.LD
| VBA32: Trojan-Downloader.Win32.Zlob.lj
|
| Note that there is no overlap between the above 2 groups in the
| name/identifier used, but there is considerable similarity within the
| groups. For example AntiVir, Avira and BitDefender use the term
| "Zlob.HQ", while Fortinet, Kaspersky, and VBA32 use "Zlob.LJ".
|
| Conclusions:
|
| 1) Much high-profile AV software is not detecting any threat in these
| files. Either they are deficient, or the files are clean and
| this is a false alarm.
|
| 2) The AV software that signaled a positive detection only in the
| first (packed) file but not the unpacked file must not have
| the ability to unpack PE_Patch and/or UPACK'd files, and the
| only thing that can account for their positive detection of the
| first file is that they are relying on an MD5 (or equivalent) hash.

That site is auto-generating new variants of the Zlob Trojan on a regular and periodic basis. A SpyBot technician had examined that site and wrote to me...

"i checked the site, and the samples are autogenerated like a cronjob (see the filedate)."

---<result>----
15.04.2006 01:18 71.376 mediacodec-v4.104.exe
15.04.2006 01:18 71.376 mediacodec-v4.105.exe
15.04.2006 01:18 71.376 mediacodec-v4.106.exe
15.04.2006 01:18 71.376 mediacodec-v4.107.exe
15.04.2006 01:18 71.376 mediacodec-v4.108.exe
15.04.2006 01:18 71.376 mediacodec-v4.109.exe
15.04.2006 01:18 71.376 mediacodec-v4.110.exe
15.04.2006 01:18 71.376 mediacodec-v4.111.exe
15.04.2006 01:18 71.376 mediacodec-v4.112.exe
15.04.2006 01:18 71.376 mediacodec-v4.113.exe
15.04.2006 01:19 71.376 mediacodec-v4.114.exe
15.04.2006 01:19 71.376 mediacodec-v4.115.exe
15.04.2006 01:19 71.376 mediacodec-v4.116.exe
15.04.2006 01:19 71.376 mediacodec-v4.117.exe
15.04.2006 01:19 71.376 mediacodec-v4.118.exe
15.04.2006 01:19 71.376 mediacodec-v4.119.exe
15.04.2006 01:19 71.376 mediacodec-v4.120.exe
15.04.2006 01:19 71.376 mediacodec-v4.121.exe
15.04.2006 01:19 71.376 mediacodec-v4.122.exe
15.04.2006 01:19 71.376 mediacodec-v4.123.exe
15.04.2006 01:19 71.376 mediacodec-v4.124.exe
15.04.2006 01:19 71.376 mediacodec-v4.125.exe
15.04.2006 01:19 71.376 mediacodec-v4.126.exe
15.04.2006 01:19 71.376 mediacodec-v4.127.exe
15.04.2006 01:19 71.376 mediacodec-v4.128.exe
15.04.2006 01:19 71.376 mediacodec-v4.129.exe
15.04.2006 01:19 71.376 mediacodec-v4.130.exe
15.04.2006 01:19 71.376 mediacodec-v4.131.exe
15.04.2006 01:19 71.376 mediacodec-v4.132.exe
< snip >

--<result md5>---
a0f2654035e785828dd43fe05c131b02 mediacodec-v4.104.exe
b144037dbf6003bca3c9514ac8c32108 mediacodec-v4.105.exe
c647cd66e383003061b509b50cc64b95 mediacodec-v4.106.exe
edc9a96f130df95ddae39e4fb0005f42 mediacodec-v4.107.exe
8a3d804f951716dbaa4ef195a870e1ae mediacodec-v4.108.exe
da0b16632851b54625638ec561ef2f15 mediacodec-v4.109.exe
< snip >

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
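An added illustration, not code from any poster in this thread, of two points made above: Nick's remark that scanners hash partial file blocks at fixed locations rather than whole files, and Dave's listing of auto-generated builds that share one size but each have a distinct MD5. The sample "builds" are constructed stand-ins (not the real mediacodec files), and the block offset and length are arbitrary assumptions.

```python
import hashlib
from collections import Counter

# Constructed stand-ins for the auto-generated builds (NOT the real mediacodec files):
# every build shares one body but carries a different small per-build block at the
# tail, which gives each file a unique whole-file MD5 at an identical size.
SHARED_BODY = b"MZ" + bytes(range(256)) * 4      # 1026 bytes, identical across builds
BUILD_BLOCK = 64                                  # size of the varying tail, in bytes

def make_variant(build: int) -> bytes:
    tail = f"build={build};cfg=example.invalid".encode()   # per-build config, constructed
    return SHARED_BODY + tail.ljust(BUILD_BLOCK, b"\0")

VARIANTS = {f"mediacodec-v4.{n}.exe": make_variant(n) for n in range(104, 110)}

def full_file_md5(data: bytes) -> str:
    """Whole-file hash: unique per build, so it matches only a file already seen."""
    return hashlib.md5(data).hexdigest()

def block_signature(data: bytes, offset: int = 2, length: int = 512) -> str:
    """Hash of a fixed-length block at a fixed offset (the partial-block approach).
    Offset and length are assumed values; builds that differ only outside the
    block share this signature."""
    return hashlib.md5(data[offset:offset + length]).hexdigest()

def coverage_from_one_sample(samples: dict, known_name: str) -> dict:
    """Pretend the vendor received only `known_name`: count how many builds each
    signature style catches, and whether a listing would show one common size."""
    known = samples[known_name]
    full_hits = sum(full_file_md5(d) == full_file_md5(known) for d in samples.values())
    block_hits = sum(block_signature(d) == block_signature(known) for d in samples.values())
    return {
        "total": len(samples),
        "full_hash_hits": full_hits,
        "block_sig_hits": block_hits,
        "distinct_md5": len({full_file_md5(d) for d in samples.values()}),
        "all_same_size": len(Counter(len(d) for d in samples.values())) == 1,
    }

if __name__ == "__main__":
    for name, data in VARIANTS.items():      # mimics the size/md5 listing in the thread
        print(f"{len(data):>6} {full_file_md5(data)} {name}")
    print(coverage_from_one_sample(VARIANTS, "mediacodec-v4.104.exe"))
```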