
Today's Experience With A Virus


Veazer


I was working on a friend's pc that had a virus infection today. He knew what file caused the virus but was puzzled why nothing stopped it. I monitored the system to see what was altering files and deleted the culprits. Dr. Web CureIt found a few more questionable .inf files later, but everything seemed to be ok.

Back at home, I copied the file to the desktop of a Virtual PC running a fresh install of XP SP2 and NOD32 fully updated. With all AMON (realtime scanning) settings maxed on NOD32 (advanced heuristics, etc), it still let me copy and paste the file around the system without detecting the virus. Then I did a manual scan of the file, still nothing. I ran the infected executable, an installer for "homeview". I pressed cancel when the first dialog box appeared. Surprise, the system was now infected and NOD32 had not uttered a peep.

A new process was running, tempo-617.tmp. The virus creates autorun.inf on all drives, and creates a folder "resycled" containing 'boot.com', which NOD32 does not detect as a virus. Since autorun.inf executes the boot.com file, I knew that was the file used to spread the virus, which I was able to test on another VirtualPC session. I could not get any configuration of NOD32 to detect the virus, though it did occasionally find viruses in c:\windows\temp after the infection - which it couldn't remove.

Deleting any of the autorun files or the Resycled folder was fruitless, they just recreate themselves.

Then I wiped the system and started again, this time with AVG Free edition V8. Same result, no detection whatsoever. The system was much slower with AVG however.

I tried again with AntiVir, same thing. No detection moving the file around, and no notification when the system infection took place.

Again... this time with Avast. Avast is an annoying, blinking, beeping, flashing and talking (not joking) AV app but at least it noticed the autorun files being created. And couldn't do a thing about it. All it could do was delete them and wait a few moments and delete them again. And again. And again.

Next up, Kaspersky... Kaspersky fared a little better than the others. It didn't detect the virus in the original file, and it allowed the infection to occur... but it promptly reported that the virus was using the print spooler to modify autorun.inf, and it deleted the Windows temp files that seemed to hold the .exe that started the whole mess. Unfortunately it didn't detect or delete the file used to spread the virus to other computers later, boot.com. Still, it did result in a machine that didn't have any virus executables running.

It's important to note that in every test I fully updated the AV program first and then set the protection settings to the highest available, even when they warned it might result in false positives. It didn't help, unfortunately. None prevented the infection and only one was able to remove it, Kaspersky, and it left behind files that it couldn't detect and would cause a re-infection if run again.

For the final test I uploaded the virus spreader (boot.com) to virustotal.com and only 3/36 AV engines recognized it as a virus. Authentium and F-Prot recognized that it is the W32/Sinowal-based!Maximus virus responsible for over 500,000 compromised bank accounts. PrevX1 declared it to be malicious software but didn't identify it. This is amazing! Only 2/33 (6%) of the current major AV engines on virustotal identified it. Why is it amazing to me? Because this virus is over two years old and has been a major news story for weeks. Why are major AV packages failing to see it?

I was really disappointed by today's experience, especially since NOD32 has been my preferred AV for years and it performed poorly. This only goes to show how limited the protection of antivirus applications really is. It also shows how slow the AV companies are to act, despite appearing to be on top of everything with several updates per day.

If anyone else wants to play around with the file, just PM me and I'll send you the link. I'd rather not post a direct link to a virus here. :o

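The spreading mechanism described in the post above (an autorun.inf at every drive root pointing at a decoy "resycled" folder) is simple enough to triage with a small parser, which is a more useful check than waiting for a signature. The following is an added example, not the poster's code: it parses autorun.inf text, lists every directive that would launch a program, and flags the tells the thread mentions (decoy folder name, .com payload, action text that imitates the stock Explorer entry). The folder and file names come from the thread; the two sample autorun.inf texts are constructed for the demonstration, and scan_roots() is a convenience wrapper for running the same triage over real drive roots.

```python
"""autorun.inf triage for the spreading mechanism described in the thread.

Added example, not the poster's code. The decoy folder name "resycled" and
the payload name "boot.com" come from the thread; the two sample autorun.inf
texts below are constructed for the demonstration.
"""
import configparser
import os

# [autorun] directives that make Windows run something when AutoRun is honoured
# (XP-era behaviour: on media insertion, or when the drive icon is double-clicked).
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
# Folder names chosen to pass for the real Recycle Bin at a glance.
DECOY_FOLDERS = ("resycled", "recycler", "recycled", "$recycle.bin")

# Constructed sample modelled on the thread's description.
SAMPLE_MALICIOUS = (
    "[autorun]\r\n"
    "open=resycled\\boot.com\r\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    "action=Open folder to view files\r\n"
    "shell\\open\\command=resycled\\boot.com\r\n"
)
# Constructed benign sample: only cosmetics, nothing executes.
SAMPLE_BENIGN = "[autorun]\nicon=setup.exe,0\nlabel=Vendor Driver CD\n"


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys ({} if absent or unparsable)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str.lower            # autorun.inf keys are case-insensitive
    try:
        cp.read_string(text)
    except configparser.Error:            # garbage file without a section header etc.
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k: (v or "").strip() for k, v in cp.items(section)}
    return {}


def triage_autorun(text):
    """Classify one autorun.inf.

    Returns (executes_code, targets, reasons): whether any directive launches a
    program, the launch targets in EXEC_KEYS order, and human-readable tells.
    """
    keys = parse_autorun(text)
    targets = [keys[k] for k in EXEC_KEYS if keys.get(k)]
    reasons = []
    for target in targets:
        reasons.append("executes %r on insertion or double-click" % target)
        first = target.lower().lstrip(".\\/").replace("/", "\\").split("\\")[0]
        if first in DECOY_FOLDERS:
            reasons.append("target lives in decoy folder %r" % first)
        if target.lower().endswith(".com"):
            reasons.append("payload %r uses the .com extension" % target)
    action = keys.get("action", "")
    if targets and "open folder" in action.lower():
        reasons.append("action text %r imitates the stock Explorer entry" % action)
    return bool(targets), targets, reasons


def scan_roots(roots):
    """Triage autorun.inf at each given drive root or mount point; absent roots are skipped."""
    results = {}
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if os.path.isfile(path):
            with open(path, "r", errors="replace") as fh:
                results[root] = triage_autorun(fh.read())
    return results


if __name__ == "__main__":
    for label, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        executes, targets, reasons = triage_autorun(sample)
        print(label, "executes code:", executes, "targets:", targets)
        for r in reasons:
            print("  -", r)
```

A legitimate install CD can also use open=, so the executes_code flag alone is not a verdict; the reasons list is what a person would read, and on a removable drive any execution directive is worth a look regardless of what the AV says about the target file.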

Thanks for the heads-up, though two quick questions pop into my mind:

1) where did you get the virus originally?

2) why not report it on a more virus-oriented board? While reporting it here is nice, it's probably unlikely to get the AV companies to focus more on it.

EDIT: One of the first utilities I install on my Windows PCs is TweakUI, which I use to, among other things, stop Windows from automatically executing autorun.inf files...

Edited by Phil Conners

Thanks for the heads-up, though two quick questions pop into my mind:

1) where did you get the virus originally?

It was attached to a fake keygen, I'm sure it's part of many different files at this point.

2) why not report it on a more virus-oriented board? While reporting it here is nice, it's probably unlikely to get the AV companies to focus more on it.

EDIT: One of the first utilities I install on my Windows PCs is TweakUI, which I use to, among other things, stop Windows from automatically executing autorun.inf files...

I'm in the process. Unfortunately I forgot my password and email for Wilders Security forums. :o My thumbdrive with that password vault was recently lost, and I can't use the "forgot my password" because I used a random email address on my personal domain.

I always turn off autorun too, but unfortunately it didn't help my friend because it originated from a download.


UPDATE: I just ran the same test with F-Prot and it fully prevented the infection from occurring, as the virustotal.com results would support. That makes it the only AV app that prevented the infection. I'd like to test "Authentium Command Anti-Malware v5 for Windows" as well but they don't offer eval copies for download without contacting their customer support via email. It was the other app that identified the virus at virustotal.com.

Edit: added link

Edited by Veazer

How long have you been working with F prot? :o

I'm not trying to promote anything... just relating my experience of what happened today. I just tested F-Prot because of the results I had with VirusTotal. If you think I'm promoting F-Prot, do the test yourself and see what happens. I'm not impressed by it other than that, the controls are very limited. I would be far happier if NOD32 blocked it, I just renewed my subscription.


How long have you been working with F prot? :o

I'm not trying to promote anything... just relating my experience of what happened today. I just tested F-Prot because of the results I had with VirusTotal. If you think I'm promoting F-Prot, do the test yourself and see what happens. I'm not impressed by it other than that, the controls are very limited. I would be far happier if NOD32 blocked it, I just renewed my subscription.

Please do me a favour and send me that virus or the link to it, because I'd like to do some testing.

What about the result with CureIt? Can you give a few more details please?

Thanks.


Please do me a favour and send me that virus or the link to it, because I'd like to do some testing.

What about the result with CureIt? Can you give a few more details please?

Thanks.

Unfortunately CureIt did not find it either. I played with it a bit more after my post and I found that the virus uses a rootkit to hide the virus.

The virus will generate a randomly named executable and place a link to the file in HKLM\Software\Microsoft\Windows\CurrentVersion\Run. When I thought all traces of the virus were gone, I removed that registry entry and it immediately re-appeared. Then I ran Sysinternals RegMon to see what executable was changing the registry entry, but because it was hidden by the rootkit, RegMon never saw it either. The process didn't show up in any process viewer, and it can't be deleted even if you know the full path and filename. Fortunately Panda Anti-Rootkit and Sophos Anti-Rootkit both found the rootkit, but I think it's best to remove the rest of the virus first.

From what i can tell, the whole virus "package" is a combination of 1 worm and 1 trojan working together and hidden by a rootkit and an encrypted or self-morphing installer.

I sent you a link to the virus, check your messages.

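The Run-key persistence and the hidden process described in the post above are the kind of thing a triage script can surface without trusting the infected system's own process list: an autostart entry whose target sits in a temp directory, has a non-standard extension, has a machine-generated name, or points at a file the file system claims does not exist is worth a closer look, and an entry that comes back after you delete it is the re-creation loop the poster hit. The following is an added example, not the poster's code. Enumeration uses Python's winreg module and therefore only works on Windows; the classifier is pure Python and runs anywhere. The sample entries are constructed; the name tempo-617.tmp comes from the thread, and the "random name" test is a heuristic for a human to review, not a verdict.

```python
"""Triage of Run-key autostart entries for the persistence described above.

Added example, not the poster's code. Registry enumeration needs the winreg
module and so only runs on Windows; classify_run_entry() is pure Python.
SAMPLE_ENTRIES are constructed; the name "tempo-617.tmp" comes from the thread.
"""
import math
import os
import re
from collections import Counter

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
TEMP_HINTS = ("\\temp\\", "\\tmp\\", "\\windows\\temp", "\\local settings\\temp", "\\appdata\\local\\temp")
ODD_EXTENSIONS = (".tmp", ".com", ".scr", ".pif", ".dat")

# Constructed sample snapshot: (hive, value name, command). Only the first is suspicious.
SAMPLE_ENTRIES = [
    ("HKLM", "tempo", r"C:\WINDOWS\Temp\tempo-617.tmp"),
    ("HKCU", "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]


def shannon_entropy(s):
    """Bits per character; 3.0 for an 8-character name with no repeated characters."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def command_target(command):
    """Pull the program path out of a Run value, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|pif|tmp|dat))(?:\s|$)", command, re.IGNORECASE)
    if m:
        return m.group(1)
    return command.split()[0] if command.split() else ""


def looks_machine_generated(stem):
    """Heuristic: long names that are high-entropy or digit-heavy, like the thread's random executables."""
    return len(stem) >= 8 and (shannon_entropy(stem.lower()) >= 3.0 or re.search(r"\d{3,}", stem) is not None)


def classify_run_entry(command, exists=None):
    """Return a list of reasons this autostart entry deserves a look ([] if none).

    `exists` overrides the on-disk check so the logic can be exercised off the infected box.
    """
    target = command_target(command)
    stem, ext = os.path.splitext(os.path.basename(target.replace("\\", "/")))
    low = target.lower()
    reasons = []
    if any(h in low for h in TEMP_HINTS):
        reasons.append("target in a temp directory")
    if ext.lower() in ODD_EXTENSIONS:
        reasons.append("unusual extension %s for an autostart entry" % ext)
    if looks_machine_generated(stem):
        reasons.append("name %r looks machine-generated" % stem)
    if exists is None:
        exists = os.path.exists(target)
    if not exists:
        reasons.append("target missing from disk as seen by this process (deleted, or hidden by a rootkit)")
    return reasons


def triage_run_entries(entries, exists=None):
    """Return [(hive, name, command, reasons)] for entries with at least one reason."""
    flagged = []
    for hive, name, command in entries:
        reasons = classify_run_entry(command, exists)
        if reasons:
            flagged.append((hive, name, command, reasons))
    return flagged


def returned_entries(removed, current):
    """Value names you deleted that are back in a later snapshot: the re-creation loop from the thread."""
    return sorted(set(removed) & {name for _, name, _ in current})


def enumerate_run_entries():
    """Windows only: (hive, name, command) from the HKLM and HKCU Run keys; [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    out = []
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            key = winreg.OpenKey(hive, RUN_KEY)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:       # no more values
                    break
                out.append((hive_name, name, str(value)))
                index += 1
    return out


if __name__ == "__main__":
    entries = enumerate_run_entries() or SAMPLE_ENTRIES
    for hive, name, command, reasons in triage_run_entries(entries):
        print("%s\\...\\Run\\%s = %s" % (hive, name, command))
        for r in reasons:
            print("  -", r)
```

Run it once, delete the flagged value, and run it again: returned_entries() on the two snapshots tells you whether something is putting the entry back, which is the signal the poster wanted the AV to act on. A "missing" target on a box where the entry keeps returning is consistent with a rootkit hiding the file, and is a reason to check from a boot CD or another OS rather than from the infected system.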

Thank god for alternative operating systems that don't have registries and allow crap like this to go on.....

Get a decent raster app on par with Photoshop and I'll use my Ubuntu partition full time. Of course, I'll also need a page layout app on par with InDesign, a CAD/CAM app like Rhino or Solidworks... etc... etc...

I love the Linux OS, but I'm waiting for the apps to fill the void.


Thank god for alternative operating systems that don't have registries and allow crap like this to go on.....

Get a decent raster app on par with Photoshop and I'll use my Ubuntu partition full time. Of course, I'll also need a page layout app on par with InDesign, a CAD/CAM app like Rhino or Solidworks... etc... etc...

I love the Linux OS, but I'm waiting for the apps to fill the void.

OS X? PS and ID are covered, though I think the CAD/CAM apps are still holding out for some reason. It's really one of the very last categories of apps that are not on OS X.

As for AV programs, they slow down your computer and don't help you if you get infected. The above is pretty much a case in point. Most viruses come in via exploits that are not fixed, and there is in theory and practice absolutely nothing an AV program can do about it. An obscure AV program is your best bet because chances are the virus authors didn't consider it important enough to add cloaking code. For the popular ones, forget it. Any script-kid can cobble together malware that turns these off or cloaks itself from them. Once it's running on the system - via some exploit - the AV program is dead in the water.


A while back, I was surfing in Firefox and suddenly AVG popped up a warning that a virus had been detected. It couldn't clear it though. Turns out I was running an out-of-date version of Sun Java that enabled the drive-by download. Going back to that page led to immediate reinfection. Anyhow, a quick scan with HijackThis revealed the 4 or so new entries and I was able to delete them and clean it up. So while AVG couldn't delete the virus, it was useful in alerting to its presence.

Edited by katana

Thank god for alternative operating systems that don't have registries and allow crap like this to go on.....

Get a decent raster app on par with Photoshop and I'll use my Ubuntu partition full time. Of course, I'll also need a page layout app on par with InDesign, a CAD/CAM app like Rhino or Solidworks... etc... etc...

I love the Linux OS, but I'm waiting for the apps to fill the void.

Why didn't you use Parallels Desktop for Linux?

Started to deal with that virus, using an old machine with Windows 2000 at the moment, connected to the internet with an old Zyxel 630 ADSL modem. F-Prot isn't able to find the virus on Win 2000, but Clam AV and CureIt came up with the right location, without mentioning the name.

But I'll dig a bit deeper in the next few days; my time is limited because of a heavy job I have to finish in the next 2 weeks. So I need some time to check deeper.

Cheers.


Thank god for alternative operating systems that don't have registries and allow crap like this to go on.....

Get a decent raster app on par with Photoshop and I'll use my Ubuntu partition full time. Of course, I'll also need a page layout app on par with InDesign, a CAD/CAM app like Rhino or Solidworks... etc... etc...

I love the Linux OS, but I'm waiting for the apps to fill the void.

OS X? PS and ID are covered, though I think the CAD/CAM apps are still holding out for some reason. It's really one of the very last categories of apps that are not on OS X.

As for AV programs, they slow down your computer and don't help you if you get infected. The above is pretty much a case in point. Most viruses come in via exploits that are not fixed, and there is in theory and practice absolutely nothing an AV program can do about it. An obscure AV program is your best bet because chances are the virus authors didn't consider it important enough to add cloaking code. For the popular ones, forget it. Any script-kid can cobble together malware that turns these off or cloaks itself from them. Once it's running on the system - via some exploit - the AV program is dead in the water.

I like OSX, but I don't like the idea that I must buy all my hardware and operating systems from a single company. If Apple releases OSX for use on other machines, I'll consider it. I've been tempted to run it anyway, but my fear is that Apple will someday put a wall in place that the hackintosh crowd can't find a way around. I'd much rather see a greater selection of apps on Linux, but that will take some time.

As for protecting Windows systems, I've since gone to a limited user profile and I use SudoWin and Sudown to run as admin as needed. I've had more luck with the latter. Running under LUA access can be annoying, which is why myself and others spend far too much time logged in as administrators, but the Sudo tools help reduce the pain a lot. I very rarely need to log in to the admin account to get tasks done. After a little testing I found that running with limited access would have protected me from the rootkit and virus infection this post started off with.

Why didn't you use Parallels Desktop for Linux?

Started to deal with that virus, using an old machine with Windows 2000 at the moment, connected to the internet with an old Zyxel 630 ADSL modem. F-Prot isn't able to find the virus on Win 2000, but Clam AV and CureIt came up with the right location, without mentioning the name.

But I'll dig a bit deeper in the next few days; my time is limited because of a heavy job I have to finish in the next 2 weeks. So I need some time to check deeper.

Cheers.

Embarrassingly, because I didn't know it existed! lol. I thought Parallels was still for OSX only. I'll take a look, thanks for that suggestion.

The virus I sent you is being dealt with for the most part; many of the companies have added the signature of the file to their updates in the past few days. I was abused by many of the security guys at the Wilders Security forums for my harsh statements against the current crop of AV solutions. Mainly, their argument is "hey, this is a new variant, of course nothing can see it". I have several objections to this viewpoint.

First, F-prot DID see it, and not using a brand new signature. So claiming that it's OK that AV were blind because it's a new variant is not an argument that is easy for me to accept.

More than anything, I don't like the complete acceptance by these guys that today's AV apps are generally "non-intelligent" apps just trying to scan and delete. When you watch what a well written virus does, you see some very clever programming and intelligent tricks used to get around the system's defense.

The AV apps are still largely dependent on a technique that is increasingly less effective: scan for a known signature and try to delete the file. They don't seem to do much beyond that. Many of the additional files in the virus were other well known viruses and the apps COULD identify them, just not remove them.

Why not start to write intelligent AV apps that take the approach of a security professional trying to un-infect a system?

Some examples...

1) The AV app detects a file is a virus and deletes it. Moments later, the same file is re-created. The current crop of apps will just get stuck in a stupid loop of endlessly trying to delete the file and it's never going to succeed. A live user with some knowledge is going to run some monitoring apps to try to find what process is responsible for putting the file back, so why aren't the AV apps doing this?? If it is the next logical course of action for a human, then it needs to also be the next course of action by the app.

Suppose it tries to find what process and file are doing the dirty work but it can't, then what? As a real person, I'm going to start scanning for rootkits and other nasties that might be hidden from the system. Again, this is what the AV app should be doing imho. It's interesting for me to track down these viruses and see how they work, but the average user just wants the virus removed and doesn't have the knowledge to track down the virus.

2) The AV app detects a virus and tries to delete it, but can't because the file is locked. The AV app lets you know that it will "delete the file on the next reboot".. Stupid!!! Don't leave the file running - unlock all hooks on that file and delete it right now. This one drives me nuts.

There are numerous ways the AV apps could be improved to be more effective, but they've been lazy and using old techniques for far too long. Maybe my standards and expectations are too high. According to the individuals representing the AV companies, I'm not being realistic.


Parallels Desktop exists for Linux and Windows as well.

About the AVs used, both of them more than 6 weeks old! I was avoiding the use of updated AVs just to check if older versions were able to find the virus. Clam was even alerting while downloading. But again, without showing any name, just an alert about a possible threat!

Cheers.


Parallels Desktop exists for Linux and Windows as well.

About the AVs used, both of them more than 6 weeks old! I was avoiding the use of updated AVs just to check if older versions were able to find the virus. Clam was even alerting while downloading. But again, without showing any name, just an alert about a possible threat!

Cheers.

How? I thought ClamWin was still scan-on-demand. I'm not trying to argue, just curious how you have it doing realtime scanning.

From http://www.clamwin.com/ :

The latest version of Clamwin Free Antivirus is 0.94.1

Please note that ClamWin Free Antivirus does not include an on-access real-time scanner. You need to manually scan a file in order to detect a virus or spyware.

Thanks for pointing out Parallels for linux. It looks good, but it's far less robust than the OSX version, and lacks important features like 3D, video, multicore support. That would make it much less usable for my design apps.


Get as many users for Linux as Windows and watch what happens. :o

Probably oh so true if the majority of them are running n00buntu. Of course, for us using SELinux it's not such a big deal.

Parallels Desktop exists for Linux and Windows as well.

About the AVs used, both of them more than 6 weeks old! I was avoiding the use of updated AVs just to check if older versions were able to find the virus. Clam was even alerting while downloading. But again, without showing any name, just an alert about a possible threat!

Cheers.

I don't know if Parallels Desktop supports VT, but VirtualBox does.....


Parallels Desktop exists for Linux and Windows as well.

About the AVs used, both of them more than 6 weeks old! I was avoiding the use of updated AVs just to check if older versions were able to find the virus. Clam was even alerting while downloading. But again, without showing any name, just an alert about a possible threat!

Cheers.

How? I thought ClamWin was still scan-on-demand. I'm not trying to argue, just curious how you have it doing realtime scanning.

From http://www.clamwin.com/ :

The latest version of Clamwin Free Antivirus is 0.94.1

Please note that ClamWin Free Antivirus does not include an on-access real-time scanner. You need to manually scan a file in order to detect a virus or spyware.

Thanks for pointing out Parallels for linux. It looks good, but it's far less robust than the OSX version, and lacks important features like 3D, video, multicore support. That would make it much less usable for my design apps.

I use my own macro program to scan all files while downloading. It's just a question of my own security to do that. Even programs like Avast don't scan everything while downloading. To get them to scan everything, you need to program your own macro.

Cheers.
