Domain: virustotal.com
Stories and comments across the archive that link to virustotal.com.
Comments · 5,903
-
Re:...and here we go again
Tools like Process Monitor, Process Explorer, Autoruns are better for watching viruses.
Checking the software with VirusTotal is the best way of finding out if it's a virus/trojan. Of course the best way to scan a system is from a separate OS. But I'm lazy and use Malwarebytes Anti-Malware.
-
Try autohotkey...
Try http://www.autohotkey.com/docs/ or http://ahkscript.org/.
Autohotkey basically lets you remap any combination of buttons (keyboard or mouse) and modifiers to anything else, including scripts. I use it extensively for PC gaming. Things like automatically repeating mouse clicks for Diablo2 or PathOfExile, or just mapping mouse buttons to keyboard buttons for MMORPGs.
Open source, of course. Passes all the check-with-everything online antivirus scans, e.g. https://www.virustotal.com/. Extensive capabilities. Lots of discussion on stackoverflow. Wonderful little background drama on the forums with a semi-fork and reconciliation. Extensive forums. Phenomenal capabilities. Did I mention that it can remap mice/keyboard on a per-application basis? You can have different mappings for different games that you're running concurrently. Extensive documentation.
Check it out!
-
detection
Hello,
The SHA-256 hash for the file is 8e64c38789c1bae752e7b4d0d58078399feb7cd3339712590cf727dfd90d254d.
According to VirusTotal, at the time the report was released, it was being detected by the following anti-malware programs:
- Avira AntiVir - Android/FakeInst.ES.4
- Baidu-International - Trojan.Android.FakeInst.bES
- ESET - a variant of Android/Morcut.A
- Kaspersky - HEUR:Trojan-Spy.AndroidOS.Mekir.a
- ThreatTrack VIPRE - Trojan.AndroidOS.Generic.A
Five out of fifty-three programs, or a little under 10%. Currently, detection is at 13/53, according to this report.
Regards,
Aryeh Goretsky
-
Use the hash search
There's no need to upload files to Virustotal most of the time. Just calculate the MD5 or SHA-1 hash (or whatever else is supported) for the file, and search for it on Virustotal. More often than not someone else has already uploaded the exact same file very recently.
Then again, I guess for some users uploading might actually be easier.
-
Re:Nice piece of work
Well-done article. Read it top to bottom. Congrats.
I tried to follow it all the way through, bounce around reddit and even downloaded the torrent "2014 Mt. Gox Leak" http://thepiratebay.se/torrent...
But wasn't able to view it as there's concern over the file TibanneBackOffice.zip; it appears to be a MAC.OSX.Coinstealer, go figure.
https://www.virustotal.com/en/...
-
All AV suck
All I want is a program that combines Autoruns with StartupMonitor, and steps in when any DLL or executable is about to be modified; hell, the OS should do that anyway.
Over 5 years I have enjoyed running my PC virus-free, and without the annoyance of anti-virus software's constant nagging. VirusTotal for when I'm in doubt and a scan with Malwarebytes Anti-Malware for when I get a tinge of paranoia.
-
VirusTotal, a subsidiary of Google
"Bing Tops Google At Finding Malware"
IMO this is a bullshit article. Why?
Because...
https://www.virustotal.com/en/about/
"What is VirusTotal
VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners."
I assume VT discovers more Malware.
Fuck you, Bing, and Fuck your Bing Commercials.
-
Re:I think I can make it
Mind you, it triggers on four antivirus packages on VirusTotal as being a trojan.
Admittedly, these are likely false positives as it triggers on less-known antivirus scanners as "generic" trojans, but since I've never heard of WSUSOffline before and it doesn't significantly improve the Windows update problem, I think I'll pass on this one. While WSUSOffline is probably perfectly legitimate software, it's better to play it safe. Perhaps the developers might wish to contact the antivirus scanners that are giving the erroneous results so they can fix the false positives.
-
Re:Simple
I submit downloads from untrusted sources to VirusTotal. Discerning which results are false positives and which are from less recently updated signatures isn't something for the layman, though.
-
Re:Who still pays for antivirus?
I'd argue it's because Microsoft has access to their own source code
I doubt that's the real reason, because both Norton and McAfee used to be good. Then they started to be bigger resource hogs than most viruses they were protecting you against (yes there's other evil stuff that viruses do but keep reading...).
I definitely recall Norton/Symantec making systems more unstable or causing problems:
1) Years ago someone had problems fetching email, turns out Norton/Symantec was intercepting the POP3 connections to scan for viruses (ok fine), but some email was causing it to _crash_ (extremely not fine, especially if it turns out to be an exploitable code-injection bug).
2) In 2007: http://www.pcworld.com/article/132050/millions_of_chinese_hit_by_symantec_foulup.html
A virus-signature update delivered automatically to users on Friday about 1:00 a.m. Beijing time to Symantec's antivirus scanning engine mistook two critical system files of the Simplified Chinese edition of Windows XP Service Pack 2 for a Trojan horse. The two files -- netapi32.dll and lsasrv.dll -- were falsely quarantined, which in turn crippled Windows. If an affected PC was rebooted, Windows failed on start-up and showed only a blue screen.
3) On 28 January 2010, Symantec's antivirus software marked Spotify as a Trojan horse, disabling the software across millions of computers
Nowadays depending on the situation I use Avira, MSE or "no antivirus". My personal home machine has no AV installed. My browser runs as a different user process. If I have something that I think is suspicious, I check it with VirusTotal ( https://www.virustotal.com/ ). So far I have had no problems doing things this way, so I don't see the point of constantly incurring the extra CPU/resource costs by installing a real-time virus scanner on my machine. For the past few decades my personal machines have never been infected by a virus. I may have downloaded viruses or malware, but I have not been infected by them. And yes I do know how to check.
A dedicated attacker might be able to put malware on my machine, but they'd know how to use virustotal or similar too, and still be able to plant malware on my machine even if I was running AV software (and wasting resources).
The machine my parents use on the other hand has AV software installed (not Symantec, nor McAfee).
AV software is not needed everywhere and in some cases if installed, it indicates someone is doing something wrong: http://xkcd.com/463/
Given my track record vs Symantec's track record, I would prefer to take the bet that Symantec is more likely to screw up my system than a virus. There have been other antivirus vendors with similar screw ups too.
On a related note, Trend screwed up notoriously - albeit with its antispam product, blocking the letter "p".
For these reasons production servers and other important machines that are well secured and managed should NOT have antivirus software installed.
If they are so poorly managed that the operators are much more likely to screw up than the AV vendors, then sure, install AV, but that means you are doing something wrong.
-
Re:screenshots
Replying to myself, but I pushed the file through VirusTotal (which runs suspect files through a whole host of AV engines). Somewhat depressingly, most of them didn't catch it.
The results are here if anyone's interested.
-
Re:Ive pirated many games I bought
A quick trip to TPB for a cracked file
Umm, that's an extraordinarily bad idea and if you're doing it routinely I absolutely guarantee that your box is currently 0wned. I've yet to see a standalone crack on TPB which isn't a trojan or wrapped with one. Those coloured established-user skulls don't mean shit, nor does a lack of "it's a virus" comments - they tweak the packing until the common AVs don't detect it. It's the easiest way there is to build yourself a 10k node or so botnet, so people put in a little effort
... I saw a cute one recently which kept the original release group split rar format and edited the .nfo with a note not to worry that their "keygen" mysteriously required UAC elevation. Sure enough it was a botnet installer. The situation with entire cracked software packages is almost as bad. Like, maybe 90% of it is infected instead of 100%. Seriously, do not download warez from public trackers. It isn't hard to get on a semi-private like Demonoid at least, where you should still exercise caution but the situation is significantly better. The only software you should ever consider using a public tracker for is uncracked original ISOs that you have verified the hashes of via MSDN / technet or some other official source.
-
Re:Why?
I do fight APTs on a daily basis, this was a part of my work today.
Generally IRC is no longer a good C&C protocol for a number of reasons:
1) Companies are increasingly putting in place protocol filters, so that only pure HTTP gets out of the company,
2) IRC runs on a port that is almost always blocked, you could use your servers but then you come again to the problem of "your servers",
3) IRC has problems getting out through company proxies.
4) You asked "what is wrong with a list of IP addresses,", well, in a log report, IP addresses stand out like a sore thumb and are immediately visible.
-
Re:Well, DUH...
We should harness the free market and build a system that takes inputs from whatever security feeds users subscribe to and weight those security feeds based upon the end user's preferences. Also, we should be able to override the choices for any given case.
I think they have a good system at http://www.virustotal.com/: users have ratings and leave comments. Too bad it wouldn't work for large files, but we could use hashes for them.
-
Re:Uh...Avast?
I'll second the plug for MS Security Essentials.
Remember last month's hoo-rah over the Alureon rootkit? Rootkit May Be Behind Windows Blue Screen
Which MSE nailed and Avast did not.
File atapi.sys received on 2010.02.11:28:49 (UTC)
The curious thing, whether it be Alureon or Conficker, the MSE - and MSRT definitions - tend to be published months before the latest "crisis" makes headlines on Slashdot.
-
Re:Microsoft
Yeah but are they really trojans? Or was MSE wrong about those?
FWIW, I don't install AV on my main windows machine. If I do see something suspicious I upload it to: http://www.virustotal.com/
So far I don't think my machine has been infected before. If my machine ever gets zombied, I'd probably notice since 1) I have a crappy internet connection, 2) I'd eventually notice the network traffic on the gateway machine - which is not windows.
-
AVG + Common sense
I use AVG's free edition for on-access scanning, just for a little extra protection, because I am generally able to avoid getting infected with anything. (Even if something does slip by me, I can often track it down through a service it installs, entry in startup lists, or running processes.)
If I'm downloading something that has a big potential for being a virus (e.g. a no-CD crack), I'll scan it manually with AVG, and also upload it to a scanning service like virusscan.jotti.org or virustotal.com, which take a file and put it through a number of anti-virus products.
Naturally, AVG has also been making it harder to find the free edition. They, of course, want you to buy the full AVG Internet Security package. (To find AVG Free, you have to go to free.avg.com, and look for the less-flashy, more hidden buttons.)
-
How to find malware on your system
Now, this ain't bulletproof but it's a start.
1) Download autoruns, run it, take a look at what it finds.
2) Think something is suspicious? Upload to Virus Total.
3) Act accordingly.
It's anything but foolproof and there are a LOT of things that will slip past, but it's a good way to start without having to know anything about software.
-
Re:That does not matter.
Actually, there was an infected version of the affected ATAPI.sys uploaded to SANS ISC, and its checksum is different than the legit ATAPI.sys. Here's the Virustotal of the atapi.sys file from a machine that blue-screened: http://www.virustotal.com/analisis/85aa49f587f69f30560f02151af2900f3dc71d39d1357727ab41b11ef828a7ff-1265925529 Here's the Virustotal of a clean and unpatched atapi.sys file: http://www.virustotal.com/analisis/0e6b23a80f171550575bebc56f7500cd87a5cf03b2b9fdc49bc3de96282cd69d-1265930822 However, there may be more than one rootkit involved in the debacle.
-
Re:Rootkit false positive?
I know it's bad form to reply to my own post but I just found the following VirusTotal scan result for a rooted atapi.sys file that causes the blue screen:
Note that eSafe in this case finds nothing. Doesn't say much for eSafe, huh?
-
At rainbow's end: Win32/Alureon.A detected
After all, there's no way that their malware tool could have spotted it, or the update could have checksummed the files before patching them.
If they put half as much effort into their anti-malware activities as they do into their DRM regime, the world would be a better place. We'd all have unicorns, and a pot of gold.
Microsoft does detect it - and has since last October.
File atapi.sys received on 2010.02.11 21:58:49 (UTC)
Virus:Win32/Alureon.A
Updated: Dec 07, 2009
Aliases:
Win32/Olmarik!generic (CA)
Rootkit.Win32.TDSS.u (Kaspersky)
W32/TDSS.drv.gen4.A (Norman)
Mal/TDSSPack-V (Sophos)
Encyclopedia entry
Updated: Dec 07, 2009 | Published: Dec 02, 2009
Alert Level: Severe
Detection initially created:
Definition: 1.69.77.0
Released: Oct 23, 2009
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s). When the infecting trojan is run, it infects a system driver, usually 'atapi.sys'. It has also been observed to infect 'iastor.sys' but other system drivers may also be targeted. The system driver detected as Virus:Win32/Alureon.A is infected by the addition of code, whose function is to load a part of the Alureon rootkit. The Alureon rootkit is a component that gives Alureon the ability to avoid detection; it is created by the same Alureon trojan that infects the system driver. The rootkit loaded by Virus:Win32/Alureon.A has the ability to avoid behavior blockers, which allows it to perform its malicious routines uninterrupted. It can also hide files and disk sectors.
Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials... . Win32/Alureon may modify DNS settings on the host computer, thus the following steps may be required after the Win32/Alureon removal is complete:
If the computer has a network interface that does not receive a configuration using DHCP, reset the DNS configuration if necessary
-
Re:Potential cause for the blue-screens
Thanks for the link; I checked my atapi.sys and its SHA1 sum was the "working" one, a719156e8ad67456556a02c34e762944234e7a44.
However, only eSafe says the file is infected with Win32.Rootkit; the others seem to be clear. Has anyone else checked their file?
-
Potential cause for the blue-screens
It seems like someone's figured out what was causing the bluescreens... from the MS forum thread:
I had an Eee PC with XP Home brought to me with this same problem. I rolled back KB977165, rebooted and the system worked fine. I reapplied KB977165 and the rest of the updates available at Microsoft Update, and the problem returned. I replaced %System32%\drivers\atapi.sys with a clean version from an XP SP3 distribution folder and rebooted... voila! Problem solved.
For reference, the SHA1SUMs of the atapi.sys files:
Non-working:
bb3e36ad0c8ed6daab38653ea4a942d74b9f4ff6
Working:
a719156e8ad67456556a02c34e762944234e7a44
If anyone wants to look at the non-working atapi.sys:
https://patrickwbarnes.com/pub/atapi.sys
I will be looking at this more in-depth. If I find anything more, it will be posted in a follow-up comment at the ISC:
http://isc.sans.org/diary.html?storyid=8209
UPDATE:
I uploaded the non-working atapi.sys file to VirusTotal, and this is the result:
http://www.virustotal.com/analisis/85aa49f587f69f30560f02151af2900f3dc71d39d1357727ab41b11ef828a7ff-1265925529
Apparently, this update problem is the result of an infection.
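The "Use the hash search" comment earlier on this page and the atapi.sys thread above both rely on the same step: hash the file locally, then compare or look the hash up before anything is uploaded. The following script is an added example, not code from any commenter or from VirusTotal; it streams a file through MD5, SHA-1 and SHA-256 at once and checks the SHA-1 against a small reference table. The two reference SHA-1 values are the "working" and "non-working" atapi.sys sums quoted in the comment above; the labels attached to them, the sample file contents and the function names are this example's own assumptions.

```python
"""Hash a file locally and check it against known hashes before uploading (added example)."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so large files never sit fully in memory


def hash_bytes(data: bytes) -> dict:
    """Return MD5, SHA-1 and SHA-256 hex digests of an in-memory buffer."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str) -> dict:
    """Stream a file through all three digests in a single pass."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


# Reference SHA-1 sums quoted in the atapi.sys comment above (XP SP3 / KB977165 case).
# The verdict strings are assumptions of this example, not VirusTotal output.
KNOWN_SHA1 = {
    "a719156e8ad67456556a02c34e762944234e7a44": "known-good (clean atapi.sys per the comment)",
    "bb3e36ad0c8ed6daab38653ea4a942d74b9f4ff6": "known-bad (infected atapi.sys per the comment)",
}


def classify(hashes: dict, known: dict = KNOWN_SHA1) -> str:
    """Map a SHA-1 to a verdict; an unknown hash is searched on VirusTotal before any upload."""
    return known.get(hashes["sha1"], "unknown: search VirusTotal by hash before uploading")


if __name__ == "__main__":
    # Constructed sample file; its contents are arbitrary and not a real driver.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"abc")
        path = tmp.name
    try:
        digests = hash_file(path)
        for name, value in digests.items():
            print(f"{name}: {value}")
        print(classify(digests))
    finally:
        os.unlink(path)
```

Searching by hash first avoids handing a possibly confidential file to a third party; if the hash is unknown to VirusTotal, that is the moment to decide whether uploading the file itself is acceptable.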
-
Re:Virus warning
It should tell him that his scanner spots that malicious code, like most AVs: http://www.virustotal.com/analisis/74af02248eb35da5a0e615538f73ecd37e186aef5234da237908ba48290c2aa5-1258907794
-
Re:Stigma to Linux
Just a word of note:
Real scene sites virtually never contain viruses. (OK. I will grant that the scene itself generally does not use websites, but there are some reputable sites that provide end-user access to the goods of the scene).
To be honest, I've never seen malware that were at all any risk to somebody who has any level of sense at all, with the exception of viruses on crack/keygen sites. I've on rare occasion seen alleged software download links that actually contain viruses, but these were pretty obvious. When that software you were downloading results in a few kilobyte executable when you were expecting something much larger, that is a pretty good indicator that something is wrong. In such a case, one should upload the file to VirusTotal, which is a site that scans anything you upload with virtually all the different virus scanners out there.
Nevertheless, there are some scene-associated sites where I am more comfortable downloading files from without scanning the results than even microsoft.com, or kernel.org.
-
Re:TROJAN?!
Nope. Only 12 out of 41 and none of the high quality ones detect it as a trojan.
-
Re:Does this affect all browsers?
Firefox and IE are the targets of the trojan once it already has control over your computer. That doesn't mean they are "vulnerable" or are in need of patches.
Only the last link in the Slashdot article discusses how these attackers gained control over your computer:
After redirection, the exploit payload site returns highly obfuscated malicious code. The malicious code attempts to exploit MS06-014 (targeting MDAC) and CVE-2006-5820 (targeting AOL SuperBuddy), as well as employing exploits targeting Acrobat Reader and QuickTime. The MS06-014 exploit code will download a Trojan dropper with low AV detection rate. This dropper drops a dll with the name SOCKET2.DLL to Windows' system folder. This file is used to steal user information. The malicious PDF file, served by the exploit site, also has very low AV detection rate.
So, basically an IE hole that was fixed in 2006, plus a handful of plugin vulnerabilities. They didn't even bother looking for an old Firefox vulnerability to exploit, perhaps because too many Firefox users are up-to-date.
-
Re:...uneducated Mac fanboyism...
that's why you:
- first read all torrent comments and see if someone has labeled it as infected
- wait a week or two and scan with various AV software or use http://www.virustotal.com/ and http://virusscan.jotti.org/ (let suckers train the AV software)
- always look first for serials, and (as mentioned) get the demo from the official site. Keygens are easier to scan than the whole program, because of size.
- run in a sandbox or something.
-
Re:How we deal with pirated programs?
If your browser is not using an English locale, make sure you click "English" at the top of the page before submitting your suspicious keygen. Otherwise the upload tends to fail.
-
Re:The list
You're running the risk of infecting other people without decent antivirus software y'know. I do know how you feel, on-access stuff does seem to slow down systems a lot.
Sounds like you need a decent snapshot system to save re-installing, mind you by the time you come to use it, all the old software needs updating anyway. I'd stick to *nix boxes.
Still, that site *is* good for testing little files you're slightly suspicious of, rather than being unsure. Hell, I use it sometimes just cos I'm wondering what exactly is in some viruses, and what antivirus packages detect it, and what they think it is. I'm not a sponsor of virustotal.com or anything, I just think it's kinda cool and useful.
-
Re:The list
ClamAV, but no live scanning. AVG is what I recommend for most customers; it's pretty decent but not amazing.
For testing individual files, I highly recommend trying Virus Total. Upload a single file and they'll test it with a LOAD of different antivirus programs. Worth it for those small files you don't trust.
-
Re:Well...
Use this free service: http://www.virustotal.com/
Upload your exe, and it will check if the last updated antiviruses tag it as a virus.
-
keygens, magical jelly bean etc...
Several of the AV packages mark these as trojans. Just to be on the safe side, upload a sample to virustotal which checks with around 30 different products.
It's always good to have a second opinion - see e.g. portable ClamWin
Andy
-
Re:It's sad...
Antivirus is one of those things that(at least until actual heuristic scanning that seriously works comes out) leans heavily on having a whole bunch of security guys and worker drones hammering out signature updates all day every day. That isn't something that falls under "The Open Source is strong with this one".
Hmmm, not sure I agree. I have always thought that the open source community could do a great job with antivirus.
The key is to get a large community of people who, when they discover a new virus, contribute their knowledge back to the open source project. And I think this is actually working with ClamAV.
I know that I have submitted my share of viruses... when I get an email offering me a cool new screen saver, and the file is called "screensave.scr.exe", I scan it with ClamAV. If ClamAV doesn't spot anything wrong, I'll submit that file to the ClamAV project.
Usually I submit the file at VirusTotal first, and attach the report to my submission.
ClamAV gets signatures very quickly for new viruses as they appear. The whole signature-based game is a continual game of catchup, though. I agree that heuristic-based scanning would be preferable, but that seems like a hard problem.
steveha
-
Re:The majority of anti-virus/anti-malware?
Forgot the link to the chart
-
Re:That's why I
I do something similar (Avast installed, ClamWin on a memory stick as a second opinion, Sysinternals Process Explorer as the task manager and Spybot-S&D (minus TeaTimer). RegProt as an ersatz registry settings protector. In the last resort - and I have used it a few times - I upload suspect files to Hispasec's VirusTotal.
(But for my non tech friends machines it's usually AVG + spybot. No zonealarm because it causes more grief for non tech users especially when programs update themselves).
Andy
-
Re:Worrisome...
"Trojan Generic..." Yeah, right. That's not a trojan sig that the antivirus recognized, it's just a heuristic that tags possible malware. Only 3 out of 32 antivirus programs complain. The message "Suspicious Self Modifying File" indicates that it's probably just because they used an uncommon packer.
OFFsystem sez:
That is a false positive. We are still trying to figure out how to tell them about it.
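The "detection" comment earlier on this page lists five engine verdicts out of fifty-three, and the comment above argues that three generic/heuristic hits out of thirty-two most likely mean an uncommon packer rather than a trojan. The script below is an added example, not code from any commenter or from VirusTotal: it parses a per-engine list in the "- Engine - Label" form used in that earlier comment, counts how many verdicts are heuristic rather than named, and tallies which family name the engines agree on. The first sample is the five lines quoted in that comment (total of 53 engines as stated there); the second is a constructed 3-of-32 report with placeholder engine names (EngineA, EngineB, EngineC). The marker lists, stop-words and verdict strings are this example's own assumptions.

```python
"""Triage a VirusTotal-style per-engine detection list (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Label fragments that mark a heuristic or generic verdict rather than a named family (assumed list).
HEURISTIC_MARKERS = ("generic", "heur", "suspicious", "variant of", "packed", "gen:")
# Tokens naming a platform, a threat class or a vendor prefix, not a malware family (assumed list).
STOPWORDS = {"trojan", "spy", "android", "androidos", "win32", "w32", "heur",
             "generic", "variant", "mal", "virus", "riskware", "tool"}

# Quoted from the "detection" comment on this page (5 of 53 engines at report time).
SAMPLE_ANDROID_REPORT = """
- Avira AntiVir - Android/FakeInst.ES.4
- Baidu-International - Trojan.Android.FakeInst.bES
- ESET - a variant of Android/Morcut.A
- Kaspersky - HEUR:Trojan-Spy.AndroidOS.Mekir.a
- ThreatTrack VIPRE - Trojan.AndroidOS.Generic.A
"""

# Constructed sample with placeholder engine names: the 3-of-32 packer situation above.
SAMPLE_PACKED_REPORT = """
- EngineA - Trojan.Generic.12345
- EngineB - Suspicious Self Modifying File
- EngineC - Gen:Variant.Packed.Unknown
"""


@dataclass
class Detection:
    engine: str
    label: str

    def is_heuristic(self) -> bool:
        low = self.label.lower()
        return any(m in low for m in HEURISTIC_MARKERS)

    def family_tokens(self) -> set:
        # Split on anything that is not a letter or digit, then drop noise tokens.
        toks = re.split(r"[^A-Za-z0-9]+", self.label)
        return {t.lower() for t in toks
                if len(t) >= 3 and not t.isdigit() and t.lower() not in STOPWORDS}


def parse_report(text: str) -> list:
    """Parse lines of the form '- Engine - Label'; lines without a label are skipped."""
    dets = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("- "):
            continue
        engine, sep, label = line[2:].partition(" - ")
        if sep and label.strip():
            dets.append(Detection(engine.strip(), label.strip()))
    return dets


@dataclass
class Triage:
    hits: int
    total: int
    ratio: float
    heuristic_hits: int
    top_family: str
    family_votes: int
    verdict: str


def triage(dets: list, total_engines: int) -> Triage:
    """Summarise consensus: how many engines fire, how many only heuristically, and on which family."""
    hits = len(dets)
    heuristic = sum(1 for d in dets if d.is_heuristic())
    named = [d for d in dets if not d.is_heuristic()]
    votes = Counter()
    for d in dets:
        votes.update(d.family_tokens())
    top, n = votes.most_common(1)[0] if votes else ("", 0)
    if hits == 0:
        verdict = "no-detections"
    elif not named:
        verdict = "heuristic-only"          # packer/false-positive candidate: confirm with the vendor
    elif n >= 2:
        verdict = "named-family-consensus"  # independent engines agree on a family name
    else:
        verdict = "named-but-inconsistent"
    return Triage(hits, total_engines, hits / total_engines, heuristic, top, n, verdict)


if __name__ == "__main__":
    print(triage(parse_report(SAMPLE_ANDROID_REPORT), 53))
    print(triage(parse_report(SAMPLE_PACKED_REPORT), 32))
```

A low hit ratio on its own is ambiguous: in the first sample two engines independently name the same family (FakeInst), which is the early-detection pattern the "detection" comment goes on to describe when the count rises to 13/53, whereas in the second sample every hit is a generic or packer heuristic, which is the pattern the comment above reads as a false positive.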
-
current version on sourceforge is 0.19.7
Just checked. Downloaded the latest windows installer and it checks clean with Avast, ClamWin, AVG 8.
You could try uploading the version you have to virustotal.
Andy
-
Re:I like to look
This is an executable, and AVG does not include coverage right now. FF will not save you, either.
Translation: PWND
http://www.virustotal.com/analisis/13bfb6913f9c328c7b657fce4ba4c731
-
Re:Even better
you mean this RatioFaker : http://www.virustotal.com/nl/analisis/5d4aeef92b11cfb38f6d0b1811706eca/
-
Re:Why things like this happen
Take the file in question and send it to VirusTotal. There you can see whether your AV tool is the only one who claims an infection, or whether more AV manufacturers consider it a threat.
Now, this is of course not a 100% surefire way to detect a false alarm, but it usually is a good indicator. Especially when it comes to system files. Infectors are today a tiny minority of malware; malware (especially commercial malware) comes in the form of trojans which don't infect files but try to dig into the system and become part of it. So, I'd wager in about 99% of all cases, such an alleged infection of a system file is a false alarm.
-
There is a better strategy
Never install anything executable where you do not trust the author.
No single virus for all these years.
And if you do really need something, try
http://www.virustotal.com/en/indexx.html
-
Re:It Could Be Rising Tech Really Is Malicious
Well, minutes do make a difference, of course, when you're getting the update 5 minutes after the infection. Generally, though, you'll see that most updates of the "good" AV kits come within 5 hours of each other.
And yes, Clam even has occasionally the lead. Most of the time, though, this happens when it happens to detect a variant of the virus with a detection written actually for another variant, that happens to match the new variant as well, due to its detection algorithm.
But you can check for yourself. When you get a hold of a piece of malware, throw it towards Virustotal and see which scanners do and which ones don't find it. I do it on a regular basis and generally, for most malware, you see a certain development.
1. One AV tool finds it. Usually it's Kaspersky.
2. A few follow shortly after. One gets the impression that a few AV vendors have some kind of agreement to distribute the malware amongst them. It's fairly obvious, and it's not hard to figure out the "circle of AV pals" working together here.
3. After a LONG while (usually between a few hours and a day or two), some others follow.
4. Some don't find it after a week, unless the malware is so far spread that everyone has it.
Clam usually falls in category 3. Sometimes, unfortunately, into cat 4. Should you get a hold of a current piece of malware, try it for yourself.
-
Re:Happened to me too
Why should the onus be on ME to check THEY haven't stuffed up? You can't install and run all the different brands of AV software on one PC, unless you install a bunch of virtual machines with one AV prog on each, and then you'd have to update the definitions daily.
Try Virustotal for a service that does this for you.
-
Re:Yes, with Avira AntiVir
Avira AntiVir also reported a virus in my windows-based installer, and a couple of others reported it as suspicious. I reported it to Avira, and they came back fairly quickly with a confirmation that it was a false positive, and that it would be fixed in a future definition update (they didn't say when).
I was using UPX to compress the executable header on an NSIS installer, which seemed to be a combination likely to freak out the "smart" detection of many scanners. Avoiding the use of UPX on the installer cleared everything up for me, though it was still annoying that I wasted a couple of hours on it and had to convince the reporting user that there really wasn't a problem!
I ended up using http://www.virustotal.com/ to check my new installer against about 25 of the major scanners - very handy free site...
-
virustotal
Only a few major antivirus vendors consider this malware.
Complete scanning result of "ZCodec1000.exe", received in VirusTotal at 09.05.2006, 03:14:11 (CET).
http://www.virustotal.com/vt/en/resultadof?c0625fe6555efe005bebfb3d39f6f327
Additional Information
File size: 97469 bytes
MD5: 97b95a0a9c31000b6f873320d7acd012
SHA1: 1e1b12288dd48ab02a8e8c5afd8e2997d33867e8
-
VirusTotal
VirusTotal... it's free, web-based, and uses many different AV scanners: http://www.virustotal.com/
-
Re:Taught thinking
Next time send it to the Norman sandbox or virustotal.