Only 12 out of 41 antivirus engines currently detect the malicious payload. From the VirusTotal analysis:
File name: antimalware.exeBehavioral analyses of this malware:
File size: 1572864 bytes
MD5...: d7cb2ac94a4ad92df54f46fa1a1518dc
SHA1..: 065af3ef68d32b686b61b0a144c83bdfa352b2e1
SHA256: 959d2f7efc5aa7fa719067d466f73aa4c015adddc5149663351a604beda47314
12/41 detection rate as of 2009.11.10 18:25:06 (UTC)
Variously identified as: Artemis!D7CB2AC94A4A, FraudTool.Win32.RogueSecurity (v), Mal/FakeAV-BP, Medium Risk Malware, Packed.Win32.TDSS.aa, Trojan:Win32/FakeCog, Trojan.FakeCog.DZ, Trojan.Win32.Alureon, W32/FakeAV.C!genr, Win32/Adware.CoreguardAntivirus.A, Adware/CoreguardAV, Win32/AntiMalware.A, Win32:Jifas-BY, Win-Trojan/FakeAV.1572864, HomeProtectionCenter, Adware/SystemGuard2009, Malware-Cryptor.Win32.Trac, Packed/Win32.Tdss.gen, TR/FakeAV.AS.1, TROJ_FAKECOG.AJ, Trojan.FakeAV-200, Trojan.FakeAV.AS.1, Trojan.Generic.2649775, Trojan.TDSS.aa, Trojan.Win32.FakeCog, Trojan.Win32.Generic.51F11C66, Trojan.Win32.Malware.1, Generic.TRA!d7cb2ac94a4a, W32/FakeAlert.DY.gen!Eldorado, Trojan/W32.TDSS.1572864.I, Trojan.Tdss.Dhy, Packed.Tdss.adic, Packed.Win32.Tdss.y (v), etc.
- Panda Xandora (includes screenshots)
- ThreatExpert
- Sunbelt CWSandbox
- Anubis
- http://www.mywot.com/en/scorecard/scansecurityhole.cn
- http://www.mywot.com/en/scorecard/activesecuritygates.cn
- http://www.mywot.com/en/scorecard/activesecuritycard.cn
- http://www.mywot.com/en/scorecard/activelayersecurity.cn
- http://www.mywot.com/en/scorecard/onlinesecurebill.net
- http://www.mywot.com/en/scorecard/78.129.166.141
- http://www.mywot.com/en/scorecard/91.211.117.63
- http://www.mywot.com/en/scorecard/95.169.190.223
- http://www.mywot.com/en/scorecard/95.211.14.162
- http://www.mywot.com/en/scorecard/ns1.activesecuritylivepro.org
- http://www.mywot.com/en/scorecard/ns2.activesecuritylivepro.org
- http://www.mywot.com/en/scorecard/activesecuritylivepro.org
- http://www.mywot.com/en/scorecard/193.169.234.27
- http://www.mywot.com/en/scorecard/193.169.234.28
- http://www.mywot.com/en/scorecard/95.211.14.163
- http://www.mywot.com/en/scorecard/secure.arpayment.com
- http://www.mywot.com/en/scorecard/arpayment.com
UPDATE, 11 Nov 2009 @ 07:20 PST: Added 5 new detection names from Fortinet, MalwareURL, and VirusTotal, and also added 8 related domains identified by hpHosts and MalwareURL.
UPDATE, 13 Nov 2009 @ 12:10 PST: Added 14 new detection names from McAfee and VirusTotal. Detection is still fairly low at only 27 out of 41 engines. In other news, with help from hpHosts the malicious URL hosted at 95.211.14.163 has been taken down. Additionally, the antimalware.exe hosted on scansecurityhole .cn has changed, and has a very low detection rate (currently 5 out of 41):
File name: antimalware.exeBehaviorally it appears to be very similar to the previous sample (see the Xandora, ThreatExpert, and Anubis analyses), except that it contacts different domains:
File size: 1585152 bytes
MD5...: 8d48379fd946e06b12d1ee8fe9efc65b
SHA1..: de3f142cf15ac4fc4eb97b14a3c7ad9a73acb227
SHA256: 647320fa125cd4b540faab30513ca5a3517affc73bf9bb9b48b7507a8fd03246
5/41 detection rate as of 2009.11.13 18:58:28 (UTC)
Variously identified as: Artemis!8D48379FD946, FraudTool.Win32.RogueSecurity (v), Sus/UnkPacker, Trojan.FakeAlert.Gen!Pac.13, W32/FakeAV.C!genr, Packed.Win32.TDSS.aa, W32/FakeAlert.FL!tr, Heur.Suspicious, Medium Risk Malware, Packed.Win32.Tdss, SHeur2.BRRJ, TR/PCK.Tdss.AA.1855, TROJ_FAKEAV.BNY, Trojan:Win32/FakeCog, Trojan.FakeAV, Trojan.PCK.Tdss.AA.1855, Trojan.Win32.Generic.51F15672, W32/FakeAlert.DY.gen!Eldorado, Win-Trojan/FakeAV.1585152, Win32:Malware-gen, Win32/Adware.CoreguardAntivirus.A, Generic FakeAlert.c, Trojan.Tdss.Dkx, Win32/AntiMalware.D trojan, Trojan.TDSS-1247, Packed.Tdss.adld, etc.
- http://www.mywot.com/en/scorecard/activesecuritytool.cn
- http://www.mywot.com/en/scorecard/superactivesecurity.cn
- http://www.mywot.com/en/scorecard/activesecurityzones.cn
- http://www.mywot.com/en/scorecard/useractivesecurity.cn
- http://www.mywot.com/en/scorecard/activesecuritycodes.cn
UPDATE, 16 Nov 2009 @ 08:20 PST: Added 2 new detection names from VirusTotal for the first sample. Current detection is now 30/41. Also added 14 new detection names from Kaspersky, Fortinet, and VirusTotal for the second sample. Current detection is now 24/41. As of the time of this update, scansecurityhole .cn (which has hosted both variants of antimalware.exe) is inaccessible. 11:30 PST: The site is back up again, and it's still hosting the second variant.
UPDATE, 18 Nov 2009 @ 18:30 PST: Added 3 new detection names from VirScan for the first sample and 5 new detection names from McAfee and VirScan for the second sample.
For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.
No comments:
Post a Comment
Comment moderation is enabled. (If you wish to contact Josh privately, you can leave a comment and ask that it not be published.)