Date: 23 December 2010
Good afternoon,
I thought I'd follow up on the blog that I wrote on Tuesday regarding the malware that was targeting Australians. Let's start by reviewing how successful we have been in increasing the detection rates of these binaries.
javaobe.jar -> MD5 = eaecf10ba5163edd3975e1393bf662e0
(columns in each table below: antivirus engine, engine version, signature date, detection name)
GData 21 2010.12.23 Java:Jade-A
Microsoft 1.6402 2010.12.23 TrojanDownloader:Java/OpenConnection.JQ
AhnLab-V3 2010.12.23.01 2010.12.22 Java/Downloader
Kaspersky 7.0.0.125 2010.12.23 Trojan-Downloader.Java.OpenConnection.ck
Symantec 20101.3.0.103 2010.12.23 Downloader
AVG 9.0.0.851 2010.12.23 Java/Downloader.AW
Emsisoft 5.1.0.1 2010.12.23 Trojan-Downloader.Java.OpenConnection!IK
PCTools 7.0.3.5 2010.12.23 Downloader.Generic
AntiVir 7.11.0.144 2010.12.22 Java/Agent.JB
Ikarus T3.1.1.90.0 2010.12.23 Trojan-Downloader.Java.OpenConnection
Sophos 4.60.0 2010.12.23 Mal/JavaHeL-F
TrendMicro 9.120.0.1004 2010.12.23 JAVA_EXPL.III
TrendMicro-HouseCall 9.120.0.1004 2010.12.23 JAVA_DLOADR.WEQ
Antiy-AVL 2.0.3.7 2010.12.23 Trojan/Java.OpenConnection
Avast 4.8.1351.0 2010.12.22 Java:Jade-A
Avast5 5.0.677.0 2010.12.22 Java:Jade-A
On Tuesday, 8 out of 43 vendors detected this sample; today it is detected by 16 of 43 (37.21%).
pdf1.pdf -> MD5 = 05d22c4d1e53d2889a516f8113c0b63c
GData 21 2010.12.23 JS:Pdfka-gen
Microsoft 1.6402 2010.12.23 Exploit:Win32/Pdfjsc.KY
F-Secure 9.0.16160.0 2010.12.23 Exploit:JS/Pdfka.Y
Kaspersky 7.0.0.125 2010.12.23 Exploit.JS.Pdfka.dbt
Symantec 20101.3.0.103 2010.12.23 Trojan.Gen.2
AVG 9.0.0.851 2010.12.23 Exploit_c.TMD
Norman 6.06.12 2010.12.23 JS/Shellcode.JZ
Emsisoft 5.1.0.1 2010.12.23 Exploit.JS.Pdfka!IK
TrendMicro-HouseCall 9.120.0.1004 2010.12.23 TROJ_PIDIEF.XSE
AhnLab-V3 2010.12.23.01 2010.12.22 PDF/Exploit
PCTools 7.0.3.5 2010.12.23 Trojan.Gen
Sophos 4.60.0 2010.12.23 Mal/PDFEx-J
NOD32 5726 2010.12.22 JS/Exploit.Pdfka.OOR
AntiVir 7.11.0.144 2010.12.22 EXP/Pdfka.BZ
TrendMicro 9.120.0.1004 2010.12.23 TROJ_PIDIEF.XSE
Avast 4.8.1351.0 2010.12.22 JS:Pdfka-gen
Avast5 5.0.677.0 2010.12.22 JS:Pdfka-gen
Ikarus T3.1.1.90.0 2010.12.23 Exploit.JS.Pdfka
Today this malware is detected by 18 of 42 vendors (42.86%), a big improvement on the zero detections we had on Tuesday.
pdf2.pdf -> MD5 = c3ed1a578cb92b83a55bcecf80564e71
AhnLab-V3 2010.12.23.01 2010.12.22 PDF/Exploit
GData 21 2010.12.23 JS:Pdfka-gen
Microsoft 1.6402 2010.12.23 Exploit:Win32/Pdfjsc.KZ
Symantec 20101.3.0.103 2010.12.23 Trojan.Gen.2
F-Secure 9.0.16160.0 2010.12.23 Exploit:JS/Pdfka.Z
Kaspersky 7.0.0.125 2010.12.23 Exploit.JS.Pdfka.dbu
VIPRE 7768 2010.12.23 Exploit.AdobeReader.gen (v)
NOD32 5726 2010.12.22 PDF/Exploit.Pidief.PFG
AVG 9.0.0.851 2010.12.23 Exploit_c.TME
Sophos 4.60.0 2010.12.23 Troj/PDFJs-OY
PCTools 7.0.3.5 2010.12.23 Trojan.Gen
Avast 4.8.1351.0 2010.12.22 JS:Pdfka-gen
TrendMicro-HouseCall 9.120.0.1004 2010.12.23 TROJ_PIDIEF.SMZB
Avast5 5.0.677.0 2010.12.22 JS:Pdfka-gen
TrendMicro 9.120.0.1004 2010.12.23 TROJ_PIDIEF.SMZB
This sample also improved, though not as much as we'd like: it went from 2 of 43 vendors detecting it to 15 of 43 (34.88%).
mxmt.exe -> MD5 = 7e186ad404f718e02585d82c0436e200
Comodo 7155 2010.12.22 TrojWare.Win32.Trojan.Agent.Gen
Microsoft 1.6402 2010.12.23 PWS:Win32/Zbot.gen!Y
AhnLab-V3 2010.12.23.01 2010.12.22 Win-Trojan/Zbot.151616.B
NOD32 5726 2010.12.22 a variant of Win32/Kryptik.JBF
BitDefender 7.2 2010.12.23 Gen:Variant.Kazy.6256
F-Secure 9.0.16160.0 2010.12.23 Trojan:W32/Krap.AO
GData 21 2010.12.23 Gen:Variant.Kazy.6256
Norman 6.06.12 2010.12.23 W32/FakeAV.ACCO
nProtect 2010-12-22.01 2010.12.22 Gen:Variant.Kazy.6256
Symantec 20101.3.0.103 2010.12.23 Trojan.ADH.2
AVG 9.0.0.851 2010.12.23 Crypt.AEVL
Emsisoft 5.1.0.1 2010.12.23 Packed.Win32.Krap!IK
Kaspersky 7.0.0.125 2010.12.23 Packed.Win32.Krap.ao
PCTools 7.0.3.5 2010.12.23 Trojan.ADH
VIPRE 7768 2010.12.23 Trojan.Win32.Generic!BT
VirusBuster 13.6.108.0 2010.12.22 Trojan.PWS.Zbot!Tsi6fSi8xdQ
AntiVir 7.11.0.144 2010.12.22 TR/Agent.AO.115
Antiy-AVL 2.0.3.7 2010.12.23 Packed/Win32.Krap
Avast 4.8.1351.0 2010.12.22 Win32:FakeSysdef-G
Avast5 5.0.677.0 2010.12.22 Win32:FakeSysdef-G
Fortinet 4.2.254.0 2010.12.21 W32/Krap.GAO!tr
Ikarus T3.1.1.90.0 2010.12.23 Packed.Win32.Krap
Panda 10.0.2.7 2010.12.22 Trj/CI.A
Sophos 4.60.0 2010.12.23 Mal/FakeAV-EA
TrendMicro 9.120.0.1004 2010.12.23 TROJ_KRYPTIK.ASQ
TrendMicro-HouseCall 9.120.0.1004 2010.12.23 TROJ_KRYPTIK.ASQ
An excellent improvement: detections rose from 8 to 26 of 43 vendors (60.47%).
ikyle.exe -> MD5 = 7cecdd9f7e663b450317e2b23bb4c4f9
Fortinet 4.2.254.0 2010.12.21 W32/Krap.GAO!tr
Norman 6.06.12 2010.12.23 W32/Zbot.VVP
Symantec 20101.3.0.103 2010.12.23 SystemTool
AhnLab-V3 2010.12.23.01 2010.12.22 Win-Trojan/Zbot.152592.B
DrWeb 5.0.2.03300 2010.12.23 Trojan.PWS.Panda.570
F-Secure 9.0.16160.0 2010.12.23 Trojan:W32/Krap.AZ
Kaspersky 7.0.0.125 2010.12.23 Packed.Win32.Krap.ao
Microsoft 1.6402 2010.12.23 PWS:Win32/Zbot.gen!Y
AVG 9.0.0.851 2010.12.23 Cryptic.BQY
BitDefender 7.2 2010.12.23 Gen:Variant.Kazy.6226
eSafe 7.0.17.0 2010.12.22 Win32.GenVariant.Kaz
GData 21 2010.12.23 Gen:Variant.Kazy.6226
NOD32 5726 2010.12.22 a variant of Win32/Kryptik.JAK
nProtect 2010-12-22.01 2010.12.22 Gen:Variant.Kazy.6226
Emsisoft 5.1.0.1 2010.12.23 PWS.Win32!IK
eTrust-Vet 36.1.8055 2010.12.22 Win32/Zbot.DQO
McAfee 5.400.0.1158 2010.12.23 Generic FakeAlert.am
McAfee-GW-Edition 2010.1C 2010.12.22 Generic FakeAlert.am
Panda 10.0.2.7 2010.12.22 Trj/CI.A
PCTools 7.0.3.5 2010.12.23 SystemTool
Sophos 4.60.0 2010.12.23 Troj/Agent-PVM
VIPRE 7768 2010.12.23 Trojan.Win32.Generic!BT
VirusBuster 13.6.108.0 2010.12.22 Trojan.PWS.Zbot!dLwCtyLvDl0
AntiVir 7.11.0.144 2010.12.22 TR/Agent.AO.114
Antiy-AVL 2.0.3.7 2010.12.23 Packed/Win32.Krap.gen
Avast 4.8.1351.0 2010.12.22 Win32:FakeSysdef-G
Avast5 5.0.677.0 2010.12.22 Win32:FakeSysdef-G
CAT-QuickHeal 11.00 2010.12.23 (Suspicious) - DNAScan
Ikarus T3.1.1.90.0 2010.12.23 PWS.Win32
Prevx 3.0 2010.12.23 Medium Risk Malware
TrendMicro 9.120.0.1004 2010.12.23 TROJ_KRYPTIK.ASR
TrendMicro-HouseCall 9.120.0.1004 2010.12.23 TROJ_KRYPTIK.ASR
This sample also improved impressively, jumping from 17 to 32 of 43 vendors (74.42%).
So, why is this important? Because new malware emerges every day, and on the day it lands a signature scanner may miss it outright: on Tuesday these five samples were detected by 8, 0, 2, 8 and 17 of 43 vendors respectively. I want you to think about two things here:
1. Use multiple scanning engines; that increases your chances that at least one vendor already has a signature. Two caveats: the tables above come from signature scans of the files alone, so they do not show what a vendor's full product (heuristics, behaviour blocking, reputation) would have done on a live system, and names are not standardised across vendors, so the same mxmt.exe is called Zbot, Krap, Kazy, Kryptik and FakeAV above. Use the count as a signal, not any one name as the verdict.
2. Most importantly, we won't need to clean our friends' and family's systems if we ensure they keep all their software up to date. Look at what the samples are: the jar is flagged as a Java exploit/downloader, the two PDFs as PDF reader exploits, and the executables are the payloads they fetch. A current Java runtime and PDF reader would have stopped the chain before any signature was needed.
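As an added example (my code, not the diary author's or any vendor's), here is a small Python script that does the two things a responder would want to do with this post: parse result lines in the format pasted above into (vendor, version, signature date, name) tuples and compute the detection rate the post quotes, with a rough cross-vendor family vote that shows how much naming differs between engines; and sweep a directory for files whose MD5 matches one of the five hashes listed above. The embedded table is the javaobe.jar list from this post. Assumptions: the engine total (42 or 43) is passed in by the caller because it is not part of the table, the GENERIC token set is my own choice, and the file written by the self-check is constructed test content, not a sample.

```python
# Added example, not the diary author's code: score a pasted result table as the
# post does and sweep a directory for the five MD5s it lists. Assumes result lines
# read 'vendor version YYYY.MM.DD result'; the engine total (42/43) is passed in.
import hashlib
import os
import re
import tempfile
from collections import Counter

# The five MD5s quoted in the diary, keyed to the file names used in the post.
IOC_MD5 = {
    "eaecf10ba5163edd3975e1393bf662e0": "javaobe.jar",
    "05d22c4d1e53d2889a516f8113c0b63c": "pdf1.pdf",
    "c3ed1a578cb92b83a55bcecf80564e71": "pdf2.pdf",
    "7e186ad404f718e02585d82c0436e200": "mxmt.exe",
    "7cecdd9f7e663b450317e2b23bb4c4f9": "ikyle.exe",
}

# The javaobe.jar table from the post, embedded so the script runs offline.
JAVAOBE_RESULTS = """
GData 21 2010.12.23 Java:Jade-A
Microsoft 1.6402 2010.12.23 TrojanDownloader:Java/OpenConnection.JQ
AhnLab-V3 2010.12.23.01 2010.12.22 Java/Downloader
Kaspersky 7.0.0.125 2010.12.23 Trojan-Downloader.Java.OpenConnection.ck
Symantec 20101.3.0.103 2010.12.23 Downloader
AVG 9.0.0.851 2010.12.23 Java/Downloader.AW
Emsisoft 5.1.0.1 2010.12.23 Trojan-Downloader.Java.OpenConnection!IK
PCTools 7.0.3.5 2010.12.23 Downloader.Generic
AntiVir 7.11.0.144 2010.12.22 Java/Agent.JB
Ikarus T3.1.1.90.0 2010.12.23 Trojan-Downloader.Java.OpenConnection
Sophos 4.60.0 2010.12.23 Mal/JavaHeL-F
TrendMicro 9.120.0.1004 2010.12.23 JAVA_EXPL.III
TrendMicro-HouseCall 9.120.0.1004 2010.12.23 JAVA_DLOADR.WEQ
Antiy-AVL 2.0.3.7 2010.12.23 Trojan/Java.OpenConnection
Avast 4.8.1351.0 2010.12.22 Java:Jade-A
Avast5 5.0.677.0 2010.12.22 Java:Jade-A
"""

# vendor, engine version, signature date, result (may contain spaces, so last).
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")

# My own list of name tokens that carry no family information; ignored in the vote.
GENERIC = {"trojan", "win32", "w32", "gen", "generic", "variant", "java", "js",
           "pdf", "exploit", "downloader", "mal", "troj", "packed", "pws", "exp"}

def parse_results(text):
    """Turn pasted result lines into (vendor, version, date, result) tuples."""
    rows = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable result line: %r" % line)
        rows.append(m.groups())
    return rows

def detection_rate(rows, engines_total):
    """Distinct detecting vendors and their share (%) of the engines run."""
    detected = len({row[0] for row in rows})
    return detected, round(100.0 * detected / engines_total, 2)

def family_consensus(rows, top=3):
    """Most frequent non-generic name tokens across vendors: a rough family
    vote, since vendor naming is not standardised (Zbot/Krap/Kazy/Kryptik)."""
    votes = Counter()
    for row in rows:
        tokens = {t.lower() for t in re.split(r"[^A-Za-z]+", row[3])}
        votes.update(t for t in tokens if len(t) >= 3 and t not in GENERIC)
    return votes.most_common(top)

def md5_of_file(path, chunk=1 << 20):
    h = hashlib.md5()  # read in chunks so large files stay out of memory
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep(root, iocs=IOC_MD5):
    """Walk root and return (path, label) for each file whose MD5 is an IOC."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable or vanished mid-walk; keep sweeping
            if digest in iocs:
                hits.append((path, iocs[digest]))
    return hits

def sweep_self_check():
    """Constructed file in a temp dir: sweep() must flag it only when its own
    hash is in the IOC set (the real samples are not to hand)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "constructed.bin")
        with open(path, "wb") as f:
            f.write(b"constructed test content, not a real sample")
        digest = md5_of_file(path)
        return sweep(d, {digest: "constructed"}) == [(path, "constructed")] and sweep(d) == []
```

Paste any of the tables above into parse_results() and call detection_rate(rows, 43) to reproduce the figures in the post; family_consensus() on the javaobe.jar table returns "openconnection" as the leading token even though only five of sixteen vendors use that name. sweep("/path/to/Downloads") matches on MD5 because that is what the post provides; a one-byte change to a sample defeats the match, so a clean sweep means "these exact files are absent", not "the system is clean".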
Thanks for your time.
Regards,
Zane.