Published: 2008-05-02
Last Updated: 2008-05-02 14:20:12 UTC
by Adrien de Beaupre (Version: 1)
Ever read through your spam sometimes to see what's popular? Of course you may also get a fresh serving of malware, which makes it very worthwhile. "Hi, remember me?..
new fotos(archived) you asked ;))
Angella O."

Well, no, I don't remember an Angella that I have met recently, particularly not someone who might send me photos. But I'll bite. A simple wget scores me an exe. VirusTotal results are depressingly consistent: 4/32.

Antivirus           Version   Last Update   Result
AntiVir             -         2008.05.02    TR/Crypt.XPACK.Gen
CAT-QuickHeal       9.50      2008.05.01    (Suspicious) - DNAScan
eSafe               -         2008.04.28    Suspicious File
Webwasher-Gateway   6.6.2     2008.05.02    Trojan.Crypt.XPACK.Gen

Additional information
File size: 167936 bytes
MD5:  cb1de4847ca840f8837fc8381ec6b0cb
SHA1: 26c018e4968e6dc092d5389759e939f741bb66b3

So, only generic detection when the file was first seen; how about 12 hours later? Nope, same results.

Adrien de Beaupré
Bell Canada


Keywords: malware spam
YOU received the only sample ever distributed from that server!
The sample was changed right after your download (Rem: we already see servers that change the binary every 30 mins!)

Every sample is well tested against all known AV so that generic detection will not fire!

NO AV vendor will ever be able to write a signature against that sample, unless you send that sample, and if he does, he will publish a signature to millions of users for which that signature is simply useless! We already have over 700.000 detections in F-Secure and I personally expect over 1.3 Mio until end 2008!

If you want to be protected you need good HIPS-based behavioral blocking!
Install the ISTP (Internet Security Technology Preview) from F-Secure http://support.f-secure.com/beta/istp/is2009beta.shtml and START that EXE.

THAT is the future of how to combat malware! No more "scan-before-start"! It is just "monitor-while-running"

So please stop complaining about AVs not detecting unless you run that malware while you are protected by that AV!

BTW: AV vendors meet these days in Amsterdam to discuss new AV testing; see http://www.amtso.org/
Can you submit it to cwsandbox so we can check out what it does? Maybe it can be linked to a better known variant that way.
Adrien's sample does not match the scenario that I described above. He told me that the sample was available for quite some time. Nevertheless the story stays the same, as that is what we will be threatened by: malware that is not detected by AVs based on signatures!

