Posted by Virus Guy on April 21, 2006, 9:26 am
Nick FitzGerald wrote:
> Hmmmm -- the file at that URL doesn't match that description.
> I get 69,776 and 81,552 bytes unpacked...
Well, isn't that interesting.
I just downloaded it (I assumed it was a static file) but I get this:
April 21 8:40 am:
Packed (as down-loaded): 70,672 bytes
Unpacked (with UPX): 82,448 bytes
On April 14 (10 am) I got 71,456 and 83,232 bytes
VirusTotal is currently NOT RESPONDING at all, so I'm not able to run
the new versions to see what they contain.
The website www.media-codec.com seems designed to just deliver these
files - practically no content on the site about who or what they
(media-codec.com) is.
------------
Domain Name: MEDIA-CODEC.COM
Registrant:
Lemos Adamantios
(lemos@securitywarnings.net)
aktis 119, vouliagmeni
athens, GR
Creation Date: 08-Apr-2006
Expiration Date: 08-Apr-2007
------------
The domain was registered very recently.
The domain "securitywarnings.net" is suspect:
------------
Domain Name: SECURITYWARNINGS.NET
Registrant:
Mag Dicacik
(****@sexpicsporn.com)
P.O Box 3728 Praha
4749 CZ
Creation Date: 14-Nov-2005
Expiration Date: 14-Nov-2006
------------
Sexpicsporn.com?
The ip address for www.media-codec.com resolves to 85.255.116.252,
which seems to be located in the Ukraine.
I think it's a no-brainer that www.media-codec.com is designed
specifically to deliver the trojan Zlob.
Group 1: (detection only in original packed file)
> > AntiVir: TR/Dldr.Zlob.HQ.1
> > Avira: TR/Dldr.Zlob.HQ.1
> > BitDefender: Trojan.Downloader.Zlob.HQ
> > Ikarus: Trojan.Favadd
> > Panda: Suspicious file
Group 2: (detection in both packed and unpacked file)
> > Fortinet: W32/Zlob.LJ!dldr
> > Kaspersky: Trojan-Downloader.Win32.Zlob.lj
> > NOD32v2: Win32/TrojanDownloader.Zlob.LD
> > VBA32: Trojan-Downloader.Win32.Zlob.lj
> > Note that there is no over-lap between the above 2 groups in
> > the name/identifier used, but there is considerable similarity
> > within the groups. For example AntiVir, Avira and BitDefender
> > use the term "Zlob.HQ", while Fortinet, Kaspersky, and VBA32
> > use "Zlob.LJ".
>
> This is normal virus naming inconsistency -- nothing to take from
> it at all
I'm fully aware that different names are frequently given to the same
malware by the AV vendors.
In this case, we have basically 2 different names or variants: HQ and
LJ.
But what are the odds that the 2 names would be split along the lines
of the groupings listed above?
That would indicate some commonality or cooperation within:
Group 1: AntiVir, Avira, BitDefender
Group 2: Fortinet, Kaspersky, Nod32, VBA32
> > 1) Many high-profile AV products are not detecting any threat
> > in these files. Either they are deficient, or the files
> > are clean and this is a false alarm.
>
> You missed at least one option -- your understanding of how
> popular AV software works is deficient...
Please provide some additional backup or clarity for that statement.
> Known virus/malware scanning technology requires that the developer
> or maintainer of such software gets and analyses samples of new
> viruses/ malware so as to add detection (and possibly cleanup) to
> their product.
Of that I am well aware, and made no claim to the contrary.
> You found a new-ish malware ...
>
> This happens all the time.
Naturally, every piece of malware is "new" at least once in its
life. The fact that some AV software is detecting Zlob and others
aren't provides a strong basis to say that some AV software IS
deficient (in this case) in their ability to gather, analyze, and
include new malware in their detection inventory.
> If that is deficient it is because the whole model is deficient,
> not because any given product is.
Oh, I see now. I touched a nerve because your favorite AV software
was among the group that didn't detect the malware (or perhaps it
detected Zlob only in the packed file?).
> By your rationale above, these files mean we should also say that
> the scanners you suggest the above data shows are not inadequate
> are, in fact, inadequate by your own standard.
AV software is inadequate if it signals a positive detection in a
packed or compressed version of a malware sample, but signals a
negative detection when the file is unpacked.
For example, if someone downloads and installs the above Zlob file,
and during the course of installation the trojan deletes its own
compressed archive, then AV software that signals a positive detection
on the compressed archive will naturally NOT detect the presence of
the infection because the original archive is no longer present.
Most people would be pissed if that's how their AV software behaved.
> And, I'm sure I only need look back less than 24 hours ...
What bug got up your ass?
Face it. Some AV software is better than others, some are faster than
others at incorporating new detections, and some can signal a positive
detection no matter how many ways the file is packed or unpacked.
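The post above compares detections on the UPX-packed download against the unpacked binary, and splits the scanners into a "packed-only" group and a "both forms" group by hand. The following is an added example, not code from the original thread or from any of the vendors named: it parses a PE section table to flag the UPX section names (UPX0/UPX1/UPX!, the usual tell that a sample still needs `upx -d` before scanning), hashes both forms so the two artifacts can be tracked separately, and sorts scanner verdicts into the same groups the post uses. The PE images and the per-scanner verdict table are constructed inline for the example; the verdict values mirror the groupings quoted in the post and are not live scan results.

```python
import hashlib
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX!"}


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image by walking the COFF header.

    Raises ValueError on anything that is not a (minimally) well-formed PE,
    so a truncated or non-PE download is reported rather than silently
    treated as 'not packed'.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True if any section carries a UPX stub name (UPX0, UPX1, UPX!, ...)."""
    return any(n in UPX_SECTION_NAMES or n.startswith("UPX")
               for n in pe_section_names(data))


def sample_record(packed: bytes, unpacked: bytes) -> dict:
    """Sizes and SHA-256 of both artifacts, kept side by side as the post does."""
    return {
        "packed": {"size": len(packed), "sha256": hashlib.sha256(packed).hexdigest()},
        "unpacked": {"size": len(unpacked), "sha256": hashlib.sha256(unpacked).hexdigest()},
    }


def classify_verdicts(verdicts: dict) -> dict:
    """Group scanners by where they fire.

    verdicts maps scanner -> (detected_packed, detected_unpacked).
    'packed_only' is the group the post calls inadequate: once the
    installer removes the downloaded archive, nothing is left to detect.
    """
    groups = {"packed_only": [], "both": [], "unpacked_only": [], "neither": []}
    for scanner, (on_packed, on_unpacked) in sorted(verdicts.items()):
        if on_packed and on_unpacked:
            key = "both"
        elif on_packed:
            key = "packed_only"
        elif on_unpacked:
            key = "unpacked_only"
        else:
            key = "neither"
        groups[key].append(scanner)
    return groups


def build_test_pe(section_names: list) -> bytes:
    """Construct a minimal PE32 image with the given section names (test data only)."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 0xE0  # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), 0x1000, 0, 0x200, 0, 0, 0, 0, 0, 0)
        for n in section_names)
    return dos + b"PE\0\0" + coff + opt + sections


# Constructed verdict table following the two groups quoted in the post.
EXAMPLE_VERDICTS = {
    "AntiVir": (True, False), "Avira": (True, False), "BitDefender": (True, False),
    "Ikarus": (True, False), "Panda": (True, False),
    "Fortinet": (True, True), "Kaspersky": (True, True),
    "NOD32v2": (True, True), "VBA32": (True, True),
}

if __name__ == "__main__":
    packed = build_test_pe(["UPX0", "UPX1", ".rsrc"])
    unpacked = build_test_pe([".text", ".rdata", ".data", ".rsrc"])
    print("download is UPX-packed:", looks_upx_packed(packed))
    print(sample_record(packed, unpacked))
    for group, scanners in classify_verdicts(EXAMPLE_VERDICTS).items():
        print(f"{group}: {', '.join(scanners) or '-'}")
```

In practice the `unpacked` input is whatever `upx -d` (or a debugger dump) produces from the download; the point of keeping both hashes is that a scanner verdict belongs to a specific artifact, and a detection on the packed download says nothing about the file that actually ends up on disk after installation.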