Virus from news site
Terrabiticfossilite
13-07-2009, 07:53 PM
Just thought I'd share my experience with a virus I picked up from news.saix.net
I downloaded an EXE, scanned it with Nod32 and ran it but nothing appeared to happen, so I got suspicious.
The next day someone had tried to bid on some WoW characters with my eBay account (155 GBP worth). I suspected my details had been compromised by the download I got the day before - it was the only source I could imagine; my PC is generally clean.
So I installed wireshark and started capturing packets on my LAN card, then ran the exe again. Lo and behold, this program had contacted an FTP site, logged in (plain text) and uploaded what appeared to be all my saved FF user/passwords as well as my outlook user/passwords.
So I sent the file to Nod32 with full details, then decided to mosey on to the guy's site armed with his user/pass for FTP. I found a whole bunch (50 ish) of files with stolen users/passwords for FF, IE, Opera, Chrome, OE, Outlook, MSN, Yahoo Messenger etc.
I deleted the lot and left a rude message for the owner saying he was being investigated for ID theft.
Later in the day I decided, what the heck, I logged in to his web provider using the same credentials picked up from the packet sniff, and got his email addy, sent him a rude message and cancelled his account with the free web provider using their web admin interface.
What else can one do? I kept the EXE and now three days later I have had no feedback from Eset (Nod32) and the file still scans as clean. I'm really surprised at their lack of interest. Of course it doesn't work anymore since the site is down but it won't take the script kiddie long to change the FTP details in his next 'release'...
What would you reckon you would have done?
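A defender-side version of the Wireshark check described in the post above, added here as an example that is not part of the thread: a Python script that reads the text of a Wireshark "Follow TCP Stream" export of an FTP control channel and reports a plaintext login followed by uploads whose names look like saved-password dumps. The transcript, account, password, host and filenames in it are constructed for illustration, and the filename keywords are my own assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, not a real capture: the text a Wireshark
# "Follow TCP Stream" export of an FTP control channel might contain.
# Account, password, address and filenames are invented.
SAMPLE_STREAM = """\
220 ProFTPD Server ready.
USER dropzone-user
331 Password required for dropzone-user
PASS hunter2
230 User dropzone-user logged in
TYPE I
200 Type set to I
PASV
227 Entering Passive Mode (192,0,2,10,195,80)
STOR WORKPC_firefox_passwords.txt
150 Opening BINARY mode data connection
226 Transfer complete
STOR WORKPC_outlook_accounts.txt
150 Opening BINARY mode data connection
226 Transfer complete
QUIT
221 Goodbye.
"""

# Filename fragments that suggest a credential dump is being pushed out
# (assumed list for this example; tune it to what your own hosts produce).
SUSPICIOUS_NAME_HINTS = ("pass", "pwd", "login", "outlook", "firefox", "account")


@dataclass
class FtpSessionFindings:
    username: Optional[str] = None
    password: Optional[str] = None
    login_succeeded: bool = False
    uploads: List[str] = field(default_factory=list)
    suspicious_uploads: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.suspicious_uploads:
            return "exfiltration: plaintext FTP login followed by credential-like uploads"
        if self.uploads:
            return "suspicious: uploads over plaintext FTP"
        if self.password is not None:
            return "info: plaintext FTP credentials observed, no uploads"
        return "benign: no FTP login or upload seen"


def analyse_ftp_stream(stream: str) -> FtpSessionFindings:
    """Walk an FTP control-channel transcript line by line.

    Server replies start with a three-digit code; anything else is a client
    command. We record USER/PASS, treat a 230 reply right after PASS as a
    successful login, collect every upload command (STOR/APPE/STOU) and flag
    uploads whose names look like password dumps.
    """
    findings = FtpSessionFindings()
    last_command: Optional[str] = None
    for raw in stream.splitlines():
        line = raw.strip()
        if not line:
            continue
        reply = re.match(r"^(\d{3})[ -]", line)
        if reply:
            # 230 after PASS means the credentials sent in clear were valid.
            if int(reply.group(1)) == 230 and last_command == "PASS":
                findings.login_succeeded = True
            continue
        parts = line.split(" ", 1)
        cmd = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        last_command = cmd
        if cmd == "USER":
            findings.username = arg
        elif cmd == "PASS":
            findings.password = arg
        elif cmd in ("STOR", "APPE", "STOU"):
            findings.uploads.append(arg)
            if any(hint in arg.lower() for hint in SUSPICIOUS_NAME_HINTS):
                findings.suspicious_uploads.append(arg)
    return findings


if __name__ == "__main__":
    f = analyse_ftp_stream(SAMPLE_STREAM)
    print(f"user={f.username!r} password_seen={f.password is not None} "
          f"login_ok={f.login_succeeded}")
    for name in f.uploads:
        print("upload:", name)
    print(f.verdict)
```

Run it on the export of the stream Wireshark shows for port 21 and the verdict line tells you whether you saw just a plaintext login or a login plus uploads; the credentials it recovers are the same ones the original poster saw in the capture, which is exactly why plaintext FTP is a poor choice for anyone, attacker included.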
killadoob
13-07-2009, 08:01 PM
You deleted the "hackers" files off his FTP?
I would not have touched the exe file to begin with. But playing around with these virii that connect to a server using plaintext username/pass could be quite fun though... :D
noswal
13-07-2009, 08:04 PM
perhaps report it to the FBI.. seriously
https://tips.fbi.gov/
Terrabiticfossilite
13-07-2009, 08:27 PM
Yeah, great idea Noswal - yeah Killa, I blitzed his FTP account and web setup - it was a free provider and no real content, only used to steal stuff.
About the FBI - I'd say 90% of the victims were European judging by the .de, .nl and .be emails. Would the FBI even be interested? Nod32 apparently aren't - I think they should at the very least acknowledge receipt of the file. Makes me wonder - just after I spent money on the business edition.
Not even the hosting service acknowledged my email to them, reporting the user... that's why I decided to do something myself.
Park@82
13-07-2009, 08:36 PM
What would you reckon you would have done?
Firstly, scan dodgy exes @ virustotal.com; you can also run exes in Sandboxie or a VM to make sure your machine does not get infected. Lastly, try to avoid storing passwords on your PC.
wikus
13-07-2009, 08:44 PM
Firstly, scan dodgy exes @ virustotal.com; you can also run exes in Sandboxie or a VM to make sure your machine does not get infected. Lastly, try to avoid storing passwords on your PC.
At least don't store your passwords in your browser without a master password.
Rather use a trusted password storage app like KeePass to store your passwords.
I have one file on my hard drive which holds all my passwords, which uses the AES encryption algorithm; even if you used all the computers in the world to attack one database, decrypting it would take longer than the age of the universe!
gregmcc
13-07-2009, 10:27 PM
When will people learn not to run dodgy EXEs! Just because one AV package reports that it's clean doesn't mean it is. There are literally thousands of new pieces of malware being released daily. It's virtually impossible for all the AV companies to keep up to date.
1) Use virustotal - if it reports that its clean then chances are 99% its safe.
2) Run suspect EXE in Sandboxie.
3) Don't run suspect EXEs
4) Don't run suspect EXEs
DJNgoma
14-07-2009, 05:53 AM
What was the name of the file download anyway?
Terrabiticfossilite
14-07-2009, 08:33 AM
The file was cutlist plus something or other, but I suspect there are many different names for the same thing since it was deliberately planted.
Virustotal reports file is clean.
Sandbox is great idea
So is keepass!
Park@82
14-07-2009, 08:34 AM
What was the name of the file download anyway?
Normally something like crack.exe ;)
Terrabiticfossilite
14-07-2009, 08:42 AM
Normally something like crack.exe ;)
Not necessarily - those are the obvious ones - it's the ones you expect to be legit that you should really be careful of as in my case.
A nice FF extension for secure passwords:
https://addons.mozilla.org/en-US/firefox/addon/8542
Lastpass
Unfortunately it doesn't help you with Outlook/MSN/Yahoo messenger/Google Talk passwords...
Park@82
14-07-2009, 11:09 AM
I kept the EXE and now three days later I have had no feedback from Eset (Nod32) and the file still scans as clean.
Just for interest sake what does virustotal say about the file? And have Eset updated their AV?
mercurial
14-07-2009, 11:13 AM
Just thought I'd share my experience with a virus I picked up from news.saix.net
I downloaded an EXE, scanned it with Nod32 and ran it but nothing appeared to happen, so I got suspicious.
The next day someone had tried to bid on some WoW characters with my eBay account (155 GBP worth). I suspected my details had been compromised by the download I got the day before - it was the only source I could imagine; my PC is generally clean.
So I installed wireshark and started capturing packets on my LAN card, then ran the exe again. Lo and behold, this program had contacted an FTP site, logged in (plain text) and uploaded what appeared to be all my saved FF user/passwords as well as my outlook user/passwords.
So I sent the file to Nod32 with full details, then decided to mosey on to the guy's site armed with his user/pass for FTP. I found a whole bunch (50 ish) of files with stolen users/passwords for FF, IE, Opera, Chrome, OE, Outlook, MSN, Yahoo Messenger etc.
I deleted the lot and left a rude message for the owner saying he was being investigated for ID theft.
Later in the day I decided, what the heck, I logged in to his web provider using the same credentials picked up from the packet sniff, and got his email addy, sent him a rude message and cancelled his account with the free web provider using their web admin interface.
What else can one do? I kept the EXE and now three days later I have had no feedback from Eset (Nod32) and the file still scans as clean. I'm really surprised at their lack of interest. Of course it doesn't work anymore since the site is down but it won't take the script kiddie long to change the FTP details in his next 'release'...
What would you reckon you would have done?
Wow. Hectic. Kudos for following through. Please keep in mind that ESET probably receive hundreds, if not thousands of files everyday, so it will take them time to get back to you.
Terrabiticfossilite
14-07-2009, 11:45 AM
Just for interest sake what does virustotal say about the file? And have Eset updated their AV?
Give me a few and I'll post it here... No, eset still says 'no virus'
mercurial
14-07-2009, 11:48 AM
I assume you have updated your ESET NOD32 right?
Terrabiticfossilite
14-07-2009, 12:17 PM
Yep, I have updated Nod32 :)
Virus total is giving grief right now... trying again. First attempt:
Exception
Please report failure as: ErrorTime= "Jul 14 12:22:59"
Attempt 2 using ssl:
Exception
Please report failure as: ErrorTime= "Jul 14 12:22:59"
Terrabiticfossilite
14-07-2009, 12:20 PM
Trying Iexplore now - same
Trying email submission next...
Oops - Google won't deliver exes
What next lol... maybe I can try the saix outgoing server... dunno...
Park@82
14-07-2009, 12:31 PM
virustotal seems to be very, very busy...
Edit: and "The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later."
gregmcc
14-07-2009, 01:07 PM
They are hectically busy - I've found 3 new pieces of malware that most AV programs don't detect. Upped to virustotal.
Terrabiticfossilite
14-07-2009, 01:20 PM
What exactly does virustotal do with them? Is there any collaboration between AV vendors?
*Edit* still unable to upload to virustotal - am now trying my ghost account...
Am I supposed to get an email acknowledgement from virustotal after an email send?
Park@82
14-07-2009, 02:11 PM
What exactly does virustotal do with them?
Virustotal scans the file with:
* AhnLab (V3)
* Antiy Labs (Antiy-AVL)
* Aladdin (eSafe)
* ALWIL (Avast! Antivirus)
* Authentium (Command Antivirus)
* AVG Technologies (AVG)
* Avira (AntiVir)
* Cat Computer Services (Quick Heal)
* ClamAV (ClamAV)
* Comodo (Comodo)
* CA Inc. (Vet)
* Doctor Web, Ltd. (DrWeb)
* Emsi Software GmbH (a-squared)
* Eset Software (ESET NOD32)
* Fortinet (Fortinet)
* FRISK Software (F-Prot)
* F-Secure (F-Secure)
* G DATA Software (GData)
* Hacksoft (The Hacker)
* Hauri (ViRobot)
* Ikarus Software (Ikarus)
* INCA Internet (nProtect)
* K7 Computing (K7AntiVirus)
* Kaspersky Lab (AVP)
* McAfee (VirusScan)
* Microsoft (Malware Protection)
* Norman (Norman Antivirus)
* Panda Security (Panda Platinum)
* PC Tools (PCTools)
* Prevx (Prevx1)
* Rising Antivirus (Rising)
* Secure Computing (SecureWeb)
* BitDefender GmbH (BitDefender)
* Sophos (SAV)
* Sunbelt Software (Antivirus)
* Symantec (Norton Antivirus)
* VirusBlokAda (VBA32)
* Trend Micro (TrendMicro)
* VirusBuster (VirusBuster)
Terrabiticfossilite
14-07-2009, 02:14 PM
Eish lol...
Random717
14-07-2009, 04:54 PM
What else can one do? I kept the EXE and now three days later I have had no feedback from Eset (Nod32) and the file still scans as clean.
Yeah Eset doesn't really reply much. Some of the files I've sent through get detected after a few days, others still aren't being detected months later.
Send it to support@avg.com, replies are normally the same day.
Terrabiticfossilite
14-07-2009, 05:24 PM
I would but I no longer use AVG lol... I don't think AVG would share info with Eset or am I mistaken?
I already know it's malicious and fairly widespread...
Random717
14-07-2009, 05:32 PM
Haven't tested this recently, but in the past I've seen up to 10 more detections on Virustotal a day after submitting the file to AVG. Whether Virustotal distributes the files, or AVG shares the info, or the files I submitted suddenly got very popular, I'm not sure...
Terrabiticfossilite
14-07-2009, 06:27 PM
I'd love to know the answer to that - wouldn't it be great if they agreed to work together - who cares what flav of AV you have... prolly too much competition to ask for that tho... maybe virustotal runs a subscription service that the AV providers pay for? Perhaps they are just one of many such services... like all those sites that offer assistance with hijackthis log analysis.
Terrabiticfossilite
14-07-2009, 08:12 PM
Finally got the report from virustotal. First submission was on the 10th July. Seems some products detect it as at today's update:
http://www.virustotal.com/analisis/46e994e81b093ac83d42c0b4d0b1f5898e8b938495bf580fc49df52ba25c0025-1247589682
Antivirus Version Last Update Result
a-squared 4.5.0.22 2009.07.14 Riskware.PSWTool.Win32.NetPass!IK
AhnLab-V3 5.0.0.2 2009.07.14 -
AntiVir 7.9.0.204 2009.07.14 SPR/Tool.ProdKey.1
Antiy-AVL 2.0.3.1 2009.07.14 -
Authentium 5.1.2.4 2009.07.14 -
Avast 4.8.1335.0 2009.07.13 -
AVG 8.5.0.387 2009.07.14 -
BitDefender 7.2 2009.07.14 -
CAT-QuickHeal 10.00 2009.07.14 -
ClamAV 0.94.1 2009.07.14 -
Comodo 1648 2009.07.14 -
DrWeb 5.0.0.12182 2009.07.14 Tool.PassView.135
eSafe 7.0.17.0 2009.07.14 Win32.SPRTool.ProdKe
eTrust-Vet 31.6.6612 2009.07.14 -
F-Prot 4.4.4.56 2009.07.13 -
F-Secure 8.0.14470.0 2009.07.14 -
Fortinet 3.120.0.0 2009.07.14 -
GData 19 2009.07.14 -
Ikarus T3.1.1.64.0 2009.07.14 not-a-virus:PSWTool.Win32.NetPass
Jiangmin 11.0.706 2009.07.14 -
K7AntiVirus 7.10.792 2009.07.14 -
Kaspersky 7.0.0.125 2009.07.14 -
McAfee 5676 2009.07.14 -
McAfee+Artemis 5676 2009.07.14 Artemis!0017E649EBC6
McAfee-GW-Edition 6.8.5 2009.07.14 -
Microsoft 1.4803 2009.07.14 -
NOD32 4242 2009.07.14 -
Norman 6.01.09 2009.07.14 -
nProtect 2009.1.8.0 2009.07.14 -
Panda 10.0.0.14 2009.07.14 -
PCTools 4.4.2.0 2009.07.14 -
Prevx 3.0 2009.07.14 -
Rising 21.38.14.00 2009.07.14 -
Sophos 4.43.0 2009.07.14 -
Sunbelt 3.2.1858.2 2009.07.14 Win32-Trojan-gen {Other}
Symantec 1.4.4.12 2009.07.14 -
TheHacker 6.3.4.3.366 2009.07.14 -
TrendMicro 8.950.0.1094 2009.07.14 -
VBA32 3.12.10.8 2009.07.14 -
ViRobot 2009.7.14.1835 2009.07.14 -
VirusBuster 4.6.5.0 2009.07.14 -
Looking at that list, it seems very few of the big guns are on it... by big guns, I mean commercially.
DJNgoma
14-07-2009, 08:24 PM
Finally got the report from virustotal. First submission was on the 10th July. Seems some products detect it as at today's update:
http://www.virustotal.com/analisis/46e994e81b093ac83d42c0b4d0b1f5898e8b938495bf580fc49df52ba25c0025-1247589682
Looking at that list, it seems very few of the big guns are on it... by big guns, I mean commercially.
AntiVir I think has been No. Uno for quite sometime, usually gets shadowed by ESET promos lol.
Park@82
14-07-2009, 09:18 PM
Finally got the report from virustotal. First submission was on the 10th July. Seems some products detect it as at today's update:
http://www.virustotal.com/analisis/46e994e81b093ac83d42c0b4d0b1f5898e8b938495bf580fc49df52ba25c0025-1247589682
Looking at that list, it seems very few of the big guns are on it... by big guns, I mean commercially.
Seems that most of these antivirus products classify it as a password tool/password view tool judging by the name they come up with for the virus. What I don't understand is how different versions of McAfee seem to have different conclusions (I have seen this before as well).
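To make the naming pattern Park@82 points out easier to see, here is an added Python example (not from the thread, and not VirusTotal's own code): it parses a subset of the report posted above in its "Antivirus Version Last Update Result" layout, counts detections, groups the detection names by a family keyword, lists engines from the same vendor that disagree (the McAfee vs McAfee+Artemis case), and pulls the SHA-256 out of the report URL, which is the value a hash search on VirusTotal is keyed by. The keyword-to-family mapping is my own assumption, not a VirusTotal or vendor taxonomy.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Subset of the VirusTotal report posted in this thread, kept in the
# space-separated "Antivirus Version Last Update Result" layout it was
# pasted in. A "-" in the Result column means no detection.
REPORT_TEXT = """\
Antivirus Version Last Update Result
a-squared 4.5.0.22 2009.07.14 Riskware.PSWTool.Win32.NetPass!IK
AhnLab-V3 5.0.0.2 2009.07.14 -
AntiVir 7.9.0.204 2009.07.14 SPR/Tool.ProdKey.1
AVG 8.5.0.387 2009.07.14 -
DrWeb 5.0.0.12182 2009.07.14 Tool.PassView.135
Ikarus T3.1.1.64.0 2009.07.14 not-a-virus:PSWTool.Win32.NetPass
McAfee 5676 2009.07.14 -
McAfee+Artemis 5676 2009.07.14 Artemis!0017E649EBC6
NOD32 4242 2009.07.14 -
Sunbelt 3.2.1858.2 2009.07.14 Win32-Trojan-gen {Other}
Symantec 1.4.4.12 2009.07.14 -
"""

# Report link as posted in the thread: /analisis/<sha256>-<unix timestamp>
REPORT_URL = ("http://www.virustotal.com/analisis/"
              "46e994e81b093ac83d42c0b4d0b1f5898e8b938495bf580fc49df52ba25c0025-1247589682")

# Keyword-to-family mapping: an assumption for this illustration only.
FAMILY_HINTS = [
    ("password tool / riskware", ("psw", "pass", "tool")),
    ("generic trojan", ("trojan",)),
]

DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")


def parse_report(text: str) -> List[Dict[str, str]]:
    """Turn each report row into {engine, version, updated, result}.

    Engine and version never contain spaces in this layout, but a result
    can ("Win32-Trojan-gen {Other}"), so everything after the date is
    joined back together. Lines without a date in column 3 (the header)
    are skipped.
    """
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or not DATE_RE.match(tokens[2]):
            continue
        rows.append({
            "engine": tokens[0],
            "version": tokens[1],
            "updated": tokens[2],
            "result": " ".join(tokens[3:]) or "-",
        })
    return rows


def family_of(result: str) -> str:
    lower = result.lower()
    for family, keywords in FAMILY_HINTS:
        if any(k in lower for k in keywords):
            return family
    return "other / unclassified"


def summarize(rows: List[Dict[str, str]]) -> Dict[str, object]:
    detected = [r for r in rows if r["result"] != "-"]
    families: Dict[str, int] = defaultdict(int)
    for r in detected:
        families[family_of(r["result"])] += 1
    return {
        "total": len(rows),
        "detected": len(detected),
        "detecting_engines": [r["engine"] for r in detected],
        "families": dict(families),
    }


def vendor_disagreements(rows: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Group engines by the vendor part of the name (before any '+') and
    keep only vendors whose engines returned different results."""
    by_vendor: Dict[str, Dict[str, str]] = defaultdict(dict)
    for r in rows:
        by_vendor[r["engine"].split("+")[0]][r["engine"]] = r["result"]
    return {v: e for v, e in by_vendor.items() if len(set(e.values())) > 1}


def sha256_from_report_url(url: str) -> Optional[str]:
    """The report is addressed by the file's SHA-256; this is the value a
    hash search would be done with instead of re-uploading the sample."""
    m = re.search(r"/analisis/([0-9a-f]{64})-\d+", url)
    return m.group(1) if m else None


if __name__ == "__main__":
    rows = parse_report(REPORT_TEXT)
    s = summarize(rows)
    print(f"{s['detected']}/{s['total']} engines flagged it: {s['families']}")
    for vendor, engines in vendor_disagreements(rows).items():
        print(f"{vendor} engines disagree: {engines}")
    print("report keyed by sha256:", sha256_from_report_url(REPORT_URL))
```

On this subset the output shows that the engines which do flag the file mostly call it a password-recovery tool rather than a virus, which matches PeterCH's later point that this is a "calls home" credential grabber rather than self-replicating malware, and that the only vendor disagreeing with itself is McAfee (signature engine clean, Artemis heuristic flagged).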
mercurial
15-07-2009, 08:20 AM
Finally got the report from virustotal. First submission was on the 10th July. Seems some products detect it as at today's update:
http://www.virustotal.com/analisis/46e994e81b093ac83d42c0b4d0b1f5898e8b938495bf580fc49df52ba25c0025-1247589682
Looking at that list, it seems very few of the big guns are on it... by big guns, I mean commercially.
Very interesting. Seems that the more unknown anti-virii apps are detecting it.
Terrabiticfossilite
15-07-2009, 09:08 AM
Seems that most of these antivirus products classify it as a password tool/password view tool judging by the name they come up with for the virus. What I don't understand is how different versions of McAfee seem to have different conclusions (I have seen this before as well).
That last point is a good one - it's a mystery how these guys should be working together but don't. That brings me to my next point....
Why don't the AV guys just notify the site host and have it shut down? Or is that defeating the object and taking their business away? Did I do them an injustice by closing down the FTP? Perhaps it just forces the hacker to adjust the code, effectively making another product, or perhaps it just makes it harder for 'cops' if there are any out there, to investigate... thoughts?
I did get a kick from leaving that message and shutting it down, I must admit. I would rather have had the guy arrested for fraud though... teach him a life lesson.
Park@82
15-07-2009, 09:38 AM
AV - V = A useless product
Terrabiticfossilite
15-07-2009, 09:47 AM
AV - V = A useless product
My thoughts exactly...
PeterCH
15-07-2009, 11:29 AM
Give me a few and I'll post it here... No, eset still says 'no virus'
The file was not a virus. It did what any software which "calls home" does.
You need a good firewall which will intercept such attempts (eg Comodo), even when they are spoofed - some trojans use your browser to connect to the internet - Comodo detects those attempts too. Weaker firewalls will not warn you, because your browser is authorised and running in memory already. A firewall with HIPS is best, but can get very technical.
Most important - DON'T RUN EXEs! If you must- run them in some virtual os- or have a dedicated system where you don't do anything but run trojan horses.
Don't trust AV to detect these.
mercurial
15-07-2009, 11:33 AM
True Peter. I was wondering why the firewall did not detect packets being sent out by an application :confused:
wishblade
15-07-2009, 01:40 PM
Just to clarify - VirusTotal does not submit files to different AV companies. It merely scans the uploaded file with the different AV products and reports on whatever the products find.
IIRC, AV vendors are obligated to share samples with other vendors, but this obligation only takes effect 2 or 3 days after the sample was first received. So a particular vendor may have exclusive detection for a day or two before the other companies are able to receive it from them (if the other companies haven't already obtained a sample from one of their honeypots).
As for the different naming conventions by the same product - the AV product you mentioned is not the only one that does it. This generally occurs when newer versions of the product contain a rebuild of the scanning engine/s with different features and /or detection "sequences". When a virulent sample gets submitted, the newer engine is able to detect it in a certain way. If the sample is not able to be detected in the same way by the older engine, then a different means of detecting the sample is added to the older engine, and this is usually a different name (which goes according to the family of viruses that exhibits similar characteristic detection).
Another possibility is the fact that certain viruses are injectors - injecting their code into existing files. It may so happen that a particular virus injects its code into an existing virulent executable. So now, there's two viruses in one exe :) You then notice different names based on what your AV detects first.
Hope this simple explanation helps...
Terrabiticfossilite
15-07-2009, 02:16 PM
Wishblade, that's some awesome insight...
Peter - I'm trying out smoothwall express 3.0 and dansguardian... I will see if it is capable of alerting me...
PeterCH
15-07-2009, 09:19 PM
Wishblade, that's some awesome insight...
Peter - I'm trying out smoothwall express 3.0 and dansguardian... I will see if it is capable of alerting me...
Comodo will. I did a post on this a couple months back in the Security forum with some examples.
PeterCH
15-07-2009, 09:22 PM
Very interesting. Seems that the more unknown anti-virii apps are detecting it.
Just one point.
What are or is a "virii"?
Virus originates from Latin. The plural is therefore viruses. Virii is not plural for viruses.
PeterCH
15-07-2009, 09:25 PM
My thoughts exactly...
Not at all.
AV softs have heuristic engines AND they have signatures. They are very helpful. However, they don't work against all forms of spyware - for example they would OK Bonzi Buddy because that's not a virus but a program containing commercial spyware. A trojan on the other hand may not be picked up either, because it can be new or no-one has realised that it connects to the internet and uploads certain information; after all, it doesn't replicate itself the way a virus does, nor does it hide itself (well, not usually). Best is not to run strange EXEs.
If you have Windows you need a decent AV scanner, unless your pc is standalone without internet and you don't connect anything to your machine.
mercurial
16-07-2009, 09:14 AM
Just one point.
What are or is a "virii"?
Virus originates from Latin. The plural is therefore viruses. Virii is not plural for viruses.
Yes, please do drag this off topic :rolleyes:
Terrabiticfossilite
16-07-2009, 12:02 PM
Comodo will. I did a post on this a couple months back in the Security forum with some examples.
Comodo is a pain in the @ss to admin - nice for one PC but I'm not helping every noob in the office to fix their internet difficulties and update comodo etc etc...
Terrabiticfossilite
16-07-2009, 12:03 PM
Not at all.
AV softs have heuristic engines AND they have signatures. They are very helpful. However, they don't work against all forms of spyware - for example they would OK Bonzi Buddy because that's not a virus but a program containing commercial spyware. A trojan on the other hand may not be picked up either, because it can be new or no-one has realised that it connects to the internet and uploads certain information; after all, it doesn't replicate itself the way a virus does, nor does it hide itself (well, not usually). Best is not to run strange EXEs.
If you have Windows you need a decent AV scanner, unless your pc is standalone without internet and you don't connect anything to your machine.
Sure, define decent AV scanner... name one.
Browser
16-07-2009, 05:22 PM
People should use the hash search on VirusTotal first; it saves a lot of resources and time in general.
Comodo is a pain in the @ss to admin
That's one hell of an understatement lol. Comodo is ridiculous compared to other firewalls, their rules creation is a total joke. I used it for a few months because it's free, but honestly I wouldn't use it again as is unless they gave me a salary.