- Dec 12, 2016
That's literally me. I've been using it (Norton) for probably less than a year now, and I've fallen in love with how light and efficient it is. But I do not feel as protected as with Kaspersky, basically because it lacks an Application Control module. And after today, I am even more worried. This is literally the only time the Behaviour Blocker should've popped up (since I never committed a mistake like this) and it didn't... at all. Yes, maybe it's 1/100 and the other 99 attacks would've been blocked, but the very first opportunity it had, it failed. Sad....

About Norton, I'm using it at the moment because it's incredibly light, practically zero impact on PC activities and especially on browsing, but I confess that I don't feel as protected as when I use Kaspersky, Bitdefender or even ESET.
System Infected: Redline Stealer Activity 2

Any more details about the malware strain you contracted?
Interesting, which of these products in your tests do you like more? ESET seems to be the one with the best signatures/heuristics as expected ...

A silly mistake, but it happens to the best of us.
I very often test products against this type of malware targeted to home users that can be found on Google search, YouTube Search and torrent sites.
From what I have seen,
ESET detects 9/10 of these files by signature/heuristic and on some rare occasions by the local ML/Augur detection prior to execution. The others after execution.
Avast detects 7/10 by signatures prior to execution. Some after execution, and I saw it missing two last month but not recently. Maybe it has improved.
Norton 2/10 by signatures prior to execution. Sometimes it detects payloads, which stops the attack, or via IPS like yours with Redline stealer activity or backdoor activity in case of backdoor samples. So I think the data remains safe.
Microsoft Defender detects 0/10 by signatures prior to execution even a week later, but after execution detects payloads and ends up protecting the system 9/10 times.
Bitdefender and Kaspersky on average 0/10 by signatures prior to execution when the sample is new. Bitdefender detects all I tested pretty quickly after execution by behavior. Sometimes it doesn't delete the main sample file, sometimes it does.
Kaspersky detects by behavior at a slightly later stage but prior to any data getting stolen and always performs a perfect cleanup.
These malware samples are changed almost every day with new C2C servers to communicate. But the behavior remains similar mostly. Norton should have found something by now to detect the activity by their BB aka SONAR.
Glad that in the end everything worked out well. Still, YouTube is the worst option to download software from. I'm sure you have learned from that mistake tho.

Hi everybody, funny how you see a new thread of mine after some time and it's a story of how I suffered what I thought I'd never suffer again, since I've been malware free for more than a decade. I'm sharing this with you to let you know, and especially let novice users know how careful we must be, since it's not even hard to get infected.
Today I committed a mistake. One single mistake, that cost me an infection, even when I thought I was truly protected. May this be a lesson for everybody, that if you, the user, are not careful enough, there will not be enough software to protect you.
HOW IT STARTED
I had to download a specific software today. Since the version I needed to install wasn't on the official site anymore, I headed to a YouTube video that would let me download it via Mediafire or MEGA.
I clicked the video, made a quick check of it, checked comments to see what users said about this download, and since everything was positive, I downloaded the file.
THE INFECTION
- Norton Antivirus didn't pop up when I downloaded it, so the first test was done.
- A right click context scan didn't show malware, so second test was done.
- I decided not to upload the file to VirusTotal, since Norton came clean and YouTube comments were positive.
I launched the executable file, and after some seconds, nothing happened. That's when I knew something was wrong. I immediately opened Process Explorer and Task Manager to see any possible suspicious process, and before these two even opened, my theory became a reality.
[attachment 271441: Norton alert screenshot]
Norton detected suspicious activity too. But here's the catch. Norton didn't detect the malware process. What we're seeing up there is Norton Intrusion Prevention System, which is basically like a firewall. It scans network traffic for attack signatures, such as social threats and outbound attacks, that identify attempts to exploit vulnerabilities in your operating system or in a program that you use.
And here's the other catch. The malware was still active in my system, and we had a loop. The malware process was a type of trojan that steals all the system's stored passwords. It was when this malware tried to contact home that Norton realised this was suspicious activity and realised what was going on. But here are three problems:
- Norton wasn't smart enough to quarantine the file constantly calling home
- Each network connection the malware tried to make was blocked, but the malware was still active
- Neither Norton's "smart" nor full scan was able to detect the malware, even when it was triggering Norton's IPS
Wanna guess who did detect it?
RESOLUTION AND CONCLUSION
Yup, probably guessed right.
[attachment 271442]
[attachment 271443]
Long story short: malware neutralized, no information stolen and day saved.
Once this was over, I headed to the YouTube video where I downloaded the file, and realised the mistake I had made: everything was fake.
Yes, the cybercriminal had uploaded a fake video, paid for almost 50 bot comments and I slipped right in. I wasn't careful enough. I might be getting old.
- Unknown author
- Literally posted 6 hours ago and already had 47 comments
- Video title was in Spanish and all comments in English
- All comments were positive and posted at literally the same time
Hopefully this is a lesson for everybody, most especially for me, that mistakes can be made and can cost us a lot. Luckily, I was spared to live some years more.
Also, after the semi-failure I saw today in Norton's protection, I might be re-thinking my comeback to Kaspersky.
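The loop described above (every outbound connection blocked, yet the process still running and every scan missing it) is a pattern a defender can hunt for in IPS logs rather than waiting for a signature. This is an added example, not code from the thread or from Norton: the log line layout, process names and addresses are constructed assumptions, and the script simply flags any process that keeps getting blocked within a short window, since a repeated block means the thing doing the beaconing is still alive.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed, Norton-like record layout (constructed for this example):
#   <date> <time> BLOCKED|ALLOWED proc=<image> dst=<ip:port> sig=<"signature"|->
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>BLOCKED|ALLOWED) '
    r'proc=(?P<proc>\S+) dst=(?P<dst>\S+) sig=(?P<sig>"[^"]*"|\S+)$')

# Constructed sample: one stealer looping on its C2 (and switching server),
# normal browser traffic, a single one-off block, and a malformed line to skip.
SAMPLE_LOG = """\
2023-03-01 10:15:02 BLOCKED proc=setup_v2.exe dst=198.51.100.23:80 sig="System Infected: Redline Stealer Activity 2"
2023-03-01 10:15:05 ALLOWED proc=chrome.exe dst=203.0.113.9:443 sig=-
2023-03-01 10:15:32 BLOCKED proc=setup_v2.exe dst=198.51.100.23:80 sig="System Infected: Redline Stealer Activity 2"
2023-03-01 10:16:02 BLOCKED proc=setup_v2.exe dst=198.51.100.77:80 sig="System Infected: Redline Stealer Activity 2"
2023-03-01 10:16:31 BLOCKED proc=setup_v2.exe dst=198.51.100.77:80 sig="System Infected: Redline Stealer Activity 2"
2023-03-01 10:20:00 BLOCKED proc=updater.exe dst=203.0.113.50:443 sig="Web Attack: Generic"
this line is not a log record
"""

def parse_line(line):
    """Return the fields of one record as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["sig"] = ev["sig"].strip('"')
    return ev

def find_beaconing(log_text, min_hits=3, window=timedelta(minutes=5)):
    """Processes with >= min_hits blocked outbound attempts inside `window`."""
    blocked = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["action"] == "BLOCKED":
            blocked[ev["proc"]].append(ev)
    findings = {}
    for proc, events in blocked.items():
        events.sort(key=lambda e: e["ts"])
        for i in range(len(events) - min_hits + 1):   # sliding window
            if events[i + min_hits - 1]["ts"] - events[i]["ts"] <= window:
                findings[proc] = {
                    "hits": len(events),
                    "dsts": sorted({e["dst"] for e in events}),
                }
                break   # one qualifying window is enough to flag the process
    return findings
```

A process that shows up in `find_beaconing` is the one to suspend and quarantine by image path; the network block on its own only buys time, as the thread shows.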
I am unfamiliar with this strain, can you go more in-depth? Are they common with modified versions of official apps? Who is most likely to be targeted?

System Infected: Redline Stealer Activity 2
Pretty self-explanatory, Redline or some other kind of info-stealer, like VIDAR or Raccoon/Recordbreaker.
Redline stealer or other stealer malware are probably one of the most common malware families these days. They steal your stored cookies and other browser data like passwords (if saved in the browser). Best way to mitigate the risk is to store passwords in a password manager and also delete cookies on browser exit.

I am unfamiliar with this strain, can you go more in-depth? Are they common with modified versions of official apps? Who is most likely to be targeted?
I am unfamiliar with this strain, can you go more in-depth?
Redline stealer is malware as a service on the dark web; the platform can produce Redline stealer executables of various types.

Are they common with modified versions of official apps?
Redline stealer has been disguised as fake cracks, warez, gaming modules, even fake CCleaner cracks and Microsoft updates.

Who is most likely to be targeted?
Users that want to use stuff, as is the case in this incident.