Not as much analysis as a report.

NatsuruHaveALife :D

Level 2
Thread author
Verified
May 18, 2015
54
I did a large-scale AV test. Numerous vendors, free and paid. The EXEs in question were Zbot/botnet/trojan kinds of programs, with a high focus on Zbot and Zbot code-based trojans.
Avast picked up all but 86 of the trojans. Something like that. Qihoo missed about 234. Out of the remaining, MBAM caught 2, and Emsisoft detected none of them.
Keep in mind these trojans are dormant. But nonetheless, this is not good. There appears to be a whole lot of Zbot.exes in the wild that could all be using zero-days. And I mean a lot.
For KIS and major vendors to not have caught these, despite being on Zeustracker, it's... kind of a bad sign. There are supposedly only 19 files associated with Zbot now, but I guarantee with this detection rate, the number of sites, and fast-flux and servers popping up and disappearing, it's a whole lot more, and this is probably large-scale botnet activity. It's definitely not a good sign. If you can't detect the trojans dormant, it's going to be a lot harder to catch them alive.
Since Firefox caught the zip file with all the EXEs, that's good. But I intentionally downloaded it from Zeustracker. And who's to say all of these will be caught. Also, some new adware that isn't being detected I found today. They appear to be dropping other things as well. 1.4 GB of Zbot EXEs, 9000-something EXEs, but I have only tested 3296 of them. I haven't even tested the cfg files yet.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
A lot of vendors cannot detect adware, but they are improving... gradually. Other methods to detect adware may be more effective, for example signature-less detection or IP blocking (e.g. Unchecky).

One test does not signify anything, especially if Emsisoft didn't detect the remaining 200 dormant files. Were any of the files executed?

Many users that get infected are more at risk from current or new threats.
 

Deleted member 178

If EAM is set on "detect when read", it should have detected them unless EAM is so strong that it doesn't care :D
 

NatsuruHaveALife :D

Was an on-demand test; next will be a full test.

If EAM is set on "detect when read", it should have detected them unless EAM is so strong that it doesn't care :D
Yeah, I was wondering why, when it usually does well.

If EAM is set on "detect when read", it should have detected them unless EAM is so strong that it doesn't care :D
On-demand test... Sorry 'bout that :D Kind of want to delete the thread now... It wasn't real-time/heuristic, so not a good test.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
The problem really persists and can also be irrevocable for a lifetime:

No AVs can fully protect via cloud or traditional signatures, no matter how much of the latest technology research they have, because it's a full wide space to collect a lot of samples, and it's from the users who are willing to report the false negatives to them.

Considering the region and prevalence, it will always be a hindrance.
 