Advice Request G DATA VS a New Banking Trojan

[Mahesh Sudula]

Hey guys,
Today I was a bit a free and decided to give G DATA a test..Got on hands a Dangerous Banking Trojan from an Ikarus Analyst which is just 1-2 hrs old.. VT scan attached (Ikarus came up a bit closer detection name). Bitdefender missed it and so its friends, however G DATA gave me back a Surprise Kick ..)

Verdict: It indeed caught it pro actively (Unknown Malware)..BB triggered and so the BankGuard as well asked a restart which took 15 min> ..with a clean disinfection...Sexy isn't it..)

 

[Libera Milanesi]

G-DATA are a pretty good vendor in my humble opinion. I like them and they have good services. They write interesting blog articles every now and then as well.

If you can, could you please share the VirusTotal report URL? Would be helpful.

 

[MoriartyOW]

another example :

 

[Mahesh Sudula]

Guys an important thing :-
This sample behaves in two ways : When I ran it with admin privileges the above massacre taken place.
However ran it now normally ...BB detected a suspicious process after restart of few minutes of the system..however Bank Guard left silent.
This is the first time seeing a sample like this ..Does ADMIN privileges cause such a difference since entire attack process seems to differ when ran with admin rights as compared to normal.

 

[BigWrench]

Hey guys,
Today I was a bit a free and decided to give G DATA a test..Got on hands a Dangerous Banking Trojan from an Ikarus Analyst which is just 1-2 hrs old.. VT scan attached (Ikarus came up a bit closer detection name). Bitdefender missed it and so its friends, however G DATA gave me back a Surprise Kick ..)

Verdict: It indeed caught it pro actively (Unknown Malware)..BB triggered and so the BankGuard as well asked a restart which took 15 min> ..with a clean disinfection...Sexy isn't it..)

View attachment 196307View attachment 196308

Love it!!!
VERY sexy.

 

[Libera Milanesi]

Does ADMIN privileges cause such a difference since entire attack process seems to differ when ran with admin rights as compared to normal

The sample may do nothing if it cannot obtain sufficient privileges for deploying its attack. However, it may go down another route if it can with limited privileges. It's sample dependent... It depends on the sample.

An example of this scenario would be the Rombertik ransomware, which will attempt to destroy the users documents if it fails at reading and writing to the Master Boot Record (regardless of the reason).

As long as the browser process is not elevated (which would be a security risk anyway in the event of web-based exploitation with the intention of compromising the browser process), the sample should still be able to open a handle to the browser process and use the handle with virtual memory operations. Then again, the sample may not be relying on techniques like this for its banking malware functionality. This is also sample dependent and there's numerous ways of stealing banking credentials aside from touching the virtual memory of the browser process directly.

 

[JM Safe]

Good, nowadays AVs have solid and reliable heuristic and behaviour blocking engines.

 

[sepik]

Hi,
Does anyone know how early GData firewall component starts when you boot the system? Is there early network protection during the boot? I've heard that Zonealarm Firewall is one of the best of this, because its low-level kernel firewall module starts right after the boot and it blocks any connections during the boot. Some sophisticated malwares can connect to internet during early boot(before firewall component is started).
Im currently trialling GData IS and im really like it so far. Maybe i'll go to GData antivirus with Zonealarm Firewall Pro(just because of early network boot protection).

 

[Sunshine-boy]

Bitdefender missed it and so its friends

How you do know about That BB and their cloud?

 

[Mahesh Sudula]

How you do know about That BB and their cloud?

At the time of test..Bit defender failed both dynamically and on static.
However Bit defender now detects the file with Trojan.GeneriKD.xxxxx and so his friends on static
Trend did a complete block. so kaspersky (Pro actively) including Norton (Sonar was busy after 10 min of sample execution)..
after few mins i did a vt scan and was caught by Norton cloud immediately..ESET Avast Qihoo Ikarus had the signature when i tested,

 

[sepik]

Well, i do like to see "real" BB test. Without internet connection. Disable all but the BB module and then test it against several types of malwares.

 

[Mahesh Sudula]

Well, i do like to see "real" BB test. Without internet connection. Disable all but the BB module and then test it against several types of malwares.

The point here is not about malwares its about BANKING Trojans..how effective are the AV shields against an unknown EMOTET
As i expected 4-5 vendors did a good job..especially TREND blocked it just after 3 min exactly..ML seems to do the trick
All the other AV reacted after 8-10 min..all of them fought well.However no AV is perfect

 

[sepik]

Detectin is not the same than removing the malware? Like i said on my previous post, never ever rely on "security suites" that uses windows firewall.
If the system gets compromised, malware can get internet connection during early boot up and bypassing "security suite" firewall component easily.

 

[sepik]

Oh well, decided to go GData Antivirus+Zonealarm Pro+Spyshelter combo. Of course i disable Zonealarm Pro hips and use it as a firewall only.

 

[Mahesh Sudula]

Palo Alto and Sophos would block on pre-exec. Most like symantec would need BB like sonar. After damage done.

Symantec not only works on Sonar..they have multiple modules like file reputation, Cloud engine, Behaviour heuristics(Very good), Sonar , Download insight, Npe based detection..
Indeed Symantec is a strong and a reliable vendor..we can trust him!

 

[sepik]

Thats good enough. Hows the system load?

Task manager shows 0-1% cpu time when idle. No lags when using the internet. Speedtest by Ookla shows max upload/download bandwidht.
So im quite happy with this combo.

 

[Ink]

Got on hands a Dangerous Banking Trojan from an Ikarus Analyst which is just 1-2 hrs old.. VT scan attached (Ikarus came up a bit closer detection name).

As readers, how can we (or anyone) verify that this sample is as new as you claim?

Nevertheless, thanks for sharing.

 

[sepik]

If you have a VT enterprise sub then you can see the threat timeline from first upload. Basically it goes from X/64 - 54/64 within three days. Which is too long. Top ten AVs within first 12H

12H...damage is done within that timeframe. Just use wireshark to see how in early boot stage your "firewall component" actually kicks in.

 

[sepik]

"3rd-party Firewall - Network security provided by a trusted vendor"
Go for zonealarm for low-lever kernel (ring 0) boot network protection.