Mahesh Sudula

Level 12
Verified
Hey guys,
Today I was a bit free and decided to give G DATA a test. Got my hands on a dangerous banking Trojan from an Ikarus analyst which is just 1-2 hrs old. VT scan attached (Ikarus came up with a closer detection name). Bitdefender missed it and so did its friends; however, G DATA gave me back a surprise kick ..)

Verdict: It indeed caught it proactively (Unknown Malware). BB triggered and so did BankGuard, which asked for a restart that took 15 min> .. with a clean disinfection... Sexy, isn't it..)

[Attachments: G DATA BANKGUARD.PNG, BANKING TROJAN.PNG]

Mahesh Sudula

Level 12
Verified
Guys, an important thing:
This sample behaves in two ways: when I ran it with admin privileges, the above massacre took place.
However, I ran it now normally... BB detected a suspicious process a few minutes after a restart of the system; however, BankGuard stayed silent.
This is the first time I'm seeing a sample like this. Do ADMIN privileges cause such a difference, since the entire attack process seems to differ when run with admin rights compared to normal?

BigWrench

Level 5
Verified
Hey guys,
Today I was a bit free and decided to give G DATA a test. Got my hands on a dangerous banking Trojan from an Ikarus analyst which is just 1-2 hrs old. VT scan attached (Ikarus came up with a closer detection name). Bitdefender missed it and so did its friends; however, G DATA gave me back a surprise kick ..)

Verdict: It indeed caught it proactively (Unknown Malware). BB triggered and so did BankGuard, which asked for a restart that took 15 min> .. with a clean disinfection... Sexy, isn't it..)

Love it!!!
VERY sexy. :love:
Do ADMIN privileges cause such a difference, since the entire attack process seems to differ when run with admin rights compared to normal?
The sample may do nothing if it cannot obtain sufficient privileges for deploying its attack. However, it may go down another route if it can with limited privileges. It's sample dependent... It depends on the sample.

An example of this scenario would be the Rombertik ransomware, which will attempt to destroy the user's documents if it fails at reading and writing to the Master Boot Record (regardless of the reason).

As long as the browser process is not elevated (which would be a security risk anyway in the event of web-based exploitation with the intention of compromising the browser process), the sample should still be able to open a handle to the browser process and use the handle with virtual memory operations. Then again, the sample may not be relying on techniques like this for its banking malware functionality. This is also sample dependent, and there are numerous ways of stealing banking credentials aside from touching the virtual memory of the browser process directly.

sepik

Level 1
Hi,
Does anyone know how early the GData firewall component starts when you boot the system? Is there early network protection during boot? I've heard that ZoneAlarm Firewall is one of the best for this, because its low-level kernel firewall module starts right after boot and blocks any connections during boot. Some sophisticated malware can connect to the internet during early boot (before the firewall component is started).
I'm currently trialling GData IS and I really like it so far. Maybe I'll go to GData Antivirus with ZoneAlarm Firewall Pro (just because of the early network boot protection).

Mahesh Sudula

Level 12
Verified
How do you know about that BB and their cloud?
At the time of the test, Bitdefender failed both dynamically and on static.
However, Bitdefender now detects the file with Trojan.GeneriKD.xxxxx and so do its friends on static.
Trend did a complete block, and so did Kaspersky (proactively), including Norton (SONAR was busy after 10 min of sample execution).
After a few mins I did a VT scan and it was caught by Norton cloud immediately. ESET, Avast, Qihoo and Ikarus had the signature when I tested.

Mahesh Sudula

Level 12
Verified
Well, I would like to see a "real" BB test. Without an internet connection. Disable all but the BB module and then test it against several types of malware.
The point here is not about malware, it's about BANKING Trojans: how effective are the AV shields against an unknown EMOTET?
As I expected, 4-5 vendors did a good job, especially TREND, which blocked it after exactly 3 min. ML seems to do the trick.
All the other AVs reacted after 8-10 min; all of them fought well. However, no AV is perfect.

sepik

Level 1
Detection is not the same as removing the malware? Like I said in my previous post, never ever rely on "security suites" that use the Windows firewall.
If the system gets compromised, malware can get an internet connection during early boot-up, bypassing the "security suite" firewall component easily.

sepik

Level 1
If you have a VT Enterprise sub then you can see the threat timeline from first upload. Basically it goes from X/64 to 54/64 within three days, which is too long. Top ten AVs within the first 12H.
12H... the damage is done within that timeframe. Just use Wireshark to see how early in the boot stage your "firewall component" actually kicks in.

sepik

Level 1
"3rd-party Firewall - Network security provided by a trusted vendor"
Go for ZoneAlarm for low-level kernel (ring 0) boot network protection.