Advice Request G DATA VS a New Banking Trojan

Please provide comments and solutions that are helpful to the author of this topic.

Status
Not open for further replies.

Mahesh Sudula

Level 17
Thread author
Verified
Top Poster
Well-known
Sep 3, 2017
818
Hey guys,
Today I was a bit a free and decided to give G DATA a test..Got on hands a Dangerous Banking Trojan from an Ikarus Analyst which is just 1-2 hrs old.. VT scan attached (Ikarus came up a bit closer detection name). Bitdefender missed it and so its friends, however G DATA gave me back a Surprise Kick ..)

Verdict: It indeed caught it pro actively (Unknown Malware)..BB triggered and so the BankGuard as well asked a restart which took 15 min> ..with a clean disinfection...Sexy isn't it..)

G DATA BANKGUARD.PNG
BANKING TROJAN.PNG
 
Last edited by a moderator:

Mahesh Sudula

Level 17
Thread author
Verified
Top Poster
Well-known
Sep 3, 2017
818
Guys an important thing :-
This sample behaves in two ways : When I ran it with admin privileges the above massacre taken place.
However ran it now normally ...BB detected a suspicious process after restart of few minutes of the system..however Bank Guard left silent.
This is the first time seeing a sample like this ..Does ADMIN privileges cause such a difference since entire attack process seems to differ when ran with admin rights as compared to normal.
 

BigWrench

Level 17
Verified
Top Poster
Well-known
Apr 13, 2014
845
Hey guys,
Today I was a bit a free and decided to give G DATA a test..Got on hands a Dangerous Banking Trojan from an Ikarus Analyst which is just 1-2 hrs old.. VT scan attached (Ikarus came up a bit closer detection name). Bitdefender missed it and so its friends, however G DATA gave me back a Surprise Kick ..)

Verdict: It indeed caught it pro actively (Unknown Malware)..BB triggered and so the BankGuard as well asked a restart which took 15 min> ..with a clean disinfection...Sexy isn't it..)

View attachment 196307View attachment 196308

Love it!!!
VERY sexy. :love:
 
  • Like
Reactions: JB007 and vtqhtr413

Libera Milanesi

Level 2
Verified
Aug 19, 2018
52
Does ADMIN privileges cause such a difference since entire attack process seems to differ when ran with admin rights as compared to normal
The sample may do nothing if it cannot obtain sufficient privileges for deploying its attack. However, it may go down another route if it can with limited privileges. It's sample dependent... It depends on the sample.

An example of this scenario would be the Rombertik ransomware, which will attempt to destroy the users documents if it fails at reading and writing to the Master Boot Record (regardless of the reason).

As long as the browser process is not elevated (which would be a security risk anyway in the event of web-based exploitation with the intention of compromising the browser process), the sample should still be able to open a handle to the browser process and use the handle with virtual memory operations. Then again, the sample may not be relying on techniques like this for its banking malware functionality. This is also sample dependent and there's numerous ways of stealing banking credentials aside from touching the virtual memory of the browser process directly.
 

sepik

Level 11
Verified
Well-known
Aug 21, 2018
505
Hi,
Does anyone know how early GData firewall component starts when you boot the system? Is there early network protection during the boot? I've heard that Zonealarm Firewall is one of the best of this, because its low-level kernel firewall module starts right after the boot and it blocks any connections during the boot. Some sophisticated malwares can connect to internet during early boot(before firewall component is started).
Im currently trialling GData IS and im really like it so far. Maybe i'll go to GData antivirus with Zonealarm Firewall Pro(just because of early network boot protection).
 

Mahesh Sudula

Level 17
Thread author
Verified
Top Poster
Well-known
Sep 3, 2017
818
How you do know about That BB and their cloud?
At the time of test..Bit defender failed both dynamically and on static.
However Bit defender now detects the file with Trojan.GeneriKD.xxxxx and so his friends on static
Trend did a complete block. so kaspersky (Pro actively) including Norton (Sonar was busy after 10 min of sample execution)..
after few mins i did a vt scan and was caught by Norton cloud immediately..ESET Avast Qihoo Ikarus had the signature when i tested,
 
Last edited:

sepik

Level 11
Verified
Well-known
Aug 21, 2018
505
Well, i do like to see "real" BB test. Without internet connection. Disable all but the BB module and then test it against several types of malwares.
 

Mahesh Sudula

Level 17
Thread author
Verified
Top Poster
Well-known
Sep 3, 2017
818
Well, i do like to see "real" BB test. Without internet connection. Disable all but the BB module and then test it against several types of malwares.
The point here is not about malwares its about BANKING Trojans..how effective are the AV shields against an unknown EMOTET
As i expected 4-5 vendors did a good job..especially TREND blocked it just after 3 min exactly..ML seems to do the trick
All the other AV reacted after 8-10 min..all of them fought well.However no AV is perfect
 
  • Like
Reactions: JB007 and endsecure

sepik

Level 11
Verified
Well-known
Aug 21, 2018
505
Detectin is not the same than removing the malware? Like i said on my previous post, never ever rely on "security suites" that uses windows firewall.
If the system gets compromised, malware can get internet connection during early boot up and bypassing "security suite" firewall component easily.
 
  • Like
Reactions: JB007 and endsecure

Mahesh Sudula

Level 17
Thread author
Verified
Top Poster
Well-known
Sep 3, 2017
818
Palo Alto and Sophos would block on pre-exec. Most like symantec would need BB like sonar. After damage done.
Symantec not only works on Sonar..they have multiple modules like file reputation, Cloud engine, Behaviour heuristics(Very good), Sonar , Download insight, Npe based detection..
Indeed Symantec is a strong and a reliable vendor..we can trust him!
 

sepik

Level 11
Verified
Well-known
Aug 21, 2018
505
If you have a VT enterprise sub then you can see the threat timeline from first upload. Basically it goes from X/64 - 54/64 within three days. Which is too long. Top ten AVs within first 12H
12H...damage is done within that timeframe. Just use wireshark to see how in early boot stage your "firewall component" actually kicks in.
 
  • Like
Reactions: JB007 and endsecure

sepik

Level 11
Verified
Well-known
Aug 21, 2018
505
"3rd-party Firewall - Network security provided by a trusted vendor"
Go for zonealarm for low-lever kernel (ring 0) boot network protection.
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top