How I got infected last time thread

danb

From VoodooShield
Developer
Thank you for the samples! I see they have already been analyzed, but here are the results for RedLine in case anyone is interested...

[Screenshots: RedLine1.PNG, RedLine2.PNG]


As @ScandinavianFish pointed out, files that are artificially inflated to file sizes greater than 500 MB can be problematic for cloud analysis (including WLC). From what I have seen and read, most malware samples have tiny file sizes so they are quick and the download is not interrupted. I think the stat is something like 90% of all malware is less than 1 MB. Thankfully VoodooAi properly detected both samples in this case. But the problem is that there just are not that many large malware samples in the wild to add to the VoodooAi training data set. So I am guessing that ML / Ai is much smarter than we think ;).

We could increase the WLC file size limit from 500 MB to 2,000 MB, I am going to check into that. Thank you guys!
 

SeriousHoax

Yeah, all these fake crack RedLine or other stealers are large in size. It is done to bypass AV products' cloud scanning/detection, especially something like Microsoft Defender. These are filled with empty bytes that can be deleted with a hex editor to reduce the size down to 1-5 MB on average.
Microsoft Defender's engine also has a weird issue: even after submitting a sample and their malware analyst telling you that a signature has been created, it won't get detected by Microsoft Defender if you access or scan the file. This happens a lot. I even discussed this with Andy Ful, and he was able to get Microsoft Defender analysts to fix it for some samples that I sent to him. But it keeps happening over and over again, so I gave up. Here's one example. The final determination is malware, but MD won't detect it on access or on scanning, only after execution.
[Screenshot: 1.png]
This has happened a couple of times with Norton as well. I saw a changelog in SEP (Symantec Endpoint Protection) regarding improving protection for large files. But that was under the behavior blocker, not the scanning engine. But probably Norton is aware of the issue. Don't know if Microsoft are.
@Shadowra gave a great explanation above and even shared a VT sample link. But I see that he has shared a rar file on VT which triggered Bitdefender's "Trojan.Hulk.Gen.5" detection. Sometimes it also triggers "Trojan.Hulk.Gen.2". But it is misleading in a way. This signature is only detecting that the actual file inside the archive is much larger than the archive itself. If the archive is password protected and you unzip it, then there would be no detection from Bitdefender for this file. All similar samples are usually password protected and may even contain a readme file like this 😄
[Screenshot: 1671644370239.png]
Those who asked me about what I saw regarding the RedLine stealers that are in the wild now: I would say that I'm someone who likes offline signatures a lot, but I guess file-based signatures/heuristics can sometimes be hit or miss when it comes to detecting malware like this. Talking about ESET, it seems ESET's engine is very capable of removing many layers of obfuscation and can reveal the code, which helps them to identify a lot of threats for file-based and in-memory detection. But it might not help when something new comes up. So it's important for an AV to be able to detect malware like this by behavior. Norton's IPS is quite good at detecting malicious traffic. IPS is one of the most important parts of Norton, while Bitdefender and Kaspersky seem to invest a decent amount of money in R&D regarding behavior blocking and other similar things.
BTW, I'm no expert. I'm just another geek on a geeky forum, so I could be wrong about some things too.
Theoretically, Norton/Symantec should be doing better, since it seems that they are always quite reactive on the threat landscape. I love reading their daily protection bulletins, which talk about recent threats and how Symantec/Norton is updating their protection features to cover the threats. I would recommend that interested readers bookmark this page to have fun reading and learning:
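The padding trick described in this post and in danb's (empty bytes appended to push a stealer past a cloud scanner's size limit) is easy to measure before deciding whether a sample is worth submitting. The script below is an added example, not code from the thread or from any product mentioned in it; the 500 MB WLC limit is quoted from danb's post, while the 90% filler threshold and the constructed sample in the test are assumptions.

```python
"""Triage check for artificially inflated samples (added example, not from the thread)."""
import math
import sys
from collections import Counter

CLOUD_LIMIT = 500 * 1024 * 1024   # WLC size limit quoted in the thread
MIN_PAD_FRACTION = 0.90           # assumption: >=90% trailing filler means "inflated"


def trailing_run(data: bytes) -> tuple[int, int]:
    """Return (byte_value, run_length) of the repeated byte that ends the file."""
    if not data:
        return (0, 0)
    last = data[-1]
    # bytes.rstrip removes every trailing copy of that one byte, so the
    # length difference is exactly the size of the filler run.
    return (last, len(data) - len(data.rstrip(bytes([last]))))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: filler is ~0, a packed/encrypted payload is close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def strip_padding(data: bytes) -> bytes:
    """The hex-editor step from the thread: drop the trailing filler run."""
    _, pad_len = trailing_run(data)
    return data[: len(data) - pad_len]


def analyze(data: bytes, limit: int = CLOUD_LIMIT) -> dict:
    """Report how much of the file is filler and whether the stripped core
    would fit under the cloud-scanner limit."""
    size = len(data)
    pad_byte, pad_len = trailing_run(data)
    core = data[: size - pad_len]
    frac = pad_len / size if size else 0.0
    return {
        "size": size,
        "pad_byte": pad_byte,
        "pad_len": pad_len,
        "pad_fraction": round(frac, 4),
        "stripped_size": len(core),
        "core_entropy": round(shannon_entropy(core[-65536:]), 2),  # tail of real payload
        "over_limit": size > limit,
        "inflated": size > limit and frac >= MIN_PAD_FRACTION,
        "scannable_after_strip": len(core) <= limit,
    }


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, analyze(fh.read()))
```

This only catches filler appended at the end of the file; padding placed inside a PE section needs a section-table walk instead, and a file made entirely of one byte value is reported as 100% filler with an empty core.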
 

Freki123

Theoretically, Norton/Symantec should be doing better, since it seems that they are always quite reactive on the threat landscape.
It would be interesting if the "Norton File reputation service" (forgot the exact name) in Norton Internet Security would give some "red flags".
Thanks @RoboMan for sharing your story and reminding us that it can happen to everyone :)
 

SeriousHoax

It would be interesting if the "Norton File reputation service" (forgot the exact name) in Norton Internet Security would give some "red flags".
They call it Norton Insight: Norton File Insight for files, Download Insight for downloaded files.
I couldn't test Norton but tested SEP which didn't react. Maybe the file size is an issue.
 

devjit2020

Hi everybody, funny how you see a new thread of mine after some time and it's a story of how I suffered what I thought I'd never suffer again, since I've been malware free for more than a decade. I'm sharing this with you to let you know, and especially to let novice users know, how careful we must be, since it's not even hard to get infected.

Today I committed a mistake. One single mistake, that cost me an infection, even when I thought I was truly protected. May this be a lesson for everybody, that if you, the user, are not careful enough, there will not be enough software to protect you.

HOW IT STARTED

I had to download a specific piece of software today. Since the version I needed to install wasn't on the official site anymore, I headed to a YouTube video that would let me download it via Mediafire or MEGA.
I clicked the video, made a quick check of it, checked the comments to see what users said about this download, and since everything was positive, I downloaded the file.
  • Norton Antivirus didn't pop up when the file was downloaded, so the first test was done.
  • A right-click context scan didn't show malware, so the second test was done.
  • I decided not to upload the file to VirusTotal, since Norton came up clean and the YouTube comments were positive.
THE INFECTION

I launched the executable file, and after some seconds, nothing happened. That's when I knew something was wrong. I immediately opened Process Explorer and Task Manager to look for any possible suspicious process, and before these two even opened, my theory became a reality.

[Attachment 271441]

Norton detected suspicious activity too. But here's the catch. Norton didn't detect the malware process. What we're seeing up there is Norton Intrusion Prevention System, which is basically like a firewall. It scans network traffic for attack signatures, such as social threats and outbound attacks, that identify attempts to exploit vulnerabilities in your operating system or in a program that you use.

And here's the other catch. The malware was still active in my system, and we had a loop. The malware process was a type of trojan that steals all the system's stored passwords. It was when this malware tried to contact home that Norton realised this was suspicious activity and realised what was going on. But here are three problems:
  1. Norton wasn't smart enough to quarantine the file that was constantly calling home
  2. Each network connection the malware tried to make was blocked, but the malware was still active
  3. Neither Norton's "smart" scan nor its full scan was able to detect the malware, even when it was triggering Norton's IPS
Wanna guess who did detect it?

RESOLUTION AND CONCLUSION

Yup, probably guessed right.

[Attachments 271442, 271443]

Long story short; malware neutralized, no information stolen and day saved.

Once this was over, I headed to the YouTube video where I had downloaded the file, and realised the mistake I had made: everything was fake.
  1. Unknown author
  2. Literally posted 6 hours ago and already had 47 comments
  3. Video title was in Spanish and all comments in English
  4. All comments were positive and posted at literally the same time
Yes, the cybercriminal had uploaded a fake video, paid for almost 50 bot comments and I slipped right in. I wasn't careful enough. I might be getting old.

Hopefully this is a lesson for everybody, most specially for me, that mistakes can be made and can cost us a lot. Luckily, I was spared to live some years more.

Also, after the semi-failure I saw today in Norton's protection, I might be re-thinking my comeback to Kaspersky.
A lot of things can be learnt from this thread (at least for me).

1) Before downloading from YT, it is necessary not only to check the comments but also to check the date and time of each comment, so as to tell whether they were made by humans or bots.

2) No antivirus is 100% perfect, so it's always safer to keep a backup of the important files (it also protects against hardware failure).

3) This one is purely my own suggestion. A program like Sandboxie or Shadow Defender comes in handy when you want to test out software that you're not sure of.

PS- I think a scan with NPE could also have caught the malware.

Stay safe and Merry Christmas and a happy new year to everyone. Thanks for sharing your experience. @RoboMan
 

Shadowra

1) Before downloading from YT, it is necessary not only to check the comments but also to check the date and time of each comment, so as to tell whether they were made by humans or bots.
It is very difficult to differentiate, because these kinds of videos are released very regularly and cyber criminals know how to bypass the YouTube system... the best is to test the file on Hybrid Analysis or in a VM
 

RoboMan

A lot of things can be learnt from this thread (at least for me).

1) Before downloading from YT, it is necessary not only to check the comments but also to check the date and time of each comment, so as to tell whether they were made by humans or bots.

2) No antivirus is 100% perfect, so it's always safer to keep a backup of the important files (it also protects against hardware failure).

3) This one is purely my own suggestion. A program like Sandboxie or Shadow Defender comes in handy when you want to test out software that you're not sure of.

PS- I think a scan with NPE could also have caught the malware.

Stay safe and Merry Christmas and a happy new year to everyone. Thanks for sharing your experience. @RoboMan
1- So true! Also, we must be extremely careful and attentive when we download software which is not hosted on the official site.
2- Excellent conclusion. Both a file and an OS backup/image must be ready to be used at all times.
3- That's correct, I should've used a sandbox to test this.

Regarding NPE, it didn't catch it. NPE is embedded into Norton products and it did pop up when the malware initially triggered Norton's IPS. Nevertheless, it detected nothing.
 

ScandinavianFish

1- So true! Also, we must be extremely careful and attentive when we download software which is not hosted on the official site.
2- Excellent conclusion. Both a file and an OS backup/image must be ready to be used at all times.
3- That's correct, I should've used a sandbox to test this.

Regarding NPE, it didn't catch it. NPE is embedded into Norton products and it did pop up when the malware initially triggered Norton's IPS. Nevertheless, it detected nothing.
Instead of switching products, you can simply switch SONAR to Aggressive and Insight a level higher to act as a default-deny.
 

Nightwalker

Instead of switching products, you can simply switch SONAR to Aggressive and Insight a level higher to act as a default-deny.

1- There is no Insight level in Norton products, just in the enterprise versions (Symantec/Broadcom).

2- SONAR Aggressive is not a silver bullet and none of these changes would act as a default-deny.

I am still using Norton despite its fail with @RoboMan, I just expected more from its behavior blocker ...
 

SeriousHoax

A program like Sandboxie or Shadow Defender comes in handy when you want to test out software that you're not sure of.
Actually, something like Sandboxie and of course Shadow Defender won't help you against data stealers like this one.
Besides, keep in mind that Norton actually protected his data. Signatures, heuristics, machine learning, behavior blocker failed but IPS prevailed. So there are multiple protection layers in a product like Norton.
But like @RoboMan & @Nightwalker said, we expect a bit more from its behavior blocker.
 

Kongo

Actually, something like Sandboxie and of course Shadow Defender won't help you against data stealers like this one.
Besides, keep in mind that Norton actually protected his data. Signatures, heuristics, machine learning, behavior blocker failed but IPS prevailed. So there are multiple protection layers in a product like Norton.
But like @RoboMan & @Nightwalker said, we expect a bit more from its behavior blocker.
Depends on the restrictions applied to Sandboxie I guess. If you restrict the network access or access to browser data, then it might work. Needs some advanced configuration of course.
 

SeriousHoax

Depends on the restrictions applied to Sandboxie I guess. If you restrict the network access or access to browser data, then it might work. Needs some advanced configuration of course.
I see, you're right. But that would defeat the purpose of testing a suspicious file. Dedicated VM or even better, a dedicated system is better for testing.
 

devjit2020

Instead of switching products, you can simply switch SONAR to Aggressive and Insight a level higher to act as a default-deny.
Would changing the levels to Aggressive have made a difference? Maybe yes or maybe no. Norton Firewall is one of the best on the market, if not the best. During the time I used Norton on my family PC I had set everything to Aggressive (Firewall, Heuristics, boot protection) and enabled Download Insight for all files. That PC was used by everyone in the family, and Norton never let any malware pass through it as long as the file was downloaded from the internet. The only time the PC got infected with Norton was from a USB autorun virus. After that I stopped using Norton and switched to ESET. I still love Norton because it offers multiple layers of protection, and no AV is bulletproof. Have they fixed the disk defragmenter problem in Norton? Last time I used it, it defragmented my SSD instead of running TRIM.
 

devjit2020

Actually, something like Sandboxie and of course Shadow Defender won't help you against data stealers like this one.
Besides, keep in mind that Norton actually protected his data. Signatures, heuristics, machine learning, behavior blocker failed but IPS prevailed. So there are multiple protection layers in a product like Norton.
But like @RoboMan & @Nightwalker said, we expect a bit more from its behavior blocker.
I'm sorry I didn't explain it clearly. SD or SB would have prevented the PC from being infected, not the credential theft. Just a restart and your PC is back to a clean state. I personally never store my passwords in any browser; the only place they are stored is my password manager, and the files are all kept encrypted on my PC as well as on my external HDD and Google Drive backup.
 

devjit2020

This is my last experience when I got infected. It was during 2019, while I was here at MT and used to test ESET at the hub. One of my college friends came to me with his huge collection of pirated games on his external HDD. I generally don't install pirated games, but I always wanted to play Assassin's Creed Rogue and my friend had an ISO. I mounted the ISO and started installing the game. As soon as the installation finished, the PC restarted itself, went into safe mode, automatically opened a couple of command prompt windows and then restarted itself again into normal mode. Now here's the SHOCK: ESET had been completely uninstalled from the PC o_O:oops::eek:. I downloaded Malwarebytes and it found a trojan and a coinminer. I reinstalled ESET and ran a full scan, and it also detected a trojan. Anyway, I decided to restore from my backup image and stay away from pirated software.
 
