How I got infected last time thread
[QUOTE="SeriousHoax, post: 1015894, member: 78686"]
Yeah, all these fake crack RedLine or other stealers are large in size. It is done to bypass AV products' cloud scanning/detection, especially something like Microsoft Defender. These are filled with empty bytes that can be deleted by a hex editor to reduce the size down to 1-5 MB on average.

Microsoft Defender's engine also has a weird issue that even after submitting and their malware analyst telling you that a signature has been created, it won't get detected by Microsoft Defender if you access or scan the file. This happens a lot. I even discussed this with Andy Ful, and he was able to get Microsoft Defender analysts to fix it for some samples that I sent to him. But it keeps happening over and over again, so I gave up. Here's one example. The final determination is malware, but MD won't detect it on access or on scanning, only after execution.

[ATTACH width="197px" alt="1.png"]271475[/ATTACH]

This has happened a couple of times with Norton as well. I saw a changelog in SEP (Symantec Endpoint Protection) regarding improving protection for large files. But that was under behavior blocker, not the scanning engine. But probably Norton is aware of the issue. Don't know if Microsoft are.

[USER=92939]@Shadowra[/USER] did a great explanation above and even shared a VT sample link. But I see that he has shared a rar file in VT which triggered Bitdefender's "Trojan.Hulk.Gen.5" detection. Sometimes it also triggers "Trojan.Hulk.Gen.2". But it is misleading in a way. This signature is only detecting that the actual file inside the archive is much larger than the archive itself. If the archive is password protected, and you unzip it, then there would be no detection from Bitdefender for this file. All similar samples are usually always password protected and may even contain a readme file like this 😄

[ATTACH width="470px" alt="1671644370239.png"]271478[/ATTACH]

Those who asked me about what I saw regarding the RedLine stealers that are in the wild now, I would say that I'm someone who likes offline signatures a lot, but I guess file based signatures/heuristics sometimes can be a hit or miss when it comes to detecting malware like this. Talking about ESET, it seems ESET's engine is very capable of removing many layers of obfuscation and can reveal the code, which helps them to identify a lot of threats for file based and in memory detection. But it might not help when something new comes up. So it's important for an AV to be able to detect malware like this by behavior. Norton's IPS is quite good at detecting malicious traffic. IPS is one of the most important parts of Norton, while Bitdefender and Kaspersky seem to invest a decent amount of money in R&D regarding behavior blocking and other similar things.

BTW, I'm no expert. I'm just another geek on a geeky forum, so I could be wrong about some things too.

Theoretically, Norton/Symantec should be doing better, since it seems that they are always quite reactive on the threat landscape. I love reading their daily protection bulletins, which talk about recent threats and how Symantec/Norton is updating their protection features to cover the threats. I would recommend interested readers to bookmark this page to have fun reading and learning:

[URL unfurl="true"]https://www.broadcom.com/support/security-center/protection-bulletin[/URL]
[/QUOTE]
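The two artifacts the post describes, a binary inflated with runs of zero bytes so it stays above cloud-scan size limits and an archive whose member expands to many times the archive's own size, are both measurable on the defender's side. The block below is an added example written for this page, not code from the quoted post or from Bitdefender, Microsoft or any other vendor, and its thresholds (`ZERO_FRACTION_THRESHOLD`, `ZERO_RUN_THRESHOLD`, `EXPANSION_THRESHOLD`) are assumptions chosen for illustration, not any product's tuning. It goes slightly beyond the post: the archive check reads only the zip central directory, so it still works on a password-protected archive whose content cannot be inspected, while the zero-padding check is what remains useful on the file after it has been extracted, which is exactly the case where the post says the archive-ratio signature no longer fires. The samples are constructed in memory; the "malware" is just a non-zero pattern followed by zeros.

```python
"""Triage heuristics for inflated droppers and over-expanding archives.

Added example for this thread, not vendor code. Thresholds are assumptions.
"""
import io
import os
import re
import zipfile

ZERO_FRACTION_THRESHOLD = 0.90      # assumption: >= 90% zero bytes is suspicious
ZERO_RUN_THRESHOLD = 1024 * 1024    # assumption: one contiguous run of >= 1 MiB zeros
EXPANSION_THRESHOLD = 100.0         # assumption: member is >= 100x the archive size


def zero_padding_stats(data: bytes) -> dict:
    """Fraction of zero bytes and the longest contiguous run of zeros."""
    total = len(data)
    if total == 0:
        return {"zero_fraction": 0.0, "longest_zero_run": 0}
    longest = max((m.end() - m.start() for m in re.finditer(rb"\x00+", data)), default=0)
    return {"zero_fraction": data.count(0) / total, "longest_zero_run": longest}


def is_zero_padded(data: bytes) -> bool:
    """True when the file looks inflated with empty bytes (either test suffices)."""
    s = zero_padding_stats(data)
    return (s["zero_fraction"] >= ZERO_FRACTION_THRESHOLD
            or s["longest_zero_run"] >= ZERO_RUN_THRESHOLD)


def archive_expansion(zip_bytes: bytes) -> dict:
    """Per-member uncompressed size versus the size of the whole archive.

    Uses only central-directory metadata, so it also works when the members
    are encrypted and their content cannot be read without the password.
    """
    archive_size = len(zip_bytes)
    members = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            members[info.filename] = {
                "uncompressed": info.file_size,
                "compressed": info.compress_size,
                "expansion_ratio": info.file_size / archive_size if archive_size else 0.0,
                "encrypted": bool(info.flag_bits & 0x1),  # zip general-purpose bit 0
            }
    return members


def triage(zip_bytes: bytes) -> dict:
    """Map each member name to the list of heuristics it tripped."""
    findings = {}
    members = archive_expansion(zip_bytes)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name, meta in members.items():
            flags = []
            if meta["expansion_ratio"] >= EXPANSION_THRESHOLD:
                flags.append("archive_expansion")
            # Content check only possible for members we can actually read.
            if not meta["encrypted"] and is_zero_padded(zf.read(name)):
                flags.append("zero_padded")
            findings[name] = flags
    return findings


def build_padded_sample(payload_size: int, padding_size: int) -> bytes:
    """Constructed stand-in for an inflated dropper: a small non-zero body
    followed by a block of zero bytes. Not a real binary."""
    payload = bytes(1 + (i % 250) for i in range(payload_size))  # never a zero byte
    return payload + b"\x00" * padding_size


def build_zip(member_name: str, data: bytes) -> bytes:
    """Deflate the sample into an in-memory zip (stdlib cannot write encrypted zips)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED, compresslevel=9) as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


if __name__ == "__main__":
    inflated = build_zip("setup.exe", build_padded_sample(4096, 4 * 1024 * 1024))
    benign = build_zip("tool.exe", os.urandom(4096))  # incompressible, no zero runs
    for label, archive in (("inflated", inflated), ("benign", benign)):
        print(label, len(archive), "bytes ->", triage(archive))
```

Both checks are cheap and false-positive-prone in isolation (sparse files, disk images and some installers legitimately contain long zero runs, and any highly compressible archive has a large expansion ratio), so they belong in a triage score or a sandbox routing rule rather than as a standalone verdict.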