Hot Take: Malicious website escaping secure DNS

The link is detected by Norton and its family, but the malicious fake Chrome Updater is not detected.
It is the dll that is malicious. The installer probably had some functions (for reason unknown) in a module next to it. The attackers replaced the dll with a malicious one. When the installer calls the function as it normally would, it becomes a conduit for the malware. So Norton is right, the file is indeed trusted. The Symantec engines were much better at detecting sideloading.
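The post above describes the sideloading pattern: a trusted, signed installer loads a helper module from its own folder, and the attacker swaps that module for a malicious one, so the executable stays "clean" while the DLL does the work. As an added example (not code from the thread or from any vendor), the script below shows the defender-side check that catches exactly that swap: hash every DLL sitting beside the installer and compare it with a known-good manifest of the legitimate modules. The install folder, the file contents and the manifest are all constructed inside the script so it runs offline; in practice the manifest would come from the vendor's signed release listing, never from the folder being inspected.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large DLLs do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_install_dir(install_dir: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare every DLL beside the installer against the known-good manifest.

    Modules are grouped as:
      ok         - present and hash matches the manifest
      replaced   - present but hash differs (the sideloading swap)
      unexpected - a DLL the vendor never shipped (dropped alongside the installer)
      missing    - listed in the manifest but absent from the folder
    """
    report: dict[str, list[str]] = {"ok": [], "replaced": [], "unexpected": [], "missing": []}
    seen: set[str] = set()
    for dll in sorted(install_dir.glob("*.dll")):
        name = dll.name.lower()
        seen.add(name)
        expected = manifest.get(name)
        if expected is None:
            report["unexpected"].append(name)
        elif sha256_of(dll) != expected:
            report["replaced"].append(name)
        else:
            report["ok"].append(name)
    for name in manifest:
        if name not in seen:
            report["missing"].append(name)
    return report


def build_demo() -> tuple[Path, dict[str, str]]:
    """Constructed install folder (hypothetical names, stub contents, not real PE files):
    one legitimate helper DLL, one DLL whose bytes are swapped after the manifest was
    taken, one extra DLL dropped in, and one manifest entry that is not on disk."""
    d = Path(tempfile.mkdtemp(prefix="sideload_demo_"))
    (d / "updater.exe").write_bytes(b"MZ-stub installer (constructed)")
    (d / "helper.dll").write_bytes(b"MZ-stub legit helper (constructed)")
    (d / "crypto.dll").write_bytes(b"MZ-stub legit crypto (constructed)")
    manifest = {
        "helper.dll": sha256_of(d / "helper.dll"),
        "crypto.dll": sha256_of(d / "crypto.dll"),
        "net.dll": hashlib.sha256(b"constructed: module that should ship but is absent").hexdigest(),
    }
    # The swap the attacker performs: same file name, different bytes.
    (d / "crypto.dll").write_bytes(b"MZ-stub swapped payload (constructed)")
    # A module the vendor never shipped, dropped next to the installer.
    (d / "extra.dll").write_bytes(b"MZ-stub dropped module (constructed)")
    return d, manifest


if __name__ == "__main__":
    install_dir, manifest = build_demo()
    for status, names in audit_install_dir(install_dir, manifest).items():
        print(f"{status:10s} {', '.join(names) or '-'}")
```

The check is deliberately name-and-hash based rather than signature based: a sideloaded DLL may itself carry a valid signature from some other publisher, and a vendor's own unsigned helper would fail a signature check while still being the genuine file. Hash comparison against the release manifest answers the only question that matters here, namely whether the module beside the installer is the one the vendor shipped.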
 
Thanks for the clarification.

Btw only a few products do detect this malicious DLL. BD and Eset do, but Kaspersky, McAfee, Norton, Malwarebytes do not.
 
SAC kicks in during such situations.
 
Now Avast detects the malicious DLL file.

Edit:

detection name: Other:Malware-gen [Trj]

btw Norton does not remove the whole zip file, it only removes the infected file within the archive. I am not sure how it does that.
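On the question of how a scanner can drop a single infected member and leave the rest of the archive intact: a ZIP file is a sequence of independently compressed entries plus a central directory, so the archive can be rewritten entry by entry with the flagged member skipped. The following is an added illustration of that idea (not Norton's code, and the archive and file names are constructed for the demo); it copies every surviving entry's raw data and metadata and writes a new archive without the flagged DLL.

```python
import io
import zipfile


def remove_members(zip_bytes: bytes, flagged: set[str]) -> bytes:
    """Rebuild the archive without the flagged members.

    Each surviving entry is re-added with its original ZipInfo, so compression
    method, timestamps and attributes are carried over unchanged.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename in flagged:
                continue  # the infected member is simply not copied
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def member_names(zip_bytes: bytes) -> list[str]:
    """List entries in archive order, used to confirm what survived the rewrite."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return z.namelist()


def read_member(zip_bytes: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return z.read(name)


def build_demo_zip() -> bytes:
    """Constructed archive mimicking a fake updater bundle: stub contents, not real PE files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("ChromeUpdater/updater.exe", b"MZ-stub installer (constructed)")
        z.writestr("ChromeUpdater/helper.dll", b"MZ-stub flagged module (constructed)")
        z.writestr("ChromeUpdater/readme.txt", b"constructed readme")
    return buf.getvalue()


if __name__ == "__main__":
    original = build_demo_zip()
    cleaned = remove_members(original, {"ChromeUpdater/helper.dll"})
    print("before:", member_names(original))
    print("after: ", member_names(cleaned))
```

The only side effect on the user is that the clean entries keep working while the flagged one is gone, which matches what the post observes: the zip is still there, only the infected file inside it is not.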
 
The current situation:

The website is flagged, even by SmartScreen
[Screenshot: Screenshot_9-12-2025_213436_pyramind.com.jpeg]

And the fake installer is flagged by B and ESET on VT, although several members kindly reported being detected by several AVs on machines.

[Screenshot: Screenshot_9-12-2025_213530_www.virustotal.com.jpeg]
 
That was a good test on how fast products can flag malicious websites and files, but I do understand that it might not be accurate depending on vendors policies.

They might choose not to flag something so as not to bloat their databases with unnecessary detections.

I have submitted the file to Kaspersky, but they still have not added a detection for it for example.
 
This security gap could not be filled, except by common sense, which requires common cybersecurity knowledge.
I'm not sure if this is a gap. What are the chances that you might get to that particular website? You found it on Reddit and I bet you would have never encountered it in real life.
 
Still there is a chance to visit and download the fake installer; your AV will save you hours later, but not hours earlier; such hours are a security gap.

Only your suspicion, not AV, not app control, not encrypted dns, not firewall, will save you.
 
True, but they decrease the risk: you can lock your doors, but you can also lock your windows and chimney; every little bit of security can plug some hole hackers like to abuse.