Malware bypass Comodo Firewall @ CS settings
cruelsister wrote (post 623849):

Sorry I wasn't around for this discussion! I had a little time to play around with this file and as AV Gurus most excellently demonstrated this file was able to drop into AppData and set itself up for AutoStart. That's the downside (and pretty significant although as mentioned by Umbra it's because some Schmuck at Comodo set it as Trusted). The upside is that as this is an info-stealer the actual malicious potential was negated by the Firewall (at my settings) which blocked the initial connection out to first Command in Paris (the temp files created in the Temp directory were not able to be transmitted).

(Digression- stuff like this always makes me glad to have Scotty alive and alert on my system. WinPatrol will alert to autostart changes for which one may be otherwise unaware)

As I was curious if this issue was intrinsic to this particular file or if it was a general reaction to this class of Banker (that would suck Big Time) I did some minor playing with the file.

The original: Antivirus scan for 190d5c8de27115b98484d653dff246fc05ce02ac69fedd009e469d7535f3faeb at 2017-04-29 21:32:59 UTC - VirusTotal
https://www.virustotal.com/en/file/190d5c8de27115b98484d653dff246fc05ce02ac69fedd009e469d7535f3faeb/analysis/1493501579/

Messing with it slightly: Antivirus scan for f1ca8d86bd7e4a29c543bbd6b286f3098aeb02e996ee3b4105c9cd355ca931ac at 2017-04-29 21:19:31 UTC - VirusTotal
https://www.virustotal.com/en/file/f1ca8d86bd7e4a29c543bbd6b286f3098aeb02e996ee3b4105c9cd355ca931ac/analysis/1493500771/

Or more extremely: Antivirus scan for d4283f3a737f5abcfa9d4d7d1f162f4ea3653df193ed3ae8cc2b2add6179985e at 2017-04-29 21:10:02 UTC - VirusTotal
https://www.virustotal.com/en/file/d4283f3a737f5abcfa9d4d7d1f162f4ea3653df193ed3ae8cc2b2add6179985e/analysis/1493500202/

These yielded the results that the latter 2 were indeed sandboxed, thus showing (at least to me) that this was not a general bypass and that someone at Comodo should not get a bonus this year.

But my compliments to AV Gurus for bringing this to everyone's attention!

Oh yeah- forgot to mention this- After running the initial malware sample, rebooting and making sure the drop autostarted, I did scans with MB, HMP, and Zemana portable. ZAM and HMP detected the thingy in memory; MB did not. Just what is going on at Malwarebytes lately?
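The post above makes two defensive points: the sample persisted by dropping into AppData and registering an autostart, and a tool like WinPatrol is valuable precisely because it alerts on autostart changes the user would otherwise miss. The script below is an added example, not code from the post, from WinPatrol or from Comodo, showing the bare mechanics of such a check: it snapshots the HKCU/HKLM Run and RunOnce keys plus the per-user and common Startup folders into a baseline file, and on later runs reports entries that were added, modified or removed. The baseline location ($BaselinePath) and the set of locations covered are assumptions; services, scheduled tasks and WMI subscriptions are deliberately out of scope.

```powershell
# Added example: baseline-and-diff check of common Windows autostart locations.
# Assumptions (not from the post): baseline lives in %LOCALAPPDATA%; only the
# Run/RunOnce keys and the two Startup folders are inspected.

$BaselinePath = "$env:LOCALAPPDATA\autostart-baseline.json"

function Get-AutostartEntries {
    # Returns a hashtable of location -> value (registry data or file SHA-256).
    $entries = @{}
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            # Cast to string so binary/multi-string data survives the JSON round trip.
            $entries["$key\$name"] = [string]$item.GetValue($name)
        }
    }
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File | ForEach-Object {
            # Hashing the file (not just its name) catches a replaced launcher.
            $entries[$_.FullName] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
    return $entries
}

function Compare-Autostart {
    param([hashtable]$Baseline, [hashtable]$Current)
    $changes = @()
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) {
            $changes += [pscustomobject]@{ Change = 'Added';    Location = $k; Value = $Current[$k] }
        } elseif ($Baseline[$k] -ne $Current[$k]) {
            $changes += [pscustomobject]@{ Change = 'Modified'; Location = $k; Value = $Current[$k] }
        }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) {
            $changes += [pscustomobject]@{ Change = 'Removed';  Location = $k; Value = $Baseline[$k] }
        }
    }
    return $changes
}

$current = Get-AutostartEntries

# First run: record the known-good state and stop.
if (-not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) entries)."
    return
}

# ConvertFrom-Json yields a PSCustomObject; rebuild a hashtable for comparison.
$baseline = @{}
(Get-Content -Raw $BaselinePath | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = [string]$_.Value }

$changes = Compare-Autostart -Baseline $baseline -Current $current
if (-not $changes -or $changes.Count -eq 0) {
    Write-Host 'No autostart changes since baseline.'
} else {
    # Anything listed here was not present, or not identical, when the baseline was taken.
    $changes | Format-Table -AutoSize
}
```

Run it once on a clean system to write the baseline, then again after a reboot (as the post does) to see whether a new Run value or Startup-folder file appeared. Reading HKLM keys needs no elevation; writing the baseline to a location the user can modify means a process running as that user could also tamper with it, so for anything beyond a test box the baseline belongs somewhere the monitored account cannot write.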