A PHP file was just uploaded to my server via FTP, SHA256 0cd58bfd0ba0c1222ef6bb5938002052108420746839fc2b4c4404b83255cc69.
It's an obfuscated PHP script. What these usually do is give anyone open access, after which they can completely control your server.
I sent it to VirusTotal. Only six products flagged it as malware.
The following products saw no problem:
ALYac
AVG
AVware
Ad-Aware
AegisLab
Agnitum
AhnLab-V3
Alibaba
Antiy-AVL
Arcabit
Baidu-International
BitDefender
ByteHero
CAT-QuickHeal
CMC
ClamAV
Cyren
DrWeb
ESET-NOD32
Emsisoft
F-Prot
F-Secure
Fortinet
Jiangmin
K7AntiVirus
K7GW
Kaspersky
Malwarebytes
McAfee
McAfee-GW-Edition
MicroWorld-eScan
Microsoft
Panda
Rising
SUPERAntiSpyware
Sophos
Symantec
Tencent
TheHacker
TrendMicro
TrendMicro-HouseCall
VBA32
VIPRE
ViRobot
Zillya
Zoner
nProtect
The interesting thing about this particular specimen is that it was first uploaded to VirusTotal three years ago, on November 5, 2012. Three years!
How can this be? VirusTotal says "Files and URLs sent to VirusTotal will be shared with antivirus vendors and security companies so as to help them in improving their services and products." Good idea. So how come the companies listed above have not added this malware to their detection?
I have no answer to that question.
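Given that an obfuscated PHP file can sit in a web root for years without the vendors above flagging it, a local check that does not depend on AV signatures is worth having. The following Python script is an added example, not part of the original post: it walks a directory for .php files, compares each SHA256 against the hash quoted above, and flags the usual eval/base64/gzinflate wrappers, direct execution of request parameters, and unusually high byte entropy. The sample file content and the entropy threshold are constructed assumptions for illustration.

```python
import hashlib
import math
import re
from collections import Counter
from pathlib import Path

# The only real value here is the SHA256 quoted in the post; everything else is constructed.
KNOWN_BAD_SHA256 = {"0cd58bfd0ba0c1222ef6bb5938002052108420746839fc2b4c4404b83255cc69"}

# Constructed sample of the usual obfuscation wrapper; the payload decodes to a harmless echo.
SAMPLE_OBFUSCATED = b"<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>"

# Constructs that rarely appear together in legitimate application code.
OBFUSCATION_PATTERNS = [
    re.compile(rb"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\b", re.I),
    re.compile(rb"\b(base64_decode|gzinflate)\s*\(\s*['\"][A-Za-z0-9+/=]{200,}", re.I),
    re.compile(rb"\b(eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
]
ENTROPY_THRESHOLD = 5.5  # assumed cut-off: plain PHP source sits well below, encoded blobs above

def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the whole file; 0.0 for an empty file."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def analyze_php(data: bytes) -> dict:
    """Return hash match, pattern hits and entropy for one PHP file's bytes."""
    digest = hashlib.sha256(data).hexdigest()
    hits = [p.pattern.decode() for p in OBFUSCATION_PATTERNS if p.search(data)]
    entropy = round(shannon_entropy(data), 2)
    known_bad = digest in KNOWN_BAD_SHA256
    return {
        "sha256": digest,
        "known_bad": known_bad,
        "patterns": hits,
        "entropy": entropy,
        "suspicious": known_bad or bool(hits) or entropy > ENTROPY_THRESHOLD,
    }

def scan_tree(root: Path) -> list:
    """Walk a web root and return (path, indicators) for every suspicious .php file."""
    results = ((str(p), analyze_php(p.read_bytes())) for p in sorted(root.rglob("*.php")))
    return [(path, info) for path, info in results if info["suspicious"]]

if __name__ == "__main__":
    print(analyze_php(SAMPLE_OBFUSCATED))
```

Run `scan_tree(Path("/var/www"))` from a cron job and diff the output against the previous run; a new hit on a host that only receives uploads via FTP is exactly the event described in this post.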