
Thursday 5 November 2015

Very old malware

A PHP file was just uploaded to me via FTP:

SHA256: 0cd58bfd0ba0c1222ef6bb5938002052108420746839fc2b4c4404b83255cc69

It's an obfuscated PHP script. What these usually do is give open access to anyone, who can then completely control your server.

I sent it to VirusTotal. Only six products flagged it as malware.

The following products saw no problem:

ALYac
AVG
AVware
Ad-Aware
AegisLab
Agnitum
AhnLab-V3
Alibaba
Antiy-AVL
Arcabit
Baidu-International
BitDefender
ByteHero
CAT-QuickHeal
CMC
ClamAV
Cyren
DrWeb
ESET-NOD32
Emsisoft
F-Prot
F-Secure
Fortinet
Jiangmin
K7AntiVirus
K7GW
Kaspersky
Malwarebytes
McAfee
McAfee-GW-Edition
MicroWorld-eScan
Microsoft
Panda
Rising
SUPERAntiSpyware
Sophos
Symantec
Tencent
TheHacker
TrendMicro
TrendMicro-HouseCall
VBA32
VIPRE
ViRobot
Zillya
Zoner
nProtect


The interesting thing about this particular specimen is that it was first uploaded to VirusTotal three years ago, on November 5, 2012. Three years!

How can this be? VirusTotal says "Files and URLs sent to VirusTotal will be shared with antivirus vendors and security companies so as to help them in improving their services and products." Good idea. So how come the companies listed above have not added this malware to their detection?

I have no answer to that question.
