Pages

Wednesday, 28 October 2015

Another DOC file

This claims to be a fax, I'm supposed to read it using MS Word.

SHA256: 92f733da9ba440f0632b495a32742d47a5cb296f49127f210e14de412e371bf8 

It's malware, of course. 28 people on VirusTotal have flagged it as malware, and 9/54 products flag it. Here's the ones that don't detect any problem:

ALYac        
AVG        
Ad-Aware        
AegisLab        
Agnitum        
AhnLab-V3        
Alibaba        
Antiy-AVL        
Avast        
Baidu-International        
BitDefender        
Bkav        
ByteHero        
CAT-QuickHeal        
CMC        
ClamAV        
Comodo        
Cyren        
DrWeb        
Emsisoft        
F-Prot        
Fortinet        
GData        
Ikarus        
Jiangmin        
K7AntiVirus        
K7GW        
Kaspersky        
Malwarebytes        
McAfee        
McAfee-GW-Edition        
MicroWorld-eScan        
Microsoft        
NANO-Antivirus        
Qihoo-360        
Rising        
SUPERAntiSpyware        
Symantec        
Tencent        
TheHacker        
VBA32        
ViRobot        
Zillya        
Zoner        
nProtect


According to VirusTotal, it was first uploaded 7 hours ago. This is the same file as I uploaded a few hours ago "Another incoming DOC file", you can tell because it has the same SHA256. So, in the last few hours, four more products have started to flag it.

25 years ago, viruses spread very slowly; quarterly updates were good enough - monthly if you were paranoid. I'd tell people "If you see a virus today, I probably saw it six months ago". Actually the lag was more than a year.

Today, it's a completely different situation. This file, according to its internal stats, was last updated on 2015:10:28 08:19:00 - that's today! For the signature-scanning-with-updates approach to work today, products need to be updated more often than hourly.

I suspect that's not possible. The virus lab would have to acquire the specimen, sufficiently analyse it, choose a scan string that wouldn't give false alarms, test all this and upload it to all their customers. To do all this within an hour? And they're in a race. The malware distributor sent out a million emails, all these have arrived at your customers' mailboxes, and now you get to see a specimen. You're racing against your customers opening the file, reading the message, and deciding to open the DOC file because it's really really important.

Better, would be to disable automated running of macros. But, of course, if you do that, you don't need an antivirus to flag this as malware.


... later ...


14 hours after it was first uploaded to Virustotal, 22 out of 55 products flag it as malware. The products still failing to flag it are:

ALYac        
AVG        
AegisLab        
Agnitum        
AhnLab-V3        
Alibaba        
Antiy-AVL        
Avast        
Avira        
Baidu-International        
Bkav        
ByteHero        
CAT-QuickHeal        
CMC        
ClamAV        
Comodo        
Jiangmin        
K7AntiVirus        
K7GW        
Malwarebytes        
McAfee-GW-Edition        
NANO-Antivirus        
Qihoo-360        
Rising        
SUPERAntiSpyware        
Symantec        
Tencent        
TheHacker        
VBA32        
ViRobot        
Zillya        
Zoner        
nProtect         




No comments:

Post a comment