Pages

Wednesday 21 October 2015

Antivirus - not good enough.

I checked my email this morning, and among the real emails, the spams and the scams, were three emails with attachments; two zips and a doc. Inside the zip files were one exe file and an obfuscated javascript. I haven't done a deeper analysis, but they're obviously malware.

The Javascript is identified using Virustotal by 14 out of 56 products, and it's JS/Nemucod.q. It downloads something malicious to your computer.

The zip file containing the exe, is detected by 2 out of 55 products. I unzipped the file and tested the exe file with Virustotal. That should, if anything, make it easier to detect. But one of the products tested (Sophos) passed that as clean, whereas when it was zipped, it said it was malware. Very strange!

The doc file was passed as clean by all 56 products. Does that mean that it is, indeed, clean? Not likely. The file name was "Invoice 7500005791.doc"; it's claiming to be an invoice for something; that's a standard ploy to get you to open the file. Here's an analysis of it.

So there you have it. None of these 56 products are able to find all three of the malware that were emailed to me over the last 12 hours.

Not good enough.


 ... later ...

Two more arrived.

my_resume_3455.doc, found by 6 out of 56
Notification Email..pdf found by 0 out of 56
Secure Message.doc found by 0 out of 56

4 comments:

  1. Hello,

    Of course, it's important to also remember that VirusTotal's results are, of necessity, incomplete, as they only use CLI scanners from anti-malware companies and not their full engines, as noted at www.virustotal.com/en/faq/#statistics (amongst other places).

    The fact that a file was not reported on Virus Total by a program listed there does not necessarily mean it is missed by the full version of the program.

    Regards,

    Aryeh Goretsky

    ReplyDelete
  2. Lancs police were Tweeting like crazy that emails not from them. Annoying. "Their" emails no different from all of the others with malware received daily. BTW: Gmail usually traps them all.

    ReplyDelete
  3. Why would the Command Line Interface scanner be any worse than their "full engine"? Are you suggesting that some companies have more than one issue of their product, and that some issues of the same product are better than others?

    I know that this would not have been the case with the scanner that I wrote.

    ReplyDelete
  4. It's good that Gmail usually traps them all. But I doubt if many corporates get their email on gmail accounts!

    ReplyDelete