Today, another file arrived by email. It was a zip file; unpacked, it was a scr file (which is really an exe).
Scanning the zip file, 23 out of 55 products flagged it as malware. Here are the ones that passed it as clean:
ALYac
AVware
AegisLab
Agnitum
AhnLab-V3
Alibaba
Antiy-AVL
Avast
Avira
Bkav
ByteHero
CAT-QuickHeal
CMC
ClamAV
Comodo
Fortinet
Jiangmin
K7GW
Kaspersky
McAfee-GW-Edition
Microsoft
NANO-Antivirus
Panda
Rising
SUPERAntiSpyware
Symantec
TheHacker
VBA32
VIPRE
ViRobot
Zillya
Zoner
I unzipped it and scanned the scr file.
SHA256: 7ef09594202e5b619ac0332ab122f722684e896f77a2b9839d13ba79f882243f
22 out of 55 flagged it as malware; the following passed it as clean:
ALYac
AVG
AVware
AegisLab
Agnitum
Alibaba
Antiy-AVL
Avast
Avira
Bkav
ByteHero
CAT-QuickHeal
CMC
ClamAV
Comodo
F-Secure
Fortinet
Jiangmin
K7AntiVirus
K7GW
McAfee-GW-Edition
Microsoft
NANO-Antivirus
Panda
Rising
SUPERAntiSpyware
TheHacker
VBA32
VIPRE
ViRobot
Zillya
Zoner
nProtect
I find it very surprising and disturbing that so many products flag it when zipped but not when decompressed, or vice versa. Unzipping a file to scan the contents is very easy to implement (we had it implemented in Findvirus 25 years ago) and obviously important.
It's an exe file. The accompanying email said, in this case:
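To show how little work "look inside the zip" actually is, here is an added example (my own illustration, not the Findvirus code or anything from the original post). It hashes the container and every member separately, since the two are different objects as far as a scanner or a VirusTotal lookup is concerned, and flags members that carry an executable extension such as .scr or that begin with the PE "MZ" header whatever their name says. The archive it inspects is constructed inline.

```python
import hashlib
import io
import zipfile

# Extensions Windows will run directly; .scr is just a renamed .exe.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".cpl"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_like_pe(data: bytes) -> bool:
    """A Windows PE image starts with the 'MZ' DOS stub, regardless of file name."""
    return data[:2] == b"MZ"


def inspect_archive(archive_bytes: bytes) -> dict:
    """Hash the container and each member; flag members that are executables.

    The zip's hash and the members' hashes differ, so a scanner that only
    checks one of them can miss the other (the discrepancy seen above).
    """
    report = {"container_sha256": sha256_hex(archive_bytes), "members": []}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            report["members"].append({
                "name": name,
                "sha256": sha256_hex(data),
                "executable_extension": ext in EXECUTABLE_EXTENSIONS,
                "pe_header": looks_like_pe(data),
            })
    report["suspicious"] = any(m["executable_extension"] or m["pe_header"]
                               for m in report["members"])
    return report


def build_sample_archive() -> bytes:
    """Constructed sample: a zip holding a fake .scr whose bytes begin with 'MZ'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_39.scr", b"MZ" + b"\x00" * 62 + b"PE\x00\x00stub")
        zf.writestr("readme.txt", b"not an executable")
    return buf.getvalue()


if __name__ == "__main__":
    result = inspect_archive(build_sample_archive())
    print("container:", result["container_sha256"])
    for member in result["members"]:
        print(member)
    print("suspicious:", result["suspicious"])
```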
Attached is the information for the duplicate payment of Invoice #39 for $53,182.78. We have applied it to your account as a prepayment. Let me know if you would like this to be applied to future invoices or refunded.
So it's an offer of $53,000; a nice inducement to at least click on the attachment, and clicking on the attachment will run the EXE file. What it does then, I'm guessing, is download something from a remote server that does the real payload, whatever that is. I'm not interested enough to actually try it out. And anyway, the download could be different for each access (this is called server-side polymorphism, and is extremely difficult for an AV product to handle).
The fact that two dozen products flag it as malware probably means that it's been around for a while, so if the product that you're relying on doesn't flag it, you should be concerned.
But here's a much bigger concern, which I'll leave you to chew over.
Why isn't anyone else mentioning the issue of AV products being so dismal? It's very easy to make such a test; I'd guess that most people are getting several such files emailed to them each week, and it's very easy to use Virustotal.
Why the silence?