One Site, Four Days, Four Different Trojans
Analysis of the site everclipz.com provides a grim reminder of the challenges and limitations of anti-malware software. (Warning: please do not visit the site; it is extremely risky and serves a variant of the Zlob trojan.) I first hit upon the site on the first of January, looking for an “additional media codec” to add to my malware collection. It looked like a run-of-the-mill spoof of PornTube, but it was linked to by plenty of other infected sites. (By the way, I have to thank Microsoft Live Search for surfacing the site; I was getting bored of not finding many infected links on Google, which is interesting for me perhaps, but extremely risky for the general public.) I downloaded the “ActiveX control” in my Opera browser and scanned it on VirusTotal. Only fourteen engines could detect it. Of course, I thought it was a new variant, but I was curious how the vendors would respond to this threat.
I followed up on the site again on the third of January and was surprised: a new variant of the trojan was being served, again detected by only fourteen engines. The same story was repeated on the fourth and on the fifth. The malware distributor was moving before the anti-virus vendors could respond. In spite of updated signatures showing slightly improved detection rates, the risk to an end user visiting the site remained the same: each day's build arrived with a fresh hash that only a minority of engines recognised. Therefore, the updated signatures seem to be a giant waste of manpower and time for the anti-virus vendors. Making custom malware has become very common, with DIY kits being found in the underground.
| | 1st January 2009 | 3rd January 2009 | 4th January 2009 | 5th January 2009 |
|---|---|---|---|---|
| MD5 hash | 4852a1513534cc7252d5fe4bbd913951 | 162d9fda8047df16190182a8ea4897f5 | a326a54e41a56083289aa863d060cfad | a96a824f19c2da0b6c90201fb01f4ef6 |
| Engines detecting it at first submission | 14 | 14 | 14 | 12 |
| Engines detecting it on 5th January | 20 | 17 | 15 | 12 |
What is the moral of the story?
- Do not depend on signature-based detection. It is useful in some cases, but in the face of today's web-based threats it has lost its sheen.
- Additional protective measures must be used. In my case, even though Avast! could not detect any of the samples the first time, it provided protection by recognising and blocking the malicious URL (pic given below). Similar functionality should be found in AVG Link Scanner. The aim is to block the visit to the site before any download happens. However, it has to be recognised that these mechanisms will also fail, as a result of which the following point is extremely important.
- Do not go searching for trouble. You, ultimately, are responsible for your own security, and you should look out for potential signals of trouble. In this case it was quite clear: a third-party site spoofing PornTube and then asking for an “ActiveX control” in Opera, a browser that does not run ActiveX at all.

Picture: Looking at the address bar shows that the website is fake. The "video ActiveX display" prompt should make one even more suspicious. Finally, using a limited account with parental controls will go a long way in protecting you.
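The three morals above can be put side by side in a few lines of code. The following is an added illustration, not code from the original post or from any anti-virus product: it models the signature layer as an exact MD5 match and the URL-reputation layer as a host blocklist, then runs three scenarios through both. The sample bytes are constructed stand-ins for the daily "codec" downloads (the real files are not reproduced), the host `codec-mirror.invalid` is a constructed placeholder for a distributor moving to a fresh domain, and `everclipz.com` is the host named in the post.

```python
# Added example: hash signatures versus URL blocking, as contrasted in the post.
# Sample bytes and the second host are constructed; everclipz.com is from the post.
import hashlib
from urllib.parse import urlparse

# Constructed stand-in for the "codec" served on 1st January.
SAMPLE_DAY1 = b"MZ\x90\x00" + b"fake codec build 1 " * 8
# Constructed stand-in for the 3rd January build: the same trojan, repacked.
# A single changed byte is enough to give it a brand-new MD5.
SAMPLE_DAY3 = SAMPLE_DAY1[:-1] + b"3"


def md5_hex(data: bytes) -> str:
    """MD5 of a file body, the identifier the post's table is keyed on."""
    return hashlib.md5(data).hexdigest()


# Signature database as it stood after the 1st January sample was analysed.
SIGNATURES = {md5_hex(SAMPLE_DAY1)}

# Host reputation list: what Avast!'s URL blocking did for the author.
BLOCKED_HOSTS = {"everclipz.com"}


def hash_signature_hit(data: bytes) -> bool:
    """Signature layer: an exact hash match, nothing fuzzier."""
    return md5_hex(data) in SIGNATURES


def url_blocked(url: str) -> bool:
    """Reputation layer: refuse the blocked host and any of its subdomains."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in BLOCKED_HOSTS)


def verdict(url: str, data: bytes) -> dict:
    """Combine both layers; the download is stopped if either one fires."""
    sig = hash_signature_hit(data)
    rep = url_blocked(url)
    return {"signature": sig, "reputation": rep, "blocked": sig or rep}


# Three scenarios matching the post's narrative.
SCENARIOS = [
    # 1st January: the analysed build from the known-bad host -> both layers fire.
    ("day1 from everclipz", "http://everclipz.com/video/codec.exe", SAMPLE_DAY1),
    # 3rd January: repacked build, same host -> only URL blocking saves the user.
    ("day3 from everclipz", "http://www.everclipz.com/video/codec.exe", SAMPLE_DAY3),
    # Repacked build from a new (constructed) host -> neither layer fires;
    # only the user's own suspicion (the post's third moral) is left.
    ("day3 from new host", "http://codec-mirror.invalid/codec.exe", SAMPLE_DAY3),
]


def run_scenarios() -> dict:
    """Return the verdict for every scenario, keyed by its label."""
    return {label: verdict(url, data) for label, url, data in SCENARIOS}


if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(f"{label:22s} {result}")
```

The second scenario is the post's table in miniature: the signature database is one build behind, so the hash check misses while the host check still holds. The third scenario is the caveat from the second moral, since a blocklist is only as good as the last host it learned about.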