Sunday, January 4, 2009

Malware Authors Present AntiMalware Vendors a Moving Target

One Site, Four Days, Four Different Trojans

Analysis of the site provides a grim reminder of the challenges and limitations of anti-malware software. (Warning: please do not visit the site; it is potentially very, very risky and downloads a variant of the Zlob trojan.) I first hit upon the site on the first of January, looking for an “additional media codec” to add to my malware collection. It looked like a run-of-the-mill spoof of PornTube, but it was linked to by plenty of other infected sites. (BTW, I have to thank Microsoft Live Search for turning up the site; I was getting bored of not finding many infected links on Google. Interesting for me, perhaps, but it is extremely risky for the general public.) I downloaded the “Active X control” in my Opera browser and scanned it for viruses on VirusTotal. Only fourteen engines could detect it. Of course, I thought that it was a new variant, but I was curious how the vendors would respond to this threat.

I followed up on the site again on the third of January, and was surprised. A new variant of the trojan was being downloaded, which was again detected by only fourteen anti-virus engines. The same story was repeated on the fourth and on the fifth. The malware distributor was moving before the anti-virus vendors could respond. In spite of updated signatures showing slightly improved detection rates, the risk to the end user visiting the site remained the same. Therefore, the updated signatures seem to be a giant waste of manpower and time for the anti-virus vendors. Making custom malware has become very common, with DIY kits being found in the underground.


Table: for each of the four visits (1st January 2009, 3rd January 2009, 4th January 2009 and 5th January 2009), the MD5 hash of the file served that day, the number of anti-virus engines that detected it initially, and the number that detected it as of 5th January.

What is the moral of the story?

  1. Do not depend on signature-based detection. It is useful in some cases, but in the face of today's web-based threats it has lost its sheen.

  2. Additional protective measures must be used. In my case, even though Avast! could not detect any of the viruses the first time, it provided protection by recognizing and blocking the malicious URL (picture given below). Similar functionality should be found in AVG LinkScanner. Look to prevent going to the sites in the first place. However, it has to be recognized that these mechanisms will also fail, which is why the following two points are extremely important.

  3. Protection by means of limited accounts and a policy of distrust towards web downloads goes a long way.

  4. Do not go searching for trouble. You, ultimately, are responsible for your own security. And look out for potential signals of trouble. In this case it was quite clear: a third-party site spoofing PornTube, and then asking for an “Active X control” in Opera.

    Picture: Looking at the address bar shows that the website is fake. The "video Active X display" should make one even more suspicious. Finally, using a limited account with parental controls will go a long way in protecting you.
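The following is an added example, not code from the original post: a small simulation of the "moving target" described above. One site (a placeholder URL, not the real one) serves a different, constructed payload on each visit day; a hash signature exists only for samples seen on an earlier day, modelling vendor lag, while a URL block list and a simple heuristic I added (an "ActiveX" download offered to a non-Internet Explorer browser) do not depend on the payload at all.

```python
"""Simulate one site serving a new dropper each day against three defensive
layers: hash signatures (lagging one visit), a URL block list, and a
browser/lure-mismatch heuristic. All URLs and payloads are constructed."""
import hashlib
from dataclasses import dataclass

SITE = "http://fake-porntube.example/codec"  # placeholder, not the real site


@dataclass
class Visit:
    day: str
    url: str
    user_agent: str
    filename: str
    payload: bytes  # constructed stand-in for that day's variant

    def md5(self) -> str:
        return hashlib.md5(self.payload).hexdigest()


# Constructed visits: same URL and lure on every day, new payload each time
VISITS = [
    Visit(d, SITE, "Opera/9.63", "video_activex.exe", f"zlob-{d}".encode())
    for d in ("1 Jan", "3 Jan", "4 Jan", "5 Jan")
]


def activex_heuristic(v: Visit) -> bool:
    """ActiveX exists only in Internet Explorer; an 'ActiveX' download served
    to any other browser is a lure, whatever the file hashes to (assumption)."""
    return "activex" in v.filename.lower() and "MSIE" not in v.user_agent


def simulate(visits, url_blocklist):
    """Per visit: (day, md5 prefix, signature hit, url hit, heuristic hit).
    A hash is added to the signature set only after the visit that served it."""
    signatures = set()
    rows = []
    for v in visits:
        rows.append((v.day, v.md5()[:8], v.md5() in signatures,
                     v.url in url_blocklist, activex_heuristic(v)))
        signatures.add(v.md5())  # vendor now knows this variant; too late for it
    return rows


def caught_by_layer(rows):
    """Count how many visits each layer would have stopped."""
    return {"signature": sum(r[2] for r in rows),
            "url": sum(r[3] for r in rows),
            "heuristic": sum(r[4] for r in rows)}


if __name__ == "__main__":
    result = simulate(VISITS, {SITE})
    for row in result:
        print(row)
    print(caught_by_layer(result))
```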


jimi said...

You can now recover knowledge from a pen drive simply. A pen drive brings us unpredictable risk along with nice convenience. The location is always accustomed to avoid wasting our handy files in a pen drive rather than in an exceedingly laptop.
windows 7 boot disc

Rebecca Lopez said...

You completely match our expectation and the variety of our information.

Isolde Alexeyeva said...

Great blog you people have maintained there, I totally appreciate the work.
pph bookmaking

Antic_Hero said...

Your site is very informative and your articles are wonderful.
website

Anonymous said...

e machines drivers
ati graphics driver
download samsung 3530 drivers
automatic driver downloader
nvidia 64 drivers

aparna john said...

Hi, Owning and planning internet sites is a thrilling experience. The technology allows web designers in Web Design Cochin to make fascinating and dynamic web sites. Thanks.