
Slow Anti-Virus signatures....

Old 3rd Oct 2014, 11:43
  #1 (permalink)  
Thread Starter
 
Join Date: Aug 2002
Location: Earth
Posts: 3,663
Likes: 0
Received 0 Likes on 0 Posts

The following fairly unscientific test may interest some of you.

Over the last 72 hours I received a number of zero-day viruses fresh from the wild. What has interested me is the state of play in virus signatures being created by the vendors....

Commercial vendors F-Secure and Avira were the quickest in analysing my file and pushing out new definitions .... they did so within 2-3 hours of me submitting the file. The rest of the vendors had updates by the end of the day, except for all the freebie providers Avast, AVG, Malwarebytes etc. who didn't release updates until the afternoon of the next day.

Interestingly enough, for two of my files, little known Vietnamese AV company CMC already had definitions.....

But what's more interesting is the current state of play, I've just re-analysed the original file from the 1st of October .....

The following vendors all have definitions :
AVG, Ad-Aware, Avast, Avira, Baidu-International, BitDefender, CMC, ESET-NOD32, Emsisoft, F-Secure, Fortinet, GData, Ikarus, Malwarebytes, McAfee, MicroWorld-eScan, NANO-Antivirus, Norman, Panda, Qihoo-360, Sophos

But the virus still goes undetected in the following :
AVware, AegisLab, Agnitum, AhnLab-V3, Antiy-AVL, Bkav, ByteHero, CAT-QuickHeal, ClamAV, Comodo, Cyren, DrWeb, F-Prot, Jiangmin, K7AntiVirus, K7GW, Kaspersky, Kingsoft, McAfee-GW-Edition, Microsoft, Rising, SUPERAntiSpyware, Symantec, Tencent, TheHacker, TotalDefense, TrendMicro, TrendMicro-HouseCall, VBA32, VIPRE, ViRobot, Zillya, Zoner


So I guess the old story remains with unsolicited attachments .... caveat emptor. Looks like the virus writers are currently temporarily ahead in the game at the moment....
mixture is offline  
Old 3rd Oct 2014, 13:01
  #2 (permalink)  
 
Join Date: Jan 2008
Location: Timbuktu
Posts: 962
Likes: 0
Received 0 Likes on 0 Posts
Hmm. Interesting. I would have thought Kaspersky with dodgy Russian heritage would be quicker off the mark
What kind of attachments / files are we talking about? Dodgy PDFs? Or something that can be filtered by an email server e.g. .exe or .bin or something?
Booglebox is offline  
Old 3rd Oct 2014, 13:13
  #3 (permalink)  
Thread Starter
 
Join Date: Aug 2002
Location: Earth
Posts: 3,663
Likes: 0
Received 0 Likes on 0 Posts
I would have thought Kaspersky with dodgy Russian heritage would be quicker off the mark
Yes, Kaspersky surprised me too! Normally they're first off the post, well ahead of anyone else (or a close second to F-Secure who have an excellent Scandinavian team).

What kind of attachments / files are we talking about? Dodgy PDFs? Or something that can be filtered by an email server e.g. .exe or .bin or something?
Compressed files (rar format, which in itself is fairly unusual to see, but looks like a new way to get past people who just scan zip format). Inside the compressed file is an exe. The exe installed a trojan virus that is a keylogger.

I'm guessing the rar must be self-expanding because not many people will have rar extractors installed (unless newer versions of Windows natively support rar? It's been a while since I tried).

One of the files I looked at leaves the following traces of its presence in the registry....

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\IP
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Options
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\RTF
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Text
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Word6
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Write

The background process makes lookups to domain names that start with :
stahltech
jotoocourt
test.quimall
okmax
(I have omitted the domain suffixes)

Last edited by mixture; 3rd Oct 2014 at 13:45.
mixture is offline  
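An added example, not from the post above or the analysis system it mentions: a small Python triage script that runs the indicators from post #3 (the Wordpad applet registry keys and the four domain-name prefixes) over constructed registry and DNS log lines. The log line format and the domain suffixes are assumptions, since the post omits the suffixes.

```python
# Indicators as given in the post: the Wordpad applet registry path and
# the leftmost part of the looked-up domain names (suffixes were omitted
# in the post, so only the label prefix is matched here).
REG_PREFIX = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad"
DOMAIN_PREFIXES = ("stahltech", "jotoocourt", "test.quimall", "okmax")

# Constructed sample log lines (assumed format: "<source> <value>").
SAMPLE_LOGS = [
    r"REG HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\IP",
    r"REG HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
    "DNS stahltech.example.invalid",
    "DNS test.quimall.example.invalid",
    "DNS www.stahltech.example.invalid",
    "DNS okmaxwell.example.invalid",
    "DNS updates.example.invalid",
]

def registry_hit(path):
    """True when the path is the Wordpad applet key or one of its subkeys.
    WordPad itself keeps settings under this key, so a hit is a lead to
    inspect the values (the IP subkey is not a WordPad setting), not proof."""
    p = path.lower()
    base = REG_PREFIX.lower()
    return p == base or p.startswith(base + "\\")

def domain_hit(name):
    """True when the hostname begins with one of the listed prefixes.
    Matching is anchored on label boundaries: 'okmaxwell' is not a hit,
    while 'test.quimall.<suffix>' is (that prefix spans two labels)."""
    n = name.lower().rstrip(".")
    return any(n == pre or n.startswith(pre + ".") for pre in DOMAIN_PREFIXES)

def triage(lines):
    """Return the (source, value) pairs that match any indicator."""
    hits = []
    for line in lines:
        source, _, value = line.partition(" ")
        if source == "REG" and registry_hit(value):
            hits.append((source, value))
        elif source == "DNS" and domain_hit(value):
            hits.append((source, value))
    return hits

if __name__ == "__main__":
    for src, val in triage(SAMPLE_LOGS):
        print(f"[{src}] {val}")
```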
Old 3rd Oct 2014, 16:13
  #4 (permalink)  
Hippopotomonstrosesquipidelian title
 
Join Date: Oct 2006
Location: is everything
Posts: 1,826
Likes: 0
Received 0 Likes on 0 Posts
You're doing copypasta from the sophos.com website and I claim my 5 pounds.
Bushfiva is offline  
Old 3rd Oct 2014, 16:18
  #5 (permalink)  
Thread Starter
 
Join Date: Aug 2002
Location: Earth
Posts: 3,663
Likes: 0
Received 0 Likes on 0 Posts
You're doing copypasta from the sophos.com website and I claim my 5 pounds.
Actually no. The copy/paste of the reg/domain values was from a malware analysis system I uploaded the malware to and which is run by a company that has doodly squat to do with Sophos.

As I said, before I reported it to Sophos & others, their software did not detect the malware.

So there. I'll have 5 squid please.
mixture is offline  
