Useless virus scanners
For the last week or so I've been receiving malicious emails to one of my email accounts. They always contain a zip file attachment (31.7 kB size) and are obviously malicious, so I don't open the zip file. Here is one of the variations of the text of the email; I've had several themes, from "here is a fax" to "overdue invoice" and "e-cards", all with a small zip file attached:
Subject: E-Card from "07860 587 443"
Body of email:
Sender: 07860 587 443
Date: 2014.05.05 11:44:04 UTC.
Text: I love you too
ID: C58090C5674288.
Zip file attached: ecard_C58090C5674288.zip
A cursory search on Google indicates that all these emails are malicious and that the zip files contain an EXE with malware to install so called "ransomware". One of the most nasty viruses/trojans around which usually necessitates a disk reformat to get rid of it!
However, neither Malwarebytes Anti-malware nor Microsoft Security Essentials says there is anything malicious with these zip files or their contents!!!
Using my own software I've scanned the bytes inside the zip files and they contain an executable. Duh! Is virus detection really so poor with those two major anti-virus products that they can't see this blatant malware inside zip archives?
_________________
I've left WP indefinitely.
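The poster's approach of looking at the bytes inside the archive without opening it in a general-purpose unzipper can be done with a short script. The following is an added example, not code from the thread or from any product named in it: it walks the zip's central directory with plain struct parsing, and for each entry decompresses only the first few dozen bytes (capped, so a decompression bomb cannot exhaust memory) to check for the "MZ" marker of a Windows PE executable. The sample archive is constructed in memory as test input; the file name inside it is made up for the demonstration.

```python
"""Inventory a zip attachment without extracting it.

Added example (not from the thread). The archive is parsed directly from
its central directory rather than through a full unzip, and only a capped
prefix of each entry is decompressed for a header check.
"""
import io
import struct
import zipfile
import zlib

CENTRAL_DIR_SIG = b"PK\x01\x02"
END_OF_CENTRAL_DIR_SIG = b"PK\x05\x06"
LOCAL_HEADER_SIG = b"PK\x03\x04"
PE_MAGIC = b"MZ"
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
PEEK_LIMIT = 64  # maximum decompressed bytes produced per entry


def _central_directory(data: bytes):
    """Yield (name, method, compressed_size, uncompressed_size, local_header_offset)."""
    eocd = data.rfind(END_OF_CENTRAL_DIR_SIG)
    if eocd < 0:
        raise ValueError("not a zip archive: no end-of-central-directory record")
    # EOCD after the signature: disk, cd_disk, entries_here, entries_total, cd_size, cd_offset
    _, _, _, n_total, _, cd_offset = struct.unpack_from("<HHHHII", data, eocd + 4)
    pos = cd_offset
    for _ in range(n_total):
        if data[pos:pos + 4] != CENTRAL_DIR_SIG:
            raise ValueError("corrupt central directory")
        # 42 fixed bytes follow the 4-byte signature (total header length 46)
        (_, _, _, method, _, _, _, csize, usize,
         nlen, xlen, clen, _, _, _, lho) = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        name = data[pos + 46:pos + 46 + nlen].decode("cp437", errors="replace")
        yield name, method, csize, usize, lho
        pos += 46 + nlen + xlen + clen


def _peek(data: bytes, method: int, csize: int, lho: int) -> bytes:
    """Return at most PEEK_LIMIT decompressed bytes of the entry whose local header is at lho."""
    if data[lho:lho + 4] != LOCAL_HEADER_SIG:
        raise ValueError("corrupt local file header")
    # local header: name length at offset 26, extra length at 28, data begins after 30 + both
    nlen, xlen = struct.unpack_from("<HH", data, lho + 26)
    start = lho + 30 + nlen + xlen
    raw = data[start:start + csize]
    if method == 0:      # stored
        return raw[:PEEK_LIMIT]
    if method == 8:      # deflate: raw stream, output capped by max_length
        return zlib.decompressobj(-15).decompress(raw, PEEK_LIMIT)
    return b""           # other methods are not attempted


def inspect_zip(data: bytes) -> list:
    """Return one dict per entry with the reasons (if any) it looks like an executable payload."""
    findings = []
    for name, method, csize, usize, lho in _central_directory(data):
        head = _peek(data, method, csize, lho)
        lower = name.lower()
        reasons = []
        if lower.endswith(EXEC_EXTENSIONS):
            reasons.append("executable extension")
            if lower.count(".") >= 2:
                reasons.append("double extension")
        if head.startswith(PE_MAGIC):
            reasons.append("PE header (MZ) in content")
        if csize and usize / csize > 100:
            reasons.append("suspicious compression ratio")
        findings.append({"name": name, "method": method, "compressed": csize,
                         "uncompressed": usize, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed test input: a fake PE stub with a document-looking double extension, plus a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("ecard_SAMPLE.pdf.exe", b"MZ" + b"\x90" * 200)  # hypothetical name, not from the thread
        z.writestr("readme.txt", b"Plain text, nothing to see here.")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in inspect_zip(build_sample()):
        print(entry)
```

Because only the central directory and a bounded prefix of each entry are touched, a mismatch between the declared and actual sizes, or an enormous uncompressed size, shows up as a reported ratio rather than as a file landing on disk.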
GoonSquad
Veteran
Joined: 11 May 2007
Age: 45
Posts: 5,396
Location: International House of Paincakes...
Gee that sucks... especially since malwarebytes and MSE are all I use on my winTab!
You should really be posting this over at the Malwarebytes site... You should also post the suspect files so they can examine them, if you haven't already.
_________________
No man is free who is not master of himself.~Epictetus
^ I don't know if they'd recognise the virus exe if I extracted it from the zip file; but as I know what's inside the zip file I'm reluctant to open it with third party software (e.g. 7zip, WinZip) because for all I know the zip files may be tampered with in such a way as to trigger a buffer overrun or exploit a weakness in the archiving software to actually trigger the virus! I know I'm erring on the super-cautious / paranoid side; but better that than end up facing a disk reformat especially when I know there's very nasty malware there anyway.
_________________
I've left WP indefinitely.
GoonSquad
Veteran
Joined: 11 May 2007
Age: 45
Posts: 5,396
Location: International House of Paincakes...
Yeah... I don't know. I'd think a good scanner would be able to detect the malware from within a compressed file.
Anyway, I cannot fault you for not wanting to pick at it too much. The one time I got infected by a piece of malware was from jacking around with an obviously infected email attachment.
That stuff is dangerous.
_________________
No man is free who is not master of himself.~Epictetus
^^I agree with this. I have used most all of the others and Avast has always been excellent! Best part, it is free unless you want the enhanced features! It does interface with Outlook or, as in my case, Thunderbird and will scan for malware within zips. Give it a try! It also uses very little in the way of resources, unlike Norton.
Edit:
Here is the link to their site. They also have a free antivirus and firewall for android for that new tablet of yours. However for the firewall it needs to be rooted.
Avast Web Site
Actually, ransomware is easy to get rid of. Undoing the encryption made on your files is very difficult, though. Avast actually blocks CryptoLocker from connecting to the server these days.
_________________
“He who controls the spice controls the universe.”
If it's possible to make ransomware for smart TVs (which are pretty much low-powered computers) running Linux, it can also be done on computers running Linux.
I'm not sure this is a fair comparison, as TVs will most likely be updated a lot less frequently than a regular computer. Security holes in Linux tend to be fixed pretty fast...
I know there are vulnerabilities in Android, and that's Linux based. Blame Google for that, if they weren't so bent on needing to know when and where you crap for advertising purposes, Android would be a little more secure. Its popularity makes it a target too.
For the average or even exceptionally thick Linux user (I'm in the latter category) not having antivirus software isn't a problem, and likely never will be.
I'm of the opinion that the entire (paid) antivirus industry is crooked anyway. I know criminals get rich from exploiting holes in security, but so do registered parasites like Symantec. The root of the problem is always the OS (Windows).
Stop keeping these arseholes in jobs!
What would be nice would be to have an antivirus/antimalware scanner that would look at the code, try to determine what it is doing, and flag it as possible virus/malware based on criteria such as:
1) What registry keys does it try to create?
2) What files does it try to access?
3) Does it look for and modify any files found on the system?
4) Does it create any files? In which directories does it create files?
5) Does it try to open particular network ports?
6) Does it try to connect to other systems over the network?
To do this, I would think it would pretty much have to create a sandbox within the operating system in which to execute it without having any effect on the running operating system. The reason for the sandbox is that it wouldn't be difficult to make it difficult to figure out what is happening just by examining the object code itself -- you would need to have it run to make sure that you can determine what it is trying to do.
Of course, any program that would install software on the computer would be flagged as being a potential problem, but the user should know whether or not he is intentionally trying to install the program.
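The scoring half of what the post above describes (the sandbox itself is a much bigger job) can be sketched as rules over a behaviour report. The following is an added example and not code from the thread or from any sandbox product: the report layout, the rule weights and the threshold are assumptions chosen for illustration, and the two reports at the bottom are constructed, not recorded from real samples. Each of the six criteria in the list maps to one rule; the sum of the weights of the rules that fire is compared with a threshold.

```python
"""Rule-based scoring of a sandbox behaviour report against the six criteria above.

Added example (not from the thread). Report format, weights and threshold
are illustrative assumptions, not those of any real product.
"""
import ipaddress
from dataclasses import dataclass, field

SUSPICIOUS_THRESHOLD = 8  # assumed cut-off

# Assumed indicator lists (lower-case substrings / suffixes)
PERSISTENCE_KEYS = (r"\currentversion\run", r"\currentversion\runonce", r"\winlogon\userinit")
USER_DOC_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg")
DROP_DIRS = (r"\windows\\", r"\appdata\\", r"\programdata\\")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class BehaviorReport:
    """What the hypothetical sandbox observed while the sample ran."""
    registry_created: list = field(default_factory=list)   # criterion 1
    files_read: list = field(default_factory=list)         # criterion 2
    files_modified: list = field(default_factory=list)     # criterion 3
    files_created: list = field(default_factory=list)      # criterion 4
    ports_opened: list = field(default_factory=list)       # criterion 5
    connections: list = field(default_factory=list)        # criterion 6: (host, port)


def _is_external(host: str) -> bool:
    """Anything not in our listed internal ranges counts as an outbound connection; hostnames too."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def score(report: BehaviorReport):
    """Return (total_weight, list of (weight, reason)) for the report."""
    hits = []
    # 1) registry keys created in auto-start locations
    for key in report.registry_created:
        if any(p in key.lower() for p in PERSISTENCE_KEYS):
            hits.append((4, f"persistence key created: {key}"))
    # 2) sweeping user documents
    docs_read = [f for f in report.files_read if f.lower().endswith(USER_DOC_EXTS)]
    if len(docs_read) >= 10:
        hits.append((2, f"read {len(docs_read)} user documents"))
    # 3) rewriting user documents in bulk (the ransomware pattern)
    docs_mod = [f for f in report.files_modified if f.lower().endswith(USER_DOC_EXTS)]
    if len(docs_mod) >= 10:
        hits.append((6, f"modified {len(docs_mod)} user documents"))
    elif docs_mod:
        hits.append((2, f"modified {len(docs_mod)} user documents"))
    # 4) executables dropped into system or profile directories
    for f in report.files_created:
        fl = f.lower() + "\\"
        if f.lower().endswith((".exe", ".dll")) and any(d.rstrip("\\") in fl for d in DROP_DIRS):
            hits.append((3, f"executable dropped: {f}"))
    # 5) listening ports
    for port in report.ports_opened:
        hits.append((2, f"listening port opened: {port}"))
    # 6) outbound connections
    for host, port in report.connections:
        if _is_external(host):
            hits.append((3, f"outbound connection: {host}:{port}"))
    return sum(w for w, _ in hits), hits


def verdict(report: BehaviorReport) -> str:
    total, _ = score(report)
    return "suspicious" if total >= SUSPICIOUS_THRESHOLD else "clean"


# Constructed reports (not real captures)
RANSOMWARE_LIKE = BehaviorReport(
    registry_created=[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost"],
    files_read=[rf"C:\Users\bob\Documents\report{i}.docx" for i in range(12)],
    files_modified=[rf"C:\Users\bob\Documents\report{i}.docx" for i in range(12)],
    files_created=[r"C:\Users\bob\AppData\Roaming\svchost.exe"],
    connections=[("203.0.113.7", 443)],
)
ORDINARY_INSTALLER = BehaviorReport(
    registry_created=[r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp"],
    files_created=[r"C:\Program Files\ExampleApp\app.exe"],
    connections=[("192.168.1.20", 445)],
)

if __name__ == "__main__":
    for name, rep in (("ransomware-like", RANSOMWARE_LIKE), ("installer", ORDINARY_INSTALLER)):
        total, hits = score(rep)
        print(name, total, verdict(rep), [h for _, h in hits])
```

The installer report deliberately stays below the threshold here because its registry key and install path are not in the assumed indicator lists; with a stricter rule set it would be flagged exactly as the post says, and the user would be the one to decide whether the install was intended.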
Grab some freebee tools off this site if you're still struggling:
http://www.bleepingcomputer.com/download/windows/?sort=dl
Roguekiller, Rkill, TDSSKiller, EEK, AdwCleaner, MBAM and JRT are my main go-to tools when struggling with malware in any form.
Watch out with ComboFix though: only run it in safe mode without networking and without intensive background apps running at that moment, also don't use it in Windows 8.1 and don't run it more than once a month.