Trojan.Zbot

Jem


I have no idea what Trojan.Zbot is but it arrived this morning by email, undetected by NOD32 7, but detected when saved and scanned manually with Malwarebytes. A manual scan with NOD32 declared it clean.

 

It's a zipped executable attached to an email from 'no-reply@hmrc.gov.uk' with the subject: 'You have received new messages from HMRC'.

 

I've submitted for analysis and used NOD32 to quarantine. But be warned...

 

I admit to being concerned that NOD32 is not catching this type of threat. It's the second time in as many weeks. I submitted the last one for analysis but had no feedback, although I provided my email address.


  • Administrators

It's probably Win32/TrojanDownloader.Small.AAB, the file was blacklisted about an hour ago. What ESET product and version do you use?


It's probably Win32/TrojanDownloader.Small.AAB, the file was blacklisted about an hour ago. What ESET product and version do you use?

NOD32 Antivirus 7. Signature: 8963. That's the last update - just checked.


At what time did you receive the threat by email? It was blacklisted today at about 9 AM CET.

9.00 AM CET is 8.00 AM UK TIME (Until the clocks go back on Sunday morning). I posted here at 10.54 AM (11.54 CET), a few minutes after receiving the email. My second post above is 11.41 AM (12.41 CET), immediately after checking for a signature update - there was no update and the file remained undetected. This concerns me greatly as ESET clearly have an issue pushing updates out in a timely fashion - certainly in the UK. If MWB detected it early so should NOD32, particularly as it had already been blacklisted.


  • Administrators

Yes, the file was undetected when you scanned it, that's ok. LiveGrid file reputation is not applied on files scanned by the on-demand or on-access scanner. However, it should have been detected and blocked upon receipt provided that you had LiveGrid enabled. The detection would have looked as follows:

 

 

__________ ESET NOD32 Antivirus warning, version of virus signature database 8953 (20131023) __________

Warning, ESET NOD32 Antivirus found the following threats in the message:

Government Gateway Reg Form.zip - Suspicious Object - deleted
Government Gateway Reg Form.zip > ZIP > Government Gateway Reg Form.exe - Suspicious Object - was a part of the deleted object


Live Grid is enabled and always has been. I use secure IMAP email and consequently have SSL protocol scanning on for email and the web - other than that all settings at default. So, I'd like more feedback as to why this didn't get picked up - I did not receive any warnings whatsoever.


  • Administrators

Has ESET ever detected malware in incoming email? What email client do you use? Since you receive email via IMAPS, a plugin for your email client is required to scan email as long as SSL scanning is disabled (which is by default).


1) Yes, it has - on one occasion.

2) Outlook 2010

3) SSL scanning is enabled by me. And in any case the NOD32 plugin is installed in Outlook and always has been.

4) That's not the point though is it? You're telling me that LiveGrid should have picked this up - which it didn't


Marcos said Live Grid did not detect it at the time you stated.

What he is stating for Live Grid is after the fact.

 

It should be detecting it now. Can you test again by e-mailing it to yourself, then reporting back here?

If it doesn't now, there may be a setup issue or something else!

Edited by Arakasi

Marcos said Live Grid did not detect it at the time you stated.

What he is stating for Live Grid is after the fact.

 

It should be detecting it now. Can you test again by e-mailing it to yourself, then reporting back here?

If it doesn't now, there may be a setup issue or something else!

No, that isn't what Marcos said. He said that Live Grid reputation is not applied to a manual scan at the time I did it... (I now quote):

 

"However, it should have been detected and blocked upon receipt provided that you had LiveGrid enabled." ...which, as I said in the next post, I did. From that I must assume that Live Grid (if up to date) will warn of a problem regardless of the state of the virus database used by a manual scan.

 

I cannot email it to myself using IMAPS as my email host is now trapping it at the server (so they are obviously now up to date). Good old British Telecom however is letting it through. So I sent and received it via my BT POP email account and NOD32 deleted it on receipt.

 

At the moment, based on my interpretation of the way NOD32 works I am still assuming that Live Grid was either:

 

1) Not functioning as intended - for whatever reason.

2) Not up to date - at least for users in the UK.

 

If ESET would like to respond fully, I am more than happy to carry out more tests. In the meantime it was a disappointing experience.

Edited by Jem

Sorry for your disappointing experience.

A threat that may have been seen for the first time.

Definitions need to be updated so the product knows the proper way to clean or dispose of.

If your computer was the first to see it and report it to live grid, you could be potentially helping thousands of users who run into it next.

So thank you.


  • Administrators

I was talking about the last malware we received with "HMRC" in the subject so we'd need to compare the hash of our and your file to find out if they are same or different. Regardless of this, it's important to keep in mind that no antivirus protection provides 100% protection and opening unknown files is not safe and may lead to infection.


I was talking about the last malware we received with "HMRC" in the subject so we'd need to compare the hash of our and your file to find out if they are same or different. Regardless of this, it's important to keep in mind that no antivirus protection provides 100% protection and opening unknown files is not safe and may lead to infection.

Your second point about 100% protection is well understood and accepted. I'm questioning it as you originally seemed to think that Live Grid should have caught it based on the blacklist timing and when I received the e-mail. Also, the 'name' (Win32/TrojanDownloader.Small.AAB) is certainly what NOD32 is seeing now when I email it to myself here.

 

With the hash comparison, do you have the file I submitted or would you like me to submit it again / email it somewhere?

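Marcos suggests comparing the hash of ESET's sample with the hash of the file Jem received, and the NOD32 log above reports the threat as a nested object ("...Reg Form.zip > ZIP > ...Reg Form.exe"). The following Python triage helper is an added example, not code from the thread or from ESET: it hashes an e-mail attachment with SHA-256 and, when the attachment is a ZIP, hashes each member as well, reporting nested paths in the same "container > ZIP > member" form and flagging members with executable extensions. The sample archive, its placeholder payload, the extension list and the member-size cap are all constructed here for illustration and are assumptions, not values from the page.

```python
import hashlib
import io
import zipfile

# Assumption: extensions worth flagging when found inside an e-mailed archive.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".js", ".vbs", ".bat", ".cmd")

# Assumption: do not decompress members larger than this (guards against
# decompression bombs when triaging untrusted archives).
MAX_MEMBER_BYTES = 50 * 1024 * 1024

# Constructed placeholder payload; this is NOT a real binary or malware sample.
SAMPLE_MEMBER_BYTES = b"MZ-constructed-placeholder-not-a-real-binary"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string, the value you would compare with a vendor's hash."""
    return hashlib.sha256(data).hexdigest()


def describe_attachment(name: str, data: bytes, max_members: int = 50) -> dict:
    """Hash an attachment and, if it is a ZIP, each member inside it.

    Returns a report with the container hash, one entry per member
    (path in "container > ZIP > member" form, size, sha256) and a list of
    member paths whose extension is in EXECUTABLE_EXTENSIONS.
    """
    report = {
        "name": name,
        "size": len(data),
        "sha256": sha256_hex(data),
        "members": [],
        "flagged": [],
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report

    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist()[:max_members]:
            if info.is_dir():
                continue
            path = f"{name} > ZIP > {info.filename}"
            entry = {"path": path, "size": info.file_size, "sha256": None}
            # Only decompress members under the cap; oversized ones are recorded unhashed.
            if info.file_size <= MAX_MEMBER_BYTES:
                entry["sha256"] = sha256_hex(zf.read(info))
            report["members"].append(entry)
            if info.filename.lower().endswith(EXECUTABLE_EXTENSIONS):
                report["flagged"].append(path)
    return report


def build_sample_attachment() -> bytes:
    """Construct an in-memory ZIP shaped like the attachment in the thread (placeholder content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fixed timestamp so the container hash is reproducible between runs.
        info = zipfile.ZipInfo("Government Gateway Reg Form.exe", date_time=(2013, 10, 23, 9, 0, 0))
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, SAMPLE_MEMBER_BYTES)
    return buf.getvalue()


if __name__ == "__main__":
    report = describe_attachment("Government Gateway Reg Form.zip", build_sample_attachment())
    print(f"{report['name']}  sha256={report['sha256']}")
    for member in report["members"]:
        print(f"  {member['path']}  sha256={member['sha256']}")
    for path in report["flagged"]:
        print(f"  FLAGGED executable inside archive: {path}")
```

The container hash and the member hash are both worth recording: a vendor blacklist or a sandbox report may key on either, and re-zipping the same executable changes the outer hash while leaving the inner one intact.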

Jem & Marcos,

 

I don't believe this is an isolated incident. Twice now in the past month our network has been compromised with the Win32/Spy.Zbot.AAU trojan. In both cases the systems infected reported an infection only after running a scheduled full scan. The systems were compromised by the Trojan while running current real-time protection under ESET NOD32 AntiVirus 4.2.76 and current definitions on Windows 7 PCs. We also have the Outlook Add-In installed on all our systems, and there was no indication of a threat detected prior to the full manual scan. Our company was blacklisted due to the infection. What steps can be taken to mitigate future risk to our network? I have also submitted a support request but would appreciate any feedback you may have.

 

We will be re-evaluating our anti-virus and anti-malware solution as our license expires next March.


afloyd, a few questions.

 

Do you host your own Exchange?

What service provider do you use for emails, and how is it set up in Outlook? POP, IMAP, Exchange, Exchange ActiveSync or Webmail?

 

Just a few questions so I can ponder on your current setup and any additional options that may be available.

 

Thanks :)


I was talking about the last malware we received with "HMRC" in the subject so we'd need to compare the hash of our and your file to find out if they are same or different. Regardless of this, it's important to keep in mind that no antivirus protection provides 100% protection and opening unknown files is not safe and may lead to infection.

 

Marcos,

 

I'm interested in any feedback, including the hash comparison. Any update? I can see that this trojan has hopefully been cornered as I had another one today under a different name, but NOD32 caught it (zipped) as it came into my Inbox. So in answer to your original question "Has ESET ever detected malware in incoming email?" - clearly that does work, even with an IMAPS account. I have the Outlook plugin installed (as I always have) and SSL scanning is OFF (as per the default setting). Still a bit bothered about the Live Grid thing that you thought should have worked, but according to VirusTotal, ESET are one of the few vendors detecting this one even now.

 

Thanks.

Edited by Jem

  • Administrators

I've tested LiveGrid blocking and it works fine. Should you come across a similar problem again, let me know and send me the malware attached to a personal message so that I can investigate when we started to block it.


I've tested LiveGrid blocking and it works fine. Should you come across a similar problem again, let me know and send me the malware attached to a personal message so that I can investigate when we started to block it.

OK. Thanks. I've re-installed everything from scratch in the meantime - completely clean install for good measure.


Marcos,

 

Yes, we host our own Exchange 2003 server and use it with Outlook, ActiveSync, and OWA. We have ESET Mail Security 4.2.xx running on it, however, during my recent discussion with an ESET support rep I was informed the more recent 5.0.xx version has better spam and filtering capabilities so we're going to upgrade it this weekend. We also have filtering at the external DNS level (via Barracuda RBL, SpamCop, Spamhaus SBL, and Spamhaus XBL), and at the router (via our SonicWALL Content Filter, Gateway Anti-Virus, Anti-Spyware, Intrusion Prevention, and Botnet protection). None of these caught the Zbot intrusion either. I will be reaching out to SonicWALL support to see what else we can do at the router level to prevent this.

 

The ESET rep was kind enough (after sending me a very basic security response and little else) to take a closer look at our current versions (hence the upgrade) and current configuration (to determine it was in good shape). I got the spiel about 'methods of attack are always changing and sometimes we are not able to anticipate new attack vectors'. I understand no security product will ever be 100% effective. But, I don't really want to argue the harsh reality of IT Security - I'm much more interested in what can be done with our current resources (or ones we haven't considered) to minimize our vulnerability as much as possible.

 

Thanks again for responding.

-Aaron


  • ESET Insiders

LiveGrid file reputation is not applied on files scanned by the on-demand or on-access scanner.

So, the LiveGrid option in ThreatSense engine parameters is some type of background file queue for building file reputation across all users?

Reputation blocking should be enabled for Web-Mail protection even if data collection for LiveGrid is off.


  • Administrators

LiveGrid file reputation is not applied on files scanned by the on-demand or on-access scanner.

So, the LiveGrid option in ThreatSense engine parameters is some type of background file queue for building file reputation across all users?

Reputation blocking should be enabled for Web-Mail protection even if data collection for LiveGrid is off.

 

Partially. In order to use file reputation for blocking malicious files, you'd need to have "Participate in ESET LiveGrid" option enabled under Tools -> ESET LiveGrid. Probably the separate LiveGrid setting in the ThreatSense setup will be removed in future versions.
