0xDEADBEEF, Posted April 17, 2018 (edited)

Seems to me there are certain malware types that always fall in ESET sample collection's "long tail", i.e. they can be kept undetected for days unless someone manually submits them to the ESET viruslab. For example, the sample SHA1: AA32D03E383A9C843DBA9E591321858349127790, apparently a password stealer, appeared a day ago and now around half of the engines on VT detect it. However, ESET doesn't detect it even now (the PUA detection doesn't count). From other detection names, apparently some are on the aggressive detection side though.

Edited April 17, 2018 by 0xDEADBEEF
itman, Posted April 17, 2018

Well, both GData and Sophos detect it as a PUA. Bitdefender, Emsisoft, Symantec, and TrendMicro didn't detect it at all. Neither did Microsoft and a number of others. My guess is it's packed malware bundled in an installer. Until the installer is run and the PUA is executed, malware properties won't manifest.
0xDEADBEEF (author), Posted April 17, 2018 (edited)

On 04/17/2018 at 4:16 PM, itman said: "Bitdefender, Emsisoft, Symantec, and TrendMicro didn't detect at all"

Yes, this one is a bit tricky from my view because it doesn't show many suspicious behaviors (not an installer anyway); it's more of a social engineering malware. Another sample: e728ff3f0a1a3f1658c6c9d8757c10eb9981dc4cbb9c0901d5124ffe46b7f47d. I was amazed by how some vendors were able to detect this at the very early phase, if you are able to see the scan results on VT at different time points. Of course this might simply be due to the fact that some vendors collect samples from VT but ESET (seemingly) doesn't... Collecting such a sample from a user's computer seems hard because Petya immediately destroys the endpoint. Some new observations in the later post.

Edited May 22, 2018 by 0xDEADBEEF
Tornado, Posted May 21, 2018

Don't forget that there are other factors that you need to consider; just because ESET doesn't have a zero-day in its signatures, there's LiveGrid, HIPS, Firewall and other layers in which it could dynamically detect malware.
0xDEADBEEF (author), Posted May 22, 2018 (edited)

On 04/17/2018 at 4:37 PM, 0xDEADBEEF said: "due to the fact that some vendors collect samples from VT but ESET (seems) doesn't"

Some more testing reveals that some vendors closely monitor and quickly blacklist VT samples. They can get a very bad detection rate when the samples fall outside VT collections.

This forms a severely biased result: for people who test these products for fun, the samples are likely to be collected from VT or at least to have been scanned in VT (note that a lot of online sandboxes also upload samples to VT as a static verdict). Vendors which closely monitor and blacklist VT samples might get a pretty good result because they always get the sample before one can get it, due to such sampling bias, so it creates an illusion that these vendors always detect malware samples (ahead of time). In reality, this is not the case, because widespread samples might not be on VT and rare samples might be on VT. A recent non-VT sample collection I got had a pretty bad result for those high-scored vendors but ESET still performs well.

Further tests reveal some simple MD5 modification techniques can easily bypass those VT vendors' blacklist signatures (including detection names like GenericKD, UDS, Gen... all are common ones from vendors with good scores on AVC), while ESET's signature and cloud signature have good robustness against such basic techniques. So great job ESET.

Edited May 22, 2018 by 0xDEADBEEF