
Malware response speed



Seems to me there are certain malware types that always fall in ESET sample collection's "long tail", i.e. they can be kept undetected for days unless someone manually submits them to the ESET viruslab.

For example, the sample SHA1: AA32D03E383A9C843DBA9E591321858349127790, apparently a password stealer, appeared a day ago and now around half of the engines on VT detect it. However, ESET still doesn't detect it (the PUA detection doesn't count). From the other detection names, apparently some are on the aggressive detection side, though.

Edited by 0xDEADBEEF

Well, both GData and Sophos detect it as a PUA.

Bitdefender, Emsisoft, Symantec, and TrendMicro didn't detect it at all. Neither did Microsoft and a number of others.

My guess is it's packed malware bundled in an installer. Until the installer is run and the PUA is executed, malware properties won't manifest.


On 04/17/2018 at 4:16 PM, itman said:

Bitdefender, Emsisoft, Symantec, and TrendMicro didn't detect at all

Yes, this one is a bit tricky from my view because it doesn't show many suspicious behaviors (not an installer anyway); it is more of a social engineering malware.

Another sample: e728ff3f0a1a3f1658c6c9d8757c10eb9981dc4cbb9c0901d5124ffe46b7f47d

I was amazed by how some vendors were able to detect this at the very early phase, if you are able to see the scan results on VT at different time points. Of course this might simply be due to the fact that some vendors collect samples from VT but ESET (seems) doesn't... Collecting such a sample from a user computer seems hard because Petya immediately destroys the endpoint.

Some new observations in a later post.

Edited by 0xDEADBEEF

  • 1 month later...

Don't forget that there are other factors that you need to consider: just because ESET doesn't have a zero-day in its signatures, there are still LiveGrid, HIPS, Firewall and other layers in which it could dynamically detect malware.


On 04/17/2018 at 4:37 PM, 0xDEADBEEF said:

due to the fact that some vendors collect samples from VT but ESET (seems) doesn't

Some more testing reveals that some vendors closely monitor and quickly blacklist VT samples. They can get very bad detection rates when the samples fall outside VT's collection.

This forms a severely biased result: for people who test these products for fun, the samples are likely to be collected from VT or at least to have been scanned on VT (note that a lot of online sandboxes also upload samples to VT for a static verdict). Vendors which closely monitor and blacklist VT samples might get pretty good results because, due to such sampling bias, they always get the sample before one can get it, so it creates an illusion that these vendors always detect malware samples (ahead of time). In reality, this is not the case, because wide-spread samples might not be on VT and rare samples might be on VT. A recent non-VT sample collection I got had pretty bad results with those high-scoring vendors, but ESET still performed well.

Further tests reveal that some simple MD5-modifying techniques can easily bypass those VT vendors' blacklist signatures (including detection names like GenericKD, UDS, Gen... all common ones from vendors with good scores on AVC), while ESET's signatures and cloud signatures have good robustness against such basic techniques.

So, great job ESET :)

Edited by 0xDEADBEEF
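The post above contrasts hash-blacklist signatures, which break as soon as a file's hash changes, with signatures that survive trivial file edits. The following is an added detection-engineering example, not code from the thread or from any vendor: it builds a constructed stand-in "sample" (plain bytes with a marker string, not real malware) and a one-byte variant of it, then compares an exact SHA-256 blocklist against a content-anchored rule (YARA-style, constructed here) on both plus a benign file.

```python
import hashlib
import re

# Constructed stand-in for a malicious file: NOT real malware, just bytes
# carrying a distinctive marker that a content rule can anchor on.
ORIGINAL = b"MZ\x90\x00" + b"\x00" * 16 + b"CredGrab/1.2 stealer config\x00" + b"\xcc" * 32
# Same content with one trailing byte appended: the file hash changes,
# the content a robust signature keys on does not.
VARIANT = ORIGINAL + b"\x00"
# Constructed benign file that must not trigger either strategy.
BENIGN = b"MZ\x90\x00" + b"hello world installer, nothing to see\x00"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Strategy 1: exact file-hash blocklist (what the post calls a "blacklist signature").
HASH_BLOCKLIST = {sha256(ORIGINAL)}


def hash_blocklist_hit(data: bytes) -> bool:
    return sha256(data) in HASH_BLOCKLIST


# Strategy 2: content rule anchored on a stable byte pattern inside the file
# (hypothetical rule, written for the constructed marker above).
CONTENT_RULE = re.compile(rb"CredGrab/\d+\.\d+ stealer")


def content_rule_hit(data: bytes) -> bool:
    return CONTENT_RULE.search(data) is not None


def evaluate(samples):
    """Count detections per strategy over a list of (name, bytes) pairs."""
    return {
        "hash_blocklist": sum(hash_blocklist_hit(d) for _, d in samples),
        "content_rule": sum(content_rule_hit(d) for _, d in samples),
    }


if __name__ == "__main__":
    corpus = [("original", ORIGINAL), ("variant", VARIANT), ("benign", BENIGN)]
    # Expected: {'hash_blocklist': 1, 'content_rule': 2}
    print(evaluate(corpus))
```

The hash blocklist catches only the exact file it was built from, while the content rule catches both malicious variants and still ignores the benign file, which is the robustness property the post attributes to ESET's signatures.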
