0xDEADBEEF

Malware response speed


Posted (edited)

Seems to me there are certain malware types that always fall into the "long tail" of ESET's sample collection, i.e. they can remain undetected for days unless someone manually submits them to the ESET viruslab.

For example, the sample with SHA1 AA32D03E383A9C843DBA9E591321858349127790, apparently a password stealer, appeared a day ago and now around half of the engines on VT detect it. However, ESET still doesn't detect it (the PUA detection doesn't count). Judging from the other detection names, some vendors are apparently on the aggressive detection side though.

Edited by 0xDEADBEEF

Well, both GData and Sophos detect it as a PUA.

Bitdefender, Emsisoft, Symantec, and TrendMicro didn't detect at all. Neither did Microsoft and a number of others.

My guess is it's packed malware bundled in an installer. Until the installer is run and the PUA is executed, the malware properties won't manifest.

Posted (edited)
On 04/17/2018 at 4:16 PM, itman said:

Bitdefender, Emsisoft, Symantec, and TrendMicro didn't detect at all

Yes, this one is a bit tricky from my view because it doesn't show many suspicious behaviors (it is not an installer anyway); it is more of a social engineering malware.

Another sample: e728ff3f0a1a3f1658c6c9d8757c10eb9981dc4cbb9c0901d5124ffe46b7f47d

I was amazed by how some vendors were able to detect this at the very early phase, if you look at the VT scan results at different time points. Of course this might simply be due to the fact that some vendors collect samples from VT but ESET (seemingly) doesn't... Collecting such a sample from a user's computer seems hard because Petya immediately destroys the endpoint.

Some new observations in a later post.

Edited by 0xDEADBEEF


Don't forget that there are other factors you need to consider. Just because ESET doesn't have a zero-day in its signatures, there are still LiveGrid, HIPS, the firewall and other layers through which it could dynamically detect malware.

On 04/17/2018 at 4:37 PM, 0xDEADBEEF said:

due to the fact that some vendors collect samples from VT but ESET (seems) doesn't

Some more testing reveals that some vendors closely monitor and quickly blacklist VT samples. They can get a very bad detection rate when the samples fall outside VT collections.

This forms a severely biased result: for people who test these products for fun, the samples are likely to be collected from VT or at least to have been scanned in VT (note that a lot of online sandboxes also upload samples to VT as a static verdict). Vendors which closely monitor and blacklist VT samples might get a pretty good result because, due to such sampling bias, they always get the sample before one can, so it creates an illusion that these vendors always detect malware samples (ahead of time). In reality, this is not the case, because widespread samples might not be on VT and rare samples might be on VT. A recent non-VT sample collection I got gave pretty bad results for those high-scoring vendors, but ESET still performed well.

Further tests reveal that some simple MD5-modifying techniques can easily bypass those VT vendors' blacklist signatures (including detection names like GenericKD, UDS, Gen..., all common ones from vendors with good scores on AVC), while ESET's signature and cloud signature are robust against such a basic technique.

So, great job ESET :)

Edited by 0xDEADBEEF

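The last two posts above make a detection-engineering point: a signature that is nothing more than the exact hash of a sample already seen on VT stops matching as soon as a single byte of the file changes, whereas a signature keyed on the file's content survives that change. The following is an added illustration, not code from this thread or from any vendor mentioned in it. It runs two constructed detectors over a constructed, harmless byte string and its trivially altered copies: an exact-MD5 "blocklist" seeded with the first copy, and a content pattern. The byte string, the pattern and the corpus size are all made up for the example.

```python
import hashlib
import re

# Constructed stand-in for a file body. This is plain text, not malware.
# The "marker" represents some stable content a content signature could key on.
SAMPLE = b"MZ\x90\x00" + b"constructed benign stand-in body " * 4 + b"CONSTRUCTED_MARKER_STRING"

# Constructed "blocklist": the exact MD5 of the one copy that was observed.
# This mirrors a signature that only ever matches a hash already seen.
HASH_BLOCKLIST = {hashlib.md5(SAMPLE).hexdigest()}

# Constructed content signature: a byte pattern inside the body, independent
# of the file's hash. Real engines use far richer rules; the idea is the same.
CONTENT_PATTERN = re.compile(rb"CONSTRUCTED_MARKER_STRING")


def detect_by_hash(data: bytes) -> bool:
    """Exact-hash detection: true only if this precise byte string was seen before."""
    return hashlib.md5(data).hexdigest() in HASH_BLOCKLIST


def detect_by_content(data: bytes) -> bool:
    """Content detection: true if the signature pattern occurs anywhere in the body."""
    return CONTENT_PATTERN.search(data) is not None


def compare(data: bytes) -> dict:
    """Run both detectors on one file body and report their verdicts."""
    return {"hash": detect_by_hash(data), "content": detect_by_content(data)}


def build_corpus(n_variants: int) -> list:
    """Constructed test set: the seen copy plus n_variants copies that differ
    only by a trailing padding byte. Any change at all alters the MD5, while
    the meaningful content (and therefore the content signature) is untouched."""
    return [SAMPLE] + [SAMPLE + bytes([i]) for i in range(1, n_variants + 1)]


def detection_rates(corpus: list) -> dict:
    """Fraction of the corpus each detector flags."""
    hash_hits = sum(detect_by_hash(f) for f in corpus)
    content_hits = sum(detect_by_content(f) for f in corpus)
    return {
        "hash": hash_hits / len(corpus),
        "content": content_hits / len(corpus),
    }


if __name__ == "__main__":
    corpus = build_corpus(9)
    print("seen copy     :", compare(corpus[0]))
    print("altered copy  :", compare(corpus[1]))
    print("rates over", len(corpus), "files:", detection_rates(corpus))
```

On the one file that was "seen", both detectors agree. On every altered copy the hash detector is blind while the content detector still fires, so over the constructed corpus of ten files the hash detector scores 10% and the content detector 100%. This is the mechanism behind the thread's observation that hash-blacklisting vendors look strong on VT-sourced test sets and weak on anything else; the defensive takeaway is to treat exact hashes as a fast path, not as the signature itself.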
