sky7, posted August 11, 2014 (edited August 11, 2014 by sky7):

- xss.exe: https://www.virustotal.com/en/file/1cef89e21d000eaab69eab90c78a32adb0f1d10ed4e90c180d1b116d0e0b2ab4/analysis/1407790800/

I reported this file and checked it later; ESS 7.0.317.4 (vsd: 10233) didn't detect it. I emailed again, and ESS 7.0.317.4 (current vsd: 10238) still doesn't detect it.
Marcos (ESET Administrator), posted August 11, 2014:

Probably because we hadn't received it until today? Looking at the VT results, most AVs detect it heuristically due to the packer used. We too recognize the packer but don't want to detect it, as it could produce many false positives (apparently some vendors don't care about that). The sample will be looked at and a detection will be added if it actually turns out to be functional malware. I would be more concerned about prevalent functional malware that is virtually detected only by ESET at VT.
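The distinction Marcos draws above, between recognizing a packer and actually detecting a file, is easy to see in a small triage routine. The following Python script is an added illustration, not code from ESET or from anyone in this thread: it matches a file's MD5/SHA256 against the hash IoCs quoted in the thread (the MD5 from sky7's post and the SHA256 from the VirusTotal URL) and, separately, estimates whether the file looks packed using Shannon entropy. Only an exact hash match produces a "detected" verdict; a high-entropy file with no match is routed for analysis instead, because packing alone is also common in legitimate software. The entropy threshold of 7.0 bits per byte is an assumed rule-of-thumb value, and the sample inputs are constructed stand-ins, not the real xss.exe.

```python
"""Added illustration (not ESET's code): triage that separates an exact IoC
match from a packer heuristic, as described in the thread above."""
import hashlib
import math

# Hash IoCs quoted in this thread for xss.exe: the MD5 from sky7's post and the
# SHA256 taken from the VirusTotal URL in the first post.
KNOWN_BAD = {
    "md5": {"5bf42a43f4efc10c0fdf9f0a0379ee3e"},
    "sha256": {"1cef89e21d000eaab69eab90c78a32adb0f1d10ed4e90c180d1b116d0e0b2ab4"},
}

# Assumption: 7.0 bits/byte is a common rule-of-thumb threshold for "probably
# packed or encrypted" content. It is an illustrative value, not an ESET setting.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def hash_file_bytes(data: bytes) -> dict:
    """Lowercase hex MD5 and SHA256 of the file contents."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def triage(data: bytes, iocs: dict = KNOWN_BAD) -> dict:
    """Return a verdict plus the evidence behind it.

    'detected' requires an exact hash match against known-bad IoCs.
    A high-entropy (likely packed) file with no IoC match is only routed
    for analysis: packing is used by plenty of legitimate software, so
    treating the packer alone as malicious would generate false positives.
    """
    hashes = hash_file_bytes(data)
    matched = [algo for algo, digest in hashes.items() if digest in iocs.get(algo, set())]
    entropy = shannon_entropy(data)
    looks_packed = entropy >= PACKED_ENTROPY_THRESHOLD
    if matched:
        verdict = "detected"
    elif looks_packed:
        verdict = "submit-for-analysis"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "matched": matched,
        "entropy": round(entropy, 2),
        "looks_packed": looks_packed,
        "hashes": hashes,
    }


if __name__ == "__main__":
    # Constructed samples: uniform bytes stand in for a packed executable,
    # repeated ASCII for an ordinary text file. Neither is the real xss.exe.
    packed_like = bytes(range(256)) * 16
    text_like = b"This is a plain text configuration file.\n" * 40
    for name, sample in (("packed-like", packed_like), ("text-like", text_like)):
        result = triage(sample)
        print(f"{name}: {result['verdict']} (entropy {result['entropy']}, matched {result['matched']})")
```

Running the script shows the packed-like sample landing in "submit-for-analysis" rather than "detected", which is the behaviour Marcos describes: the packer is recognized as a signal worth a closer look, but a verdict of malware waits for evidence that the file is actually malicious.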
Arakasi, posted August 11, 2014:

Excellent response. This is why ESET is superior to other vendors.
sky7 (thread author), posted August 11, 2014:

> Probably because we hadn't received it until today? Looking at the VT results, most AVs detect it heuristically due to the packer used. We too recognize the packer but don't want to detect it, as it could produce many false positives (apparently some vendors don't care about that). The sample will be looked at and a detection will be added if it actually turns out to be functional malware. I would be more concerned about prevalent functional malware that is virtually detected only by ESET at VT.

It's good that ESET doesn't just look at the packer, but I reported this 2 days ago and my second email was sent 21 hours ago, and of course it is functional malware.

- xss.exe MD5: 5bf42a43f4efc10c0fdf9f0a0379ee3e
Marcos (ESET Administrator), posted August 12, 2014:

> It's good that ESET doesn't just look at the packer, but I reported this 2 days ago and my second email was sent 21 hours ago, and of course it is functional malware.

It was first delivered by email to ESET's malware lab just yesterday.
sky7 (thread author), posted August 12, 2014:

> It's good that ESET doesn't just look at the packer, but I reported this 2 days ago and my second email was sent 21 hours ago, and of course it is functional malware.

> It was first delivered by email to ESET's malware lab just yesterday.

It's strange. ESS 7.0.317.4 (vsd: 10240) finally detects xss.exe (MD5: 5bf42a43f4efc10c0fdf9f0a0379ee3e). The threat name is "Win32/TrojanDropper.Agent.QRL". It was not dealt with quickly (more than 6 virus signature database updates passed). Unlike before, I didn't receive any email from the ESET Malware Response Team. I always receive an email from the ESET Malware Response Team (as you know, they send an email when they add a reported threat to the vsd). Anyway, ESET detects this malware now.
Arakasi, posted August 12, 2014:

I don't always get e-mails back from the team, especially if multiple people submitted; they may just send one out to the first person that appears to them. Also, ESET keeps a strict evaluation of submissions to ensure the low false positives that ESET retains; some vendors don't evaluate or examine and just add based off other vendors, I have seen this many times. ESET has a very nice malware research team, and although they were not in haste for this particular variant, I would be interested in the origination of the file. Was it on a download site, or through a drive-by JS on a bad web server? Submitted from a malware pack? Bundled in legitimate software, etc.? Is it in the wild?
rugk, posted August 12, 2014:

BTW: Here is the virus radar description of the threat: hxxp://www.virusradar.com/en/Win32_TrojanDropper.Agent.QRL/description

If you look at the statistics, it does not yet seem to be in the wild, but I don't know how quickly the statistics are refreshed.
Marcos (ESET Administrator), posted August 12, 2014:

Current stats show that it was detected on 1 user's computer during download. The malware wasn't found to be running on any computer worldwide at all.
rugk, posted August 12, 2014:

> Current stats show that it was detected on 1 user's computer during download. The malware wasn't found to be running on any computer worldwide at all.

Dangerous malware.
sky7 (thread author), posted August 12, 2014 (edited August 12, 2014 by sky7):

> Current stats show that it was detected on 1 user's computer during download. The malware wasn't found to be running on any computer worldwide at all.

Maybe the data is based on ESET's Live Grid. Sometimes facts can be misleading. I don't undervalue ESET Live Grid and don't want to argue about that. Anyway, that's not true. Most well-known AVs detect this malware at this point, so we don't need to say it's dangerous 'now'.

"The malware wasn't found to be running on any computer worldwide at all." That would be misleading. These days cybercriminals silently spread malware to computers for only a number of days within a very short period of time (making hit-and-run, guerrilla-style attacks). It is a 'Trojan Dropper' that drops other malware files onto the compromised PC.
Marcos (ESET Administrator), posted August 12, 2014:

> "The malware wasn't found to be running on any computer worldwide at all." That would be misleading. These days cybercriminals silently spread malware to computers for only a number of days within a very short period of time (making hit-and-run, guerrilla-style attacks). It is a 'Trojan Dropper' that drops other malware files onto the compromised PC. Most well-known AVs detect this malware at this point, so we don't need to say it's dangerous 'now'.

It's not misleading at all. Out of all users with Live Grid enabled, it was downloaded on only one computer, which I now confirm by looking at the most current stats. The point is that a detection was added on the same day we received it. On the contrary, there's quite a lot of dangerous malware, including ransomware, that is missed by almost all AV vendors but ESET and which is undetected even after > 24 hours.