Related articles:
See these other Keyliner articles for detailed virus-removal instructions; they will work on most viruses.
Microsoft System Sweeper - Bootable Antivirus - Highly Recommended
Removing Win32 Cryptor
Removing Win7 Anti-Virus
Removing Personal Security Virus
Securing Windows 7 from your Children
Microsoft Security Essentials
I was reading an article on the recent "USPS.gov website infected with Blackhole Exploit Kit" (zscaler.com). The article briefly described how encoded JavaScript was used to redirect browsers to the malware and how the code installed without any user interaction (a drive-by download).
Of more interest was an almost-footnote in the article: it listed the payload filenames and described how poorly antivirus programs detected them. The infection drops a half-dozen different programs, and most scanners let them arrive scot-free.
On 2011.04.07 (apparently a month after the malware was first unleashed), the main payload was detected by only 5 of 41 virus-scanning vendors, with AVG the only major vendor among them. Other payloads from the same infection were detected by none of the vendors. The malware is a variant of previously-seen code, and even though vendors have heuristic scanning, they could not see through the new variant. The VirusTotal.com report from that first scan shows the four detections early in the attack.
Roughly three days later, detection had climbed to 26 of 42, which is both amazing and disappointing when you consider the mechanics: a vendor must see a sample before it can write a signature for it, so every vendor is chasing a moving target. At least the statistics improved (updated details are at VirusTotal and tabled below). Later still, most of the major vendors were detecting it, but it took a while.
VirusTotal Scan Results
(Results on 2011.04.10, three days after the first statistic, showing roughly a 60% detection rate (26 of 42). This is still approximately one month after the malware was unleashed. Newer results were not published. 16 of the 42 scanners still missed the infection.)
| Antivirus | Version | Last update | Result (- = not detected) |
|---|---|---|---|
| AhnLab-V3 | 2011.04.10.01 | 2011.04.10 | Win-Trojan/Tdss.102400.EA |
| AntiVir | 7.11.6.20 | 2011.04.10 | TR/ATRAPS.Gen2 |
| Antiy-AVL | 2.0.3.7 | 2011.04.10 | - |
| Avast | 4.8.1351.0 | 2011.04.10 | Win32:Olmarik-B |
| Avast5 | 5.0.677.0 | 2011.04.10 | Win32:Olmarik-B |
| AVG | 10.0.0.1190 | 2011.04.10 | Win32/Heur |
| BitDefender | 7.2 | 2011.04.10 | Trojan.Generic.KD.181230 |
| CAT-QuickHeal | 11.00 | 2011.04.10 | - |
| ClamAV | 0.97.0.0 | 2011.04.10 | - |
| Commtouch | 5.2.11.5 | 2011.04.06 | - |
| Comodo | 8294 | 2011.04.10 | - |
| DrWeb | 5.0.2.03300 | 2011.04.10 | BackDoor.Tdss.4951 |
| Emsisoft | 5.1.0.5 | 2011.04.10 | Virus.Win32.Heur!IK |
| eSafe | 7.0.17.0 | 2011.04.10 | Win32.TRATRAPS |
| eTrust-Vet | 36.1.8261 | 2011.04.08 | - |
| F-Prot | 4.6.2.117 | 2011.04.10 | - |
| F-Secure | 9.0.16440.0 | 2011.04.10 | Trojan.Generic.KD.181230 |
| Fortinet | 4.2.254.0 | 2011.04.09 | - |
| GData | 22 | 2011.04.10 | Trojan.Generic.KD.181230 |
| Ikarus | T3.1.1.103.0 | 2011.04.10 | Virus.Win32.Heur |
| Jiangmin | 13.0.900 | 2011.04.09 | - |
| K7AntiVirus | 9.96.4347 | 2011.04.09 | - |
| Kaspersky | 7.0.0.125 | 2011.04.10 | Trojan.Win32.Jorik.TDSS.gm |
| McAfee | 5.400.0.1158 | 2011.04.10 | DNSChanger.cl |
| McAfee-GW-Edition | 2010.1C | 2011.04.10 | Artemis!B01326CA8533 |
| Microsoft | 1.6702 | 2011.04.10 | Trojan:Win32/Alureon.CT |
| NOD32 | 6031 | 2011.04.10 | a variant of Win32/Kryptik.MMD |
| Norman | 6.07.07 | 2011.04.10 | W32/Suspicious_Gen2.KSGTX |
| Panda | 10.0.3.5 | 2011.04.10 | Trj/CI.A |
| PCTools | 7.0.3.5 | 2011.04.07 | - |
| Prevx | 3.0 | 2011.04.10 | - |
| Rising | 23.52.06.03 | 2011.04.10 | - |
| Sophos | 4.64.0 | 2011.04.10 | Sus/UnkPack-C |
| SUPERAntiSpyware | 4.40.0.1006 | 2011.04.10 | Trojan.Agent/Gen-FakeAntiSpy |
| Symantec | 20101.3.2.89 | 2011.04.10 | Trojan.FakeAV!gen42 |
| TheHacker | 6.7.0.1.171 | 2011.04.10 | Trojan/Jorik.TDSS.gm |
| TrendMicro | 9.200.0.1012 | 2011.04.10 | TROJ_FAKEAV.RHE |
| TrendMicro-HouseCall | 9.200.0.1012 | 2011.04.10 | TROJ_FAKEAV.RHE |
| VBA32 | 3.12.14.3 | 2011.04.08 | - |
| VIPRE | 8980 | 2011.04.10 | Trojan.Win32.Generic!BT |
| ViRobot | 2011.4.9.4402 | 2011.04.10 | - |
| VirusBuster | 13.6.297.0 | 2011.04.10 | - |
VirusTotal is a free, independent service that scans submitted files with all of these virus scanners. I am unclear about how quickly new samples are submitted to the site, and this may explain some of the lag times.
The point is this: you can't rely on an up-to-date virus scanner alone to catch the bad guys, because the malware mutates faster than the signatures follow. Careful surfing habits go a long way, but they clearly don't work all the time (this attack needed no click at all). The last defense is Windows 7's UAC (the nag screens), but, as I've written in the past, most people click through it and infect their own machines anyway. If you are still on XP, which has no UAC, it is time to change.
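As an added example (my code, not from the Keyliner post and not VirusTotal's), the script below reads the 2011.04.10 table above and answers the question the headline ratio hides: of the 26 scanners that flag the file, how many actually name a malware family, and how many only say "looks suspicious"? The family alias list (TDSS, Alureon and Olmarik treated as one rootkit family; the rogue-antispyware names grouped as FakeAV) and the named-versus-generic split are my own classification, not VirusTotal's. The hash-lookup helper at the end uses VirusTotal's current file-report URL form, added because looking a file up by SHA-256 is how you check a suspect file without uploading it.

```python
"""Added example: what the VirusTotal table on this page says beyond "26 of 42".

Counts misses, generic/heuristic verdicts and named-family verdicts, and
shows whether the vendors that name a family agree with each other.
"""
import hashlib

# The 42 rows of the 2011.04.10 table above, as "vendor|result" entries
# separated by ";".  "-" is VirusTotal's marker for "no detection".
VT_2011_04_10 = (
    "AhnLab-V3|Win-Trojan/Tdss.102400.EA;AntiVir|TR/ATRAPS.Gen2;Antiy-AVL|-;"
    "Avast|Win32:Olmarik-B;Avast5|Win32:Olmarik-B;AVG|Win32/Heur;"
    "BitDefender|Trojan.Generic.KD.181230;CAT-QuickHeal|-;ClamAV|-;Commtouch|-;"
    "Comodo|-;DrWeb|BackDoor.Tdss.4951;Emsisoft|Virus.Win32.Heur!IK;"
    "eSafe|Win32.TRATRAPS;eTrust-Vet|-;F-Prot|-;F-Secure|Trojan.Generic.KD.181230;"
    "Fortinet|-;GData|Trojan.Generic.KD.181230;Ikarus|Virus.Win32.Heur;"
    "Jiangmin|-;K7AntiVirus|-;Kaspersky|Trojan.Win32.Jorik.TDSS.gm;"
    "McAfee|DNSChanger.cl;McAfee-GW-Edition|Artemis!B01326CA8533;"
    "Microsoft|Trojan:Win32/Alureon.CT;NOD32|a variant of Win32/Kryptik.MMD;"
    "Norman|W32/Suspicious_Gen2.KSGTX;Panda|Trj/CI.A;PCTools|-;Prevx|-;Rising|-;"
    "Sophos|Sus/UnkPack-C;SUPERAntiSpyware|Trojan.Agent/Gen-FakeAntiSpy;"
    "Symantec|Trojan.FakeAV!gen42;TheHacker|Trojan/Jorik.TDSS.gm;"
    "TrendMicro|TROJ_FAKEAV.RHE;TrendMicro-HouseCall|TROJ_FAKEAV.RHE;VBA32|-;"
    "VIPRE|Trojan.Win32.Generic!BT;ViRobot|-;VirusBuster|-"
)

# Assumption (my classification): substrings that identify a family in a
# vendor verdict, mapped to one canonical name.  TDSS, Alureon and Olmarik
# are different vendor names for the same rootkit; the rogue-antispyware
# names are grouped under FakeAV.  Anything else that is not "-" is
# treated as a generic or heuristic verdict (Heur, Generic, Artemis, ...).
FAMILY_ALIASES = {
    "tdss": "TDSS",
    "alureon": "TDSS",
    "olmarik": "TDSS",
    "fakeav": "FakeAV",
    "fakeantispy": "FakeAV",
    "dnschanger": "DNSChanger",
}


def parse_results(table_text):
    """Return [(vendor, result), ...] from the compact table string."""
    rows = []
    for entry in table_text.split(";"):
        if not entry.strip():
            continue
        vendor, result = entry.split("|", 1)
        rows.append((vendor.strip(), result.strip()))
    return rows


def classify(result):
    """Map one vendor verdict to 'miss', a canonical family, or 'generic'."""
    if result == "-":
        return "miss"
    lowered = result.lower()
    for marker, family in FAMILY_ALIASES.items():
        if marker in lowered:
            return family
    return "generic"


def summarize(rows):
    """Count misses, generic hits and named-family hits; group named hits."""
    counts = {"total": len(rows), "missed": 0, "generic": 0, "named": 0}
    families = {}
    for vendor, result in rows:
        kind = classify(result)
        if kind == "miss":
            counts["missed"] += 1
        elif kind == "generic":
            counts["generic"] += 1
        else:
            counts["named"] += 1
            families.setdefault(kind, []).append(vendor)
    counts["detected"] = counts["generic"] + counts["named"]
    counts["ratio"] = round(counts["detected"] / counts["total"], 3)
    counts["families"] = families
    return counts


def vt_lookup_url(file_bytes):
    """SHA-256 the file and build VirusTotal's file-report URL, so a suspect
    file can be looked up by hash without uploading it.  The /gui/file/ form
    is VirusTotal's current URL layout, not the 2011 one."""
    return "https://www.virustotal.com/gui/file/" + hashlib.sha256(file_bytes).hexdigest()


if __name__ == "__main__":
    s = summarize(parse_results(VT_2011_04_10))
    print(f"detected {s['detected']}/{s['total']} ({s['ratio']:.0%}): "
          f"{s['named']} named a family, {s['generic']} were generic/heuristic, "
          f"{s['missed']} missed")
    for family, vendors in s["families"].items():
        print(f"  {family}: {', '.join(vendors)}")
```

Run against the table it reports 26 of 42 detected, but only 12 of those verdicts name a family and 14 are generic or heuristic ("Heur", "Generic", "Suspicious", "Artemis", "Kryptik"), and the vendors that do name a family split three ways (TDSS, FakeAV, DNSChanger) for the same file. The 60% figure is therefore softer than it looks, and vendor names are labels rather than ground truth.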