I’m glad to announce that Win32:SuspBehav – an advanced heuristic set of detections – is back on track now. It has been in maintenance mode for quite a while because some scheduled changes were made to the underlying emulator. Following these changes, I was really curious about what the real-world feedback would be, and this is what I found:
Wait! There’s a path to the legitimate IncrediMail installation directory. Hmmm, it is either a false positive or something really strange is going on here…
I can confirm that we at the Virus Lab “love” product specifications and documentation. My recent experience shows a discrepancy between MSDN and the real behavior of VirtualAlloc.
I’m currently revising and tweaking the memory management inside one of the emulators used in the avast! antivirus engine. The goal of my effort is to bring this emulated environment closer to the real-world environment, so I decided to make the memory management conform precisely to MSDN. But after doing that… suddenly… about a sixth of my test set (around 400 malware families in total) refused to emulate as deep as usual. And the problem was in the VirtualAlloc emulation:
Yes, an immortal virus seems to exist… at least in comparison to the usual life cycle of malware. While there are lots of malware families with a very short half-life, there are only a few with a long one. Parite (aka Pinfi) – a real long-playing evergreen – is one of them. Parite will reach the 10-year milestone this October. Gosh! Ten years! Can you remember what your computer looked like ten years ago? Ten years is an eternity in the world of IT. Just try to list what has changed and evolved during this period. There’s the obvious evolution of Windows and antivirus software for starters. But, despite all these changes, Parite is still with us.
Another day, another entry in the avast! Virus Lab submission system for reporting false positives:
Processing hundreds of possible false positives each day is usually routine work, but a submission from a live internet link is always interesting and needs more individual attention. The reason is obvious – it can do more harm to potential site visitors than a file on a local system which isn’t linked anywhere. The fact that we detect this bit of malware with two different detection systems (regular detection for Sality along with a heuristic detection) is a clear hint – there’s definitely something fishy here.
Have you ever heard of the Morphex PE32 Loader? You are certainly not alone. Even the mighty “Uncle Google” can’t find the proper results:
But… it definitely does exist.
Even if this is an “unknown” name, you should be concerned. The Morphex PE32 Loader supports the most successful and fastest-growing AutoRun worm of 2011.
There is a market for gift-wrapping services in cyberspace – especially for malware.
There are thousands of malware variants out in cyberspace, including the well-known Alureon, Koobface, FakeAV, and Zeus. Behind this myriad assortment is a surprisingly small group of packers with the task of slipping malware past antivirus programs. These packers can generate an almost unlimited number of unique instances of a single underlying malware binary. And what is good news for the bad guys – and rather bad news for the rest of us – is that these software packages make malware more accessible to the more “average” cybercriminal.
Malware writers seem to never sleep, and this time their activity also relates to my last article (published yesterday). How is that possible? When I used Google today to find references to my blog post, these results appeared:
It is always nice when we know what a file does, where it comes from, etc. Most of the time spent on deeper analysis of files (samples) goes to uncovering this information. But sometimes we don’t have to try, when everything is obvious, as in this case:
Trust brings together two hot topics that concern our users. First topic – Win32:Injected-AZ, which many users suspect of being a false positive. Second topic – the reliability of digital signatures (Authenticode). Here these two topics intersect under some interesting circumstances (which will be elaborated on soon):