
New malwarebytes Chameleon???


3 replies to this topic

#1 mute20

mute20

  • Members
  • 116 posts
  • Local time:12:37 AM

Posted 05 January 2012 - 01:13 PM

SAS just picked this up as a dangerous item.

Trojan.Dropper/SVCHost-Fake
C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\CHAMELEON\SVCHOST.EXE

Should I be worried in the slightest, or is it just a false positive? Already sent a false positive report to SAS. Anyone want to weigh in?



#2 Queen-Evie

Queen-Evie

    Official Bleepin' Bama Belle


  • Global Moderator
  • 7,723 posts
  • Gender:Not Telling
  • Location:Tuscaloosa, Alabama
  • Local time:11:37 PM

Posted 05 January 2012 - 01:30 PM

The latest release of Malwarebytes includes Chameleon Technology. It's likely a false positive. Maybe someone who knows more than I do will be able to let you know whether it is a threat or not.

I have the same folder in Malwarebytes. I just had SuperAntiSpyware scan and it did not tell me the same thing it told you.

Have you run across a pesky malware infection that made it hard if not impossible to run Malwarebytes Anti-Malware? Then take heart because Malwarebytes has been updated with Chameleon Technology to get it up and running even when blocked by infections.

Malwarebytes Chameleon Technology gets Malwarebytes Anti-Malware running even when blocked by infection.

http://www.howtogeek.com/101837/malwarebytes-anti-malware-updated-adds-chameleon-technology/


Edited by Queen-Evie, 05 January 2012 - 01:56 PM.


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 30,812 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:37 AM

Posted 05 January 2012 - 03:33 PM

Malwarebytes Chameleon Technology is a new feature introduced starting with v1.60.0. Some types of malware will target Malwarebytes Anti-Malware and other security tools to keep them from running properly. If that's the case, you can now use Chameleon, which essentially allows renamed versions/file extensions of the tool that can be used when the normal .exe file is blocked from running by the malware.

This is similar to RKill, which also uses renamed versions of files after critical system files because malware usually leaves them alone. However, sometimes they are detected by anti-virus programs as a threat. The detections are false positives and can be ignored.
Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 Didier Stevens

Didier Stevens

  • BC Advisor
  • 952 posts
  • Gender:Male
  • Local time:06:37 AM

Posted 06 January 2012 - 06:41 AM

Should I be worried in the slightest, or is it just a false positive? Already sent a false positive report to SAS. Anyone want to weigh in?


Probably a false positive. Check if the file C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\CHAMELEON\SVCHOST.EXE has a digital signature from MB, and check if it is OK. If it is OK, you can be sure it's a false positive.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com
Microsoft MVP 2011-2014 Consumer Security
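
The signature check suggested in the reply above, as an added PowerShell example that is not part of the original thread. The path is the one SAS reported; the `$ExpectedPublisher` string and the function name `Test-PublisherSignature` are assumptions made for illustration, so compare the reported signer against what the vendor actually publishes.

```powershell
# Added example: verify the Authenticode signature of the flagged file.
$Path              = "C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe"
$ExpectedPublisher = 'Malwarebytes'   # assumption: text expected in the signer subject

function Test-PublisherSignature {
    param(
        [Parameter(Mandatory)] [string] $LiteralPath,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    if (-not (Test-Path -LiteralPath $LiteralPath -PathType Leaf)) {
        throw "File not found: $LiteralPath"
    }

    # Status is 'Valid' only when the file content matches the signed hash
    # and the signing certificate chains to a root this machine trusts.
    $sig     = Get-AuthenticodeSignature -LiteralPath $LiteralPath
    $cert    = $sig.SignerCertificate
    $subject = if ($cert) { $cert.Subject } else { $null }

    # A file name proves nothing; the signer subject is what ties the file to a vendor.
    $publisherMatches = $false
    if ($subject) {
        $publisherMatches = $subject.IndexOf(
            $ExpectedPublisher, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
    }

    $verdict = switch ($sig.Status) {
        'Valid' {
            if ($publisherMatches) { 'Signed and intact, signer matches expected publisher' }
            else { 'Signed and intact, but by a different signer: treat as suspicious' }
        }
        'NotSigned'    { 'No signature: origin cannot be confirmed this way' }
        'HashMismatch' { 'File modified after signing: treat as suspicious' }
        default        { "Signature not trusted: $($sig.StatusMessage)" }
    }

    [pscustomobject]@{
        Path       = $LiteralPath
        Status     = $sig.Status
        Signer     = $subject
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        SHA256     = (Get-FileHash -LiteralPath $LiteralPath -Algorithm SHA256).Hash
        Verdict    = $verdict
    }
}

Test-PublisherSignature -LiteralPath $Path -ExpectedPublisher $ExpectedPublisher | Format-List
```

The SHA256 value in the output can be included in a false positive report so the vendor can identify the exact file.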




