Bloodhound Exploit 101


3 replies to this topic

#1 MikeQ

  • Members
  • 4 posts

Posted 11 November 2009 - 08:10 AM

Hello, I am receiving numerous reports of Bloodhound Exploit 101 from NIS2009 today. I suspect a false report but am not sure.

I store all my music on a ReadyNASDUO (Netgear LAN Drive) in WMA lossless format. I have just finished ripping it all to my DUO. Earlier this morning I ran a scan of the DUO and found no viruses. Later I started to get warnings from NIS2009 (Norton Internet Security), e.g.

HTTP WMP File Parsing Code Exec x3 today
Bloodhound.Exploit.101 x3 today

Has anyone seen this before?
Any ideas if this is a positive report or a false report?

This happened this morning as I was listening to my music on the Laptop (wirelessly), 1 of 3 PCs connected to the DUO.
I am using an Acer 6930G with Windows 7 installed.

Edited by MikeQ, 11 November 2009 - 08:11 AM.




#2 quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,938 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 November 2009 - 08:50 AM

NIS/NAV has the ability to detect unknown viruses of various types using heuristic algorithms known as Bloodhound Technology. According to Symantec, files that are detected as Bloodhound.Exploit.101 are a heuristic detection for the Windows Media Player ASF Invalid Codec Entries Count Vulnerability (as described in Microsoft Security Bulletin MS06-078). Under the Technical Details tab, Symantec indicates files that are detected as Bloodhound.Exploit.101 may or may not be malicious. Symantec asks that you Submit Virus Samples detected as this threat to the Symantec Security Response Team.

Symantec's technology uses an expert system to analyze the cataloged behaviors and assess the likelihood of viral infection. Bloodhound is not the name of a virus, but a message displayed by NAV when it thinks it may have found a new virus, which is categorized as Exploit or Packed variants in their definition files.

Heuristic analysis is the ability of an anti-virus program to detect possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware, which allows the anti-virus to detect and stop it before doing any harm to your system. Heuristic scanning methods vary depending on the vendor. Some claim to allow emulation of the file's activities in a virtual sandbox. Others scan the file more intensively, searching line by line and inspecting the code in a file to see if it contains virus-like characteristics. If the number of these characteristics/instructions exceeds a pre-defined threshold, the file is flagged as a possible virus.

The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as malicious. With heuristics, there is always a potential risk for a "False Positive" if the virus detection technology (AutoProtect Settings) is set to High for Bloodhound and the heuristic analysis flags a file as suspicious or infected that contains no malware. You may want to Reset Bloodhound to default settings and try scanning again.

NAV is doing its job when alerting to a Bloodhound exploit but from personal experience and testing, I have found some of these alerts to be a false positive. You need to investigate further and follow Symantec's instructions for submitting samples.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
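The MS06-078 issue quietman7 names is a media parser trusting the entries count in the ASF Codec List Object. The Python below is an added example (not from this thread, Symantec or Microsoft) of the consistency checks a defensive parser makes; it assumes the Codec List Object layout and GUID from the ASF specification, and rejects any count or string length that cannot fit in the bytes actually present, which is the same kind of internal inconsistency a heuristic such as Bloodhound is looking for in a file.

```python
import struct

# GUID of the ASF Codec List Object in on-disk byte order (from the ASF spec).
CODEC_LIST_GUID = bytes.fromhex("4052d1861d31d011a3a400a0c90348f6")
HEADER = 16 + 8 + 16 + 4  # object id, object size, reserved GUID, entries count
MIN_ENTRY = 8             # type field plus three length fields, all zero-length

def parse_codec_list(obj: bytes):
    """Return [(codec_type, codec_name), ...] from one Codec List Object, checking
    every count and length against the bytes actually present before using it."""
    if len(obj) < HEADER or obj[:16] != CODEC_LIST_GUID:
        raise ValueError("not a Codec List Object")
    size, = struct.unpack_from("<Q", obj, 16)
    if size != len(obj):
        raise ValueError("object size %d != %d bytes supplied" % (size, len(obj)))
    count, = struct.unpack_from("<I", obj, 40)
    pos = HEADER
    if count * MIN_ENTRY > len(obj) - pos:  # the MS06-078 class of inconsistency
        raise ValueError("entries count %d cannot fit in %d bytes" % (count, len(obj) - pos))
    def take(n):  # bounds-checked read of n bytes at pos
        nonlocal pos
        if n > len(obj) - pos:
            raise ValueError("field of %d bytes overruns object at offset %d" % (n, pos))
        pos += n
        return obj[pos - n:pos]
    entries = []
    for _ in range(count):
        ctype, name_wchars = struct.unpack("<HH", take(4))
        name = take(name_wchars * 2).decode("utf-16-le").rstrip("\x00")
        take(struct.unpack("<H", take(2))[0] * 2)  # codec description (WCHARs), skipped
        take(struct.unpack("<H", take(2))[0])      # codec information blob, skipped
        entries.append((ctype, name))
    return entries

def build_codec_list(entries, claimed_count=None):
    """Construct a Codec List Object for testing (not from a real file); claimed_count
    lets the header lie about how many entries follow, as a hostile file would."""
    body = b""
    for ctype, name in entries:
        wname = name.encode("utf-16-le")
        body += struct.pack("<HH", ctype, len(wname) // 2) + wname + struct.pack("<HH", 0, 0)
    count = len(entries) if claimed_count is None else claimed_count
    return (CODEC_LIST_GUID + struct.pack("<Q", HEADER + len(body)) + bytes(16)
            + struct.pack("<I", count) + body)

def check(obj):
    # Parse and return the entries, or the rejection reason as a string.
    try:
        return parse_codec_list(obj)
    except ValueError as err:
        return str(err)
```

Objects built with build_codec_list are constructed test data; on a real file the caller would first walk the ASF Header Object to locate the Codec List Object before handing its bytes to parse_codec_list.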

#3 MikeQ

  • Topic Starter

  • Members
  • 4 posts

Posted 11 November 2009 - 08:59 AM

Excellent support. I will do this.
Regards
Mike Q

#4 quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,938 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 November 2009 - 10:35 AM

You're welcome and good luck.



