clear impersonation but why not detected by antimalware?



#1 anniyan
Posted 15 May 2014 - 07:37 AM

https://www.virustotal.com/en/file/730007cbf624e3301ec3b4629e6a324933c326a3170cab1424e680fb47446455/analysis/1400154331/

 

This exe file is a clear impersonation of the famous Internet Download Manager by Tonec Inc. [looking at the file details]. So does that mean it is malware? If yes, why is it not detected by any antimalware? Maybe it is 0-day malware? Threat experts can analyse its code and take necessary actions.



#2 quietman7 (Global Moderator)
Posted 15 May 2014 - 03:44 PM

If you're dealing with zero-day malware it's unlikely the anti-virus testing is going to detect anything. It takes time for new malware to be reported, samples collected, analyzed, and tested by anti-virus researchers before they can add a new threat to database definitions.

Most Internet Download Managers are not an infection in the typical sense, but are more accurately classified as a Potentially Unwanted Program (PUP). Anti-virus programs generally scan for infectious malware, which includes viruses, Trojans, worms, rootkits and bots. PUPs, Potentially Unwanted Applications (PUAs) and Potentially Unsafe Applications do not fall into any of those categories, and that is the primary reason some anti-virus programs do not detect or remove them.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 anniyan (Topic Starter)
Posted 18 May 2014 - 12:40 PM

I meant to convey that this file is suspicious not in the aspect of being a Download Manager, but because its digital signatures try to impersonate the legitimate software from Tonec Inc.'s http://www.internetdownloadmanager.com. I was not sure if its ulterior motive was malicious and hence posted it here to warn anti-malware experts about it. Thank you.




#4 quietman7 (Global Moderator)
Posted 18 May 2014 - 05:39 PM

According to ProcessChecker, the file belongs to Tonec.

...idman7.1.exe is known as Internet Download Manager and it is developed by Tonec, Inc


However, I did find cracked versions of the file with the same name.

#5 anniyan (Topic Starter)
Posted 21 May 2014 - 12:10 PM

This file is an impostor with phony digital signatures, because http://www.internetdownloadmanager.com/news.html can clearly tell the latest version number (which has never yet reached 7.1) and its icon.




#6 xXToffeeXx (Malware Response Instructor)
Posted 21 May 2014 - 12:33 PM

It's definitely not a new file, it was first uploaded to VirusTotal a year and 9 months ago.

 

I would say it's either not malicious, or has not been sent to AV to be detected. Considering that heuristics of a few AVs would normally pick up a malicious file, I'm guessing the former. This is just guesswork based on what I know about how AVs work, however, so who knows.

 

xXToffeeXx~


Edited by xXToffeeXx, 21 May 2014 - 12:33 PM.

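The disagreement in posts #3 to #6 comes down to two different things the file can tell you: what its version-info resource claims (CompanyName, ProductName, FileVersion, which any tool such as ProcessChecker simply reads back and which anyone can write), and what its Authenticode signature can actually prove (a chain to a trusted root and a signer subject that matches the claimed vendor). The following PowerShell script is an added example, not code from the thread or from Tonec; it separates the two, computes the SHA-256 for a VirusTotal lookup, and, when a VT_API_KEY environment variable is present, pulls the first-submission date and detection counts that post #6 relies on from the VirusTotal v3 file endpoint. The file path and the expected-publisher string are assumptions you supply; the publisher string should be read off a known-good, validly signed copy of the software rather than typed from memory.

```powershell
# Added example (not from the BleepingComputer thread): triage a Windows
# executable whose version info claims a well-known publisher.
# Assumptions: -Path is hypothetical; -ExpectedPublisher is a substring you
# expect in the signer certificate's Subject (CN), taken from a known-good copy.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$ExpectedPublisher = 'Tonec'
)

$file = Get-Item -LiteralPath $Path
$vi   = $file.VersionInfo

# 1. What the file CLAIMS: free-form strings in the VS_VERSIONINFO resource.
Write-Host "Claimed CompanyName : $($vi.CompanyName)"
Write-Host "Claimed ProductName : $($vi.ProductName)"
Write-Host "Claimed FileVersion : $($vi.FileVersion)"

# 2. What the file can PROVE: the Authenticode signature. Status must be
#    Valid AND the signer must be the expected vendor; a valid signature from
#    an unrelated certificate still makes the file an impostor.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
Write-Host "Signature status    : $($sig.Status)"
if ($sig.SignerCertificate) {
    Write-Host "Signer subject      : $($sig.SignerCertificate.Subject)"
    Write-Host "Signer thumbprint   : $($sig.SignerCertificate.Thumbprint)"
    Write-Host "Signer valid until  : $($sig.SignerCertificate.NotAfter)"
}
$signedOk = ($sig.Status -eq 'Valid')
$nameOk   = $signedOk -and ($sig.SignerCertificate.Subject -like "*CN=*$ExpectedPublisher*")

# 3. Hash for a VirusTotal lookup (same identifier the first post links to).
$sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
Write-Host "SHA-256             : $sha256"
Write-Host "VirusTotal          : https://www.virustotal.com/gui/file/$sha256"

# 4. Optional: VirusTotal API v3 lookup. first_submission_date (Unix epoch)
#    answers "is this actually new?"; last_analysis_stats gives the detection
#    split. Requires an API key in $env:VT_API_KEY and network access.
if ($env:VT_API_KEY) {
    try {
        $r = Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$sha256" `
                               -Headers @{ 'x-apikey' = $env:VT_API_KEY }
        $a     = $r.data.attributes
        $first = [DateTimeOffset]::FromUnixTimeSeconds([long]$a.first_submission_date).UtcDateTime
        $age   = (Get-Date).ToUniversalTime() - $first
        Write-Host ("First seen on VT    : {0:u} ({1} days ago)" -f $first, [int]$age.TotalDays)
        Write-Host ("Detections          : {0} malicious, {1} undetected" -f `
                    $a.last_analysis_stats.malicious, $a.last_analysis_stats.undetected)
    } catch {
        Write-Warning "VirusTotal lookup failed: $_"
    }
}

# 5. Verdict: version-info strings never count as evidence on their own.
if (-not $signedOk) {
    Write-Warning "Unsigned or invalid signature ($($sig.Status)): the '$($vi.CompanyName)' claim in version info proves nothing."
} elseif (-not $nameOk) {
    Write-Warning "Validly signed, but by '$($sig.SignerCertificate.Subject)', not by '$ExpectedPublisher': treat as an impostor."
} else {
    Write-Host "Signer matches the claimed publisher. Now compare FileVersion '$($vi.FileVersion)' against the vendor's published release list."
}
```

Run it as `.\Check-Publisher.ps1 -Path .\idman7.1.exe -ExpectedPublisher 'Tonec'` (file name and script name are illustrative). Two caveats: a Valid status only means the chain builds to a root your machine trusts, so check the thumbprint against a known-good release of the product rather than trusting the CN alone; and, as post #7 notes, even a genuine copy of a download manager may be flagged as a PUP, so a detection count says nothing about whether the signature is real.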


#7 quietman7 (Global Moderator)
Posted 21 May 2014 - 06:05 PM

Regardless of the signature, these types of utilities (even if legit) are more likely to be detected as a PUP.