Hackers incorporating legitimate software to increase a malware's potential


Batu69


A .NET malware abusing legitimate ffmpeg

Malwarebytes has discovered a new cyberattack modus operandi that has hackers incorporating legitimate apps into their malware to make it stronger and accomplish specific tasks.

 

Although the cybersecurity firm did not name the malware used as an example in its report, the company did note that this hacking methodology is representative of what is happening in the wild and becoming more prevalent.

 

In the example used by Malwarebytes, the firm recently found a banking trojan that, once installed on the victim's machine, downloaded FFmpeg, free software that produces libraries and programs for handling multimedia data. This ability, along with several others already included in the malware, allows the hacker to grab not only screenshots but full video of the victim's computer.

Essentially, once the malware recognizes that the computer is on a banking site, it turns on its various capture capabilities to grab login credentials and other personal data. The malware itself is unsophisticated, easily defeated and poorly obfuscated, but Malwarebytes warns that despite these shortcomings it is highly capable of spying on and even backdooring the victim's computer.

"This malware is prepared by an unsophisticated actor," Malwarebytes said. "Neither the binary nor the communication protocol is well obfuscated. The used packer is well-known and easy to defeat. However, the malware is rich in features and it seems to be actively maintained. Its capabilities of spying on the victim and backdooring the attacked machine should not be taken lightly, because even a simple threat actor can cause a lot of damage when neglected."

 

Article source
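As an added, defender-side example (not code from the article or from the Malwarebytes report): the detection angle on this technique is that a legitimate, signed FFmpeg binary is harmless by itself, so a hash or signature match tells you nothing; what stands out is the context of the process creation. The script below scores ffmpeg process-creation events on three independent signals (running from a user-writable directory, launched by an unexpected parent, and a screen-capture command line) and only alerts when two or more agree, which keeps a video editor's ordinary transcode runs out of the alert queue. The event lines are constructed for this example in a Sysmon-like JSON shape; the `gdigrab` / `-i desktop` marker is an assumption about how screen recording via ffmpeg would look on Windows, since the article does not say how the trojan invokes it.

```python
"""Context-based triage of ffmpeg process-creation events.

Added example, not from the article or the Malwarebytes report.  The JSON
event lines are constructed; the field names imitate Sysmon Event ID 1.
The screen-capture markers are an assumption about how a screen recording
would be requested from ffmpeg on Windows (gdigrab) or Linux (x11grab).
"""
import json
import ntpath

# Paths where a helper binary fetched at runtime would typically be dropped.
# Constructed list; tune it to the environment being monitored.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")

# Assumed argument fragments that indicate desktop capture rather than transcoding.
# "-i desktop" is matched as a unit so a path containing "Desktop" does not trip it.
SCREEN_CAPTURE_MARKERS = ("gdigrab", "-i desktop", "x11grab")

# Parents from which an interactive user (or a media tool) would normally run ffmpeg.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "obs64.exe"}

# Constructed sample events: one benign transcode, one suspicious capture,
# one unrelated process, and one single-signal event that stays below threshold.
SAMPLE_EVENTS = r"""
{"Image":"C:\\Program Files\\ffmpeg\\bin\\ffmpeg.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"ffmpeg.exe -i clip.mp4 out.mkv"}
{"Image":"C:\\Users\\alice\\AppData\\Roaming\\svc\\ffmpeg.exe","ParentImage":"C:\\Users\\alice\\AppData\\Roaming\\svc\\updater.exe","CommandLine":"ffmpeg.exe -f gdigrab -framerate 10 -i desktop rec.mp4"}
{"Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"chrome.exe --type=renderer"}
{"Image":"C:\\Users\\alice\\Downloads\\ffmpeg.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"ffmpeg.exe -i in.mp4 -c:v libx264 out.mp4"}
"""


def parse_events(text):
    """Parse one JSON event per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def score_event(event):
    """Return the list of reasons an ffmpeg process-creation event looks suspicious.

    Non-ffmpeg processes get an empty list; each reason is an independent signal.
    """
    image = event.get("Image", "")
    if ntpath.basename(image).lower() != "ffmpeg.exe":
        return []

    reasons = []
    image_lower = image.lower()
    if any(hint in image_lower for hint in USER_WRITABLE_HINTS):
        reasons.append("ffmpeg running from a user-writable directory")

    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent not in EXPECTED_PARENTS:
        reasons.append("unexpected parent process: %s" % (parent or "unknown"))

    cmdline = event.get("CommandLine", "").lower()
    if any(marker in cmdline for marker in SCREEN_CAPTURE_MARKERS):
        reasons.append("command line requests screen capture")
    return reasons


def triage(text, min_signals=2):
    """Return (image, reasons) for every event with at least min_signals reasons."""
    alerts = []
    for event in parse_events(text):
        reasons = score_event(event)
        if len(reasons) >= min_signals:
            alerts.append((event.get("Image", ""), reasons))
    return alerts


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print("ALERT:", image)
        for reason in reasons:
            print("  -", reason)
```

Requiring two signals is a deliberate trade-off: a single hint such as "ffmpeg in Downloads" is exactly what a user who just fetched the official build looks like, while a freshly dropped copy in AppData being driven by an unknown parent to record the desktop has no benign explanation worth tolerating in a banking context.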


What goes around comes around. We are going back to the late 80s and early 90s when legitimate software was configured to carry a virus. The only change is that the malware is getting to be selective and not one size fits all. And as viruses did back then, this will also mature and change over time into something else, with each new change causing more infections until the AV companies identify and update their software. Heuristics are still as lousy now as they were 30 years ago, catching more valid files than invalid ones, so that has not been and is not now the answer to the problem. If you want a good example of terrible AV software you need look no further than ESET, whose heuristics have caught 100 valid files for every invalid file over the life of the program.


19 hours ago, straycat19 said:

  If you want a good example of terrible AV software you need look no further than ESET whose heuristics have caught 100 valid files for every invalid file over the life of the program.

Show me any proof of this. Even any AV test run on ESET shows very low false positives on file detection. In AV tests it's typical of an antivirus that scores very high at finding real positives, like 100%, to have many false positives. From my own testing, using ESET every day since 2014, I have never had any such false positives; the only false positives I ever had would be with 1 crack out of 50 or something like that. It never detected any legit programs, ever.

 

Now if you turn on PUP protection, which is common sense not to install programs with adware, and I never turn this on in my setup, you will find more false positives as far as cracks go. If you want good examples of false-positive antivirus, Avast, AVG, Avira and Norton would be better examples than ESET.

 

From my own testing, Avast has always been nothing but wall-to-wall false positives, not only flagging almost all cracks but deleting components in legit programs as well, some of them critical, to do with drivers and things. Avira used to be so bad it was worse than Avast, and the others I listed are on my shit list because I caught a virus using AVG back in the early 2000s, and people have cried wolf in the comments of warez sites about false positives with Norton and AVG for as long as I can remember.

 

ESET used to not be as good as it is now; Kaspersky used to beat it hands down in my own testing, but ESET never had the false positives you claim, even when I tested it years ago. And in recent years I've not had any problems with anything getting by ESET in real time, not in a lab.

 

So I have to call you out on that part of your comment as total BS, as I had a different experience with ESET altogether.

 

I do have something installed now that I'm testing that has bad heuristics; it's called Zemana AntiMalware. But almost every anti-malware program like these I ever tested (Malwarebytes, SAS, HitmanPro and others) had false positives too. Still, I think Zemana AntiMalware takes the cake.

 

I always have proof of what I say. The only thing ESET has detected on my end in the last month was some websites' adware and an iframe trojan that it blocked on websites.

 

[screenshot attachment: vmXIJay.png]

 

If I wasn't trying to visit websites I had never been to before, I would not even have got these hits.

 

I found in Zemana AntiMalware so far about 100 false positives in the last 4 days; most of them were caused by me editing things like adding extra search engines and hacking exes to change an app's looks. I keep logs like most people do and have real proof of it.

 

I doubt I'll keep Zemana AntiMalware because I've been running NOD32 since 2014 and hardly had any false positives, and when I test other anti-malware programs they find nothing but false positives and nothing real.

 

Even the malware in the 1st post, NOD32 detected it: QWXSDERFD.js, ESET-NOD32 MSIL/Agent.ACU

https://virustotal.com/en/file/b920e5f907caced96cebd946cbf6aad02b10676712c2663f2187a8a9fad5b311/analysis/

Microsoft and Kaspersky did not detect the JavaScript dropper. NOD32 will block a website with this, and you could not visit it unless you whitelist the site.

 

Microsoft and Kaspersky detected the exe dropper after it was dropped by the js dropper.

https://www.virustotal.com/en/file/91df20cfd25c140da8728f67e004dc42277922aac62b8dce7589ee82f84ca52a/analysis/

I think I'll keep NOD32, where it blocks the website for most threats before they can get on my computer. The only website I have whitelisted in NOD32 is this one. I don't use TNOD anymore; I know where to find keys for all versions without using it.

I disagree with the ESET comment. I have used it for years, and it is a pain to exclude cracks and keygens, but I have never had a false positive; as a matter of fact, Virus Bulletin gives it a VB100 award with the lowest number of false positives. AV-Comparatives, I don't believe the results, and AV-Test, I don't believe the results; I do believe the results from Virus Bulletin. I have Avast installed on my mom's computer and it never has a problem with false positives. Yes, I agree: do NOT turn on Potentially Unwanted Programs or Potentially Unwanted Applications; cracks, keygens and many files on this site are going to get detected, including the ESET fix. Now, where ESET falls short, I think, is anti-stealth, which is anti-rootkit (I tested that back in the day and it wasn't very good). I am going to test it again to see if they have improved it; I just have to find time to do it.