Still Doesn’t Like Kaspersky

Note: This entry has been restored from old archives.

Seeing more of those emails that try to hurt Kaspersky’s feelings. An interesting note about them. If you download with an IE useragent string you get something different that what you get with a Firefox useragent string. If the UA string isn’t FF or IE you get simple HTML with just the link to the exploit .exe file. The obvious difference between the FF and IE versions is that the FF version of the code doesn’t insult Kaspersky.

Beyond that the FF and IE have very different payloads attached. The IE payloads I see now are very similar to the weekend’s, some minor differences that seem to mainly revolve around the different IP address. The decoded script contains a variety of nastiness, including downloading “file.php” which is another PE executable, yet another version of Zhelatin/Nuwar/Storm. This site’s version of video.exe is labor.exe (Labor Day in US). Both PEs are detected as Zhelatin vars by KAV. KAV catches the IE version of the web script, but not the FF version. Overall scan results are pretty average (heh, these guys probably use sites like virustotal.com to test their damn malware).

   File             | Caught By | As %
--------------------+-----------+--------
IE Script           |   6/31    | 19.36% 
IE Script (decoded) |  15/32    | 46.88% 
FF Script           |   7/31    | 22.59% 
FF Script (decoded) |  12/32    | 37.50% 
labor.exe           |  16/32    | 50.00% 
file.php            |  12/32    | 37.50% 

(The /31 entries are where the Prevx1 scanner wasn’t included for some unexplained reason.)

The FireFox post-xor payload is much shorter than the IE version. It seems to contain just a couple of simpler exploits. One of which is for Windows Media Player plugin EMBED bug MS06-006. The other looks like something intended to do some stack smashing in the FF javascript engine.

Also worth noting, each time you download you get a script that has used a different value for the xor key (well, probably random rather than specifically different). Both versions have the same obvious xor decrypt though. Getting closer to some difficult form of polymorphism?

Seen only a couple of IPs hosting this creature so far. In both cases they’re RoadRunner owned IPs in the US.

Finally, here’s a coverage summary from a script that processes virustotal.com results. This data is by no means a meaningful representation of anything at all. Top points to Webwasher, although AFAIK they uses multiple AV engines. I’ve never even heard of half these scanners outside of virustotal.com scans.

                                 FF-dec FF IE-dec IE file.php labor.exe  COVERAGE
Webwasher-Gateway (2007.09.03):       Y  Y      Y  Y        Y         Y     100%
              AVG (2007.09.03):       x  Y      Y  Y        Y         Y      83%
          AntiVir (2007.09.03):       Y  x      Y  x        Y         Y      66%
      VirusBuster (2007.09.03):       x  x      Y  Y        Y         Y      66%
        Kaspersky (2007.09.03):       x  Y      Y  x        Y         Y      66%
           McAfee (2007.09.03):       Y  Y      Y  Y        x         x      66%
         F-Secure (2007.09.03):       Y  Y      Y  x        x         Y      66%
         Symantec (2007.09.03):       Y  x      Y  x        Y         Y      66%
      BitDefender (2007.09.03):       Y  x      Y  x        Y         Y      66%
       eTrust-Vet (2007.09.03):       Y  x      Y  x        x         Y      50%
        Microsoft (2007.09.03):       x  x      Y  Y        x         Y      50%
            eSafe (2007.09.03):       x  Y      x  Y        x         Y      50%
           Sophos (2007.09.03):       Y  x      x  x        Y         Y      50%
           Rising (2007.09.03):       Y  x      Y  x        x         x      33%
            Ewido (2007.09.03):       x  Y      Y  x        x         x      33%
    CAT-QuickHeal (2007.09.03):       x  x      x  x        Y         Y      33%
            DrWeb (2007.09.03):       x  x      x  x        Y         Y      33%
          Sunbelt (2007.08.31):       x  x      x  x        Y         Y      33%
           Norman (2007.09.03):       Y  x      x  x        x         Y      33%
           Ikarus (2007.09.03):       Y  x      x  x        x         x      16%
            Panda (2007.09.03):       x  x      x  x        Y         x      16%
       Authentium (2007.09.02):       x  x      Y  x        x         x      16%
            VBA32 (2007.09.03):       Y  x      x  x        x         x      16%
           F-Prot (2007.09.02):       x  x      Y  x        x         x      16%
            Avast (2007.09.03):       x  x      x  x        x         x       0%
        AhnLab-V3 (2007.09.03):       x  x      x  x        x         x       0%
          NOD32v2 (2007.09.03):       x  x      x  x        x         x       0%
      FileAdvisor (2007.09.03):       x  x      x  x        x         x       0%
         Fortinet (2007.09.03):       x  x      x  x        x         x       0%
           Prevx1 (2007.09.03):       x  O      x  O        x         x       0%
           ClamAV (2007.09.03):       x  x      x  x        x         x       0%
        TheHacker (2007.09.02):       x  x      x  x        x         x       0%

[[[FYI I’m a big fan of using different AV scanners. I.e. use one product on your desktop, another on your mail server, and yet another at the gateway. I have a leaning towards McAfee and KAV, in the rather unrepresentative example above they make a perfect combination. šŸ˜‰ It’s a bit expensive though, and you’re not going to get any “seamless integration” this way. Could be some call for a meta-AV company. The meta-AV company creates a UTM, remote desktop management system, and messaging (mail, etc) server scan interface with one unified management system. What would make it different from the alternatives I’ve seen around is that rather than being single-vendor based the aim would be to allow different AV products to plug in to each location.

Another semi-related thought is that you could have a system where a business has n different AV products installed across it’s desktop systems. Most employee desktops do stuff-all with their mega-cpu-power, so let’s put it to some good use. What you get is a “farm” of AV engines that your email/proxy infrastructure can call out to for scanning. To make it even more distributed you could have employee mail clients and web browsers pulling their traffic through their peers in such a way that each peer links through a peer with a different AV product. It’s a bit rough around the edges. Can you trust a desktop platform to do the job of secure proxy server? What about the added latency, is it significant? AV scanning tends to be slow.]]]