MalwareBytes Missing Trojan.Win32.GenericISB.0 in .zip file


I received an email with an attachment. The message was SPAM and originated from CERFNET (ATT).

The attachment was a zip file. Inside was an .exe containing a trojan. When composing my email to ATT, I tested the zip to see if it was infected.  MalwareBytes said no. Managed Antivirus (Vipre) said yes. (see attached)

 

I uploaded the zip file to Jotti's Malware Scan. 10/23 scanners said it was infected.

 

http://virusscan.jotti.org/en/scanresult/679a689bafe97cf1f235d3e9d40e1e2c1a48915e

 

If this is a new signature, I would expect some may not have it yet. However, if it is not, WTH? This is the scary scenario where users fail to act responsibly, relying on their AV product to protect them. Had their primary AV been MalwareBytes or any of the other 13 AV products listed at Jotti that failed to detect this infection, this could have been troubling. Before I scanned, I performed an update.

 

I know if one of my users had tried to save or unzip this attachment, the AV would have caught it. However, if that service had been off for any reason, this could have been a very bad thing, considering this is a financial institution. I will need to report to GFI to see why their email scanner missed it when Vipre (threatattack.com) caught it.

 

I'm concerned that MalwareBytes missed it and gave it an OK.

 

Here is the scan log: (Personal details obfuscated: XXXXXXXX)

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.10.15.05
 
Windows Server 2003 Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
XXXXXXXX :: COMPUTERNAME [XXXXXXXX]
 
10/15/2013 1:40:49 PM
mbam-log-2013-10-15 (13-40-49).txt
 
Scan type: Custom scan (C:\Documents and Settings\XXXXXXXX\My Documents\Downloads\danger\PaymentAdvice15102013.zip|)
Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Memory | Startup | Registry | Heuristics/Extra | P2P
Objects scanned: 1
Time elapsed: 3 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 
I did not include the zip file as an attachment because I don't want it to be publicly available. Please let me know if you need this infection for review and where to upload it.
 

[attached screenshot]

Ron...

 

At 11:32am CDT, it was not being detected. I just updated again and NOW it is being detected. Your response reads as if there was an error on my part.

 

So, fair enough. I checked the scan logs.

 

Maybe this is the issue:

I ran an update before scanning but the log shows this:

Database version: v2013.04.04.07

 

After running another update, which should use the latest:

Database version: v2013.10.15.06

 

It reports this: Database version: v2013.10.15.05

 

So, I closed MB and rescanned:

Now I get the right engine reporting: Database version: v2013.10.15.06

 

It was my understanding you don't have to restart MB after an update. Apparently you do. Can you confirm? I don't mind if that is the procedure but I've never restarted after updating before a scan.

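The confusion above (an update reported as downloaded, a log still showing an older database, and an earlier scan that silently ran on April rules) is worth checking mechanically before a clean verdict is trusted. The following is an added example, not code from this thread or from Malwarebytes: it parses the header of an MBAM 1.x log in the format posted in the first post and warns when the database is older than the version the updater reported, or older than the scan date itself. The sample logs are constructed from that format; the regular expressions assume the 1.75 log layout, and the expected-version tuple is whatever you read off the updater.

```python
"""Sanity-check a Malwarebytes Anti-Malware 1.x scan log before trusting its clean verdict."""
import re
from datetime import datetime

# Constructed sample (abridged): the header format of the log posted in this thread.
CLEAN_LOG = """Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.15.05

Windows Server 2003 Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702

10/15/2013 1:40:49 PM
mbam-log-2013-10-15 (13-40-49).txt

Scan type: Custom scan (C:\\Documents and Settings\\XXXXXXXX\\My Documents\\Downloads\\danger\\PaymentAdvice15102013.zip|)
Objects scanned: 1
Time elapsed: 3 second(s)

Files Detected: 0
(No malicious items detected)

(end)
"""

# Constructed sample: the same scan as it would look with the April database the poster
# found in an older log.
STALE_LOG = CLEAN_LOG.replace("v2013.10.15.05", "v2013.04.04.07")

# Assumption: these line shapes match the 1.75 log layout; other versions may differ.
DB_RE = re.compile(r"^Database version: v(\d{4})\.(\d{2})\.(\d{2})\.(\d{2})\s*$", re.M)
SCAN_TIME_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s*$", re.M)
FILES_DETECTED_RE = re.compile(r"^Files Detected: (\d+)\s*$", re.M)


def parse_db_version(log):
    """Database version as (year, month, day, release); tuples compare chronologically."""
    m = DB_RE.search(log)
    if not m:
        raise ValueError("no 'Database version' line found")
    return tuple(int(g) for g in m.groups())


def parse_scan_time(log):
    m = SCAN_TIME_RE.search(log)
    if not m:
        raise ValueError("no scan timestamp line found")
    return datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")


def parse_files_detected(log):
    m = FILES_DETECTED_RE.search(log)
    return int(m.group(1)) if m else None


def fmt(ver):
    return "v%04d.%02d.%02d.%02d" % tuple(ver)


def assess_log(log, expected=None, max_age_days=1):
    """Return warnings about the database the scan ran with; an empty list means none.

    expected: the version the updater reported downloading, e.g. (2013, 10, 15, 6).
    A log showing an older version means the scan ran on stale rules, whatever its verdict.
    """
    ver = parse_db_version(log)
    scanned_at = parse_scan_time(log)
    warnings = []
    if expected is not None and ver < tuple(expected):
        warnings.append("scan ran with %s but %s was already downloaded; rescan"
                        % (fmt(ver), fmt(expected)))
    # The first three fields of the version are the date the rules were built.
    age_days = (scanned_at - datetime(ver[0], ver[1], ver[2])).days
    if age_days > max_age_days:
        warnings.append("database is %d days older than the scan; update and rescan" % age_days)
    return warnings


if __name__ == "__main__":
    for name, log in (("clean", CLEAN_LOG), ("stale", STALE_LOG)):
        print(name, fmt(parse_db_version(log)), parse_files_detected(log),
              assess_log(log, expected=(2013, 10, 15, 6)))
```

Feed it the text of the log file and the version the updater just reported; a non-empty list means rescan, regardless of what the Files Detected line says. The check is deliberately about the database rather than the verdict, since a scan on stale rules tells you nothing about the sample.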

  • Root Admin

No the issue I was thinking about is different.  It would seem that it was just a missed database update, timing issue.
 
This does point out, though, why having a multi-layered approach to security is needed.  Our program is not an antivirus product and not a replacement for one either.  We work in conjunction with your antivirus to help shore up other areas where your antivirus may miss things.  
 
As Java seems to get exploited on a regular basis, I advise not using Java if possible, but at least disable Java in your web browsers.
How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.
Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.

In your case here it would seem that automated updates are not enabled or you're using the Free version. 
 
If you're not currently using Malwarebytes PRO then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.
 
If you are using the PRO version then I'd recommend changing the scheduled update settings.
 
 
Resetting the Malwarebytes Anti-Malware schedules from the command line.
 
There is a 15 minute randomized delay in the scheduler for MBAM updates, so plus or minus 15 minutes is normal for updates with the scheduler. Scans will run at the time set, though.

From an elevated admin command prompt please do the following.
How to Open an Elevated Command Prompt in Windows 7

Please type the following and press the Enter key at the end of the line.
You can check here if you're not sure if your computer is 32-bit or 64-bit

On Windows XP and Windows 7 x86
CD "%ProgramFiles%\Malwarebytes' Anti-Malware"

On Windows 7 x64
CD "%ProgramFiles(x86)%\Malwarebytes' Anti-Malware"

Please type the following and press the Enter key at the end of each line. There will not be any feedback normally unless you type it wrong.


mbam.exe /unschedule /all
mbam.exe /schedule /update /silent /hourly /every 4 /starting 10/04/2013 16:15:00 /recover 2
mbam.exe /schedule /scan -quick -log -silent -remove -reboot /silent /daily /every 1 /starting 10/04/2013 17:30:00 /recover 23

Now open the MBAM program and go to the Protection tab and click on the Scheduler button
If completed correctly it should look very similar to the image below.

[image: scheduler settings screenshot]


Trojan.Win32.Generic!SB.0 is a pretty old threat, recorded around April 2011.  Even if still around, it would be an antivirus software's job to detect and remove it.

 

As David Stated

 

 

Malwarebytes' Anti-Malware (MBAM) is not a historical anti-malware solution.  That means that MBAM only targets in-the-wild malware found infecting computers "today" and not last year or 5 years ago.  That means that something like BugBear, which was seen in 2005, will not be targeted by MBAM.

 

Therefore, periodically, Malwarebytes will look at their detection signature database and cull detections of malware that has basically dropped off the radar.

 

 

Found HERE


Thanks for the info, Ron, but the bottom line is, if the app informs you it needs to update the defs db, then it needs to use it. If it needs a restart, issue one or notify the user. I believe there's an issue. I've looked back through the logs and the log prior to today doesn't have a scan showing the 04-04 update. However, all the logs prior to that the dates match.


Trojan.Win32.Generic!SB.0 is a pretty old threat, recorded around April 2011.  Even if still around, it would be an antivirus software's job to detect and remove it.

 

As David Stated

 

 

Found HERE

 

Following that philosophy, if it's not an AV product, not supposed to detect malware or remove malware, then what good is it? (O:=

I think you're missing my argument. The issue is NOT what it is or isn't. The issue is: does it use the currently downloaded defs db without a restart or not? If not, then please notify the user. If so, then please fix the bug. I seriously doubt the answer is "just wait an undetermined amount of time after updating the defs before scanning." The developers are too good for that to be the rule.


  • Root Admin

As I said previously, this specific infection was recently added, probably to the .06 rules.  You ran it with the .05 rules, so it did not know it.  Scanning with the .06 rules detects it and removes it; you do not need to restart the computer.   This rule was probably picked up from your posting it to Jotti, as we scour and add detections from all the major players as well.

 

If there is nothing else then we should be all set here.


Sorry, Ron. I think I'm confusing you.

 

First, the problem is solved. The first scan was with an outdated database, as you first responded.

 

There was an old version of MB on the server dated last year. I opened it and it said it had downloaded the app, then wanted to install the new version. After installation I realized I just wanted to scan one file. So I scanned from Explorer and it said no infections found. I just realized that when it updates the app, it has the 2013-04-04-07 db. It doesn't try to update the defs until you open the app directly.

 

I just scanned the zip file again and it reported no infection. That is with the 2013-10-15-06 db.

I just ran an update to 2013-10-16-03. It also fails to detect the infection in the archive.

It does detect it outside the archive.

 

I also noticed, unless you choose to remove the infection, the log will show it detected 0 infections, even though the popup says there was one.

 

And, I checked. The settings are to scan for infections in the archive.

 

So, instead of having to restart the app (not the computer), it fails to detect the infection inside the archive even with the latest database but does detect it otherwise.  Are there any known issues for that?

 

I didn't know you guys were connected to Jotti so good to know.

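Whether or not a scanner looks inside archives, the attachment itself can be examined without extracting or running anything. The following is an added example, not code from this thread or from Malwarebytes or Vipre: it walks a zip in memory, identifies executables by their MZ/PE header rather than their name, flags double extensions, traversal paths and encrypted or oversized members, and produces the hashes you would look up at a multi-scanner such as Jotti. The sample archive is constructed here (a minimal fake PE named after the attachment in the first post, a harmless text file, and a member with a traversal path); it is not the poster's file, and the extension list and size limits are assumptions about what a mail gateway should treat as hostile.

```python
"""Look inside a suspicious mail attachment without extracting or executing anything."""
import hashlib
import io
import os
import re
import struct
import zipfile

# Assumption: file types a mail gateway should never pass inside an archive unchallenged.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".dll", ".cpl", ".bat", ".cmd", ".js", ".jse",
             ".vbs", ".vbe", ".wsf", ".hta", ".jar", ".msi", ".ps1", ".lnk"}
MAX_MEMBER_BYTES = 64 * 1024 * 1024   # never inflate anything larger into memory
MAX_RATIO = 1000                       # inflation ratio above which a member is treated as a zip bomb


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def is_pe(data):
    """True if data starts with a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def unsafe_path(name):
    """Archive paths that would escape the extraction directory (zip-slip) or are absolute."""
    parts = name.replace("\\", "/").split("/")
    return name.startswith(("/", "\\")) or ".." in parts or re.match(r"^[A-Za-z]:", name) is not None


def triage_zip(source):
    """Return one dict per archive member with hashes and the reasons it looks suspicious."""
    src = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    results = []
    with zipfile.ZipFile(src) as zf:
        for info in zf.infolist():
            if info.filename.endswith("/"):      # directory entry, nothing to hash
                continue
            flags = []
            stem, ext = os.path.splitext(info.filename)
            ext = ext.lower()
            if unsafe_path(info.filename):
                flags.append("path escapes extraction dir")
            if ext in EXEC_EXTS:
                flags.append("executable extension")
                if os.path.splitext(stem)[1]:     # e.g. Invoice.pdf.exe
                    flags.append("double extension")
            if info.flag_bits & 0x1:              # bit 0 of the general purpose flag: encrypted
                flags.append("encrypted member (cannot be scanned in place)")
                data = None
            elif info.file_size > MAX_MEMBER_BYTES or \
                    info.file_size > MAX_RATIO * max(info.compress_size, 1):
                flags.append("suspicious size/ratio, not inflated")
                data = None
            else:
                data = zf.read(info)              # inflated in memory only, never written to disk
                if is_pe(data):
                    flags.append("PE image by header (regardless of name)")
            results.append({
                "name": info.filename,
                "size": info.file_size,
                "sha256": sha256_hex(data) if data is not None else None,
                "md5": hashlib.md5(data).hexdigest() if data is not None else None,
                "flags": flags,
            })
    return results


def build_sample_zip():
    """Constructed sample, not the poster's attachment: a minimal fake PE named like it,
    a benign text file, and a member whose path climbs out of the extraction directory."""
    pe = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 60
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("PaymentAdvice15102013.exe", pe)
        zf.writestr("readme.txt", b"please see attached payment advice\n")
        zf.writestr("../../Start Menu/Programs/Startup/update.bat", b"@echo off\r\n")
    return buf.getvalue(), pe


if __name__ == "__main__":
    blob, _ = build_sample_zip()
    for row in triage_zip(blob):
        print(row["name"], row["size"], row["sha256"], row["flags"])
```

Run it against a real attachment with `triage_zip("PaymentAdvice15102013.zip")`; the hashes are what you submit to a multi-scanner, and a member that is a PE by header, has a traversal path, or cannot be inflated is reason enough to quarantine the whole archive without waiting for a signature.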

  • Root Admin

Well, that is a bit different, as you did a program update, not a rule update.  In theory, as long as everything works 100% correctly, you should not need to reboot, but unfortunately there really are some potential issues that can come up, and I would recommend a reboot any time you do a new install unless the system has been recently rebooted and you're certain the system is not having any issues or errors in the Event Logs.  Not too many computers are in pristine condition all the time.  Also, if you're upgrading over a version that is more than one version back, I would really recommend a reboot.  If in doubt, reboot and retest.

 

Please zip and attach the file and I'll test it myself and see what I get if you like.

