
Sweetpacks PUP Cluster Completely Emasculates MBAM



Your magic is weak, MBAM...

 

I hope that you guys have noticed the pattern. Note how many users are reporting a pre-scan crash. The difference between what others are reporting and this report is that I am pretty sure that the perpetrator involved is something left by one of the Sweetpacks PUPs. You are several steps from being able to assist any customers in getting rid of it.

 

Both your regular anti-malware products and Chameleon insist on updating the product before scanning. This is your Achilles heel. The PUP plugs your update IP and feeds your program garbage. However, the act of trying to access this port on that IP apparently results in them getting your process ID (via the Sockets APIs - look it up), no matter how hard you try to mutate. So, both regular MBAM and Chameleon are easily terminated. In fact, I'll bet they didn't even have to change anything to defeat Chameleon.

 

I managed to bypass this behavior about 1 out of 100 times by giving it many instances to kill at one time. Here is the kicker, though:

 

YOU CAN'T FIND THE MALWARE DURING THE SCAN!

 

So, you are trying to update the free sites that you use to distribute your software on the cheap too infrequently, but - more importantly - you are giving those people WAY too easy an attack vector on you. You have to stop unconditionally forcing an update check. It is suicide.

 

It must be a point of pride with those guys to terminate your process, as it appears that you are completely unable to detect them.

 

If I can find the file, I'll let you know, but I just want my computer to work, so I can't spend a lot of time on this. Perhaps I can find the process id of the offending file.

  • Staff


How did you figure this out? We have yet to see this behaviour at all from PUPs or any malware for that matter.

 

If you don't update, then MBAM is useless against the fresh malware that is out there. There is a reason we release over 10 database updates a day: all the morphing that PUPs and other malware do.

 

If you know what file installed these and I could duplicate it, that would be appreciated. Self-protection in 2.0 should prevent them from terminating the process. Chameleon should also stop it.
