Jump to content

Beware imgburn....saved by Malwarebytes and Kaspersky


Recommended Posts

I downloaded imgburn which I heard is a great program for burning ISOs from disks, ran both Kaspersky and Malwarebytes scans of the installation file and both scans indicated clean.  Then executed the installation.  After being unpacked...Kaspersky flagged as malicious, deleted the program and rolled back due to the damage caused by the malware. Malwarebytes at the same time blocked several websites the malware was apparently attempting to open some backdoors.

I feel stupid...not having uploaded to virus total like I usually do a file before executing...which after the fact was flagged by something like 27 or so virus engines out of 60..with all kinds of nasty malware names.

The point is this...imgburn may be a good product, but many download sites pack it with all kinds of adware, trojans, malware and who knows what else. So be careful from where you download your programs.

 Still, between Kaspersky and Malwarebytes working in unison...the malware was stopped dead in its tracks, other websites blocked, the malware deleted and damage to files and registry entries rolled back.

The moral...Malwarebytes is a great program but still better to utilize in combination with another top ranked anti-virus protection.  And any beware suspect programs run through total virus...when they are packed...the viruses cannot be detected until executed.

 

Link to post
Share on other sites

  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

Spoiler

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  1. Download Malwarebytes Support Tool
  2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
  3. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  4. Place a checkmark next to Accept License Agreement and click Next
  5. You will be presented with a page stating, "Get Started!"
  6. Click the Advanced tab
    Repair menu_arrows.png
     
  7. Click the Gather Logs button
    Advanced_arrows.png
     
  8. A progress bar will appear and the program will proceed with getting logs from your computer
    Advanced Gather Logs_arrows.png
     
  9. Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Advanced Gather Logs completed_arrows.png
     
  10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:
     notify me.jpeg  

Click "Reveal Hidden Contents" below for details on how to attach a file:
 

Spoiler

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

mb_attach.jpg.220985d559e943927cbe3c078b
 

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Link to post
Share on other sites

Greetings,

You wouldn't happen to have a link to the exact copy you downloaded or at least a link to the VirusTotal scan results handy would you?  I'd really like to pass it on to the Research team for analysis (and to inspect it myself as I'm also curious to see what nasties they've packed into it; which are most likely PUPs (adware etc.) as you suspect, as that's most often what we see with such modified/bundled installers).

Link to post
Share on other sites

@exile360 I went and download the one from the main site and my Symantec Endpoint protection alerted and cleaned the exe file

http://download.imgburn.com/SetupImgBurn_2.5.8.0.exe

VirusTotal Results:
https://www.virustotal.com/#/file/d7dea2819edc77bc44db637cd324e61942b54930cb3034f8f1a417b7dd27b514/detection

 

detection.jpg

Edited by Firefox
Link to post
Share on other sites

Wow, that is quite a few detections and based on the vendor names being used by most of the AVs that hit it, it does indeed appear to be a typical bundled installer with PUPs onboard/a downloader/installer for PUPs (not actual malware, but most likely not stuff that you want on your computer; i.e. probably some kind of adware or junk/useless software that tries to convince you to purchase it etc.).

@Firefox would you pass this info on to the Research team or would you like me to do so?

Link to post
Share on other sites

Just for what it is worth, these imgburn download websites are all over the place..and i noticed the downloads are sometimes larger..sometimes smaller, depending on the website offering the download...the larger ones containing more malware.  I have read the cleanest down load is on majorgeeks...but there is some sort of malware even in its download.

I leave it to you guys to decide if the many sites with this program should be flagged or not.....but its pretty bad when you can download a packed program that malwarebytes and antiviruses do not detect until you start installing and unpacking....and then find yourself possibly infested with all sorts of malware.  I didn't even know malware in packed files was impervious to detection until I read about it after my near death experience :-)

Link to post
Share on other sites

Well, true 'packed malware' isn't really the same thing as a bundled installer (which is likely what these Imgburn installers are).  When you hear the term 'packer' or 'malicious packer' etc. in technical/threat research discussions, what they're referring to is actually a specific type of compression and encryption used for obfuscating code to prevent analysis (i.e. scanning etc.) of the file's contents.

In the case of these installers, it's probably just that they're using some off-the-shelf installer package technology which isn't typically scanned by most AV/AM vendors so the bad components aren't seen directly until the installer extracts them to a temporary location in preparation for installing them (something I've seen happen often, and in fact have had Malwarebytes detect/block/quarantine such components during the install of an otherwise good/safe program, leaving me with only the program I intended to install on my system in the end).

In this case, it sounds like some of these aren't just bundling stuff directly into the package, but may also be downloading additional components to try and install them (hence the web blocks from Malwarebytes).

With all of that said, nothing stops Malwarebytes or the AV vendors from detecting these installation packages directly.  It's just a matter of the Research team acquiring samples and analyzing them then generating signatures to target them, assuming they are deemed to be PUP or malicious.

Edited by exile360
Link to post
Share on other sites

Digmorcrusher....it depends which site you download it from.  Some of the sites load it up with malware...I think the cleanest sites is the majorgeeks site.

 

Ghost....my malwarebytes blocked the backdoors.....so that no additional software could be downloaded to the computer....what Kaspersky did was to stop the malware in its tracks while it was starting to make changes to my registry entries, etc., eliminated the malware and rolled back all of the changes....so they worked in Unison.  Of course if I didn't have malwarebytes, perhaps kaspersky would have blocked the backdoors itself.  But I am not willing to experiment and find out :-)

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.