
Can Spyware.Banker latch onto innocent files?


lingyai


About a month ago I got a new laptop. I installed MBAM (of course) and among other things, an audio editing / fx program called Acid Pro 7, made by Sony. It is legally purchased, not cracked. It came bundled with some FX plugins which make audio sound as though it is being played through a guitar amplifier. It is made by a reputable company called Native Instruments.

Anyway, I have updated MBAM and run full scans a number of times since then, and made no changes to Acid or the plugins. Each time MBAM said I was clean until today, when it said it found 9 infections. All were id'd as being Spyware.Banker, infecting files relating to this FX plugin.

I read about Spyware.Banker on this forum and quarantined / deleted all 9 files at MBAM's suggestion. Having said that ...

a) how is this possible, that MBAM could miss these infections several times previously, and then detect them now, when I've made no change to these files?

b) I am reasonably confident that Native Instruments is a legit vendor -- they are well-established / regarded in their niche. I doubt they would distribute malware. Is it possible the spyware latched onto the FX files somehow?

c) Is it safe to reinstall the plug-in from the installation CD?

Here is the MBAM log:

===================================

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5773

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

16/02/2011 16:09:50

mbam-log-2011-02-16 (16-09-50).txt

Scan type: Full scan (C:\|)

Objects scanned: 241909

Time elapsed: 31 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\program files\common files\digidesign\DAE\Plug-Ins\acboxcombo.dpm (Spyware.Banker) -> Quarantined and deleted successfully.

c:\program files\common files\digidesign\DAE\Plug-Ins\plexicombo.dpm (Spyware.Banker) -> Quarantined and deleted successfully.

c:\program files\common files\digidesign\DAE\Plug-Ins\twangcombo.dpm (Spyware.Banker) -> Quarantined and deleted successfully.

c:\program files\vstplugins\acboxcombo.dll (Spyware.Banker) -> Quarantined and deleted successfully.

c:\program files\vstplugins\plexicombo.dll (Spyware.Banker) -> Quarantined and deleted successfully.

c:\program files\vstplugins\twangcombo.dll (Spyware.Banker) -> Quarantined and deleted successfully.

c:\program files\native instruments\guitar combos\ac box combo\acboxcombo.exe (Spyware.Banker) -> Quarantined and deleted successfully.

c:\program files\native instruments\guitar combos\plexi combo\plexicombo.exe (Spyware.Banker) -> Quarantined and deleted successfully.

c:\program files\native instruments\guitar combos\twang combo\twangcombo.exe (Spyware.Banker) -> Quarantined and deleted successfully.

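An added example, not Malwarebytes code and not something posted in this thread: a small Python parser for the MBAM 1.50 log layout shown above. It checks that the summary counts agree with the items actually listed and flags a batch of hits that share a single signature name and sit inside a vendor's install tree (the same component stem appearing as .dll/.dpm/.exe in several locations, as in the log above) as a candidate for false-positive review before anything is restored or re-installed. The log text inside is constructed to mirror the posted log, and the "installed product" heuristic is an assumption of this example, not a Malwarebytes rule. Windows paths are handled with `ntpath` so the script also runs on a non-Windows analysis host.

```python
"""Parse a Malwarebytes' Anti-Malware 1.50-style scan log and triage it.

Added example: not Malwarebytes code. The sample log is constructed to
mirror the layout of the log posted in the thread.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5773
Windows 6.1.7600

16/02/2011 16:09:50
mbam-log-2011-02-16 (16-09-50).txt

Scan type: Full scan (C:\|)
Objects scanned: 241909
Time elapsed: 31 minute(s), 44 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Files Infected:
c:\program files\vstplugins\acboxcombo.dll (Spyware.Banker) -> Quarantined and deleted successfully.
c:\program files\vstplugins\plexicombo.dll (Spyware.Banker) -> Quarantined and deleted successfully.
c:\program files\vstplugins\twangcombo.dll (Spyware.Banker) -> Quarantined and deleted successfully.
c:\program files\native instruments\guitar combos\ac box combo\acboxcombo.exe (Spyware.Banker) -> Quarantined and deleted successfully.
c:\program files\native instruments\guitar combos\plexi combo\plexicombo.exe (Spyware.Banker) -> Quarantined and deleted successfully.
c:\program files\native instruments\guitar combos\twang combo\twangcombo.exe (Spyware.Banker) -> Quarantined and deleted successfully.
"""

# "Key: value" header and summary lines ("Database version: 5773", "Files Infected: 6").
KV_RE = re.compile(r"^(?P<key>[A-Za-z' ]+?): (?P<value>.+)$")
# One detection line: <path> (<signature>) -> <action>.
# The path group is greedy so a directory like "program files (x86)" cannot be
# mistaken for the signature; the signature is anchored by the trailing " -> ".
DETECTION_RE = re.compile(r"^(?P<path>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
NO_ITEMS = "(No malicious items detected)"


def parse_mbam_log(text):
    """Return {'header': {...}, 'summary': {category: int}, 'detections': {category: [...]}}."""
    header, summary, detections = {}, {}, defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):              # "Files Infected:" opens a detail section
            section = line[:-1]
            detections.setdefault(section, [])
            continue
        if section is not None:             # inside a detail section
            if line == NO_ITEMS:
                continue
            m = DETECTION_RE.match(line)
            if not m:
                raise ValueError(f"unparsed detection line: {line!r}")
            detections[section].append(m.groupdict())
            continue
        m = KV_RE.match(line)               # still in the header / summary block
        if m:
            key, value = m.group("key"), m.group("value")
            if key.endswith("Infected") and value.isdigit():
                summary[key] = int(value)
            else:
                header[key] = value
    return {"header": header, "summary": summary, "detections": dict(detections)}


def summary_matches_details(parsed):
    """Categories whose summary count disagrees with the items listed: {cat: (claimed, listed)}."""
    mismatches = {}
    for key, claimed in parsed["summary"].items():
        listed = len(parsed["detections"].get(key, []))
        if listed != claimed:
            mismatches[key] = (claimed, listed)
    return mismatches


def component_stem(path):
    """'...\\acboxcombo.dll' -> 'acboxcombo'; ntpath so backslash paths work on any host."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def group_by_component(items):
    groups = defaultdict(list)
    for it in items:
        groups[component_stem(it["path"])].append(it["path"])
    return dict(groups)


def installed_product_pattern(items):
    """Heuristic (an assumption of this example, not a Malwarebytes rule): one
    signature name, every hit under a Program Files tree, and every component
    stem present in at least two install locations. That shape looks like a
    vendor's shipped files rather than a dropped payload, so hold the batch
    for false-positive review instead of treating it as confirmed."""
    if not items:
        return False
    one_signature = len({it["name"] for it in items}) == 1
    under_program_files = all("\\program files" in it["path"].lower() for it in items)
    dirs_per_component = {
        stem: {ntpath.dirname(p.lower()) for p in paths}
        for stem, paths in group_by_component(items).items()
    }
    spread = all(len(dirs) >= 2 for dirs in dirs_per_component.values())
    return one_signature and under_program_files and spread


def triage(parsed, section="Files Infected"):
    items = parsed["detections"].get(section, [])
    return {
        "count": len(items),
        "signatures": sorted({it["name"] for it in items}),
        "components": group_by_component(items),
        "summary_mismatch": summary_matches_details(parsed),
        "hold_for_fp_review": installed_product_pattern(items),
    }


if __name__ == "__main__":
    for key, value in triage(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

A `hold_for_fp_review` of True is a reason to keep the files in quarantine and ask the vendor (or submit the samples to the scanner vendor) rather than an all-clear; a summary/detail mismatch means the log was truncated or edited and should not be relied on at all.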

Thanks both of you for your responses.

-- This might not be a f/p after all.. Meanwhile I've found a claim of a discovered vulnerability in my Native Instruments product as well as others:

(from http://www.securityfocus.com/bid/44989 )

"Native Instruments Multiple Products DLL Loading Arbitrary Code Execution Vulnerability

Multiple products from Native Instruments are prone to multiple vulnerabilities that let attackers execute arbitrary code.

An attacker can exploit these issues by enticing a legitimate user to use a vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.

The issues affect the following:

Guitar Rig 4 Player 4.1.1

KONTAKT 4 PLAYER 4.1.3.4125

Service Center 2.2.5

REAKTOR 5 PLAYER 5.5.1.10584"

No patch or other solution was known when this was posted in late November 2010. I found no mention of this on the Native Instruments site. I have posted about it on the forum to see if other users have encountered it.

-- I did install the MBAM update you mentioned, and ran a full scan, which found nothing malicious. Having said that, as I'd already quarantined them at the end of the previous run which detected them, I would be surprised if they'd appear again, at least so soon.

-- I can take them out of quarantine as you suggest, but in light of the claimed vulnerability mentioned above, is that safe?

regards

Ken


Yeah, reading the post it seems it's an in-person attack from a network share. So it should be safe to restore if you need to use it.

Restore them anyway for the time being first and re run the scan to make sure we don't hit them.

Ok, I can do this tonight after work, and will let you know. Though I'll point out that this PC has never been networked.


Just scan them with Malwarebytes and make sure they are no longer detected. It should be fixed.

I scanned them with DB version 5785. No malicious items found. I reckon this means that earlier I got a false positive. Can you please confirm this? I've raised a semi-alarm on some music forums, and so want to give the all-clear now (assuming that's warranted).
