Located a Conficker Site

  • Thread starter: K.M.Kirby
This site may have been taken down now.


Although the original site would have had you download the original
"setup.exe" file, the above URL offers a larger and older piece of
"setup__.exe" malware.


Hello VG:

Through manual submission, to as many sites as I'm aware of, you'd find
that 18+ vendors flag the 88,075 byte setup.exe file as malware now.

Surprisingly, some of the biggest names in the business had to be urged
to re-examine the setup.exe file based on increasing positives by their
competitors. Then, even when other big name antimalware vendors flag
the 88K file, the other end of the pipeline is slow in getting to the
released signature files.

Speculation leads me to believe that workload, no weekend staff, poor
skills, and probably a dozen other reasons lead to what we're seeing.

However, they do lead one to the conclusion that if the public doesn't
submit the suspected malware, we aren't going to have the needed
protection till we do.

Pete

Now take a look at the latest analysis. Only through resubmissions was
the malware count as high as it is now. Also note who are those whose
assessment & re-assessments failed to recognize the MS AntiSpyware 2009
as a threat. I wonder whether their criteria are too restrictive, whether
it's procedural shortcomings, or a combination of several other factors?
This wasn't a very good result.

Pity.

Pete
 
27 / 40

http://www.virustotal.com/analisis/1752a7e81697cc2796b0d90ac39227ec

Those that don't detect it include:

- Nod32
- Symantec
- TrendMicro

Hello VG:

Yes - and I'm getting 30 / 40 with:

<https://www.virustotal.com/analisis/d8187b77416d1521598569d145f66c40>

...and BitDefender, and ClamAV. I wish I had an inkling this was going
to happen and I would have kept better records of my attempts to
convince those vendors who didn't pickup on what the others found.
Maybe if we were to file another round of follow-up submissions we would
gain another few.

It was one thing when the first round of submissions received only a few
hits. Back then, it was a relatively new variant. Even so, an effective
scanning engine might have picked up on this. Perhaps the management
has told the contractors & programmers to keep the embarrassing false
positives down and try to be a little bit better than the competition.

However, with /my/ second round of submissions, the antimalware vendors
were further assisted with 1) "Your competitors see it as a positive for
a Rogue" /and/ 2) This *will* install a "MS AntiSpyware 2009" source.

Then, this is a bit sad. Only a few of the big names were there with
the correct diagnosis at the beginning. Only a few more picked it up
with our first submission efforts. Only another handful picked it up
when the facts were made much more clearly. We shouldn't need to be
this diligent.

On the one hand, if I were submitting that 88,075 KB setup.exe file now
and saw the 75% positive return, personally I wouldn't need any more
convincing that this was malware. However, it's chilling to think that
an average consumer might come to these newsgroups with a familiar
refrain: "My son is running all the good stuff you folks told me to have
him run and they don't report any problem!" "Yet, I know his computer
is infected because he sees this persistent popup nagging him to fix
hundreds of infections!" "You guys told me to lose his ISP's free
antimalware suite and get the best of the individual antimalware
applications!"

Of course the more paranoid of us will say that if the consumer had run
multiple, non-interfering, overlapping protection, that this would be
much less likely to happen, and mathematically they would be right. But
the average consumer is even less likely to do this.

Oh well...

Pete
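Pete's method above is procedural: freeze one sample, submit it, resubmit it, and watch the hit ratio move. As an added example that is not part of this thread (and not code from VirusTotal or any vendor), here is a small Python script that does the bookkeeping he says he wishes he had kept: it computes the detection ratio a scan shows, lists the engines that still call the file clean, and diffs two scans of the same file to show which vendors a resubmission round gained. The reports, the ten-engine panel and the detection labels are constructed for illustration; the sample bytes are a harmless stand-in, not the real setup.exe. The hash helper records MD5 alongside SHA-1 and SHA-256 because the VT links quoted in the thread are keyed by a 32-hex-digit value, which is the MD5 form.

```python
"""Track a sample's detection ratio across VirusTotal-style resubmissions.

Added example, not part of the original thread. All report data is constructed.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

# A report maps engine name -> detection label, or None when the engine
# reported the file clean.
Report = Dict[str, Optional[str]]

# Constructed first scan: engine names echo vendors mentioned in the thread,
# but the panel size, labels and outcomes are made up for this example.
ROUND_ONE: Report = {
    "Avira": "TR/FraudPack.Gen",
    "McAfee": "FakeAlert-AB",
    "Kaspersky": None,
    "BitDefender": None,
    "ClamAV": None,
    "Nod32": None,
    "Symantec": None,
    "TrendMicro": None,
    "Microsoft": None,
    "Sophos": None,
}

# Constructed second scan of the same file after a round of manual submissions.
ROUND_TWO: Report = {
    "Avira": "TR/FraudPack.Gen",
    "McAfee": "FakeAlert-AB",
    "Kaspersky": "not-a-virus:FraudTool.Win32.MSAntiSpyware2009",
    "BitDefender": "Trojan.FakeAlert.AMN",
    "ClamAV": "Trojan.FakeAV-12",
    "Nod32": None,
    "Symantec": None,
    "TrendMicro": None,
    "Microsoft": "Rogue:Win32/FakeSecSen",
    "Sophos": "Mal/FakeAV-AB",
}

# Constructed stand-in for the downloaded installer: an MZ/PE header stub
# followed by text. It is not executable and not malware.
SAMPLE_BYTES = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"constructed stand-in"


def detection_ratio(report: Report) -> Tuple[int, int]:
    """Return (detections, engines), the pair rendered on VT as e.g. '27 / 40'."""
    hits = sum(1 for label in report.values() if label)
    return hits, len(report)


def format_ratio(report: Report) -> str:
    """Render the ratio the way the thread quotes it, e.g. '30/40'."""
    hits, total = detection_ratio(report)
    return f"{hits}/{total}"


def non_detecting(report: Report) -> List[str]:
    """Engines that called the file clean, sorted by name."""
    return sorted(name for name, label in report.items() if not label)


def resubmission_delta(before: Report, after: Report) -> Dict[str, List[str]]:
    """Diff two scans of one file: who was gained, who was lost, who still misses it."""
    gained = sorted(n for n in after if after.get(n) and not before.get(n))
    lost = sorted(n for n in before if before.get(n) and not after.get(n))
    still_missing = sorted(
        n for n in after if not after.get(n) and not before.get(n)
    )
    return {"gained": gained, "lost": lost, "still_missing": still_missing}


def sample_hashes(data: bytes) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of the sample so it can be matched whichever
    hash a scanner or vendor reports back (the thread's VT links use MD5)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


if __name__ == "__main__":
    print("round one:", format_ratio(ROUND_ONE), "clean per:", non_detecting(ROUND_ONE))
    print("round two:", format_ratio(ROUND_TWO), "clean per:", non_detecting(ROUND_TWO))
    print("resubmission delta:", resubmission_delta(ROUND_ONE, ROUND_TWO))
    print("sample hashes:", sample_hashes(SAMPLE_BYTES))
```

Keeping the per-round report and the three hashes together is what makes a later "you flagged it, your competitor flagged it" follow-up submission defensible: the hashes tie every scan back to the same frozen file, and the delta shows exactly which vendors each round moved.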
 

Already morphed...
It is now "vsm_free_setup.exe"; this has been running rampant on foxnews.com
for at least a month...
BTW, Symantec does catch these variants heuristically. Guess virustotal
doesn't run Symantec in heuristic mode...

-jen
 
jen said:
Is now "vsm_free_setup.exe" this has been running rampant on
foxnews.com for at least a month...

This was started on April 12. Here's an interesting post:

http://www.broadbandreports.com/forum/r22225362-foxnewscom-infected~time=1240194878

I found this included link interesting:

-----
Warning - This is a viral pdf file:

hxxp://78.47.132.222/a12/pdf.php?u=i_6_0
----

Even if you alter most of the above link, it will still feed you a pdf
file, but never the same one.

VT scan:

http://www.virustotal.com/analisis/143c818735e4e1a5c828399ae13755fe

VT score: 7/40

Kudos to McAfee (x2) and Symantec, and shame on everyone else.

Playing around with the above URL led that server to feed me a blank web
page containing this URL in an iframe:
 

Hello Jen:

Yes. I'm sure we know it would, and has morphed. However, VG and I
were *freezing* that one 88,075 KB setup.exe rogue installer and dealing
with it. VG's point in the beginning was his 4/40 hit ratio with the
initial submission to the legitimate & popular on-line scanning
services. (VT & so forth) Though VG might not have checked your
Symantec observation at the time, only one or so other big name
antimalware vendors saw this installer as a threat back then. (Avira)

My main point is that with persistent resubmission, the hit ratio is 75%
after a week. Also, I'm fearful that some less knowledgeable folks may
confuse Symantec products with Norton products and vice versa. I
haven't checked my own Symantec product here, but I think that
heuristics might be defaulted to off.

Thank you for your heuristic observation with Symantec.

Pete
 