Monday, December 8, 2008

AVID - Antivirus is Dead!

Late last night I was surfing some forums looking at interesting posts and I noticed one about an MD5 Cracker that utilized various Free Online Services.

Intrigued, I downloaded this utility. However, suspecting a virus or trojan of some kind, I first ran it through 37 anti-virus scanners via VirusTotal (Free Online Virus and Malware Scan). Nothing! Every scanner on the market gave it a clean chit, including every single heuristic feature these scanners boast.

Being as paranoid as I am, I finally ran this utility inside Sandboxie. A few seconds later, Comodo Firewall Pro came up with an alert: the utility was trying to connect to an FTP server. Instantly I ran Wireshark and sniffed the username/password credentials for the FTP server.

I put these details into FileZilla and in a few seconds I was connected to the server. The server was filled with log files from hundreds of users. The malware had dumped saved passwords from IE, Chrome, Firefox etc. and uploaded these log files to the server. After downloading a few of these files for deeper investigation, I deleted every file on the server to ensure that the compromised users would not have their information hijacked.

On further investigation of the log files, the virus seemed to be one from mutX.org. I was thoroughly disappointed that a known virus strain could evade every single anti-virus scanner on the market even though it had such obvious heuristic traits: dumping saved information from browsers and MSN Messenger, and uploading it to a rogue FTP server.
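As an added example (not code from the original post), here is the kind of behavioural check the paragraph above argues a scanner or sandbox should apply: it reads an FTP control-channel transcript as a sandbox or firewall log might record it and flags a cleartext login followed by file uploads. The transcript, the `C:`/`S:` line prefixes and the file names are constructed for illustration, not taken from the captured traffic.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of one FTP control-channel session, in an assumed log
# format: client commands prefixed "C:", server replies prefixed "S:".
SAMPLE_SESSION = """\
S: 220 FTP server ready
C: USER dropzone
S: 331 Password required
C: PASS hunter2
S: 230 Login successful
C: TYPE I
C: STOR logs/VICTIM-PC_passwords.txt
S: 150 Ok to send data
S: 226 Transfer complete
C: STOR logs/VICTIM-PC_msn.txt
S: 226 Transfer complete
C: QUIT
"""

# Commands that write data to the remote server (RFC 959 STOR/APPE/STOU).
UPLOAD_COMMANDS = {"STOR", "APPE", "STOU"}


@dataclass
class FtpFinding:
    user: Optional[str] = None
    cleartext_password: bool = False   # a PASS command was seen in the clear
    uploads: List[str] = field(default_factory=list)

    def is_suspicious(self) -> bool:
        # The exfiltration pattern described in the post: an unattended
        # process authenticates over cleartext FTP and then pushes files out.
        return self.cleartext_password and len(self.uploads) > 0


def analyse_ftp_session(transcript: str) -> FtpFinding:
    """Extract login and upload events from a logged FTP control session."""
    finding = FtpFinding()
    for line in transcript.splitlines():
        match = re.match(r"C:\s*([A-Za-z]+)(?:\s+(.*))?$", line)
        if not match:
            continue  # server replies and blank lines are not client commands
        command, argument = match.group(1).upper(), (match.group(2) or "").strip()
        if command == "USER":
            finding.user = argument
        elif command == "PASS":
            finding.cleartext_password = True  # record the fact, never the secret
        elif command in UPLOAD_COMMANDS:
            finding.uploads.append(argument)
    return finding
```

Run against a sandbox's network log, a finding with `is_suspicious()` true is the signal the firewall alert in this story gave the author, just produced automatically.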

This entire episode reminded me of a podcast I heard last week in which Robin Bloor was a guest discussing AVID (Antivirus is Dead). After this particular incident, I couldn't agree more with Robin. If this particular incident had targeted an organization as opposed to some security forums, it could have caused massive damage and probable financial loss to those organizations.

I have always been a fan of layering security, and in this particular instance layering Avira AntiVir, Comodo Firewall Pro, Sandboxie etc. together really paid off.

3 comments:

Anonymous said...

Though admittedly I can't understand half of what you wrote, I got the gist of it. Yeah, when it comes to security, one solitary AV -- be it any of renowned names -- has often been found wanting against the tougher nuts.

Unknown said...

I do agree in parts, as one of my website blogs had also been affected with Conficker, but most of the online scanners passed it, though one video was always hitting the screen... like a bomb ticker... Antivirus is updated only when a new virus is there; antivirus never comes before the virus, the virus comes before the antivirus.
We shouldn't forget that..

Unknown said...

This technical post helps me to improve my skill set, thanks for this wonderful article. I expect your upcoming blog, so keep sharing.
Regards,
Informatica training in chennai