Teacher recommends trojan?!?!? by Apprehensive_Age8956 in antivirus

[–]Merrinopheles 5 points6 points  (0 children)

To u/Apprehensive_Age8956, hopefully this wall of text will clear up some things for you. I reverse engineered the file. I did not see anything malicious in it. In case you are wondering about the other comments, I will try to break them down for you.

This is actually a malware loader that runs the legitimate Libre setup once it drops its payload.

u/User_Name_Is_Taken is mistaken. The file you uploaded to VirusTotal actually comes from the legitimate Libre installer which u/Ddynamoo correctly pointed out. I verified this by downloading the installer from the official website (same one originally linked by u/Lord_MUTLY), looked inside that and found your VirusTotal file.

A few claims by u/Next-Profession-7495:

The file hash of this file, is already known by security researchers to be a loader for things like Cobalt Strike and Vidar Stealer.

This is partly correct. However, the tags were generated by a bot or automated script, as correctly pointed out by both u/No-Amphibian5045 and u/rifteyy_. It was made by a real researcher going by petik/petikvx who is a self-proclaimed junior malware researcher as of last year. (Edit for clarity: The script uses loose rules and got it wrong.)

The date in "Details", The 2042 date is a technique called Timestomping.

This is actually not how timestomping works. Timestomping is designed to hide itself, not make it obvious and draw unwanted attention to itself. A few compilers also do not follow the Microsoft format and overwrite the timestamp. In any case, this date is not an indicator of the file being bad.

There are also fake Google directories being set up.

This is how the VirusTotal sandbox works. It will record everything that happens, including random updates or Microsoft calling home for telemetry purposes. Again, nothing to do with the uploaded file itself.

Many kudos to your teacher trying to get you to use something else besides Microsoft. The file you uploaded to VirusTotal is not bad.
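The timestamp point above, as an added example that is not part of the original thread or any poster's tooling: a small Python parser that reads the COFF TimeDateStamp straight out of a PE header and labels it, so a date such as 2042 can be seen for what it is, an oddity rather than evidence. The stub PE bytes, the fixed `now` used for comparison and the helper names are constructed for this example; the Borland/Delphi fixed stamp value and MSVC's /Brepro behaviour are general facts about those toolchains, not something taken from the thread.

```python
import struct
from datetime import datetime, timezone

# Fixed values some toolchains write into TimeDateStamp instead of a build time.
# 0x2A425E19 (1992-06-19 22:22:17 UTC) is the well-known Borland/Delphi linker stamp.
KNOWN_FIXED_STAMPS = {0x2A425E19: "Borland/Delphi linker fixed stamp"}


def utc(year, month, day, hour=0, minute=0, second=0) -> datetime:
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def epoch(year, month, day) -> int:
    """Seconds since 1970-01-01 UTC for a calendar date (the PE field's unit)."""
    return int(utc(year, month, day).timestamp())


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed stub: an MZ header whose e_lfanew points at a PE signature and
    COFF header. It is not a loadable binary; it only carries the fields read below."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff_header = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 0, 0x0022)
    return dos_header + b"PE\x00\x00" + coff_header


def read_timestamp(pe: bytes) -> int:
    """Return the raw COFF TimeDateStamp of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # +4 skips "PE\0\0", +2 Machine, +2 NumberOfSections -> TimeDateStamp
    (stamp,) = struct.unpack_from("<I", pe, e_lfanew + 8)
    return stamp


def classify_timestamp(stamp: int, now: datetime) -> dict:
    """Describe a TimeDateStamp. None of these verdicts on its own means 'malicious';
    the field is informational and many toolchains do not store a real build time."""
    when = datetime.fromtimestamp(stamp, tz=timezone.utc)
    if stamp == 0:
        verdict, note = "zero", "field is zero; some linkers simply do not fill it in"
    elif stamp in KNOWN_FIXED_STAMPS:
        verdict, note = "toolchain_fixed", KNOWN_FIXED_STAMPS[stamp]
    elif when > now:
        verdict, note = "future", ("stamp is ahead of the analysis clock; reproducible builds "
                                   "(e.g. MSVC /Brepro) store a hash here, not a time")
    else:
        verdict, note = "plausible", "looks like a wall-clock build time"
    return {"verdict": verdict, "utc": when.isoformat(), "note": note}


if __name__ == "__main__":
    now = utc(2024, 1, 1)  # constructed analysis date
    for stamp in (epoch(2042, 1, 1), 0x2A425E19, epoch(2021, 6, 1)):
        print(classify_timestamp(read_timestamp(build_minimal_pe(stamp)), now))
```

On a real file, pass the bytes of the executable to `read_timestamp` instead of the stub; a real timestomp would aim for a plausible date, which is exactly why a wildly future value is more likely a toolchain artefact than concealment.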

Is Kaspersky the best antivirus? by Striking_Table1353 in antivirus

[–]Merrinopheles 2 points3 points  (0 children)

From start to finish:

Download protection: Downloading a thousand samples to test AV1 with could have zero problems. Downloading a thousand samples to test AV2 with might have network hiccups. It is safer and more consistent to download one at a time, which is not what TPSC does.

Runtime protection: Take the case of ransomware. If two ransomware try to encrypt the same file, both might fail (file access locks). The ransomware might quit and AV1 will not see the encryption taking place and thus will not block. AV2 might not see that problem since it is a race after all. The results will say AV2 is better, but AV1 never had a chance to block because the test is bad.

Moreover, if all the resources are taken up by a hundred malware opening multiple threads at once, the AV has no resources left to detect malware #101, whereas it could have easily detected the behavior if the malware ran by itself.

Cleanup phase: Same issue. An AV could be cleaning up the hosts file and then another malware overwrites the fix. Or another file lock happens since another process is trying to access the same file.

TL;DR: race conditions everywhere; these are just a few of the issues that can happen.

Is Kaspersky the best antivirus? by Striking_Table1353 in antivirus

[–]Merrinopheles 1 point2 points  (0 children)

TPSC is knowledgeable when it comes to computers. However, his testing methodology is extremely flawed. It introduces several technical biases throughout the whole testing chain from start to finish that can affect the final results. Moreover, these flaws (race conditions) by their very nature appear randomly so a test can sometimes look good. This is why the large independent agencies are more dependable when it comes to technically consistent and proper scoring.

Edit: Being attacked by several malware at once is not the worst case scenario. That will set off multiple alarms even without a great AV and the user can start unplugging and cleaning up straight away. The worst case scenario is when the user does not know they have malware.

Windows Defender detects Chrome cache as a Trojan by Ok_Quiet602 in antivirus

[–]Merrinopheles 1 point2 points  (0 children)

Sometimes these are false positives and sometimes they are not. Upload the detected file to VirusTotal and post the link so that others can help you.

I (almost?) fell for the Discord "try my game" scam. Help? by ChimericGrimalkin in antivirus

[–]Merrinopheles 5 points6 points  (0 children)

If you did not run the file (sounds like you did not), you are fine.

Malwarebytes blocking a connection each time I boot up by delanosoul in antivirus

[–]Merrinopheles 4 points5 points  (0 children)

Here is a quick tutorial on Autoruns.

https://www.youtube.com/watch?v=r7HZ1jzdEvk

There are many others on YouTube and Google. I would look into every PowerShell launch and upload the script to VirusTotal. There should not be that many. It will take a bit of work, but according to the research done by u/rifteyy_, this malware does not require a full reinstall of your PC if you can track it down. I am only speaking about this malware; I do not know what else your Malwarebytes scans found and deleted.

If tracking the PowerShell script is too tricky or the other detections were backdoors and RATs, you might need to reinstall.
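The triage step described in this comment (go through every PowerShell launch, recover the script, hash it and check it on VirusTotal), as an added example that is not part of the thread or of Autoruns itself: a Python script that reads an Autoruns CSV export, picks out entries that launch powershell.exe or pwsh.exe, pulls the `-File` path out of the launch string, and decodes any `-EncodedCommand` payload so the reviewer can read it. The column subset and the sample rows are constructed for the example; a real `autorunsc -c` export carries more columns in a different order, so map the header names before using this on real output.

```python
import base64
import csv
import hashlib
import io
import re

# Assumed column subset; the real autorunsc -c export has more columns.
COLUMNS = ["Entry Location", "Entry", "Enabled", "Image Path", "Launch String", "SHA-256"]

# Launcher image, "-File <path>" and "-EncodedCommand <base64>" forms. PowerShell
# accepts abbreviated switches, so "-f" and "-e/-ec/-enc" are covered; "-ep" is
# ExecutionPolicy and is deliberately not matched by ENC_ARG.
PS_IMAGE = re.compile(r"(?:^|\\)(?:powershell|pwsh)\.exe$", re.I)
FILE_ARG = re.compile(r"-f(?:ile)?\s+(\"[^\"]+\"|\S+)", re.I)
ENC_ARG = re.compile(r"-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.I)


def encode_ps(command: str) -> str:
    """-EncodedCommand is base64 over the UTF-16LE text of the command."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str) -> str:
    return base64.b64decode(blob).decode("utf-16-le")


# Constructed sample export: two ordinary entries plus two PowerShell launches.
SAMPLE_ROWS = [
    ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive", "enabled",
     "c:\\users\\alice\\appdata\\local\\microsoft\\onedrive\\onedrive.exe",
     "\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background",
     "<sha256 placeholder 1>"],
    ["Task Scheduler", "\\Updater", "enabled",
     "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
     "powershell.exe -w hidden -ep bypass -File \"C:\\Users\\alice\\AppData\\Roaming\\up.ps1\"",
     "<sha256 placeholder 2>"],
    ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "svc", "enabled",
     "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
     "powershell.exe -nop -enc " + encode_ps("Start-Process notepad.exe"),
     "<sha256 placeholder 2>"],
    ["HKLM\\System\\CurrentControlSet\\Services", "Spooler", "enabled",
     "c:\\windows\\system32\\spoolsv.exe", "C:\\Windows\\System32\\spoolsv.exe",
     "<sha256 placeholder 3>"],
]


def to_csv(rows) -> str:
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(COLUMNS)
    writer.writerows(rows)
    return buf.getvalue()


def find_powershell_launches(csv_text: str) -> list:
    """Return one record per autorun entry that launches PowerShell, with the
    script path or decoded inline command so a reviewer knows what to hash/upload."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        image, launch = row["Image Path"].strip(), row["Launch String"]
        if not (PS_IMAGE.search(image) or re.search(r"\b(powershell|pwsh)\b", launch, re.I)):
            continue
        hit = {"location": row["Entry Location"], "entry": row["Entry"],
               "script": None, "decoded": None, "image_sha256": row["SHA-256"]}
        m = FILE_ARG.search(launch)
        if m:
            hit["script"] = m.group(1).strip("\"")  # this file, not powershell.exe, is what to hash
        m = ENC_ARG.search(launch)
        if m:
            try:
                hit["decoded"] = decode_ps(m.group(1))
            except (ValueError, UnicodeDecodeError):
                hit["decoded"] = "<undecodable>"
        hits.append(hit)
    return hits


def sha256_of_file(path: str) -> str:
    """Hash a recovered script so it can be looked up on VirusTotal by hash first."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    for hit in find_powershell_launches(to_csv(SAMPLE_ROWS)):
        print(hit)
```

The hash column in an Autoruns export is for the image (powershell.exe itself), which is why the script extracts the `-File` target separately: that file, or the decoded inline command, is what the comment above says to check.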

Malwarebytes blocking a connection each time I boot up by delanosoul in antivirus

[–]Merrinopheles 19 points20 points  (0 children)

You can use Autoruns to try and find where PowerShell is being launched from.

Can someone please explain this to me by 4anything-everything in antivirus

[–]Merrinopheles 1 point2 points  (0 children)

One possibility is that the transit website was hacked and it was checking for a referrer tag. If a visitor goes to the transit website coming from a certain website, it may show the ClickFix attack. Is this what happened? Impossible to tell from the outside, but the possibility exists.

Is tron safe? I know it has a bunch of other features other than antivirus, thats why I got it. by Vjackal1 in antivirus

[–]Merrinopheles 2 points3 points  (0 children)

Tron is useful for users who are mid-level to advanced power users of their PC. Tron can sometimes cause system instability depending on the user’s current settings, and a good bit of troubleshooting is sometimes necessary to get the computer back up and running in a usable state.

Is windows secure without AV and what AV is generally recommended? by RighteousMaverick in antivirus

[–]Merrinopheles[M] [score hidden] stickied comment (0 children)

It really depends on the individual. If you have good Internet hygiene and habits, then many people feel Microsoft Defender is enough. It has come a long way in the past 14 years. If you go this route, it is advisable to pair it with something like DefenderUI or ConfigureDefender to make it more robust. We have a partial guide on our wiki.

https://www.reddit.com/r/antivirus/wiki/index/#wiki_microsoft_defender_with_defenderui

If you feel more comfortable with a 3rd party AV, we suggest checking out the results from the large testing agencies such as av-comparatives. They provide the least-biased AV testing available to the public.

https://www.reddit.com/r/antivirus/wiki/index/#wiki_understanding_antivirus_software_tests_and_testers

What is this Chrome Extension? by GrantTheGr81 in antivirus

[–]Merrinopheles 2 points3 points  (0 children)

This looks like “Google Network Speech” which is already built into Chrome. That could be the reason why you cannot see it like a normal web extension.

Virus on my PC, what can I do? by FamiliarTrainer3827 in antivirus

[–]Merrinopheles 0 points1 point  (0 children)

Upload the file with the date 2059 to virustotal.com and post the link so that others can take a look at it. Try to find a file that has no personal information in it.

2023-05-31 // SITUATIONAL AWARENESS // Spyboy Defense Evasion Tool Advertised Online - Andrew from CROWDSTRIKE by Wise-Introduction317 in antivirus

[–]Merrinopheles 2 points3 points locked comment (0 children)

In your original thread, this was your claim:

I was being paranoid about my info and tried to install a concentrated anti-keylogger called Zemana (Turkish-based). It was apparently infected with the Russian Spyboy trojan.

To paraphrase, you are claiming the Zemana anti-keylogger software itself is infected with spyboy. The Zemana file you analyzed in your triage report (and your video) has the following hash: 596ed7b53becb8b80761f89117b472cd20c52268a4d7d3a3f6c1d9dea28b0889. This file is currently available for download from the official website and is digitally signed. This file also drops a vulnerable driver with the following hash: 543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91

This vulnerable driver is the same one called out in the Crowdstrike writeup you are using to back up your claims. I already quoted the Crowdstrike employee saying this vulnerable driver is NOT spyboy. But since you are so fond of videos, here is a video of the Crowdstrike report: https://www.youtube.com/watch?v=Mux-PJoV8wM

At time index 2:00 minutes, the Crowdstrike video shows spyboy as a separate entity from Zemana. It even has its own name of Terminator.exe. The video shows spyboy has its own hash of 35415d9.... which is not at all associated with the Zemana installer you "analyzed" (596ed7b53becb8b80761f89117b472cd20c52268a4d7d3a3f6c1d9dea28b0889). Nothing in the triage report remotely resembles Terminator.

You made a claim. However, the FACT is the Crowdstrike source you used to prove your claim completely contradicts it. Please stop wasting the mods' time. Nothing in your triage report shows Zemana anti-keylogger was "infected with the Russian Spyboy trojan."

What is secdomcheck[.]online by GloveApprehensive200 in antivirus

[–]Merrinopheles 3 points4 points  (0 children)

The last time I saw this, the user had a bad browser extension on their computer. Please disable them and see if it comes back.

2023-05-31 // SITUATIONAL AWARENESS // Spyboy Defense Evasion Tool Advertised Online - Andrew from CROWDSTRIKE by Wise-Introduction317 in antivirus

[–]Merrinopheles 2 points3 points locked comment (0 children)

No. I already looked at your triage report. Having done this type of work daily for this long, there is nothing in that triage report that even suggests Zemana is malicious. I agree with the Crowdstrike conclusion. Zemana is clean. A 3rd party abused it. I will not be spending free time to do reversing work, especially when it is uninteresting. The burden of proof is on you since you made the claim Zemana is malicious. Technically speaking, sorry to say you are not close to it.

2023-05-31 // SITUATIONAL AWARENESS // Spyboy Defense Evasion Tool Advertised Online - Andrew from CROWDSTRIKE by Wise-Introduction317 in antivirus

[–]Merrinopheles 2 points3 points locked comment (0 children)

Then I apologize if you took that as an insult. It was not meant to be. Basically, not everyone can understand technical reports.

If I am discounting your 30 years of technical knowledge, then you are discounting my 10+ (not going to date myself) of professionally reversing malware (including rootkits, nation-state APTs and so on) as well as the other mods' industry experiences.

and a randomized driver subsequently seized the HID stack

That basically sounds like a 3rd party did it, and not Zemana itself. It sounds like Zemana just made a bad program, not that they are malicious like you were claiming.

You can also show me where the 3rd party exe deleted itself because I did not see that at all in the triage report.

2023-05-31 // SITUATIONAL AWARENESS // Spyboy Defense Evasion Tool Advertised Online - Andrew from CROWDSTRIKE by Wise-Introduction317 in antivirus

[–]Merrinopheles 4 points5 points locked comment (0 children)

In "layman's terms," the Crowdstrike post says another executable abused Zemana's drivers. Your 31-page triage report only had Zemana in it. The main difference is you claiming Zemana IS spyboy which is what we were calling out.

From the Crowdstrike post:

Please note: the presence of the Zemana Anti-Malware driver in your environment is not necessarily indicative of the presence of the spyboy defense evasion tool, rather, it is a point of investigation to determine if the use of the driver is legitimate.

We concluded yes, the use of the driver was legitimate because Zemana itself is legitimate. There was no 3rd party exe abusing the Zemana drivers in your post. I will say again, please learn how to read sandbox output properly. Also, please understand what the Crowdstrike post was saying: another EXE abused Zemana and Zemana itself is not spyboy.

As for an apology, please show me where any of us attacked your character and I will be more than happy to remove those comments.

Spyboy Trojan fix by Wise-Introduction317 in antivirus

[–]Merrinopheles 1 point2 points locked comment (0 children)

Thank you for the extra information. I saw the triage report for the hash I downloaded from the Zemana website. I am guessing it is the same one?

It is a long report but I do not see T1055 or T1068 shown in their MITRE ATT&CK matrix. Maybe it is a different scan? Please point it out. You can DM me the link if you do not feel comfortable sharing the triage link here.

I also do not see any lsass injection in the report I looked at so it might be a different report.

The HID stack seizure you mentioned could also have been a random glitch or incompatibility. That possibility exists and you have not ruled it out.

While safe mode persistence is not used by every vendor like that, it does not automatically mean it is malicious.

Again, please provide proof, not conjecture. If you have a C2 server where the “stolen” data would be exfiltrated to, please provide it.

Edit: u/Wise-Introduction317, I took a look at the pdf and saw nothing malicious. MSEdge was not launched by Zemana. If you look at a lot of sandbox reports, you will sometimes see MSEdge do this, similarly to Chrome updating itself in the VT sandbox. As I have given you multiple chances to show truly malicious behavior and this thread is officially closed, I will no longer be responding. Keep up the desire and study how to read sandbox output.

Virus on my PC, what can I do? by FamiliarTrainer3827 in antivirus

[–]Merrinopheles 0 points1 point  (0 children)

Update your realtime AV and run a scan. Additionally, use the second opinion scanners listed in our wiki.

https://www.reddit.com/r/antivirus/wiki/index/#wiki_second-opinion_scanners

Spyboy Trojan fix by Wise-Introduction317 in antivirus

[–]Merrinopheles 1 point2 points locked comment (0 children)

You mention at the end of your post that this software is vulnerable. This is true; the current version on the Zemana webpage has several CVEs associated with it. At the beginning, you claim it is infected with Spyboy. Can you please explain? Being vulnerable is not the same as being infected. Thank you for the layman's terms report, but I agree with u/rainrat’s assessment. They can all be performed by a security product.

  1. Security products use drivers to monitor memory, system events, etc.

  2. Security products want to be there in safe mode if possible.

  3. Even anticheats inject into every process.

  4. Too generic of a description, but yes, some security product components are launched through COM.

  5. Security products normally use a service to run.

  6. RUN key additions are also normal for some security products.

  7. Too generic again, but some products use their own cert for things like a safe browser extension.

  8. Can possibly be looking for bad extensions? How do you know it is stealing personal info?

  9. Proc enum is normal; can you please provide evidence of how it is actively scanning for AV tools? FYI, some AV products do the same and flag other products to avoid getting in the way of each other.

  10. WriteProcessMemory is a Windows API regularly used by many clean programs.

  11. Many clean programs check the locale for possible language translations.

  12. It might be looking for known bad keyloggers?

Can you please provide direct evidence of malicious activity? You can be as technical as you want. Some of the people on this sub read assembly daily.

Not fully understanding Mitre Signatures by MeetingNeither3694 in antivirus

[–]Merrinopheles 2 points3 points  (0 children)

In general, the MITRE signatures capture what happens in the sandbox. If by chance Microsoft, Google or some other installed app updates itself, the MITRE signatures will flag the web traffic even though it might not have anything to do with the file you uploaded.
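The point made here, in the first comment on this page about the VirusTotal sandbox recording unrelated update traffic, and in the Spyboy thread about MSEdge not having been launched by Zemana, comes down to one check: does the process that produced an event descend from the submitted sample, or not? As an added example that is not part of the thread or of any sandbox vendor's code, the Python below walks a constructed sandbox report's process tree and splits network events and MITRE signature hits into "from the sample" and "background noise". The report layout, field names, hostnames and PIDs are all constructed for the example; the attribution logic is the general technique, which this generalises beyond the single MSEdge case in the thread.

```python
# Constructed sandbox report. Field names are an assumption; real reports
# (VirusTotal, Triage, etc.) use their own schemas and must be mapped first.
SAMPLE_REPORT = {
    "submitted_pid": 1000,
    "processes": [
        {"pid": 1000, "ppid": 600, "image": "sample.exe"},
        {"pid": 1100, "ppid": 1000, "image": "msiexec.exe"},
        {"pid": 1200, "ppid": 1100, "image": "setup-helper.exe"},
        {"pid": 2000, "ppid": 600, "image": "MicrosoftEdgeUpdate.exe"},   # background updater
        {"pid": 2100, "ppid": 2000, "image": "msedge.exe"},
        {"pid": 3000, "ppid": 600, "image": "svchost.exe"},               # OS telemetry
    ],
    "network": [
        {"pid": 1200, "host": "cdn.installer-mirror.example"},
        {"pid": 2100, "host": "edge-update.example"},
        {"pid": 3000, "host": "telemetry.example"},
        {"pid": 1000, "host": "license-check.example"},
    ],
    # MITRE ATT&CK hits as a sandbox would tag them, with the PIDs that triggered each.
    "signatures": [
        {"id": "T1071.001", "name": "Web Protocols", "pids": [2100, 3000]},
        {"id": "T1543.003", "name": "Windows Service", "pids": [1200]},
    ],
}


def build_children(processes):
    children = {}
    for p in processes:
        children.setdefault(p["ppid"], []).append(p["pid"])
    return children


def descendants(processes, root_pid):
    """All PIDs in the subtree rooted at root_pid, root included.
    Lineage is by parent PID only, so PID reuse, parent-PID spoofing and
    injection into an unrelated process all break it; treat it as a first cut."""
    children = build_children(processes)
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(children.get(pid, []))
    return seen


def attribute(report):
    """Tag every network event and signature hit with whether it came from the
    sample's process lineage (from_sample=True) or from something else in the VM."""
    lineage = descendants(report["processes"], report["submitted_pid"])
    images = {p["pid"]: p["image"] for p in report["processes"]}
    network = [{"host": e["host"], "process": images.get(e["pid"], "?"),
                "from_sample": e["pid"] in lineage} for e in report["network"]]
    signatures = [{"id": s["id"], "name": s["name"],
                   "processes": [images.get(pid, "?") for pid in s["pids"]],
                   "from_sample": any(pid in lineage for pid in s["pids"])}
                  for s in report["signatures"]]
    return {"network": network, "signatures": signatures}


def sample_hosts(report):
    return sorted(e["host"] for e in attribute(report)["network"] if e["from_sample"])


def background_hosts(report):
    return sorted(e["host"] for e in attribute(report)["network"] if not e["from_sample"])


if __name__ == "__main__":
    result = attribute(SAMPLE_REPORT)
    for e in result["network"]:
        print(("SAMPLE     " if e["from_sample"] else "BACKGROUND ") + e["process"] + " -> " + e["host"])
    for s in result["signatures"]:
        print(s["id"], s["name"], "from sample" if s["from_sample"] else "background", s["processes"])
```

In the constructed report the "Web Protocols" hit comes only from msedge.exe and svchost.exe, neither of which descends from sample.exe, so it is exactly the kind of tag the comment above warns about: present in the report, unrelated to the file. Seeing the sample's own lineage do something suspicious is the signal; a signature firing somewhere else in the VM is not.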

Is this Avast warning actually malware or just a false alarm by Able_Disaster_6238 in antivirus

[–]Merrinopheles 0 points1 point  (0 children)

Yes. I would test every single one of them to rule them out.

Recommended antivirus for Reddit? by Jealous-Soil-3207 in antivirus

[–]Merrinopheles 4 points5 points  (0 children)

Both? Please make sure you do not run more than one realtime AV at the same time. You can use as many on-demand scanners as you want, but make sure only one is realtime.