Wednesday, March 1, 2017

Comments for Explorer.exe in Virustotal:

This post is a somewhat random one. When we looked up a legitimate explorer.exe file on VirusTotal (a popular online malware scanner), it was flagged as clean (obviously clean, since it is a legitimate file).

The interesting part of this submission is the comment section. There is a good number of comments there that we saw and would like to share here.


User1:
exe has been exploited by a variant of Trojan.backdoor and Trojan.VBS.Autorun. Should be considered malicious in this instance. Executable is legit by default and belongs to the Windows operating system; the trojan leaves little indication of its presence. Picked up in the wild, known to infect USB drives and spread by copying itself to USB, also picked up from malicious webpages; the worm is usually dropped by the trojan after it gains entry. Tries to modify the Regkey for SuperHidden to hide itself even if "see hidden files" is checked in settings. Also infects network drives and can spread through the network. Drops malicious code to any file it chooses on the file system, escalates privileges, deletes files. Not known to damage hardware; copies itself to the root of every disk volume, replaces the autorun.inf file so that it loads the next time the volume is mounted. Manual removal recommendation: none; although most antivirus programs detect the worm itself and remove it, the damage created to the file system cannot be fixed as easily. Recommendation for removal: full format with Windows disk, disconnect all devices from the network, flush router, reset router, full reinstall on computers before connecting back to the network. As with any worm of this type, the risk for this infection is severe.

Additional Comments: Antivirus software is only an added layer of protection. When infected with backdoors and worms, the antivirus software may claim it is able to remove the threat (which in part is true); what it is not able to do is repair the damage that the infection has created. When a system has been backdoored, the attacker then usually creates multiple backdoors by exploiting legit Windows applications, along with creating new backdoors. Without being an NT/IT or having some other extensive knowledge about the Windows file system and operating system, it is very hard to find and fix each exploit. While the original infection may be gone, there may be new infections still hiding, or worse, while infected the attacker may have installed a rootkit, which is nearly impossible to fix with a simple antivirus program, as many advanced rootkits can call on and modify data at the kernel level. They can intercept and modify system calls directly, or use hooks to catch the calls and then replace them with their own. Most antivirus programs say they can find rootkits, but that is what we tend to call "OverHype". Most rootkits avoid antivirus scan detection because they can read when the call is sent to run the antivirus engine; the rootkit can then temporarily replace the infected files with the original files, try to delay or stop the engine itself, replace the scan results of the antivirus with previously logged scans of a clean system from when it was still undetected, etc.

Antiviruses should never be considered a safe solution for bad habits. Users need to be careful of what they do online; just because you have a good antivirus does not mean you are safe. Prevention is the best solution. In my honest opinion, detection is only good for future prevention. Once a worm or virus is detected, it can then be reverse engineered to see how it works and what it does. Once we know how it gains access and propagates, we can then find ways to restrict its access method, but for this to happen, someone/many someones will have to be infected first. Then those someones will have to wait until either they show noticeable symptoms and start requesting help from online sources such as https://bleepingcomputer.com or other help stations by performing multiple scans with multiple tools to fully diagnose the issue, or someone with computer knowledge notices subtle changes and starts investigating. Both of these situations could take days, to weeks, to months, to years. Then waiting for Microsoft to create a security patch could take years. This is why prevention is the key.



User2:


Authenticode signature block and FileVersionInfo properties

Copyright: © Microsoft Corporation. All rights reserved.
Product: Microsoft® Windows® Operating System
Original name: EXPLORER.EXE
Internal name: explorer
File version: 6.1.7601.17567 (win7sp1_gdr.110224-1502)
Description: Windows Explorer
Signature verification: Signed file, verified signature
Signing date: 8:16 PM 2/28/2011

Signers:

Microsoft Windows
    Status: This certificate or one of the certificates in the certificate chain is not time valid.
    Issuer: Microsoft Windows Verification PCA
    Valid from: 10:57 PM 12/7/2009
    Valid to: 10:57 PM 3/7/2011
    Valid usage: Code Signing, NT5 Crypto
    Algorithm: sha1RSA
    Thumbprint: 02ECEEA9D5E0A9F3E39B6F4EC3F7131ED4E352C4
    Serial number: 61 15 23 0F 00 00 00 00 00 0A

Microsoft Windows Verification PCA
    Status: This certificate or one of the certificates in the certificate chain is not time valid.
    Issuer: Microsoft Root Certificate Authority
    Valid from: 10:55 PM 9/15/2005
    Valid to: 11:05 PM 3/15/2016
    Valid usage: Code Signing, NT5 Crypto
    Algorithm: sha1RSA
    Thumbprint: 5DF0D7571B0780783960C68B78571FFD7EDAF021
    Serial number: 61 07 02 DC 00 00 00 00 00 0B

Microsoft Root Certificate Authority
    Status: Valid
    Issuer: Microsoft Root Certificate Authority
    Valid from: 12:19 AM 5/10/2001
    Valid to: 12:28 AM 5/10/2021
    Valid usage: All
    Algorithm: sha1RSA
    Thumbprint: CDD4EEAE6000AC7F40C3802C171E30148030C072
    Serial number: 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
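The chain pasted by User2 shows a verified signature even though two of the three certificates had expired by the date of this post. That is normal for Authenticode: when the signature carries a trusted timestamp countersignature, each certificate only needs to have been valid at the signing time, not at the time the file is checked, which is why VirusTotal reports "verified signature" next to "not time valid" statuses. The script below is an added example, not part of the original post and not VirusTotal's or Microsoft's code. It transcribes the subject, issuer and validity dates from the comment above, reproduces the per-certificate status at the post date (1 March 2017, assumed here as "now"), and re-evaluates the same chain at the quoted signing date.

```python
"""Evaluate the explorer.exe certificate chain quoted above at two points in time."""
from datetime import datetime

NOT_TIME_VALID = ("This certificate or one of the certificates in the "
                  "certificate chain is not time valid.")


def parse_vt_time(text):
    """Parse the 'H:MM AM/PM M/D/YYYY' timestamp format used in the comment."""
    return datetime.strptime(text, "%I:%M %p %m/%d/%Y")


# Subject, issuer and validity window of each certificate, transcribed from the
# comment above; leaf first, self-issued root last.
CHAIN = [
    {"subject": "Microsoft Windows",
     "issuer": "Microsoft Windows Verification PCA",
     "valid_from": parse_vt_time("10:57 PM 12/7/2009"),
     "valid_to": parse_vt_time("10:57 PM 3/7/2011")},
    {"subject": "Microsoft Windows Verification PCA",
     "issuer": "Microsoft Root Certificate Authority",
     "valid_from": parse_vt_time("10:55 PM 9/15/2005"),
     "valid_to": parse_vt_time("11:05 PM 3/15/2016")},
    {"subject": "Microsoft Root Certificate Authority",
     "issuer": "Microsoft Root Certificate Authority",
     "valid_from": parse_vt_time("12:19 AM 5/10/2001"),
     "valid_to": parse_vt_time("12:28 AM 5/10/2021")},
]

SIGNING_TIME = parse_vt_time("8:16 PM 2/28/2011")   # "Signing date" from the comment
POST_DATE = datetime(2017, 3, 1)                    # assumed "now": the date of this post


def chain_links_correctly(chain):
    """Each certificate must be issued by the next one; the last must be self-issued."""
    for cert, parent in zip(chain, chain[1:]):
        if cert["issuer"] != parent["subject"]:
            return False
    return chain[-1]["issuer"] == chain[-1]["subject"]


def time_valid(cert, when):
    """True if 'when' falls inside the certificate's validity window."""
    return cert["valid_from"] <= when <= cert["valid_to"]


def chain_status(chain, when):
    """Per-certificate status at 'when', in the wording VirusTotal shows.

    A certificate is only 'Valid' if it and every certificate above it in the
    chain are time valid, which is why the status text mentions the whole chain.
    """
    statuses = []
    for i, cert in enumerate(chain):
        ok = all(time_valid(c, when) for c in chain[i:])
        statuses.append((cert["subject"], "Valid" if ok else NOT_TIME_VALID))
    return statuses


def signature_valid_at(chain, when):
    """Timestamped Authenticode rule: the chain must link and be valid at 'when'."""
    return chain_links_correctly(chain) and all(time_valid(c, when) for c in chain)


if __name__ == "__main__":
    print("Status at post date:")
    for subject, status in chain_status(CHAIN, POST_DATE):
        print(f"  {subject}: {status}")
    print("Chain valid at post date:   ", signature_valid_at(CHAIN, POST_DATE))
    print("Chain valid at signing time:", signature_valid_at(CHAIN, SIGNING_TIME))
```

Run as-is, the script prints the same two "not time valid" statuses and one "Valid" that appear in the comment, then reports the chain as invalid at the post date but valid at the signing time. A verifier that ignores the timestamp and checks against the current clock would reject this signature, which is the wrong answer for a file signed in 2011; the practical rule is to anchor the validity check to the countersigned signing time and to treat a missing timestamp on an expired chain as the suspicious case.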
   



User3:


https://virustotal.com/en/file/acc5b8c77bb11e758190f3d44bf60fa09fe93436a4498dca6a597f52fc290c88/analysis/

https://virustotal.com/en/file/4da8e2b990ea518e19be92062bce2ea7a4a4f94faf605f7ef02aa5c29a13f72a/analysis/

https://virustotal.com/en/file/2742ff3417bc70fc799b1ce2700307e1f4b870ca5b1a15cdcde39dcd857bfacc/analysis/

https://virustotal.com/en/file/6bed1a3a956a859ef4420feb2466c040800eaf01ef53214ef9dab53aeff1cff0/analysis/

https://virustotal.com/en/file/f9c00757c1965dd8bc152e7d2bf1c4286f233923246c48fe344fc93462e94c99/analysis/         
 





Post made by
newWorld

