Trojan.Dropper
Trojan.Dropper is a generic detection name for a class of trojan. A dropper simply "drops" other files onto the system, and those files are usually trojans themselves.
So here we are: one day I randomly grab a recent in-the-wild (ITW) file that had just been scanned by Jotti's Online Malware Scan, picking a very recent "dropper" detection. Droppers are very interesting, as we will see, and this one is undetected by many antiviruses.

This "dropper" is no dropper at all - it turns out to be a legitimate WISE installer (self-extractor), which many AV scanners may therefore be unable to unpack. It is an installer, not a "dropper", yet it has the dropper effect: a trojan is carried inside and written out on installation. I'll update this article with more droppers soon.
Everything inside is compressed, much like a ZIP file, and unreadable without unpacking, so there is no point looking further for this simple article.
Good antivirus scan engine!
As soon as it recognises a known installer format, a good scan engine switches to archive analysis and unpacks the contents. Additional heuristic rules can then run against the extracted files and start judging them.
Of course KAV detects the embedded trojan, thanks to a rather feature-complete scan engine. Dr.Web also detects this one, first by a kind of signature, and then a heuristic detection is added!
Here are the scans from Jotti, where malware gets submitted.
Note - this is only a test incident. The main point of this is that detection is unreliable. Droppers are easy to make.
Scan by submitter
Old results for HXRecordV28.exe
AntiVir: No viruses found.
ArcaVir: No viruses found.
Avast: No viruses found.
AVG Antivirus: No viruses found.
BitDefender: No viruses found.
ClamAV: No viruses found.
Dr.Web: MULDROP.Trojan
F-Prot Antivirus: No viruses found.
Fortinet: No viruses found.
Kaspersky Anti-Virus: Trojan-Downloader.Win32.Small.bfy
NOD32: No viruses found.
Norman Virus Control: No viruses found.
UNA: No viruses found.
VBA32: No viruses found.
Rescan
Not long later
AntiVir: No viruses found
ArcaVir: No viruses found
Avast: No viruses found
AVG Antivirus: No viruses found
BitDefender: No viruses found
ClamAV: No viruses found
Dr.Web: MULDROP.Trojan,.DownLoader.4549 (probable variant)
F-Prot Antivirus: No viruses found
Fortinet: No viruses found
Kaspersky Anti-Virus: Trojan-Downloader.Win32.Small.bfy,-Downloader.Win32.Agent.we
NOD32: No viruses found
Norman Virus Control: No viruses found
UNA: No viruses found
VBA32: No viruses found
Antivirus response
KAV now appears to detect TWO files in the archive. Nice response. Dr.Web appears to detect something else as well, which suggests something clever about Dr.Web signatures: they are REWORKED to be "loose", using detection types, masks and other options that catch variants well. This is one way to fight obfuscation, and it is needed for TROJANS.
Fast response by both, and KAV again leads the way. Try the security suite or KAV5 Personal for the ultimate antivirus.
Trojaned installers have become more and more popular over the last few years. I have noticed a lot of them, and a lot of attempts at scanning with multiple scanners just to check whether they bypass detection! Droppers are unique and powerful - they can be used sneakily.
Proactive protection like DiamondCS ProcessGuard is designed around exactly this problem - droppers not getting detected by signatures. Execution protection is all that is needed to stop all droppers creating new files and starting them, which they often do from the TEMP FOLDER, and that alone gives them away. Anyone is capable of stopping every true dropper!
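A small behavioural check for the drop-and-execute pattern described above, as an added example that is not part of the original article and not ProcessGuard's code: it replays a constructed stream of file-create and process-create events (the record fields are assumptions, loosely modelled on endpoint telemetry) and flags an executable that is launched from a Temp folder by the same parent that just wrote it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Event:
    """One telemetry record; field names are assumptions, not a real sensor's schema."""
    kind: str                   # "FileCreate" or "ProcessCreate"
    pid: int                    # acting process (FileCreate) or the new process (ProcessCreate)
    image: str                  # image path of that process
    target: str = ""            # FileCreate only: path that was written
    ppid: Optional[int] = None  # ProcessCreate only: parent process id


def in_temp_dir(path: str) -> bool:
    """True when a directory component (not the file name) is a Temp/Tmp folder."""
    parts = path.lower().replace("/", "\\").split("\\")[:-1]
    return any(p in ("temp", "tmp") for p in parts)


def detect_droppers(events: List[Event]) -> List[str]:
    """Replay an ordered event stream and report drop-and-execute chains."""
    written_by: Dict[str, int] = {}   # normalised path -> pid that created it
    alerts: List[str] = []
    for ev in events:
        if ev.kind == "FileCreate":
            written_by[ev.target.lower()] = ev.pid
        elif ev.kind == "ProcessCreate":
            creator = written_by.get(ev.image.lower())
            if creator is not None and creator == ev.ppid:
                # The parent wrote this executable and then launched it: the dropper
                # pattern, whether or not the AV had a signature for either file.
                alerts.append(f"drop-and-execute: pid {ev.ppid} wrote and launched {ev.image}")
            elif in_temp_dir(ev.image):
                # Weaker signal on its own, but exactly what gives most droppers away.
                alerts.append(f"temp-exec: pid {ev.pid} started from a temp folder: {ev.image}")
    return alerts


# Constructed event stream (not from the page): an installer writes a file into the
# user's Temp folder and launches it, surrounded by benign explorer/notepad activity.
EVENTS = [
    Event("ProcessCreate", 100, r"C:\Downloads\installer.exe", ppid=1),
    Event("FileCreate", 100, r"C:\Downloads\installer.exe",
          target=r"C:\Users\bob\AppData\Local\Temp\payload.exe"),
    Event("ProcessCreate", 200, r"C:\Users\bob\AppData\Local\Temp\payload.exe", ppid=100),
    Event("FileCreate", 300, r"C:\Windows\explorer.exe", target=r"C:\Users\bob\Documents\notes.txt"),
    Event("ProcessCreate", 400, r"C:\Windows\notepad.exe", ppid=300),
]
```

Running `detect_droppers(EVENTS)` yields a single drop-and-execute alert for pid 100 and nothing for the explorer and notepad activity.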
More droppers
Here are a couple more droppers downloaded a bit later. The first shows good detection on an ITW sample by most vendors.
Old results for test.exe
AntiVir: Trojan/Drop.Delf.OP
ArcaVir: Trojan.Dropper.Delf.Op
Avast: No viruses found.
AVG Antivirus: Dropper.Generic.BCV
BitDefender: Trojan.Dropper.Delf.OP
ClamAV: No viruses found.
Dr.Web: Trojan.MulDrop.2883
F-Prot Antivirus: W32/Delf.MQ
Fortinet: W32/Delf.OP-dr
Kaspersky Anti-Virus: Trojan-Dropper.Win32.Delf.op
NOD32: No viruses found.
Norman Virus Control: W32/Smalldrp.FKI
UNA: No viruses found.
VBA32: Trojan-Dropper.Win32.Delf.op
A few hours later
New results:
AntiVir: Trojan/Drop.Delf.OP
ArcaVir: Trojan.Dropper.Delf.Op
Avast: No viruses found
AVG Antivirus: Dropper.Generic.BCV
BitDefender: Trojan.Dropper.Delf.OP
ClamAV: No viruses found
Dr.Web: Trojan.MulDrop.2883
F-Prot Antivirus: W32/Delf.MQ
Fortinet: W32/Delf.OP-dr
Kaspersky Anti-Virus: Trojan-Dropper.Win32.Delf.op
NOD32: No viruses found
Norman Virus Control: W32/Smalldrp.FKI
UNA: No viruses found
VBA32: Trojan-Dropper.Win32.Delf.op
Draw your own conclusions here: no changes, and the vendors that were already missing the trojan still haven't added detection YET.
Undetected
The second is undetected by nearly everything when first scanned (probably submitted by an attacker checking their own file).
Old results for TBot.exe
AntiVir: No viruses found.
ArcaVir: No viruses found.
Avast: No viruses found.
AVG Antivirus: No viruses found.
BitDefender: No viruses found.
ClamAV: No viruses found.
Dr.Web: No viruses found.
F-Prot Antivirus: No viruses found.
Fortinet: No viruses found.
Kaspersky Anti-Virus: No viruses found.
NOD32: No viruses found.
Norman Virus Control: No viruses found.
UNA: No viruses found.
VBA32: Trojan-Dropper.Agent.8
New results:
AntiVir: No viruses found
ArcaVir: No viruses found
Avast: No viruses found
AVG Antivirus: No viruses found
BitDefender: No viruses found
ClamAV: No viruses found
Dr.Web: No viruses found
F-Prot Antivirus: No viruses found
Fortinet: No viruses found
Kaspersky Anti-Virus: No viruses found
NOD32: No viruses found
Norman Virus Control: No viruses found
UNA: No viruses found
VBA32: Trojan-Dropper.Agent.8 (probable variant)
Variant detection has been added: this will also catch modified variants of the sample. Great stuff, VBA32!
The image shows the END of the otherwise "normal" file, with something appended after it. The AV is most likely detecting this: sometimes malware stores a second file exactly as shown in the image - just the file written out as numbers. It is pretty obvious what it is once you look at it.

The numbers are the HEX characters of the payload, which the dropper reads back and writes out to a file one byte at a time. Quite often this fools AVs; VBA32 did well.
Update - see this article for a new dropper that many AVs do not unpack correctly. Even the great KAV does not recognise the NSIS archive and extract it, but running the installer extracts the file and KAV then detects the actual nasty on disk. So no real miss or risk, just an NSIS unpacker update needed.
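A static check for the trick described above, as an added example that is not the article's code or any vendor's: it looks for a long run of ASCII hex digits appended to the end of a file, decodes it one byte at a time, and tests whether the result carries a DOS/PE header. The carrier and payload below are constructed samples, not the TBot.exe file from the scans; it also handles a carrier whose own last bytes happen to look like hex.

```python
import re
import struct
from typing import Optional

# A trailing run of at least 64 hex pairs, optionally separated by spaces or commas,
# anchored at end of file; a short hex-looking word such as "deadbeef" will not match.
HEX_TAIL = re.compile(rb"(?:[0-9A-Fa-f]{2}[\s,]*){64,}\Z")


def extract_hex_overlay(data: bytes) -> Optional[bytes]:
    """Return the payload stored as ASCII hex at the end of the file, or None."""
    match = HEX_TAIL.search(data)
    if match is None:
        return None
    digits = re.sub(rb"[\s,]", b"", match.group(0))
    payload = bytes.fromhex(digits.decode("ascii"))
    # A carrier that happens to end in hex-looking text contributes a byte or two
    # in front of the real payload; re-align on the DOS magic if it sits nearby.
    idx = payload.find(b"MZ", 0, 16)
    return payload[idx:] if idx > 0 else payload


def looks_like_executable(blob: bytes) -> bool:
    """DOS magic plus a PE signature at e_lfanew: the cheapest header sanity check."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(data: bytes) -> str:
    """Verdict for one file image held in memory."""
    payload = extract_hex_overlay(data)
    if payload is None:
        return "clean-looking"
    if looks_like_executable(payload):
        return "hex-encoded executable appended"
    return "hex-encoded blob appended"


# Constructed samples (not from the page): a fake carrier with a minimal DOS/PE
# header appended as hex text, the same carrier with ordinary trailing text, and
# a carrier with hex text that decodes to something that is not an executable.
INNER = b"MZ" + b"\x90" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + bytes(range(256))
TROJANED = b"carrier program bytes\x00" + INNER.hex().encode("ascii")
CLEAN = b"carrier program bytes\x00" + b"ordinary trailing data deadbeef"
BLOB = b"carrier program bytes\x00" + (b"A" * 100).hex().encode("ascii")
```

`classify(TROJANED)` reports the appended executable, `classify(CLEAN)` stays clean-looking, and `classify(BLOB)` reports a hex blob that is not a PE.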