Even after raising this issue multiple times with the avast! team and virus lab members, I still don't see an improvement when it comes to detecting js:nemucod samples that download ransomware.
Not just that, avast! continues to be sloppy about adding detection for these files. I am not sure whether their automated systems don't see such files or they are just manually analyzing them. This specific family of malware is getting past avast and we are completely counting on IDP to detect it. I know I am repeating myself, but I think there is something we can do to speed up the reaction process.
Also, the big bummer is that avast! at times doesn't detect the file on download; it waits until I execute it and the malware deobfuscates itself. I know Kaspersky and some other vendors can see through that obfuscated code and block it.
This is one malware family where avast has to wait till the last moment, and when it's not blocked the user is infected 90% of the time.
I am not impressed, as this is an infection vector. I have even suggested some ideas, like monitoring wscript specifically, since most systems won't have something running it by default anyway, and what % of good files use it? Very few, I assume. I know I shared a similar idea about dual extension malware, which I am seeing a lot now, but since my return from the roundtable I am seeing avast improving in this field. The reaction time to this threat family by avast is very poor.
By the time the lab adds detection there are new variants in town.
But if you guys are looking for some help with this particular family, I have a lot more of these samples. I have like 25 pieces of the same family; most are a couple of days old and some new, but none are being detected. I even submitted them.
I will send you the files if you want. They just try downloading things from different URLs in my experience, and something eventually gets through. All avast can do is keep popping up blocked messages, but the machine still remains infected anyway.
If anyone wants to test this family, PM me with your mail address. It will be interesting to know how the IDP performs against them. But still, this is a problem.
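As an added illustration of the two ideas raised in the post above (watching the script host and catching dual extension lures), here is a small triage routine run over constructed process-creation events. It is example code written for this thread, not avast's detection logic or anything from the samples discussed; the field names, parent/child process list, directory patterns and sample command lines are all assumptions chosen for illustration.

```python
"""Flag wscript/cscript launches that look like a mail or download lure.

Added example for this thread; not avast code. All field names, lists and
sample events below are assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
# Folders where a freshly downloaded or mail-attached script usually lands (assumed list)
SUSPICIOUS_DIRS = ("\\temp\\", "\\downloads\\", "\\content.outlook\\")
# Document-looking extensions a dual extension lure borrows (assumed list)
LURE_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
# Parents that indicate an interactive launch (double-click from mail, shell or archiver)
INTERACTIVE_PARENTS = {"outlook.exe", "explorer.exe", "winrar.exe", "7zfm.exe"}


@dataclass
class Event:
    """One process-creation record (constructed shape, not a real log format)."""
    parent: str
    image: str
    command_line: str


def script_argument(command_line):
    """Return the first script-like argument in a command line, or None."""
    tokens = re.findall(r'"([^"]+)"|(\S+)', command_line)
    for quoted, bare in tokens[1:]:  # tokens[0] is the executable itself
        tok = quoted or bare
        if any(tok.lower().endswith(ext) for ext in SCRIPT_EXTS):
            return tok
    return None


def is_dual_extension(path):
    """True for names like invoice.pdf.js: a lure extension followed by a script extension."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    parts = name.split(".")
    return (len(parts) >= 3
            and "." + parts[-2] in LURE_EXTS
            and "." + parts[-1] in SCRIPT_EXTS)


def assess(event):
    """Return the list of reasons an event is suspicious; an empty list means nothing matched."""
    reasons = []
    image = event.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return reasons
    script = script_argument(event.command_line)
    if script is None:
        return reasons
    if any(d in script.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("script host launched from download/temp location")
    if is_dual_extension(script):
        reasons.append("dual extension lure")
    parent = event.parent.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"script host spawned by {parent}")
    return reasons


# Constructed sample events: two lure-style launches, one legitimate scheduled
# script run by a service, and one unrelated process.
SAMPLE_EVENTS = [
    Event(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
          r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.pdf.js"'),
    Event(r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", r"C:\Windows\System32\WScript.exe",
          r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\AppData\Local\Temp\order_2291.js"'),
    Event(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\cscript.exe",
          r'"C:\Windows\System32\cscript.exe" //nologo C:\Scripts\nightly_backup.vbs'),
    Event(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
          r'"C:\Windows\System32\notepad.exe" C:\Users\alice\Downloads\notes.txt'),
]


def triage(events=SAMPLE_EVENTS):
    """Return (command_line, reasons) for every event that raised at least one reason."""
    hits = []
    for event in events:
        reasons = assess(event)
        if reasons:
            hits.append((event.command_line, reasons))
    return hits


if __name__ == "__main__":
    for cmd, why in triage():
        print(cmd)
        for reason in why:
            print("   -", reason)
```

The scheduled backup script is deliberately left unflagged: the point of the post is that script-host activity from mail or download locations is rare on a normal machine, so the rule keys on where the script came from and who launched it rather than on wscript alone.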
Nice sharing. Would you share with us how this malware attacks the victim?
It seems the malware poses as a Microsoft document and is sent as an attachment file.
Thanks for the samples. Did you try the whole infection vector? Because we have different detections, so mostly scripts, like the Nemucod downloader, are detected in email attachments, which is the way they are spread.
For example F6DE8183EC321DC491A3A27785056CBB94B06D5614EFEEA8C1BDC34060C4D2D7 was detected 82 times in the last 3 days; a sample not being detected on VT doesn't mean it is not detected at all.
Yes I did. First of all, thanks for replying to this thread.
Most files were received from mails, either with an attachment or a link to the malware download, but avast was quiet. I have seen some threads at the forums where people are infected with something like this. I have sent the files to you by mail anyway.
By the way, I don't see which detection you are referring to... are there still some detection modules only working on execution? Why not detect the file once it's downloaded if you have the detection? Why wait till the point of execution?? Because they are obfuscated scripts, avast should be able to scan through them on download just like other AVs do.
Some of these files have been scraped from infected USBs.
It's still an interesting stat that you mentioned. I know VT detection isn't everything.
These samples should be blocked when you receive them through email, so before downloading to your PC or execution.
In this case I am just wondering how it can infect a USB, because all the files are just simple downloaders.
So there is a separate database for the mail shield, I assume? Yes!! At least from what I have investigated, some of the guys got it from USB, which I am surprised at as well.
I would advise that samples are sent directly to avast and not posted using sharing links. You have no control over who downloads it/them from the sharing link, nor what purpose they use them for.
Interesting obfuscation technique within a BAT file. Haven’t tried decrypting it yet, but I find it interesting the way it’s done (after checking it briefly).