I was wondering: the only bad thing in Avast detection, IMHO, is the Brazilian trojan bankers that we keep receiving by email or Orkut scraps… For the other detections, Avast seems to be doing very well.
In the last month, I received 13 different trojan bankers in my email / Orkut.
Sadly, Avast only found 1. The others it missed badly.
Avira, on the other hand, found 12, and the one it missed was added one day later. Of these 12 detections, 11 were with proactive protection (generic signature or heuristics). The other was with a normal signature.
Is it possible for Avast to create the same kind of protection that Avira made for trojan bankers here in Brazil?
This kind of malware keeps growing, and I don't think that signature-based protection is enough to stop this thing from spreading and staying undetected.
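To make the "generic signature vs. exact signature" distinction in the post above concrete, here is an added example that is not part of the original thread. It contrasts an exact-hash signature (an MD5 of a known sample, the kind of match that a repacked variant trivially escapes) with a generic byte-pattern signature that keys on the capability the family shares. All sample bytes, API names and domains are constructed toy data, not real malware, and the pattern is an illustration of the idea rather than any vendor's actual signature.

```python
"""Added example: exact-hash vs. generic byte-pattern detection.
Sample payloads below are constructed toy data, not real samples."""
import hashlib
import re

# Constructed "variants": same capability string and code skeleton,
# but different padding and C2 domain, as repacked variants typically differ.
VARIANT_A = (b"MZ\x90\x00" + b"\x00" * 16
             + b"GetWindowTextA\x00bancoexemplo.com\x00"
             + b"\xe8\x00\x00\x00\x00\x90\x90")
VARIANT_B = (b"MZ\x90\x00" + b"\x00" * 32
             + b"GetWindowTextA\x00outrobanco.com\x00"
             + b"\xe8\x00\x00\x00\x00\x90\x90")
BENIGN = b"MZ\x90\x00" + b"hello world\x00"


def md5_hex(data: bytes) -> str:
    """Exact-match identity of a sample (hypothetical signature store key)."""
    return hashlib.md5(data).hexdigest()


# Exact signature database: only the sample the vendor has already seen.
KNOWN_HASHES = {md5_hex(VARIANT_A)}


def hash_detect(data: bytes) -> bool:
    """Signature-by-hash: fires only on byte-identical samples."""
    return md5_hex(data) in KNOWN_HASHES


# Generic signature (illustrative): the window-scraping import name, followed
# by a .com domain string, followed within 16 bytes by a CALL + two NOPs.
# Wildcards absorb the parts that change between repacks.
GENERIC = re.compile(
    rb"GetWindowTextA\x00[a-z0-9.-]{4,64}\.com\x00.{0,16}?\xe8....\x90\x90",
    re.DOTALL,
)


def generic_detect(data: bytes) -> bool:
    """Pattern-based detection: fires on any sample sharing the skeleton."""
    return GENERIC.search(data) is not None


def scan(samples: dict) -> dict:
    """Run both detectors over named samples; returns {name: (hash, generic)}."""
    return {name: (hash_detect(b), generic_detect(b)) for name, b in samples.items()}


if __name__ == "__main__":
    for name, (h, g) in scan({"A": VARIANT_A, "B": VARIANT_B, "benign": BENIGN}).items():
        print(f"{name}: hash={h} generic={g}")
```

Running it shows variant A caught by both detectors, variant B (the day-old repack) caught only by the generic pattern, and the benign file caught by neither; that gap between the two columns is exactly the "proactive protection" the post credits Avira with.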
I think that it would greatly help if you could send the samples to avast virus@avast.com
Avast already has some proactive detection in terms of generic detection, and avast 5 is supposed to deal with that issue.
In the meantime, you could add ThreatFire, a free behaviour blocker, to your security setup to help deal with zero-day threats.
Alternatively there is also a free anti-Trojan called Comodo Boclean which you could use.
Speaking purely from an observational point of view…
avast! has the habit of performing poorly against “mainstream” malware, so to speak – by “mainstream” I refer to most of the popular families created and maintained by commercial malware writers. Detection for Zlob, rogue antivirus programs, and ecards are generally less than ideal, and what is even more confusing is that these samples take days to be added to the signature database – during which, of course, the malware families have already been updated multiple times.
If anyone knows about the Waledac (card.exe) trojans being spammed about lately, it’s being speculated as the potential successor to the Storm botnet – and another variant family that avast! seems to drag its feet in adding detection for as well.
Funny, and I think we're pretty good at covering rogues, since we catch the scripts in their pages, we block all of their pages, and we also detect the binaries. That's three layers of protection.
Same applies to Waledac - all of their distro sites should be blocked by the URL blocker.
Regarding Brazilian bankers in particular - I believe we are getting quite a lot of samples from Bank of Brazil on a regular basis… so I would assume (now that’s really just an assumption, I really don’t know any objective data) that the detection should be quite good… ???
Speaking of Waledac distro sites - at least one is getting past (116.99.19.127), and 4 variants of the binary over the last 2 days are yet to be added to the signature database.
Avast is doing well, but I think it still can be improved.
Avast is not detecting this malware but it blocks the website from which it can be downloaded.
Well, four new Waledac distro IPs popped up during the last 2 hours, 3 of them hosting a binary with the same MD5 hash. avast! stopped none of them, neither domain nor binary.
Not to mention there’s still the handful of undetected variants from days ago. This whole “we block the malicious domains!” strategy is making me rather uneasy, to say the least.
Well, seeing as how VPS 090112-0 is hot off the oven but still does not include detection for the Waledac variants that appeared over the last few days, I’d imagine my conclusion was a rather reasonable one to arrive at…
Perhaps day-old variants are already rapidly falling off the radar and not worth detecting at this stage? ???