False negative: phishing not detected

Phishing email not detected by avast!
You’re redirected to a Russian site.
VirusTotal detects nothing… Smart uh?
hxxp://devonrangers.com/nf-e.php
https://www.virustotal.com/en/url/f8c98c43652f2cf84e869d292e1918e9485e7d9ea79bdf868dcc05ce90b64fee/analysis/1408633498/

How can we improve phishing detection? :-[

How can we improve phishing detection?
report to PhishTank.com

link goes to a fake pdf.doc (actually .exe)
https://www.virustotal.com/en/file/d9751f939b5f423c186bfab05ce5005b9c3f4e62ac591f6c429f5c79c40a3bd2/analysis/1408635986/
https://www.metascan-online.com/en/scanresult/file/b37600510c15462d9e281440797a3343

on the way to avast inbox, and Malwarebytes :wink:

Another phishing email with infected file not detected by Avast.
On VirusTotal, (17/53)… So, hurry up.
File sent from Chest to analysis.

https://www.virustotal.com/en/file/d24cb1bd4a84ccd315856f3b0943d4eb91821572663d03ef09143cdd5dc2ab1d/analysis/1415307031/

Hi Lisandro,

There is other malware that has not been detected by avast from the particular IP that http://devonrangers.com is on, see:
https://www.virustotal.com/nl/ip-address/64.37.52.84/information/
Example: https://www.virustotal.com/nl/file/f8d0cd4b702e492be76e747c1b76d556ce21906241d4dd3f474ef2dbbb3c1a43/analysis/
and here avast fails: https://www.virustotal.com/nl/file/e805711a920013acabb42689c6c3eef1356c38543050006a7db184c70fabac00/analysis/
Here avast is one to detect: https://www.virustotal.com/nl/file/b0720dd97dfa80a0d21426d22e63ebdedba4d45b2402a2bdff6e52d816ee463c/analysis/

See what is here: http://support.clean-mx.de/clean-mx/phishing.php?id=3641241

This Bandoo variant malcode should be detected: http://www.herdprotect.com/ip-address-94.31.0.25.aspx

Damian

Thanks Polonus, but these misses make the picture even worse…

Note that the VT links posted above are not fresh scans :wink:

Hi Pondus,

You are right, some of the phishing sites no longer exist, or the phish was taken down before detection could take place or should be continued. Most malware exists for small periods, a couple of hours or so, is rotating or comes in perpetually changing variants to go under the av detection radar. Malware campaigns as a rule do not last that long. This is a reason that slow-reacting av detection has more false negatives, because they are slow reactors, and this is less obvious after a couple of days when things get evened out, well, for signature detection that is.

Malcode that lasts longer than one day is rare. Malware that stays on for weeks is still there because of pure ignorance by parties that should take it down or cleanse, and malware that is with us even longer is called OVERDUE! malcode (exists for a thousand hours and more) and is intentional malware, produced by cybercrime/malcreants and dubious hosters that condone it being launched from their servers. One can easily see these patterns at clean MX resources (at the moment clean MX is again under DDoS attack, so take a look there later; look up clean mx in combination with malware name, IP or URL).

polonus

How to get VT scanning the file again and without uploading it again?
In other words, how to update the results?

If it is a file, you get a rescan button on the first popup if the file has been uploaded before.
You need to have the file, as there is no rescan button on an old result … Sometimes you will see a “see latest result” if someone has uploaded the same file.

If it is a URL you upload and scan again
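Doing the same from a script, as an added example that is not from this thread: the current VirusTotal API v3 (which postdates this 2014 discussion) lets you ask for a rescan by hash alone and read back the detection ratio and a named engine's verdict. The endpoints and `x-apikey` header are VT's own; the report below is a constructed, abbreviated sample, not a real result.

```python
"""Re-check a VirusTotal verdict by hash, without re-uploading the sample (added example)."""
import hashlib
import json
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"  # VirusTotal's public API v3

def sha256_of(data: bytes) -> str:
    """VT identifies a file by its digest, so the hash is all a rescan request needs."""
    return hashlib.sha256(data).hexdigest()

def build_rescan_request(file_hash: str, api_key: str) -> urllib.request.Request:
    """POST /files/{hash}/analyse asks VT to re-scan a sample it already holds."""
    return urllib.request.Request(
        f"{VT_API}/files/{file_hash}/analyse", method="POST",
        headers={"x-apikey": api_key, "accept": "application/json"})

def build_report_request(file_hash: str, api_key: str) -> urllib.request.Request:
    """GET /files/{hash} returns the latest per-engine results and summary stats."""
    return urllib.request.Request(
        f"{VT_API}/files/{file_hash}", headers={"x-apikey": api_key})

def fetch_json(req: urllib.request.Request) -> dict:
    """Send a prepared request and decode the JSON body (needs network and a key)."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def detection_ratio(report: dict) -> tuple[int, int]:
    """Reduce last_analysis_stats to the 'detected/total' ratio quoted in the thread (e.g. 17/53)."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    detected = stats.get("malicious", 0) + stats.get("suspicious", 0)
    return detected, sum(stats.values())

def missed_by(report: dict, engine: str) -> bool:
    """True when the named engine returned no verdict, i.e. the false negative worth reporting."""
    results = report["data"]["attributes"]["last_analysis_results"]
    return results.get(engine, {}).get("category") == "undetected"

# Constructed, abbreviated report in the v3 response shape (not a real VT result).
SAMPLE_REPORT = {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 17, "suspicious": 0, "undetected": 36,
                            "harmless": 0, "timeout": 0, "type-unsupported": 0, "failure": 0},
    "last_analysis_results": {
        "Avast": {"category": "undetected", "result": None},
        "Kaspersky": {"category": "malicious", "result": "Trojan.Win32.Generic"}}}}}

if __name__ == "__main__":
    detected, total = detection_ratio(SAMPLE_REPORT)
    print(f"{detected}/{total} engines flag the sample; Avast missed it: {missed_by(SAMPLE_REPORT, 'Avast')}")
```

For a live check, pass `sha256_of(open(path, "rb").read())` and your key to `build_rescan_request`, send it with `fetch_json`, then fetch the report with `build_report_request` once the analysis completes.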

It’s a pity… You always need to have the file again…

New scan: https://www.virustotal.com/en/file/d24cb1bd4a84ccd315856f3b0943d4eb91821572663d03ef09143cdd5dc2ab1d/analysis/1415360326/
Avast is detecting in VT.
Although Avast is NOT detecting locally (neither within Chest nor right-click scanning).

Hi Lisandro and Pondus,

But you two should know by now that avast detection always has such issues with Borland Delphi (7) file detection.
It is a known pain in the back, also for the developers of such executables.
See the number of reports analyzed here: http://www.threatexpert.com/files/face.exe.html
Antivirus Report of face.exe:
face.exe Malware
face.exe Dangerous
face.exe High Risk
face.exe
We suggest you remove face.exe from your computer as soon as possible.
Face.exe is Trojan/Backdoor.
Kill the process face.exe and remove face.exe from Windows startup.
Remove face.exe now!
Reviewed by: NightWatcher
face.exe Dangerous Rating: 5 out of 5 (info credits go to Alex Nightwatcher)

Therefore the free version of Revo Uninstaller, in advanced mode, should always be ready to be used on your desktop. :wink:

polonus