Trojan Hiloti not detected by avast, but detected by Network Shield!

See: http://wepawet.iseclab.org/view.php?hash=747c7d6ab1d64eae28de473a29014601&t=1303924190&type=js

See: http://anubis.iseclab.org/?action=result&task_id=1684ce586b3f7f8e4c9ded2d703e8794e

VT results: http://www.virustotal.com/file-scan/report.html?id=ed97aac907b45a60ad794b838d0c07c50c9acda69b198e726cd1454851007a89-1303918570

Domain found dangerous: http://www.urlvoid.com/scan/cmdiutf.cz.cc

Emsisoft detects here: http://vscan.urlvoid.com/analysis/904dc91a17d27b2639b8cdd0e63e2667/cmVhZG1lLWV4ZQ==/

DrWeb online URL checker detects:
Checking: hxtp://cmdiutf.cz.cc/k.php?f=45%26e=0
Engine version: 5.0.2.3300
Total virus-finding records: 2027552
File size: 112.00 KB
File MD5: 904dc91a17d27b2639b8cdd0e63e2667

htxp://cmdiutf.cz.cc/k.php?f=45%26e=0 infected with Trojan.Hiloti.based.2

Also reported via virus AT avast dot com

polonus

Status of the threat is online
MD5 hash 904dc91a17d27b2639b8cdd0e63e2667
Anubis report: http://anubis.iseclab.org/?action=result&task_id=177457871cb427b54cdeda1f7d692c02f
VT results: http://www.virustotal.com/file-scan/report.html?id=ed97aac907b45a60ad794b838d0c07c50c9acda69b198e726cd1454851007a89-1303918570

polonus

avast network shield blocks the domain :slight_smile:

Hi spg SCOTT,

Thanks for checking here, I appreciate that very much. The shields are a very important integral added protection layer of the avast av solution now; so much has been proven beyond any doubt. I have changed the title of this topic accordingly, as you may have seen.
I particularly like the images of suspicious script you so often find time to add to your postings and how you contribute your findings from using Malzilla. Recently I also came to appreciate the use of various new online script analyzers next to the well-known wepawet and Anubis (monkeywrench, for instance). I like the way in which we inspire each other.

Damian

Is Hiloti still under development? I thought this malware family had died.

Hi Left123,

Here, read this write-up:
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Hiloti-BV/detailed-analysis.aspx
(look at the first-seen date); it shows that some new variant(s) must have been (re-)created…
The old Hiloti branch dated from 2008, so this must be a “newly incarnated” malware family member…
Hiloti re-visited ;D
With new on-the-fly wrappers to make old malware go under the av radar, this isn't such a surprise.

polonus