7 Replies Latest reply on Jan 3, 2011 8:49 PM by dknymd

    Malware not collected by Getsusp

    HBullock

      Analysis ID: 6422809

      Noticed because of HIPS 344 events.

      The data translates to "C:\Documents and Settings\usxxxx\Application Data\Uxote\xacou.exe"

      Threat Source Process Name:

      C:\WINDOWS\Explorer.EXE

      Threat Source URL:

      file:///C:\WINDOWS\Explorer.EXE

      New Data

      220043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00750073003000380034003900300036005c004100700070006c00690063006100740069006f006e00200044006100740061005c00550078006f00740065005c007800610063006f0075002e0065007800650022000000

      Registry Value(s)

      \REGISTRY\CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\{B17B6089-64AD-5696-59E6-2887B0FE626C}

      Workstation Name

      Message was edited by: HBullock on 12/13/10 8:14:21 PM CST
        • 1. Re: Malware not collected by Getsusp
          HBullock

          We have many computers that exhibit the same type of issue. That is, explorer.exe is causing many 344 HIPS signature triggers by writing to the registry to start some other program. Most of the target programs are in the user's profile. Some have been in the recycle bin.

          I have executed Getsusp via ePO on about a dozen similar computers. Getsusp has never returned any suspicious files when explorer.exe was the threat process. Why is it that whatever is injected into explorer.exe is not being uncovered by Getsusp?

          • 2. Re: Malware not collected by Getsusp
            HBullock

            Here is another example:

            Unknown Files

            Status: UNKNOWN
            MD5: a443740fcd14bf86b18f373b07b87e3b
            Location: C:\Documents and Settings\FR016403\fr0164031
            File Name: winlogon.exe
            Attribute: A
            Company:
            Description:
            Product Version: 1.00
            File Version: 1.00
            File Size: 339,968
            Creation Date: 12/13/2010 15:36
            Modification Date: 11/21/2010 13:11
            Type: Process

            This file was at least identified as unknown, which is better than the occurrence in the original post. This is malware as identified by HIPS signature 344 event triggers. The difference is that the threat process in this case is svchost.exe. The registry value data identified the file above.

            Threat Source Process Name:C:\WINDOWS\system32\svchost.exe
            Threat Source URL:file:///C:\WINDOWS\system32\svchost.exe
            New Data 43003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00460052003000310036003400300033005c006600720030003100360034003000330031005c00770069006e006c006f0067006f006e002e006500780065000000
            Registry Value(s) \REGISTRY\CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\NVIDIA MEDIA CENTER LIBRARY

            It seems that Getsusp has difficulty evaluating what is running in Explorer.exe and does slightly better with svchost.exe, yet still did not list it as suspicious. As a result I do not yet have a sample of this malware and will need to have local support capture it.
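The two posts above each work from a HIPS 344 event whose "New Data" field is a hex dump of the REG_SZ value written under a Run key, which the poster decoded by hand to recover the autostart target. The script below, added here as an illustration and not code from the thread, from GetSusp or from the HIPS product, automates that decoding (tolerating the fixed-width wrapping seen in pasted event text) and applies the triage cues the thread itself uses: an autostart target inside a user profile or the recycle bin, a system-binary filename such as winlogon.exe living outside the Windows directory, and a bare GUID as the value name. The sample events are constructed from the paths quoted in the thread with the user names replaced by placeholders; ctfmon.exe is included as a legitimate control case. Function and constant names are the example's own.

```python
"""Decode and triage HIPS 344 'New Data' payloads (UTF-16LE REG_SZ hex dumps).

Added example for this thread; not part of GetSusp or the HIPS product.
The sample events below are constructed from the paths quoted in the thread
with the user names replaced by placeholders.
"""
import re
from dataclasses import dataclass, field

SYSTEM_BINARY_NAMES = {"winlogon.exe", "svchost.exe", "explorer.exe",
                       "lsass.exe", "csrss.exe", "services.exe"}
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\users\\",
                         "\\recycler\\", "\\$recycle.bin\\", "\\temp\\")
WINDOWS_DIR_PREFIXES = ("c:\\windows\\",)
GUID_NAME = re.compile(r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}")


def decode_reg_sz_hex(hex_dump: str) -> str:
    """Turn a HIPS 'New Data' hex dump back into the REG_SZ string it encodes.

    Pasted dumps are wrapped at a fixed width, so whitespace anywhere in the
    dump is ignored.  The bytes are UTF-16LE terminated by a 00 00 pair; only
    the first null-terminated string is returned, without surrounding quotes.
    """
    raw = bytes.fromhex(re.sub(r"\s+", "", hex_dump))
    if len(raw) % 2:
        raise ValueError("odd byte count: not a complete UTF-16LE dump")
    text = raw.decode("utf-16-le").split("\x00", 1)[0]
    return text.strip('"')


def encode_reg_sz_hex(text: str, width: int = 80) -> str:
    """Inverse of decode_reg_sz_hex, used here only to build constructed samples.

    Reproduces the wrapped layout seen in pasted event text.
    """
    hexstr = (text + "\x00").encode("utf-16-le").hex()
    return " ".join(hexstr[i:i + width] for i in range(0, len(hexstr), width))


@dataclass
class RunEntry:
    value_name: str
    target: str
    flags: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.flags)


def triage_run_entry(value_name: str, hex_dump: str) -> RunEntry:
    """Apply the triage cues this thread illustrates to one Run-key write."""
    target = decode_reg_sz_hex(hex_dump)
    low = target.lower()
    entry = RunEntry(value_name, target)
    # Autostart targets inside a user profile, temp folder or the recycle bin
    # are the pattern in every event quoted in the thread.
    if any(m in low for m in USER_WRITABLE_MARKERS):
        entry.flags.append("target in user-writable location")
    # A system-binary filename outside %WINDIR% (the winlogon.exe case above).
    basename = low.rsplit("\\", 1)[-1]
    if basename in SYSTEM_BINARY_NAMES and not low.startswith(WINDOWS_DIR_PREFIXES):
        entry.flags.append(f"{basename} outside the Windows directory")
    # Weak signal on its own: a bare GUID as the value name, as in the first post.
    if GUID_NAME.fullmatch(value_name.lower()):
        entry.flags.append("GUID-style value name")
    return entry


# Constructed sample events (value name, 'New Data' hex).  Paths follow the
# thread's examples with placeholder user names; ctfmon.exe is a legitimate
# control case.
SAMPLE_EVENTS = [
    ("{B17B6089-64AD-5696-59E6-2887B0FE626C}",
     encode_reg_sz_hex('"C:\\Documents and Settings\\usxxxx\\Application Data\\Uxote\\xacou.exe"')),
    ("NVIDIA MEDIA CENTER LIBRARY",
     encode_reg_sz_hex("C:\\Documents and Settings\\FRxxxxxx\\frxxxxxx1\\winlogon.exe")),
    ("ctfmon.exe",
     encode_reg_sz_hex("C:\\WINDOWS\\system32\\ctfmon.exe")),
]


def triage_all(events=SAMPLE_EVENTS) -> dict:
    """Map each value name to its flags; an empty list means nothing was flagged."""
    return {name: triage_run_entry(name, data).flags for name, data in events}


if __name__ == "__main__":
    for name, flags in triage_all().items():
        print(f"{name!r}: {flags or 'no flags'}")
```

Run it as-is to see the two thread-derived entries flagged and the control entry pass; to triage real events, feed `triage_run_entry` the value name from the "Registry Value(s)" field and the raw "New Data" hex. The decoder deliberately rejects an odd byte count rather than guessing, since a truncated dump would otherwise decode to a plausible-looking but wrong path.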

            • 3. Re: Malware not collected by Getsusp
              vinoo

              We've replicated the issue with xacou.exe. When GetSusp runs under the permissions of the SYSTEM account (while deployed via ePO), it is having issues reading entries under the HKCU key. GetSusp, when run using a local or domain user account, does not have this issue.

              Thanks for reporting. The investigation is ongoing.

              • 4. Re: Malware not collected by Getsusp
                HBullock

                Will you be able to post a new build as a present for Christmas that addresses some of these outstanding issues?

                • 5. Re: Malware not collected by Getsusp
                  vinoo

                  We're ready with the next build that incorporates most of the requested features & fixes. It's our New Year present, and we will be sending you a copy shortly.

                  • 6. Re: Malware not collected by Getsusp
                    HBullock

                    Thank you. I look forward to toasting the new release and giving it a workout.

                    • 7. Re: Malware not collected by Getsusp

                      Having just renewed my McAfee contract on January 2nd I was suprised to come home from work today January 3rd and see that my computer was beseiged by bankerfoxA. I followed the steps suggested and downlowded GetSusp 3.0 to a flash drive on my laptop and then restarted in safemode. I was successfull in running the GetSusp, but it did not detect any malicious or infected files. I called customer support thinking that surely they'd assist, as they have a banner running "Free 30 Days of support". However after waiting on hold for 20+ minutes I was told I'd have to fork over another $90 to speak to a virus specialist. I then followed some other threads and installed malwarebytes for FREE, which eradicated the problem in under 8 minutes. Can't wait to get a refund for my subscription from McAfee.