Endpoint protected machine compromised CASE# 411-396-061
We've identified a Trojan on a client machine (XP SP3) that Endpoint 11.0.5002.333 did not detect. Following a report from a user whose personal online banking account was compromised with an unauthorized transaction, a full scan with Endpoint revealed no issue. Endpoint logs identified no threat. Using the free application Malwarebytes, a trojan was detected (details below). This is obviously a very serious security concern, as it would indicate that Endpoint is not providing the protection required.
A Google search indicates that this is a 'known trojan' with identified behaviour. Why does Endpoint not detect this threat?
Malwarebytes' Anti-Malware 1.44
Database version: 3741
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512
15/02/2010 16:42:37
mbam-log-2010-02-15 (16-42-30).txt
Scan type: Quick Scan
Objects scanned: 162813
Time elapsed: 14 minute(s), 26 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.
Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.
Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.
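The Userinit hijack in the log above is the one finding here that a defender can check for directly: Winlogon runs every comma-separated entry of the Userinit value at each logon, so anything besides the stock userinit.exe is a persistence mechanism. The following is an added example, not code from the thread or from Symantec or Malwarebytes; it assumes the system root C:\WINDOWS seen in the log and uses the quoted Userinit line as its constructed sample.

```python
"""Flag non-default Userinit entries and extract such findings from an
MBAM 1.x style scan log.  Added example; not from the original post."""
from __future__ import annotations
import re

# Entries a stock Windows XP Userinit value is expected to carry
# (assumption: system root is C:\WINDOWS, as in the quoted log).
EXPECTED_USERINIT = {"userinit.exe", r"c:\windows\system32\userinit.exe"}


def userinit_extras(value: str) -> list[str]:
    """Return Userinit entries that are not the stock userinit.exe.

    Winlogon launches each comma-separated entry at logon, so every extra
    path runs with the user's privileges on every login.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() not in EXPECTED_USERINIT]


# "Registry Data Items Infected" line format of an MBAM 1.x log:
# <key> (<category>) -> Bad: (<bad>) Good: (<good>) -> <action>
MBAM_DATA_RE = re.compile(
    r"^(?P<key>.+?) \((?P<category>[^)]+)\) -> Bad: \((?P<bad>.*?)\) "
    r"Good: \((?P<good>.*?)\) -> (?P<action>.+)$"
)


def hijacked_userinit_from_log(log_text: str) -> list[dict]:
    """Scan log lines for Userinit hijacks; one finding dict per hit."""
    findings = []
    for line in log_text.splitlines():
        m = MBAM_DATA_RE.match(line.strip())
        if not m or not m.group("key").lower().endswith(r"\winlogon\userinit"):
            continue
        extras = userinit_extras(m.group("bad"))
        if extras:
            findings.append({"key": m.group("key"), "extra": extras,
                             "action": m.group("action")})
    return findings


# Constructed sample: the Userinit line quoted in the forum post above.
SAMPLE_LOG = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit "
    r"(Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) "
    r"Good: (Userinit.exe) -> No action taken."
)

if __name__ == "__main__":
    for f in hijacked_userinit_from_log(SAMPLE_LOG):
        print(f"{f['key']}: unexpected Userinit entries {f['extra']} ({f['action']})")
```

On a live XP host the same `userinit_extras` check can be fed the value read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit; the parser only exists so the check can also be run over saved scan logs.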
Case# 411-396-061
The concerned SEP department has been intimated regarding the issue and the case number. Someone would follow up with you as soon as possible.
Thanks & Regards Sandip C Sali
What to do when a competitor's antivirus, adware scanner, or spyware scanner detects a threat that Symantec AntiVirus does not detect
http://service1.symantec.com/support/ent-security.nsf/docid/2001101708255048?Open&seg=ent
Prachand MCSE-2012 Symantec Technical Specialist (SCTS)
Thanks for the link. All of the suggested solution points are well understood, but none apply to this issue. This appears to be an instance of Trojan-Spy.Win32.Zbot that is undetected by Endpoint.
And you can find a million threads on this forum that say Malwarebytes or some other scanner picked up something that SEP did not.
nothing new...
In this instance, the trojan was used by an attacker to steal the user's online banking login information, and her bank account was subsequently cleared of funds. SEP did not identify or log any risk or threat during this incident. The third-party application identified and removed the offending trojan. Our current position is that we are wide open to further security compromise with SEP until a resolution is identified.
They will fill an entire thread with reasons why their product failed and an out-of-the-box free AV-AS found and cleaned it. They will tell you how effective it is with all the other kinds of threats. Just not "scareware" or RogueAV malware. And bjohn is right - the forum is full of threads complaining of this same issue. The upshot is you're gonna need a third-party scanner like Malwarebytes or Hitman to rid you of scareware and its residual code. I had high hopes for SEP - finally the AV community was going to address the browser-delivered malware epidemic. I guess not... This is what they are saying about not detecting what MBAM does:
Has anyone ever had MBAM pull a false-positive?
Keeping SEP aside: yes, there are a lot of false positives from MBAM that I have personally found. Even look at their detection logs.
If they say there are 10 infections, 8 would be some left-behind registry entries that it shouldn't have flagged in the first place, but it does just to make the count higher. But yes, since it is freeware, it has to do that for people to buy it.
Vikram Kumar
Symantec Consultant
The most helpful part of entire Symantec connect is the Search button..do use it.
I think I'd rather the odd false positive detection to funds being withdrawn from my bank account.
I too have had a customer who almost had funds stolen from their account if it were not for an alert bank employee. We are a Symantec reseller and personally I am tired of SEP not doing its job, and I do not want to hear about how Malwarebytes is more aggressive, or false positives, bla, bla, bla. When you do an on-demand scan, scanning all the files, and your machine comes back clean, meanwhile you are infected with a KNOWN BUG! That is total BS. Most people are moving to Trend; one of my customers is running that now, we will see how it goes. We just cannot spend any more time cleaning up crapware.
@mass 2
You could use Application and Device Control to block the virus company-wide. I'd give it a shot in a test environment and see how that works.
Mike
If somebody has written a threat with that intelligence then somebody has to get hit... Unlucky that it was a Symantec user, but it can happen with any antivirus.
If antivirus alone were the answer to all security concerns, then banking websites would check whether you had an antivirus rather than having high encryption, online keyboards and what not..
Vikram Kumar
Symantec Consultant
The most helpful part of entire Symantec connect is the Search button..do use it.