
Endpoint protected machine compromised CASE# 411-396-061

Created: 16 Feb 2010 • Updated: 27 Aug 2010 | 11 comments

We’ve identified a Trojan on a client machine XP SP3 that Endpoint 11.0.5002.333 did not detect. Following a report from a user whose personal online banking account was compromised with an unauthorized transaction, a full scan with Endpoint revealed no issue. Endpoint logs identified no threat. Using the free application Malwarebytes, a trojan was detected (details below). This is obviously a very serious security concern, as it would indicate that Endpoint is not providing the protection required.

A Google search indicates that this is a 'known trojan' with identified behaviour. Why does Endpoint not detect this threat?

Malwarebytes' Anti-Malware 1.44
Database version: 3741
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

15/02/2010 16:42:37
mbam-log-2010-02-15 (16-42-30).txt

Scan type: Quick Scan
Objects scanned: 162813
Time elapsed: 14 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.
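The log above shows an extra program chained onto the Winlogon `Userinit` value. As an added example (not part of the original post, and not Malwarebytes or Symantec code), this Python sketch parses detection lines in that log format and reports any `Userinit` entry outside a baseline. The sample lines are copied from the log above; the baseline set `ALLOWED` is an assumption for a default XP install.

```python
import re
from collections import defaultdict

# Inline sample input: a subset of lines copied from the log above.
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.
"""
SECTION = re.compile(r"^(.+) Infected:$")
FINDING = re.compile(r"^(?P<obj>.+?) \((?P<label>[\w.]+)\) -> (?P<rest>.+)$")
BAD = re.compile(r"Bad: \((?P<bad>.*?)\) Good:")
# Assumed baseline: the stock binary by full path, or the bare name the log calls "Good".
ALLOWED = {r"c:\windows\system32\userinit.exe", "userinit.exe"}

def parse_findings(log_text):
    """Group detection lines by section heading ('Files', 'Registry Values', ...)."""
    findings, section = defaultdict(list), None
    for line in log_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = FINDING.match(line)
        if m and section:
            findings[section].append(m.groupdict())
    return dict(findings)

def extra_userinit_entries(value):
    """Return comma-separated Userinit entries that are not in the baseline."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() not in ALLOWED]

def userinit_hijacks(log_text):
    """Programs chained onto the Winlogon Userinit value, from the log's 'Bad:' data."""
    out = []
    for f in parse_findings(log_text).get("Registry Data Items", []):
        m = BAD.search(f["rest"])
        if m and f["obj"].lower().endswith(r"\winlogon\userinit"):
            out.extend(extra_userinit_entries(m.group("bad")))
    return out
```

Comparing full paths rather than file names means a `userinit.exe` placed in another directory is also reported.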


sandeep_sali

Case# 411-396-061

The concerned SEP department has been intimated regarding the issue and the case number. Someone would follow up with you as soon as possible.

Thanks & Regards

Sandeep C Sali

P_K_

What to do when a competitor's antivirus, adware scanner, or spyware scanner detects a threat that Symantec AntiVirus does not detect

http://service1.symantec.com/support/ent-security.nsf/docid/2001101708255048?Open&seg=ent

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

mass 2

Thanks for the link. All of the suggested solution points are well understood, but none apply to this issue. This appears to be an instance of Trojan-Spy.Win32.Zbot that is undetected by Endpoint.

bjohn

And you can find a million threads on this forum that say Malwarebytes or some other scanner picked up something that SEP did not.
nothing new...

mass 2

In this instance, the trojan was used by an attacker to steal the user's online banking login information, and her bank account was subsequently cleared of funds. SEP did not identify or log any risk or threat during this incident. The third-party application identified and removed the offending trojan. Our current position is that we are wide open to further security compromise with SEP until a resolution is identified.

Mobiustrip

They will fill an entire thread with reasons why their product failed and an out-of-the-box free AV-AS found and cleaned it. They will tell you how effective it is with all the other kinds of threats. Just not "scareware" or RogueAV-malware. And bjohn is right - the forum is full of threads complaining of this same issue. The upshot is you're gonna need a third party scanner like Malwarebytes or Hitman to rid you of Scareware and its residual code. I had high hopes for SEP - finally the AV community was going to address the browser-delivered malware epidemic. I guess not... This is what they are saying about not detecting what MBAM does:

  • A repair tool-type product that runs on a single machine and is not centrally monitored or managed may be far more aggressive - thus detecting some threats that SAV or even SEP may not - but often at the cost of a much higher false positive detection rate, sometimes as high as 40%

Has anyone ever had MBAM pull a false-positive?

Vikram Kumar-SAV to SEP

Keeping SEP aside. Yes, there are a lot of False Positives from MBAM that I have personally found. Even look at their detection logs.
If they say there are 10 infections, 8 would be some left behind registry entries. That it shouldn't have flagged in the first place but it does just to make the count more. But yes since it is a freeware it has to do that for people to buy it.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

mass 2

I think I'd rather the odd false positive detection to funds being withdrawn from my bank account.

Ronald Rossi

I too have had a customer who almost had funds stolen from their account if it were not for an alert bank employee. We are a Symantec reseller and personally I am tired of SEP not doing its job, and I do not want to hear about how Malwarebytes is more aggressive, or false positives, bla, bla, bla. When you do an on-demand scan, scanning all the files and your machine comes back clean, meanwhile you are infected with a KNOWN BUG! That is total BS. Most people are moving to Trend, one of my customers is running that now, we will see how it goes. We just cannot spend any more time cleaning up crapware.

postechgeek

@mass 2

You could use application device control to block the virus company wide. I'd give it a shot in a test environment and see how that works.

Mike

Vikram Kumar-SAV to SEP

If somebody has written a threat with that intelligence then somebody has to get hit...Unlucky that it was a Symantec User but it can happen with any Antivirus.
If just Antivirus would have been the answer for all security concerns then banking websites would check if you had an antivirus rather than having high encryption and online keyboard and what not..

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.