cloutz

backdoor Trusted by OA?

Hi,

I tried OA with a malware sample today on my VirtualBox (win7 64 bit installed).

1. When I execute it from E:\

OA treated it as "Trusted by OA support team".

backdoorwin32fynloskia.th.png

2. When I execute it from the desktop C:\Users\VM\desktop

OA treated it as "not flagged as good or bad by OA team"

backdoorwin32fynloskia2.th.png

Is it normal?

Or is there a criteria that I miss so the files are labeled as trusted in some situations?

Because this malware was allowed to connect to the internet (unless the setting to AutoAllow trusted programs is DISABLED)

Regards

That is indeed strange. This is why I have long since disabled the 'Automatically allow trusted programs to access the internet' option. IMO this should be off by default.

Although the fact that OA automatically trusted the sample means it could have installed on your system if it was a real piece of malware.

Can you please try to reproduce the problem with logs enabled and send in the logs together with the actual file if it is possible? Instructions on how to enable and use debug mode can be found here:

http://support.emsisoft.com/topic/2999-debug-mode-logs-how-to-get-them/

Ok, but I don't have an email address to send the log to, so I will attach it here (otherwise give me an email address and I will forward it :) ).

Useful information:

18:26

- a program (crypter.exe) wants to run > OK

- C:\Users\vm\desktop\crypter.exe firewall orange alert: "crypter want to use internet"

- process terminated via Task Manager

18:29

- a program (crypter.exe) wants to run > OK

18:30

- E:\crypter.exe firewall green alert: "crypter want to use internet"
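The timeline above shows the same program getting an orange (ask the user) alert at one path and a green (auto-trusted) alert at another. The following is an added example, not OA's code and not from this thread: it reproduces that setup offline with a constructed payload at two paths, hashes both copies, and flags any content hash that received more than one verdict, since a trust decision should follow the file's contents rather than its location. Paths, alert colours and the payload bytes are constructed.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed alert records mirroring the reporter's timeline: (time, path, alert colour).
# "orange" = OA prompted the user, "green" = OA auto-allowed the program as trusted.
SAMPLE_ALERTS = [
    ("18:26", r"C:\Users\vm\desktop\crypter.exe", "orange"),
    ("18:30", r"E:\crypter.exe", "green"),
]


def sha256_file(path):
    """Content hash of a file; a trust verdict should key on this, not on the path."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_inconsistent_verdicts(alerts, hash_of):
    """Group alerts by content hash; return {hash: {path: verdict}} for every hash
    that got more than one verdict (prompted at one path, auto-trusted at another)."""
    by_hash = defaultdict(dict)
    for _, path, verdict in alerts:
        by_hash[hash_of(path)][path] = verdict
    return {h: p for h, p in by_hash.items() if len(set(p.values())) > 1}


def demo():
    """Recreate the scenario offline: identical constructed bytes at two locations."""
    with tempfile.TemporaryDirectory() as tmp:
        body = b"MZ constructed sample, not a real executable"  # stands in for crypter.exe
        local = os.path.join(tmp, "desktop", "crypter.exe")
        shared = os.path.join(tmp, "shared", "crypter.exe")
        for p in (local, shared):
            os.makedirs(os.path.dirname(p))
            with open(p, "wb") as f:
                f.write(body)
        # map the Windows paths in the log to the temporary copies
        mapping = {SAMPLE_ALERTS[0][1]: local, SAMPLE_ALERTS[1][1]: shared}
        return find_inconsistent_verdicts(SAMPLE_ALERTS, lambda p: sha256_file(mapping[p]))


if __name__ == "__main__":
    for digest, paths in demo().items():
        print(digest[:16], paths)
```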

Thanks for the logs. Unfortunately, they are not enough in this case. Could you provide information about the OA version and Volume E? Also, it would be great to know what E:\101.exe is and to have the firewall log (Options->Firewall->Enable logging [ticked] and Options->Firewall->Additional debug info [ticked]).

The test is made on VirtualBox.

C:\ is the partition where Windows is installed.

E:\ is the directory shared with the real system.

When I execute crypter.exe from the shared directory, the file is trusted.

When I copy crypter.exe to the Desktop and then execute it, it is not trusted.

101.exe is another malware that was in the shared directory; it was there because I did some tests.

I do not know how to enable "Additional debug info", I can't find it:

immaginerl.th.png

Thanks!

To access additional debug info you need to switch to advanced mode.

BTW, is e:\crypted.exe really trusted in the "Programs"? What hash does it show in the hint (when hovering over the record in the "Programs")?

I'm using the free version, which does not have Advanced Mode.

E:\ crypted is not a trusted program on OA.

You can find other information on this screen:

immagine02.th.png

Honestly, it's a strange behaviour.

If you want, I can attach the zip with the malware, protected with a password, so you can reproduce the same circumstances and try.

I'm fully available B)

Just in case, if you shut down OA and remove the oacached.dat file from the OA home directory, will it still be the same? If yes, would you mind trying it with the latest beta? (It appears to be pretty stable.) If yes, just PM me and I'll provide you with the link to the installer.

Tried, bad result.

PM sent, available to try the new beta.

Honestly I'm not scared about this specific problem because I do not use the Auto-Trusting features.

Anyway I'll try the newest version, hoping it was a problem of mine :)

Regards

No problem with the v5 :)

32288126.th.png

This alert appears even if the AutoAllow is activated.

Great job, I really like this version!

Thanks
