Author Topic: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)  (Read 2215 times)

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 25152

Comodo is constantly improving its whitelist. This makes CIS more user friendly but does, in some circumstances, have some downsides. Some malware may sometimes be trusted because it is signed by a trusted certificate or perhaps the vendor was trustworthy, but then changed their ways. This is rare, but it does happen.

Regardless of how it happens it's important to take action against this. If you find malware that is whitelisted, but seems suspicious, please report it here. The name of the trusted vendor, or any other information, is also useful.

Upload these files to one of the following services and post a link to the results:


DO NOT attach or link any malware or malicious links to your post.

When coming across malware signed by Comodo please follow the steps as described in How to report fraudulent or malicious use of certificates issued by Comodo:
Quote
Code Signing Certificates

If you have come across malware signed with a Comodo issued Code Signing certificate please send as much detail as possible to:

signedmalwarealert[at]comodo.com

Helpful details include:
link to the signed malware
screenshots of the certificate details showing the signer organization or certificate serial number or other details which will help us identify the certificate
a copy of the actual certificate if possible
This article also describes how to report fraudulent and phishing emails using Comodo SSL/TLS certificates (but this is not pertinent for this topic).


P.S. Comodo Instant Malware Analysis (CIMA) is no longer active and can no longer be used to submit files to Comodo.
« Last Edit: December 31, 2018, 02:24:13 PM by EricJH »

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 563
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #1 on: January 16, 2019, 11:37:52 PM »
PUA/Adware.Win32/SpeedChecker / MSIL.GT32SupportGeeks - Certificate issued by Comodo & countersigned by DigiCert

https://valkyrie.comodo.com/get_info?sha1=9e65615e505a473467e59be9cd4e5b519ab3b37d

https://www.virustotal.com/#/file/c941f654da99b05340e1a18f4adeb3b82b7d4f85a7e0681eb3f68f92a519615d/detection

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Borland Delphi , Packer: Inno Setup Installer , File has multiple binary anomalies ( File ignores Code Integrity, Entrypoint is outside of first section, CRC value set in PE header does not match actual value, Contains zero-size sections, The file-ratio of the overlay is "97.62%", The file has "2" executable sections, Contains unknown resources, Contains other files ( type: InnoSetup, location: overlay, file-offset: "0x00029A00" & "0x006E8A4C" ), Drops multiple executable files, Reads Antivirus engine related registry keys ("HKLM\SOFTWARE\AVG\ANTIVIRUS"), Contains references to WMI/WMIC, Reads the active computer name, Reads the cryptographic machine GUID, Reads the registry for installed applications, Scanning for window names, Queries kernel debugger information, Queries process information, Queries volume information of an entire harddrive, Allocates virtual memory in a remote process ( "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" ), Writes data to a remote process ( "C:\Windows\System32\taskkill.exe" ), Installs hooks/patches the running process ( "ISCRYPT.DLL", "SHFOLDER.DLL", "MSIMG32.DLL",  "NSI.DLL" ), Opens the Kernel Security Device Driver, Modifies proxy settings, Queries sensitive IE security settings, Generates some ICMP traffic, Communicates with host for which no DNS query was performed ("104.81.60.216" & "104.81.60.33")

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 65547316699348809872486349231859438233
Serial (Hex): 314ff439614ea611359fa634ba041299

Valid from: Oct  5 00:00:00 2018 GMT
Valid until: Jun 12 23:59:59 2019 GMT

C (countryName): IN [494E]
CN (commonName): PC CARE TOOLS [5043204341524520544F4F4C53]
L (localityName): JAIPUR [4A4149505552]
O (organizationName): PC CARE TOOLS [5043204341524520544F4F4C53]
ST (stateOrProvinceName): RAJASTHAN [52414A41535448414E]
postalCode (postalCode): 302017 [333032303137]
street (streetAddress): 3/213, MALVIYA NAGAR [332F3231332C204D414C56495941204E41474152]
« Last Edit: January 16, 2019, 11:49:18 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***
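A defender reading a report like the one above usually wants the signer identity in a form a local policy can act on, and wants to know that the printed attributes actually agree with the bytes in the certificate. The following is an added example written for this thread (it is not code from the post, from Comodo or from CIS). It parses a "Certificate Details" block in the layout pio posts, decodes the bracketed hex annotations back to text and checks them against the printed attribute, verifies that the decimal and hex serials name the same value, reports whether the certificate was inside its validity period on a given date, and derives an issuer-CN:serial key. The sample input is the block from Reply #1; the function names, the record layout and the key format are this example's own choices.

```python
"""Parse a 'Certificate Details' block (thread format) into a record usable for
local allow/block decisions on a signed PUA. Added example, not thread code."""
import re
from datetime import datetime, timezone

# Sample input: the certificate block from Reply #1 above (trailing address
# attributes omitted for brevity).
SAMPLE = """\
Algorithm:                   rsaEncryption
Version:                      3
Issuer:                       /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial:                        65547316699348809872486349231859438233
Serial (Hex):             314ff439614ea611359fa634ba041299

Valid from:                  Oct  5 00:00:00 2018 GMT
Valid until:                  Jun 12 23:59:59 2019 GMT

C (countryName):                 IN [494E]
CN (commonName):              PC CARE TOOLS [5043204341524520544F4F4C53]
L (localityName):                  JAIPUR [4A4149505552]
O (organizationName):         PC CARE TOOLS [5043204341524520544F4F4C53]
ST (stateOrProvinceName):  RAJASTHAN [52414A41535448414E]
"""

# Fixed header keys -> record field names (this example's own naming).
KNOWN = {"Algorithm": "algorithm", "Version": "version", "Issuer": "issuer",
         "Serial": "serial_dec", "Serial (Hex)": "serial_hex",
         "Valid from": "valid_from", "Valid until": "valid_until"}
SUBJECT_KEY = re.compile(r"^(\w+) \((\w+)\)$")                 # e.g. "CN (commonName)"
SUBJECT_VAL = re.compile(r"^(.*?)(?:\s+\[([0-9A-Fa-f]+)\])?$")  # "text [hex]" or "text"
DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # strptime treats format spaces as \s+, so "Oct  5" parses


def _parse_dn(dn):
    """Split '/C=US/O=Foo, Inc./CN=Bar' into (key, value) pairs. Splitting only on a
    slash followed by 'KEY=' keeps a slash inside a value (e.g. a URL) intact."""
    parts = re.split(r"/(?=[A-Za-z]+=)", dn.strip().lstrip("/"))
    return [tuple(p.split("=", 1)) for p in parts if "=" in p]


def parse_cert_block(text):
    """Return a dict with issuer pairs, subject attrs, serials, validity and any
    attribute whose bracketed hex does not decode to the printed text."""
    rec = {"issuer": [], "subject": {}, "hex_mismatches": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")   # first colon only; values may contain ':'
        key, value = key.strip(), value.strip()
        if key in KNOWN:
            field = KNOWN[key]
            if field == "issuer":
                rec[field] = _parse_dn(value)
            elif field in ("valid_from", "valid_until"):
                rec[field] = datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)
            elif field == "version":
                rec[field] = int(value)
            elif field == "serial_hex":
                rec[field] = value.lower()
            else:
                rec[field] = value
            continue
        m = SUBJECT_KEY.match(key)
        if not m:
            continue
        short = m.group(1)
        text_val, hexval = SUBJECT_VAL.match(value).groups()
        rec["subject"][short] = text_val
        # The bracketed hex is the raw attribute bytes; it must round-trip to the text.
        if hexval and bytes.fromhex(hexval).decode("utf-8", errors="replace") != text_val:
            rec["hex_mismatches"].append(short)
    rec["issuer_cn"] = next((v for k, v in rec["issuer"] if k == "CN"), None)
    return rec


def serial_consistent(rec):
    """True when the decimal and hex serials describe the same number."""
    return int(rec["serial_hex"], 16) == int(rec["serial_dec"])


def valid_on(rec, iso_date):
    """True when iso_date (YYYY-MM-DD, taken as UTC) lies inside the validity window.
    Note: a countersigned (timestamped) signature stays valid after the signing
    certificate expires, so this is context for triage, not a verdict by itself."""
    when = datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)
    return rec["valid_from"] <= when <= rec["valid_until"]


def blocklist_key(rec):
    """Issuer CN plus serial identifies one certificate; keying a local rule on
    this pair targets the signer without distrusting the whole CA."""
    return f"{rec['issuer_cn']}:{rec['serial_hex']}"


def findings(rec, iso_date):
    """Triage notes for the record as seen on iso_date."""
    out = [f"subject attribute {a} disagrees with its encoded bytes" for a in rec["hex_mismatches"]]
    if not serial_consistent(rec):
        out.append("decimal and hex serial numbers disagree")
    if not valid_on(rec, iso_date):
        out.append(f"certificate not valid on {iso_date}")
    return out


if __name__ == "__main__":
    record = parse_cert_block(SAMPLE)
    print(blocklist_key(record), record["subject"], findings(record, "2019-01-16"))
```

The same parser handles the other blocks in this thread, including the VeriSign issuer whose OU contains a URL, because the DN splitter only breaks on a slash that introduces a new `KEY=` attribute.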

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 563
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #2 on: January 26, 2019, 11:57:17 AM »
File is rated as fully trustworthy !!!

PUP.Adware.Variant.OpenCandy - Certificate issued by Thawte & countersigned by Symantec

https://verdict.valkyrie.comodo.com/file/result?s=1dc26bbeafbaf69a274cafe534156eace3a49a8d

https://www.virustotal.com/#/file/c5f8e0f7a0d27bec38c135960fe2af3d3ace8fe65cd7567fc0c7c646bb3f815d/details

Some suspicious/malicious Indicators : Compiler/Packer Signature > Compiler: Borland Delphi 6.0 - 7.0, Packer: INNO, NSIS, appended, 7Z, File has multiple binary anomalies ( File ignores DEP, File ignores Code Integrity, Found Delphi 4 - Delphi 2006 artifact (using the buggy magic timestamp "0x2A425E19"), The file-ratio of the overlay is "99.77" %, The file has "3" shared sections, Contains multiple other files (type: Pkzip, Inno Setup, Flash, 7zsfx, Nullsoft), Contains zero-size sections, Contains unknown resources, CRC value set in PE header does not match actual value), Found more than one unique User-Agent (InnoDownloadPlugin 1.4 - Microsoft-CryptoAPI/6.1), References a MIME64 encoding string, References "4" Windows built-in privileges, Drops executable files, Tries to delay/evade the analysis, Reads the active computer name, Reads the cryptographic machine GUID, Reads the registry for installed applications, Reads Windows Trust Settings, Checks for an ADS, Queries kernel debugger information, "Wscript.exe" wrote an executable file to disk (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe), Opens the Kernel Security Device Driver, Opened the service control manager, Queries the internet cache settings, Writes Data to itself, Modifies Software Policy Settings, Modifies proxy settings, Queries sensitive IE security settings, Modifies System Certificates Settings, Creates windows services (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS"), Sends traffic on typical HTTP outbound port, but without HTTP header, Resolves a suspicious TLD (smtp.mail.ru)

See the file related hex / strings in the Attachment !!!

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=US/O=Thawte, Inc./CN=Thawte Code Signing CA - G2
Serial: 150241173182772474830240502896664126402
Serial (Hex): 710765be0e0b40112c8a61f0d99623c2

Valid from: Mar 15 00:00:00 2013 GMT
Valid until: Mar 15 23:59:59 2015 GMT

C (countryName): DE
CN (commonName): pdfforge GmbH
L (localityName): Hamburg
O (organizationName): pdfforge GmbH
ST (stateOrProvinceName): Hamburg
« Last Edit: January 28, 2019, 06:19:57 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline meldan

  • First Response Group
  • Comodo's Hero
  • *****
  • Posts: 3240
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #3 on: January 26, 2019, 01:20:56 PM »
Hi,

Thank you for your submission.
We'll check it.

Kind Regards,
Erik M.


Offline meldan

  • First Response Group
  • Comodo's Hero
  • *****
  • Posts: 3240
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #5 on: January 27, 2019, 02:00:56 PM »
Hi,

Thank you for your submission.
We'll check it.

Kind Regards,
Erik M.


Offline abinaya

  • Comodo Staff
  • Newbie
  • *****
  • Posts: 24
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #7 on: January 30, 2019, 12:54:49 AM »
Hi syc070,

Thank you for your submission.
We'll check them and if found to be malware, detection will be added.

Best regards
Abinaya R


Offline Ananthalakshmi

  • First Response Group
  • Newbie
  • *****
  • Posts: 23
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #9 on: January 31, 2019, 04:28:03 AM »
Hi syc070,

Thank you for your submission.
We'll check them and if found to be malware, detection will be added.

Best regards
Ananthalakshmi M

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 563
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #10 on: February 01, 2019, 11:55:54 PM »
File is rated as fully trustworthy !!!

PUA.Riskware.Downloader.Agent.FusionCore - Certificate issued by VeriSign & countersigned by Symantec

https://valkyrie.comodo.com/get_info?sha1=6391101381e1d8eab650a577a45ad8acd4985acd

https://www.virustotal.com/#/file/6c795f913a2c9cec8364eee57c60dfa8c76aaaa0bc3e70f8e70e1cbd37b0f31c/detection

Some suspicious/malicious Indicators : Compiler/Packer Signature > Compiler: Microsoft Visual C++ 10 - 7.0, Packer: NSIS, appended, Unicode, File has multiple binary anomalies ( File ignores Code Integrity, PE file has unusual entropy sections, Found Delphi 4 - Delphi 2006 artifact - "Fusion.dll" has a PE timestamp using the buggy magic timestamp "0x2A425E19", CRC value set in PE header does not match actual value, Contains zero-size sections, Contains another file (type: Nullsoft, location: overlay, file-offset: "0x00014208"), Runs a Keylogger, Expects Administrative permission, Checks for an ADS, Queries volume information of an entire harddrive, Modifies auto-execute functionality, Spawns a lot of processes, Reads the active computer name, Reads terminal service related keys, Reads the registry for installed applications, Creates guarded memory sections, Allocates virtual memory in a remote process ("HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing" - "\REGISTRY\USER\S-1-5-21-2092356043-4041700817-663127204-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" - "%WINDIR%\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll" - "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE" - "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Rpc\Extensions"), Writes data to another process ("C:\Windows\System32\regsvr32.exe"), Creates a suspicious process (cmdline > "regsvr32.exe" /s /u "C:\Program Files (x86)\PowerISO\PWRISOSH.DLL"), Opened the service control manager, Stops windows services ("SCDEmu" (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCDEmu\Start)), Opens the Kernel Security Device Driver, Modifies proxy settings, Queries sensitive IE security settings, Process launched with changed environment ("iexplorer.exe"), Generates some ICMP traffic, Communicates with host for which no DNS query was performed ("193.229.113.152" & "193.229.113.56")

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Code Signing 2010 CA
Serial: 25447212857388114618160785493989438414
Serial (Hex): 1324f475eba5951391c5126cf4eeb3ce

Valid from: Jan  5 00:00:00 2018 GMT
Valid until: Jan  5 23:59:59 2019 GMT

C (countryName): HK [484B]
CN (commonName): Power Software Limited
L (localityName): NORTH POINT
O (organizationName): Power Software Limited
ST (stateOrProvinceName): HONG KONG

Does not seem to have been edited yet !!!

File is rated as fully trustworthy !!!

PUP.Adware.Variant.OpenCandy - Certificate issued by Thawte & countersigned by Symantec

https://verdict.valkyrie.comodo.com/file/result?s=1dc26bbeafbaf69a274cafe534156eace3a49a8d

https://www.virustotal.com/#/file/c5f8e0f7a0d27bec38c135960fe2af3d3ace8fe65cd7567fc0c7c646bb3f815d/details
« Last Edit: February 02, 2019, 12:17:13 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Ananthalakshmi

  • First Response Group
  • Newbie
  • *****
  • Posts: 23
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #11 on: February 02, 2019, 12:09:55 AM »
Hi pio,

Thank you for your submission.
We'll check them and if found to be malware, detection will be added.

Best regards
Ananthalakshmi M

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 563
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #12 on: February 07, 2019, 11:46:15 PM »
File is rated as fully trustworthy !!!

PUP.Adware.Variant.InstallCore - Certificate issued by Thawte

https://valkyrie.comodo.com/get_info?sha1=097d7c635ea3951aa799c758ab3855c21cf433b5

https://www.virustotal.com/#/file/ae7d9e9565128c8d5b11d0a8c16912acba1526618e22165fb50e1c752199366f/detection

Some suspicious/malicious Indicators : Compiler/Packer Signature > Compiler: Borland Delphi 6.0 - 7.0, Packer: Inno Setup Installer 5.62, File has multiple binary anomalies (File ignores DEP, File ignores Code Integrity, Checksum mismatches the PE header value, Has "3" shared sections, Contains zero-size sections, Contains unknown resources, The file-ratio of the overlay is "97.75" %, Time Stamp is suspicious > "06/20/1992", Contains another file (type: InnoSetup, location: overlay, file-offset: "0x0000D400"), Reads data out of its own binary image, References a Windows built-in privilege, Get TickCount value, Input file contains API references not part of its Import Address Table ("SetDllDirectoryW", "SetSearchPathMode", "SetProcessDEPPolicy",  "GetUserDefaultUILanguage",  "Wow64DisableWow64FsRedirection", "Wow64RevertWow64FsRedirection"), Creates guarded memory sections, Touches files in the Windows directory ("WINDIR%\SysWOW64\en-US\KernelBase.dll.mui" & "WINDIR%\SysWOW64\netmsg.dll"), Set special directory property (C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files, C:\Documents and Settings\Administrator\Local Settings\History, C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5, C:\Documents and Settings\Administrator\Cookies, C:\Documents and Settings\Administrator\Local Settings\History\History.IE5), Generates some ICMP traffic

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=US/O=thawte, Inc./CN=thawte SHA256 Code Signing CA
Serial: 4468084437249212705824920047946844446
Serial (Hex): 035c859223ee74265664f784b1dc491e

Valid from: Sep 26 00:00:00 2018 GMT
Valid until: Sep 26 23:59:59 2019 GMT

C (countryName): RO [524F]
CN (commonName): XLNT Web Services SRL
L (localityName): Bucuresti
O (organizationName): XLNT Web Services SRL
OU (organizationalUnitName): IT
« Last Edit: February 07, 2019, 11:56:14 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Ananthalakshmi

  • First Response Group
  • Newbie
  • *****
  • Posts: 23
Re: Report trusted and whitelisted malware here- 2019 (NO LIVE MALWARE!)
« Reply #13 on: February 07, 2019, 11:54:47 PM »
Hi pio,

Thank you for your submission.
We'll check them and if found to be malware, detection will be added.

Best regards
Ananthalakshmi M

