Author Topic: weakness of the gpCode  (Read 107023 times)

Offline morphiusz
weakness of the gpCode
« on: December 05, 2010, 03:53:57 PM »
Hi

Before you start reading, you should view these links:

http://www.securelist.com/en/descriptions/old313444

http://www.securelist.com/en/blog/333/GpCode_like_Ransomware_Is_Back


Maybe you have heard about this virus?
It's a very, very dangerous and 'annoying' (huh) virus.
It encrypts all your files (pics, music, docs and others) with a very strong algorithm, so you can't get those files back, ever.
There are 2 versions of this virus:
1. The old one, detected by CIS (I've got this sample),
2. The new one, which is probably also detected by CIS, but

So what?
As you can see, in the future there can be new versions of GPCode.
When it infects your system, all your important files are lost.
CIS should (has to) be able to prevent this horrible procedure.
Because now it doesn't; I made a test a few days ago.
With this configuration:

(paranoid mode, proactive security, sandbox set to untrusted) GPCode got into the system and destroyed (encrypted) all files :( This simulation shows that you can lose all your files when the CIS AV doesn't detect it (e.g. a new version of the virus, or another virus which encrypts your files).


I also tested Online Armor, and it passed the test: GPCode couldn't get the list of files, so it couldn't encrypt anything. It's great that OA can prevent your data being destroyed, and I hope that you fix it. For example (like OA), Comodo should give an alert when something wants to get the list of files, shouldn't it? Like OA does.
Or, if you have a better solution, I hope you add it to CIS.

Uff... sorry for my chaotic language and mistakes; I hope you will understand.

P.S. To Comodo staff: when you want a sample of this virus, I've got the old one.
BTW I posted about this problem on the MRG board, and PMed umesh ;).

Offline kagun
Re: weakness of the gpCode
« Reply #1 on: December 05, 2010, 04:04:19 PM »
Does latest Kaspersky prevent this?

Offline Valentin N
Re: weakness of the gpCode
« Reply #2 on: December 05, 2010, 04:09:43 PM »
How can I protect myself against this, then?

Offline kazza5
Re: weakness of the gpCode
« Reply #3 on: December 05, 2010, 04:19:59 PM »
That is really, really bad. I hope Comodo can fix this.

Offline morphiusz
Re: weakness of the gpCode
« Reply #4 on: December 05, 2010, 04:20:55 PM »
Quote
Does latest Kaspersky prevent this?

Yes it does, and I'm sure CIS also detects this virus, but... Defense+ can't stop this.

Take it easy ;)

Offline kagun
Re: weakness of the gpCode
« Reply #5 on: December 05, 2010, 04:23:20 PM »
I know you tested with maximum settings, but did you test on default?
Also, were there any prompts and what did you answer them? :-TU

Offline brucine
Re: weakness of the gpCode
« Reply #6 on: December 05, 2010, 04:25:57 PM »
Quote
2. New one, which is probably also detects by CIS, but

Quote
Because now it doesn't, i made a test few days ago

Things can't be black and white at the same time: "is probably also detects" (sic) or "because now it doesn't"?

Quote
As you can see in the future it can be new versions of  GPCode.

Quote
For example(like OA) Comodo should gives alert,
As far as I am aware, no one can predict the future.
We can't talk of wind and suppositions: in order to refute or confirm what you say, the only way seems to be either to link to online security tests stating how the said malware is treated by various security software, or to provide a POC so that everyone is able to know what you are speaking of.

Offline morphiusz
Re: weakness of the gpCode
« Reply #7 on: December 05, 2010, 04:27:29 PM »
I think that on default settings it will be the same.
I also tested it with the sandbox disabled; CIS fails.

There weren't any prompts, alerts etc. :(
I looked at the event log: none.

Offline morphiusz
Re: weakness of the gpCode
« Reply #8 on: December 05, 2010, 04:30:41 PM »
brucine:

"Because now it doesn't, I made a test a few days ago"
Sorry, I meant "Because now Defense+ doesn't, I made a test a few days ago".

But Comodo AV, which is up to date, does.

Offline kagun
Re: weakness of the gpCode
« Reply #9 on: December 05, 2010, 04:33:54 PM »
At least it's detected...
But still I would like to wait for the Mods/Languy and their opinion on this... :-TU

Offline morphiusz
Re: weakness of the gpCode
« Reply #10 on: December 05, 2010, 04:49:55 PM »
Calm down, people :)

I'll say it again:
1. The old version of this virus (Trojan-Ransom.Win32.GpCode.ak) is detected; you are safe!
2. The newest version of this virus (Trojan-Ransom.Win32.GpCode.ax); I'm pretty sure that it is also detected; you are safe!

The big deal is that D+ & the sandbox can't prevent this ;).

[attachment deleted by admin]
« Last Edit: December 05, 2010, 04:53:17 PM by miloszcz »

Offline Valentin N
Re: weakness of the gpCode
« Reply #11 on: December 05, 2010, 04:56:27 PM »
You saved my day ;D This is something that Comodo has to work on, to make the HIPS 100 or damn near :)

Regards,
            Valentin

Offline Chiron
Re: weakness of the gpCode
« Reply #12 on: December 05, 2010, 05:02:08 PM »
Which virtual machine did you use to test this?

Offline aigle
Re: weakness of the gpCode
« Reply #13 on: December 05, 2010, 05:47:29 PM »
Yes, it must be fixed. Defense+ must block it just like OA.

Offline morphiusz
Re: weakness of the gpCode
« Reply #14 on: December 06, 2010, 12:27:53 AM »
Quote
Which virtual machine did you use to test this?

I didn't use a virtual machine >:-D
Just Shadow Defender, plus I took a snapshot with CTM.
