Does CAV detection work by HASH identification?

Hi,

Recently I have been facing a malware script named “Rahul’s Virus Protection.vbe”, which, when it enters a system, automatically adds itself to the startup list with “wscript.exe” (which is a safe file).

I sent a sample to CAV labs a month ago and it was added to the definitions two days later (not cloud detection). It was detected as “unclassified malware”.

After a week, when I found that the same file was again running on my PC undetected, I took the sample and checked it on VirusTotal. It was detected as the same malware by every other company that had previously identified it, except COMODO.

Original file:

Modified file (just one commented line was deleted):

I checked the hashes of the two files, and they were different.

To confirm this behaviour, I disabled CAV, opened the sample with WordPad, changed one “commented line” as above, and saved it under another name. When I scanned the two samples again, the modified file was not identified.

Someone please confirm this. I can send you the samples if you want.

If this is the current CAV detection method, I do not think it is at all effective against new threats. Just adding the hashes of all known samples is not signature-based detection in my opinion.
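A worked illustration of the behaviour described in this post, added here as an example (not code from the thread, from Comodo, or from the sample itself): a constructed, harmless VBScript stand-in is hashed as-is and after one comment line is removed, and a comment-stripping normalization (an assumed defender-side scheme, not how CAV works) is shown to keep matching the cosmetic variant while still distinguishing a real code change.

```python
import hashlib
import re

# Constructed, benign stand-in for the script discussed above; it is not the
# real sample and does nothing but pop up a message box.
ORIGINAL = (
    "' Rahul's Virus Protection (constructed stand-in)\r\n"
    "' this comment line is the only thing the variant drops\r\n"
    "Set sh = CreateObject(\"WScript.Shell\")\r\n"
    "sh.Popup \"it's only a demo\"\r\n"
)
# One comment line deleted, as in the thread.
VARIANT = ORIGINAL.replace(
    "' this comment line is the only thing the variant drops\r\n", "")
# A real code change, to show normalization does not over-match.
CHANGED = ORIGINAL.replace("only a demo", "something else")

def sha1_hex(data: bytes) -> str:
    """Plain file hash: what a hash-only blacklist stores."""
    return hashlib.sha1(data).hexdigest()

def strip_comment(line: str) -> str:
    """Cut a VBScript ' comment, ignoring apostrophes inside "..." strings."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line

def normalize_vbs(text: str) -> bytes:
    """Drop comments (' and REM), blank lines, indentation and letter case so
    cosmetic edits leave the digest unchanged (assumed defender-side scheme)."""
    kept = []
    for line in text.splitlines():
        line = strip_comment(line).strip()
        if not line or re.match(r"rem(\s|$)", line, re.IGNORECASE):
            continue
        kept.append(line.lower())
    return "\n".join(kept).encode()

def normalized_sha1(text: str) -> str:
    """Digest of the normalized script text."""
    return sha1_hex(normalize_vbs(text))

def is_detected(sample: str, blacklist: set, normalized: bool) -> bool:
    """Look a sample up in a blacklist of plain or normalized SHA1 digests."""
    digest = normalized_sha1(sample) if normalized else sha1_hex(sample.encode())
    return digest in blacklist
```

Normalization only absorbs cosmetic edits; a variant that re-obfuscates or changes the code, as with the CHANGED sample, still needs generic or behavioural signatures rather than any hash.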

Two things come to mind.

  1. This reminds me of the PCMag test in which the tester mentioned that when he modified the samples, Comodo missed many malwares which it originally detected. So he contacted Comodo & they replied that Comodo AV is for usability in CIS, so it's not flexible.

At that time I had mentioned this here in the forum. I could not find the thread now.

  2. At Wilders I once came across a post by Kevin, who was once associated with Comodo BOClean development. At that time he was not with Comodo. He had mentioned that they (Comodo) don't produce quality signatures (Comodo AV) but padded signatures, i.e. a little padding here and there.

I don't remember the exact words now. I couldn't find the thread now.

Someone had posted Kevin's post here in the forum too. I don't remember, but I think there was no reply from Melih or the Devs.

Only Devs can give correct info on Comodo AV.

Can someone comment on it with authority?

Confirmed again… two more signatures added just based on hash…

Add one comment line in the script file and it gets bypassed.

Not sure if this can be called detection at all…

Nice observation, Siva. I too would like to know about Comodo AV detection. It would be good if the Devs give us the info.

Hope Devs reply here…

If such is the case, I think I would not run Comodo AV.

Siva, did you PM the Devs requesting info about this, or PM them this thread link to reply here?

I did post this issue here in the “Submit Malware” thread, explaining the issue. Unfortunately no reply from any analyst or dev yet.
https://forums.comodo.com/av-false-positivenegative-detection-reporting/submit-malware-here-to-be-blacklisted-2012-no-live-malware-t80088.0.html;msg620592#msg620592

Let's wait for a while, as they may be busy with CIS 6.

I am wondering if the detection method is changed & improved in CIS 6, as someone mentioned in the CIS 6 Beta thread that due to changes in the AV, the bases.cav from version 5 cannot be used in CIS 6. I wonder if these changes also affect the things you have mentioned here.

NSG001 found Kevin's post & messaged me. Thanks NSG001 for your time & effort.

Here are Kevin's words posted at Wilders:

"Well … since the last thing that Melih can come after me for is now out of his reach, yes indeed. I handed him a wonderful method of protecting (and most importantly CLEANING existing malware) in BOClean, I can offer a guaranteed method to test their effectiveness on ANY malware since all they do on their AV side (“detection”) is grab an SHA1 hash of the sample they receive.

PAD the file with some extra stuff past the end so that the SHA1 is different. Voila, not detected.

Had they actually done what I gave them with the code instead of turning their design over to the Chinese, then any diddling would be caught BY NAME of the malware. A generic “suspicious” doesn’t count since they FP on pretty much anything that isn’t in their “whitelist” … test them for actual detection and see what happens. (grin)

Only reason why their “detection rate” is as high as it is is because they BUY samples from the testing joints and then SHA1 the samples into their “database.” Modify those “in the wild” samples and fail …"

Siva, the post is similar to your findings on AV detection.

Here is the link to Kevin's post at Wilders:

I still find it a little uncomfortable that no MOD or DEV has at least commented on this at all… it's already one week since I posted this.

This is a theory, idk if it's correct… but I am sure that Daisy needs a sample pool of a type of malware before she can create a generic signature. However, they can be generated by hand, but those take some time.

Btw, do you know what method that malware is using to enter the system?

Try to create this file on a different computer and then try to inject it into your machine protected by CIS and let us know what happens, pls.

thanks
Melih

I did not try it manually, but that is what actually happened.

I found these samples on 3 of my friends' systems, all infected by this malware while CIS was up and running.

They were all entering the system through pendrives. An autorun entry in the name of the executable “wscript.exe” (which is a trusted file) is being created in HKLM.…\Winlogon\userinit.exe

Maybe because “wscript.exe” is Trusted, this script runs normally, i.e., outside the sandbox.

The most important point that I observed on the systems infected by this malware is that CIS does not identify any of these samples on those systems, even if the detection (maybe hash) is added to the bases after updating.

The same sample is detected by CIS on my system, but is not identified by the same updated base on any of the compromised systems.

Again, there are many samples of the same malware on these systems. When I open the scripts with Notepad, what I observed is that all are the same with minor changes, which resulted in different hashes.

So, every time I send a sample to Comodo Labs from the forum, they add the hash, which only detects that one particular file.

I had cleaned them with CCE and cleared the registry entry (already detected samples), but after one day someone plugs in the same pendrive, so the infection reappeared. So presently I have replaced CIS with ESET so that the systems keep working without infection (the systems are used for digital photo album making, and I cannot stop them for long).

You have the samples with you; you can verify it yourselves. I can also PM the samples if you need.

This is the reason I have been stressing a lot on this issue.

Hope this helps.

Siva,

This thread also relates to the issue you mentioned…

https://forums.comodo.com/empty-t86616.0.html;topicseen

A few words from the post:

"lol with fake digital signature
that file needs to use Internet Explorer to download more malware
this kind (Zbot) yesterday I submitted it and an update for it
but I see the file created too in Application Data with another hash and MD5
so please add this new version too

and after infecting Internet Explorer lol the file goes and creates C:/test/sample.exe, after that injection into lsass.exe like what I tested

reported it yesterday and the team added it in the signature but they added only the original file
without adding the infection file in C:/test/sample.exe
and the file which I sent
all created by the original file which I sent yesterday"

Hello Siva,

I guess this will answer your question:

You can search their files there, safe or malware.
You can even search for them using SHA1.

I suppose this site is fed by all submissions to Comodo (once I submit and COMODO responds, it appears on this website in a very short time).

I think you have not understood the issue correctly. The site you sent will only identify malware based on its memory of known malware samples by hash.

Comodo presently adds the hashes of all the malware we submit to them to their detection. Therefore, it is very likely that if I check any samples there, they will definitely be identified, since I have already submitted those samples to them.

But if we slightly modify a file, making a new hash, it bypasses detection. That's the point of this thread.

I get the same problem with the Zbot malware.

Yes, I know the point of this thread.

What I was trying to tell you with my post is to confirm that currently CAV identifies whether a file is malware or not by its SHA1 signature (answering the original question of this thread: Does CAV detection work by HASH identification?).

CAV identifies hashes of malware; yes, we all know it and it's good.

CAV creates definitions based on the hash of known samples, instead of analysis… that's the debate.

Devs actually have not commented on it yet.

And if it is true, that's called padded signature detection, which is certainly of poor quality.

That’s the essence of the topic.

There are many ways to detect… hash is one of them. There are generic signatures, heuristics etc… not every malware can be detected by generic signatures.