Does BOClean capture and neuter the Limbo 2 Trojan? I don’t see it in the list of covered malware, though it may have a different name. This looks like a nasty bitch. :frowning:

Unless you are able to provide a sample of this “custom-made” virus, probably no one will tell you. The heuristics, behaviour analysis etc. might catch it, or not… Without the real code in hand nobody can tell. :wink:

I have read about this nasty too. As far as I understand the maker only changes the trojan’s shell, so it should be something that BOClean can protect you against. If Comodo already has a sample I don’t know.

I doubt Kevin would have difficulty getting his hands on the pest through his contacts with other researchers. My question is whether he has and has included protection for it in the current definitions. This is apparently gonna be important protection.

It is still not listed in current covered malware under the name limbo (2) as of a few minutes ago.

Heh. And hate to say it, “Limbo2” won’t be listed either. It’s called “Banker.D” and has been around since the winter of 2007. Although Prevx hasn’t made samples of it available (as far as any of us in the “industry” know) it has been found (and bought) elsewhere. I received a copy of it last Friday from one of my other contacts. As soon as I opened it up, an ancient expired copy of Symantec antivirus on my machine deleted everything as soon as I went to unpack the archive. :slight_smile:

Had to remove the remains of Symantec before I was able to play with it - as soon as I fired it up, BAM! BOClean nailed it as “Banker.D” … so I played with the “admin tool” for it and found that all they’re doing is using an old trojan, editing it, and then packing it inside a rather sophisticated “shell” which obfuscates and encrypts the file, and then places a stub at the front of the file which is designed to trash unpackers and emulators with NOP instructions as well as illegal characters and a number of other tricks which will hose unpackers. There’s plenty of other nasties out there that do the same thing.

As soon as any of the “variants” start to run though, BOClean isn’t fooled. So the major attack in this new variation of the same old is at the file level. I s’pose that’s what’s got some of the other vendors in a panic, but BOClean doesn’t work that way. As always, any nasty has to shed its skin in order to actually run on a machine and that’s where BOClean lies in wait. But this one is not a “new” nasty at all … just “new and improved packaging.” :slight_smile:

Picture of the package though below for the curious:


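A toy model of the mechanism Kevin describes above: a known trojan body is hidden behind an obfuscating shell with a junk stub in front, so a file-level signature scan misses it, while the stub must restore the plain code before it can run, which is where an in-memory check catches it. This is an added example and not part of this thread, nor BOClean or Comodo code; the trojan body, the signature string, the junk stub and the XOR shell are constructed stand-ins, and the entropy helper is a generic packed-file heuristic, not anything the post attributes to BOClean.

```python
"""Toy model: packed trojan vs. file scan vs. runtime (unpacked) scan.

Constructed example. Nothing here is real malware or a real detection
signature; the bytes are invented to illustrate the idea.
"""
import math
from collections import Counter

# Constructed stand-in for a known trojan body (harmless text).
ORIGINAL_TROJAN = b"TOYBANKER:steal-credentials:post-to-collector" * 4

# Constructed byte-pattern signature a file scanner would look for.
SIGNATURE = b"TOYBANKER:steal-credentials"

# Constructed "junk stub": a NOP-like sled plus odd bytes, standing in for
# the stub the post says is designed to trip up unpackers and emulators.
JUNK_STUB = bytes([0x90] * 16 + [0xFF, 0xFE, 0x00, 0x0B])


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted data trends toward 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def pack(payload: bytes, key: bytes) -> bytes:
    """Simulated 'shell': junk stub, then the key, then XOR-obfuscated body."""
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return JUNK_STUB + key + body


def unpack_at_runtime(packed: bytes, key_len: int) -> bytes:
    """What the stub must do before the trojan can execute: restore plain code."""
    key = packed[len(JUNK_STUB):len(JUNK_STUB) + key_len]
    body = packed[len(JUNK_STUB) + key_len:]
    return bytes(b ^ key[i % key_len] for i, b in enumerate(body))


def file_scan(data: bytes) -> bool:
    """Naive on-disk signature scan: sees only the packed bytes."""
    return SIGNATURE in data


def memory_scan(unpacked: bytes) -> bool:
    """Scan of the code as it exists once the shell has been shed."""
    return SIGNATURE in unpacked


def demo(key: bytes = b"\x5a\xc3\x11\x7e\x99\x28\xd4\x63") -> dict:
    """Run the whole story once and report what each stage sees."""
    packed = pack(ORIGINAL_TROJAN, key)
    unpacked = unpack_at_runtime(packed, len(key))
    return {
        "file_scan_hits": file_scan(packed),      # False: shell hides the body
        "memory_scan_hits": memory_scan(unpacked),  # True: skin shed, body exposed
        "roundtrip_ok": unpacked == ORIGINAL_TROJAN,
        "entropy_plain": round(shannon_entropy(ORIGINAL_TROJAN), 2),
        "entropy_packed": round(shannon_entropy(packed), 2),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the two scans is the one made in the post: re-packing the same old body with a new shell changes what the file scanner sees, but not what has to exist in memory for the trojan to run. The entropy helper shows the cheap file-level heuristic a defender still has against such shells: the packed blob's byte distribution is far flatter than the plain body's.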