Riskware.ADinstaller - Certificate “issued” by Global Sign
Some suspicious/malicious Indicators: PE file has unusual entropy sections, Reads the active computer name, Reads configuration files, Reads the cryptographic machine GUID, Queries kernel debugger information, Tries to sleep for a long time (two minutes +), Creates guarded memory regions, Contains ability to access the loader directly, Installs hooks/patches the running process, Touches files in the Windows directory, Opens the Kernel Security Device Driver
Trojan/Adware.Variant.Graftor - Certificate “issued” by Comodo
Some suspicious/malicious Indicators: Matched Compiler/Packer signature (detected as "VC8"), Checks for the general presence of an Antivirus engine, PE file has unusual entropy sections, CRC value set in PE header does not match actual value, Reads the active computer name, Reads the cryptographic machine GUID, Contains ability to lookup the windows account name, Touches files in the Windows directory, Runs shell commands, Installs hooks/patches the running process, Makes a code branch decision directly after an API that is environment aware (API call GetSystemTime@KERNEL32.DLL - Target: m.exe > directly followed by “cmp eax, ecx” and “je 002BE44Ah”)
PUA.Variant.InstallCore - Certificate “issued” by Global Sign
Some suspicious/malicious Indicators: Matched Compiler/Packer signature (Borland Delphi 4.0), CRC value set in PE header does not match actual value, Reads the active computer name, Contains ability to lookup the windows account name, Reads the registry for installed applications, Contains ability to create named pipes for inter-process communication, Requested access to a system service (Java.tmp called “OpenService” to access the “ServicesActive” service), Makes a code branch decision directly after an API that is environment aware (Found API call GetVersion@KERNEL32.DLL Target: Java.tmp > directly followed by “cmp ax, 0005h” and “jc 0042E119h”), Opens the Kernel Security Device Driver
Some suspicious/malicious Indicators: Matched Compiler/Packer signature (Borland Delphi 4.0), Reads the active computer name, Reads the cryptographic machine GUID, Reads the windows installation date, Contains ability to retrieve keyboard strokes, Modifies proxy settings, Queries sensitive IE security settings, Accessed IE Quick Launch directory, Reads the registry for installed applications, Executes WMI queries known to be used for VM detection, References security related windows services, Spawns a lot of processes, Installs hooks/patches the running process, Tries to GET non-existent files from a webserver, Contacts 4 domains and 3 hosts, Multiple malicious artifacts seen in the context of different hosts
PUA.Variant.Installcore - Certificate “issued” by Thawte
Correctly detected from Valkyrie as PUA
Some suspicious/malicious Indicators: Matched Compiler/Packer signature (Borland Delphi 4.0), CRC value set in PE header does not match actual value, Scanning for window names, Contains ability to lookup the windows account name, Contains ability to create named pipes for inter-process communication, Queries process information, Reads the registry for installed applications, Drops executable files, Requested access to a system service (Sumatra_2520PDF_25203.1.2.tmp called “OpenService” to access the “ServicesActive” service), Touches files in the Windows directory, Opens the Kernel Security Device Driver
PUA.Variant.Auslogics - Certificate “issued” by Symantec & VeriSign
Some suspicious/malicious Indicators: Matched Compiler/Packer signature (BobSoft Mini Delphi), PE file has unusual entropy sections, CRC value set in PE header does not match actual value, Possibly tries to implement anti-virtualization techniques, Reads the active computer name, Reads configuration files, Reads the registry for installed applications, Tries to obtain the highest possible privilege level without UAC dialog, Possibly tries to hide a process launching it with different user credentials, Modifies proxy settings, Opens the Kernel Security Device Driver, Contacts 2 domains and 1 host, POSTs files to a webserver, Sends UDP traffic (UDP connection to 138.201.135.108)
Generic.Trojan.Heuristic - Certificate “issued” by Comodo
Some suspicious/malicious Indicators: Entrypoint in PE header is within an uncommon section, PE file has unusual entropy sections, PE file is packed with UPX, Contains ability to create/switch the desktop, Contains ability to open the clipboard, Contains ability to retrieve keyboard strokes, Tries to implement anti-virtualization techniques, Touches files in the Windows directory, Looks up many procedures within the same disassembly stream (11 calls to GetProcAddress@KERNEL32.DLL)
Some suspicious/malicious Indicators: Matched Compiler/Packer signature (Microsoft Visual C++ 5.0), Entrypoint in PE header is within an uncommon section, Reads the active computer name, Accesses potentially sensitive information from local browsers, Opened the service control manager, Requested access to a system service, Touches files in the Windows directory, Opens the Kernel Security Device Driver, Found an IP/URL artifact that was identified as malicious by at least one reputation engine (3/64 reputation engines marked “138.197.228.160” as malicious), Contacts 1 host, Malicious artifacts seen in the context of a contacted host
Trojan.Variant.Kryptik - Certificate “issued” by Comodo
Some suspicious/malicious Indicators: Matched Compiler/Packer signature (Microsoft Visual C++ 5.0), Entrypoint in PE header is within an uncommon section, Possibly tries to implement anti-virtualization techniques, Queries physical drive, Contains ability to lookup the windows account name, Contains ability to elevate privileges, Reads the active computer name, Modifies proxy settings, Queries sensitive IE security settings, Drops executable files, Touches files in the Windows directory, Opens the Kernel Security Device Driver, Contacts 2 domains and 2 hosts, Multiple malicious artifacts seen in the context of different hosts, HTTP request contains Base64 encoded artifacts
pio, you are posting in the wrong topic. The title clearly says “trusted”, which is not equivalent to “no detection”. Staff is probably tired of pointing out this mistake. Please post these in the correct topic. Using a digital signature is nothing impressive… it’s just another indicator that might or might not help them. Again, this topic is meant for trusted malware… it’s not required to be digitally signed. In fact, the Valkyrie service makes things easier for users by stating which files are trusted. Hope it helps. It is also worth mentioning that staff is rechecking for the sake of users, but not all vendors do it. !ot!
First, in my definition, a digital certificate “should” stand for trust!!! That means signed “should” be equivalent to trusted!!!
And please tell me, what is the correct topic?
You're right when you say, if malware uses a certificate from Comodo then this is nothing special. But if I were the biggest provider of digital certificates, then I would not want malicious files to use a certificate issued especially “from my Company”!!! That has “something” to do with things like Trustworthiness and Reputation!!! For example, if a user checks a malicious, undetected and Comodo-signed file at VT, then a digital signature is ONE strong indicator for the user that the file is safe (trusted). I can't understand how you can “say” that's not important?! ???
And what can happen if a malicious file is digitally signed and the vendor is also classified as trustworthy, you can read in my last post in the Valkyrie section. So in my eyes, for me it's the best way to find and post as many digitally signed malicious files as possible!
Thank you for this information! 88) :o
I post the Valkyrie links and my indicators especially for “Fatih” and the Valkyrie team! I was asked to continue doing this!!! So in this way, they can also see quickly that the file was not recognized by Valkyrie.
> You're right when you say, if malware uses a certificate from Comodo then this is nothing special. But if I were the biggest provider of digital certificates, then I would not want malicious files to use a certificate issued especially "from my Company"!!! That has "something" to do with things like Trustworthiness and Reputation!!! For example, if a user checks a malicious, undetected and Comodo-signed file at VT, then a digital signature is ONE strong indicator for the user that the file is safe (trusted). I can't understand how you can "say" that's not important?! ???
They obviously do care. This is a general problem with AV industry. Comodo uses default-deny approach. Nowadays, you can create 0day without a digital signature.
> And what can happen if a malicious file is digitally signed and the vendor is also classified as trustworthy, you can read in my last post in the Valkyrie section. So in my eyes, for me it's the best way to find and post as many digitally signed malicious files as possible!
It says certificate is valid but name is not. It means it's not listed in their trusted vendors list.
Please do not misunderstand: you should keep reporting suspicious files. I also submit suspicious files via the web interface.
That was my second post regarding this problem! So… NO more mails from me!!! :-X
"Comodo does not blindly trust it. It is checked rigorously before considering it as trusted".
I’ve never claimed anything else! But humans are just humans, and digital certificates can also be stolen. Visit the “Darknet” if you need some…! But in general I wanted to say, for me, Signed Malware = Trusted Malware!!!
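The distinction the thread keeps circling back to (a signature that verifies versus a publisher that is actually on a trusted-vendor list, as in the “certificate is valid but name is not” verdict above) can be reproduced locally. The PowerShell below is an added example written for this page, not code from the forum, Comodo or Valkyrie; it uses the built-in Get-AuthenticodeSignature cmdlet and an allowlist of publisher certificate thumbprints that you have to fill in yourself (the value shown is a placeholder). A valid signature is reported as one indicator; the file is only called trusted when the signer is on that allowlist.

```powershell
# Added example: treat a valid Authenticode signature as one indicator among many,
# and only report "trusted" when the signing certificate is on an explicit allowlist.
function Test-SignedAndAllowlisted {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SHA-1 thumbprints of publisher certificates you have decided to trust.
        # Placeholder value; replace with thumbprints from your own vendor review.
        [string[]] $AllowedThumbprints = @('<SHA1 THUMBPRINT OF TRUSTED PUBLISHER CERT>')
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [ordered]@{
        File            = $Path
        SignatureStatus = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer          = $null
        Thumbprint      = $null
        Verdict         = 'untrusted'
    }

    # Anything other than Valid (unsigned, tampered, untrusted chain) is not even a
    # positive indicator, so stop here.
    if ($sig.Status -ne 'Valid') {
        $result.Verdict = "untrusted: signature status is $($sig.Status) ($($sig.StatusMessage))"
        return [pscustomobject]$result
    }

    $cert = $sig.SignerCertificate
    $result.Signer     = $cert.Subject
    $result.Thumbprint = $cert.Thumbprint

    if ($AllowedThumbprints -contains $cert.Thumbprint) {
        $result.Verdict = 'trusted publisher'
    } else {
        # The case discussed in the thread: the certificate chains to a public CA and
        # the signature verifies, but the publisher is not on the allowlist. A signed
        # file from an unknown or stolen certificate lands here, not in "trusted".
        $result.Verdict = 'signed but publisher not allowlisted; treat as unknown'
    }

    [pscustomobject]$result
}

# Usage: list every executable in a quarantine folder that is NOT from an allowlisted
# publisher, so that signed-but-unknown samples are reviewed instead of waved through.
Get-ChildItem -Path 'C:\Quarantine' -Filter *.exe -File |
    ForEach-Object { Test-SignedAndAllowlisted -Path $_.FullName } |
    Where-Object { $_.Verdict -ne 'trusted publisher' } |
    Format-Table File, SignatureStatus, Signer, Verdict -AutoSize
```

Matching on the certificate thumbprint rather than on the subject name avoids the obvious trap of a look-alike company name on a freshly issued certificate; the list still has to be maintained, and a revoked or stolen certificate only drops out once the allowlist entry is removed.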