Trojan passes by D+, Sandbox, Image Execution

I had a trojan completely ■■■■ past my D+ today on my test PC, COMODO says it is safe and trusted, made by Kaspersky Labs. I wasn’t sure if I should post this here or not yet, but I thought of the possibility of it being a flaw/bug in the current release of v5. If not feel free to move :wink:

It was active and running in memory un-sandboxed:

User>Current>AppData>Roaming>Ahwoo>tauf.exe>122kb
5/41
MD5: 89aaa9d55631fe2f405b5f895fca7fe4

hxxp://www.virustotal.com/analisis/fa668fd4bbf627b005ab8eb39579162844ebefea597664fed7ad76b311b99a63-1280949885

Please submit the file [at] Comodo Antivirus Database | Submit Files for Malware Analysis
Or make a new thread [at] Comodo Forum

Regards
BlackList

All set, submitted. But is this type of behavior normal? I would hate to think that, as it opens my system up to an attack leaving COMODO Firewall clueless.

can you hook me up with a copy of it?

It is signed by Kaspersky: “Kaspersky Lab; VeriSign Class 3 Code Signing 2004 CA”
As I already said, a verdict based only on the digital signature in D+ is not good enough for a file to be declared safe/trusted.

v5 from what I know should be doing it by sha1, and it is not signed, look at the VT report, unsigned at the bottom.

Hey bro, sure can. I just found out that I still have a copy of it sitting under blocked-files. I can .rar it up, password it and send it to you. Just let me know.

thanks just send it to languy99@gmail.com

http://info.prevx.com/aboutprogramtext.asp?PX5=E1E05A99E8D48207E7EC01869335B100B19B46F7

I bet it says “signature is not valid”. If it does, does Comodo check if the certificate is valid?
Did you get your sample?

Languy, can you send it to me too please? Is it marked as safe or does it really have a valid signature from Kaspersky?

Egemen

it really is signed and it is marked as safe also. I’ll e-mail it to you. Let me know what you find.

e-mailed.

Can you post a virustotal link and a cima link?

http://www.virustotal.com/analisis/fa668fd4bbf627b005ab8eb39579162844ebefea597664fed7ad76b311b99a63-1281065331

http://camas.comodo.com/cgi-bin/submit?file=fa668fd4bbf627b005ab8eb39579162844ebefea597664fed7ad76b311b99a63

http://www.threatexpert.com/report.aspx?md5=89aaa9d55631fe2f405b5f895fca7fe4

http://anubis.iseclab.org/?action=result&task_id=140bd70ed3bbeb7b4f5ecb19746bef455&format=html

signature is not valid

[attachment deleted by admin]

How is a non-valid signature valid for Comodo?
Can any developer give more details about this issue?

How can Comodo trust certified files if it seems to be a very weak protection? It is not the first time we have read about falsified signed files.

Found a similar file, also signed by Kaspersky and not valid.

hxxp://www.virustotal.com/analisis/a0ac05444dbcbc0721281e3bfa9bf0ca0cce228cd10565f382e1d0aef57c7b95-1281095872

Tested on CIS V5 (1066 build), and it passes right through even if I disable the trusted vendors list; it still shows up in the active process list as “trusted” :-\

Just tested this file on CIS 4.1 and it gets sandboxed, so that's a relief :-TU

So maybe it is a bug in the beta; anyway, we still need to know what happened with the other file.

Hi guys,

Yes, I have verified. This is a new bug in CIS 5 which does not verify the certificate before checking the cloud for the vendor.

Good catch! Thanks for the feedback!

Egemen
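The bug Egemen confirms above is an ordering problem: the vendor name from the certificate was looked up in the cloud whitelist before the signature itself was verified, so a binary carrying an invalid "Kaspersky Lab" signature was treated as trusted. The following PowerShell is an added example written for this thread, not Comodo's code and not from any of the posters: it shows the order of checks a defender wants (cryptographic validity first, then signer identity) and a sweep that flags running processes whose image carries a signer name but whose signature does not verify, which is exactly the condition the thread describes. The function names and the `$ExpectedSigner` parameter are hypothetical; the only real identifier it relies on is the built-in `Get-AuthenticodeSignature` cmdlet and its `Status` / `SignerCertificate` properties.

```powershell
# Added example (not Comodo's code): trust a binary only when the Authenticode
# signature is cryptographically valid AND the signer is the expected vendor.
# Checking the vendor name before validity is the mistake discussed in the thread.
function Test-TrustedVendorBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring expected in the signer certificate subject, e.g. "Kaspersky Lab"
        # (hypothetical parameter; the vendor name is taken from the thread).
        [Parameter(Mandatory)] [string] $ExpectedSigner
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signerName = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

    $result = [pscustomobject]@{
        Path    = $Path
        Signer  = $signerName
        Status  = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        Trusted = $false
        Reason  = ''
    }

    # Step 1: the signature must verify. A HashMismatch or NotTrusted status means the
    # signer name on the file proves nothing, so stop here before any vendor lookup.
    if ($sig.Status -ne 'Valid') {
        $result.Reason = "signature status is '$($sig.Status)', not 'Valid'"
        return $result
    }

    # Step 2: only now compare the (verified) signer against the expected vendor.
    if ($signerName -notlike "*$ExpectedSigner*") {
        $result.Reason = "valid signature, but signer is not '$ExpectedSigner'"
        return $result
    }

    $result.Trusted = $true
    $result.Reason  = 'valid signature from expected vendor'
    return $result
}

# Defender's sweep: list running processes whose image has a signer certificate
# attached but whose signature does not verify (signer name present, status not Valid).
function Find-InvalidSignedProcesses {
    $paths = Get-Process | ForEach-Object {
        try { $_.Path } catch { $null }   # Path can be inaccessible for protected processes
    } | Where-Object { $_ } | Sort-Object -Unique

    foreach ($p in $paths) {
        $sig = Get-AuthenticodeSignature -FilePath $p
        if ($sig.SignerCertificate -and $sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Path   = $p
                Signer = $sig.SignerCertificate.Subject
                Status = $sig.Status
            }
        }
    }
}

# Usage (hypothetical path; the thread's sample lived under %AppData%\Roaming):
# Test-TrustedVendorBinary -Path "$env:APPDATA\Ahwoo\tauf.exe" -ExpectedSigner 'Kaspersky Lab'
# Find-InvalidSignedProcesses | Format-Table -AutoSize
```

Run against a file like the one in the thread, `Test-TrustedVendorBinary` returns `Trusted = $false` with a `HashMismatch` (or `NotTrusted`) status even though the signer subject reads "Kaspersky Lab", because the validity check runs before the vendor comparison; `Find-InvalidSignedProcesses` surfaces the same condition across everything currently running, which is the check the posters were effectively doing by hand with VirusTotal's "signature is not valid" line.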