TrojanDownloader:Win32/Upatre not detected by 22 of 57 Anti-Malware Programs after 2 days

20 June 2015

In the past few days I got lots of emails with suspicious attachments. I carefully analyzed most of them on my test system (VMware with Windows 8.1 64-bit and Microsoft Defender) and identified most of them as good old friends, sent by cyber criminals to steal personal information.

Cyber-attacks always follow the same pattern:

Development of a Cyber Attack

[1] Attract the reader’s attention.

[2] Force the reader to extract and execute the malware disguised as an innocuous pdf or html file.

[3] Make the Trojan persistent in the operating system and wipe out the digital traces as far as possible.

[4] Connect to the Command & Control (C&C) server and download additional software from the C&C server. The C&C server is the cyber attacker’s command center.

[5] Send the user’s secrets to the C&C server.

In most cases, email providers put such mails directly in the Junk E-mail or Spam folder. Unfortunately, a small share of e-mails with well-camouflaged malware attachments or new variants of malware is delivered to the inbox. But this should be no problem at all. Since most of the Trojans are variants of already known malware, one would expect the heuristic scanners of the anti-malware systems to detect and sanitize the attachments when they are saved from the email to the file system.

I use Trend Micro MaximumSecurity because the program got a 5 star rating in a comprehensive test last November. I run the program in protection level “Hypersensitive” to get maximum protection, but, to my great surprise, Trend Micro did not detect the malware.

On 18 June I uploaded the payload to virustotal.com to get an overview of the detection rate of 57 anti-malware programs. The malware was first analyzed on virustotal.com on 16 June 2015 at 11:48 a.m.

I received the mail on 16 June 2015 at 1:37 p.m. Microsoft Defender, rated “worst” in the November evaluation, identified the Trojan as Trojan:Win32/Peals.D!plock on 16 June 2015 at 9:45 p.m., 10 hours after the first upload to virustotal.com. This is a very good result!

On 18 June, 29 of 57 scanners were able to detect the malware; Trend Micro MaximumSecurity was not among them. Defender identified the malware as TrojanDownloader:Win32/Upatre, but this change is not relevant.

Defender Report

Yesterday evening I repeated the check on virustotal.com. 35 of 57 anti-malware programs successfully detected the malware. Again, Trend Micro MaximumSecurity was still not among them.

I am really puzzled. I thought I had bought one of the best anti-malware systems, but 6 months later it’s just not capable of detecting variants of old Trojans. It’s time to switch back to Defender and to write off the Trend Micro software. This seems to me an acceptable risk.

By the way, the most effective protection measure here is user training. Never open attachments of nested zip-files. It is very likely that they contain malware which puts your information systems at risk.
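The same rule can be checked mechanically before an attachment reaches the user. As an added example (not part of the original post), the Python check below flags zip attachments that contain nested zips or executables named like documents; the extension list, decoy words, limits and the sample archive are constructed assumptions.

```python
import io
import zipfile

# Constructed lists for the example; not exhaustive.
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
DECOY_WORDS = ("pdf", "html", "htm", "doc", "invoice")
MAX_DEPTH = 3                  # do not recurse into deeper nesting
MAX_MEMBER_BYTES = 10_000_000  # do not unpack oversized inner archives


def inspect_zip(data, depth=0, path=""):
    """Return a list of (member_path, reason) findings for a zip given as bytes."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(path or "<attachment>", "not a readable zip")]
    with archive:
        for info in archive.infolist():
            full = f"{path}/{info.filename}" if path else info.filename
            lower = info.filename.lower()
            if info.flag_bits & 0x1:  # bit 0 of the flags marks an encrypted member
                findings.append((full, "encrypted member, cannot be scanned"))
            elif lower.endswith(EXECUTABLE_EXT):
                stem = lower.rsplit(".", 1)[0]
                disguised = any(word in stem for word in DECOY_WORDS)
                findings.append((full, "executable disguised as document" if disguised else "executable in archive"))
            elif lower.endswith(".zip"):
                findings.append((full, "nested zip"))
                if depth < MAX_DEPTH and info.file_size <= MAX_MEMBER_BYTES:
                    findings += inspect_zip(archive.read(info), depth + 1, full)
    return findings


def make_zip(members):
    """Build a zip in memory from {name: bytes}; used only for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed sample: outer zip -> inner zip -> harmless placeholder with a deceptive name.
SAMPLE = make_zip({"invoice.zip": make_zip({"invoice_pdf.exe": b"placeholder"})})

if __name__ == "__main__":
    for member, reason in inspect_zip(SAMPLE):
        print(f"{member}: {reason}")
```

Any finding is a reason to quarantine the mail rather than deliver it to the inbox, independent of whether a signature for the payload exists yet.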

And don’t trust Anti-Malware program evaluations in German computer magazines.

Have a good weekend!


Appendix: virustotal.com check results as of 19 June 2015

| Antivirus | Result | Update |
|---|---|---|
| ALYac | Trojan.GenericKD.2494514 | 20150619 |
| AVG | Generic_s.EUO | 20150619 |
| AVware | Trojan-Downloader.Win32.Upatre.ic (v) | 20150619 |
| Ad-Aware | Trojan.GenericKD.2494514 | 20150619 |
| AhnLab-V3 | Trojan/Win32.Upatre | 20150619 |
| Arcabit | Trojan.Generic.D261032 | 20150619 |
| Avira | TR/Agent.68096.251 | 20150619 |
| Baidu-International | Trojan.Win32.Upatre.bkby | 20150619 |
| BitDefender | Trojan.GenericKD.2494514 | 20150619 |
| CAT-QuickHeal | TrojanDownloader.Upatre.r3 | 20150619 |
| Cyren | W32/Upatre.AT.gen!Eldorado | 20150619 |
| DrWeb | Trojan.Upatre.3504 | 20150619 |
| ESET-NOD32 | a variant of Win32/Kryptik.DMJN | 20150619 |
| Emsisoft | Trojan.GenericKD.2494514 (B) | 20150619 |
| F-Prot | W32/Upatre.AT.gen!Eldorado | 20150619 |
| F-Secure | Trojan.GenericKD.2494514 | 20150619 |
| Fortinet | W32/Waski.A!tr | 20150619 |
| GData | Trojan.GenericKD.2494514 | 20150619 |
| Ikarus | PUA.Bundler | 20150619 |
| K7GW | Trojan ( 004c5fac1 ) | 20150619 |
| Kaspersky | Trojan-Downloader.Win32.Upatre.bkby | 20150619 |
| Malwarebytes | Trojan.Downloader.Upatre | 20150619 |
| McAfee | Upatre-FACH!9B004AD1DBB5 | 20150619 |
| McAfee-GW-Edition | BehavesLike.Win32.Dropper.km | 20150619 |
| MicroWorld-eScan | Trojan.GenericKD.2494514 | 20150619 |
| Microsoft | TrojanDownloader:Win32/Upatre | 20150619 |
| Panda | Trj/Genetic.gen | 20150619 |
| Qihoo-360 | HEUR/QVM20.1.Malware.Gen | 20150619 |
| Rising | PE:Trojan.Win32.Generic.18C77685!415725189 | 20150618 |
| Sophos | Troj/Dyreza-FP | 20150619 |
| Symantec | Downloader.Upatre!gen5 | 20150619 |
| Tencent | Trojan.Win32.Qudamah.Gen.2 | 20150619 |
| TrendMicro-HouseCall | TROJ_GEN.F0D1H0ZFG15 | 20150619 |
| VIPRE | Trojan-Downloader.Win32.Upatre.ic (v) | 20150619 |
| nProtect | Trojan.GenericKD.2494514 | 20150619 |
| AegisLab | | 20150619 |
| Agnitum | | 20150619 |
| Alibaba | | 20150619 |
| Antiy-AVL | | 20150619 |
| Avast | | 20150619 |
| Bkav | | 20150619 |
| ByteHero | | 20150619 |
| CMC | | 20150618 |
| ClamAV | | 20150619 |
| Comodo | | 20150619 |
| Jiangmin | | 20150618 |
| K7AntiVirus | | 20150619 |
| Kingsoft | | 20150619 |
| NANO-Antivirus | | 20150619 |
| SUPERAntiSpyware | | 20150619 |
| TheHacker | | 20150619 |
| TotalDefense | | 20150619 |
| TrendMicro | | 20150619 |
| VBA32 | | 20150619 |
| ViRobot | | 20150619 |
| Zillya | | 20150619 |
| Zoner | | 20150619 |

 
