20 June 2015
In the past days I got lots of emails with suspicious attachments. I carefully analyzed most of them on my test system (VMWare with Windows 8.1 64bit and Microsoft Defender) and identified most of them as good old friends, sent by cyber criminals to steal personal information.
Cyber-attacks always follow the same pattern:
[1] Attract the reader’s attention.
[2] Force the reader to extract and execute the malware disguised as an innocuous pdf or html file.
[3] Make the Trojan persistent in the operating system and wipe out the digital traces as far as possible.
[4] Connect to the Command & Control (C&C) server and download additional software from the C&C server. The C&C server is the cyber attacker’s command center.
[5] Send the user's secrets to the C&C server.
In most cases, email providers put such mails directly in the Junk E-mail or Spam folder. Unfortunately, a small fraction of e-mails, with well-camouflaged malware attachments or new variants of malware, reach the inbox. But this should be no problem at all. Since most of the Trojans are variants of already known malware, one would expect that the heuristic scanners of the anti-malware systems should be able to detect and sanitize the attachments while they are downloaded from the email to the file system.
I use Trend Micro MaximumSecurity because the program got a 5 star rating in a comprehensive test last November. I run the program in protection level “Hypersensitive” to get maximum protection, but, to my great surprise, Trend Micro did not detect the malware.
On 18 June I uploaded the payload to virustotal.com to get an overview of the detection rate of 57 anti-malware programs. The malware was first analyzed on virustotal.com on 16 June 2015 at 11:48 a.m.
I received the mail on 16 June 2015 at 1:37 p.m. Microsoft Defender, rated “worst” in the November evaluation, identified the Trojan as Trojan:Win32/Peals.D!plock on 16 June 2015 at 9:45 p.m., 10 hours after the first upload to virustotal.com. This is a very good result!
On 18 June, 29 of 57 scanners were able to detect the malware; Trend Micro MaximumSecurity was not among them. Defender now identified the malware as TrojanDownloader:Win32/Upatre, but this change is not relevant.
Yesterday evening I repeated the check on virustotal.com. 35 of 57 anti-malware programs successfully detected the malware. Again, Trend Micro MaximumSecurity was still not among them.
I am really puzzled. I thought I had bought one of the best anti-malware systems, but 6 months later it's just not capable of detecting variants of old Trojans. It's time to switch back to Defender and to write off the Trend Micro software. This seems to me an acceptable risk.
By the way, the most effective protection measure here is user training. Never open attachments that are nested zip files. It is very likely that they contain malware that puts your information systems at risk.
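A defender-side check for the two red flags the post names, a zip nested inside a zip and an executable disguised as an innocuous pdf or html file, as it could run on a mail gateway before an attachment reaches the inbox. This is an added example, not code from the original post; the extension lists are assumptions, and the sample archive is constructed in memory with placeholder bytes, not real malware.

```python
import io
import zipfile

# Extensions Windows runs directly (assumption: a typical mail-gateway blocklist).
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document types the post says the malware is disguised as.
DOC_EXT = {".pdf", ".htm", ".html"}

def suffixes(name):
    """'Invoice.pdf.exe' -> ['.pdf', '.exe']; the last element is the real extension."""
    base = name.rsplit("/", 1)[-1].lower()
    return ["." + p for p in base.split(".")[1:]]

def classify_name(name):
    """Reasons a member name is suspicious (empty list if none)."""
    reasons, sfx = [], suffixes(name)
    if sfx and sfx[-1] in EXEC_EXT:
        reasons.append("executable extension")
        if len(sfx) >= 2 and sfx[-2] in DOC_EXT:
            reasons.append("double extension disguised as document")
    return reasons

def inspect_zip(data, depth=0, max_depth=3):
    """Recursively walk zip bytes; return [(member path, reason), ...]."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name, member = info.filename, zf.read(info)
            findings += [(name, r) for r in classify_name(name)]
            if zipfile.is_zipfile(io.BytesIO(member)):
                findings.append((name, "nested zip archive"))
                if depth < max_depth:  # bounded so deeply nested archives cannot recurse forever
                    findings += [(name + "!" + p, r)
                                 for p, r in inspect_zip(member, depth + 1, max_depth)]
            elif member[:2] == b"MZ" and (suffixes(name) or ["."])[-1] not in EXEC_EXT:
                findings.append((name, "PE header behind a non-executable extension"))
    return findings

def build_sample():
    """Constructed sample: outer zip -> Invoice.zip -> Invoice.pdf.exe (placeholder bytes)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Invoice.pdf.exe", b"MZ placeholder, not a real program")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice.zip", inner.getvalue())
        z.writestr("readme.txt", b"just text")
    return outer.getvalue()
```

Any non-empty result from inspect_zip is a reason to quarantine the attachment rather than deliver it; the constructed sample yields three findings (the nested archive plus two for the double-extension executable inside it).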
And don’t trust Anti-Malware program evaluations in German computer magazines.
Have a good weekend!
Appendix: virustotal.com check results as of 19 June 2015
Antivirus | Result | Update |
ALYac | Trojan.GenericKD.2494514 | 20150619 |
AVG | Generic_s.EUO | 20150619 |
AVware | Trojan-Downloader.Win32.Upatre.ic (v) | 20150619 |
Ad-Aware | Trojan.GenericKD.2494514 | 20150619 |
AhnLab-V3 | Trojan/Win32.Upatre | 20150619 |
Arcabit | Trojan.Generic.D261032 | 20150619 |
Avira | TR/Agent.68096.251 | 20150619 |
Baidu-International | Trojan.Win32.Upatre.bkby | 20150619 |
BitDefender | Trojan.GenericKD.2494514 | 20150619 |
CAT-QuickHeal | TrojanDownloader.Upatre.r3 | 20150619 |
Cyren | W32/Upatre.AT.gen!Eldorado | 20150619 |
DrWeb | Trojan.Upatre.3504 | 20150619 |
ESET-NOD32 | a variant of Win32/Kryptik.DMJN | 20150619 |
Emsisoft | Trojan.GenericKD.2494514 (B) | 20150619 |
F-Prot | W32/Upatre.AT.gen!Eldorado | 20150619 |
F-Secure | Trojan.GenericKD.2494514 | 20150619 |
Fortinet | W32/Waski.A!tr | 20150619 |
GData | Trojan.GenericKD.2494514 | 20150619 |
Ikarus | PUA.Bundler | 20150619 |
K7GW | Trojan ( 004c5fac1 ) | 20150619 |
Kaspersky | Trojan-Downloader.Win32.Upatre.bkby | 20150619 |
Malwarebytes | Trojan.Downloader.Upatre | 20150619 |
McAfee | Upatre-FACH!9B004AD1DBB5 | 20150619 |
McAfee-GW-Edition | BehavesLike.Win32.Dropper.km | 20150619 |
MicroWorld-eScan | Trojan.GenericKD.2494514 | 20150619 |
Microsoft | TrojanDownloader:Win32/Upatre | 20150619 |
Panda | Trj/Genetic.gen | 20150619 |
Qihoo-360 | HEUR/QVM20.1.Malware.Gen | 20150619 |
Rising | PE:Trojan.Win32.Generic.18C77685!415725189 | 20150618 |
Sophos | Troj/Dyreza-FP | 20150619 |
Symantec | Downloader.Upatre!gen5 | 20150619 |
Tencent | Trojan.Win32.Qudamah.Gen.2 | 20150619 |
TrendMicro-HouseCall | TROJ_GEN.F0D1H0ZFG15 | 20150619 |
VIPRE | Trojan-Downloader.Win32.Upatre.ic (v) | 20150619 |
nProtect | Trojan.GenericKD.2494514 | 20150619 |
AegisLab | not detected | 20150619 |
Agnitum | not detected | 20150619 |
Alibaba | not detected | 20150619 |
Antiy-AVL | not detected | 20150619 |
Avast | not detected | 20150619 |
Bkav | not detected | 20150619 |
ByteHero | not detected | 20150619 |
CMC | not detected | 20150618 |
ClamAV | not detected | 20150619 |
Comodo | not detected | 20150619 |
Jiangmin | not detected | 20150618 |
K7AntiVirus | not detected | 20150619 |
Kingsoft | not detected | 20150619 |
NANO-Antivirus | not detected | 20150619 |
SUPERAntiSpyware | not detected | 20150619 |
TheHacker | not detected | 20150619 |
TotalDefense | not detected | 20150619 |
TrendMicro | not detected | 20150619 |
VBA32 | not detected | 20150619 |
ViRobot | not detected | 20150619 |
Zillya | not detected | 20150619 |
Zoner | not detected | 20150619 |