F-secure doesn't detect Win32/Ramnit.A, didn't protect my machine

gcc
gcc Posts: 10

We have a 3 user license for F-Secure and it was installed and up to date. The system logs show it downloading an Aquarius update just before the system became infected with Ramnit:


2013-04-10 14:43:33.343 [0718.076c] I: Connecting to guts.sp.f-secure.com (no BW proxy, no HTTP proxy)...
2013-04-10 14:43:38.765 [0718.172c] I: Downloaded 'F-Secure Aquarius Update 2013-04-10_06' - 'aquawin32' version '1365595929' from guts.sp.f-secure.com, 291302043 bytes (download size 348101 bytes)
2013-04-10 14:43:38.875 [0718.076c] I: Update check completed successfully.
2013-04-10 14:44:47.640 [0718.063c] I: Installation of 'F-Secure Aquarius Update 2013-04-10_06' : Success
2013-04-10 15:43:33.343 [0718.076c] I: Connecting to guts.sp.f-secure.com (no BW proxy, no HTTP proxy)...
2013-04-10 15:43:36.390 [0718.076c] I: Update check completed successfully. No updates are available.
2013-04-10 16:43:33.343 [0718.076c] I: Connecting to guts.sp.f-secure.com (no BW proxy, no HTTP proxy)...
2013-04-10 16:43:34.453 [0718.076c] I: Update check failed. There was an error connecting guts.sp.f-secure.com (Connection refused)
2013-04-10 16:44:34.500 [0718.076c] I: Connecting to guts.sp.f-secure.com (no BW proxy, no HTTP proxy)...
2013-04-10 16:44:35.593 [0718.076c] I: Update check failed. There was an error connecting guts.sp.f-secure.com (Connection refused)


Ramnit messed around with the DNS resolver and broke the ability to connect to guts.sp.f-secure.com and other antivirus websites, meaning that updating was no longer possible.


F-secure did not detect or prevent this infection. I had to install MS Security Essentials to remove it.


Some infected files were still on the system and I found copies of them in System Restore. I submitted a sample to F-Secure's online service, and it is detected as a virus:


Trojan.GenericKDV.935179 Aquarius F-Secure

However, the online check gives the system a clean bill of health. MS Security Essentials still detects and blocks the virus in the copy I made in c:\. I reinstalled F-Secure and it still DOES NOT detect the virus or protect the system:


Scanning Report

28 April 2013 19:29:09 - 19:29:11

Computer name: VALERIA 
Scanning type: Scan target 
Target: C:\A0098457.exe

Result

No malware found
Statistics

Scanned:
Files: 1
Not scanned: 0
Result:
Viruses: 0
Spyware: 0
Suspicious items: 0
Riskware: 0
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
Quarantined: 0
Failed: 0
Boot Sectors:
Scanned: 0
Infected: 0
Suspicious items: 0
Disinfected: 0
Options

Definitions version:
Viruses: 2013-04-26_04
Spyware: 2013-04-26_04
Scanning Engines:
F-Secure Hydra: 5.10.8626, 2013-04-26
F-Secure Online: 13.22.19120, 0-00-00
F-Secure Gemini: 3.02.161, 2013-04-17
Scanning options:
Scan defined files: ANI ASP AX BAT BIN BOO CHM CMD COM CPL DLL DOC DOT DRV EML EXE HLP HTA HTM HTML HTT INF INI JOB JS JSE LNK LSP MDB MHT MPP MPT MSG MSO OCX PDF PHP PIF POT PPT RTF SCR SHS SWF SYS TD0 TMP VBE VBS VXD WBK WMA WMV WMF WSC WSF WSH WRI XLS XLT XML CLASS ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Scan inside archives
Actions:
Viruses: Ask after scan
Spyware: Ask after scan


Also it does not even seem to use the Aquarius engine. Is that why it's not detected?


Anyway I cannot trust f-secure to protect this computer. It still does not detect the virus.
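The update log in the post above shows the pattern a defender wants an alert on: a successful definitions install, one more successful check, and then every subsequent check failing with "Connection refused" against the update host. The script below is an added example (my own, not F-Secure's tooling) that parses lines in the layout shown in the post and summarises the trailing run of failed update checks after the last success; the sample lines are constructed to mirror the excerpt, and the message prefixes it keys on ("Update check failed", "Update check completed", "Installation of ... : Success") are taken from that excerpt.

```python
"""Detect a lost automatic-update channel in F-Secure update log lines.

Added example for this thread, not F-Secure's own tooling. It assumes only the
line layout visible in the post: 'YYYY-MM-DD HH:MM:SS.mmm [thread] L: message'.
The sample lines are constructed to mirror the excerpt above.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ "
    r"\[(?P<thread>[0-9a-fA-F.]+)\] (?P<level>[A-Z]): (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"error connecting (?P<host>\S+) \((?P<reason>[^)]*)\)")

# Constructed sample, modelled on the log excerpt in the original post.
SAMPLE_LOG = """\
2013-04-10 14:43:33.343 [0718.076c] I: Connecting to guts.sp.f-secure.com (no BW proxy, no HTTP proxy)...
2013-04-10 14:44:47.640 [0718.063c] I: Installation of 'F-Secure Aquarius Update 2013-04-10_06' : Success
2013-04-10 15:43:36.390 [0718.076c] I: Update check completed successfully. No updates are available.
2013-04-10 16:43:34.453 [0718.076c] I: Update check failed. There was an error connecting guts.sp.f-secure.com (Connection refused)
2013-04-10 16:44:35.593 [0718.076c] I: Update check failed. There was an error connecting guts.sp.f-secure.com (Connection refused)
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in the expected layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "thread": m["thread"],
        "level": m["level"],
        "msg": m["msg"],
    }


def find_update_outage(log_text, min_failures=2):
    """Summarise the trailing run of failed update checks that follows the last
    successful check or installation. Returns None if the run is shorter than
    min_failures (a single failure is usually just a transient network blip).
    """
    last_ok = None
    streak = []
    for event in filter(None, map(parse_line, log_text.splitlines())):
        msg = event["msg"]
        if msg.startswith("Update check failed"):
            streak.append(event)
        elif msg.startswith("Update check completed") or (
            msg.startswith("Installation of") and msg.endswith(": Success")
        ):
            last_ok = event["ts"]
            streak = []  # a success ends any failure run
    if len(streak) < min_failures:
        return None
    hosts, reasons = set(), set()
    for event in streak:
        m = FAIL_RE.search(event["msg"])
        if m:
            hosts.add(m["host"])
            reasons.add(m["reason"])
    first = streak[0]["ts"]
    return {
        "last_success": last_ok,
        "first_failure": first,
        "failure_count": len(streak),
        "hosts": sorted(hosts),
        "reasons": sorted(reasons),
        "seconds_since_success": (first - last_ok).total_seconds() if last_ok else None,
    }


if __name__ == "__main__":
    print(find_update_outage(SAMPLE_LOG))
```

Run against the real log file, a non-None result is worth investigating on its own: an endpoint that can reach the internet but suddenly cannot reach its AV update host is either facing a proxy or firewall change or, as in this thread, has had its name resolution tampered with.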


Comments

  • etomcat
    etomcat Posts: 147 Superuser

    Hello,


    It is really difficult to say anything, since you did not include an MD5 or SHA-1 checksum for the suspect file. (Not having the actual file sample, the checksum a.k.a. hash is the only method to check it against Virustotal.com or Jotti.org and see what is really going on.)


    By the way, Aquarius is the main virus scanner engine of F-Secure products and is licenced from another antivirus company. It is usually responsible for detecting all the legacy viruses from the past 20 years of cybercrime. Newly emerging malware is usually detected by the F-Secure in-house developed Hydra, Gemini or DeepGuard technologies.


    Best Regards:

    Tamas Feher from Hungary.

  • gcc
    gcc Posts: 10

    Hi Tamas,


    MD5: 70f8499f814c41457e4e58c0ab1f835b

    SHA1: b2c0fdc46a78a512c3e74a2e043be36f832cf9f6


    I don't understand why Aquarius is not even running on this file, do you? Especially if it is "the main virus scanner engine of F-Secure products" and the only one that detects this virus in this file.


    Cheers, Chris.
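Tamas asked for checksums because, without the sample itself, the hash is the only thing that ties a file on a reader's disk to what the multi-engine services report. The script below is an added example (mine, not F-Secure code) that streams a file once through MD5 and SHA-1 and compares the result against the two values Chris posted above; the file it hashes in the demo is a constructed benign stand-in, so it will not match, and the point is that the same check can be re-run on any copy of the suspect file before it is submitted or scanned.

```python
"""Hash a suspect file and compare against known-bad MD5/SHA-1 values.

Added example for this thread, not F-Secure code. KNOWN_BAD holds the two
hashes quoted in the thread; the file hashed under __main__ is a constructed
benign stand-in, so it will not match.
"""
import hashlib
import io
import os
import tempfile

# The MD5 / SHA-1 values quoted in the thread for the Ramnit sample.
KNOWN_BAD = {
    "md5": {"70f8499f814c41457e4e58c0ab1f835b"},
    "sha1": {"b2c0fdc46a78a512c3e74a2e043be36f832cf9f6"},
}


def digest_stream(fh, chunk_size=1 << 20):
    """Read a binary stream once, feeding both hashers, so large files are fine."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        md5.update(chunk)
        sha1.update(chunk)
        size += len(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "size": size}


def digest_bytes(data):
    """Convenience wrapper for in-memory data (handy for testing)."""
    return digest_stream(io.BytesIO(data))


def match_known_bad(digests, known=KNOWN_BAD):
    """Return the algorithms whose digest matches a known-bad value (case-insensitive)."""
    return [alg for alg in ("md5", "sha1") if digests[alg].lower() in known.get(alg, set())]


def check_file(path, known=KNOWN_BAD):
    """Hash one file and attach the list of matching known-bad algorithms."""
    with open(path, "rb") as fh:
        d = digest_stream(fh)
    d["path"] = path
    d["matches"] = match_known_bad(d, known)
    return d


if __name__ == "__main__":
    # Constructed benign sample so the script runs stand-alone offline.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as tmp:
        tmp.write(b"MZ constructed benign sample, not malware\n")
    try:
        result = check_file(tmp.name)
    finally:
        os.unlink(tmp.name)
    verdict = (
        "matches known-bad hash(es): " + ", ".join(result["matches"])
        if result["matches"]
        else "no known-bad match"
    )
    print(f"{result['path']}: md5={result['md5']} sha1={result['sha1']} "
          f"size={result['size']} -> {verdict}")
```

Hashing both algorithms in one pass matters when the suspect file is large or sits on a slow restore volume, and comparing lower-cased hex avoids a false "no match" when one side was pasted in upper case.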

  • etomcat
    etomcat Posts: 147 Superuser

    Hello,


    Thanks for the checksums!


    According to Virustotal.com, at least since 2013-Apr-10 afternoon, F-Secure protection detects this malicious file as "Deepguard: Suspicious-Win32-Malware-by-Gemini"


    This means, even if the Aquarius scanning engine was not running within your F-Secure copy, the DeepGuard system control + Gemini heuristic tech should have blocked the malware's actions as soon as it tried to run and modify anything in your computer. (F-Secure is a multiple scan engine based anti-virus product.)


    As far as I understand the internal workings of DeepGuard tech, it does not terminate the virus code that has started to run. It simply keeps blocking any modification attempts the malware tries to do on the system (*). When the signature update arrives for the traditional Aquarius and / or Hydra virus scanning engines, those are responsible for eventually removing the malicious files. (* This method sounds silly, but it has the least chance of hurting the stability of the running Windows OS.)


    Either your computer had a seriously malfunctioning F-Secure installation or the malware acted in ways not yet covered by DeepGuard protection. (However, the DeepGuard 4 coverage in F-Secure 2013 products is very comprehensive.)


    Maybe a company expert will chime in with some more info?


    Sincerely: Tamas Feher from Hungary.

  • gcc
    gcc Posts: 10

    Hi Tamas,


    Unfortunately the machine was infected on the afternoon of 10th April. So presumably DeepGuard was not updated in time to protect it.


    I don't understand why F-Secure has an engine that is perfectly good at detecting this virus, and they do not use that engine in their desktop product, and do not provide an alternative that works either.


    The malware was able to block DNS to certain sites and prevent F-Secure from updating itself at that time, so it was clearly able to damage the system in a way that prevented the other engines from working.


    I can see that F-Secure downloaded an Aquarius update, but it does not appear to be using Aquarius and I don't know why.


    Cheers, Chris.

  • Hi Chris,


    As mentioned by Tamas, there should be two layers of protection to detect and stop this virus based on the MD5 and SHA-1 values provided. The detections for this virus are from both the F-Secure Aquarius engine and the DeepGuard engine.


    Based on the automatic update log, the Aquarius engine should have been downloaded and installed into the F-Secure software; however, the scanning report seems to be missing the Aquarius engine detection, which is unusual.


    Our malware analyst will be contacting you directly in this case; at the moment, please try to run the F-Secure Online Scanner in order to clean the virus.


    Best regards,

    Gary


  • gcc
    gcc Posts: 10

    Hi Gary,


    As previously noted, the Online Scanner did not detect the virus either. I have cleaned the machine using MS Security Essentials which did. Therefore I do not need to clean the machine now, it is no longer infected thanks to MSE.


    I would also be very interested to know why Aquarius is not running, and why DeepGuard did not prevent this machine from being infected.


    Cheers, Chris.

  • Hi Chris,


    We are certain now that the F-Secure Online Scanner is capable of detecting and removing this particular virus. Since the virus has been removed, let's move on to investigate the F-Secure desktop application that has no Aquarius engine running.


    We need the FSDIAG log from your machine in order to check further. Please click HERE to view the steps on how to generate the FSDIAG log, and create a support ticket with us from HERE. Please provide us the SRID of the ticket here so that we can follow up on the case with you.


    Best regards,

    Gary


  • gcc
    gcc Posts: 10

    Hi Gary,


    Thanks for your help. I have submitted the FSDIAG file as [SR ID:1-563734566].


    When you say "We are certain now that the F-secure Online Scanner is capable to detect and remove this particular virus," do you mean using DeepGuard? As the last response I received from the SAS team was:


    "From the detected file behavior, the execution of the file will be automatically blocked by the DeepGuard Engine."


    I think that's less than ideal, because it requires the virus to already be active in the system. Since the virus blocks access to websites including f-secure, this is already too late. (It's impossible to use the online scanner when the virus is running on the system.) But if it detected the executable as malicious, that would help to prevent reinfection after cleaning the system.


    After disinfection I placed a copy of the virus file (the same one I uploaded in SAS:55988/FS-T956628) in c:\ and neither the online scanner nor the installed f-secure detected it. The system was not infected by the virus at that time.


    Cheers, Chris.

This discussion has been closed.