Tuesday, February 07, 2006

A Virus Thriller

I posted about this on Saturday, but it got deleted because Blogger had some problems at the time (see the post on technical problems). It was about a possible new virus, which is proving to be quite controversial.

On Friday night I received information about a virus that is not detected by any known antivirus software. I naturally became very curious about this file and had it sent to me. This virus supposedly infects the computer with a great number of spyware and malware programs, but it also infects the BIOS. My source almost had his whole PC ruined because his BIOS was infected and he could not start the PC. In the end he managed to find a way to write an operating system before the BIOS. I didn't quite get how he did it, but then he is also a PC genius.

I uploaded the file to www.virustotal.com and no antivirus detected it (and none does to this day). Only Panda and Fortinet reported it as a suspicious file. An upload to http://virusscan.jotti.org/de/ produced the same result. Specifically:

"Status: POSSIBLY INFECTED/MALWARE (It is suspicious that the sandbox emulation took a long time and/or that the file was packed. Normally programs are not packed and do not force the sandbox into a lengthy emulation. Note that no scanner has given a warning, i.e. the file may well be harmless. We nevertheless advise caution.) Detected packers: UPX"

Which means that this COULD be, but is NOT necessarily, a virus: the file is packed with UPX, and unpacking it keeps the scanner's sandbox emulation busy for a long time.
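As an added example (not part of the original post, and not code from Jotti or VirusTotal): a small Python script that does what the "Detected packers: UPX" line in the report does. It walks the PE section table and flags the UPX section names (UPX0/UPX1), and it also checks the structural tell that survives a renamed packer: a first section that is empty on disk but large in memory, followed by a section of high-entropy (compressed-looking) data. The PE images are constructed fixtures built inside the script (MZ stub, COFF header and section table only; they are not runnable programs), and the 7.0 bits-per-byte threshold is an assumption of this example, not a setting of any real scanner.

```python
import math
import struct

# PE section header (40 bytes): 8-byte name, VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics.
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)
ENTROPY_THRESHOLD = 7.0  # assumed cut-off for "looks compressed or encrypted"


def parse_sections(data):
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_FMT, data, table + i * SECTION_SIZE)
        vsize, vaddr, raw_size, raw_ptr = f[1:5]
        sections.append({
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "data": data[raw_ptr:raw_ptr + raw_size] if raw_size else b"",
        })
    return sections


def shannon_entropy(buf):
    """Bits per byte: 0.0 for empty or constant data, 8.0 for a flat histogram."""
    if not buf:
        return 0.0
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def packer_indicators(data):
    """Two signals: the packer's section names, and a structural tell that
    still fires when someone has patched those names to something innocuous."""
    sections = parse_sections(data)
    names = [s["name"] for s in sections]
    upx_named = any(n.upper().startswith("UPX") for n in names)
    # UPX leaves its first section empty on disk but large in memory; the
    # decompression stub writes the real program into it at run time.
    hollow_first = bool(sections) and sections[0]["raw_size"] == 0 \
        and sections[0]["virtual_size"] > 0
    max_entropy = max((shannon_entropy(s["data"]) for s in sections), default=0.0)
    return {
        "section_names": names,
        "upx_named": upx_named,
        "hollow_first_section": hollow_first,
        "max_section_entropy": round(max_entropy, 2),
        "probably_packed": upx_named or (hollow_first and max_entropy > ENTROPY_THRESHOLD),
    }


def build_test_pe(sections):
    """Constructed fixture: MZ stub, COFF header, section table and bodies.
    No optional header and no code, so it parses but cannot be executed."""
    e_lfanew = 0x40
    dos_stub = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 4 + len(coff) + SECTION_SIZE * len(sections)
    vaddr, headers, bodies = 0x1000, b"", b""
    for name, vsize, body in sections:
        headers += struct.pack(SECTION_FMT, name.encode("ascii"), vsize, vaddr,
                               len(body), raw_ptr if body else 0, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(body)
        bodies += body
        vaddr += (max(vsize, 1) + 0xFFF) & ~0xFFF
    return dos_stub + b"PE\0\0" + coff + headers + bodies


# Constructed sample inputs, not the file from the post.
PLAIN_TEXT = b"This program cannot be run in DOS mode.\r\n" * 64
COMPRESSED_LIKE = bytes(range(256)) * 16  # flat histogram, entropy 8.0, like packed data
PLAIN_PE = build_test_pe([(".text", 0x1000, PLAIN_TEXT), (".data", 0x200, b"\0" * 512)])
UPX_PE = build_test_pe([("UPX0", 0x8000, b""), ("UPX1", 0x1000, COMPRESSED_LIKE),
                        (".rsrc", 0x200, b"\0" * 512)])
# Same layout as UPX, but with the section names patched to hide the packer.
RENAMED_PE = build_test_pe([("CODE", 0x8000, b""), ("DATA", 0x1000, COMPRESSED_LIKE)])

if __name__ == "__main__":
    for label, image in (("plain", PLAIN_PE), ("upx", UPX_PE), ("renamed", RENAMED_PE)):
        print(label, packer_indicators(image))
```

A hit here means "look closer", not "infected": plenty of legitimate software ships UPX-packed, which is exactly why the report above says the file may well be harmless. The practical next step is to unpack it (`upx -d file.exe`) and rescan the result, since a scanner that has no signature for the packed bytes may well recognise the unpacked program.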

I sent the file to Antivir.de for a check and of course they don't work during the weekend :P... I knew this, and because I couldn't wait any longer I sent it to the Kaspersky analysts as well. The Kaspersky analyst replied within an hour saying that the file is clean! How is this possible? Unless of course the file only interacts with the program it is supposed to patch (crack). But isn't that very unlikely? I was almost sure that it was not a virus, but I did not execute it, even at the risk of my reputation as a brave antivir-girl (hello carlus :D).

Soooooo, antivir replied today!

"Dear Sir or Madam,

Thank you for your recent inquiry.

In the attachment you sent us we found a virus.
The current version of AntiVir already detects this virus.

We thank you for your assistance."

So is it a virus or not? The updated AntiVir still does NOT detect it, regardless of what the analysts said.

The essential point of this whole situation is that IF this file REALLY is a virus, then an unknown piece of malware has been circulating on the internet for more than 6 days without any antivirus software detecting it! And if there has been one, who can guarantee us that there have not been 2, 3, 4, 5 or more of them?!

This means that our data are not safe and that no one can guarantee security, no matter what.

I think our operating systems still need a lot of work to become secure, and I personally would not trust important information and files to electronic systems.

Which reminds me... In the past week a new technological scandal was revealed in Greece. But that topic deserves a separate post.

Someone in the Antivir forum suggested a very interesting way of scanning the computer so that rootkits could also be detected by antivirus software. He suggested that it should not scan separate files but the bytes on the hard disk! This technique was apparently used on the Amiga.

It is scary, but I believe we are still in the prehistoric era of computers, something also shown by how extremely quickly technology advances. The internet is a fairly new invention, and we should expect totally new and innovative operating systems in the future that can promise better security.

4 comments:

admin said...

What's wrong with being a bit fascinated? You hackers are all so cynical.

Indeterminacy said...

That's scary about the strange virus. I downloaded a safe program from the official source the other day, qq, which is used in China and South Africa. The SA version is in English and the China version Chinese. Unfortunately you can't communicate across servers (SA -> China). I tried the program a few times with no incident. Then I clicked the icon again and the antivirus program said it was a virus. But I scanned everything and it was all clean. I uninstalled it and everything still works. I hope.

Indeterminacy said...

P.S. I forgot to mention, this was also antivir.de.

admin said...

qq? Can you read Chinese?

Did it say which virus it was? You can use an online scanner like the ones from Trend Micro or F-Secure to make sure all is clean. Unfortunately no antivirus finds them all.