eEye Digital Security

The endpoint to vulnerability starts here.

 

Examples of Blink Reacting to Protect You

Last post 01-28-2010 6:54 PM by Blue1978. 14 replies.
  • 03-17-2009 7:20 PM

    Examples of Blink Reacting to Protect You

    I just thought I would post some alerts that I got while hunting for Malware with Blink installed in a Windows XP Home Edition SP2 (without any patches installed, using only IE7) in VMware running with full Administrative privileges.  Both the Firewall and AV components in Blink were disabled for these tests.

    Hostile Site:  biglendlive(dot)nfo/hitstat/index(dot)php

    1.  Upon visiting this site, Blink's Application Protection displayed the following alert:

    Event ID:  BLINK-APP-100 
     Severity:  High 
     Description:  Blink detected a suspicious system call. 
     Reason: KERNEL32.DLL!LoadLibraryA
     Action: Restart process
     Program: C:\Program Files\Internet Explorer\iexplore.exe
     Alert: Yes 
     
    Note:  Blink detected an abnormal behavior in one of the monitored applications. It is very likely that you are witnessing an attempt to exploit a known or unknown buffer overflow vulnerability in this application. The best course of action is to update this application to the latest version available from its vendor. Also, please report this issue to eEye to be investigated further. If you are sure that this is not an attack, you can disable the Application Protection layer for this application by editing the apiex.ini file in the Config folder under the Blink installation directory.
         To add an exclusion for this application, open the file in notepad or your favorite text editor and add a line in this format: PROCESS_NAME;;Kevlar;0
         Replace the PROCESS_NAME entry above with the .exe name reported above in this event. For example, to exclude notepad.exe create an entry like this: notepad.exe;;Kevlar;0

     

    Hostile Site:  89.248.172.156/660/index(dot)php

    1.  Upon visiting this site, Blink's Application Protection displayed the following alert:

    Event ID:  BLINK-APP-100 
     Severity:  High 
     Description:  Blink detected a suspicious system call. 
     Reason: KERNEL32.DLL!LoadLibraryA
     Action: Terminate Process
     Program: C:\Program Files\Internet Explorer\iexplore.exe
     Alert: Yes

    Hostile Site:  hunters-of-darkness(dot)de/cgi-stat/index(dot)php

    1.  Upon visiting this site, Blink's Intrusion Prevention System displayed the following alert:

    Event ID:  BLINK-IPS-110257 
     Severity:  Low 
     Description:  This website shows indications of 'Heap spraying' - a Technique that could allow remote arbitrary code to execute if exploitation is successful 
     Attacker: http://hunters-of-darkness.de/cgi-stat/index.php
     Request: <Script Language="JavaScript"> rJFMOZwTmu1 = ("x4343x4343x0febx335bx66c9x80b9x8001xef33xe243xebfaxe
     Log File: C:\Program Files\eEye Digital Security\Blink\Captures\Mar_17_2009\capture_Mar_17_2009_21_04_11_093_01.cap
     Process Path: C:\Program Files\Internet Explorer\iexplore.exe
     Action: Terminated
     Alert: Yes
     Protocol: TCP

     

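The alerts above quote the apiex.ini exclusion format (`PROCESS_NAME;;Kevlar;0`, and later in the thread `FilePath;[Optional MD5];WriteProcessMemory;0`). The following is an added example, not eEye's code: it parses entries in that format and points out what an entry without a pinned MD5 gives up. Only the four-field layout quoted in the alerts is relied on; the meaning of the trailing `0` is not documented on the page and is carried as an opaque flag, and the sample file is constructed.

```python
"""Parse and review Blink apiex.ini exclusion entries (added example, not eEye code).

Format relied on, as quoted in the BLINK-APP-100 / BLINK-API-42 alerts:
    FilePath;[Optional MD5];ProtectionName;0
The trailing field's semantics are not documented on the page; it is kept as-is.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

MD5_RE = re.compile(r"^[0-9A-Fa-f]{32}$")

# Constructed sample file: the entry the alert text uses as its example,
# a path-only entry, an entry that pins an MD5 (constructed digest), and junk.
SAMPLE_APIEX_INI = r"""
notepad.exe;;Kevlar;0
C:\Tools\legacy.exe;;WriteProcessMemory;0
C:\Tools\signed.exe;0123456789ABCDEF0123456789ABCDEF;WriteProcessMemory;0
broken line without fields
"""


@dataclass
class Exclusion:
    path: str         # file name or full path, as the admin typed it
    md5: str          # "" when the entry pins no hash
    protection: str   # layer being exempted: "Kevlar" (Application Protection) or an API name
    flag: str         # trailing field, semantics unknown; preserved verbatim


def parse_exclusion(line: str) -> Optional[Exclusion]:
    """Return an Exclusion for a 'path;[md5];protection;flag' line, None for blank/malformed lines."""
    line = line.strip()
    if not line:
        return None
    parts = [p.strip() for p in line.split(";")]
    if len(parts) != 4 or not parts[0] or not parts[2]:
        return None
    return Exclusion(*parts)


def load_exclusions(text: str) -> List[Exclusion]:
    return [ex for ex in map(parse_exclusion, text.splitlines()) if ex is not None]


def review(ex: Exclusion) -> List[str]:
    """Findings a defender would want before accepting an exclusion into apiex.ini."""
    findings = []
    if not ex.md5:
        findings.append(f"no MD5 pinned: any binary matching this path/name is exempt from {ex.protection}")
    elif not MD5_RE.match(ex.md5):
        findings.append("MD5 field is not a 32-hex-digit digest")
    if ex.protection == "Kevlar":
        findings.append("exempts the program from the whole Application Protection layer, not one API")
    return findings


def make_exclusion(path: str, protection: str, md5: str = "") -> str:
    """Build an entry in the format quoted by the alerts, e.g. notepad.exe;;Kevlar;0."""
    if md5 and not MD5_RE.match(md5):
        raise ValueError("md5 must be 32 hex digits")
    return f"{path};{md5};{protection};0"


if __name__ == "__main__":
    for ex in load_exclusions(SAMPLE_APIEX_INI):
        print(ex.path, "->", review(ex) or ["ok"])
```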
  • 03-27-2009 7:08 PM In reply to

    Examples of Blink Reacting to Protect You

    Here is an example of Blink's ActiveX engine alerting after I ran an ActiveX control that was malicious.

    Hostile Site:   http://stat(dot)zima07(dot)ru/

    1.  Upon visiting this site, Blink's ActiveX Protocol Analyzer Module (in the Intrusion Prevention System) layer displayed the following alert:

    Event ID:  BLINK-BAM-28024 
     Severity:  High 
     Description:  A integer overflow IWebViewFolderIcon setSlice method can lead to remote code execution 
     Alert: Yes
     Action: Terminated
     Protocol: TCP
     Attacker: Web page
     Process Path: C:\Program Files\Internet Explorer\iexplore.exe

     

  • 03-31-2009 8:57 PM In reply to

    Re: Examples of Blink Reacting to Protect You

     Perfect example Blue1978!

    While most antivirus products are trying to stop the virus while it is installed on the system, Blink prevents it from getting there in the first place.

    Regards
    Laurentiu Nicula
  • 04-01-2009 7:55 AM In reply to

    Examples of Blink Reacting to Protect You

         Just for the heck of it, I installed the latest Outpost Security Suite (http://www.agnitum.com/products/security-suite/index.php) in VMware and then went to the site and tried it.  Outpost's malware module only caught one part of the initial infection vector.  The malicious ActiveX shell function executed and at that point, the only thing Outpost alerted me to was the outbound connection request made by the new process (which came from the shell payload that executed and ran itself) as a result.

         Granted, if I had Blink's AV or Firewall component turned on, I am sure I would have seen more activity than I did relying solely on Blink's IPS and Application Protection to detect anything.  Keep in mind this was tested on a fresh install of Windows XP SP2, in VMware, with no updates at all installed, running with the Administrator account. 

  • 04-01-2009 6:12 PM In reply to

    Examples of Blink Reacting to Protect You

    Hostile site:  basesrv3(dot)net/bin/in(dot)php

    1.  Upon visiting this site, Blink's Application Protection displayed the following alert:

    Event ID:  BLINK-APP-100 
     Severity:  High 
     Description:  Blink detected a suspicious system call. 
     Alert: Yes
     Program: C:\Program Files\Internet Explorer\iexplore.exe
     Reason: KERNEL32.DLL!VirtualProtect
     Action: Restart process

    - Internet Explorer restarted itself and everything was fine.

     

    Hostile site:  pnfzetnax(dot)net/est/

    - This is a unique site in which it shows how the different layers in Blink can help.

    All modules in Blink were enabled (except the Firewall).

    1.  Upon visiting this site, Blink's Application Protection displayed the following alert:

    Event ID:  BLINK-APP-100 
     Severity:  High 
     Description:  Blink detected a suspicious system call. 
     Alert: Yes
     Program: C:\Program Files\Internet Explorer\iexplore.exe
     Reason: KERNEL32.DLL!LoadLibraryA
     Action: Restart process

    I turned off Blink's System protection and then revisited the site. 

    2.  Upon revisiting this site, Blink's Malware Protection Engine displayed the following alert:

    Event ID:  BLINK-MAL-205 
     Severity:  High 
     Description:  Blink has found a malware application 
     Alert: Yes
     Name: Vundo.FBW
     Item found: C:\WINDOWS\system32\akowepuv.tmp
     Category: Trojan
     Action: Delete
     Second Action: Log Only
     Virus found: Vundo.FBW

     

    Hostile site:  f(dot)98tdw(dot)cn/d1/07/index(dot)htm

    1.  Upon visiting this site, Blink's Malware Protection Engine displayed the following alert:

    Event ID:  BLINK-MAL-205 
     Severity:  High 
     Description:  Blink has found a malware application 
     Alert: Yes
     Name: W32/Suspicious_U.gen
     Item found: C:\Documents and Settings\Anonymous\Local Settings\Temporary Internet Files\Content.I...\g1[1].exe
     Category: Trojan
     Action: Delete
     Second Action: Log Only
     Virus found: W32/Suspicious_U.gen

    - If you disable Blink's AV component and then revisit the website, IE will advise you with its warning bar that it stopped an ActiveX control from installing.  I went ahead and installed the ActiveX component, but nothing seemed to happen after that (as far as ProcessExplorer could tell).  I am not sure if this ActiveX component invoked anything else or not.

     

     

  • 04-10-2009 10:00 PM In reply to

    Examples of Blink Reacting to Protect You

    Here are more alerts from running Blink Personal Edition in a Windows XP Home Edition SP2 (without any patches installed, IE7) in VMware running with full Administrative privileges.  All modules in Blink were enabled for these tests.

    Hostile Site:  http://m(dot)winxyz(dot)com/

    1.  Upon visiting this site, Blink's Malware Protection Engine displayed the following alert:

    Event ID:  BLINK-MAL-205 
     Severity:  High 
     Description:  Blink has found a malware application 
     Alert: Yes
     Name: HTML/Iframe.L
     Item found: C:\Documents and Settings\Anonymous\Local Settings\Temporary Internet Files\Content....\zhin[1].js
     Category: Trojan
     Action: Quarantine
     Second Action: Delete
     Virus found: HTML/Iframe.L

    AND then ...

    Event ID:  BLINK-MAL-205 
     Severity:  High 
     Description:  Blink has found a malware application 
     Alert: Yes
     Name: W32/Suspicious_U.gen
     Item found: C:\Documents and Settings\Anonymous\Local Settings\Temporary Internet Files\Content.I...\e1[1].exe
     Category: Trojan
     Action: Quarantine
     Second Action: Delete
     Virus found: W32/Suspicious_U.gen

    At this point you see the "gold bar" in IE prompting you to allow an ActiveX control to run.  However,
    before you are able to click on it, IE is terminated by Blink and you receive the following alert:

    Event ID:  BLINK-APP-100 
     Severity:  High 
     Description:  Blink detected a suspicious system call. 
     Alert: Yes
     Program: C:\Program Files\Internet Explorer\iexplore.exe
     Reason: KERNEL32.DLL!VirtualProtect
     Action: Restart process

    - Internet Explorer restarted itself at this point and all was normal.

  • 04-10-2009 11:08 PM In reply to

    Examples of Blink Reacting to Protect You

    Hostile Site:  clarafin(dot)info/traff/index(dot)php

    1.  Upon visiting the site Blink promptly alerts you with the following:

    Event ID:  BLINK-APP-100 
     Severity:  High 
     Description:  Blink detected a suspicious system call. 
     Alert: Yes
     Program: C:\Program Files\Internet Explorer\iexplore.exe
     Reason: KERNEL32.DLL!LoadLibraryA
     Action: Restart process

    Internet Explorer restarted and all is normal again.   No apparent abnormal processes; I checked using ProcessExplorer.

    - Since the application protection engine in Blink initially stopped this, I wanted to see if other layers in Blink would also stop anything if I revisited the site.


    2.  Upon revisiting the site, Blink's Application Firewall prompted me to allow the following two connections (I allowed these requests):

    Allow C:\WINDOWS\system32\~.exe outbound TCP connection to Remote Port 80?

    In Blink's Application Firewall section the rule showed up under the category "Cookie Converter".


    3.  Next Blink's Malware engine alerted with the following:

    Event ID:  BLINK-MAL-205 
     Severity:  High 
     Description:  Blink has found a malware application 
     Alert: Yes
     Name: BAT/Smalltroj.MLJ
     Item found: C:\DOCUME~1\ANONYM~1\LOCALS~1\Temp\abcdefg.bat
     Category: Trojan
     Action: Quarantine
     Second Action: Delete
     Virus found: BAT/Smalltroj.MLJ

    AND then ...

    Event ID:  BLINK-MAL-205 
     Severity:  High 
     Description:  Blink has found a malware application 
     Alert: Yes
     Name: W32/Rootkit.BBV
     Item found: C:\WINDOWS ew_drv.sys
     Category: Trojan
     Action: Quarantine
     Second Action: Delete
     Virus found: W32/Rootkit.BBV


    4.  Blink's Firewall then prompted me to allow the following two requests (keep in mind I allowed these both too).

    C:\WINDOWS\9129837.exe requesting to accept connections on local TCP port 13211.

    Next ...

    C:\WINDOWS\9129837.exe requested an outbound connection to the internet via HTTP (Port 80).


    In Blink's Application Firewall section these rules both showed up under the category "Client Server Runtime Process".



    5.  At this point 9129837.exe (doing whatever it wanted to do since it was allowed to) looks like it was trying to terminate Internet Explorer and Blink.  Blink protected Internet Explorer and itself from being terminated and then the following API protection alerts were shown:


     Event ID:  BLINK-API-42 
     Severity:  High 
     Description:  Blink stopped an unprivileged WriteProcessMemory call. If you believe this application is not malicious, you can add it to a list of approved applications in the Config\apiex.ini file using this format 'FilePath;[Optional MD5];WriteProcessMemory;0' 
     Alert: Yes
     Caller PID: 2800
     Caller process: C:\WINDOWS\9129837.exe
     BaseAddress: 03570000
     Buffer: 00403D54
     BufferLength: 0000460B
     ReturnLength: 0012FE58
     Target Process: (2452)iexplore.exe

     

    Event ID:  BLINK-API-42 
     Severity:  High 
     Description:  Blink stopped an unprivileged WriteProcessMemory call. If you believe this application is not malicious, you can add it to a list of approved applications in the Config\apiex.ini file using this format 'FilePath;[Optional MD5];WriteProcessMemory;0' 
     Alert: Yes
     Caller PID: 2800
     Caller process: C:\WINDOWS\9129837.exe
     BaseAddress: 009A0000
     Buffer: 00403D54
     BufferLength: 0000460B
     ReturnLength: 0012FE58
     Target Process: (1292)eeyeevnt.exe

     

    Event ID:  BLINK-API-42 
     Severity:  High 
     Description:  Blink stopped an unprivileged WriteProcessMemory call. If you believe this application is not malicious, you can add it to a list of approved applications in the Config\apiex.ini file using this format 'FilePath;[Optional MD5];WriteProcessMemory;0' 
     Alert: Yes
     Caller PID: 2800
     Caller process: C:\WINDOWS\9129837.exe
     BaseAddress: 02F10000
     Buffer: 00403D54
     BufferLength: 0000460B
     ReturnLength: 0012FE58
     Target Process: (168)Blink.exe

     

    Event ID:  BLINK-API-42 
     Severity:  High 
     Description:  Blink stopped an unprivileged WriteProcessMemory call. If you believe this application is not malicious, you can add it to a list of approved applications in the Config\apiex.ini file using this format 'FilePath;[Optional MD5];WriteProcessMemory;0' 
     Alert: Yes
     Caller PID: 2800
     Caller process: C:\WINDOWS\9129837.exe
     BaseAddress: 00780000
     Buffer: 00403D54
     BufferLength: 0000460B
     ReturnLength: 0012FE58
     Target Process: (1456)BLINKRM.exe

     

    Event ID:  BLINK-API-42 
     Severity:  High 
     Description:  Blink stopped an unprivileged WriteProcessMemory call. If you believe this application is not malicious, you can add it to a list of approved applications in the Config\apiex.ini file using this format 'FilePath;[Optional MD5];WriteProcessMemory;0' 
     Alert: Yes
     Caller PID: 2800
     Caller process: C:\WINDOWS\9129837.exe
     BaseAddress: 009B0000
     Buffer: 00403D54
     BufferLength: 0000460B
     ReturnLength: 0012FE58
     Target Process: (1196)blinksvc.exe


    It looks like some of Blink's services were targeted by the executable.


    6.  Finally the last log entry that Blink displayed was:

    Event ID:  BLINK-ENG-202 
     Severity:  Medium 
     Description:  Blink has disinfected the system after malware was detected 
     Alert: No
     Quarantine Location: 01C9BA64-1E3AB670-0-W32/Rootkit.BBV
     Name: W32/Rootkit.BBV
     Action: Quarantined
     Item Found: C:\WINDOWS ew_drv.sys

     

    eEye, what exactly may be going on here, event wise?  Is this an example of Blink protecting itself from termination?

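The five BLINK-API-42 alerts above share one caller (PID 2800, C:\WINDOWS\9129837.exe) and each name a different Blink process as the target. The following is an added example, not eEye's code: it parses alert records in the key/value layout posted in this thread and flags a caller whose blocked WriteProcessMemory calls reach several of the security product's own processes, which is the pattern behind the question asked at the end of the post. The sample log is constructed from the posted alerts (same caller, PIDs and targets, abridged to five fields) plus one constructed benign record from another caller.

```python
"""Correlate Blink BLINK-API-42 (blocked WriteProcessMemory) alerts by caller.

Added example, not eEye code. A single caller whose blocked writes target several
of Blink's own processes is reported as a likely tamper/kill attempt on the product.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Blink components named as targets in the thread's alerts (lower-cased for matching).
BLINK_PROCESSES = {"blink.exe", "blinkrm.exe", "blinksvc.exe", "eeyeevnt.exe"}

# Constructed sample: the thread's five alerts abridged to five fields each,
# followed by one constructed, unrelated record from a different caller.
SAMPLE_LOG = r"""
Event ID: BLINK-API-42
Severity: High
Caller PID: 2800
Caller process: C:\WINDOWS\9129837.exe
Target Process: (2452)iexplore.exe

Event ID: BLINK-API-42
Severity: High
Caller PID: 2800
Caller process: C:\WINDOWS\9129837.exe
Target Process: (1292)eeyeevnt.exe

Event ID: BLINK-API-42
Severity: High
Caller PID: 2800
Caller process: C:\WINDOWS\9129837.exe
Target Process: (168)Blink.exe

Event ID: BLINK-API-42
Severity: High
Caller PID: 2800
Caller process: C:\WINDOWS\9129837.exe
Target Process: (1456)BLINKRM.exe

Event ID: BLINK-API-42
Severity: High
Caller PID: 2800
Caller process: C:\WINDOWS\9129837.exe
Target Process: (1196)blinksvc.exe

Event ID: BLINK-API-42
Severity: High
Caller PID: 4100
Caller process: C:\Tools\debugger.exe
Target Process: (3001)myapp.exe
"""

Record = Dict[str, str]
Caller = Tuple[str, str]  # (caller PID, caller image path)
TARGET_RE = re.compile(r"^\((\d+)\)\s*(.+?)\s*$")


def parse_events(text: str) -> List[Record]:
    """Split a pasted Blink log into records: blank lines separate events, 'Key: value' lines fill them."""
    events: List[Record] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec: Record = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first ':' only, so 'C:\...' paths survive
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            events.append(rec)
    return events


def parse_target(field: str) -> Tuple[int, str]:
    """'(1292)eeyeevnt.exe' -> (1292, 'eeyeevnt.exe'); PID 0 when there is no '(pid)' prefix."""
    m = TARGET_RE.match(field)
    return (int(m.group(1)), m.group(2)) if m else (0, field.strip())


def correlate(events: List[Record], min_blink_targets: int = 2) -> Dict[Caller, List[str]]:
    """Return callers whose blocked writes hit at least min_blink_targets distinct Blink processes."""
    hits: Dict[Caller, Set[str]] = defaultdict(set)
    for ev in events:
        if ev.get("Event ID") != "BLINK-API-42":
            continue
        _, name = parse_target(ev.get("Target Process", ""))
        if name.lower() in BLINK_PROCESSES:
            hits[(ev.get("Caller PID", "?"), ev.get("Caller process", "?"))].add(name.lower())
    return {caller: sorted(names) for caller, names in hits.items() if len(names) >= min_blink_targets}


if __name__ == "__main__":
    for (pid, image), targets in correlate(parse_events(SAMPLE_LOG)).items():
        print(f"PID {pid} {image} attempted writes into Blink processes: {', '.join(targets)}")
```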
  • 04-11-2009 1:54 AM In reply to

    Examples of Blink Reacting to Protect You

    =================================================================================================================

    Here are some examples of Norman's Sandbox detecting a piece of Malware (without a signature).  When Blink manually scans a file it observes its behavior while running it in the Sandbox:

     

    Event ID:  BLINK-MAL-205 
     Severity:  High 
     Description:  Blink has found a malware application 
     Alert: Yes
     Name: W32/Malware
     Item found: C:\Documents and Settings\Anonymous\Desktop\New Malware\G1.exe
     Category: Malware
     Action: Delete
     Second Action: Log Only
     Virus found: W32/Malware
     Detected by: Sandbox
     Behavior: * File length: 15136 bytes. [ Changes to filesystem ] * Creates file C:\WINDOWS\SYSTEM32\mmsfc1.dll. * Disables protection on files protected with SFC.



    Event ID:  BLINK-MAL-205 
     Severity:  High 
     Description:  Blink has found a malware application 
     Alert: Yes
     Name: W32/Downloader
     Item found: C:\Documents and Settings\Anonymous\Desktop\New Malware\wr.exe
     Category: Malware
     Action: Delete
     Second Action: Log Only
     Virus found: W32/Downloader
     Detected by: Sandbox
     Behavior: * File length: 36944 bytes. [ Changes to filesystem ] * Creates file C:\WINDOWS\TEMP\mas6748.tmp. * Creates file C:\WINDOWS\TEMP\v8674.tmp. [ Changes to registry ] * Accesses Registry key "HKLM\HARDWARE\DESCRIPTION\System\CentralP

     

    Event ID:  BLINK-MAL-205 
     Severity:  High 
     Description:  Blink has found a malware application 
     Alert: Yes
     Name: W32/Packed_Nspack.A.dropper
     Item found: C:\Documents and Settings\Anonymous\Desktop\New Malware\a8.exe
     Category: Malware
     Action: Delete
     Second Action: Log Only
     Virus found: W32/Packed_Nspack.A.dropper
     Detected by: Sandbox
     Behavior: * File might be compressed. * Accesses executable file from resource section. * Creating several executable files on hard-drive. * File length: 207872 bytes. [ Changes to filesystem ] * Creates file C:\WINDOWS pptools.dll. *

     


    Event ID:  BLINK-MAL-205 
     Severity:  High 
     Description:  Blink has found a malware application 
     Alert: Yes
     Name: W32/Downloader
     Item found: C:\Documents and Settings\Anonymous\Desktop\New Malware\2.exe
     Category: Malware
     Action: Delete
     Second Action: Log Only
     Virus found: W32/Downloader
     Detected by: Sandbox
     Behavior: * Display message box (212121) : 01111. * Display message box (0) : 0. * Creating several executable files on hard-drive. * File length: 20992 bytes. [ Changes to filesystem ] * Creates file C:\WINDOWS\Fonts\wuauclt.exe. * C

     

     This is a unique one ...

    Event ID:  BLINK-MAL-205 
     Severity:  High 
     Description:  Blink has found a malware application 
     Alert: Yes
     Name: W32/Downloader
     Item found: C:\Documents and Settings\Anonymous\Desktop\New Malware\46.dll
     Category: Malware
     Action: Delete
     Second Action: Log Only
     Virus found: W32/Downloader
     Detected by: Sandbox
     Behavior: * File length: 7680 bytes. [ Changes to filesystem ] * Creates file C:\WINDOWS\SYSTEM32\quwhcji.exe. * Creates file C:\WINDOWS\SYSTEM32\ldjvbpq.bat. * Creates file C:\WINDOWS\SYSTEM32\kgwbow.bat. * Deletes file "c:\sample.exe".

     

    Event ID:  BLINK-MAL-205 
     Severity:  High 
     Description:  Blink has found a malware application 
     Alert: Yes
     Name: W32/BlackEnergyBot.A.dropper
     Item found: J:\\D.exe
     Category: Malware
     Action: Quarantine
     Second Action: Log Only
     Virus found: W32/BlackEnergyBot.A.dropper
     Detected by: Sandbox
     Behavior: * File length: 35328 bytes. [ Changes to filesystem ] * Creates file C:\WINDOWS\SYSTEM32\syssrv.sys. [ Changes to registry ] * Creates key "HKLM\System\CurrentControlSet\Services\syssrv". * Sets value "ImagePath"="C:\WINDOWS\SYSTE

    ================================================================================================================

  • 04-16-2009 4:10 PM In reply to

    Examples of Blink Reacting to Protect You

    Hostile Site:  bizoplata(dot)ru/pay(dot)html?

    1.  Upon visiting the site, Blink's Application Protection kills the initial attempt to execute code by displaying the following alert:

    Event ID:  BLINK-APP-100 
     Severity:  High 
     Description:  Blink detected a suspicious system call. 
     Alert: Yes
     Program: C:\Program Files\Internet Explorer\iexplore.exe
     Reason: KERNEL32.DLL!LoadLibraryA
     Action: Restart process

    - I disabled Blink's Application Protection layer and revisited the site.

    2.  This time Blink's Application Firewall prompted me to allow the following two outbound connections (I allowed these requests):

    Allow C:\WINDOWS\system32\~.exe Outbound TCP connection to Remote Port 80?

    and then

    Allow C:\WINDOWS\system32\~.exe Outbound TCP connection to Remote Port 25?

    - In Blink's Application Firewall section these rules showed up under the category "Cookie Converter".

    3.  About a minute after allowing the two outbound connections shown above, Blink's SMTP Protocol Analyzer Module (in the Intrusion Prevention System) layer alerts with the following:

    Event ID:  BLINK-BAM-4020 
     Severity:  High 
     Description:  Server sent too many error reply codes in this session 
     Alert: Yes
     Action: Terminated
     Attacker: 192.168.1.3
     Attacker Port: 1189
     Victim IP: 209.85.221.86
     Victim Port: 25
     Protocol: TCP
     Argument: 550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 26si2154588qyk.127
     Process Path: C:\WINDOWS\system32\~.exe

     

    Event ID:  BLINK-BAM-4020 
     Severity:  High 
     Description:  Server sent too many error reply codes in this session 
     Alert: Yes
     Action: Terminated
     Attacker: 192.168.1.3
     Attacker Port: 1195
     Victim IP: 209.85.221.86
     Victim Port: 25
     Protocol: TCP
     Argument: 550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 26si2154881qyk.127
     Process Path: C:\WINDOWS\system32\~.exe

    At this point I checked for any established connections and once again Blink was successful at stopping any further execution from happening.

    At this point I am going to disable everything but the AV component in Blink and revisit the site one last time.  Before doing so, I revert my VMware image back to a known good state, run Regshot and take a complete snapshot of my system before continuing.

    4.  Upon revisiting the site, the executable ran itself, made its connections to the mail servers listed above and continued without any further prompt or notice of malicious action by Blink.  I opened TCP View and noted many active (and changing) connections to multiple internet mail servers which were passing data.  This went silently in the background... even after I killed Internet Explorer's process and everything.  At this point I took my final snapshot, with Regshot, of my system and compared the two.  Nothing changed (other than Temporary Internet Files) on my system; no new noted files had been pulled to my system.

         Regardless of this, it is noted that Blink stopped pretty much every possible avenue of this malicious action, not allowing it to happen in the first place; this is the important factor to note here. 

     

  • 04-29-2009 12:31 PM In reply to

    Examples of Blink Reacting to Protect You

    =================================================================================================================

    Here is another example of Norman's Sandbox detecting a piece of Malware (without a signature).  When Blink manually scans a file it observes its behavior while running it in the Sandbox:

     

     Event ID:  BLINK-MAL-205 
     Severity:  High 
     Description:  Blink has found a malware application 
     Alert: Yes
     Name: W32/Malware
     Item found: I:\Malware Warning!\94Files\update2009-03-16.exe
     Category: Malware
     Action: Delete
     Second Action: Log Only
     Virus found: W32/Malware
     Detected by: Sandbox
     Behavior: * File length: 87552 bytes. [ Process/window information ] * Creates a mutex IRRD. * Creates section "\BaseNamedObjects\fjktVt" with full access to everyone. * Enumerates running processes. * Modifies memory in process "services

    ================================================================================================================

  • 04-30-2009 8:42 PM In reply to

    Examples of Blink Reacting to Protect You

    After taking my normal stroll over to http://sunbeltblog.blogspot.com/ to look for some new fake AV programs to gather a sample of, I tried going to one of the links listed:

    Malicious Site:  www(dot)Files scanner-antispy-av-files(dot)com

    1.  Upon visiting this site, Blink's Intrusion Prevention System displayed the following alert:

     Event ID:  BLINK-BAM-18009 
     Severity:  Medium 
     Description:  Suspicious attack 
     Alert: Yes
     Action: Dropped
     Attacker: 192.168.75.1
     Attacker Port: 51781
     Victim IP: 208.67.220.220
     Victim Port: 53
     Protocol: UDP
     Argument: www.files%20scanner-antispy-av-files.com
     Process Path: C:\Program Files\Internet Explorer\iexplore.exe

     

    The nice end result of this is, your system never makes it to the malicious site. :)

  • 08-25-2009 10:29 AM In reply to

    Re: Examples of Blink Reacting to Protect You

    Recently I did some new tests with Blink Personal Edition.  I conducted these tests on my live system (not in VMware) running Windows Vista Ultimate 64bit Edition SP1.  I did not perform any system updates past SP1.  The only things extra that I installed were IE8 (no updates added to it), Adobe Acrobat Reader (version 8.1.1), Sun's JRE (version 1_5_0_18), and Adobe Flash Player (version 10.0.12.36).  I tried to install the oldest, most vulnerable versions of everything that I could on purpose.  I was browsing to the following sites using my Administrator account in Vista.

    =============================================================================================================

    1.  Malicious Website:  hXXp://fhijafif.cn/fex/hereEvenMore.pdf

    This was a site delivering a PDF exploit.  As soon as the PDF downloaded, Acrobat attempted to open it and then Blink promptly stopped it displaying the following Application Protection alert:

    Event ID:  BLINK-APP-100 
     Severity:  High 
     Description:  Blink detected a suspicious system call. 
     Alert: Yes
     Application: C:\Program Files (x86)\Adobe\Reader 8.0\Reader\AcroRd32.exe
     Reason: Non-executable exception handler
     Action: Terminate Process
     Application Arguments: "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\AcroRd32.exe" -Embedding

     

    2.  Malicious Website:  hXXp://nvujinaw.cn/s/in.cgi?3

    This site happened to deliver an ActiveX exploit targeted to streaming media users.

    When I visited the site, IE asked me permission to run the ActiveX control (see attached screenshot "ActiveX.jpg" below for what you might see in this situation).  After allowing it to run, Blink alerted me with the following BAM (Blink Analyzer Module) alert:

    Event ID:  BLINK-BAM-28147 
     Severity:  High 
     Description:  Microsoft Video Control has a Stack overflow vulnerability that can lead to remote code execution. 
     Alert: Yes
     Action: Terminated
     Protocol: TCP
     ActiveX ClassID: {0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}
     Attacker: Web page
     Process Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe


  • 08-25-2009 10:42 AM In reply to

    Re: Examples of Blink Reacting to Protect You

    3.  Malicious Website:  hXXp://neimeetsmysla.cn/pdf.php?eid=3

    This was a site delivering a PDF exploit.  As soon as the PDF downloaded, Acrobat attempted to open it and then Blink promptly stopped it displaying the following Application Protection alert:

    Event ID:  BLINK-APP-100 
     Severity:  High 
     Description:  Blink detected a suspicious system call. 
     Alert: Yes
     Application: C:\Program Files (x86)\Adobe\Reader 8.0\Reader\AcroRd32.exe
     Reason: Non-executable exception handler
     Action: Terminate Process
     Application Arguments: "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\AcroRd32.exe" -Embedding


    4.  Malicious Website:  hXXp://updateservisetf.ru/alt/evilMoreIs.pdf

    This was a site delivering a PDF exploit.  As soon as the PDF downloaded, Acrobat attempted to open it and then Blink promptly stopped it displaying the following Application Protection alert:

    Event ID:  BLINK-APP-100 
     Severity:  High 
     Description:  Blink detected a suspicious system call. 
     Alert: Yes
     Application: C:\Program Files (x86)\Adobe\Reader 8.0\Reader\AcroRd32.exe
     Reason: Non-executable exception handler
     Action: Terminate Process
     Application Arguments: "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\AcroRd32.exe" -Embedding

    With this exploit, I was lucky enough to get a screenshot of the PDF that attempted to load and open right as Blink was terminating it.  See the "PDF.jpg" screenshot below to see what it looked like.

     


  • 01-25-2010 3:39 PM In reply to

    Re: Examples of Blink Reacting to Protect You

         This is Malware (that does not have a signature for it) that was found by Norman's sandbox and heuristics engine, after I manually told Blink to scan a group of malicious files.

    1.  Website:  hxxp://juanmm.cn:82/cpa/222.exe

    Event ID:  BLINK-MAL-205 
     Severity:  High 
     Description:  Blink has found a malware application 
     Alert: Yes
     Name: Slogad.A.dropper
     Found Item: C:\Users\imo\Downloads\222.exe
     MD5 Checksum: 3AC13B616FBF764840E40F8B6D22C338
     Category: Malware
     Detected by: Sandbox
     Behavior: * File might be compressed. * **Locates window "NULL [class Progman]" on desktop. * **Locates window "NULL [class SHELLDLL_DefView]" on desktop. * **Locates window "NULL [class SysListView32]" on desktop. * File length: 63792 byte
     Quarantine File: 01CA9E15-8DB53A14-0-Slogad.A.dropper.QRN
     Action: Quarantined

    2.  Website:  hxxp://juanmm.cn:82/cpa/444.exe

    Event ID:  BLINK-MAL-205 
     Severity:  High 
     Description:  Blink has found a malware application 
     Alert: Yes
     Name: Bho.WOK.dropper
     Found Item: C:\Users\imo\Downloads\444.exe
     MD5 Checksum: F8737DA375C84A4E066C1137E606E5BB
     Category: Malware
     Detected by: Sandbox
     Behavior: * Accesses executable file from resource section. * File length: 80896 bytes. [ Changes to filesystem ] * Creates file C:\WINDOWS\PPlayer.2.1.58130.251.(508).dll. * Creates file C:\Program Files\Internet Explorer\mstcs.exe. [ Proc
     Quarantine File: 01CA9E15-86C25B74-0-Bho.WOK.dropper.QRN
     Action: Quarantined

    3.  Website:  hxxp://pcssecure.com/splga47tt4f3anc6u4fd5gk8.html?p=bbd161816aaf2fa1be5486a972aa391c&***

    Event ID:  BLINK-MAL-205 
     Severity:  High 
     Description:  Blink has found a malware application 
     Alert: Yes
     Action: Log Only
     Name: Fake Microsoft Application
     Found Item: C:\Users\imo\Downloads\setup.exe
     MD5 Checksum: 64C9DF26E528F8663570B10E6280F391
     Category: Suspicious
     Name: Fake Microsoft Application
     Category: Suspicious
     Malware Description: This application claims to be made by Microsoft, but it is packed/encrypted. Hackers pack/encrypt their viruses to avoid detection.
     Detected by: Heuristics Engine

     

  • 01-28-2010 6:54 PM In reply to

    Re: Examples of Blink Reacting to Protect You

         This is Malware (that does not have a signature for it) that was found by Norman's sandbox after I manually told Blink to scan a group of malicious files.

    1. Website:  hxxp://pcqook.com/mssec/1000/mssec.exe

     Event ID:  BLINK-MAL-205 
     Severity:  High 
     Description:  Blink has found a malware application 
     Alert: Yes
     Name: W32/Downloader
     Found Item: E:\mssec.exe
     MD5 Checksum: 1C0F35E8C7227DEE9246CE7829559629
     Category: Malware
     Detected by: Sandbox
     Behavior: * File length: 258560 bytes. [ Changes to filesystem ] * Deletes file . * Creates file C:\mssec.exe. * Creates directory C:. * Creates directory C:\WINDOWS\$NtUninstallKB954155_WM9$. * Creates directory C:\WINDOWS\$NtUninstal
     Quarantine File: 01CAA08D-24FEE570-0-W32/Downloader.QRN
     Action: Quarantined

     

    2. Website:  hxxp://pcqook.com/mssec/1000/mslight.exe

    Event ID:  BLINK-MAL-205 
     Severity:  High 
     Description:  Blink has found a malware application 
     Alert: Yes
     Name: W32/Downloader
     Found Item: E:\mslight.exe
     MD5 Checksum: 04A089B1941196ECF25651EE0D6A79B0
     Category: Malware
     Detected by: Sandbox
     Behavior: * Drops files in %WINSYS% folder. * File length: 205312 bytes. [ Changes to filesystem ] * Creates directory C:. * Creates directory C:\WINDOWS\$NtUninstallKB954155_WM9$. * Creates directory C:\WINDOWS\$NtUninstallKB954155_WM9$\s
     Quarantine File: 01CAA08D-23A81F70-0-W32/Downloader.QRN
     Action: Quarantined

         Here is another example of Blink's application protection (aka "Kevlar") stopping an exploit targeting a vulnerability in an older version of Adobe Acrobat.

    1. Website:  hxxp://mainefr4u.com/e/tmp/geticon.pdf

    Event ID:  BLINK-APP-100 
     Severity:  High 
     Description:  Blink detected a suspicious system call. 
     Alert: Yes
     Application: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat.exe
     Reason: Non-executable exception handler
     Action: Terminate Process
     Application Arguments: "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat.exe" "C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GH92RHXP\geticon[1].pdf"

© 1995 - 2009 eEye Incorporated