
A question that arises after an updated and licensed version of Norton Internet Security has detected a trojan installed on my new laptop (Windows 7 installed on 26 Aug'15 and fully updated).

Trojan location: specifically at C:\Program Files (x86)\OLBPre, with one shortcut on my desktop named "MyPC Backup" (a utility that, although I erased it from the Start Menu/Startup folder, has been opening and inviting me to register and back up my files; evidently I never accepted, since I did not install such a program. Unfortunately I do not remember the first time this window popped up).

Here is the icon of the shortcut pointing to the trojan OLBPre.exe (sanitized by Norton; the shortcut remained as a curiosity of my own... now deleted):

[Image: shortcut of MyPC Backup]

Date of Detection: 1 Sep'15 at 6:27 pm.

More Dates Data: I installed Norton on 29 Aug'15 at 12:40 pm. The mentioned folder with the trojan has files created on 29 Aug'15 at 12:55 pm. The other programs I had installed before the trojan's date were: Ares on 29 Aug at 11:12 pm, a licensed Nero Burning ROM on 28 Aug (previous day) at 2:58 pm, Oracle VirtualBox on 28 Aug at 12:43 pm. Programs installed just after that time: licensed PowerISO on 29 Aug at 4:57 pm, Daemon Tools Lite on 29 Aug at 5:31 pm, WinRAR on 30 Aug at 1:22 am, and qBittorrent on 30 Aug at 12:11 pm.

Summary of Norton History: on 30 Aug'15 from 2:47 to 2:51 am, Norton blocked the program C:\Windows\System32\svchost.exe 72 times when it tried to access DataDefinitions in Norton's install folder. It seems very clear trojan activity, doesn't it?

NOTE: svchost.exe, according to the Windows page, is a special Windows process supposedly hosting Windows services, such as Windows Defender.

Main question: Do antiviruses have any chance of agreeing with Microsoft Corporation on a system to detect abnormal activity?

For example, let's say that it is not normal for some processes to navigate through the user's folders, list all the directories, open text files seeking information, etc. Or let's say that some programs would need to download an update, but not to upload files greater than a few hundred KB, or copy/upload the user's files placed in My Documents.

Other Question 1: How is it possible that this program with the trojan, MyPC Backup, was installed on my computer just after the Norton installation, and that it was precisely Norton that finally detected it as a trojan? Am I missing something? Does anyone know if "MyPC Backup" is offered through the installation wizard of another program?

Other Question 2: If there was abnormal activity of a process trying to access Norton's definitions (svchost.exe), and Norton detected it, why did Norton not warn me or feed this information back to Norton's Central for further analysis?

Other Question 3: If this program, MyPC Backup, has been starting at my user's logon, and therefore being executed, why did Norton not detect this executable as a trojan before? It might be Norton's background scanning that detected it. That means that Norton does not scan folder files by priority, does it? For example, scanning the source folder of an executable that is already running and the folders closest to it. I do not understand why Norton did not do this check... Should it?

Other Question 4: Let's suppose I installed it by some error, and that I did it specifically on the date shown in the 'MyPC Backup' installation folder (let's suppose the date is right, not faked by the trojan). If Norton has the FileInsight function, and it does not allow you to execute any file without showing you the "Norton Community" insight for that file, why was I not warned by Norton of any danger on 29 and 30 August?

If anyone has found a solution to be really free of malware, please share...

NOTE: To rule out options, I have also installed a licensed antilogger (since the beginning).

Gilles 'SO- stop being evil'
rellampec

1 Answer

More Dates Data ... svchost.exe when it tried to access DataDefinitions in Norton's install folder. It seems very clear trojan activity, doesn't it?

svchost is a process which is used for lots of different things. So it might be an infection, or it might not be. And it is not even clear that the infection happened only after Norton got installed. The system might have been infected before. Once you have an infection on the system you cannot be sure how it behaves any more, that is, even an antivirus installed after the infection might be fooled by the malware.

Do antiviruses have any chance of agreeing with Microsoft Corporation on a system to detect abnormal activity?

To detect abnormal activity you first have to define what normal activity is for each of the applications you have and each one you download. Then of course you would have to read this description for each of the applications you install, and you have to fully understand what it means. And only after you have accepted what the application can do should it be installed.

Because this probably cannot be expected from common users, systems like Android have some kind of manifest which shows the kind of information an application would like to access. Even though that is much simpler than what would be needed to classify abnormal behavior, it is still too complex for lots of users, so they simply grant all rights to some random application.

Apart from that, you would probably grant access to all files to a backup application, since that is what such an application needs; otherwise no backup and restore would be possible.

How is it possible that this program with the trojan, MyPC Backup, was installed on my computer just after the Norton installation, and that it was precisely Norton that finally detected it as a trojan?

Malware is changing fast and antivirus solutions only play catch-up. Thus they might miss one thing today and find it tomorrow, after the malware was seen in the wild and antivirus signatures were updated. You can be lucky that it got detected at all, even after the infection.

If there was abnormal activity of a process trying to access Norton's definitions (svchost.exe), ...

Again, it is hard to know what abnormal means for some random application the user decided to download.

Also, all the other questions you have repeat the same thing: you expect some antivirus to be aware of any current and future dangers, and you expect it to know what the normal behavior of any random application is. These expectations cannot be fulfilled, since malware gets tested against the antivirus solutions by its authors, and they tune the malware long enough that it bypasses these protections. The antivirus vendors then tune their solutions again for better protection, but only after they've detected the new malware, which usually means that lots of users have already been infected.

If you install any kind of software you should not believe the advertised behavior. This is true for some free software downloads, which often get bundled with adware or even malware. But this is also true for antivirus software, where the vendor claims full protection. This is a promise which cannot be fulfilled.

Steffen Ullrich
  • It's difficult to know when exactly it was infected, indeed. But, being a new computer, the only way they could infect it is with a man in the middle giving me an infected version of the correct installer. It means either the official website is hacked or the compilers are hackers as well. – rellampec Sep 01 '15 at 11:22
  • I meant... when I downloaded new versions of programs that I always use. Maybe the newest program I installed is PowerISO, and it was after the Norton installation... With a deep scan, now Norton wants to delete PowerISO.exe. It's a licensed version, you know? The webpage is marked as 'Caution', with low risk, by the Norton Firefox add-on. – rellampec Sep 01 '15 at 11:25
  • Thank you anyway... I often checked the md5 and sha1 after download. With Norton I lost this good habit... because of the FileInsight function. Maybe I should go back to the previous system. Even with good practices, browsing can infect your computer, can't it? So an antivirus is almost compulsory anyway. Don't you think? – rellampec Sep 01 '15 at 11:27
  • @rellampec: First, it is not even clear if this is really an infection or a false positive by Norton (this happens from time to time). Then, infection could also happen by simply surfing, i.e. drive-by downloads, malvertising... And it could also happen that the site you downloaded the software from was infected, which is also not that uncommon today. – Steffen Ullrich Sep 01 '15 at 11:31
  • @rellampec that isn't the only way. You might have bought a Lenovo, in which case the infection is in the hardware under the UEFI. – Aron Sep 01 '15 at 11:50
  • @SteffenUllrich: I contacted Norton support and they confirmed to me that MyPC Backup installs itself without permission and often shows popup messages on the desktop. I don't know how a program can install itself without permission. It looks like a Firefox weakness, doesn't it? – rellampec Sep 01 '15 at 22:18
  • @Aron: I bought an HP... I didn't know that there are hacked hardware brands. Do you have any reference? Thanks! – rellampec Sep 01 '15 at 22:20
  • @SteffenUllrich: Do you think that Sandboxie can be a good solution to drive-by downloads attack? – rellampec Sep 01 '15 at 22:41
  • @rellampec https://www.google.com.hk/url?sa=t&source=web&rct=j&url=http://www.zdnet.com/article/lenovo-rootkit-ensured-its-software-could-not-be-deleted/&ved=0CCYQFjACahUKEwiWpJSm_tbHAhVKHpQKHYrjDsc&usg=AFQjCNFDPVK205sZqwjKCxxx_GVU3kWOSQ&sig2=Cvyw4EGJsXGbNzPacyqKwg Also search for Superfish. – Aron Sep 01 '15 at 23:28
  • @rellampec: There is lots of information about this program online, mostly about [how to remove it](http://malwaretips.com/blogs/mypc-backup-virus-removal/). It looks like it gets bundled with some downloads. And yes, you don't need special rights to run code or install applications; you only need these rights if you want to make system-wide changes, which are often not required to install an application for a single user. – Steffen Ullrich Sep 02 '15 at 04:19
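The last comment's point (a per-user install and its autostart entry need no administrator rights, which is why removing a Startup-folder shortcut may not be enough) can be checked directly. The following PowerShell script is an added example, not code from the question or the answer: it lists the current user's Run/RunOnce registry values and Startup-folder shortcuts, and for each launched executable reports its creation time and Authenticode signature status, so a timeline like the one in the question can be compared against known install dates. It assumes PowerShell 3.0 or later and the standard per-user locations.

```powershell
# Added example (not from the original post): enumerate per-user autostart
# entries that require no admin rights to create, and describe their targets.
# Assumes PowerShell 3.0+ (for [pscustomobject]) and standard Windows paths.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDir = [Environment]::GetFolderPath('Startup')   # per-user Startup folder
$shell = New-Object -ComObject WScript.Shell             # used to resolve .lnk targets

# Extract the executable path from a command line such as "C:\x\y.exe" /arg
function Get-ExePath([string]$cmd) {
    if ($cmd -match '^\s*"([^"]+)"') { return $matches[1] }
    return ($cmd.Trim() -split '\s+')[0]
}

# Describe one autostart entry: where it lives, what it launches, when the
# target was written to disk, and whether the binary carries a valid signature.
function Get-AutostartInfo([string]$source, [string]$name, [string]$cmd) {
    $path = Get-ExePath $cmd
    $file = if (Test-Path -LiteralPath $path) { Get-Item -LiteralPath $path } else { $null }
    [pscustomobject]@{
        Source    = $source
        Name      = $name
        Path      = $path
        Created   = if ($file) { $file.CreationTime } else { $null }
        Modified  = if ($file) { $file.LastWriteTime } else { $null }
        Signature = if ($file) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'missing' }
    }
}

$entries = @()
# Registry Run keys under HKCU: writable by the user, no elevation needed
foreach ($key in ($runKeys | Where-Object { Test-Path $_ })) {
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $entries += Get-AutostartInfo $key $name $item.GetValue($name)
    }
}
# Shortcuts in the per-user Startup folder (the kind of entry described in the question)
foreach ($lnk in (Get-ChildItem -LiteralPath $startupDir -Filter *.lnk -ErrorAction SilentlyContinue)) {
    $entries += Get-AutostartInfo 'Startup folder' $lnk.Name $shell.CreateShortcut($lnk.FullName).TargetPath
}

# Oldest target first, to line up against the dates of known installs
$entries | Sort-Object Created | Format-Table -AutoSize
```

An entry whose target is unsigned, sits in an unexpected folder, and was created at a time no deliberate install took place is the one to investigate first; machine-wide locations (HKLM Run keys, scheduled tasks, services) need a separate, elevated check.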