Undetected bot activity

We’re seeing a pretty dramatic uptick in bot activity today. With all the attention that botnet activity has been getting lately, I thought that this stuff was going the way of Ruben Studdard. Anyways, unfortunately, we are also seeing a very low detection rate among the major AV players, with most of the detections from the scanners VirusTotal supports coming from somewhat unreliable heuristic-based signatures:

File V received on 11.16.2007 21:22:05 (CET)
Antivirus          Version        Last Update  Result
AhnLab-V3          2007.11.17.0   2007.11.16   -
AntiVir                           2007.11.16   HEUR/Crypted
Authentium         4.93.8         2007.11.16   -
Avast              4.7.1074.0     2007.11.15   Win32:IRCBot-CFX
AVG                               2007.11.16   Obfustat.VTU
BitDefender        7.2            2007.11.16   Packer.Krunchy.B
CAT-QuickHeal      9.00           2007.11.16   (Suspicious) - DNAScan
ClamAV             0.91.2         2007.11.16   -
DrWeb                             2007.11.16   BackDoor.IRC.Sdbot.2056
eSafe                             2007.11.14   -
eTrust-Vet         31.2.5300      2007.11.16   -
Ewido              4.0            2007.11.16   -
FileAdvisor        1              2007.11.16   -
Fortinet                          2007.10.19   -
F-Prot                            2007.11.16   -
F-Secure           6.70.13030.0   2007.11.16   -
Ikarus             T3.1.1.12      2007.11.16   Virus.Win32.IRCBot.CFX
Kaspersky                         2007.11.16   -
McAfee             5165           2007.11.16   -
Microsoft          1.3007         2007.11.16   Backdoor:Win32/Poebot.V
NOD32v2            2664           2007.11.16   -
Norman             5.80.02        2007.11.16   -
Panda                             2007.11.16   Suspicious file
Prevx1             V2             2007.11.16   -
Rising                            2007.11.16   Trojan.Win32.Agent.vyl
Sophos             4.23.0         2007.11.16   Mal/EncPk-BP
Sunbelt            2.2.907.0      2007.11.16   -
Symantec           10             2007.11.16   -
TheHacker                         2007.11.16   -
VBA32                             2007.11.16   -
VirusBuster        4.3.26:9       2007.11.16   Packed/FRBR
Webwasher-Gateway  6.0.1          2007.11.16   Heuristic.Crypted

This low antivirus detection rate may be due to the sample being packed with the kkrunchy packer.
Threatfire has been identifying it as “Trojan.CnomBot”.
The bots are all reporting back to a server in China. We’ll keep you updated.
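The report above is easier to reason about once the heuristic and packer flags are separated from the scanners that actually name a family. The Python script below is an added example, not code from the post or from ThreatFire: it parses rows in the scanner / version / update-date / result layout VirusTotal used at the time, treats results that mention heuristics, suspicion, packing, obfuscation or the generic "Agent" name as heuristic/generic rather than named detections, and computes the overall detection rate. The row-parsing regex and the keyword list are assumptions of this example; the embedded rows are transcribed from the report quoted above.

```python
"""Triage a VirusTotal-style text report into named, heuristic and clean
verdicts. Added example; not the blog's or ThreatFire's own tooling."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Rows transcribed from the report quoted in the post, one scanner per line,
# in the "scanner [version] update-date result" layout of the 2007 reports.
SAMPLE_REPORT = """\
AhnLab-V3 2007.11.17.0 2007.11.16 -
AntiVir 2007.11.16 HEUR/Crypted
Authentium 4.93.8 2007.11.16 -
Avast 4.7.1074.0 2007.11.15 Win32:IRCBot-CFX
AVG 2007.11.16 Obfustat.VTU
BitDefender 7.2 2007.11.16 Packer.Krunchy.B
CAT-QuickHeal 9.00 2007.11.16 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.11.16 -
DrWeb 2007.11.16 BackDoor.IRC.Sdbot.2056
eSafe 2007.11.14 -
eTrust-Vet 31.2.5300 2007.11.16 -
Ewido 4.0 2007.11.16 -
FileAdvisor 1 2007.11.16 -
Fortinet 2007.10.19 -
F-Prot 2007.11.16 -
F-Secure 6.70.13030.0 2007.11.16 -
Ikarus T3.1.1.12 2007.11.16 Virus.Win32.IRCBot.CFX
Kaspersky 2007.11.16 -
McAfee 5165 2007.11.16 -
Microsoft 1.3007 2007.11.16 Backdoor:Win32/Poebot.V
NOD32v2 2664 2007.11.16 -
Norman 5.80.02 2007.11.16 -
Panda 2007.11.16 Suspicious file
Prevx1 V2 2007.11.16 -
Rising 2007.11.16 Trojan.Win32.Agent.vyl
Sophos 4.23.0 2007.11.16 Mal/EncPk-BP
Sunbelt 2.2.907.0 2007.11.16 -
Symantec 10 2007.11.16 -
TheHacker 2007.11.16 -
VBA32 2007.11.16 -
VirusBuster 4.3.26:9 2007.11.16 Packed/FRBR
Webwasher-Gateway 6.0.1 2007.11.16 Heuristic.Crypted
"""

# Assumed row shape: scanner, optional version token, YYYY.MM.DD update date,
# then the result (which may itself contain spaces, e.g. "Suspicious file").
ROW_RE = re.compile(
    r"^(?P<scanner>\S+)\s+(?:(?P<version>\S+)\s+)?"
    r"(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.*?)\s*$"
)
# Assumed markers of heuristic, packer-based or generic (non-family) names.
GENERIC_RE = re.compile(r"heur|suspicious|crypt|pack|obfus|encpk|generic|\bagent\b", re.I)


@dataclass(frozen=True)
class ScanRow:
    scanner: str
    version: str | None
    updated: str
    result: str

    @property
    def verdict(self) -> str:
        """'clean' for a miss, 'heuristic' for a generic flag, else 'named'."""
        if self.result == "-":
            return "clean"
        if GENERIC_RE.search(self.result):
            return "heuristic"
        return "named"


def parse_report(text: str) -> list[ScanRow]:
    """Parse every non-blank row; raise on a row that does not fit the layout."""
    rows: list[ScanRow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append(ScanRow(m["scanner"], m["version"], m["updated"], m["result"]))
    return rows


def summarize(rows: list[ScanRow]) -> dict:
    """Count verdicts, compute the detection rate and list the named detections."""
    counts = {"named": 0, "heuristic": 0, "clean": 0}
    for row in rows:
        counts[row.verdict] += 1
    detected = counts["named"] + counts["heuristic"]
    return {
        "scanners": len(rows),
        "detected": detected,
        **counts,
        "detection_rate": detected / len(rows) if rows else 0.0,
        "named_families": sorted(f"{r.scanner}: {r.result}" for r in rows if r.verdict == "named"),
    }


if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    print(f"{s['detected']}/{s['scanners']} scanners flagged the file "
          f"({s['detection_rate']:.0%}); only {s['named']} gave a family name:")
    for entry in s["named_families"]:
        print("  ", entry)
```

Run as is, the script reports that 13 of the 32 scanners flagged the sample, but only four (Avast, DrWeb, Ikarus, Microsoft) attached a family name, all of them IRC-bot variants; the other nine are packer, crypter or generic flags that say nothing about what the file does. For triage, the named-family column is the one worth cross-checking against sandbox behaviour.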


2 Responses to Undetected bot activity

  1. Fiona says:

    Threatfire detected about 40 hidden files but when I try to quarantine them the program stops responding and I can’t quarantine anything…why?

  2. ThreatFire Blogger says:

    Thanks so much for reading our blog and for your interest in Threatfire.

    Regarding your comment, the blog content is more about malware research and our findings than support for the product. It seems that this comment is a support issue.

    We have a Threatfire community forum where issues like this one get discussed and get pretty quick responses from our QA and support teams at http://www.pctools.com/forum/, and PC Tools provides support for all products at http://www.pctools.com/contact/support/.

    Thanks again for your interest, hope that you like the blog!
