Re: [clamav-users] Fwd: [clamav-virusdb] Signatures Published daily - 24065

2017-11-24 Thread Alain Zidouemba
They were replaced with:

Osx.Malware.Proton-6377366-1

- Alain


On Fri, Nov 24, 2017 at 7:08 AM, Al Varnell  wrote:

> > Begin forwarded message:
> >
> > From: nore...@sourcefire.com
> > Subject: [clamav-virusdb] Signatures Published daily - 24065
> > Date: November 22, 2017 at 5:10:11 PM PST
> > To: clamav-viru...@lists.clamav.net
> >
> > Dropped Detection Signatures:
> >
> >   * Osx.Trojan.Proton-6352640-0
> >
> >   * Osx.Trojan.Proton-6352641-0
> >
> >   * Osx.Trojan.Proton-6352642-0
> >
> >   * Osx.Trojan.Proton-6352643-0
>
> I'm quite confused and concerned about why these are being dropped. All
> added in daily - 23973, 20 Oct.
>
> > $ sigtool -fOsx.Trojan.Proton-6352640-0
> > [daily.hsb] cc3297083ad89cabfd58d251cbbe3ca9:44592:Osx.Trojan.Proton-6352640-0:73
> > $ sigtool -fOsx.Trojan.Proton-6352641-0
> > [daily.hsb] 5f145ed27ec88add379676729cbad15f:2056450:Osx.Trojan.Proton-6352641-0:73
> > $ sigtool -fOsx.Trojan.Proton-6352642-0
> > [daily.hsb] 0ca749b61c7e76e6ec07c33aab01aab3:1175737:Osx.Trojan.Proton-6352642-0:73
> > $ sigtool -fOsx.Trojan.Proton-6352643-0
> > [daily.hsb] ff80d97674e148687affd6a4e3ccf00a:44592:Osx.Trojan.Proton-6352643-0:73
>
> Two of these are a perfect match for samples I personally have of the
> hijacked Elmedia Player that installed OSX.Proton.C as described in this
> Intego blog:
>  malware-is-back-heres-what-mac-users-need-to-know/> and this Malwarebytes
> blog:
>  malware-osx-proton-strikes-again/>, among others.
>
> They are all broadly detected on VirusTotal by 30 or more scanners.
>
> VirusTotal
> >  5354888f63c60a3205ade6d467cc620dc5/analysis/>
> >  d34b1fb1b260a27f40b34718be3b71a3a7/analysis/>
> >  7d39e304651bdd1281c7a7ff15b8f43cad/analysis/>
> >  b44905e0308bd3662a496a0701f2ec942d/analysis/>
>
> Can somebody explain why they are being dropped at this time?
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
>
>
>
>
>
>
> ___
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>


[clamav-users] Fwd: [clamav-virusdb] Signatures Published daily - 24065

2017-11-24 Thread Al Varnell
> Begin forwarded message:
> 
> From: nore...@sourcefire.com
> Subject: [clamav-virusdb] Signatures Published daily - 24065
> Date: November 22, 2017 at 5:10:11 PM PST
> To: clamav-viru...@lists.clamav.net
> 
> Dropped Detection Signatures:
> 
>   * Osx.Trojan.Proton-6352640-0
> 
>   * Osx.Trojan.Proton-6352641-0
> 
>   * Osx.Trojan.Proton-6352642-0
> 
>   * Osx.Trojan.Proton-6352643-0

I'm quite confused and concerned about why these are being dropped. All added 
in daily - 23973, 20 Oct.

> $ sigtool -fOsx.Trojan.Proton-6352640-0
> [daily.hsb] 
> cc3297083ad89cabfd58d251cbbe3ca9:44592:Osx.Trojan.Proton-6352640-0:73
> $ sigtool -fOsx.Trojan.Proton-6352641-0
> [daily.hsb] 
> 5f145ed27ec88add379676729cbad15f:2056450:Osx.Trojan.Proton-6352641-0:73
> $ sigtool -fOsx.Trojan.Proton-6352642-0
> [daily.hsb] 
> 0ca749b61c7e76e6ec07c33aab01aab3:1175737:Osx.Trojan.Proton-6352642-0:73
> $ sigtool -fOsx.Trojan.Proton-6352643-0
> [daily.hsb] 
> ff80d97674e148687affd6a4e3ccf00a:44592:Osx.Trojan.Proton-6352643-0:73

Two of these are a perfect match for samples I personally have of the hijacked 
Elmedia Player that installed OSX.Proton.C as described in this Intego blog: 

 and this Malwarebytes blog: 
,
 among others.

They are all broadly detected on VirusTotal by 30 or more scanners.

VirusTotal
> 
> 
> 
> 

Can somebody explain why they are being dropped at this time?

-Al-
-- 
Al Varnell
Mountain View, CA
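The `[daily.hsb]` lines Al pasted are hash-based signature records in ClamAV's `.hsb` format, `MD5:FileSize:SignatureName[:MinFLevel]`. The following added example (not code from ClamAV, Sourcefire, or either poster) parses such records, reproduces the `sigtool -f` name lookup, matches a byte string against the database the way an `.hsb` record is meant to match (MD5 plus file size, with `*` accepted as a size wildcard), and reports which names from a "Dropped Detection Signatures" list are still present in a local database copy, which is the check a defender wants after reading such a notice. The four Proton records are copied from the thread; `SAMPLE`, the `Constructed.Test.Sample-1` record, and the `Constructed.Empty-1` wildcard record are constructed for the demonstration and are not real signatures.

```python
"""Parse and match ClamAV .hsb hash-signature records (added example)."""
import hashlib

# Constructed benign payload; its record below is synthetic, not a real signature.
SAMPLE = b"constructed benign test payload, not malware\n"

# Four records copied from the sigtool output in the thread, plus two
# constructed records: one keyed to SAMPLE, one using the '*' size wildcard
# (md5 of the empty file).
HSB_TEXT = (
    "cc3297083ad89cabfd58d251cbbe3ca9:44592:Osx.Trojan.Proton-6352640-0:73\n"
    "5f145ed27ec88add379676729cbad15f:2056450:Osx.Trojan.Proton-6352641-0:73\n"
    "0ca749b61c7e76e6ec07c33aab01aab3:1175737:Osx.Trojan.Proton-6352642-0:73\n"
    "ff80d97674e148687affd6a4e3ccf00a:44592:Osx.Trojan.Proton-6352643-0:73\n"
    f"{hashlib.md5(SAMPLE).hexdigest()}:{len(SAMPLE)}:Constructed.Test.Sample-1:73\n"
    "d41d8cd98f00b204e9800998ecf8427e:*:Constructed.Empty-1:73\n"
)

HEXDIGITS = set("0123456789abcdef")


def parse_hsb(text):
    """Parse .hsb lines into dicts with keys md5, size, name, flevel.

    Size is None when the record uses the '*' wildcard. Blank lines and
    lines starting with '#' are skipped; malformed records raise ValueError.
    """
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected MD5:Size:Name, got {line!r}")
        md5, size, name = parts[0].lower(), parts[1], parts[2]
        if len(md5) != 32 or not set(md5) <= HEXDIGITS:
            raise ValueError(f"line {lineno}: bad MD5 {parts[0]!r}")
        size_val = None if size == "*" else int(size)
        flevel = int(parts[3]) if len(parts) > 3 and parts[3] else None
        records.append({"md5": md5, "size": size_val, "name": name, "flevel": flevel})
    return records


def find_sigs(substring, records):
    """Name lookup in the spirit of `sigtool -f`: records whose name contains substring."""
    return [r for r in records if substring in r["name"]]


def match_bytes(data, records):
    """Return the names of records matching data: equal MD5 and equal size
    (or any size when the record's size is the '*' wildcard)."""
    digest = hashlib.md5(data).hexdigest()
    return [r["name"] for r in records
            if r["md5"] == digest and r["size"] in (None, len(data))]


def dropped_still_present(dropped_names, records):
    """Given the names from a 'Dropped Detection Signatures' notice, return those
    that still exist locally, i.e. the database has not yet picked up the update."""
    present = {r["name"] for r in records}
    return sorted(n for n in dropped_names if n in present)


if __name__ == "__main__":
    recs = parse_hsb(HSB_TEXT)
    for r in find_sigs("Proton-635264", recs):
        print(f"[daily.hsb] {r['md5']}:{r['size']}:{r['name']}:{r['flevel']}")
    print("SAMPLE matches:", match_bytes(SAMPLE, recs))
    print("still present:", dropped_still_present(
        ["Osx.Trojan.Proton-6352640-0", "Osx.Trojan.Proton-6352643-0"], recs))
```

Against a real installation the records would come from `sigtool --unpack daily.cvd` (or the unpacked `daily.cld`) rather than the embedded text; matching on MD5 and exact size is why a single byte changed in a sample evades a hash signature, which is the usual reason such records are retired in favour of a pattern-based signature like the replacement Alain names.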
