Malware flying under the radar

PeterBJ

Printer VIP
Platinum Printer Member
Joined
Nov 27, 2010
Messages
5,113
Reaction score
4,976
Points
373
Location
Copenhagen Denmark
Printer Model
Canon MP990
I was looking for a service manual for the Canon MP810. I found a download of a file named Canon_mp810_service_manual.iso. I have seen malware named Canon service manual .......exe, but not Canon service manual .......iso. Neither AVG Internet Security nor Malwarebytes Antimalware found any threats in the downloaded file. But the downloaded file contained an exe file, as seen by using an iso viewer ("Overførsler" = Downloads):
[Image: Canon SM iso.jpg]


I wouldn't run the exe file on my main computer or on my laptop. Instead I opened the file on my W10 P4 experimental computer by double clicking it and double clicking it again. I gave permission to run the file and it was an adware installer, for something named SpringFiles. I cancelled the install before any harm was done.

I wonder why two excellent antimalware programs didn't detect the Potentially Unwanted Program? Will they also fail to detect something in a zip or rar archive?

Don't download anything with the file extension exe or iso that claims to be a service manual. Canon service manuals are normally pdf, but zip and rar archives are also found, for instance from electrotanya.
 

The Hat

Printer VIP
Platinum Printer Member
Joined
Jan 18, 2010
Messages
15,792
Reaction score
8,824
Points
453
Location
Residing in Wicklow Ireland
Printer Model
Canon/3D, CR-10, CR-10S, KP-3
@PeterBJ, interesting find, I use Norton security, so could you Email me that same infected file, just as a test to see if at least Norton can detect it, I promise I won’t try to run it...:D
 

The Hat

@PeterBJ, a very interesting find, I use Norton security, so could you Email me that same infected file, just as a test to see if at least Norton can detect it, I promise I won’t try to run it... :D
 

stratman

Printer VIP
Platinum Printer Member
Joined
Apr 19, 2007
Messages
8,712
Reaction score
7,176
Points
393
Location
USA
Printer Model
Canon MB5120, Pencil
@PeterBJ -- No need to email the file around. Test the file with the free internet scanner VirusTotal. It uses several dozen different scanning programs to scan the file. Then you can post the results.
 

PeterBJ

I had deleted the file, but I found it again and submitted it to VirusTotal for scanning. 13 of 55 security scanners found something wrong, but AVG, Malwarebytes Antimalware and Symantec gave it a clean bill of health. Here is the link to the VirusTotal test.

AFAIK knowingly distributing malware is an offense, so I wouldn't like to send this to somebody per Email. Do you really still want it @The Hat ?

I wonder if sending the malware in an iso file is the latest way of stealth for malware?

I will try to unpack the file and send the exe file for test at VirusTotal to see if this gives more detections. But that will be done with the experimental P4 computer. I will not unpack the file on my main computer or my laptop.
 
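As an added example (not written by anyone in this thread): a Python sketch that lists what is inside an ISO 9660 image without mounting, unpacking or running anything, flags entries with an executable extension or an MZ header, and gives a SHA-256 per file that can be searched on VirusTotal. The function names, the RISKY extension list and the constructed sample image are assumptions made for illustration; it reads only the primary volume descriptor, so Joliet or UDF names are not shown.

```python
import hashlib, struct, sys

SECTOR = 2048
RISKY = (".exe", ".scr", ".com", ".msi", ".bat", ".cmd", ".vbs", ".js", ".lnk")  # assumed list

def walk_iso(img, lba=None, size=None, prefix=""):
    """Yield (path, data) for each file in an ISO 9660 image (bytes), unmounted."""
    if prefix.count("/") > 16: raise ValueError("directory loop or excessive nesting")
    if lba is None:  # locate the root directory record in the primary descriptor
        pvd = img[16 * SECTOR:17 * SECTOR]
        if pvd[:6] != b"\x01CD001":
            raise ValueError("no ISO 9660 primary volume descriptor")
        lba, size = struct.unpack_from("<I4xI", pvd, 158)
    pos, end = lba * SECTOR, lba * SECTOR + size
    while pos < end and pos + 34 <= len(img):
        rec_len = img[pos]
        if rec_len == 0:  # zero padding: records never cross a sector boundary
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        ext, length = struct.unpack_from("<I4xI", img, pos + 2)
        flags, name = img[pos + 25], img[pos + 33:pos + 33 + img[pos + 32]]
        pos += rec_len
        if name in (b"\x00", b"\x01"):  # "." and ".." entries
            continue
        path = prefix + name.decode("ascii", "replace").split(";")[0]
        if flags & 0x02:  # directory flag: descend
            yield from walk_iso(img, ext, length, path + "/")
        else:
            yield path, img[ext * SECTOR:ext * SECTOR + length]

def triage(img):
    """Yield (path, size, sha256, flagged) per file; nothing is extracted or run."""
    for path, data in walk_iso(img):
        flagged = path.lower().endswith(RISKY) or data[:2] == b"MZ"
        yield path, len(data), hashlib.sha256(data).hexdigest(), flagged

def sample_iso():
    """Constructed image: a root directory holding one 8-byte file, SETUP.EXE."""
    def rec(name, lba, size, flags=0):  # one directory record, padded to even length
        n = 33 + len(name) + (len(name) + 1) % 2
        return (struct.pack("<BxI4xI4x7xB6xB", n, lba, size, flags, len(name)) + name).ljust(n, b"\0")
    root = rec(b"\0", 18, SECTOR, 2)
    pvd = (b"\x01CD001\x01" + bytes(149) + root).ljust(SECTOR, b"\0")
    d = (root + rec(b"\1", 18, SECTOR, 2) + rec(b"SETUP.EXE;1", 19, 8)).ljust(SECTOR, b"\0")
    return bytes(16 * SECTOR) + pvd + bytes(SECTOR) + d + (b"MZ" + bytes(6)).ljust(SECTOR, b"\0")

if __name__ == "__main__":  # pass an .iso path, or no argument to use the sample
    img = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_iso()
    for path, size, digest, flagged in triage(img):
        print("FLAG" if flagged else "ok  ", size, digest, path)
```

The whole image is read into memory, which is fine for a file of a few megabytes like the one discussed here.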

stratman

Thanks PeterBJ.

Interesting that one of the big boys ESET-NOD32 also did not detect. This leads me to think that this is not a true infection but adware included with the manual in the ISO.

I have run across this bundling before inside an ISO. Eternal vigilance for these hidden things is your best friend.
 

PeterBJ

@The Hat I have sent the file as requested. Please report if Norton detects anything wrong.
 

PeterBJ

@stratman The suspect iso file is around 5.5 MB, the real Canon MP810 service manual is around 13.5 MB pdf. So I think opening and running the installer in the iso file will give me adware, but sadly no manual.

"Eternal vigilance for these hidden things is your best friend."
Yes, it is said the most important malware filter is between your ears!
 