Investigating the Keylogger Detection in Wall-E PC Demo Game - 10MB Limits (updated)

In my last post I showed that my Norton 360 antivirus software flagged the Wall-E PC Demo Game (UK) as containing a keylogger.

I captured all the necessary information to show that it did indeed come from those hosts and that this is not a DNS poisoning attack causing it to be downloaded from somewhere else. One thing I forgot to check was my hosts file, but I've checked it now and it is as it comes by default:

127.0.0.1       localhost
::1             localhost

The next thing I need to do is report it to Symantec. According to their submission process I can upload it if it's less than 10MB. The UK version of the demo is 177MB, so that's not going to happen. I checked the submission form in case I could just specify where they can download it from, but the upload field is required. The web page says I could also submit a file using Scan and Deliver, but that page says I won't be able to submit compressed files. I checked the quarantine again, hoping there's some kind of "submit to Symantec" button, but there isn't.

At this point, Symantec's Scan and Deliver advice on the web site is for me to restore the file from quarantine and unzip it. I'm just not thrilled at this idea. It's not clear to me whether restoring the file will tell my installation of Norton 360 that I no longer care about this keylogger (I'm thinking of future downloads). I'm trying to find the simplest way to get this file to Symantec right now.

So far, I've learnt from this incident that if you're evil and are going to write malware, make it a huge file so nobody can upload samples and they will need to send samples by CD (big delay, and most likely only one or two people would even go this far).

Let's try another tack: getting the file up to VirusTotal for a comparison with other antivirus vendors. This is something a fellow security researcher was trying to do on my behalf whilst I was asleep last night, but the upload failed.

I decided at this point to work on a virtual machine, a Linux box. Visiting the web site (http://wall-e.playthq.com) didn't load the Flash because it was not installed, and I was presented with a nearly blank page with no links. So I captured the download URL with Wireshark on another computer, used wget on a remote host (different ISP) to get the file, and at the same time downloaded it on my workstation (which resulted in the detection again, but it pays to keep checking):

wget http://thqinc.cachefly.net/walle/demos/international/demo1/WALL-E_Demo_UK.exe

md5sum: 857ba76a8cc4452094a33bdcc6a19540  WALL-E_Demo_UK.exe
sha1sum: cdcd79aa721647f5204f5d3cf60d5c366b856197  WALL-E_Demo_UK.exe
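As an added example (not code from the original post), here is a small Python script that does the three checks described above: it verifies a downloaded sample against the md5/sha1 values quoted above, reports whether the file fits the 10MB vendor upload limit, and flags any hosts-file entries beyond the stock localhost lines, since a rogue entry there is one way a download could be silently redirected. The file path and the hosts-file text used in the demo are constructed assumptions.

```python
import hashlib

# Hashes the post reports for WALL-E_Demo_UK.exe
EXPECTED = {
    "md5": "857ba76a8cc4452094a33bdcc6a19540",
    "sha1": "cdcd79aa721647f5204f5d3cf60d5c366b856197",
}
SUBMISSION_LIMIT = 10 * 1024 * 1024  # the 10MB cap on the vendor upload forms

# The stock hosts file shown in the post: only these two lines are expected
DEFAULT_HOSTS = {"127.0.0.1": "localhost", "::1": "localhost"}


def hash_file(path, chunk=1 << 20):
    """Stream the file once and return its md5, sha1 and size in bytes."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
            size += len(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "size": size}


def check_sample(path, expected=EXPECTED, limit=SUBMISSION_LIMIT):
    """Return (hashes_match, fits_upload_limit, details) for a sample file."""
    d = hash_file(path)
    match = d["md5"] == expected["md5"] and d["sha1"] == expected["sha1"]
    return match, d["size"] <= limit, d


def nondefault_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs that are not the stock localhost lines,
    i.e. anything that could override DNS for a download host."""
    extra = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if DEFAULT_HOSTS.get(ip) != name:
                extra.append((ip, name))
    return extra


if __name__ == "__main__":
    # Constructed hosts text with one extra mapping (hostname is a placeholder)
    demo = "127.0.0.1 localhost\n::1 localhost\n10.0.0.5 example.invalid\n"
    print("non-default hosts entries:", nondefault_hosts_entries(demo))
    print(check_sample("WALL-E_Demo_UK.exe"))  # assumes the sample is in cwd
```

Run it in the directory holding the downloaded sample; a hash mismatch means the file you hold is not the one the post describes, and a size over the limit means the upload form will reject it as it did here.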

Uploading to virustotal.com using lynx:

[Screenshot vtotal1: lynx uploading the file to virustotal.com]

Noting virustotal.com's e-mail uploader page, there's that magic 10MB limit again:

[Screenshot vtotal2: virustotal.com e-mail uploader page showing the 10MB limit]

Currently I've left lynx uploading the file to virustotal.com; I'll post an update or another post when that's done.

Update: Upload to Virustotal.com errored with "Bigger than max permited size / Mayor del tamaño máximo permitido".

Posted by: Timeless Prototype
Posted on: 8/3/2008 at 8:55 AM
Categories: security | spyware
Comments

Timeless Prototype gb

Sunday, August 03, 2008 1:03 PM

Timeless Prototype

Followed up with www.timelessprototype.com/.../...---Splitting.aspx

Ken us

Sunday, August 03, 2008 1:54 PM

Ken

The FIRST thing you should do is get in touch with Pixar and ask them about it. This is almost certainly a false positive. False positives are getting to be more common than actual malware. Pixar is not a fly-by-night corporation. I would trust their answer. (I believe this is something you should have done before you even posted your findings.)

Timeless Prototype gb

Sunday, August 03, 2008 2:29 PM

Timeless Prototype

I hear you Ken, but others have independently picked up that AVAST is also seeing it, games.internode.on.net/.../viewtopic.php?p=1844560

I believe their conversation started before I picked it up independently, why not censor them too?

Wayne Porter us

Sunday, August 03, 2008 3:10 PM

Wayne Porter

I think disclaimers were made that it could be a F/P because it did not make good business sense...the fastest response was to contact the company serving the files (as if Pixar would know- let alone moving through that organization)

When AVAST and Symantec are flagging something I err on side of caution and get the word out...especially when kids are involved.

best,
Wayne

Paperghost gb

Sunday, August 03, 2008 4:29 PM

Paperghost

Aside from the companies flagging the file, the best people to go to would be THQ, but that's not going to happen as they don't have anyone around on a Sunday. As a result, nobody is even likely to look at this until perhaps Monday or even Tuesday. In absence of being able to do anything else, I would certainly have gone live with the info if I'd found it myself, because if there *is* anything untoward in there, that's a Hell of a long time to let people continue to download something they might not actually want.

Ken us

Sunday, August 03, 2008 7:07 PM

Ken

I'm sorry, I did not mean you should not post it. I just meant to have both sides of the story.

Timeless Prototype gb

Sunday, August 03, 2008 7:11 PM

Timeless Prototype

Thanks Ken. I'm awaiting a response from Pixar and the company hosting the file has already submitted a ticket to THQ. I'll update when I know more.

Domain Name Forum us

Wednesday, April 22, 2009 3:05 PM

Domain Name Forum

I have never had much luck with Norton, I prefer to use AVG personally.
