#12 Post by TigheW » 2018-01-06 00:28

The facts are that when performing a process behavior analysis on the software hosted on your site, it behaves exactly like malware and flags multiple advanced threat activity watchlists specifically designed to identify malicious behavior. This software bundle unpacks unsigned processes that beacon to unknown web servers with no official registrants; it downloads additional unknown, unsigned files in small .dat batches and appends them together before executing and quickly deleting them. I won't even get into what this is doing to the registry, but suffice it to say there's no legitimate need for this bundle software to make 100+ modifications to the registry. Show me one piece of reputable software that has these characteristics. What I'm telling you has literally nothing to do with AV vendor hits on your software bundle. I don't know why you keep bringing that up.

Please learn the difference between the capabilities of near-obsolete signature-based antivirus and cutting-edge security tools, and how IOCs are identified in today's world. We're far past relying on PUP warnings from Malwarebytes to identify and combat malware like this. These items I've mentioned aren't AV flags on behalf of AV vendors (whatever that means). These are behaviors being analyzed in real time as they unfold. Nothing more, nothing less. There's no ulterior motive here other than protecting PC users from predatory and malicious actors. I'm not here to antagonize you or to entertain tin-foil-hat ideas about the shadowy underbelly of AV vendors. I was hoping I might learn something interesting about these processes directly from the one hosting this bundle. Perhaps learn a novel new trick that legitimate software is using that might further my understanding. Instead I get this bizarrely antagonistic and overly defensive back and forth.

My final parting question for you: Would you run this bundled installer on your personal computer with all bundled options intact? Would you feel that your machine was safe and secure enough to hold your personal information after seeing this behavior unfold on your own machine? Can you honestly say that you're fine with unique, unsigned executables being pieced together from random IPs, running, deleting themselves, and calling another 36 cmd.exe prompts to continue downloading additional fragmented payloads? You trust unsigned code executing on your machine, modifying your registry, and creating persistent run keys?

Of course you wouldn't. No user would ever choose to have this kind of malware installed on their machine if they understood what it was and what the capabilities of tools like this are once on a system. Hint: Phase 2 downloads are where the fun really begins.

Anyways, I believe I have the answer I came here for and this is quite far from the fruitful discussion I was hoping to have with you. Have a good day.
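As an added illustration (not part of TigheW's post, and not code from the vendor or the bundle under discussion), here is a small Python sketch of the kind of behavioral scoring the post describes: unsigned executables launched from a user-writable directory, a beacon to a literal IP rather than a hostname, several small .dat fragments written and then an executable appearing, that executable being deleted after it ran, a burst of cmd.exe children, a persistent Run key, and heavy registry churn. The event schema, the thresholds, the paths and the trace itself are constructed assumptions for the example; real telemetry (Sysmon, EDR) would need a thin adapter into this shape, and the "no official registrant" check the post mentions needs a WHOIS lookup that an offline example cannot do.

```python
"""Behavioral indicator scoring over a constructed process/file/net/registry trace."""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed heuristics (not from the post): user-writable drop dirs and persistence keys.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Temp|Downloads|ProgramData)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
EXEC_EXT = (".exe", ".dll", ".scr")

TMP = r"C:\Users\u\AppData\Local\Temp"

# Constructed sample trace (hand-written, not captured telemetry).
SAMPLE_EVENTS = [
    {"kind": "proc", "pid": 100, "ppid": 1, "image": TMP + r"\bundle_setup.exe", "signed": False},
    {"kind": "net", "pid": 100, "dst": "203.0.113.45", "port": 80},          # literal IP, TEST-NET range
    {"kind": "file_write", "pid": 100, "path": TMP + r"\p1.dat"},
    {"kind": "file_write", "pid": 100, "path": TMP + r"\p2.dat"},
    {"kind": "file_write", "pid": 100, "path": TMP + r"\p3.dat"},
    {"kind": "file_write", "pid": 100, "path": TMP + r"\stage2.exe"},         # fragments appended into an exe
    {"kind": "proc", "pid": 101, "ppid": 100, "image": TMP + r"\stage2.exe", "signed": False},
    {"kind": "file_delete", "pid": 101, "path": TMP + r"\stage2.exe"},        # runs, then removes itself
    *[{"kind": "proc", "pid": 200 + i, "ppid": 101,
       "image": r"C:\Windows\System32\cmd.exe", "signed": True} for i in range(36)],
    {"kind": "reg_set", "pid": 101, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    *[{"kind": "reg_set", "pid": 101, "key": rf"HKCU\Software\Bundle\opt{i}"} for i in range(120)],
]


def analyze(events, cmd_burst=10, reg_churn=100, min_fragments=2):
    """Return {indicator_name: evidence_list} for every behavior observed in the trace."""
    hits = defaultdict(list)
    image = {}                       # pid -> image path
    children = defaultdict(list)     # ppid -> child image paths
    frags = defaultdict(list)        # pid -> .dat fragments written so far
    reg_count = Counter()            # pid -> registry writes
    deleted = set()                  # lower-cased paths deleted during the trace

    for ev in events:
        kind = ev["kind"]
        if kind == "proc":
            image[ev["pid"]] = ev["image"]
            children[ev["ppid"]].append(ev["image"])
            if not ev["signed"] and USER_WRITABLE.search(ev["image"]):
                hits["unsigned_exec_from_user_dir"].append(ev["image"])
        elif kind == "net":
            try:
                ipaddress.ip_address(ev["dst"])   # raises for hostnames
                hits["beacon_to_literal_ip"].append(f'{ev["dst"]}:{ev["port"]}')
            except ValueError:
                pass  # hostname: registrant/reputation lookup would go here, not done offline
        elif kind == "file_write":
            path = ev["path"].lower()
            if path.endswith(".dat"):
                frags[ev["pid"]].append(ev["path"])
            elif path.endswith(EXEC_EXT) and len(frags[ev["pid"]]) >= min_fragments:
                # an executable materialises only after several small fragments: reassembly
                hits["fragment_assembly_to_executable"].append((len(frags[ev["pid"]]), ev["path"]))
        elif kind == "file_delete":
            deleted.add(ev["path"].lower())
        elif kind == "reg_set":
            reg_count[ev["pid"]] += 1
            if RUN_KEY.search(ev["key"]):
                hits["run_key_persistence"].append(ev["key"])

    # Post-pass checks that need the whole trace.
    for img in image.values():
        if img.lower() in deleted:
            hits["executed_then_deleted"].append(img)
    for ppid, imgs in children.items():
        n = sum(1 for i in imgs if i.lower().endswith("\\cmd.exe"))
        if n >= cmd_burst:
            hits["cmd_spawn_burst"].append((ppid, n))
    for pid, n in reg_count.items():
        if n >= reg_churn:
            hits["registry_churn"].append((pid, n))
    return dict(hits)


def score(events):
    """Number of distinct behavioral indicators tripped; crude but comparable across traces."""
    return len(analyze(events))


if __name__ == "__main__":
    for name, evidence in analyze(SAMPLE_EVENTS).items():
        print(f"{name}: {evidence[:3]}{' ...' if len(evidence) > 3 else ''}")
    print("indicators tripped:", score(SAMPLE_EVENTS))
```

Any one of these indicators on its own is weak (plenty of installers write to Temp, and a single Run key is routine); the point, as in the post, is the chain: the same small process tree trips all of them in order. Thresholds such as `cmd_burst` and `reg_churn` are tuning knobs, not facts about any particular bundle.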