Old Malware Tricks Still Defeat Most AV Scanners
SkiifGeek writes "A year ago Didier Stevens discovered that padding IE malware with 0x00 bytes would happily slip past most of the scanners in use at VirusTotal.com. Revisiting his earlier discovery, Didier found that detection on his initial samples had improved, but not by much. For all the talk of AV companies moving away from signature-based detection to heuristics, it is painfully obvious that not many of the tested engines can successfully handle such a simple and well-known obfuscation method, and the best of those that can detect the obfuscation can only detect it as a generic malware type. At least the scanning engines that can detect the presence of malware with the obfuscation aren't trying to claim each differential as a new variant."
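To make concrete why appending 0x00 bytes is enough to dodge some signatures and not others, here is an added example (written for this page; it is not Didier Stevens' test harness and not any vendor's engine). The "malware" is a constructed byte string, and the four signature styles (whole-file hash, file-size plus fixed-offset bytes, content pattern, and hash over a trailing-null-stripped copy) are toy stand-ins for the kinds of checks a scanner can make. The padding position (appended at the end) is this example's assumption, not a statement about what the original samples did.

```python
"""Toy demonstration of which signature styles survive 0x00 padding."""
import hashlib

# Constructed stand-in for a malicious file (NOT real malware): a fake MZ/PE
# header, a contiguous marker string a content signature can key on, and a
# tail that does not end in 0x00 so trailing-null normalisation leaves it alone.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
    + b"EVIL_PAYLOAD_MARKER" + b"\x90" * 32
)


def normalize(data: bytes) -> bytes:
    """Strip trailing 0x00 padding before hashing.

    Caveat: this only undoes padding *appended* to the file; nulls inserted
    elsewhere (or a legitimately null-terminated file) change the hash.
    """
    return data.rstrip(b"\x00")


# Four signature styles, all derived from the clean sample.
NAIVE_HASH_SIG = hashlib.sha256(SAMPLE).hexdigest()            # whole-file hash
NORMALIZED_HASH_SIG = hashlib.sha256(normalize(SAMPLE)).hexdigest()
SIZE_OFFSET_SIG = (len(SAMPLE), 64, b"PE\x00\x00")  # (expected size, offset, bytes)
PATTERN_SIG = b"EVIL_PAYLOAD_MARKER"                # contiguous content pattern


def pad_with_nulls(data: bytes, n: int) -> bytes:
    """The evasion: append n zero bytes to the file."""
    return data + b"\x00" * n


def insert_nulls(data: bytes, at: int, n: int) -> bytes:
    """A variant the normaliser does not handle: nulls inserted mid-file."""
    return data[:at] + b"\x00" * n + data[at:]


def scan(data: bytes) -> dict:
    """Run every signature style against data and report which ones fire."""
    size, off, pat = SIZE_OFFSET_SIG
    return {
        "naive_hash": hashlib.sha256(data).hexdigest() == NAIVE_HASH_SIG,
        "size_offset": len(data) == size and data[off:off + len(pat)] == pat,
        "pattern": PATTERN_SIG in data,
        "normalized_hash": hashlib.sha256(normalize(data)).hexdigest() == NORMALIZED_HASH_SIG,
    }


if __name__ == "__main__":
    cases = {
        "clean": SAMPLE,
        "padded (appended nulls)": pad_with_nulls(SAMPLE, 4096),
        "nulls inserted at header": insert_nulls(SAMPLE, 64, 16),
    }
    for label, blob in cases.items():
        print(f"{label:28s} {scan(blob)}")
```

Appending padding breaks the whole-file hash and the size-keyed check but not the content pattern, and stripping trailing nulls before hashing restores the hash match. Inserting nulls inside the file (the third case) leaves only the content pattern working, which is why engines that key on "what is in the file" rather than "what the file hashes to" fare better against this class of trick.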
Fir0x00st!
My first program:
Hell Segmentation fault
So padding it with nothing makes it undetectable? I never thought of that!
At least the scanning engines that can detect the presence of malware with the obfuscation aren't trying to claim each differential as a new variant.
Don't give the guys in marketing any ideas. "New and Improved! FoobarAV now detects an infinite number of viruses! Compare that with Norton's piddly 30,000."
This guy's the limit!
Considering the arguments I got into over the words 'Signatures' and 'Heuristics' when it came to anti-virus, I'm not surprised.
They think heuristics are BLAH.*BLAH instead of BLAH...BLAH.
And even then, they don't get it right.
Of course they still fool AV scanners. If they didn't how would they be able to sell you a malware scanner on top of your AV scanner?
...and this pretty much says it all. Even for Windows.
We are in serious trouble, and have been for a while now. And nowhere to migrate to.
deleting the extra space after periods so i can stay relevant, yeah.
It seems like this is exactly the sort of place where AI could be useful...disassemble some binary data, figure out what it does, and use *that* as a sort of signature. The behavior of the program is the thing that causes a problem, anyhow.
It is pitch black. You are likely to be eaten by a grue.
You know how you charge something, sign for it, and no one looks at or cares about the signature? There's a reason for that. Credit card companies have figured out that verifying identity is impossible. Instead they try to verify each transaction by looking at the recent pattern of purchases for signs of theft.
Instead of trying to identify incoming viruses, they should be focusing on removal tools and monitoring. Watch the processes for unusual behavior and flag the user if something is detected, then actually get rid of the virus if the user agrees with the analysis. Granted, unusual behavior is a pretty vaguely defined concept, but that seems a lot more adaptable to new threats than the current methods.
This is the dirty secret of desktop / on-access antivirus scanners: they don't work.
F.D., I work in the industry, and the sole exception from this rule is my own employer's product, xxxxxxxxxxxx, of course.
If your scanner doesn't say program X is malware, does that mean you should run program X?
Of course not. Quit downloading and running random programs, and your results will be the same whether scanners work, don't work, or you don't have one at all.
"Believe me!" -- Donald Trump
...a bit OT, but sometimes I wonder when the year of malware on Linux or OS X will be.
"I took it and paid you for it (480,000 lire)"
This scanning aspect grows even more germane as we ascend into the commonality of terabyte drives.
We need better approaches to checking files for infections or payloads -- like checking them thoroughly once and then checking any newly created or altered ones at the time of alteration. But even there you take a performance hit, and I know most AV systems already do this to some extent (but will rescan all the drives periodically).
Ah, gotta love Windows. I much prefer to have a clean system and avoid any operations that might introduce a payload -- like running IE, for example.
Google's attempts to flag questionable sites is half-baked, and depends on GoogleBots catching the vulnerabilities before your browser does. And for the poor site owner that's been compromised, Google fails to provide enough details for the site owner to eliminate the potential problems.
Well, I don't use Windows as my primary platform for a number of reasons, virus vulnerabilities being one of them. Not to say Linux doesn't have its share, but they are far less common and if you keep up with the latest upgrades, you'll do OK for the most part.
I think we need to go in a direction of relying on hypervisor-wrapped OSes that can do selective rollbacks to the points before infection. This way, you eliminate the need for scanning everything all the time and better yet, you might put some of the malware protection in the hypervisor itself, at a level the guest OS or the malware could never detect nor evade.
Just a thought for free for some enterprising individual to go make $$$$ from!
Ruby Neural Evolution of Augmenting Topologies
...will be to invest money in marketing to find some way in which this study is not "fair"; in other words, how it doesn't align with limited and unrealistic testing methodology that only focuses on very specific ways their tools succeed in detecting malware.
They've done (Skoudis) it before (Secunia).
akad0nric0
This sentence no verb.
Absofriggenlutely.
Adblock, noscript, firefox.
I ran Spybot S&D yesterday (first time in several months) and it came up completely empty.
Any site that requires javascript for navigation is broken.
A few years back, Consumer Reports took some malware and made some trivial changes and almost all the AV vendors failed that simple test.
If you recall the AV vendors criticized Consumer Reports because they claimed it was the equivalent of producing new malware and that it was irresponsible.
Bottom line... this pretty much proves that AV has little or no value. You use it because everybody tells you that you have to use it, not because it provides any sort of comprehensive security (it doesn't even come close).
You were mistaken. Which is odd, since memory shouldn't be a problem for you
Working in a repair shop, the most common infection I've seen in the past couple months has been the rogue antivirus/antispyware products. They usually pose as "Antivirus 2009" or "XP Antivirus 2009". They use extremely generic names. It's funny because every customer that has one of these infections is usually running Norton, McAfee, Trend Micro, AVG, or any of them. Not ONE of them from 2008 has been able to get rid of the rogue product. It's funny too because all you have to do is remove a couple lines in HiJackThis and remove the Program Files folder. Although it has made our repair shop a good amount of money, it is annoying having to tell customers why their AV software can't remove such a silly thing. I've been a strong supporter of Panda Antivirus for many years, and I've always thought all the others are extremely bloated. ESPECIALLY NORTON.. HOWEVER, Norton 2009 has literally done a 180 with its performance. It removed XP Antivirus in no time. It barely uses 1% of your CPU when it is idle, and it updates literally every few minutes. I've been extremely impressed with their latest release and would recommend the noobs out there try a 15 day free trial. But of course, ultimately running any AV software is a joke if you know how to use your computer correctly and don't download goat pr0n and warez. But FYI, if you would have asked me a month ago about Norton, I would have told you it is ridiculous and extremely bloated crap software, just like the rest.
*plays the Apogee theme song music*
I run Spybot around twice a week and mine hasn't found anything for months, except my 'Registryfix' which it thinks is malware...strange.
Smivs on the intertubes!
I'm almost at one of those "No, I won't fix your computer" moments.
If asked (or arm-twisted), which AV vendor would you recommend?
At some point in time, each seems to move to the "front of the line" in terms of quality and performance...then some update comes along and...boom...either or both go into the crapper.
Suggestions?
Then read this!
From the Kaspersky Forums, Kaspersky does not find obfuscated trojans.
-hunag
"Our anti-virus kit moves over files so quickly, the virus shrinks to zero length and has infinite mass!"
"The new heuristic bends space-time, causing malware to fall off the edge!"
"AVSoft's new scanner sends you backwards in time, so you were never infected in the first place!"
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
These0x00are0x00not0x00the0x00softwares0x00you0x00are0x00scanning0x00for.
.. paranoid crackpot leftover from the days of Amiga.
Windows makes a bad media player. Linux is way better for handling multimedia files (if your country doesn't make it illegal, of course).
Rethinking email
"I have discovered so far, that
- it is installed as a Windows driver,
- this driver gets notified at winlogon,
- the driver creates an exe,
- the exe executes and stays in memory,
- the virus driver file then mutates and goes elsewhere, again to come back at the next logon; this mutation is what virus scanners can't work with,
- it spreads via Windows networking to other computers on the network, this however only if the other computers have any shared writable folders." - by mrops (927562) on Friday November 07, @01:40PM (#25678439)
Install RECOVERY CONSOLE as a bootup option
(Its installer alters boot.ini for this as it installs & it adds a bootup menu choice/option for using it once you reboot after installation of it)
To install it, that is done from your OS installation media's I386 Folder, via the commandline ->
winnt32.exe /cmdcons
Once it is in place?
You can issue the LISTSVC command there, & it will show this trojan/virus' name once you scan the list of drivers &/or services it presents (look carefully, & odds are, you will see it there).
Then, you would use the DISABLE command on it (that stops both services, AND, DRIVERS too) - ENABLE is the opposite command, just so you know (&, in case you make a mistake here).
APK
P.S.=> The Windows Networking you mention? I am going to assume File & Print sharing via LanManager networking... & IF you don't use a home LAN (or, connect into a work LAN/WAN, remotely from this infected system)? You can actually REMOVE it a couple ways (easiest ones are stopping the SERVER service via services.msc & setting its startup type to DISABLED (server provides file & print sharing is why) OR, just go to your LOCAL AREA CONNECTION, & uncheck (if not totally remove) "File and Print Sharing" and "Client for Microsoft Networks" there (because all you REALLY NEED to be online, is Tcp/IP)... this will not only help secure you, & stall this machination on your system, BUT, it will also give you back CPU cycles, memory, & other forms of I/O too, because you will be cutting off things you may have running that you do NOT really need to be... IF you are not part of a LAN/WAN, that is... apk
How's 1995 treating you? Animated GIF's still everywhere?
I have no problem with a sitemap, something more compatible with screen readers, but seriously... JavaScript exists, and is quite good at making websites and web apps interactive. That's what it's for. Denying reality is pointless, and even though you claim that any site that requires Javascript as broken, that doesn't make it so. Google Maps, gmail, many other sites that are very useful all require JavaScript, for a very good reason.
My blog. Good stuff (when I remember to update it). Read it.
In the interest of _not_ getting modded off-topic, this probably should be submitted as a poll.
Crap. What did the new CSS do with the "Post anonymously" option??
In addition to what I posted originally here (thanks for the "modded up" status too, whoever did so):
http://it.slashdot.org/comments.pl?sid=1021873&cid=25681261
?
To access & stop the "backup" of this trojan's driver, since it apparently is using a form of "phalanx-like" backup of itself & its constituent part? Well, go here, using REGEDIT.EXE, once you reboot (after using RECOVERY CONSOLE's LISTSVC + DISABLE commands to stall the driver itself), because this 'backup' portion you're seeing @ WinLogon MAY undo what you did in deactivating the trojan's driver portion:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
And, in the right-hand side pane of REGEDIT.EXE? Look for the SHELL line (should ONLY have Explorer.exe in it) - odds are, that's the part that's controlling this 2nd part you noted, that notifies the trojan's driver portion!
Good luck!
APK
P.S.=> IF this thing's 2nd 'backup' portion isn't there, in the WINLOGON section you mentioned?
Then, examining ALL other startup areas (prior to the explorer.exe shell logon by you), to find its other part...
MSCONFIG.EXE is decent for this!
Autoruns (sysinternals/MS) is also...
OR
Startup CPL (Mike Lin)
Are ALL/EACH good candidates for the job...
(If not digging for those sections via REGEDIT.EXE (You'll need a list of startup areas Window has though, & it's MUCH MORE MANUAL than the other tools I noted/listed, a downside of doing it manually really vs. using automators such as the progs I just listed))... apk
Do you understand what Noscript actually does? It allows you to very easily whitelist which sites you trust to run javascript/flash. After about a week of enabling sites you frequent (e.g. banking, google maps etc), there is very little upkeep involved, while preventing sundry sites you google from executing code. The effort compared to a full reinstall every 6 months is minuscule, which is why Noscript is so popular.
As the practice of disabling javascript by default becomes more popular, companies should ask themselves whether they really need javascript or flash for what they do. If they are in the position of an 800-lb gorilla (e.g. bank, ebay, amazon, google etc), then they can use javascript for whatever they want. But a lot of smaller companies probably lose some sales because they use javascript where it is not necessary, e.g. in conveying basic product information and price.
If I have seen further it is by stealing the Intellectual Property of giants.
I am a web developer, quite proficient in javascript, and agree with the GP. No site should *require* js for navigation. There are established ways to mark up your menus, no matter how complex they may be, so that they may be navigated with js turned off while perhaps having enhanced usability or attractiveness for those who allow it to run. This is absolutely essential in the modern web: your most important visitor, the googlebot, doesn't run javascript - and obviously you want it to be able to follow links on your site.
That's like saying bug repellent is no good against tigers. News at 11!
The good thing about open source operating systems is that you can pad the OS with extra zero bytes too so that the viruses cannot recognise the OS and don't know how to infect it.
I am anarch of all I survey.
She does look like a man
We use SAV10 and SEP11 as well on the desktop. Luckily we use different AV vendors for various perimeter protection systems.
In one incident, Symantec did not detect an already infected PC reliably after the appropriate signature had been added. Symantec then told us that it would only reliably detect the threat during the infection, not if a signature had been applied after the infection occurred!
In another incident, one other AV vendor (Kaspersky) used for perimeter protection detected a threat by itself shortly (2-3 hours) after we received an infected email. Symantec did not detect that same threat even after a week. After that week I supplied three AV vendors that did not detect it with a sample:
Sophos and ClamAV added signatures within two to three hours, without us being customers.
Symantec however - where we have a platinum support contract - did not detect it 24 hours after I supplied them a sample, and after that we had to escalate the case so that it only took another 48 hours for a signature to be added!
Also, SEP11 does not detect the trojan that comes within a ZIP file if that ZIP file is opened with Explorer. This was a feature that we demanded after the same had been true for a malware case with SAV10. We were told this was added with SEP11, and indeed for that malware it was detected within the ZIP by SEP11 when it was opened. But as the same does not hold true for the "new" malware, I wonder if they just added a signature for the "old" malware when it was compressed in a ZIP file.
Of course I have to post as AC so nobody can determine where I work and thus cannot enumerate our AV infrastructure.
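The ZIP complaint above (a trojan inside an archive not being detected until the archive is opened) comes down to whether the scanner looks inside containers at all, and whether it does so for any member rather than for one specific archived sample. As an added example, not code from the poster or from any vendor, here is a minimal recursive archive scanner in Python. The content signature, the in-memory test archives and the depth/size limits are all constructed for the example; a real engine would use its signature database in place of the toy marker.

```python
"""Toy recursive ZIP scanner: look inside containers, with nesting guards."""
import io
import zipfile

PATTERN_SIG = b"EVIL_PAYLOAD_MARKER"  # constructed content signature, not real
MAX_DEPTH = 3                         # stop unpacking archives nested deeper than this
MAX_MEMBER_BYTES = 16 * 1024 * 1024   # skip members whose declared size is larger


def build_sample_archive() -> bytes:
    """Constructed test data: an outer ZIP holding a benign text file and a
    nested ZIP whose member carries the marker (the 'trojan in a ZIP' case)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("invoice.exe", b"MZ" + b"\x00" * 30 + PATTERN_SIG + b"\x00" * 100)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("readme.txt", b"nothing to see here\n")
        z.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()


def build_deep_archive(levels: int) -> bytes:
    """Constructed test data: the marker wrapped in `levels` nested ZIPs,
    the shape a nesting bomb or a deliberate evasion would take."""
    data = b"MZ" + b"\x00" * 64 + PATTERN_SIG + b"\x00" * 64
    name = "payload.exe"
    for _ in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
            z.writestr(name, data)
        data, name = buf.getvalue(), "layer.zip"
    return data


def _scan_bytes(data: bytes, path: str, depth: int, findings: list) -> None:
    """Match the signature against this blob, then descend if it is a ZIP."""
    if PATTERN_SIG in data:
        findings.append((path, "signature match"))
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return
    if depth >= MAX_DEPTH:
        # Refusing to unpack is itself worth reporting: an attacker can hide
        # a payload below any fixed limit, so treat the archive as suspicious.
        findings.append((path, "nesting limit reached, not unpacked"))
        return
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            member_path = f"{path}/{info.filename}"
            # Check the declared uncompressed size before inflating anything.
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((member_path, "oversized member skipped"))
                continue
            _scan_bytes(z.read(info.filename), member_path, depth + 1, findings)


def scan_archive(data: bytes, name: str = "upload.zip") -> list:
    """Return a list of (path, finding) tuples for an archive held in memory."""
    findings: list = []
    _scan_bytes(data, name, 0, findings)
    return findings


if __name__ == "__main__":
    for path, finding in scan_archive(build_sample_archive()):
        print(f"{finding:38s} {path}")
    for path, finding in scan_archive(build_deep_archive(6)):
        print(f"{finding:38s} {path}")
```

The scanner matches the signature on every blob it sees, including the inner ZIP's own bytes, and only the member that actually carries the marker is reported. The depth and size limits are the practitioner's caveat: an engine that unpacks nested archives needs a bound on recursion and on inflated size, and anything that hits the bound should be surfaced rather than silently passed.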