Old Malware Tricks Still Defeat Most AV Scanners

SkiifGeek writes "A year ago Didier Stevens discovered that padding IE malware with 0x00 bytes would happily slip past most of the scanners in use at VirusTotal.com. Revisiting his earlier discovery, Didier found that detection on his initial samples had improved, but not by much. For all the talk of AV companies moving away from signature based detection to heuristics, it is painfully obvious that not many of the tested engines can successfully handle such a simple and well known obfuscation method and the best of those that can detect the obfuscation can only detect it as a generic malware type. At least the scanning engines that can detect the presence of malware with the obfuscation aren't trying to claim each differential as a new variant."

Re:Applied AI

http://en.wikipedia.org/wiki/Halting_problem

Re:uh oh

Detects 70%* of viruses, 60%** of malware, 20% of trojans***, and 1% of rootkits****!

*Includes false positives
**Includes tracking cookies
***Any generic threat found is counted as a virus and a trojan
****Removal of rootkits is not supported in AV Total Security Home 2008 + Firewall. To remove rootkits, you must purchase the value-add Anti-Rootkit Pro module.

Just had a virus hit at work.
Symantec 'detected' it but didnt stop it at all, within minutes we had ~60 computers infected.

Thank god the other 1200 computers we have where running linux.

Re:Padding with 0x00 bytes?

[Tony+Hoyle]

If it's the one I saw the driver even gets loaded in safe mode.

You have to boot onto a rescue DVD and find the driver file, delete that and it'll stop the driver loading. Then boot into safe mode (if you boot into normal mode the user mode code will reinstall the driver) and find every copy of the executable and nuke it.

If you miss one it's back to square one.

Personally I'd just reinstall...

Re:Padding with 0x00 bytes?

[Mister+Whirly]

"I don't run a anti-virus at home, don't like them.

I am not overly fond of most AV software either, but I like an infected machine even less.

RECOVERY CONSOLE COMMAND DISABLE STOP DRIVER

"I have discovered so far, that
- it is installed as windows driver,
- this driver gets notified at winlogon
- the driver creates a exe
- the exe executes and stays in memory
- the virus driver file then mutates and goes elsewhere, again to come back at the next logon, this mutation is what virus scanners can't work with.
- Spreads via Windows networking to other computers on the network, this however only if the other computers have any shared writable folders. - by mrops (927562) on Friday November 07, @01:40PM (#25678439)

Install RECOVERY CONSOLE as a bootup option

(Its installer alters boot.ini for this as it installs & it adds a bootup menu choice/option for using it once you reboot after installation of it)

To install it, that is done from your OS installation media's I386 Folder, via the commandline ->

winnt32.exe /cmdcons

Once it is in place?

You can issue the LISTSVC command there, & it will show this trojan/virus' name once you scan the list of drivers &/or services it presents (look carefully, & odds are, you will see it there).

Then, you would use the DISABLE command on it (that stops both services, AND, DRIVERS too) - ENABLE is the opposite command, just so you know (&, in case you make a mistake here).

APK

P.S.=> The Windows Networking you mention? I am going to assume File & Print sharing via LanManager networking... & IF you don't use a home LAN (or, connect into a work LAN/WAN, remotely from this infected system)? You can actually REMOVE it a couple ways (easiest ones are stopping the SERVER service via services.msc & setting its startup type to DISABLED (server provides file & print sharing is why) OR, just go to your LOCAL AREA CONNECTION, & uncheck (if not totally remove) "File and Print Sharing" and "Client for Microsoft Networks" there (because all you REALLY NEED to be online, is Tcp/IP)... this will not only help secure you, & stall this machination on your system, BUT, it will also give you back CPU cycles, memory, & other forms of I/O too, because you will be cutting off things you may have running that you do NOT really need to be... IF you are not part of a LAN/WAN, that is... apk