Slashdot Mirror


Old Malware Tricks Still Defeat Most AV Scanners

SkiifGeek writes "A year ago Didier Stevens discovered that padding IE malware with 0x00 bytes would happily slip past most of the scanners in use at VirusTotal.com. Revisiting his earlier discovery, Didier found that detection on his initial samples had improved, but not by much. For all the talk of AV companies moving away from signature based detection to heuristics, it is painfully obvious that not many of the tested engines can successfully handle such a simple and well known obfuscation method and the best of those that can detect the obfuscation can only detect it as a generic malware type. At least the scanning engines that can detect the presence of malware with the obfuscation aren't trying to claim each differential as a new variant."
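The summary's point is that a scanner matching exact file hashes loses the sample as soon as 0x00 bytes are added. As an added example (not Didier Stevens' test nor any vendor's engine), the Python below compares a naive exact-hash lookup with one that normalizes null padding away before hashing, and adds a padding-ratio heuristic; it strips leading as well as trailing runs, so it covers padding at either end. The sample bytes, signature names and threshold are constructed.

```python
import hashlib

# Constructed stand-in for a "known bad" file; it is inert text, not malware.
KNOWN_BAD = b"MZ" + b"\x90" * 32 + b"constructed-known-bad-marker-v1" + b"\x00" * 8


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def strip_null_padding(data: bytes) -> bytes:
    """Remove runs of 0x00 at the start and end of the file.

    Leading and trailing runs are both stripped, so a sample padded at either
    end normalizes to the same bytes (a generalization of the page's case).
    """
    return data.strip(b"\x00")


# Minimal signature database. The "exact" entry is how a naive scanner stores
# the sample; the "normalized" entry hashes it with null padding stripped.
SIGNATURES = {
    "exact": {sha256_hex(KNOWN_BAD): "Constructed.KnownBad"},
    "normalized": {sha256_hex(strip_null_padding(KNOWN_BAD)): "Constructed.KnownBad"},
}


def null_padding_ratio(data: bytes) -> float:
    """Fraction of the file made up of leading/trailing 0x00 runs."""
    if not data:
        return 0.0
    return 1.0 - len(strip_null_padding(data)) / len(data)


def scan(data: bytes, padding_alert: float = 0.25) -> dict:
    """Return the verdicts a naive and a normalizing scanner would reach.

    padding_alert is a constructed threshold: real PE files carry some
    legitimate null padding, so it needs tuning against a clean corpus.
    """
    exact = SIGNATURES["exact"].get(sha256_hex(data))
    normalized = SIGNATURES["normalized"].get(sha256_hex(strip_null_padding(data)))
    ratio = null_padding_ratio(data)
    return {
        "exact_match": exact,
        "normalized_match": normalized,
        "null_padding_ratio": round(ratio, 3),
        "suspicious_padding": ratio >= padding_alert,
    }


def padded_variant(data: bytes, leading: int, trailing: int) -> bytes:
    """Constructed test input: the same bytes with extra 0x00 runs at the ends."""
    return b"\x00" * leading + data + b"\x00" * trailing


if __name__ == "__main__":
    print(scan(KNOWN_BAD))                          # exact and normalized match
    print(scan(padded_variant(KNOWN_BAD, 0, 4096))) # only the normalized match survives
```

Stripping the ends does nothing for nulls inserted inside the file; that case needs a format-aware parser that hashes the sections an executable loader would actually map.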

45 of 122 comments

  1. Fir0x00st! by fph il quozientatore · · Score: 5, Funny

    Fir0x00st!

    --
    My first program:

    Hell Segmentation fault

    1. Re:Fir0x00st! by Zencyde · · Score: 4, Funny

      Strangely, the 0x00 exploit even works on Slashdot... you've somehow gotten a "first post" to +5 Funny. If that's not hacker-worthy, I don't know what is.

      --
      What day is it? Could you please tell me?
  2. Padding with 0x00 bytes? by glindsey · · Score: 5, Funny

    So padding it with nothing makes it undetectable? I never thought of that!

    1. Re:Padding with 0x00 bytes? by corsec67 · · Score: 3, Insightful

      Since this is viruses evading detection, wouldn't this be "Insecurity through obscurity"?

      --
      If I have nothing to hide, don't search me
    2. Re:Padding with 0x00 bytes? by rebootconrad · · Score: 2, Interesting

      You know, posting it to virus total just runs it through a static file scanner. Most IE exploits are caught when they attempt to install - you can obfuscate the static code, but you can't obfuscate the call to the system API. VirusTotal is a useful resource, but it doesn't really show anything when it comes to live threats.

    3. Re:Padding with 0x00 bytes? by mrops · · Score: 4, Interesting

      Man, let me tell you, viruses have evolved. Really evolved. I don't run an anti-virus at home, don't like them.

      In a moment of weakness I started watching a downloaded version of Stargate, missed it on Friday :( the WMV movie asked for a "codec" to be installed, guess what... (I know I should have known better)

      It's been 4 weeks and I am still struggling with this virus. Most virus scanners detect this beast, however in my last 4 weeks, none can properly clean it. This has become somewhat of a challenge.

      I have discovered so far, that
      - it is installed as a Windows driver,
      - this driver gets notified at winlogon
      - the driver creates an exe
      - the exe executes and stays in memory
      - the virus driver file then mutates and goes elsewhere, again to come back at the next logon, this mutation is what virus scanners can't work with.
      - Spreads via Windows networking to other computers on the network, this however only if the other computers have any shared writable folders.

      Yesterday, I discovered, the crappy thing downloads and installs stuff off the internet.

      Fortunately I have all data backed up.

      I can re-install my XP anytime, but this has become too challenging to let go.

      Here is a kicker, I tried infecting a qemu emulated XP VM, guess what, there is a newer version of the virus, somewhat different than 4 weeks ago. The new codec that downloaded wasn't the same that got downloaded to my machine.

      So it seems these virus/trojan developers are well funded and doing this as a day job. Hoping this trojan shares some mp3s so RIAA can go after them, they seem to be more effective than FBI in tracking this kind of a thing.

      Here's some good news: my dad's Vista PC is immune to this virus, so Microsoft may have done something right, or maybe the virus/trojan developers are not targeting Vista.

    4. Re:Padding with 0x00 bytes? by Schadrach · · Score: 2, Informative

      Virtumundo?

    5. Re:Padding with 0x00 bytes? by floorpirate · · Score: 2, Funny

      If someone ever figures out how to translate 0x00 bytes into something that can affect human senses, they'll have developed the Somebody Else's Problem field!

      --
      For every action there is a completely absurd lawsuit.
    6. Re:Padding with 0x00 bytes? by Tony Hoyle · · Score: 3, Informative

      If it's the one I saw the driver even gets loaded in safe mode.

      You have to boot onto a rescue DVD and find the driver file, delete that and it'll stop the driver loading. Then boot into safe mode (if you boot into normal mode the user mode code will reinstall the driver) and find every copy of the executable and nuke it.

      If you miss one it's back to square one.

      Personally I'd just reinstall...

    7. Re:Padding with 0x00 bytes? by ion.simon.c · · Score: 4, Insightful

      K. Start using Mplayer [1] and VLC [2] NOW. They ignore the executable parts of MSFT's multimedia formats.

      [1] Grab the "Windows GUI" and the "Windows X86 codec package" from here: http://www.mplayerhq.hu/design7/dload.html
      [2] http://www.videolan.org/vlc/

    8. Re:Padding with 0x00 bytes? by Mister Whirly · · Score: 3, Informative

      "I don't run an anti-virus at home, don't like them."

      I am not overly fond of most AV software either, but I like an infected machine even less.

      --
      "But this one goes to 11!"
    9. Re:Padding with 0x00 bytes? by Zencyde · · Score: 2, Funny

      Wow.. that analogy made sense. I propose Slashdot move from car analogies to Superman analogies. All in favor?

      --
      What day is it? Could you please tell me?
    10. Re:Padding with 0x00 bytes? by PitaBred · · Score: 4, Insightful

      Might be time to start running your machine as a non-admin user. I'd be willing to bet that's what the difference between your Dad's Vista PC and yours is.

    11. Re:Padding with 0x00 bytes? by JCSoRocks · · Score: 2, Informative

      I've tried VLC recently but I couldn't even get it to play the audio track on a .MOV file... I dropped it shortly after that. Is MPlayer any better? I remember using it long ago but I stopped bothering to install it every time I rebuilt.

      --
      You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
  3. uh oh by gEvil (beta) · · Score: 4, Funny

    At least the scanning engines that can detect the presence of malware with the obfuscation aren't trying to claim each differential as a new variant.

    Don't give the guys in marketing any ideas. "New and Improved! FoobarAV now detects an infinite number of viruses! Compare that with Norton's piddly 30,000."

    --
    This guy's the limit!
    1. Re:uh oh by noundi · · Score: 4, Interesting

      Your post gave me a thought. How come no AV markets their software using relativity? I mean what use does the average user have for software that detects a decade old piece of malicious code, that most likely doesn't even work anymore? Perhaps it's time that they market their software with fixes for current problems, not brag about their huge bank of outdated viruses. That creates nothing but a bloated AV, which in the end will most likely hog your system more than it should.

      --
      I am the lawn!
    2. Re:uh oh by mewshi_nya · · Score: 5, Insightful

      and both foobar and norton will suck. It's not the numbers it *can* detect, it's about how *well* it detects them and how little resources it takes.

    3. Re:uh oh by sexconker · · Score: 4, Funny

      Detects 70%* of viruses, 60%** of malware, 20% of trojans***, and 1% of rootkits****!

      *Includes false positives
      **Includes tracking cookies
      ***Any generic threat found is counted as a virus and a trojan
      ****Removal of rootkits is not supported in AV Total Security Home 2008 + Firewall. To remove rootkits, you must purchase the value-add Anti-Rootkit Pro module.

    4. Re:uh oh by zappepcs · · Score: 4, Funny

      Pardon me young man. You do work here, don't you?

      Well, yes, you can help me. I was just wondering if you can explain the differences between the Value-add Anti-Rootkit Pro module and the Value-add Anti-Rootkit Amateur module.

      You see, my wife doesn't think I should be messing with anything for professionals, so I need to know the differences.

    5. Re:uh oh by Anonymous Coward · · Score: 3, Informative

      Detects 70%* of viruses, 60%** of malware, 20% of trojans***, and 1% of rootkits****!

      *Includes false positives
      **Includes tracking cookies
      ***Any generic threat found is counted as a virus and a trojan
      ****Removal of rootkits is not supported in AV Total Security Home 2008 + Firewall. To remove rootkits, you must purchase the value-add Anti-Rootkit Pro module.

      Just had a virus hit at work.
      Symantec 'detected' it but didn't stop it at all, within minutes we had ~60 computers infected.

      Thank god the other 1200 computers we have were running Linux.

    6. Re:uh oh by jgtg32a · · Score: 2, Funny

      Not so much anymore. Most viruses these days just want to leech your bandwidth and DOS someone else; there is less of a performance loss when compared to most AV software.

  4. What they lied about using heuristics? NEVER! by topham · · Score: 3, Interesting

    Considering the arguments I got in between the word 'Signatures' and 'Heuristics' when it came to anti-virus I'm not surprised.
    They think heuristics are BLAH.*BLAH instead of BLAH...BLAH.

    And even then, they don't get it right.

    1. Re:What they lied about using heuristics? NEVER! by ultranova · · Score: 2, Informative

      So guess how hard it will be to get them to run a perl script as root - either via sudo or other means.

      Why would it need to run as root? Running as a regular user, it can:

      1. Start as soon as the machine starts by simply adding itself to the user's crontab.
      2. Access the network, both TCP/IP and UDP/IP, and use all protocols that run on top of these.
      3. Read the user's address book.
      4. Listen to user's keystrokes and mouse movements, as well as take screenshots (but probably not if written in perl).
      5. Attach itself as a debugger to any process owned by the user (such as the web browser), and read and control their internal state (but probably not if written in perl).

      Add the fact that Gnome starts a shitload of processes with weird names to help mask the virus process, and I can see no reason whatsoever why a Linux virus would need or even want root privileges. About the only thing it can't do is send raw ICMP packets. That would be useless anyway, since exploiting holes in kernel networking stack would make said holes get fixed very fast indeed.

      --
      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  5. Applied AI by khellendros1984 · · Score: 2, Interesting

    It seems like this is exactly the sort of place where AI could be useful...disassemble some binary data, figure out what it does, and use *that* as a sort of signature. The behavior of the program is the thing that causes a problem, anyhow.

    --
    It is pitch black. You are likely to be eaten by a grue.
    1. Re:Applied AI by Anonymous Coward · · Score: 3, Informative

      http://en.wikipedia.org/wiki/Halting_problem

  6. Credit Card Companies by MozeeToby · · Score: 4, Insightful

    You know how you charge something, sign for it and no one looks at or cares about the signature. There's a reason for that. Credit Card companies have figured out that verifying identity is impossible. Instead they try to verify the transaction by looking at the recent pattern of purchases for signs of theft.

    Instead of trying to identify incoming viruses, they should be focusing on removal tools and monitoring. Watch the processes for unusual behavior and flag the user if something is detected, then actually get rid of the virus if the user agrees with the analysis. Granted, unusual behavior is a pretty vaguely defined concept, but that seems a lot more adaptable to new threats than the current methods.

    1. Re:Credit Card Companies by compro01 · · Score: 4, Insightful

      Problem being, with lots of machines, they become infected on such a regular basis that your "unusual behaviour" is common enough that it becomes usual behaviour!

      --
      upon the advice of my lawyer, i have no sig at this time
    2. Re:Credit Card Companies by peragrin · · Score: 4, Interesting

      While you are correct, the problem lies with the OS that needs the most AV support. Windows itself acts like a virus to change memory locations when certain apps are run. This is to ensure compatibility. With Vista msft has been trying to change such behaviour, but it took 6 years for msft to notice the problem and at least until win7 until things start working better. Linux and OSX don't suffer from such things as badly as they deprecate old buggy features on a regular basis.

      --
      i thought once I was found, but it was only a dream.
    3. Re:Credit Card Companies by geckipede · · Score: 4, Insightful

      Unfortunately all that monitoring software can do is make a guess and then ask the user whether something should be allowed. The click-happy average user is even easier to fool than software. There's no way around it, if you want complete confidence in the security of your system, you have to understand what everything running on it should or should not be doing. A security product based on whitelists of known software would be interesting and probably quite effective, but I suspect not very popular.

    4. Re:Credit Card Companies by nabsltd · · Score: 4, Interesting

      The thing about anti-virus software is that it stupidly tries not to be intrusive. AV software could be pretty much 100% effective with a few tiny changes, but those changes will make it more visible and annoying.

      1. At install, the AV software adds a "run at reboot" entry that runs in the PE boot time, before most (but not all) other processes get a chance to run and does a full system scan at that point. You don't get to continue the install until you agree to this reboot.
      2. After the scan, the AV software (still in the PE environment) picks a few select directories (like "C:\Windows" and "C:\Program Files") and creates checksums of all files in those directories (or subdirectories).
      3. When the re-boot finishes and the install completes, the user is given the option to add other directories to the "safe" list, and file checksums in those directories are computed.
      4. After this, the AV software will not allow a file on disk to be run as an executable unless it is in one of the "safe" directories and the checksum exists and has not changed.
      5. Any other attempt to execute a file results in a full scan of the file using the virus signatures, and the user is then given a warning about running a non-trusted executable and analysis of the scan.
      6. The AV software will provide a way to manually update the "safe" directories, so that after you install software you can run it, but there should be no way to automate it.
      7. As an option, the AV software blocks write access to every executable file in the "safe" directories.

      This won't protect against scripting language malware and exploits of ActiveX (or other in-process DLL code), but it will tend to stop what they can do in the long run. Exploit code can create an executable in some directory, but it won't be able to be run without a warning, even if that code contains no known virus.
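The seven steps above amount to an execution allowlist keyed on file checksums. The Python below is an added illustration of steps 2 through 5 (not nabsltd's code and not any AV product's): it baselines the files under "safe" directories, then decides for a given path whether it may run or must be scanned and warned about. Directory names, file contents and the `demo` scenario are constructed; the containment test uses `commonpath` so that a look-alike directory such as "Program Files2" is not mistaken for "Program Files".

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Tuple


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(safe_dirs: Iterable[str]) -> Dict[str, str]:
    """Steps 2-3: walk every "safe" directory and record one checksum per file."""
    baseline: Dict[str, str] = {}
    for root_dir in safe_dirs:
        for dirpath, _dirnames, filenames in os.walk(root_dir):
            for name in filenames:
                full = os.path.realpath(os.path.join(dirpath, name))
                baseline[full] = file_digest(full)
    return baseline


def is_inside(path: str, directory: str) -> bool:
    """True if path lies under directory (a string-prefix test would accept
    'Program Files2' as being inside 'Program Files')."""
    path, directory = os.path.realpath(path), os.path.realpath(directory)
    try:
        return os.path.commonpath([path, directory]) == directory
    except ValueError:  # e.g. different drive letters on Windows
        return False


def execution_decision(path: str, safe_dirs: Iterable[str],
                       baseline: Dict[str, str]) -> Tuple[str, str]:
    """Steps 4-5: allow only a baselined, unchanged file inside a safe directory.
    Returns (decision, reason); decision is 'allow' or 'scan_and_warn'."""
    real = os.path.realpath(path)
    if not any(is_inside(real, d) for d in safe_dirs):
        return "scan_and_warn", "outside safe directories"
    expected = baseline.get(real)
    if expected is None:
        return "scan_and_warn", "not in baseline"
    if file_digest(real) != expected:
        return "scan_and_warn", "checksum changed since baseline"
    return "allow", "baselined and unchanged"


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed scenario: a baselined program, the same file after tampering,
    a file dropped into the safe directory, and a file in a look-alike directory."""
    with tempfile.TemporaryDirectory() as tmp:
        safe = os.path.join(tmp, "Program Files")
        os.makedirs(safe)
        good = os.path.join(safe, "good.exe")
        with open(good, "wb") as f:
            f.write(b"MZ constructed good program")
        baseline = build_baseline([safe])
        results = {"unchanged": execution_decision(good, [safe], baseline)}
        with open(good, "ab") as f:          # simulate an in-place modification
            f.write(b" tampered")
        results["tampered"] = execution_decision(good, [safe], baseline)
        dropped = os.path.join(safe, "dropped.exe")
        with open(dropped, "wb") as f:       # new file, never baselined
            f.write(b"MZ constructed dropped file")
        results["new_in_safe_dir"] = execution_decision(dropped, [safe], baseline)
        lookalike = os.path.join(tmp, "Program Files2")
        os.makedirs(lookalike)
        outside = os.path.join(lookalike, "x.exe")
        with open(outside, "wb") as f:
            f.write(b"MZ constructed outsider")
        results["outside"] = execution_decision(outside, [safe], baseline)
        return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16} -> {verdict}")
```

Step 6 (manual re-baselining after an install) is just `baseline[realpath] = file_digest(realpath)` gated behind an interactive prompt; the policy point is that nothing automated may call it.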

  7. IDW by Anonymous Coward · · Score: 2, Funny

    This is the dirty secret of desktop / on-access antivirus scanners; they don't work.

    F.D., I work in the industry, and the sole exception from this rule is my own employer's product, xxxxxxxxxxxx, of course.

  8. so what? by Cajun Hell · · Score: 3, Insightful

    If your scanner doesn't say program X is malware, does that mean you should run program X?

    Of course not. Quit downloading and running random programs, and your results will be the same whether scanners work, don't work, or you don't have one at all.

    --
    "Believe me!" -- Donald Trump
    1. Re:so what? by Anonymous Coward · · Score: 2, Insightful

      Quit downloading and running random programs, and your results will be the same whether scanners work, don't work, or you don't have one at all.

      So you're advising that everyone disable javascript, flash, etc in their browsers?

  9. (Stupid) Useful Malware Tricks? by kyashan · · Score: 3, Interesting

    ..a bit OT, but sometimes I wonder when will be the year of malware on Linux or OS X.

    --
    "La presi e te la pagai (480.000 Lire)"
  10. Ugh! Scanners! by flajann · · Score: 3, Interesting

    One thing I absolutely despise with the AV scanners is just that -- the scanning, that eats up performance both disk-wise and cpu-wise, and always seem to run at the wrong times -- when I am using the machine!

    This scanning aspect grows even more germane as we ascend into the commonality of terabyte drives.

    We need better approaches to checking files for infections or payloads -- like checking them thoroughly once and then checking any newly created or altered ones at the time of alteration. But even there you take a performance hit, and I know most AV systems already do this to some extent (but will rescan all the drives periodically).

    Ah, gotta love Windows. I much prefer to have a clean system and avoid any operations that might introduce a payload -- like running IE, for example.

    Google's attempts to flag questionable sites is half-baked, and depends on GoogleBots catching the vulnerabilities before your browser does. And for the poor site owner that's been compromised, Google fails to provide enough details for the site owner to eliminate the potential problems.

    Well, I don't use Windows as my primary platform for a number of reasons, virus vulnerabilities being one of them. Not to say Linux doesn't have its share, but they are far less common and if you keep up with the latest upgrades, you'll do OK for the most part.

    I think we need to go in a direction of relying on hypervisor-wrapped OSes that can do selective rollbacks to the points before infection. This way, you eliminate the need for scanning everything all the time and better yet, you might put some of the malware protection in the hypervisor itself, at a level the guest OS or the malware could never detect nor evade.

    Just a thought for free for some enterprising individual to go make $$$$ from!

    1. Re:Ugh! Scanners! by jez9999 · · Score: 3, Insightful

      What I don't understand is how I run NO A/V software (no, really) - I just run Sygate, a software firewall - and I have not gotten any trojans or viruses in the last... 10 years? Yeah I guess I could have one and not know about it, but I doubt it, disk activity and network activity seems normal (except when Skype decides to route a call thru me, why can't people get their own IPv6 IPs damnit??), and I occasionally run a virus/rootkit scanner over my machine and they come up clean.

      A/V is probably unnecessary, if you have a reasonable knowledge of how to use a computer. Yeah most don't, but you're posting Slashdot so you probably do. Why do you use one at all?

    2. Re:Ugh! Scanners! by flajann · · Score: 3, Interesting

      What I don't understand is how I run NO A/V software (no, really) - I just run Sygate, a software firewall - and I have not gotten any trojans or viruses in the last... 10 years? Yeah I guess I could have one and not know about it, but I doubt it, disk activity and network activity seems normal (except when Skype decides to route a call thru me, why can't people get their own IPv6 IPs damnit??), and I occasionally run a virus/rootkit scanner over my machine and they come up clean.

      A/V is probably unnecessary, if you have a reasonable knowledge of how to use a computer. Yeah most don't, but you're posting Slashdot so you probably do. Why do you use one at all?

      One reason: Kids.

      One kid uses Linux as much as he uses Windows, and understands how to avoid malware. Alas, he has a lot of friends over that have not learned these important lessons.

      Not to mention my other -- younger -- kid, who insists on downloading malware from Disney and other sites that *insist* on using IE to run at all.

  11. Didn't Consumer Reports say this years ago? by tkrotchko · · Score: 4, Interesting

    A few years back, Consumer Reports took some malware and made some trivial changes and almost all the AV vendors failed that simple test.

    If you recall the AV vendors criticized Consumer Reports because they claimed it was the equivalent of producing new malware and that it was irresponsible.

    Bottom line... this pretty much proves that AV has little or no value. You use it because everybody tells you that you have to use it, not because it provides any sort of comprehensive security (it doesn't even come close).

    --
    You were mistaken. Which is odd, since memory shouldn't be a problem for you
  12. Antivirus/Antispyware 2009 by Danzigism · · Score: 4, Interesting

    Working in a repair shop, the most common infection I've seen in the past couple months has been the rogue antivirus/antispyware products. They usually pose as "Antivirus 2009" or "XP Antivirus 2009". They use extremely generic names. It's funny because every customer that has one of these infections is usually running Norton, McAfee, Trend Micro, AVG, or any of them. Not ONE of them from 2008 has been able to rid the rogue product. It's funny too because all you have to do is remove a couple lines in HiJackThis and remove the Program Files folder. Although it has made our repair shop a good amount of money, it is annoying having to tell customers why their AV software can't remove such a silly thing. I've been a strong supporter of Panda Antivirus for many years, and I've always thought all the others are extremely bloated. ESPECIALLY NORTON.. HOWEVER, Norton 2009 has literally done a 180 with its performance. It removed XP Antivirus in no time. It barely uses 1% of your CPU when it is idle, and it updates literally every few minutes. I've been extremely impressed with their latest release and would recommend the noobs out there to try a 15 day free trial. But of course, ultimately running any AV software is a joke if you know how to use your computer correctly and don't download goat pr0n and warez. but fyi, if you would have asked me a month ago about Norton, I would have told you it is ridiculous and extremely bloated crap software, just like the rest.

    --
    *plays the Apogee theme song music*
    1. Re:Antivirus/Antispyware 2009 by kv9 · · Score: 2, Funny

      ultimately running any AV software is a joke if you know how to use your computer correctly and don't download goat pr0n and warez

      I've been downloading goat pr0n and warez for years, and I'm OK. well, my computers are.

  13. Old Jedi Malware Tricks by whitehatlurker · · Score: 4, Funny

    These0x00are0x00not0x00the0x00softwares0x00you0x00are0x00scanning0x00for.

    --
    .. paranoid crackpot leftover from the days of Amiga.
  14. RECOVERY CONSOLE COMMAND DISABLE STOP DRIVER by Anonymous Coward · · Score: 3, Informative

    "I have discovered so far, that
    - it is installed as a Windows driver,
    - this driver gets notified at winlogon
    - the driver creates an exe
    - the exe executes and stays in memory
    - the virus driver file then mutates and goes elsewhere, again to come back at the next logon, this mutation is what virus scanners can't work with.
    - Spreads via Windows networking to other computers on the network, this however only if the other computers have any shared writable folders.
    - by mrops (927562) on Friday November 07, @01:40PM (#25678439)

    Install RECOVERY CONSOLE as a bootup option

    (Its installer alters boot.ini for this as it installs & it adds a bootup menu choice/option for using it once you reboot after installation of it)

    To install it, that is done from your OS installation media's I386 Folder, via the commandline ->

    winnt32.exe /cmdcons

    Once it is in place?

    You can issue the LISTSVC command there, & it will show this trojan/virus' name once you scan the list of drivers &/or services it presents (look carefully, & odds are, you will see it there).

    Then, you would use the DISABLE command on it (that stops both services, AND, DRIVERS too) - ENABLE is the opposite command, just so you know (&, in case you make a mistake here).

    APK

    P.S.=> The Windows Networking you mention? I am going to assume File & Print sharing via LanManager networking... & IF you don't use a home LAN (or, connect into a work LAN/WAN, remotely from this infected system)? You can actually REMOVE it a couple ways (easiest ones are stopping the SERVER service via services.msc & setting its startup type to DISABLED (server provides file & print sharing is why) OR, just go to your LOCAL AREA CONNECTION, & uncheck (if not totally remove) "File and Print Sharing" and "Client for Microsoft Networks" there (because all you REALLY NEED to be online, is Tcp/IP)... this will not only help secure you, & stall this machination on your system, BUT, it will also give you back CPU cycles, memory, & other forms of I/O too, because you will be cutting off things you may have running that you do NOT really need to be... IF you are not part of a LAN/WAN, that is... apk

  15. The WinLogon section: Stop the 'phalanx' driver! by Anonymous Coward · · Score: 2, Informative

    In addition to what I posted originally here (thanks for the "modded up" status too, whoever did so):

    http://it.slashdot.org/comments.pl?sid=1021873&cid=25681261

    ?

    To access & stop the "backup" of this trojan's driver, since it apparently is using a form of "phalanx-like" backup of itself & its constituent part? Well, go here, using REGEDIT.EXE, once you reboot (after using RECOVERY CONSOLE's LISTSVC, + DISABLE commands to stall the driver itself) because this 'backup' portion you're seeing @ WinLogon MAY undo what you did, in deactivating the trojan's driver portion:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    And, in the right-hand side pane of REGEDIT.EXE? Look for the SHELL line (should ONLY have Explorer.exe in it) - odds are, that's the part that's controlling this 2nd part you noted, that notifies the trojan's driver portion!

    Good luck!

    APK

    P.S.=> IF this thing's 2nd 'backup' portion isn't there, in the WINLOGON section you mentioned?

    Then, examining ALL other startup areas (prior to the explorer.exe shell logon by you), to find its other part...

    MSCONFIG.EXE is decent for this!

    Autoruns (sysinternals/MS) is also...

    OR

    Startup CPL (Mike Lin)

    Are ALL/EACH good candidates for the job...

    (If not digging for those sections via REGEDIT.EXE (You'll need a list of startup areas Windows has though, & it's MUCH MORE MANUAL than the other tools I noted/listed, a downside of doing it manually really vs. using automators such as the progs I just listed))... apk

  16. Re: of course by Keeper Of Keys · · Score: 2, Interesting

    I am a web developer, quite proficient in javascript, and agree with the GP. No site should *require* js for navigation. There are established ways to mark up your menus, no matter how complex they may be, so that they may be navigated with js turned off while perhaps having enhanced usability or attractiveness for those who allow it to run. This is absolutely essential in the modern web: your most important visitor, the googlebot, doesn't run javascript - and obviously you want it to be able to follow links on your site.

  17. Virus scanners don't stop malware? really... by crossmr · · Score: 2, Funny

    That's like saying bug repellent is no good against tigers. News at 11!