No more safety without AntiVir !! Is it the only one ?

Metting
November 19th, 2006, 09:12 PM
Hi board

I have tested many antimalware scanners (AV, AT, AS etc.) against very well-known and easily detectable malware, but encrypted with the Themida runtime packer; all of them failed except Avira AntiVir, which detected all the encrypted malwares, and Pest Patrol, which detected some of them.

Specifically I have tested these AV's : KAV, NOD32, BitDefender, Pc-Cillin, Norton, AVG, Avast.

And these AT's and AS's : AVG (Ewido), T Hunter, T Remover, SpySweeper, SpywareDoctor, SAS, Ad-Aware Pro, SpyBot, A2, TMAS.

Note : I tested every scanner with a Themida-encrypted malware which is easily detectable by the same scanner when it is not encrypted !!

No one succeeded except AntiVir all the time, and Pest Patrol some of the time; all others failed every time.

It is a very annoying test result, which means that any trivial but Themida-encrypted malware can easily infect a machine protected by any first-class AV or AT or AS except AntiVir !

Now I can't feel safe any more without AntiVir.

Did you try any other scanner against Themida encrypted malware?
If not please do and share your results with us.

trjam
November 19th, 2006, 09:23 PM
I would agree there isn't any better.:)

huntnyc
November 19th, 2006, 09:25 PM
Did you use the free version of AntiVir or the paid version? And thanks.

Gary

Metting
November 19th, 2006, 09:26 PM
@ huntnyc

Free Version

n8chavez
November 19th, 2006, 09:38 PM
-{ Quote: "I would agree there isn't any better.:)" }-

Well duh! Considering your avatar, take this with a biased grain of salt.


-{ Quote: "I have tested many antimalware scanners : AV, AT, AS etc. against very well known and easily detectable malware but encrypted with Themida runtime packer, all of them have failed except Avira AntiVir in all encrypted malwares and Pest Patrol in some of the encrypted malwares." }-

So, you use a very specific testbed that only includes one sample, or one type? And from that you conclude that AntiVir must be the best? I'm sorry, you'll need to do a little testing in order for your conclusions to have any weight to them.

-{ Quote: "Now I can't feel safe any more without AntiVir." }-

Don't get too comfortable. Take into account a product's track record. It is entirely possible for AntiVir to not do well on the next official test. It is a very good product, but it is not the best there is. Nor is any, for that matter.

duke1959
November 19th, 2006, 09:41 PM
Would any HIPS or behavior type programs have detected this? Like ProSecurity Free, or Cyberhawk?

Pedro
November 19th, 2006, 09:55 PM
When you execute it (they work on behaviour, i.e. when the malware acts). Same goes for the AVs; maybe they would detect them upon extraction, I don't know.

Metting
November 19th, 2006, 10:27 PM
-{ Quote: "So, you use a very specific testbed that only includes one sample, or one type? And from that you conclude that AntiVir must be the best? I'm sorry you'll need to do a little testing in order for your conclusions to have any weight to them." }-

You got me wrong. I didn't test all scanners with the same malware; I tested every one with 2 or 3 very well-known malwares specific to it.

I didn't say that AntiVir is the best; I simply said it is the only one that was able to detect the malware both before encryption and after being encrypted by Themida.

cprtech
November 19th, 2006, 10:33 PM
-{ Quote: "Specifically I have tested these AV's : KAV, NOD32, BitDefender, Pc-Cillin, Norton, AVG, Avast." }-

I'm curious, did you test these products with their default settings? NOD32, for instance, has an option to scan runtime packers. If memory serves, it is not enabled by default, but someone please clarify this if I'm wrong. I'm really not familiar with the other products you tested, but they certainly must include options not enabled by default that would increase the detection rate if enabled.

Metting
November 19th, 2006, 10:33 PM
-{ Quote: "Would any HIPS or behavior type programs have detected this? Like ProSecurity Free, or Cyberhawk?" }-

HIPS should be able to detect the bad effect on the system, because HIPS detect the influence of the malware on the system, not the malware itself. And there is no difference if the malware itself was encrypted or not, because HIPS don't depend on sigs.

Metting
November 19th, 2006, 10:38 PM
-{ Quote: "When you execute it (they work on behaviour, i.e. when the malware acts). Same goes for the AVs; maybe they would detect them upon extraction, I don't know." }-

No, for our bad luck.
For example : NOD32 and KAV accept a Themida-encrypted Bifrose trojan running in memory very happily.

Other scanners showed similar silent behaviour even when the malware was in its working phase !!!

JerryM
November 19th, 2006, 10:44 PM
Just use Avira then, and don't worry if that is what it takes.

Jerry

Metting
November 19th, 2006, 10:46 PM
-{ Quote: "I'm curious, did you test these products with their default settings? NOD32, for instance, has an option to scan runtime packers. If memory serves, it is not enabled by default, but someone please clarify this if I'm wrong. I'm really not familiar with the other products you tested, but they certainly must include options not enabled by default that would increase the detection rate if enabled." }-

NOD32 2.7.16 was tested with the maximum security level enabled, including runtime packers, Advanced Heuristics, Anti-Stealth and everything else.
Try it yourself with a very old malware but encrypted by Themida!

All others were tested with the highest level of security available.

the Tester
November 19th, 2006, 11:05 PM
Metting,
I read your posts about this in a thread about Pest Patrol recently.
This is good for AntiVir.
A question though.....
Would malware need to be decrypted before it could actually do anything?
The reason that I ask is because you stated that these samples were detected by multiple programs before they were encrypted.

cprtech
November 19th, 2006, 11:12 PM
-{ Quote: "NOD32 2.7.16 was tested with the maximum security level enabled, including runtime packers, Advanced Heuristics, Anti-Stealth and everything else.
Try it yourself with a very old malware but encrypted by Themida!

All others were tested with the highest level of security available." }-

Okay, thanks Metting. I'll take your word for it. I suppose the way to minimize the risk of infection from one of these encrypted malwares is to download executables from well-known, trusted sites, as I always do. I don't use shareware or torrent programs of any kind. BTW, is it possible to recognize these Themida-encrypted files by their file extensions?

shockedAVguy
November 19th, 2006, 11:14 PM
Thank you, thank you, thank you!! When I saw this thread I was surprised more than I have ever been and amazed at the same time. I immediately called Eugene and said, "We messed up big time! Over at Wilders this guy discovered a hole that had never occurred to any of us before. We'd better jump on this right now or our scanner is done for!"

Ever thought of pursuing a job in our labs?

dah145
November 20th, 2006, 12:06 AM
-{ Quote: "Thank you, thank you, thank you!! When I saw this thread I was surprised more than I have ever been and amazed at the same time. I immediately called Eugene and said, "We messed up big time! Over at Wilders this guy discovered a hole that had never occurred to any of us before. We'd better jump on this right now or our scanner is done for!"

Ever thought of pursuing a job in our labs?" }-


;D you really talked with Eugene? :o

SourMilk
November 20th, 2006, 12:15 AM
Did a quick Google on Themida and malware. Found that F-Secure detects Themida encoded malware also.

SourMilk out

Malcontent
November 20th, 2006, 01:06 AM
How about Dr. Web antivirus? Did you test it?

herbalist
November 20th, 2006, 02:01 AM
Be careful what you read into those results. At the moment, it means that AntiVir is capable of detecting malware encrypted with that particular packer. With a different packer or encryption method, the results could well be different. AVs can react to new packing or encryption methods, but it's impossible for them to anticipate all the methods that could be used. The tools are freely available that can make malware undetectable by any AV.
I uploaded a copy of graypigeon, a known malware to 2 different online sites that use multiple scanners. The results are shown in the links below.
Scanned by Jotti. (http://i138.photobucket.com/albums/q277/herbalist-rick/malware%20tests/normalscan.gif)
Scanned by Virustotal. (http://i138.photobucket.com/albums/q277/herbalist-rick/malware%20tests/Virustotal.gif)
I'm surprised by the ones who didn't recognize this unencrypted malware, starting with PrevX1, NOD32, and Microsoft!
I then encrypted graypigeon by a method not normally used, renaming it testpest..exe and uploaded it to both sites. Here's the results.
Jotti scan of encrypted malware. (http://i138.photobucket.com/albums/q277/herbalist-rick/malware%20tests/encryptedscan.gif)
Virustotal scan of encrypted malware. (http://i138.photobucket.com/albums/q277/herbalist-rick/malware%20tests/virustotal_encrypted.gif)
I'm not going to identify the method I used to encrypt this file, for obvious reasons. This was strictly to demonstrate that signature-based detections have no chance against encrypted malware, unless the vendor has already seen malware encrypted by that particular method.
Rick
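Rick's point above (a byte signature that matched the unpacked file cannot match the transformed on-disk image unless the vendor has already seen that transform), together with the earlier remarks that a scanner needs some way to see the bytes once they are unpacked in memory, can be shown with a small added example. This is illustration code written for this page, not code from any poster, from Themida, or from any AV vendor's engine; the signature, the sample body and the XOR-keystream "packer" are all constructed stand-ins, and the entropy threshold of 7.0 bits per byte is an assumed rule of thumb rather than any product's setting.

```python
"""Added example: why signature-only scanning misses a packed file, and two
defender-side answers (a packer-agnostic entropy heuristic, and scanning the
unpacked view of the program). The signature, sample body and XOR-keystream
"packer" are constructed stand-ins for this illustration; this is not a
packer and not any vendor's engine."""
import math
import random
from collections import Counter

# Constructed signature: a byte pattern that occurs in the unpacked sample.
SIGNATURE = b"CONSTRUCTED-SAMPLE-MARKER-7f3a"

# Constructed "unpacked" sample: low-entropy, program-like filler text with
# the signature embedded in the middle (about 3.5 KB in total).
UNPACKED_SAMPLE = (
    b"This is a constructed test body, not real code. " * 40
    + SIGNATURE
    + b" More repetitive filler to pad the file out. " * 40
)

# Entropy (bits per byte) above this is typical of compressed or encrypted
# data; ordinary code and text sit well below it. It is a heuristic signal,
# not a verdict: legitimately packed software scores high as well.
PACKED_ENTROPY_THRESHOLD = 7.0  # assumed rule of thumb, not a product setting


def signature_scan(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Classic signature check: does the byte pattern occur anywhere?"""
    return signature in data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty data, at most 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    counts = Counter(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def looks_packed(data: bytes) -> bool:
    """Packer-agnostic heuristic: flag content that is statistically random."""
    return shannon_entropy(data) > PACKED_ENTROPY_THRESHOLD


def demo_transform(data: bytes, seed: int = 1234) -> bytes:
    """Stand-in for a packer's on-disk transform: XOR with a seeded
    pseudo-random keystream. It is its own inverse, so the same call also
    models the "unpack into memory" step a packed program performs at launch."""
    rng = random.Random(seed)
    keystream = bytes(rng.getrandbits(8) for _ in range(len(data)))
    return bytes(a ^ b for a, b in zip(data, keystream))


def scan_on_disk(image: bytes) -> dict:
    """What a scanner can say from the file image alone."""
    return {
        "signature_hit": signature_scan(image),
        "entropy": round(shannon_entropy(image), 2),
        "packed_heuristic": looks_packed(image),
    }


def scan_unpacked_view(packed_image: bytes) -> bool:
    """What an emulating or memory-scanning engine sees: the bytes after the
    program has reversed its own packing. Here that is one more transform."""
    return signature_scan(demo_transform(packed_image))


def main() -> None:
    packed = demo_transform(UNPACKED_SAMPLE)
    print("unpacked file :", scan_on_disk(UNPACKED_SAMPLE))
    print("packed file   :", scan_on_disk(packed))
    print("signature hit in unpacked memory view:", scan_unpacked_view(packed))


if __name__ == "__main__":
    main()
```

Running it shows the three outcomes the thread describes: the signature hits the unpacked file and misses the packed one, the entropy heuristic flags the packed image without knowing which packer produced it, and the signature hits again once the unpacked view is scanned. The trade-off in the heuristic is the same one the last post in this thread worries about: software that is legitimately protected with a commercial packer scores just as high, which is why engines treat high entropy as one signal (usually computed per PE section) and combine it with emulation or memory scanning rather than blocking on it alone.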

btman
November 20th, 2006, 02:51 AM
None of them got it o_0... So if someone got that on a computer... and executed it so... w.e damage could be done... would an anti-virus like Kaspersky stop it... or not until the next version with heuristics?

dah145
November 20th, 2006, 03:27 AM
There is something I don't understand: there should be some point, when executing an encrypted exe, at which the AV will detect it or not? Try executing your encrypted trojan, Herbalist, and see if your AV detects it. ???

Metting
November 20th, 2006, 07:05 PM
-{ Quote: "Metting,
I read your posts about this in a thread about Pest Patrol recently.
This is good for AntiVir.
A question though.....
Would malware need to be decrypted before it could actually do anything?
The reason that I ask is because you stated that these samples were detected by multiple programs before they were encrypted." }-

No,

malware encrypted by Themida can do its work while encrypted.

Themida simply protects the area in memory in which the malware, or any other Themida-encrypted file, works, so it is impossible for any program to read this memory area unless the program has a special way to pass through this protection, and this penetration of Themida's protection is what AntiVir handled with success.

Metting
November 20th, 2006, 07:12 PM
-{ Quote: "Did a quick Google on Themida and malware. Found that F-Secure detects Themida encoded malware also.

SourMilk out" }-

Thanks SourMilk

Anyone ready to test F-Secure ?

Metting
November 20th, 2006, 07:12 PM
-{ Quote: "How about Dr. Web antivirus? Did you test it?" }-

No I didn't, I hope someone will do.

Metting
November 20th, 2006, 07:34 PM
-{ Quote: "With a different packer or encryption method, the results could well be different. AVs can react to new packing or encryption methods but it's impossible for them to anticipate all the methods that could be used. The tools are freely available that can make malware undetectable by any AV.
" }-

Yes, you are right, and I agree on that, but the problem with Themida is that it is a commercial packer and very easy to use, so any bad kid can use it to make hundreds of undetectable malwares, even from commercial key loggers and remote admin progs.

Other tools are not for anyone. Also you need to use at least two or more packers to make a hard-to-detect malware; even in this case you have to test your new malware with each scanner to be sure it is undetectable, and the result may force you to change the way, the type, and the number of packers you used ..... then try again ... etc. i.e. it is a very difficult method, while on the other hand you have to use only Themida with a few mouse clicks to create malware undetectable by the majority of scanners.

Metting
November 20th, 2006, 07:47 PM
-{ Quote: " We'd better jump on this right now or our scanner is done for!"" }-

good for you, but hurry up


-{ Quote: " Ever thought of pursuing a job in our labs?" }-

I don't work for unknowns; if you give a name I may rethink :isay:

Metting
November 20th, 2006, 07:50 PM
-{ Quote: "None of them got it o_0... So if someone got that on a computer... and executed it so... w.e damage could be done... would an anti-virus like Kaspersky stop it... or not until the next version with heuristics?" }-

I think not until the next version, if they work hard.

Metting
November 20th, 2006, 07:57 PM
-{ Quote: "There is something I don't understand: there should be some point, when executing an encrypted exe, at which the AV will detect it or not? Try executing your encrypted trojan, Herbalist, and see if your AV detects it. ???" }-

Themida simply protects the area in memory in which the malware, or any other Themida-encrypted file, works, so it is impossible for any program to read this memory area unless the program has a special way to pass through this protection, and this penetration of Themida's protection is what AntiVir handled with success.

For example : NOD32 and KAV accept a Themida-encrypted Bifrose trojan running in memory very happily.

herbalist
November 20th, 2006, 10:36 PM
-{ Quote: "Other tools are not for anyone. Also you need to use at least two or more packers to make a hard-to-detect malware; even in this case you have to test your new malware with each scanner to be sure it is undetectable, and the result may force you to change the way, the type, and the number of packers you used ..... then try again ... etc. i.e. it is a very difficult method, while on the other hand you have to use only Themida with a few mouse clicks to create malware undetectable by the majority of scanners." }-
Quite true. Between new methods of packing/encrypting (or unorthodox uses of older methods), keeping up is almost an exercise in futility. I gave up on signature-based detections. Too many ways to avoid detection, with new ones coming out, such as Themida. Now that there's one such packer/encrypter, there'll soon be more of them, and even more for the AVs to deal with.

dah145
I wasn't trying to make something that was undetectable. That was just a quick run with an existing malware. Yes, there's a good chance that an AV would detect it when launched, assuming its first task isn't killing the AV. My point was a much simpler one. That was just to show how easy it is to get malware onto a system undetected. That's half the battle, leaving one chance for the AV to catch it, during its launch. None of the AVs catch everything when it isn't encrypted. Encryption just makes the odds worse.
Rick

the Tester
November 22nd, 2006, 07:31 AM
-{ Quote: "No,

malware encrypted by Themida can do its work while encrypted.

Themida simply protects the area in memory in which the malware, or any other Themida-encrypted file, works, so it is impossible for any program to read this memory area unless the program has a special way to pass through this protection, and this penetration of Themida's protection is what AntiVir handled with success." }-

Metting,
Thanks for answering my question.

Rasheed187
November 22nd, 2006, 09:23 AM
Yes, this is disturbing. The only thing you can hope is that a HIPS might be able to save your ass, but of course a HIPS relies on user input, so you need to know a bit about what's normal behaviour and what's not. Sandboxing would be another solution, but often some apps won't run if sandboxed. But signature-based solutions are just not good enough nowadays, that's a fact. ::)

cash4questions
December 19th, 2006, 01:46 PM
I'm concerned about this from another angle.

I legitimately protect my software with Themida. If AV products work out how to bypass Themida encryption to check for viruses, then the protection for my software is also breached. My code is then wide open to piracy.