#26

yeah try that when you are Studying IT
but Offline Machines are the Best Peace of Mind at the Moment
__________________
Spyshelter Premium + MBAM Pro + Avast Free + Hardened FireFox + Secunia Update Checker "Uncommon sense will increase your privacy; common sense will just make you common." "The Worst Thing in the World is To look and not be able to Help"
#27

Just discovered a brand new Facebook malware dropper. At the time, only "A" had a signature out ( ). Now, a few others also detect it. I guess the real problem is that malware authors have a lot more time on their hands than people working on anti-malware products (on average). Thus, new variants are released faster than signature updates can be rolled out.
__________________
Last edited by Radu : Today, at 5:32 AM. Reason: Found new malicious code
#28

There are a lot of malware writers, or rather, people providing crypters/droppers aka "FUD service" (= fully undetected). These droppers drop the original trojan in memory, not to hard disk - your on-access scanner sees nothing. So if your malware wrapped in such a crypter gets detected (either by detecting the crypter or managing to decrypt the protection layer), just get the next crypter from another FUD service while the author of the first crypter adapts to the detection. Alas, it seems they make enough money to afford this.
In theory, this dropping method should be easy food for behaviour blockers, so I guess they adapt against that type of detection as well, because they still manage to bypass various behaviour blockers out there. Just google for "tejon crypter", this is just one example of such a "tool". Check out its "feature" list... :-(
__________________
Chuck Norris does not use any antivirus software. He knows the hashes of all clean software on earth. Even those that are not compiled yet. It is not known if he got that list from dividing by zero or counting to infinity.
#29

Quote:
v1.7 New Engine! 2012 +Very Stable +Very Powerful +Obfuscator PE +Bypass Kaspersky Internet Security 2012 (Included) (Proactive Defense) +Bypass OutPost Firewall +Bypass Zemana Keylogger (HIPS) +Bypass Comodo Internet Security (HIPS) +Bypass AntiHook (HIPS) +Bypass SpyShelter (HIPS) +Bypass Avast Antivirus (Proactive) +Bypass Norton Internet Security (Proactive) +Bypass Avast Antivirus +Bypass Eset Nod32 +Bypass GData Internet Security +Bypass TrustPort Antivirus +Bypass Panda Internet Security +Bypass Dr Web Antivirus +Bypass Avira Internet Security +Bypass Avg Internet Security +Bypass AV360 +Bypass BitDefender & 2012+Anti AV Database Update +Remove AV From Disk +Major Icon Quality +Clone File Properties +Best Binder +Speed Increase 300% +Add Vista Resource Manifest +Anti Avira Heuristic Detection +Anti Nod32 Heuristic Detection +Fix Pe Checksum +Fake Error Generator +Compatible (Windows 2000 / Xp / Vista / Windows 7 / Windows 8 [32/64Bits] ) +Script Support! +Process Suspended +Process Killer +Run Only in Admin Mode +Cannot Run in safe Mode +Anti-Tracing (Anti Cracking) +Set File Attributes +Anti Kaspersky (Kaspersky Bypass Proactive Defense) +Binder +Activex Registration +Anti Heuristic Detection +Anti-Firewall (ByPass) +Vista UAC (ByPass) +NEW Engine +Very Stable +File Bundle (DLL Bundle + Register ActiveX/OLE/COM control) +Anti-Heuristic Detection +Obfuscation of your executable helps protect it against tampering and cracking. *Process Killer (Multiple Process Killer) *Cannot Run in Safe Mode *Run Only in Admin Mode *Set File Attributes *Anti-Shadow User Pro *Anti-Clean Slate *Anti Sandbox (Fortres) *Run as Fake Process *Delete Me (Execute & Delete RDG Loader) *Anti JoeBox (Enhanced) *Anti-Anubis (Enhanced) *Anti-CWSandbox (Enhanced) *Sleep Sec. Run program after x Seconds. 0 to 999 (Enhanced) *Process Ghost *Change Process Name *Anti-Debugger *Anti-Sandboxie *Anti-virtualpc *Realign Sections *Anti-IDA Debugger *Anti-CWSandbox *Anti-Norman Sandbox *Anti-Anubis *OEP Stolen Bytes (Enhanced) *Checksum CRC *Anti-OllyDbg *Anti-ThreatExpert *Anti-JoeBox *Anti-VMWARE *Anti-VirtualBOX *Anti-Debugger2 *Overlay support (EOF Data) *Sleep Sec. Run program after x Seconds. *Exceptions (0 to 1000) *Get All Privileges *Change Icon (Enhanced) *OEP Stolen Bytes (Enhanced) *Anti Virtual Machine (Max) = Heuristic *Anti-SunBelt Sandbox *Anti Deep-Freeze *Anti-Returnil Virtual System *Anti-Malware Defender *Anti-Wine(Linux) *Anti-Xen Virtual Machine *Password Protect *Execute With Command Line (parameters) *UnHook All API *Anti-Attach Loader (Protect RDG Loader) *Execute as NT AUTHORITY\SYSTEM *Restore API Bugger.
Indeed (if true oc)
__________________
ROMANES EUNT DOMUS Last edited by Baserk : April 15th, 2012 at 09:51 AM.
#30

If all the above claims are true, it's a very frightening fact. I hope they are only exaggerating. They even have anti-Sandboxie -> what's the meaning of this? Are they bypassing Sandboxie?
__________________
W7 - SandBoXie - Windows Firewall Notifier (WoKhan) - Hitman Pro W other - Panda Cloud Free
Last edited by blasev : April 15th, 2012 at 09:54 AM.
#31

Quote:
#32

Quote:
Thanks for the answer, it's really reassuring
__________________
W7 - SandBoXie - Windows Firewall Notifier (WoKhan) - Hitman Pro W other - Panda Cloud Free
#33

I would think Appguard would block it
__________________
Netgear Prosecure UTM25 | Online Armor | NOD 32 | WSA | Appguard | VoodooShield | Shadow Defender 1.1.0.325
#34

Quote:
I see a lot of recommendations for these browsers lately; can anyone explain what's so good about Google Chrome? I have used Opera for quite a while now without any addons and I am very pleased with it. In the settings I turned off JavaScript and only allow it for my favourite websites, so I don't need an addon for that. I also have an e-mail client integrated and mouse gestures, which are very comfortable.
__________________
AppGuard - Deep Freeze - EMET - Drive SnapShot - OpenDNS - NAT Router
#35

Google is very fast in updating Chrome when there is a new exploit. It also does silent auto-update. I have seen many users blocking/ignoring the Firefox updates, for example. Plus it does contain its own version of Flash, not depending on Adobe updates. Sometimes Google even updated their version of Flash before Adobe.
__________________
Chuck Norris does not use any antivirus software. He knows the hashes of all clean software on earth. Even those that are not compiled yet. It is not known if he got that list from dividing by zero or counting to infinity.
#36

Thanks for the info, didn't know all that. The Flash thing and the updates are a good argument. Only thing is I don't like tracking by Google through their browser, and I find Opera to be more comfortable with mouse gestures, e-mail etc. AppGuard would also block all those Chrome updates when they launch from user space. I would have to drop protection pretty often, I guess, which might be annoying. Also my Opera runs sandboxed and EMET-protected all the time
__________________
AppGuard - Deep Freeze - EMET - Drive SnapShot - OpenDNS - NAT Router Last edited by Arcanez : April 15th, 2012 at 02:49 PM.
#37

Scary stuff. I'd like to see if it can bypass the almighty DefenseWall, since I see it wasn't listed on there.
__________________
OS: Windows 7 Pro x64 | First-Line: Norton DNS + Google Chrome | Realtime: Bitdefender Free Antivirus | On-Demand: HitmanPro Free + Malwarebytes Free | My Computer Security Website: Link
#38

I was pleased to see the "bypass" and "anti" lists that Baserk listed did NOT include Webroot SecureAnywhere and/or Prevx...
__________________
'Peace on Earth - Purity of Essence.' - Dr. Strangelove Last edited by kdcdq : April 15th, 2012 at 11:57 PM.
#40

Quote:
Uhm, they bypass the regular detection of every AV scanner anyway, they don't even mention that "feature" anymore.
__________________
Chuck Norris does not use any antivirus software. He knows the hashes of all clean software on earth. Even those that are not compiled yet. It is not known if he got that list from dividing by zero or counting to infinity.
#41

Now I'm confused: it can bypass Avira Internet Security, but it also has anti-Avira heuristic detection. So it means that if one person uses Avira's standard settings, which use heuristic detection, the malware won't run
__________________
W7 - SandBoXie - Windows Firewall Notifier (WoKhan) - Hitman Pro W other - Panda Cloud Free
#42

Quote:
__________________
DefenseWall HIPS developer. www.softsphere.com
#43

Got the popcorn and cola ready. I am also interested to see how DefenseWall handles it, and AppGuard, if anyone tested it.
__________________
OS X 10.8.4 - 2.9 GHz Intel core i7 - 8 GB 1600 MHz DDR3 - 750 SATA HD - Intel HD 4000 Graphics 512 MB. http://www.flickr.com/photos/darkshadow1911/
#44

Actually I am looking for samples too. I am not going to buy that crypter just to test it.
__________________
Chuck Norris does not use any antivirus software. He knows the hashes of all clean software on earth. Even those that are not compiled yet. It is not known if he got that list from dividing by zero or counting to infinity.
#45

I'm fairly certain that good* HIPSes, sandboxes and policy restriction sandboxes are immune to this kind of crypter. For example, malware x uses SeDebugPrivileges to elevate itself; HIPS-like applications will notice the action because they monitor the API. When malware x is crypted via said crypter it won't change the fact that malware x uses SeDebugPrivileges; it's not changing the code itself, just cloaking it.
It's a bit of a different story with behaviour blockers because of the way some are implementing protection. Some BBs are made so that if a certain set of actions is performed by malware x then a detection is triggered, as opposed to a specific API in the case of HIPS etc. Depending on how the detection ruleset is created it may give leeway to some evasion techniques employed by crypters. I could be wrong though. (*by good I mean having system hooks that are not easily unhooked from usermode)
#46

You would be surprised how many normal programs show "ugly" behaviour, causing false positives for behaviour blockers. So it is getting more difficult to find the balance between catching typical malware behaviour and false positives.
The malware writers are attacking behaviour blockers like normal scan engine detection, it just takes more work. But it is also more difficult to update and QA new behaviour blocker rules. And 64 bit did not make things easier for the AV programs. Actually, we lost hooking abilities. You could say 64 bit worked in favour of the malware writers. They still can do the things they want.
__________________
Chuck Norris does not use any antivirus software. He knows the hashes of all clean software on earth. Even those that are not compiled yet. It is not known if he got that list from dividing by zero or counting to infinity.
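As an added illustration of the two detection styles contrasted in the last two posts (single-API HIPS rules versus ordered-action behaviour-blocker rules, and the false-positive trade-off), this is example code written for this thread, not code from any product or poster; the process names, event log and API labels are constructed.

```python
from collections import defaultdict

# Constructed sample of per-process API events: (pid, process name, api call).
# debugger.exe is a legitimate tool; invoice.exe stands in for a crypted
# payload that, once unpacked in memory, still performs its injection steps.
EVENTS = [
    (100, "debugger.exe", "AdjustTokenPrivileges:SeDebugPrivilege"),
    (100, "debugger.exe", "OpenProcess"),
    (200, "invoice.exe", "AdjustTokenPrivileges:SeDebugPrivilege"),
    (200, "invoice.exe", "Sleep"),               # stalling between steps
    (200, "invoice.exe", "OpenProcess"),
    (200, "invoice.exe", "WriteProcessMemory"),
    (200, "invoice.exe", "CreateRemoteThread"),
    (300, "updater.exe", "WriteProcessMemory"),  # self-patching, no injection
]

# HIPS-style rule: one monitored API call is enough to alert or prompt.
HIPS_WATCHED = {"AdjustTokenPrivileges:SeDebugPrivilege"}

# Behaviour-blocker-style rule: an ordered chain of actions by one process.
BB_CHAIN = [
    "AdjustTokenPrivileges:SeDebugPrivilege",
    "OpenProcess",
    "WriteProcessMemory",
    "CreateRemoteThread",
]


def hips_alerts(events, watched=HIPS_WATCHED):
    """Return {pid: name} for every process that touched a watched API.
    The legitimate debugger is flagged too: a single-API rule is simple
    and hard to cloak, but prone to the false positives described above."""
    return {pid: name for pid, name, api in events if api in watched}


def bb_alerts(events, chain=BB_CHAIN):
    """Return {pid: name} for processes that completed the whole chain in
    order. Unrelated calls (e.g. Sleep) between steps are ignored, so
    wrapping the payload in a crypter does not change the verdict; only a
    payload that genuinely skips one of the steps escapes this rule."""
    progress = defaultdict(int)  # pid -> index of the next expected step
    hits = {}
    for pid, name, api in events:
        if progress[pid] < len(chain) and api == chain[progress[pid]]:
            progress[pid] += 1
            if progress[pid] == len(chain):
                hits[pid] = name
    return hits
```

Running both over the sample shows the trade-off: the HIPS rule flags pids 100 and 200, the chain rule only 200.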
#47

And the trend is toward even more rapid migration over to 64 bit units for them to become the norm, I guess.
I didn't see ThreatFire or Mamutu on the list of the anti's, but then that's a very exhaustive list indeed. Anti-Deepfreeze, Returnil type apps are sure to be a good plug for some attention. Noticed on their website in the lite version they mention the likes of Clam, ad-aware? etc. I surely would like to have a crack at a sample of it. We'll see who fishes this one up first. LoL I never did fully understand why more attention wasn't given to pursuing more developments of (rule-based)? Behavioural Blockers than it was. They always had a particularly useful place IMO as an in-between for AS & AVs against the unknowns not yet detectable by the usual conventional security apps.
__________________
★AX64 Time Machine★
★Shadow Defender★
Maxthon 4 | X Iron 17.0 | Chromium 19.0 | Pale Moon 20.1
¶Microsoft Windows 8 64bit (UEFI/GPT) Secure Boot¶
¶Linux Mint 14 MATE¶
#48

I think now, after 40 years in the business, I'll divide my own PCs into 2.
One with the best layered security I can muster that does 2 things only: banking and private email. All connects to https only. ONLY MY WHITE LIST OF SITES VISITED. The second machine (an iPad?) does the risky stuff: surfing, forum posts, Amazon book buying, movie watching, games etc etc. That's it, using the old KISS concept.
__________________
Escalader i7 8 GB RAM Notebook, 1TB External Drive Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File IE 9 Hardened Active X, SmartScreen, Tracking Protection Paragon Backup and Imaging
#49

Well, it's been fine for me and I hope it continues like that
__________________
Emsisoft Anti-Malware v7.0.0.21 - Online Armor 6.0.0.1736 SRP - UAC - EMET Browser: Google Chrome v25.xx Windows 7 Ultimate x64
#50

Quote:
Ever since Google went over the top on their new privacy policy I have avoided them and their products like the plague. Found I really don't need them.
__________________
Escalader i7 8 GB RAM Notebook, 1TB External Drive Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File IE 9 Hardened Active X, SmartScreen, Tracking Protection Paragon Backup and Imaging