Looking for heuristics?

[winx5]

http://img483.imageshack.us/img483/5184/heur5rk.th.png

http://img483.imageshack.us/img483/9861/heur22mm.th.png

[Stefan Kurtzhals]

I fear the old AntiVir heuristics rather have a "false positive" here, most likely detecting some exe packer as Win32.Virus.

Just took a look at the sample, seems someone opened an executable with a text editor and saved the result.
The text editor replaced all zero bytes with spaces (0x20), making the executable invalid and non-working.
I wonder if thats the same sample though, got a different MD5 and test5.exe instead of test5.txt.

[winx5]

Hi Stefan,

I can confirm that it is a malware, a trojan downloader.
NOD32 blocked it from being downloaded.
By looking in the Threat Log, i found it's URL and downloaded the file Test5.txt with WGET to keep the PE intact.
I also decompressed it with UPX, debbugged it and found out that it contacts a server to download more trojans.

I can PM you the URL if you are interested.

[Marcos]

For those interested in another example (I ceased taking screenshots after I'd got about 70 images with unique variants):

[Stefan Kurtzhals]

winx5, can you send the URL or sample to heuristik@antivir.de?

The test5.exe that was sent to us from VirusTotal was not the same sample you uploaded it seems (different MD5)

[Firefighter]

Quote:

Originally Posted by Marcos

For those interested in another example (I ceased taking screenshots after I'd got about 70 images with unique variants):

Is it so that you just managed to get the top 3 heuristics scanning engines in to the same picture?

Best regards,
Firefighter!

[winx5]

Stefan,

It's now sent.

Firefighter,

Count Antivir as the fourth...

[Firefighter]

Quote:

Originally Posted by winx5

Stefan,

It's now sent.

Firefighter,

Count Antivir as the fourth...

Maybe? But none has said anything about the heuristics in Kaspersky 6.0.15.222a (preBeta1 - step 7)!

Best regards,
Firefighter!

[Stefan Kurtzhals]

Firefighter, does that version of KAV6 beta has anything new regarding heuristic detection?

[RejZoR]

There is Proactive Defense module, that works pretty much the same as TruPrevent. Except it's still very very beta and doesn't exactly function as it should (for now).

[Stefan Kurtzhals]

I noticed the behaviour blocker, but it's too much work to test an entire collection against it by launching every file. So it's hard to say how good actually its "detection" ratio is.

I thought that KAV6 has a slightly better file heuristic, even though KAV 4.5 and 5 should use the same AVC files, hm.

[Firefighter]

Quote:

Originally Posted by Stefan Kurtzhals

Firefighter, does that version of KAV6 beta has anything new regarding heuristic detection?

I have not tested that new Kaspersky Pre-Beta yet. About heuristics, I don't even know how I can test that against large sample collections, because Kaspersky detects almost everything. But there is a simple method with DrWeb 4.33.

If you want to check how good DrWeb's heuristics is, Please, remove all your defs except those today riskware ones, check first by without heuristics, if no detections occured, enable heuristics and scan your all samples collection.

Best regards,
Firefighter!

[Firefighter]

Can anyone tell which are those av:s that are able to scan with heuristics only except NOD? Also those tricks as DrWeb has are welcome.

Best regards,
Firefighter!

[Firecat]

Quote:

Originally Posted by Stefan Kurtzhals

I thought that KAV6 has a slightly better file heuristic

I remember that on the Kaspersky forum, a developer had stated that KL was considering improving the heuristics engine of KAV 6.x.

BTW, I dont think the AVC files contain the heuristic engine, what they do contain is the generic detection engine.

[Don Pelotas]

Quote:

Originally Posted by Firecat

BTW, I dont think the AVC files contain the heuristic engine, what they do contain is the generic detection engine.

There is both gen.avc & ca.avc=code analyzer.

[Marcos]

For those interested, here is how NOD32 provided zero time protection to the latest mass mailing threats without needing to update (the total number of occurences was taken from www.virusradar.com):

Number of a variant of Win32/Bagle worm in 2005-11-01:
2005-11-01 22 : 4137
2005-11-01 21 : 1959
2005-11-01 20 : 3434
2005-11-01 19 : 2354
2005-11-01 18 : 1438
2005-11-01 17 : 407
2005-11-01 16 : 0

Number of a variant of Win32/Mytob worm in 2005-11-01:
2005-11-01 22 : 50
2005-11-01 21 : 23
2005-11-01 20 : 7
2005-11-01 19 : 2
2005-11-01 18 : 0