#1

The file "archive3.jpg" is a password-protected .rar archive (i.e., it must be renamed before it can be opened /w WinRAR). The archive contains two relatively new trojan servers (Theef 2 beta 5). Both servers are visible and entirely harmless zoo trojans. The first sample is not compressed at all. The other sample is protected with Armadillo's Copy-Mem II technology which encrypts pages of memory.

Usually, Memory Scanners do not need to decrypt trojan servers at all. (AT software producers have created MemScanners because attackers started to protect their trojans /w compressors, crypters or the like. MemScanners rely upon the fact that a compressed trojan server is usually unpacked when it is loaded in the computer's memory.) The above rule does not apply anymore. I am curious whether there is any MemScanner on the market which is able to detect Copy-Mem II protected malware.

Please send me a PM if you are interested in the exact download location and the password for the archive. I will not post a direct link because this would not be in line with the TOS (according to Paul). If you believe that your AV or AT scanner can detect the Armadillo-protected Theef server while it is running, please let me know. I will be happy to verify such a claim. It will be interesting to know who comes first ... but please note that cheating (like creating special sigs for the Armadillo-protected zoo sample or scanning for window names) will not be tolerated ;-) Moreover, I won't take into account any generic filescanning techniques (e.g., scanning the resource section of the files). Good luck.

EDITED1: In the meantime, Andreas Haak has (almost) convinced me that it is quite easy to detect Copy-Mem II protected malware by taking signatures from those parts of the file which are executed first and, therefore, are likely to be a part of the first (unencrypted) memory page. Unfortunately, this is still a theory since the a2 mem scanner does not work yet.

EDITED2: If you are interested in the samples and do not receive a reply from me you may also ask Paul Wilders who knows the PW and who is responsible for this PM procedure ;-)
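An added illustration of the EDITED1 idea (this is not code from the thread or from any scanner named in it): a toy two-page "process image" whose second page is XOR-scrambled to stand in for a page the protector has not decrypted yet, showing that a signature taken from the first-executed page still matches while a signature from deeper code does not. The page size, key, sample bytes and signatures are all constructed.

```python
# Added example, not from the thread: toy model of a page-level memory
# protector versus a byte-signature memory scan. PAGE, the XOR key, the
# sample bytes and the signatures are all constructed for illustration;
# nothing here parses a real PE or a real Copy-Mem II image.
PAGE = 4096


def build_image(entry_code: bytes, body_code: bytes, key: int, protect: bool) -> bytes:
    """Lay out a two-page 'process image': page 0 holds the entry stub
    (the code that runs first, so it must be in clear when execution
    starts), page 1 holds the rest of the code. With protect=True page 1
    is XOR-scrambled, standing in for a page the protector has not yet
    decrypted at the moment the scanner reads process memory."""
    page0 = entry_code.ljust(PAGE, b"\x00")
    page1 = body_code.ljust(PAGE, b"\x00")
    if protect:
        page1 = bytes(b ^ key for b in page1)
    return page0 + page1


def scan(image: bytes, signatures: dict) -> list:
    """Plain byte-pattern scan over the image; returns the names of the
    signatures that match, in the order they were registered."""
    return [name for name, pattern in signatures.items() if pattern in image]


# Constructed sample: an x86-looking entry stub and a body containing a
# string a generic detection might key on (the thread mentions one).
ENTRY = b"\x55\x8b\xec\x83\xec\x40\xe8\x00\x10\x00\x00"
BODY = b"\x90" * 16 + b"icq notify" + b"\x90" * 16 + b"\xc3"

SIGNATURES = {
    "entry-page": ENTRY[:8],        # taken from the first-executed code
    "body-string": b"icq notify",   # taken from deeper in the file
}


def detections(protect: bool) -> list:
    """Which signatures fire against the unprotected / protected image."""
    image = build_image(ENTRY, BODY, key=0x5A, protect=protect)
    return scan(image, SIGNATURES)


if __name__ == "__main__":
    print("unprotected:", detections(False))  # both signatures match
    print("protected:  ", detections(True))   # only the entry-page one
```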
#2

Taken from the developer's website:

"The majority of "backdoor compromises" involve FAMILIAR trojans which have been "encrypted," "repacked," "patched," "hex edited" or otherwise modified to obscure them from "pattern matches." ... Many antiviruses do well and detect about 90% of trojans in the wild. It's the other 10% which are modified that is the major concern, and known trojans can be easily configured to elude file scans even when they're "known." BOClean doesn't bother. Once they're unpacked or decrypted and go to run, they must shed their "cloaking" and this is where BOClean comes to the rescue. Instantly."

I am curious whether BOClean can handle the Copy-Mem II protected sample. Unfortunately, there is no BOClean trial.
#3

Have you sent the file to any of the fine AV-AT makers yet? Has any of the members asked if you would send it to them? Your writing looks familiar

con
#4

"Have you sent the file to any of the fine AV-AT makers yet?"

No. But in the meantime, they should have created a signature for Theef 2 beta 5 anyway. In addition, they can dl it from the official Theef website, my website or ask Paul who has the PW & the samples. Also note that TH users were never at risk since TH's generic scan can detect every Theef server. (Unfortunately, this does not apply to other trojans.) In addition, I would like to mention one more time that my samples are harmless zoo trojans. Their single purpose is to determine whether a mem scanner can handle CPMII-protected malware, i.e., we are talking about a potential threat and not a real threat. At least so far.

"Has any of the members asked if you would send it to them?"

Yes.

"Your writing looks familiar"

Thanks. That's deliberate.
#5

TDS has standard detection for Theef. More may be added, including special detection. We add extra detection for common families and Theef is one which is used a little. But nothing like the use Assassin, Optix, MoSucker, CIA and a few others get.
#6

Theef suffers from various design flaws. You can easily take signatures from the resource section (e.g., RCData -- PACKAGEINFO or TFORM1) in order to detect it. However, there are better trojans out there which do not facilitate a detection via a scan of the resource section. In such a case it is more important to find a way to overcome CPM-II protection.
#7

Sorry I missed this one ... we'd gotten a link to the file(s) in question a few days ago where someone had asked us to check it and BOClean had no problem detecting either. Do feel free to verify against BOClean if you'd like ...
__________________
Kevin McAleavey, Co-founder, The KNOS Project: http://www.knosproject.com/ "For folks who still need a reliable desktop machine in an age of consumption devices."
#8

Hi Kevin,

Thanks for contributing to this topic.

1. Do you know why BOClean detected both samples?
2. Do you believe that detecting CPM-II compressed malware is no problem at all (even if a trojan does not have a .resc section like Theef)? Other mem scanners do have problems ...
3. I am considering uploading a CPM-II protected server which does not have a .resc section. However, such a server would not be a harmless zoo trojan (since there are apparently no visible servers w/o a .resc section). Therefore, I would not be able to reveal the password to persons who are not AV/AT software producers etc.
#9

No problem detecting it with TDS either, even on old databases. So the memory protection is not doing anything to stop the memory scanner. All memory scanners SHOULD be able to detect this, depending on having signatures of course. But I added a bit more detection anyway, and will update the advanced sigs to detect various packed samples as soon as possible.
#10

@Gavin

I have tried to detect it with signatures dated Dec 28, 2003. Process Mem Scan detects nothing. Same applies to Object Mem Scan. File scanner stays silent. Then I have used sigs dated Jan 7, 2004. File scanner detects nothing. Obj Mem scan says nothing. Process Mem scan detects ... nothing. Are you sure that you scanned the Theef2b5Armadillo.exe sample? Is my TDS defective/misconfigured? (The unpacked file Theef2b5.exe is detected of course, by the file scanner and by the mem scanner due to generic detection -- icq notify.)
#11

Hmm, I'll have to look into that. I ran the Armadillo version and scanned with a month old database, detected it fine.
#12

As for Trojan Hunter - sure, Theef seems no problem, but the TH module mem scanner seems to fail nearly all DLL injections. This seems to make this guard virtually useless. Correct me if I'm wrong here - please!

worried
#13

worried,

TrojanHunter hasn't failed any test with process-injecting trojans here... what trojan are you using? If you have one it isn't detecting, could you send it to submit@trojanhunter.com ?
__________________
Mischel Internet Security Home of TrojanHunter and SSH Edit Twitter: @mmischel