Wilders Security Forums  

Wilders Security Forums > Official ESET Support Forum > NOD32 v2 Antivirus Forum
#1
September 6th, 2007, 05:08 PM
rahucha
Infrequent Poster
Join Date: Sep 2007
Posts: 3
Win32/Packed.Themida

Hello,

I'm a developer at Oreans Technologies and we have developed Themida to protect applications against cracking. We are receiving many complaints from our clients saying that NOD32 reports their applications as a potential threat (Win32/Packed.Themida).

Yesterday, we contacted ESET about this issue and today we just got an email saying the following:

--

If you feel that NOD32 is giving a false positive on a particular file please do the following:

Email the specific file to scan@virustotal.com to verify if the infected file is indeed a threat. This service is free and is used to scan any sample using a dozen AV scanners without the need to install on your PC.

1. Create a new email message to scan@virustotal.com.

2. Type 'SCAN' in the Subject field.

3. Attach the file to be scanned (maximum 10 MB in size).

4. You will then receive an email with a report of the file analysis.

5. Once verified, forward the email to samples@eset.com so our Virus Lab can analyze the results.

NOTE: Due to the high volume of submissions we receive daily, we are unable to provide feedback on submissions at this time.

--

It seems that nobody is really replying and a template is just sent after 24 hours.

We know that there is lots of malware protected with Themida (unfortunately), but there is no reason to suppose that all software protected with Themida is malware. An elegant solution would be to really inspect the file in memory and detect whether the file is malware or not, instead of just detecting it as malware when it is packed with Themida.

We hope that Eset can give a fast solution to this as it's affecting our clients (and potential clients).

We are happy to assist you on anything that you need.

Thanks,
Rafael

Last edited by rahucha : September 7th, 2007 at 12:46 AM.
#2
September 6th, 2007, 06:20 PM
Marcos
Eset Moderator
Join Date: Nov 2002
Posts: 9,960
Re: Win32/Packed.Themida

Hello,

please submit the file to samples[at]eset.com with this thread's url in the subject. If it's actually a legit application, we will remove detection.
#3
September 6th, 2007, 06:25 PM
Don johnson
Regular Poster
Join Date: Jun 2007
Posts: 77
Re: Win32/Packed.Themida

I agree with you. Themida is a business packer, and much normal software uses it, but virus makers can use it to bypass most AV. Whether it should be detected is worth discussing.
#4
September 7th, 2007, 12:54 AM
rahucha
Infrequent Poster
Join Date: Sep 2007
Posts: 3
Re: Win32/Packed.Themida

Quote:
Originally Posted by Marcos
Hello,

please submit the file to samples[at]eset.com with this thread's url in the subject. If it's actually a legit application, we will remove detection.

Hi Marcos,

We don't want our customers to have to send their applications protected with Themida to ESET every time they protect them. Of course, customers will complain about this.

Themida tries to do a good job of protecting applications against cracking. It's not our fault that hackers use it to protect malware.

Please note that if an important antivirus detects ALL protected applications (with Themida or any other commercial protector) as viruses, it could endanger the business of those software protection companies.

We really hope that ESET takes some action on this.

Thanks,
Rafael
#5
September 7th, 2007, 03:35 AM
Marcos
Eset Moderator
Join Date: Nov 2002
Posts: 9,960
Re: Win32/Packed.Themida

Themida-packed applications are detected as unwanted just because they can also cover legit applications. The user gives explicit consent to detect this kind of application. It is not a problem for us to promptly remove detection for legit programs.
#6
September 7th, 2007, 12:55 PM
stevehal
Infrequent Poster
Join Date: Sep 2007
Posts: 11
Re: Win32/Packed.Themida

The problem here is that our company has been recommending NOD32 for the last year, and we also rely a lot on Themida.

Is Themida detection just recently added to NOD32?

We will monitor our user areas and see if we get reports in.

I do understand users have to specifically check certain options, and I was able to get NOD32 to detect a potentially unwanted application. But the fact that it will label it as a "threat" concerns me, and it does not identify the setting in NOD32 that caused this detection. So therefore customers could think it is a virus.

The NOD32 interface should say "A potentially unsafe application was found"...

We have many EXE's all over the world using Themida, and this does cause me some concern.

But, if we get a very rare report of this going forward, then hopefully the interference will be minimal. But as I am sure Rafael is concerned, I am concerned about NOD32's wording or not identifying the "threat" category when it finds Themida.
#7
September 7th, 2007, 02:23 PM
stevehal
Infrequent Poster
Join Date: Sep 2007
Posts: 11
Re: Win32/Packed.Themida

Also, we could not submit all our EXE's. That would be entirely impractical and some of our EXE's are too big to submit.

We got a customer writing already.

I really hope something is changed.
#8
September 7th, 2007, 03:25 PM
Marcos
Eset Moderator
Join Date: Nov 2002
Posts: 9,960
Re: Win32/Packed.Themida

We will certainly discuss this matter with the developers. I have just proposed a solution to them so that both parties are satisfied.
#9
September 11th, 2007, 12:49 PM
smalpree
Infrequent Poster
Join Date: Sep 2007
Location: Houston
Posts: 2
Re: Win32/Packed.Themida

After a lot of research we have definitely got a Themida-protected virus. A version of Opanki that is named WINSONY.EXE.

Themida is preventing McAfee from stopping it.

We have determined that Themida is too dangerous to our environment to allow any product protected by Themida on the network. We cannot have 27,000 nodes exposed to such a threat.

The only string in the infected executables that can be detected is "themida".

So we have asked McAfee to treat any executable with the Themida string as a virus.

Just like we can't blame the gun manufacturers for the people that use guns to commit crimes, we cannot blame the writers of Themida.

However, we do have a company policy where guns are not allowed, so the same will now go for Themida as well.

It is my opinion that the writers of Themida have a responsibility to collaborate with the anti-virus companies to come up with a solution that allows their legitimately protected clients to operate while allowing the virus scan tools to destroy evilware.

Quote:
Originally Posted by rahucha
[post #1 quoted in full]
#10
September 11th, 2007, 02:19 PM
Marcos
Eset Moderator
Join Date: Nov 2002
Posts: 9,960
Re: Win32/Packed.Themida

Quote:
Originally Posted by smalpree
The only string in the infected executables that can be detected is "themida"

This is true for a portion of Themida-packed files, not all have this string in the header.
#11
September 11th, 2007, 04:21 PM
smalpree
Infrequent Poster
Join Date: Sep 2007
Location: Houston
Posts: 2
Re: Win32/Packed.Themida

Like I point out; a gun in the wrong hands is a dangerous thing...

I attempted contacting the makers of Themida to get some assistance fighting the problem and the only response I got was:

~No private email without permission of both parties. - Ron~

To learn more about the danger:

Here is a link: ~Link removed. No links to malware, cracks, etc on these forums. - Ron~

This video is one of dozens showing how to use Themida to create a virus that defeats virus programs and hides keyloggers.

This video also shows how to crack the Themida software and get keys so they don’t have to pay for it.

I find it a bit ironic that a product that is designed to protect software developers from having their intellectual property stolen is a victim of having their intellectual property stolen.

Last edited by ronjor : September 11th, 2007 at 04:31 PM.
#12
September 12th, 2007, 02:56 PM
CDreier
Infrequent Poster
Join Date: Apr 2006
Location: Southeast U.S.
Posts: 34
Re: Win32/Packed.Themida

I am an 'average' user of NOD32, and found this thread because I also got the Win32/Packed.Themida a short time ago when attempting to install an add-on aircraft to Microsoft Flight Simulator from the Flight1 software vendor. They are a reputable company that I've done business with on several occasions, but I have now contacted them since I fully trust NOD32. If this is a false positive, then I indeed think there is some problem, especially for the company using Themida. Thanks.
#13
September 12th, 2007, 10:46 PM
ronjor
Global Moderator
Join Date: Jul 2003
Location: Texas, USA
Posts: 41,851
Re: Win32/Packed.Themida

A few off topic posts removed from this thread.

Please keep in mind this is the Official Support Forum for Eset and their products.
#14
September 13th, 2007, 09:46 PM
stevehal
Infrequent Poster
Join Date: Sep 2007
Posts: 11
Re: Win32/Packed.Themida

The problem is that everyone loses.

First, our corporation would have to stop recommending NOD32 to our customers if this can't be resolved (we have been recommending it for some time now).

We would hurt due to lost sales for the products out there that are flagged.

Rafael would be hurt because the more this type of thing occurs the more likely it could remove such a good product from the market.

So let's hope Rafael and ESET can work things out.

Kneejerk reactions are not good.

From a technical point of view, in the future, if detection is a must, then NOD32 should possibly not flag it in such a way to be as alarming as it looks now. Customers write things like (THERE IS A VIRUS IN YOUR SOFTWARE!). NOD32 should notify the customer that due to their selected settings, a certain application was detected that is likely not a virus (I am sure there are 100+ good applications to maybe 1 virus - I bet the ratio is much higher). In this case Themida is only detected when the customer selects potentially unwanted application detection from NOD32 options. But when it reports, it reports just the same as a virus.
#15
September 14th, 2007, 12:06 AM
flyrfan111
Very Frequent Poster
Join Date: Jun 2004
Posts: 1,224
Re: Win32/Packed.Themida

Quote:
As far as antivirus detection, I tested Themida against 5 randomly selected samples of unpacked malware in the Shadowserver repository. Different AV vendors gave different results obviously, but the trend was clearly against AV detection of Themida protected malware. Perhaps AV vendors should make it a priority to research Themida and warn or flag suspicious any file detected to be protected with Themida? True, you will get false positives with this as some legitimate applications may use Themida as protection. However it may be a small price to pay to provide users with a fighting chance to detect and address new strains of Themida protected malware.

I believe that the ramifications are quite large for those of us in the malware and botnet research camp. The ease of use and the simple interface concerns me as it is basically a load, check, and go process to create a virtually uncrackable piece of malware. With the increased use of rootkit technology making malware already more complex, tools such as Themida will just add to the challenges.

The entire article can be found here:

http://www.shadowserver.org/wiki/pmw...endar.20061227
#16
September 14th, 2007, 11:19 AM
Niklass
Infrequent Poster
Join Date: Sep 2007
Location: Buenos Aires, Argentina
Posts: 11
Re: Win32/Packed.Themida

This is really worth discussing. All malware packed with Themida bypasses AV engines, because of the compression and encryption Themida uses. The solution, to me, is in the hands of the Themida developers, as there is no way to detect whether there is malware encrypted / hidden inside because of the algorithms they are using to pack.

Last edited by Niklass : September 14th, 2007 at 01:53 PM.
#17
September 14th, 2007, 03:53 PM
stevehal
Infrequent Poster
Join Date: Sep 2007
Posts: 11
Re: Win32/Packed.Themida

Flyfan, Niklass,

But there are a few elements not discussed...

If a virus writer uses a packer, such as Themida, UPX, ASPack, PECompact, or any number of different applications, the file still exists as bytes on the disk. And of course no matter what happens before the file is executed, it is simply an inanimate object, like a piece of paper. Bytes do nothing.

If the writer uses any packer from any company, it will no longer be detected in a disk scan because its byte order has changed (unless the anti-virus product knows how to detect and unpack such files).

But still it is in byte form and all that needs to be done is for the AV vendor to update their definitions. This is because it may still be the same virus packed, but its byte order has simply changed with a packer (there may be hundreds of packers out there).

I do not think it is possible for the core bytes to mutate AND still be packed by Themida, so in a sense, this is actually a small security benefit (unless such a packer was on the user's system).

So the best end result would be for ESET and Oreans to work this out. For the longer term this will be a good practice because it will surely come up again with any developer tool that all of a sudden becomes used by a virus writer.
#18
September 14th, 2007, 05:07 PM
flyrfan111
Very Frequent Poster
Join Date: Jun 2004
Posts: 1,224
Re: Win32/Packed.Themida

The problem with Themida is that it is specifically designed to PREVENT analysis of files that are packed, if you read the article I linked to instead of just the part I quoted.

Quote:
When used, Themida will increase the size of the executable by a fair amount, typically at least 500Kb. This is due to the protection code that is added to the executable in order to further deter analysis.


It was designed to prevent reverse engineering and to secure applications. AV researchers NEED to reverse engineer malware in order to figure out how to stop it and fix it. If the files are encrypted there is no way to analyse them before execution short of brute forcing the password to break the encryption, which would obviously create a large performance hit on the system as it attempted to guess the encryption.

http://www.shadowserver.org/wiki/pmw...endar.20061227
#19
September 14th, 2007, 11:16 PM
stevehal
Infrequent Poster
Join Date: Sep 2007
Posts: 11
Re: Win32/Packed.Themida

Yes, you are correct. One may not be able to reverse-engineer the files, if this is precisely important to the AV company. But if I understand correctly, reverse engineering a virus is not the only method to determine a virus?

One could do a system watch, and see what changes occur. If every virus had to be reverse engineered, I do not think updates to definitions could come as quick.

So, if a virus is identified, one could use the part of the bytes for the definitions, and that is where Rafael could work with the AV companies out there.

There will always be packers, protectors, obfuscators, out there. Especially with Dotnet code which is not as strong against reverse engineering as past unmanaged code. So with this, how do AV products and executable code that is processed by another program exist together?
#20
October 4th, 2007, 07:05 PM
i_g
Regular Poster
Join Date: Aug 2006
Posts: 95
Re: Win32/Packed.Themida

Quote:
Originally Posted by rahucha
An ellegant solution would be to really inspect the file on memory and detect if the file is malware or not, and not just detecting as malware when packed with Themida.
That's not a solution at all, unfortunately. The malicious file has to be detected before it's started, not afterwards - when it's already running and has possibly performed its payload.

Quote:
Originally Posted by stevehal
NOD32 should notify the customer that due to their selected settings, a certain application was detected that is likely not a virus (I am sure there are 100+ good applications to maybe 1 virus - I bet the ratio is much higher).
I don't want to underestimate Oreans' sales, but I really doubt it. Working for another AV vendor, I can say that we receive thousands of unique Themida-packed samples each month, most of them being malicious. So the actual ratio is more likely to be the inverse of what you think.

Quote:
Originally Posted by stevehal
But still it is in byte form and all that needs to be done is for the AV vendor to update their definitions. This is because it may still be the same virus packed, but it's byte order has simply changed with a packer (there may be 100's of packers out there).

I do not think it is possible for the core bytes to mutate AND still be packed by Themida, so in a sense, this is actually a small security benefit (unless such packer was on the users system).
Right, updating the virus definitions solves the problem for one sample. However, detecting the packer is meant as a part of pro-active protection. Malware authors may repack the malicious file automatically every minute (or even faster) and update the file on some web site this way. There's no way the AV company can react quickly enough to protect its customers in this case - unless the antivirus is able to unpack the file (whose unpacked content is most likely to stay basically the same - because the authors can hardly update the malware source code that fast), or it detects the packer...
#21
January 17th, 2008, 09:15 AM
d_sotos
Infrequent Poster
Join Date: Mar 2006
Posts: 3
Re: Win32/Packed.Themida

Some help here!
After scanning my pc, this is the result:
File C:\WINDOWS\win32.exe is infected with a variant of Win32/Packed.Themida application. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed.

My options are: 1) Leave 2)Rename 3)Delete
Any idea what to do?

Thanks in advance
#22
January 17th, 2008, 03:34 PM
ASpace
Posts: n/a
Re: Win32/Packed.Themida

Quote:
Originally Posted by d_sotos
Some help here!
After scanning my pc, this is the result:
File C:\WINDOWS\win32.exe is infected with a variant of Win32/Packed.Themida application. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed.

My options are: 1) Leave 2)Rename 3)Delete
Any idea what to do?

Thanks in advance


Delete (of course) + check on "Copy to quarantine"
#23
November 25th, 2009, 04:57 AM
danieln
Eset Staff
Join Date: Jan 2009
Posts: 79
Re: Win32/Packed.Themida

Important information for developers of legitimate applications who intend to use Themida or similar protectors:
http://www.avertlabs.com/research/bl...elephant-trap/
quote: "If you feel that you really must use an obfuscating protector at least digitally sign your files."

The anti-malware companies expect developers who use the abused protectors to properly identify their files. Properly filled VERSION INFO and a valid DIGITAL SIGNATURE are required.
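As an added example (not code from this thread, from ESET or from Oreans), here is a small defender-side triage script that ties together two points made above: Marcos's note that only a portion of Themida-packed files carry the "themida" string in their headers, and danieln's point that anti-malware vendors look for a digital signature on protected files. It parses just enough of the PE headers to record whether the marker string is present and whether an Authenticode security directory exists; it only checks for the presence of a signature, not its validity, and the sample PEs are constructed in memory by build_pe() rather than being real Themida output.

```python
import struct

# Constructed example; sample PEs from build_pe() are not real Themida output.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def build_pe(section_names, signed):
    """Build a bare PE32 image (headers + section table only) for testing."""
    opt_size = 224                                   # PE32 optional header size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    if signed:                                       # placeholder certificate table offset/size
        struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, 0x2000, 0x800)
    table = b"".join(n.ljust(8, b"\0")[:8] + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


def inspect_pe(data):
    """Parse just enough of the PE headers for packer triage."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                               # PE32: data directories at +96
        dirs, ndirs = opt + 96, struct.unpack_from("<I", data, opt + 92)[0]
    elif magic == 0x20B:                             # PE32+: data directories at +112
        dirs, ndirs = opt + 112, struct.unpack_from("<I", data, opt + 108)[0]
    else:
        raise ValueError("unknown optional header magic")
    cert_off = cert_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        cert_off, cert_size = struct.unpack_from("<II", data, dirs + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)
    table = opt + opt_size
    names = [data[table + i * 40:table + i * 40 + 8].rstrip(b"\0").decode("latin-1")
             for i in range(nsect)]
    headers_end = table + nsect * 40
    return {
        "sections": names,
        # Per Marcos's post, not every Themida-packed file carries this string,
        # so False here is not evidence that the file is unpacked.
        "themida_string": b"themida" in data[:headers_end].lower(),
        # Presence only: the certificate chain still has to be validated.
        "has_signature": cert_off != 0 and cert_size != 0,
    }


def triage(data):
    """Attach a defender-side handling note to the header facts."""
    info = inspect_pe(data)
    if not info["themida_string"]:
        info["verdict"] = "no packer marker"
    elif info["has_signature"]:
        info["verdict"] = "packer marker, signed: validate the signature, then whitelist or escalate"
    else:
        info["verdict"] = "packer marker, unsigned: treat as potentially unwanted and submit a sample"
    return info
```

To run it on a real file, pass the bytes of the file to triage() instead of the constructed samples.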