AMON & UPX

I am testing now NOD32 that i really like.
The only thing which annoy me is the fact that once you have packed a virus with UPX, AMON doesn't detect it anymore.

That this feature be more ressource consuming, ok, but why not let the choice to the user with an option ?
Is such option is planned to be added in the future ?

 

I perfectly agree about archives like RAR,ZIP,ACE, etc...
In order to run viruses you have to unpack them.

But UPX packs executables in a manner that the destination is still an executable.
An UPX packed program can be launched directly without unpacking it.
The executable is unpacked in memory, not on the Hardrive.

I admit to not have tried to launch the packed worm, in case AMON would fail it i would be infected.
The scanner has the option to unpack UPX, but not AMON apparently.

Are you saying me that AMON catch UPX viruses once unpacked in memory ?

If someone want to try, i can send him a packed Swen worm.

 

Hehe - you are right

In fact, I've been pestering them with this issue for some time now (cf. see sir_carew's most recent topic, the 'features' poll: https://www.wilderssecurity.com/showthread.php?t=19459

In fact, although the nod32 on-demand scanner does scan inside archives, it is NOT so with AMON. In fact, amon does not scan inside archives (normal or SFX) either. But in a way, this makes sense - Amon resides in memory as an on-access scanner (resident guard, or 'monitor') - in fact, I don't think any AV monitor scans inside archives & packers. Imagine - every time an exe file were accessed or created, the monitor would have to look at the executable's HEADER to determine if it is an SFX archive OR a runtime packer packed in a fashion KNOWN to the AV, and if so would have to scan inside it - that would slow it down considerably!

The problem is, runtime packers are MUCH dealier than even SFX archives since they unpack directly into memory. Which is why antivirus monitors, which don't scan inside them, are powerless against a packed virus/worm, even if it is a known virus packed with a known method.

And besides, even if an AV monitor were to systematically scan inside all runtime packers, no AV to this day can scan inside ALL types of packers - the leader in this field is maybe KAV, which recognizes 600 types of packers, yet not all of them, not to mention custom-made packers.

So as I pointed out in the other thread, the only failsafe alternative would be to give the monitor the ability to continuously scan the MEMORY - that way, even a virus packed in a customized (therefoere unknown) way, would be caught, since anything, no matter how much packed and crypted, has to shed its cloaking once in memory before it can be executed. The TH (Trojan Hunter) THguard works this way: it does not scan the HDD (on file-access), instead scans the memory.
But once again, neither amon nor any other AV monitor scans the memory.

If Amon were given this feature, this would barely slow it down (look at TH: it's lightning fast!) and would make it impervious to any packed virus.

BTW. this implies that the packed swen virus will most certainly NOT be detected, UNLESS the PACKED signature itself is part of the signatures, which is sometimes the case (but that's more like "cheating" lol): for example the Trojan Win32/Xenozbot10 is part of the Nod32 signature definitions, but only in a packed form, which means that its true specific upx-unpacked form is not detected by Amon, nor any form of it packed in a different way than the default method! In detail:

1- original upx-packed Xenozbot: 89 kbytes, detected by Nod (Amon or on-demand scanner)
2- unpacked Xenozbot: 230 Kbytes, NOT detected by Nod
3- unpacked then upx-repacked but in 2 different ways, both differing from the original method in step 1: 81,5 Kbytes and 91 Kbytes, both are NOT detected by Nod.

So the only way to avoid this is:
- to store only the UNPACKED SIGNATURES in the definitions list (I don't know how many AVs do this, I know Dr Web does so)
- EITHER give Amon the ability to recognize & scan inside upx-files on-access, but that would slow it down and would not even protect against unknown packing methods
- OR have Amon scan the memory while running!!

 

Sorry, couldn't help it

and yet, I said
"this implies that the packed swen virus will most certainly NOT be detected"

So 'maybe' the Eset guys read my post, realized their mistake and quickly released a corrective update, which 'maybe' happens to be the one gkweb is about to test, in which case swen will be caught!

 

My previous AV does detect Swen, and the Packed UPX Swen.
That's why i was wondering why NOD32 doesn't

Yes may be they have the UPX form signature, whatever it is cheating or not, it does detect the file.

I agree that we have to have the signature of ITW form.
So if the ITW is packed, to have only the packed related signature.

But, since the scanner has the capability to unpack UPX to compare against
his unpack signature database, i would like an option for AMON to do it too.
If it take more ressources, let the choice to the user (me i would certainly enable it, since NOD32 is very light).

 

It does not become late even if it attaches the option of UPX defrosting to AMON.
There are few UPX compressed files.
What is necessary is to thaw only UPX compression FAIRU, if it corresponds by inspection at the time of OPEN.
And what is necessary is just to call decompressed dynamically.