how easly is to bypass avira ?

Read this topic please: http://forum.antivir.de/thread.php?threadid=22082

I am little bit worried about my safetly right now

 

i wouldnt be too worried, all av's can be bypassed in some way if they really wanted to.

"kav and dr.web are unpacking monsters,"

i like that tho

 

It is actually true you know

 

that is just a bashing topic there... Read Stefan Kurtzhals answer. There is no need to add dozens of packers because anyway they can be easily bypassed. If you detect the malware after extraction is ok.

 

I do know one AV that doesn't do packer/crypter specific detection. Avast!

 

I think that you may be wrong. I often see Win32/Trojan.gen (UPX) in MIRT.

 

Thats not generic UPX detection. It just states that some generic malware was detected under UPX packer.

 

Well, I was wrong
What about AVG?

 

"Virus found Win32/CryptExe". This is the only possible packer detection I have noticed from AVG. There was another called "Win32/PEPatch" but I verified this to be real malware and not just a packer detection.

 

It's still a packer dependant detection which was luckily correct on some malware...

 

No, there are many variants of Win32/PEPatch reported by AVG unlike the Win32/CryptExe detection, which was always detected as just "Win32/CryptExe". For example "Win32/PEPatch.I, Win32/PEPatch.Y, Win32/PEPatch.X" etc.

When there is a packer detection from an AV, usually there are no variants - for example "Mal/Packer", not "Mal/Packer.A", "Trojan.NSAnti.Gen" (BitDefender), "TR/Crypt.XPACK.Gen" (Avira)

After searching a little bit about it, I found out that "Win32/PEPatch" is given to malware which modify portable executable files like winlogon.exe (for example)

 

What about custom packers?

It's clear, if you want you can bypass almost all av based on signatures. That's one point where HIPS/CIPS can really give an help

 

i think they all add them,

drweb: Trojan.Packed.132

 

Firecat, those variant packer detections are most probably just packer detections with dependences. McAfee is using similar (well at least i know they used to in the past). It was like this:

Packer: UPack -> YES
File size treshold: 200KB
+ some extra internal characteristics

If you had UPack packed file taht was 1,1MB in size, McAfee left it out since UPack packed worms/trojans were never this big (because of transportation reasons).
If you had UPack packd executable with size of 55KB, McAfee jumped with name like New malware.u (just example).
So it's not a fully aggressive packer detection that will jump on any packed file but it was more selective, resulting in less false alarms than lets say QuickHeal that jumps on any runtime packed file regardless of ther characteristics. Pack Notepad.exe with more exotic packers and it'll be always flagged as malware.

 

Wrong. Even total wrong. PE_Patch is a synonym for additional patched files after runtime packing for example. If you pack a file with UPX and redirect the Entrypoint to some strange extra decrypting function (such as decrypting the UPX sections first before calling the UPX Unpacker stub - for example via XOR) it will be flagged as PE_Patch. Basically that means a second or third etc layer before the "real" entrypoint.

 

And regarding the topic - you can "easily" bypass *ANY* Security Software. And if there are only 2 known and verified options how to do that the next moronish user who has absolutely no idea what hes doing will find a 3rd one by accident.

 

Some flag it like this, some like KAV also try to properly decompress PE_Patched stuff (and also clearly show that to user). Thats why we see PE_Patch in the scan logs almost all the time since almost all samples today are obscured one or another way...

 

Partly wrong

Others can decompress that too via Emulation. You just have to "collect" the instruction flow from the emulator and you can easily detect such things. There is no particular "signature" for PE_Patch since it can be done in many different ways eg. XOR, ROL, ADD, SUB etc. etc. etc.

 

I made that conclusion based on searching for the KAV name of it - Trojan.Win32.Patched.something - KAV's viruslist said something like that.

But then, is "PEPatch" the same thing as "PE_Patch"? Because the underscore is NOT there in the AVG detections.

 

Thanks for this info, I think you are right. In any case, I've noticed those two detections from AVG, and those are packer based detections and thats the point I wanted to make.

 

How is it possible to bypass a whitelist, assuming that the whitelist was done on a clean system?

Which name does VBA32 use to flag packers?
And ClamAV?

 

PEPatch or PE_Patch is the same thing. It's just the way how we write it

 

lucas1985:
For executables that depends on the method used for doing the whitelisting. However whitelisting is by default still vulnerable to exploits, in-memory execution (see i.e Win32/CodeRed http://www.viruslist.com/en/viruses/encyclopedia?virusid=23374), Malware that is not in binary executables like scripts (VBS, Batch etc.), or Macro Viruses for dozens of applications.

Whitelisting isn't the holy grail either, you know. And you can't do it on a corporate gateway.

 

And so I think the question is: what are the security vendors doing about it? Other than labeling people who discover loopholes and bring them to attention as "moronish", I mean?

 

Let us face a few things:

- It is always easier to demand a solution to a problem, than to come up with one.
- It is always easier to come up with a solution to a problem if you do not have to adhere to the laws and boundaries of reality.
- The first and second law of thermodynamics do not apply to the proud citizens of planet Moron.

IT security people are working on edge between ultimate protection and what reality demands concerning usabilty, performance and available ressources. To drive the point home, Microsoft has delivered the ultimate software tools to protect your computer from attacks decades ago with one of its first operating systems. They were, and still are, called FORMAT.COM and FDISK.

Now admittedly these tools have a few drawbacks when it comes to usability, but you can't get any safer than that on a software level.