Interesting Tests

http://www.raymond.cc/blog/archives/2010/02/03/best-performing-speed-and-memory-usage-antivirus-and-internet-security-for-2010/

Interesting is the Test Nummer 6: Detection

- Bifrost trojan being crypted with Incognito to avoid detection. Theoretically it should bypass all antivirus scan time because each stub is nearly 100% unique, thanks to the polymorphic generator. This test will show how good is the runtime scan of an antivirus (heuristic).


Is In version 4.2 planned something against this technology?

 

Testing detection by recompressing already known malware is not a test but creation of brand new malware. People from the security community would punish him immediately if he really think he's doing a credible test.

 

That makes no sense. I accept that detecting the malware when it's packed it can be considered as new malware (e.g. a new signature). However, if the anti virus doesn't detect it when it's unpacked then the anti virus is useless.

All people have to do is pack any malware with this tool, and others like it and they will avoid complete detection.

In my mind this shows the weakness of the unpacking methods in the anti virus (whilst scanning) and the detection mechanisms when running the code, purely because the code is effectively emulated on a bespoke VM machine, and the generated code is unique for each packed executable.

~ Removed Posted Link as per Policy ~

 

Attached picture to explain how the packed code can avoid detection by running on a custom VM engine. (as link was removed.)

Although whilst the generated packed code may be unquie each time, the VM engine will be the same.

 

I recently read that "test" and after a search I found this topic
I agry with Marcos that this is a creation of brand new malware but there are 2 questions.
Does security community (especially ESET) knows about that crypter (Incognito)?
If it is really suspicious or malicious or dangerous (say it whatever you like), are they planning to do something?

 

I think the problem here is not the incognito software that can allow you to pack malware in forms that it can avoid detection.
The problem is that, no matter if the security software you have installed did not detect the malware when it was packed because when in that state it is harmless, but if when unpacked it was able to detect it or not, and if detected, it was able to block it from doing harm.

I don´t complain if ESS cannot detect all packed types of malware out there in the wild. What I don't like is that when the malware is unpacked and run in my system it cannot detect it. THAT IS A PROBLEM.

Having said that, you can see in the test that many AV solutions id not detect the packed archived but when it was detected may of them could successfully block it (i don't consider successful the detection and inability to block the archive).

And clearly, when unpacked I would have expected Eset's software to detect and block the threat because then it is a known malware and it is no longer camouflaged.