Kaspersky and code permutation vulnerability

Can someone confirm Kaspersky's alleged code permutation vulnerability? I was searching Google for random Kaspersky reviews and came across the below website that discusses Kaspersky and other anti-virus/anti-trojan software and how they compare to code permutation using a program called Code Pervertor. Thanks!

http://illusivesecurity.il.funpic.de/viewtopic.php?t=56

 

This will most likely affect KAV...I read somewhere that when infected files are even slightly changed (i.e.entry point or unknown packer) KAV will not detect it...McAfee is not affected by this.

Suppose you have a sample of virus netsky. In these cases KAV will NOT detect it:

1)If you pack it with an unknown packer like Armadillo
2)If you use the code changer

This is because KAV signatures are very weak and bound to the exact type of file the malware was originally found in. The engine does not have 'flexibility'.

 

With kav4.5 you have an option(command line) called redundant scan wich covers this "vulnerbility":-This is taken from Kav 4.5 instuctions,which by now is quite an old product so it appears kaspersky were yet again ahead of the rest!!:-
In most cases a virus registers itself in the entry point of a file with a reference to its body, which is usually appended to the file contents. To delete such viruses you only need to run an ordinary scanning operation that will remove the virus code located in the file entry point and the virus body pointed to by the initial address.

However, sometimes the virus divides its body into several parts and places them into clean areas of the file. In this case an ordinary scanning operation will neutralize the virus (i.e. the virus code in the entry point and main part of the virus body will be deleted) but some of its parts will remain in the file.

In this case you need to run the redundant scan operation that will check not only the file entry points but also the entire contents of your file.

The redundant scanning tool is recommended if no virus was detected in a normal scan but the system is still behaving strangely (for example, there are frequent instances where the computer restarts by itself, unnaturally slow performance from applications, etc.) Otherwise, we do not recommend enabling the redundant scanning tool as it noticeably slows down the scanning rate and increases the probability of false alarms.

 

That report may have been right at the time but not now.

I downloaded the 8 perverted versions and scanned as below.

SYMCORP9 2 of 8 Detected
BITDEF FREE 4 of 8 Detected
ESCAN FREE 8 of 8 Detected
KAV PERS 8 of 8 Detected

 

Whoo! And Ianb, our AMD Sempron/Athlon64 problem with eScan has been fixed and will be in the next build.

 

And in case you were wondering ............

McAfee VSE 8.0i ......... 8 out of 8 detected.

 

I'm sure KAV has Armadillo amongst its list of packers now.

 

Excellent, NOD32 detected ALL.

 

Hi Firecat,

Was the escan free the trial version of the AV or Mwav. Is there a difference in the scanning effectiveness of the two?
I notice the Bit Defender free did not fare well.

Regards,
Jerry

 

But that only means signatures was added for these specific perverted versions of these specific malwares. It is the easies thing to do. The real test is what they do if you take a recent (detected) malware and "pervert" it. Will KAV/BitDefender/etc detect it? I doubt.
-hojtsy-

 

You are partially right, KAV does unpack some very old versions of Armadillo, but not the newer ones. KAV can unpack v2.x of Armadillo, but I'm not sure about 3.x and onwards.

 

The eScan free version is NOT a full-fledged scanner and is only meant for a thourough analysis of PCs. The eScan I was talking about is the commercial edition which has features comparable to AVs like NOD32, KAV, Dr.Web, F-Secure etc.

MWAV is the real name for eScan free edition. There is NO DIFFERENCE to the scanning engines used between the commercial and free versions. Both use the same engine.

 

Firecat,

Thanks a lot.

Jerry

 

I just tested about 30 different malware with different perverter versions and KAV happily kept detecting them all.

So I guess people should actually test stuff instead of simply stating 'facts' which are untrue.

 

That's right, KAV can't unpack Armadillo v3.x (yet)

 

About this discussion... I don't know if it's relevant to light this issue out this much... Every scanner has holes, KAV has, Norton has, McAfee has... all of them...

For now I never heard about serious probs caused by this "weak" point... so calm down everybody... no need for panic

 

Why worry about Kav note being able to unpack this when most AV's can hardly unpack most things!

 

I'd have to say that this would be a good reason to have a memory based anti-trojan scanner as a second line of alerting/defense, once they are unpacked it is much easier to find them....

And I cannot leave out process guard and regdefend to lessen the chance of the trojan hiding itself and/or terminating the AT scanner
(nb: substitute favourite sandbox/app protection/registry protection above)

 

1.
I believe that Kaspersky have simply downloaded the (harmless) samples from our forum and added them to their signature database. I think this comes close to cheating.

The following dangerous samples which are contained in our test archive are still not detected (although the non-permutated original samples are detected):

Perverted.Lithium103.exe
Perverted2.MEW11SE12.CIA13.exe
Perverted2.NotPacked.TequilaBandita12f.exe

2.
I do not think that code-based signatures are necessarily weak (although they are easily affected by tricks like code permutation or run-time compression). Text-based signature or signatures taken from the resource section have other weaknesses. Our upcoming Signature Quality Evaluation Series will hopefully explain this in more detail.

3.
@Expert

"I just tested about 30 different malware with different perverter versions and KAV happily kept detecting them all."

Could you please be more specific. Which samples did you pervert? Unless you allow us to verify your results we cannot be sure whether your findings are correct or not.

 

Nautilus is right on target about Kav.

 

Every virus scanner is vulnerable to code permutation - because you basically create a completely new variant of the malware. If the malware is still detected it is because the virus scanner has a signature in a non-code area (McAfee does this quite often) or because of heuristic detection which doesn't rely on signatures.

This is no "vulnerability" - you created a new malware and some people don't seem to understand the concept of generic detection and identification of malware. If some virus scanner picked a special signature for a certain malware variant, it is not supposed to detect other variants. Unless a generic signature was picked. Signature scanning was never designed to handle this kind of problem (patched/modified malware). That's what heuristics are for, see NOD32 or Norman.

Also, as permuting is basically creating a new malware and creating and/or releasing malware is illegal in some countries, I would be carefull...

 

Code permutation will affect many AVs not just KAV. NOD32/Dr.Web are saved by heuristics, and McAfee is saved by scanning virus signatures in non-code areas as Stefan said.

However I think McAfee's method may not completely remove the virus at hand, although I can not verify this.

Some time back, a code changer was used to change the icon of a file that was created by a trojan and McAfee didn't detect it.

Similarly for KAV, when the packer is changed or the code changer was used, it couldn't detect at all. Luckily my eScan has a memory scanner.

Other products might not be able to unpack the file at all.

Therefore, I feel it is necessary to understand that all AVs have engine problems, and malware will not be changed (perverted) and distributed because they have to keep several AVs in mind and exploiting the vulnerabilities of 20 or so scanners is a very tough job indeed.

This type of attack has never occurred in the real world thus far. All AVs are still offering decent protection. Therefore this is not a very big issue.

Have a great day

Best Regards,
Firecat

 

@Stefan

In my opinion, it does not matter whether you call code-permutation, rebasing, OEP manipulation etc. a "vulnerability" or not. What matters to me is that some scanners perform better than others with respect to specific threats. If KAV does not use a heuristic or (additional) signatures taken from the resource section in order to detect perverted samples ... it will simply offer less performance than others scanners do. (And with respect to certain other threats KAV may offer a better performance than those others scanners.) For a user it is important to know in which situation a scanner performs bad and in which situation it performs well. Such knowledge will allow the user to include several complementary scanners into his personal concept of layered security.

Do you know of any jurisdictions that penalize the creation (and not only the use/distribution) of malware? Does this also apply to non-replicating malware? In such case: is there a significant difference between permutated and run-time compressed/Armadillo-protected malware?

Moreover, I wonder whether you believe that it is illegal to code a bomb called Megatest which exploits the "cursed disk" effect?

@Firecat

I will never ever believe what an AV/AT software developer will tell me and, therefore, I doubt that eScan has a working memory scanner ;-) Let's try to figure it out ...

Moreover, I believe that code-permutation has definitely been used ITW. It has been used by replicating malware, it has been used by z0mbie, it was rediscovered by Aphex and there are threads about the permutation tool in one of the biggest trojan boards ...

 

isn't it ok...gentleman...start your engines....