Unpacking ability of some AV's

All i have to say to this royal major bullshit (i mean the test - not the postings except from some members)

is:

 

Sorry got bored with reading posts defending/attacking Nod on this issue and I don't know if someone has posted this before but isn't a packed file "safe" and only becomes dangerous when unpacked?So as long as any AV detects the nasty on unpacking,and not necessarily inside packer/archive,isn't it doing its job of protecting our PCs
This isnt a defence of Nod just a factacked files aren't dangerous(I use Kav myself so judging by the way Kav v Nod posts seem to pan out here I should be gloating over these results!)If any AV doesnt detect the unpacked malware then this does pose a problem

 

All of us know that NOD32 isn't perfect, every AV have pros and cons, but don't know why someone make tests like these, when we just look at the results and see that they are false...

 

This applies only to archives (like ZIP,RAR,CAB,7z etc...) but NOT to runtime packers (like UPX,PKLite,Morphine,AsPack etc...)

 

gigaman, the additional signatures are no solution, they are actually a "cheat". No AV program should do this, but I think there are a few out there.
There is no way for an outstander to tell how actually an AV program detected malware, if unpacking was involved or not.

And some people didn't understand the principle of runtime packers. They don't drop unpacked files on the hard disk to execute them (well CEXE does ;-) ) but they unpack in RAM only. There is no way for on-access scanners to catch the malware if the scan engine is not able to unpack the malware, with the exception of behaviour blocking and similar approaches.

 

Why is this so bad? In my opinion, it doesn't really matter how an AV detects the malware - the important thing is that it detects and stops it.
You may even say that (theoretical) adding of all the possible packed signatures is asymptotically equivalent to the unpacking.

I was just trying to say that it's simply not possible to do, because (except for special cases) you'd have to add an enormous amount of signatures (much bigger than practically possible).

 

@Skeeve

"Simply packing some unpacked malware with different runtime packers is *not* a valid test. As I said before, for ITW malware, some AV companies might have created those samples internally on their own, and added signatures for the repacked files aswell as the original file.

So how do you know if the malware was detected after unpacking or is actually detected in it's packed state?"

_________________


We do it the following way: we pick several different unpacked malware samples (including some less popular samples) and compress/crypt it with the same packer/crypter.

I consider it highly unlikely that an AV/AT producer has created signatures for the compressed/crypted variant of every single sample we use. If there is only one miss (i.e., the packed sample is not detected although the unpacked sample can be identified) such issue should be further investigated and it is generally safe to assume that there is no reliable decompression support for this packer.

 

Hello! I'm author of the article about unpacking capabilities at Anti-malware.ru that you're talking over. I want to add some comments:

1. The test was performed by IBM specialists and it's reliable because it's independent from AV vendors.
2. Some AV vendors could release new versions (i know exactly about unpacking capabilities updates in Dr.Web, Nod32 and KAV) but they are insignificant.
3. Nod32 detected NONE packed Nimda (5% - the result of detection pure unpacked Nimda). In fact that's why Nod32 is so fast (see http://www.anti-malware.ru/index.phtml?part=compare&anid=speed).

Nod32 can detect viruses in archived or packed files because it don't unpack they, but search "over it" using special signature (for the detection of 5 different packed Nimda it must have 5 signatures). It's cheap easy way!

Anyway, i had known the best AV before this test was published. It's Kaspersky Anti-virus, it supports 1200 versions of various packers, impressing benefit!

 

@IlyaOS

Do you know whether the Nimda samples were still functional/not corrupted after they were packed?

AFAIK NOD32 uses a generic unpacking engine (emulation) and not a static, signature-based unpacking engine (like Kaspersky). I do not know for sure but I could imagine that an emulation will simply stop if a packed malware sample is corrupted (i.e., it may not continue to unpack it which is not a bad thing because a corrupted sample is not dangerous anymore).

 

I want to add now some comments too, before it runs out of borders with this ridiculous nonsense.

If this "test" is performed by a bunch 12 years old - is it also "reliable" because it's independent? That this test was done by guy which work for IBM says NOTHING. Or are you going to tell me that it was done by Mr. David Chess? If yes, tell him greetings i'm pretty much disappointed.

>> "because it don't unpack they, but search "over it" using special signature"

How the hell can you state such ridiculous claims? This alone proves that you have NO UNDERSTANDING of technical things (regading AV) at all. NOD32 even lists all (static unpacking) in the scan report !!! All what is unpacked via Emulation is not listed. BUT UPX, ASPACK, WWPACK etc IS LISTED AND EVEN UNPACKED VIA STATIC UNPACKERS! I know that for VERY SURE. Of course it's not good that the packed samples IN THIS CASE are not detected, but you cannot say based on this that we have NO UNPACKING. That's NONSENSE!

 

@Michael

AFAIK NOD32's static unpacking engine does not support UPX 0.84 (i.e., the version that is frequently used by hackers because it does not yet provide unpacking information (= upx -d)). However, NOD32's advanced heuristics (emulation) can unpack UPX 0.84.

Do you know whether my statement that an emulation cannot unpack corrupted samples is correct?

 

OFF TOPIC

@Michael

I just noticed your signature (malware research forum). Do you know whether only AV developers will be admitted to this forum or is there also a chance for a reviewer to join this community?

 

I think you should ask Mike through PM. He'll give you further info regarding this...

 

Nautilus, corrupted samples cannot be unpacked via code emulation. Well, lets say it depends how corrupted they are. For instance if the entry point points into nirvana - where should the code emulation start to execute? This sample would not even run - so it's not a threat. However, most of the static unpackers are able to unpack such "corrupted" files. You don't need a valid entry point for instance. They just expand the sections and restoring the original entry point. Next thing is invalid opcode ( ala 0x00 0x00 0x00 0x00 ) after the entrypoint. Static Unpackers "don't care" about this, because they do not need the unpacker stub. Only the packer detection could be affected by this, but basically you can unpack every UPX file with static unpacking functions even if the unpacker stub itself is corrupt. This file wouldn't run of course as long as the unpacker stub is damaged. But you can unpack it via STATIC. A emulator reaches there unknown opcode and stops. As i said before, not a problem because this file wouldn't run anyway.

 

@RejZoRThanks. I have just registered myself. Let's see what happens ;-)

 

@Michael Thanks for confirming this.

 

They weren't corrupted. If it was so KAV and Bitdefender wouldn't detect they too!

Happy Bytes, well, you can tell your opinion directly to IBM
Personaly i think the test is correct because discussed problem exist ONLY for Nod32 and its headeche Eset. Why didn't Nod32 detect Nimda ... i don't know exactly, it's a question to developers.

Happy Bytes, all in your hands, you can make you own test with any virus and provide us with it. And I promise, if you make it'll be published at www.anti-malware.ru. Good luck!

 

@IlyaOS

"They weren't corrupted. If it was so KAV and Bitdefender wouldn't detect they too!"

As explained before (= differences between KAV (static UP) and NOD32 (emulation) you cannot safely conclude that a sample, which is detected by KAV, is not corrupted.

Do you know which version of UPX was used to compress Nimda? Which Nimda variant did you use? I would like to perform the same test.

 

Do you realy think i'm unable to do av tests?
I consider this as a joke
If you can name me - let's say at least 1000 threats WITHOUT THE HELP OF ANY AV SCANNER - including polymorphic stuff in binary files just with the help of a disassembler then we continue speaking

 

A warm welcome to Wilders, IlyaOS. Thanks for adding your comments.

 

@Michael Thanks for the quick admission. Nice forum!

 

UPX 1.25W and Nimda.A (it was downloaded from direct links to VX Heavens malware removed - malware posting/links against TOS, but this link is broken now)

 

@IlyaOS

Thanks for providing this information! IMHO that's exactly the right attitude.

 

I'm resercher, i don't need to know all threats, usually for such things i use sites like www.viruslist.com
I like your Nod32 protection at this thread but it's actually not the best AV.
It has excellent speed, euristics ... but sorry that's all. I can't recomend this one to anyone.

 

Anyway, please, e-mail me about your test results to info@anti-malware.ru.
I would be interesting to compare.