kav now unpacks Armadillo

hi

take a look at this


AVP 3.0 Daily Update for DOS, Win 3.xx, Win9x, NT, OS/2, Novell, Linux
-------------------- ---------------------------------------------

To update your AVP 3.0 you should copy AVC database and AVP.SET file to AVP
3.0 directory. The records in anti-virus database are:

{snipped}

Decompression support added for:
Armadillo, Morphine, PECompact, PE_Patch, PE_Patch.PECompact,
PecBundle, UltraProtect

 

Say what?

 

CHECK HERE:
https://www.wilderssecurity.com/showthread.php?t=18473&highlight=ARMADILLO

There are other threads here just like that too.

bottom line is that kaspersky is the only scanner to unpack this, and many other exe protectors too. Armadillo is the protector that has been the cause of most worries... *g*

 

Thanx Ilukka for sharing this major improvement with us.


GREAT NEWS and again proves that kav isn't just another player on the market.

bye

 

illukka, have you tested it already?
At least with my Armadillo-packed samples (various Armadillo versions), it doesn't seem to work, as KAV only detects that the files are packed with Armadillo, but it can't unpack and detect the malware itself (similar to what McAfee does with several "un-unpackable" packers/crypters when activating the "guru" mode)...

 

i tested the basic version of the trial version 2.85. I used the default options of this crypter for a trojan. On-Demand Test: KAV detects (unpacks) the armadillo packer, but didn´t(!) detect the trojan. The trojan installs the server, the autostart and runs in the backround. Then i just tested the ewido memory scanner..and this one detects the running trojan in the memory..nice..very nice

 

nope but i will, just downloaded the newest version+ i think i have 2 or 3 other versions installed

 

I suppose, that confirms my findings, right?

 

yeah guys, i packed a CIA 1.23 beta rat with armadillo 3.70 a trial, using pro emulation, lowest compression, highest protection( )
none of all the scanners i have detected the file with on demand scan tried with a couple of online scans.. NO-ONE detected it

kav personal pro 5 doesn't seem to show pack info in the reports(or i cant figure it out, had it for 3 days).. so i cannot comment if the packer was detected or not..
think i'll just go back to 4.5

 

That's good news illukka. Of course, I have known for longtime that KAV has the best unpackers.

 

Hm,how is with packers and Norman? It doesn't need them coz it simly executes the file in Sandbox and watches what it does. You don't need unpacker for this right?

 

Sometimes a picture says more than words ...

http://img25.exs.cx/img25/1781/kavmeetsarmadillo.jpg

 

Unfortunately, Norman doesn't use its Sandbox as a "generic unpacking engine", as you suggest; i.e. it apparently doesn't scan the unpacked process/file after sandboxed execution via signatures, but instead uses only heuristic methods.
In contrast to that, Nod32's 'Advanced Heuristic' (based on emulation) obviously does use signature scan, and therefore serves as a reasonable "generic unpacker".

Anyway, I fear that Armadillo is too difficult for both scanners to emulate/execute in a sandbox...

 

May I suggest that ",.-" could insert all his packed files into one (or several) archive(s), submit it to Norman's online sandbox, and post the results (the reference ID should be sufficient) here :
http://sandbox.norman.no --> "Sandbox Live" --> "Submit a sample".

Actually, I expect that the emulator will give up before the end of the emulation (would be too slow).

Well. This is probably a good idea, but not so obvious. The big problem is that, for some packers, you will never have a complete version of the malware unpacked in memory at the same time (this is the case for Armadillo, afaik), or that some parts of its code may have been moved around by the packer (ASProtect "stolen bytes"). For the other packers, the problem is to find when emulation should be stopped: if stopped too early (i.e. before the original entry point), the malware will not be completely unpacked, and stopping it too late results in a loss of time (and in this case, signature has to be chosen carefully). Last but not least : emulating the instructions used to unpack the program is much more time consuming than executing it. Anyway, it is a generic unpacker, not a universal one.

 

@tweakie
Yes, as I already assumed above, both Nod32's AH and Norman's sandbox apparantly fail to emulate 'through' files, which are protected by Armadillo, ASProtect and other advanced protectors - at least, according to my tests with several samples at jotti, Norman's "live sandbox" and Nod32 locally installed on my machine.

The problem with testing Norman's sandbox is, as said above, that it only uses heuristic methods (which often fail to detect trojan activity in the first place), while Nod32's AH apparantly uses heuristics as well as signatures (which frequently leads to exact identifications of malware by AH).

 

@Tweakie

Have a look ... http://boardadmin.bo.funpic.de/viewtopic.php?t=46

 

Very interesting tests ! I did not know this forum. Just a question :
did you check that all your 556 samples are actually running
correctly ?

The results exhibited in your logs illustrate several features:
the ability of scanning packed/unpacked malwares using signatures or
using the sandbox. Concerning the Sandbox, there are several issues :
Is it able to emulate through a given packer ?
Is it able to emulate the malware itself ?
Is it able to flag the sample "behind" the packer as a malware ?

From your logs, and if we assume that Norman does not handle
explicitely any packer for signature scanning (might be wrong, but I
think so), by carefully comparing the original dataset to
Norman's results it comes:

1- Packers that can be handled (emulated through) by Norman Sandbox:

- Obsidium
- Mew
- Morphine 1.2
- Netwalker
- PCGuard
- FSG
- JDPack
- PECrypt
- PeX
- PkLite32
- Yoda's Crypt
- Aspack
- UPX (also with UPX redir)
- Petite
- ACProtect
- Crunch
- Exestealth
- WinKripT

2 - Packers that cannot be handled by the Sandbox:

- Armadillo
- ASProtect
- DBPE
- PEShield
- Krypton
- Thinstall
- PELock
- Peetles

3 - Packers for which I could not draw a conclusion (mostly due to
the dataset):

- PEEncrypt
- EZip
- WWPack32
- UltraProtect
- Xtreme Protector
- SVKProtect
- Exeshield
- JDProtect
- telock