Anti-virus can't keep up with threat onslaught

Discussion in 'other anti-virus software' started by Thankful, Apr 12, 2012.

Thread Status:
Not open for further replies.
  1. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    Yeah, try that when you are studying IT.

    But offline machines are the best peace of mind at the moment.
     
  2. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,206
    Location:
    The land of no identity :D
    Just discovered a brand new facebook malware dropper. At the time, only "A" had a signature out (;)). Now, a few others also detect it.

    I guess the real problem is that malware authors have a lot more time on their hands than people working on anti-malware products (on average). Thus, new variants are released faster than signature updates can be rolled out.
     
  3. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    There are a lot of malware writers, or rather, people providing crypters/droppers aka "FUD service" (= fully undetected). These droppers drop the original trojan in memory, not to hard disk - your on-access scanner sees nothing. So if your malware wrapped in such a crypter gets detected (either by detecting the crypter or by managing to decrypt the protection layer), just get the next crypter from another FUD service while the author of the first crypter adapts to the detection. Alas, it seems they make enough money to afford this.

    In theory, this dropping method should be easy food for behaviour blockers, so I guess they adapt against that type of detection as well, because they still manage to bypass various behaviour blockers out there.

    Just google for "tejon crypter", this is just one example of such a "tool". Check out its "feature" list... :-(
     
  4. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    v1.7 New Engine! 2012

    +Very Stable
    +Very Powerful
    +Obfuscator PE
    +Bypass Kaspersky Internet Security 2012 (Included) (Proactive Defense)
    +Bypass OutPost Firewall
    +Bypass Zemana Keylogger (HIPS)
    +Bypass Comodo Internet Security (HIPS)
    +Bypass AntiHook (HIPS)
    +Bypass SpyShelter (HIPS)
    +Bypass Avast Antivirus (Proactive)
    +Bypass Norton Internet Security (Proactive)
    +Bypass Avast Antivirus
    +Bypass Eset Nod32
    +Bypass GData Internet Security
    +Bypass TrustPort Antivirus
    +Bypass Panda Internet Security
    +Bypass Dr Web Antivirus
    +Bypass Avira Internet Security
    +Bypass Avg Internet Security
    +Bypass AV360
    +Bypass BitDefender & 2012+Anti AV Database Update
    +Remove AV From Disk
    +Major Icon Quality
    +Clone File Properties
    +Best Binder
    +Speed Increase 300%
    +Add Vista Resource Manifest
    +Anti Avira Heuristic Detection
    +Anti Nod32 Heuristic Detection
    +Fix Pe Checksum
    +Fake Error Generator
    +Compatible (Windows 2000 / Xp / Vista / Windows 7 / Windows 8 [32/64Bits] )
    +Script Support!

    +Process Suspended
    +Process Killer
    +Run Only in Admin Mode
    +Cannot Run in safe Mode
    +Anti-Tracing (Anti-Cracking)
    +Set File Attributes
    +Anti Kaspersky (Kaspersky Bypass Proactive Defense)
    +Binder
    +Activex Registration
    +Anti Heuristic Detection
    +Anti-Firewall (ByPass)
    +Vista UAC (ByPass)
    +NEW Engine
    +Very Stable

    +File Bundle (DLL Bundle + Register ActiveX/OLE/COM control)
    +Anti-Heuristic Detection
    +Obfuscation of your executable helps protect it against tampering and cracking.
    *Process Killer (Multiple Process Killer)
    *Cannot Run in Safe Mode
    *Run Only in Admin Mode
    *Set File Attributes

    *Anti-Shadow User Pro
    *Anti-Clean Slate
    *Anti Sandbox (Fortres)
    *Run as Fake Process
    *Delete Me (Execute & Delete RDG Loader)
    *Anti JoeBox (Enhanced)
    *Anti-Anubis (Enhanced)
    *Anti-CWSandbox (Enhanced)
    *Sleep Sec. Run program after x Seconds. 0 to 999 (Enhanced)
    *Process Ghost
    *Change Process Name

    *Anti-Debugger
    *Anti-Sandboxie
    *Anti-virtualpc
    *Realign Sections
    *Anti-IDA Debugger
    *Anti-CWSandbox
    *Anti-Norman Sandbox
    *Anti-Anubis
    *OEP Stolen Bytes (Enhanced)
    *Checksum CRC
    *Anti-OllyDbg
    *Anti-ThreatExpert
    *Anti-JoeBox
    *Anti-VMWARE
    *Anti-VirtualBOX
    *Anti-Debugger2
    *Overlay support (EOF Data)
    *Sleep Sec. Run program after x Seconds.
    *Exceptions (0 to 1000)
    *Get All Privileges
    *Change Icon (Enhanced)

    *OEP Stolen Bytes (Enhanced)
    *Anti Virtual Machine (Max) = Heuristic
    *Anti-SunBelt Sandbox
    *Anti Deep-Freeze
    *Anti-Returnil Virtual System
    *Anti-Malware Defender
    *Anti-Wine(Linux)
    *Anti-Xen Virtual Machine
    *Password Protect
    *Execute With Command Line (parameters)
    *UnHook All API
    *Anti-Attach Loader (Protect RDG Loader)
    *Execute as NT AUTHORITY\SYSTEM
    *Restore API


    Bugger. Indeed :( (if true, of course)
     
    Last edited: Apr 15, 2012
  5. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    :eek:

    If all the above claims are true, it's a very frightening fact.
    I hope they are only exaggerating.

    They even have anti-Sandboxie :ouch: -> what's the meaning of this?
    Are they bypassing Sandboxie?
     
    Last edited: Apr 15, 2012
  6. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    799
    No, it means the executable will detect it's running in the sandbox and will not deliver its real/malicious payload, thus evading analysis.
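As an added example from the analyst's side (not code from the thread or from any crypter): the "Anti-Sandboxie / Anti-VMware / Anti-JoeBox" entries in that feature list all come down to the stub checking the environment for tell-tales and refusing to unpack if it finds any. The check below runs the same kind of tests over a snapshot of an analysis box and reports what a sandbox-aware sample would notice, so the box can be fixed before a sample is detonated on it. The snapshots are constructed; on a real box the fields would be filled from the NIC MACs, process list, loaded modules, hardware sizes and a timed Sleep. The OUI and process-name tables are the commonly known hypervisor and guest-tools identifiers.

```python
import time

# Vendor OUIs (first three MAC octets) that the common hypervisors hand out to guests.
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:16:3e": "Xen",
}
# Guest-tools and sandbox processes / modules that give the environment away.
TELLTALE_PROCESSES = {
    "vmtoolsd.exe": "VMware Tools", "vmwaretray.exe": "VMware Tools",
    "vboxservice.exe": "VirtualBox Guest Additions", "vboxtray.exe": "VirtualBox Guest Additions",
    "sbiesvc.exe": "Sandboxie service",
}
TELLTALE_MODULES = {"sbiedll.dll": "Sandboxie hook DLL"}


def sandbox_indicators(snap: dict) -> list[str]:
    """Return the reasons a sandbox-aware stub would refuse to unpack on this box."""
    hits = []
    for mac in snap.get("mac_addresses", []):
        oui = mac.lower()[:8]
        if oui in VM_MAC_OUIS:
            hits.append(f"NIC OUI {oui} belongs to {VM_MAC_OUIS[oui]}")
    for proc in snap.get("processes", []):
        if proc.lower() in TELLTALE_PROCESSES:
            hits.append(f"process {proc} ({TELLTALE_PROCESSES[proc.lower()]})")
    for mod in snap.get("loaded_modules", []):
        if mod.lower() in TELLTALE_MODULES:
            hits.append(f"module {mod} ({TELLTALE_MODULES[mod.lower()]})")
    # Hardware that looks too small to be anyone's real desktop.
    if snap.get("cpu_count", 8) < 2:
        hits.append("fewer than 2 CPUs")
    if snap.get("ram_gb", 16) < 4:
        hits.append("less than 4 GB RAM")
    if snap.get("disk_gb", 500) < 80:
        hits.append("system disk smaller than 80 GB")
    if snap.get("uptime_s", 86400) < 600:
        hits.append("booted less than 10 minutes ago")
    # "Sleep Sec. Run program after x Seconds" waits out short sandbox timeouts, so some
    # sandboxes fast-forward Sleep(); a stub notices when the wall clock moved too little.
    req, elapsed = snap.get("sleep_requested_ms"), snap.get("sleep_elapsed_ms")
    if req is not None and elapsed is not None and elapsed < 0.9 * req:
        hits.append(f"Sleep({req} ms) returned after {elapsed} ms: sleep is accelerated")
    return hits


def timed_sleep_ms(requested_ms: int) -> float:
    """For a live snapshot: how long a Sleep really took by the wall clock."""
    start = time.perf_counter()
    time.sleep(requested_ms / 1000)
    return (time.perf_counter() - start) * 1000


# Constructed snapshots: an out-of-the-box VirtualBox + Sandboxie analysis VM, and a plain desktop.
DEFAULT_ANALYSIS_VM = {
    "mac_addresses": ["08:00:27:4B:1C:9D"],
    "processes": ["explorer.exe", "VBoxService.exe", "VBoxTray.exe", "SbieSvc.exe"],
    "loaded_modules": ["ntdll.dll", "kernel32.dll", "SbieDll.dll"],
    "cpu_count": 1, "ram_gb": 2, "disk_gb": 40, "uptime_s": 90,
    "sleep_requested_ms": 10000, "sleep_elapsed_ms": 30,
}
ORDINARY_DESKTOP = {
    "mac_addresses": ["3C:52:82:7A:11:0E"],
    "processes": ["explorer.exe", "chrome.exe", "outlook.exe"],
    "loaded_modules": ["ntdll.dll", "kernel32.dll"],
    "cpu_count": 8, "ram_gb": 16, "disk_gb": 500, "uptime_s": 4 * 3600,
    "sleep_requested_ms": 10000, "sleep_elapsed_ms": 10002,
}

if __name__ == "__main__":
    for name, snap in (("analysis VM", DEFAULT_ANALYSIS_VM), ("desktop", ORDINARY_DESKTOP)):
        print(f"{name}: {sandbox_indicators(snap) or 'nothing a stub would notice'}")
```

Every line the analysis VM gets back is one thing to change (spoof the NIC OUI, rename or drop guest tools, give the VM realistic hardware and uptime, and do not fast-forward Sleep if the sample is allowed to wait). The desktop profile returning nothing is the target.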
     
  7. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    Thanks for the answer.
    It's really reassuring :D
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,576
    Location:
    USA
    I would think Appguard would block it :)
     
  9. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    403
    Location:
    Event Horizon
    I see a lot of recommendations for these browsers lately; can anyone explain what's so good about Google Chrome? I have used Opera for quite a while now without any addons and I am very pleased with it. In the settings I turned off JavaScript and only allow it for my favourite websites, so I don't need an addon for that. I also have an e-mail client integrated and mouse gestures, which are very comfortable.
     
  10. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Google is very fast in updating Chrome when there is a new exploit. It also does silent auto-update. I have seen many users blocking/ignoring the Firefox updates, for example. Plus it does contain its own version of Flash, not depending on Adobe updates. Sometimes Google even updated their version of Flash before Adobe.
     
  11. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    403
    Location:
    Event Horizon
    Thanks for the info, didn't know all that. The Flash thing and the updates are a good argument. The only thing is I don't like Google's tracking through their browser, and I find Opera to be more comfortable with mouse gestures, e-mail etc. AppGuard would also block all those Chrome updates when they launch from user space. I would have to drop protection pretty often I guess, which might be annoying. Also, my Opera runs sandboxed and EMET-protected all the time ;)
     
    Last edited: Apr 15, 2012
  12. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,850
    Scary stuff. I'd like to see if it can bypass the almighty DefenseWall, since I see it wasn't listed on there.
     
  13. kdcdq

    kdcdq Registered Member

    Joined:
    Apr 19, 2002
    Posts:
    815
    Location:
    A Non-Sh*thole State
    I was pleased to see the "bypass" and "anti" lists that Baserk listed did NOT include Webroot SecureAnywhere and/or Prevx.....:)
     
    Last edited: Apr 15, 2012
  14. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Tejon Crypter was also discussed in this old thread.
     
  15. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Uhm, they bypass the regular detection of every AV scanner anyway, they don't even mention that "feature" anymore.
     
  16. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    Now I'm confused: it can bypass Avira Internet Security, but it also has anti-Avira heuristic detection. So it means that if a person uses Avira's standard settings, which use heuristic detection, the malware won't run o_O
     
  17. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yep, I'm really interested in it too. May I have a sample of it?
     
  18. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Got the popcorn and cola ready. I am also interested to see how DefenseWall handles it, and AppGuard, if anyone has tested it.
     
  19. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Actually I am looking for samples too. I am not going to buy that crypter just to test it.
     
  20. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    799
    I'm fairly certain that good* HIPSes, sandboxes and policy restriction sandboxes are immune to this kind of crypter. For example, malware x uses SeDebugPrivilege to elevate itself; HIPS-like applications will notice the action because they monitor the API. When malware x is crypted via said crypter, it won't change the fact that malware x uses SeDebugPrivilege; it's not changing the code itself, just cloaking it.

    It's a bit of a different story with behaviour blockers because of the way some are implementing protection. Some BBs are made so that if a certain set of actions is performed by malware x then a detection is triggered, as opposed to a specific API in the case of HIPS etc. Depending on how the detection ruleset is created, it may give leeway to some evasion techniques employed by crypters.

    I could be wrong though. :D

    (by good I mean having system hooks that are not easily unhooked from usermode)
     
  21. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    You would be surprised how many normal programs show "ugly" behaviour, causing false positives for behaviour blockers. So it is getting more difficult to find the balance between catching typical malware behaviour and false positives.

    The malware writers are attacking behaviour blockers like normal scan engine detection; it just takes more work. But it is also more difficult to update and QA new behaviour blocker rules.

    And 64-bit did not make things easier for the AV programs. Actually, we lost a lot of hooking abilities. :( You could say 64-bit worked in favour of the malware writers. They still can do the things they want.
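The distinction 3x0gR13N draws (a HIPS alerts on the sensitive API call itself, a behaviour blocker on a set of actions) and Stefan's point about false positives, as one added worked example that is not code from the thread or from any product. Two toy rules run over constructed API-call traces: a per-API rule and a windowed chain rule. The crypted trace contains exactly the same calls as the plain one, only spaced out by the stub's "Sleep Sec. Run program after x Seconds", which is enough to stretch the chain past the blocker's correlation window; the debugger trace shows the price the per-API rule pays. Process IDs, timings and API names in the traces are made up for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: float          # seconds since the process started (constructed)
    pid: int
    api: str
    args: tuple = ()


def hips_per_api(trace: list[Event]) -> list[tuple[int, str]]:
    """HIPS-style rule: alert on the sensitive call itself, wherever it sits in the trace.
    Crypting the binary does not remove the call, so the alert survives; but a legitimate
    debugger makes the same call and fires it too."""
    alerts = []
    for e in trace:
        if e.api == "AdjustTokenPrivileges" and "SeDebugPrivilege" in e.args:
            alerts.append((e.pid, "enables SeDebugPrivilege"))
        if e.api == "CreateRemoteThread":
            alerts.append((e.pid, "creates a thread in another process"))
    return alerts


INJECTION_CHAIN = ("OpenProcess", "WriteProcessMemory", "CreateRemoteThread")


def contains_in_order(apis: list[str], chain: tuple) -> bool:
    """True if every step of chain occurs in apis, in that order (not necessarily adjacent)."""
    it = iter(apis)
    return all(step in it for step in chain)


def bb_windowed_chain(trace: list[Event], window_s: float = 30.0) -> list[tuple[int, str]]:
    """Behaviour-blocker-style rule: alert only when one process completes the whole
    injection chain within window_s seconds. Far fewer false positives than the per-API
    rule, but a stub that sleeps between steps can push the chain outside the window."""
    alerts = []
    history: dict[int, list[Event]] = {}
    for e in sorted(trace, key=lambda ev: ev.t):
        if e.api not in INJECTION_CHAIN:
            continue
        recent = [h for h in history.get(e.pid, []) if e.t - h.t <= window_s]
        recent.append(e)
        history[e.pid] = recent
        if contains_in_order([h.api for h in recent], INJECTION_CHAIN):
            alerts.append((e.pid, "process injection chain"))
            history[e.pid] = []
    return alerts


# Constructed traces.
PLAIN_TROJAN = [
    Event(0.1, 100, "OpenProcessToken"),
    Event(0.2, 100, "AdjustTokenPrivileges", ("SeDebugPrivilege",)),
    Event(0.5, 100, "OpenProcess", (4242,)),
    Event(0.6, 100, "WriteProcessMemory", (4242,)),
    Event(0.7, 100, "CreateRemoteThread", (4242,)),
]
# The same trojan inside a stub that sleeps ~45 s between steps: identical calls, new timing.
CRYPTED_TROJAN = [
    Event(0.1, 200, "AdjustTokenPrivileges", ("SeDebugPrivilege",)),
    Event(45.0, 200, "OpenProcess", (4242,)),
    Event(95.0, 200, "WriteProcessMemory", (4242,)),
    Event(140.0, 200, "CreateRemoteThread", (4242,)),
]
# A debugger attaching to a process: same privilege call, no injection.
BENIGN_DEBUGGER = [
    Event(0.1, 300, "AdjustTokenPrivileges", ("SeDebugPrivilege",)),
    Event(0.3, 300, "OpenProcess", (1234,)),
    Event(0.4, 300, "DebugActiveProcess", (1234,)),
]

if __name__ == "__main__":
    for name, trace in (("plain", PLAIN_TROJAN), ("crypted", CRYPTED_TROJAN), ("debugger", BENIGN_DEBUGGER)):
        print(f"{name:9s} HIPS={hips_per_api(trace)}  BB={bb_windowed_chain(trace)}")
```

The per-API rule catches plain and crypted alike and also flags the debugger; the windowed chain rule is quiet on the debugger but loses the crypted sample unless its window is widened, which brings back the false positives Stefan describes. Both rules also assume their hook still delivers events: the feature list's "UnHook All API" is aimed at exactly the user-mode hooks 3x0gR13N's footnote excludes, which is why where the hook lives (user mode vs kernel) matters as much as how the rule is written.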
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,738
    Location:
    U.S.A. (South)
    And the trend is toward even more rapid migration over to 64-bit units for them to become the norm, I guess.
    I didn't see ThreatFire or Mamutu on the list of the anti's, but then that's a very exhaustive list indeed. Anti-Deep Freeze, Returnil-type apps are sure to be a good plug for some attention.

    Noticed on their website in the lite version they mention the likes of Clam, Ad-Aware? etc. I surely would like to have a crack at a sample of it. We'll see who fishes this one up first. LoL

    I never did fully understand why more attention wasn't given to pursuing more developments of (rule-based)? behavioural blockers than it was. They always had a particularly useful place IMO as an in-between for AS & AVs against the unknowns not yet detectable by the usual conventional security apps.
     
  23. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I think now, after 40 years in the business, I'll divide my own PCs into two.

    One with the best layered security I can muster that does two things only: banking and private email. All connects to https only. ONLY MY WHITE LIST OF SITES VISITED.

    The second machine (an iPad?) does the risky stuff: surfing, forum posts, Amazon book buying, movie watching, games etc. etc.


    That's it using the old KISS concept.
     
  24. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Well, it's been fine for me and i hope it continues like that :D:D
     
  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Ever since Google went over the top on their new privacy policy I have avoided them and their products like the plague. Found I really don't need them.
     