Defeating KAV and NOD32

Discussion in 'other anti-virus software' started by trojan, Dec 28, 2005.

Thread Status:
Not open for further replies.
  1. trojan

    trojan Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    123
    Location:
    london
    There are many apps around specifically aimed and sold as "undetecting software": trojans and viruses that would otherwise be "detected" will be made "undetected". To mention a few of these types of software: Morphine, Antidote, Mr Undetectable. Most of these undetecting programs don't come for free and are soon detected because of their widespread use. These apps have no legitimate use; their only intended use is for protecting "malware apps".

    However, for many months (which is longer than most trojans themselves stay undetected) I, and many others I presume, have used legitimate "software protection"
    or "anti-crack software" to protect "malware" and successfully defeated all antivirus tested, including KAV, NOD32, McAfee, Norton, in both real time! and scan time!
    My questions are: how widespread is this use of "software protection" tools to protect malware?

    Why has KAV not caught this method?

    Being a big fan of KAV myself and a user of KAV for many years, I'm a little disappointed in KAV being defeated so easily, as this method requires no knowledge: simply point-and-click undetection, no knowledge of assembly or XOR encryption needed. Since "anti-crack software" is only intended for legitimate use, I have not seen any of these software types sold or advertised to protect "malware"; their sole intention is for protecting legitimate programs from being cracked.

    Will this make detection harder, as this software is legitimate?

    Will genuine programs protected with this method of software protection give false positives? :eek: :cool:
     
  2. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    Can the malware still do its stuff when in a "protected" state by these programs though? I don't know much about it, but I guess it encrypts it somehow, so would the viruses still be able to function in that state?
    TIA
    ellison
     
  3. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Has the vendor been notified? If so, how long ago?
     
  4. Happy Bytes

    Happy Bytes Guest

    It's quite easy to answer: there are not enough resources (developers) to handle this. You'll hardly find a few hundred worldwide who would be able to write professional unpackers for use with AV.

    There's a big difference from the rubbish unpackers (mostly memory dumpers) that you can find on several unpacking-tool websites.
    These will, for instance, not work with different OS systems, and it's far too dangerous to run malware for unpacking before identifying it.

    In a real-life AV developing and integrating state (including testing, QA etc.) it can take several months to include one unpacker.
    (This depends, of course, on the complexity of the packer.)

    UPX, Upack, NSPack, MEW etc. are quite easy. You do not need specially experienced staff for this. It becomes a bit more tricky with Armadillo, because there you have multithreading communication via so-called nanomites. (One task holds the jump table for the other task - that's why you have in some Armadillo-packed executables 2 tasks running...)

    It's quite easy to build a generic detection for this Morphine stuff - even if it claims to be polymorphic (it actually is, even). Still, there are a lot of "mistakes" in Morphine helping you to detect it ;)
     
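    Happy Bytes' point that vendors need purpose-built unpackers, and that running a sample just to unpack it is too dangerous, is why defenders lean on static packer triage first. The block below is an added example, not code from this thread or from any AV product: a small Python walker over a PE image's section table that flags UPX-style section names, sections that are empty on disk but large in memory, high-entropy sections and writable-plus-executable sections. The PE images it inspects are constructed in memory by `build_pe` (no real files are read, and nothing is executed); the 7.0 entropy threshold is an assumed triage cut-off, not a vendor value.

```python
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 means compressed or encrypted (packer-like) content."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(image: bytes):
    """Walk a PE section table, yielding (name, virtual size, raw bytes, characteristics)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)  # COFF header
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    for i in range(nsec):
        name, vsize, _, rsize, rptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        yield name.rstrip(b"\0").decode(errors="replace"), vsize, image[rptr:rptr + rsize], chars

def packer_indicators(image: bytes) -> list:
    """Static triage heuristics (the sample is never executed); one string per finding."""
    hits = []
    for name, vsize, raw, chars in pe_sections(image):
        if name.startswith("UPX"):
            hits.append(f"{name}: UPX section name")
        if vsize and not raw:  # empty on disk, filled at run time by the unpack stub
            hits.append(f"{name}: no raw data but {vsize:#x} bytes virtual")
        if raw and shannon_entropy(raw) > 7.0:  # assumed triage threshold
            hits.append(f"{name}: high entropy {shannon_entropy(raw):.2f}")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            hits.append(f"{name}: writable and executable")
    return hits

def build_pe(sections) -> bytes:
    """Constructed minimal PE (DOS header, COFF header, section table, raw data) for offline tests."""
    hdrs, body, ptr = b"", b"", 0x40 + 24 + 40 * len(sections)
    for name, vsize, raw, chars in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, len(raw), ptr if raw else 0, 0, 0, 0, 0, chars)
        body, ptr = body + raw, ptr + len(raw)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40, no optional header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    return dos + coff + hdrs + body

# Constructed samples: a UPX-style layout (RWX sections, uniform-entropy payload) and a plain .text.
PACKED = build_pe([(b"UPX0", 0x10000, b"", 0xE0000040),
                   (b"UPX1", 0x1000, bytes((i * 7919 + 13) % 256 for i in range(4096)), 0xE0000040)])
CLEAN = build_pe([(b".text", 0x200, b"\x55\x8b\xec" * 100 + b"\xc3", 0x60000020)])
```

    Calling `packer_indicators(PACKED)` returns six findings and `packer_indicators(CLEAN)` returns none; on a real file, read it with `open(path, "rb").read()` and pass the bytes in.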
  5. Netherlands

    Netherlands Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    159
    Have you tried KAV/KIS 2006 (the BETA is very stable)? It has an enhanced self-defense technology that protects all KAV/KIS 2006 services. This technology ensures no malicious code can influence the product's functioning.
     
  6. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Thank you, HB, for a totally informative answer. You are one of the major reasons why I enjoy Wilders & recommend it to my friends.
     
  7. trojan

    trojan Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    123
    Location:
    london
    I have been testing different anti-crack softwares and so far the malware itself is undamaged as long as no other previous packers were used, like MEW, UPX etc. If so, then simply unpacking with UPX or MEW and then repacking with the anti-crack software seems to work. With the undetector program Antidote, which works very well and also encrypts all the dropped DLLs etc., there are settings to preserve all the written settings within the malware, as this is a program designed for protecting malware.

    Yes, and the KAV beta makes no difference to detecting malware with this method, but malware that adds registry entries and startups will be detected by any app that has those functions.
     
    Last edited: Dec 29, 2005
  8. JayTee

    JayTee Registered Member

    Joined:
    Nov 2, 2004
    Posts:
    166
    To be frank, HB's presence here was one of the reasons for my decision to go with NOD.
     
  9. Happy Bytes

    Happy Bytes Guest

    :eek: o_O :eek:
     
  10. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Awww, someone likes you a lot, HB :D ;) :p
     