defeating kav and nod32

There are many apps around specifically aimed and sold as "undetecting software" ,trojans and virus that would otherwise be "detected" will be made "undetected" to mention a few of these types of software, (morphine ,antidote ,mr undetectable) Most of these undetecting programes don't come for free and are soon detected because of thier widespread use ,These apps have no legitimate use there only intended use is for protecting "malware apps"

However for many months which is longer than most trojans themselves stay undetected i and many others i presume have used legitimate "software protcetion"
or "anti crack software" to protect "malware" and successfully defeated all antivirus tested including kav, nod32, mcafee,norton, in both real time! and scan time!
my questions are how widespread is this use of "software protection" tools used to protect malware?

why has kav not caught this method?

being a big fan of kav myself and user of kav for many years im a little disopointed in kav being defeted so easy, as this method requires no knowledge simply just point and click undetection no knowledge of assembley or xor encryption needed. Since "anti crack software" is only intended for legitimate use, i have not seen any of theses software types sold or advatised to protect "malware" there sole intention is for protecting legitimate programes from being cracked,

will this make detection harder as this software is legitimate?

will gennuine programes protected with this method of software protection give false positives?

 

Can the malware still do its stuff when in a "protected "state by these programs though?.I dont know much about it but i guess it encrypts it somehow so would the viruses still be able to function in that state?.
tia
ellison

 

Has the vendor been notified? If so, how long ago?

 

it's quite easy to answer: There are not enough resources (developers) to handle this. You'll hardly find a few 100 worldwide who would be able to write professional unpackers for the use with av.

There's a big difference between the rubbish unpackers (mostly memory dumpers) what you can find on several unpacking tools websites.
This will for instance not work with different OS Systems and it's far to dangerous to run malware for unpacking before identifying it.

In an real-life-av developing and integrating state (including testing, QA etc) it can take several months to include one unpacker.
(this depends of course on the complexity of the packer)

UPX, Upack, NSPack, MEW etc are quite easy. You do not need special expierenced staff for this. It becomes a bit more tricky with Armadillo, because you have there multithreading communication via so called nanomites. (One task holds there the jump table for the other task - thats why you have in some armadillo packed executables 2 tasks running...)

It's quite easy to build a generic detection for this Morphine stuff - even if it claims to be polymorphic (it actually is even). Still there are a lot of "mistakes" in the morphine helping you to detect it

 

Have you tried KAV/KIS 2006 (BETA is very stable) it has a Enhanced self-defense technology that protects all KAV/KIS 2006 services. This technology ensures no malicious code can influence the product’s functioning.

 

Thank you, HB, for a totally informative answer. You are one of the major reasons why I enjoy Wilders & recommend it to my friends.

 

i have been testing differnt anti crack softwares and sofar the malware itself is undamaged aslong as no other previous packers were used like mew upx etc if so then simply unpacking with upx or mew then repacking with the anticrack software seems to work. with the undetector programe antidote which works very well and also encrypts all the droped dlls etc there is settings to preserve all the written settings within the malware as this is a programe desinged for protecting malware

yes and kav beta makes no differnce to detecting malware with this method but malware that adds registry entrys and startups will be detected by any app that has those functions

 

To be frank, HB's presence here was one of my decision to go with nod.

 

Awww, someone likes you alot HB