detect packer/cryptor

Discussion in 'malware problems & news' started by sn4k3, Sep 10, 2004.

Thread Status:
Not open for further replies.
  1. sn4k3

    sn4k3 Guest

    is there good prog with updated DB 2 scan exe files 2 detect by wich the file is crypted or compressed
     
  2. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Hi sn4k3,

    Suggesting a program is beyond my experience, but I received an education about your question from these two pages.
    Have a look...

    SearchSecurity

    WorldHistory

    Until your question is addressed directly, please let me know if you found this enlightening...

    GF
     
  3. lololo348

    lololo348 Guest

  4. sn4k3

    sn4k3 Guest

    thanx alot guys PeId is what i want
     
  5. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Oop's! Guess I was wrong interpreting your request :doubt: ...
    but now I know ;).

    GF
     
  6. netxman

    netxman Registered Member

    Joined:
    May 28, 2004
    Posts:
    17
    Anyone can tell me if there is a prog can crypte or compress a file undetected by AVs?
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Actually there are several, however, we focus here on helping people to keep from getting infected, not in helping to make malware files undetectable, if that is what you are asking.
     
  8. netxman

    netxman Registered Member

    Joined:
    May 28, 2004
    Posts:
    17
    Sorry sir,I can't find a place to ask here. :oops:
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    For what purpose are you wanting such an application?
     
  10. netxman

    netxman Registered Member

    Joined:
    May 28, 2004
    Posts:
    17
    Yes , it's trojan,just to joke with somebody. Not you,you seem maneating. :p
     
  11. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Blackspear? Nah, he's too friendly.
    There are far better ways to use your energy. Besides, you ought to be careful how your joke might be taken ;).

    GF
     
  12. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    If this "somebody" is running Kaspersky, lets just say you will have a VERY difficult time making it undetected.

    Even as a joke I would not recommend infecting others with a trojan. It is NOT very nice ;)
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    This is off topic from the main thread.

    This is also against Wilders Terms of Service, it would as well be a very dangerous joke, if it went beyond your friend and started to infect others, you would find yourself running from the law...

    I would suggest climbing a tree with a water balloon, all that can happen there is you get stuck up the tree for a few days when your friend returns with their pit-bull to guard the tree ;) :D

    Cheers :D
     
    Last edited: Sep 19, 2004
  14. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    From doing just a tiny bit of reading on the subject, it is not really that hard to make a trojan undetectable from Kaspersky. This is why I also use two different anti-trojan scanners in addition to Kaspersky. The anti-trojan scanners that I picked cover some of Kasperky's weaknesses.

    Just about all Trojan scanners and Kaspersky can detect out of the box trojans that can be downloaded from the various websites that offer them. From the little I have read, though, any trojan can be modified to bypass the weaknesses of any scanner that can be chosen including Kaspersky.

    Which is another reason not to let people know the exact security arrangement on your computer. All scanners can be beaten which is why other ways of securing the computer must be used including common sense.


    Starrob
     
  15. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    By Blackspear :
    I agree. Seems it was over here, by sn4k3 :
    Good time to lock this thread?
    I did enjoy your addition though Starrob, but...

    GF
     
  16. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    I agree, but trust me KAV is not one of the easier AVs to fool either (in regards to detection). Any arrangement you formulate to defeat detection in KAV will probably work on 90% of other AV scanners. The unpacking engine in KAV is definitely one of the main reasons for this. But note that KAV also has a lot of very skilled analysts who understand a lot of how cryptors (and other tools and methods) are being used to bypass detection in scanners. There was an instance that a cryptor was released publicly and KAV had detection in 1-2 days. And not just for the public version but also for the modified versions of it when used in conjunction with each other.

    If one is to look at it another way... any malware that is released in the wild is going to be detected sooner or later. The benefit that KAV has is that they do not have to depend on a new signature to detect malware that is runtime compressed or crypted. And if they do need a new signature they will probably be among the first, with updates that are now available hourly. I would say that KAV is one of the very few (among its competitors) that have both the resources and skilled personnel to do this. But I am sure you are probably already aware of the pros in KAV as you seem to use it as well ;)

    Sure there are cons to KAV as well. And there are probably quite a number of ways to bypass it. But like you mentioned any trojan can be modified enough to bypass any scanner. So the point there seems rather mute. But I do agree with you here
    Perhaps you are simply pointing out that I exaggerated too much about KAV and emphasis needs to be placed in other areas as well? :D
     
  17. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    It is pretty well known that there is one commercial runtime packing program that even Kaspersky admits they can not unpack which means that if you want full protection then what is needed is a strong memory scanner.

    Memory scanners that can scan modules as well as processes are prefererred.

    Another part of the solution in my opinion is Processguard in conjunction with a registry monitor (A Registry monitor in which you can choose what keys are monitored is preferred).

    Processguard is necesarry because if I happen to click on something that a strong anti-virus like Kaspersky is unable to pick up and which is also able to get by the memory scanner because it is faster than the scanner...well, then it will have to get past the protection of Processguard which is quite difficult.....pretty near impossible for the average hacker and even difficult for a very knowlegable hacker.

    Even with Processguard, PG V2 has vunerabilities. I read in one forum awhile ago that someone claimed to beat PG and install a trojan (I forget whether it was version 1 or version 2 that it claimed to beat). PG V3 will hopefully, remove the few vunerabilities left in that program. Hopefully, PG V3 which will be out soon and will make it as close to impossible as you can get for things like rootkits, DLL injecting trojans and keyloggers to operate.

    I have a whole lot of layers....including common sense....maybe I am a bit paranoid but I also don't think I will be one of those people running around to different forums trying to get my Hijack this log read. I read too many people's miseries to let it happen to me.


    Starrob
     
  18. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    "Perhaps you are simply pointing out that I exaggerated too much about KAV and emphasis needs to be placed in other areas as well? "


    Exactly.....emphasis in other areas....layered protection. :)



    Starrob
     
  19. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    PGv2 only has one known vulnerability (\device\physicalmemory), it was PGv1 which had a couple. The \device\physicalmemory attack isn't specific to Process Guard - many popular firewalls are also vulnerable for example, and it's also not a severe threat due to the complexity of the attack (the demo only worked under W2K), but nevertheless it was an attack that could be used so PGv3 which will be released later today fixes that.

    Regards,
    Wayne
     
    Last edited: Sep 19, 2004
  20. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Very nice, thank you for that information Wayne...

    Cheers :D
     
  21. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    Thanks for the correction. I will be among the first in line for version 3


    Starrob
     
  22. netxman

    netxman Registered Member

    Joined:
    May 28, 2004
    Posts:
    17
    I just think this is a drowsy forum before,now I know there are many many divers here to watch everybody :D .

    Thanks Starrob ,thanks all to give the good knowledge. :cool:
     
  23. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    I see this is turning out to be a rather useful thread, which, I was hoping for.
    Didn't mean to jump the gun.

    Thanks to Starrob, Rerun, and Wayne for pointing out possibilities,
    and pulling the topic along.....very interesting.

    GF
     
  24. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Indeed, it has peaked my interest with Process Guard 3.

    Cheers :D
     
  25. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    I am definitely in agreement with you here, and am glad that is cleared up :)

    Are you aware of any other scanner that can unpack this commercial packer?
    A strong memory scanner is also quite difficult to find. Some are only on-demand. Some are not "true" memory scanners. Even BOClean is vulnerable in some ways http://scheinsicherheit.sc.funpic.de/boclean.htm . I guess that further emphasizes the point on having layered protection.

    Can not argue the importance of having PG though ;)
     
Loading...
Thread Status:
Not open for further replies.