How can you tell if a file has been "obscured"

Discussion in 'other anti-trojan software' started by CARCHARODON, Mar 5, 2003.

Thread Status:
Not open for further replies.
  1. CARCHARODON

    CARCHARODON Registered Member

    Joined:
    Oct 1, 2002
    Posts:
    68
    Location:
    Portland, Or. USA
    I'm curious.. I just read Nancy's newsletter on how to avoid trojans at the following link.

    http://users.boardnation.com/~mickeytheman/showthread.php?t=403

    BTW, thanks Nancy! It's a very good newsletter.

    Anyway, in it she says look out for software that has been compressed with UPX, ASPACK, INFLATE or other "file-obscuring" technologies. I know that most trojan detection programs will tell me, but is there any other way to tell that a file has been compressed with one of these technologies?

    Just curious, I've never used any of these because I have no reason to. :D
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    There are utilities to tell you if files are packed; in many cases the packer applications themselves will do this for you. I'm not big in this area, but I have downloaded UPX 1.24 from http://upx.sourceforge.net/ after reading through a discussion on this topic in the NOD32 Beta forum here (link).
     
  3. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Kaspersky Anti Virus for example shows if a file is packed (if the option is enabled). But only for packers that are recognized by KAV. The current GAV version has this feature as well but as it is still under development the amount of recognized packers is at the moment still limited.

    There are some tools available that check if a file is packed or not (but of course only for 'known' packers). As I currently don't know a reliable source to download these kinds of tools, I couldn't provide you with a link.

    wizard
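    As an added example, not code from any poster in this thread or from any of the tools they mention, the script below shows the two checks a typical "is it packed?" utility performs on a Windows PE file: it looks for section names that known packers leave behind (UPX0/UPX1, .aspack, and so on), and it measures the Shannon entropy of each section's raw bytes, since compressed or encrypted data is close to 8 bits per byte while ordinary code and data are not. The packer-name table is a small, hand-assembled list (a real tool carries a much larger signature set), the 7.0 bits/byte threshold is a heuristic chosen here, and the two sample executables are synthetic images built in memory so the script runs offline without any real binary.

```python
import math
import random
import struct

# Small hand-assembled table of section names left behind by well-known packers.
# Real detection tools use far larger signature sets; this is an illustration only.
KNOWN_PACKER_SECTIONS = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".aspack": "ASPack", b".adata": "ASPack",
    b".petite": "Petite",
    b".MPRESS1": "MPRESS", b".MPRESS2": "MPRESS",
}

# Heuristic threshold (bits per byte): compressed/encrypted data sits near 8.0,
# ordinary x86 code and tables usually sit well below 7.0.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk the MZ -> PE -> COFF -> section table chain and return one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]          # offset of the PE signature
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]   # COFF.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]      # COFF.SizeOfOptionalHeader
    table = coff + 20 + opt_size                               # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "raw_size": rawsize, "entropy": shannon_entropy(raw)})
    return sections


def assess_packing(pe: bytes, threshold: float = ENTROPY_THRESHOLD):
    """Combine the signature check (known names) with the heuristic check (entropy, empty sections)."""
    sections = parse_sections(pe)
    indicators = []
    for s in sections:
        packer = KNOWN_PACKER_SECTIONS.get(s["name"])
        if packer:
            indicators.append(f"section {s['name']!r} is a known {packer} section name")
        if s["entropy"] >= threshold:
            indicators.append(f"section {s['name']!r} has high entropy ({s['entropy']:.2f} bits/byte)")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            # Packers reserve an empty section on disk that the stub fills with the unpacked image at run time.
            indicators.append(f"section {s['name']!r} is empty on disk but reserves memory")
    return {"sections": sections, "packed_indicators": indicators, "likely_packed": bool(indicators)}


def build_sample_pe(specs):
    """Construct a minimal, non-runnable PE32 image from (name, raw_bytes, virtual_size) tuples.
    This is test scaffolding so the example runs offline; it is not a real program."""
    e_lfanew, opt_size = 64, 224
    headers_len = -(-(e_lfanew + 4 + 20 + opt_size + 40 * len(specs)) // 512) * 512  # round up to FileAlignment
    mz = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table, body, raw_ptr, vaddr = b"", b"", headers_len, 0x1000
    for name, raw, vsize in specs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, len(raw),
                             raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
        raw_ptr += len(raw)
        vaddr += max(vsize, 0x1000)
    return (mz + b"PE\0\0" + coff + opt + table).ljust(headers_len, b"\0") + body


# Constructed samples: a UPX-style layout (empty UPX0, high-entropy UPX1) and a plain layout.
_rng = random.Random(1234)
SAMPLE_PACKED = build_sample_pe([(b"UPX0", b"", 0x8000), (b"UPX1", _rng.randbytes(4096), 0x4000)])
SAMPLE_CLEAN = build_sample_pe([(b".text", bytes(range(32)) * 128, 4096), (b".data", b"A" * 512, 512)])


def analyze_file(path: str):
    with open(path, "rb") as fh:
        return assess_packing(fh.read())


if __name__ == "__main__":
    for label, image in (("packed sample", SAMPLE_PACKED), ("clean sample", SAMPLE_CLEAN)):
        report = assess_packing(image)
        print(f"{label}: likely_packed={report['likely_packed']}")
        for line in report["packed_indicators"]:
            print("  -", line)
```

    The name table finds only packers someone has already catalogued, which is exactly the limitation wizard describes; the entropy and empty-section checks catch unknown or renamed packers but can also fire on legitimate programs that embed compressed resources, so the two results are best read together rather than either one alone.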
     
  4. Andreas Haak

    Andreas Haak Guest

    Well ...

    Quite reliable and with the option to unpack:
    http://66.36.228.12/protools/files/utilities/ fs.zip

    Quite reliable, no unpack option, but open source:
    http://www.unet.univie.ac.at/~a9606653/gettyp/


    Made first link unclickable, because it was a direct download link. Repaired the second link.
     