How easy is it to bypass Avira?

Discussion in 'other anti-virus software' started by yaslaw, May 17, 2007.

Thread Status:
Not open for further replies.
  1. yaslaw

    yaslaw Registered Member

    Joined:
    Feb 27, 2005
    Posts:
    167
    Location:
    Poland
  2. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    I wouldn't be too worried; all AVs can be bypassed in some way if they really wanted to.

    "kav and dr.web are unpacking monsters,"

    I like that though :D
     
  3. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    It is actually true you know :)
     
  4. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    That is just a bashing topic there... Read Stefan Kurtzhals' answer. ;) There is no need to add dozens of packers because they can be easily bypassed anyway. If you detect the malware after extraction, it's OK. :)
     
  5. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    I do know one AV that doesn't do packer/crypter specific detection. Avast! :D
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I think that you may be wrong. I often see Win32/Trojan.gen (UPX) in MIRT.
     
  7. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    That's not generic UPX detection. It just states that some generic malware was detected under the UPX packer.
     
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Well, I was wrong :D
    What about AVG?
     
  9. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    "Virus found Win32/CryptExe". This is the only possible packer detection I have noticed from AVG. There was another called "Win32/PEPatch" but I verified this to be real malware and not just a packer detection. :)
     
  10. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    It's still a packer-dependent detection which was luckily correct on some malware...
     
  11. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    No, there are many variants of Win32/PEPatch reported by AVG unlike the Win32/CryptExe detection, which was always detected as just "Win32/CryptExe". For example "Win32/PEPatch.I, Win32/PEPatch.Y, Win32/PEPatch.X" etc.

    When there is a packer detection from an AV, usually there are no variants - for example "Mal/Packer", not "Mal/Packer.A", "Trojan.NSAnti.Gen" (BitDefender), "TR/Crypt.XPACK.Gen" (Avira)

    After searching a little bit about it, I found out that "Win32/PEPatch" is given to malware which modifies portable executable files like winlogon.exe (for example) :)
     
  12. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    What about custom packers? :)

    It's clear: if you want, you can bypass almost all AVs based on signatures. That's one point where HIPS/CIPS can really help ;)
     
  13. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    I think they all add them,

    drweb: Trojan.Packed.132
     
  14. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Firecat, those variant packer detections are most probably just packer detections with dependencies. McAfee is using something similar (well, at least I know they used to in the past). It was like this:

    Packer: UPack -> YES
    File size threshold: 200KB
    + some extra internal characteristics

    If you had a UPack-packed file that was 1.1MB in size, McAfee left it out since UPack-packed worms/trojans were never this big (because of transportation reasons).
    If you had a UPack-packed executable with a size of 55KB, McAfee jumped with a name like New malware.u (just an example).
    So it's not a fully aggressive packer detection that will jump on any packed file; it was more selective, resulting in fewer false alarms than, let's say, QuickHeal, which jumps on any runtime-packed file regardless of its other characteristics. Pack Notepad.exe with more exotic packers and it'll always be flagged as malware.
     
  15. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Wrong. Even totally wrong. PE_Patch is a synonym for additionally patched files after runtime packing, for example. If you pack a file with UPX and redirect the entry point to some strange extra decrypting function (such as decrypting the UPX sections first before calling the UPX unpacker stub, for example via XOR) it will be flagged as PE_Patch. Basically that means a second or third etc. layer before the "real" entry point.
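
The two detection rules described in posts 14 and 15 (a packer detection that only fires below a file-size threshold, and a PE_Patch-style check for an entry point that does not land in the packer's own stub section) can be shown side by side on a small PE parser. The following Python is an added example, not code from this thread or from any AV vendor: the 200KB threshold is taken from post 14, the UPX0/UPX1 section names are the ones UPX normally emits, and "entry point outside UPX1" is an assumed simplification of what post 15 describes. The sample images are constructed header-only PE32 files, not runnable programs.

```python
"""Toy packer/PE_Patch heuristics over minimal PE32 headers (added example)."""
import struct
from dataclasses import dataclass

# Verdicts returned by classify()
NOT_PACKED = "not UPX-packed"
PATCHED_ENTRY = "PE_Patch-like: entry point outside the UPX1 stub section"
PACKED_LARGE = "UPX-packed but above the size threshold: left alone"
PACKED_SMALL = "UPX-packed and small: flag for closer inspection"


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    raw_offset: int

    def contains_rva(self, rva):
        span = max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < self.virtual_address + span


@dataclass
class PEInfo:
    entry_point: int
    sections: list


def parse_pe(data):
    """Minimal PE32 parser: reads only the entry point and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24                                      # optional header
    if struct.unpack_from("<H", data, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_point = struct.unpack_from("<I", data, opt_off + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt_off + opt_size + i * 40                      # 40-byte section headers
        name, vsize, va, rsize, roff = struct.unpack_from("<8sIIII", data, off)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                va, vsize, rsize, roff))
    return PEInfo(entry_point, sections)


def classify(data, size_threshold=200 * 1024):
    """Apply the two heuristics: entry-point placement, then size threshold."""
    pe = parse_pe(data)
    names = {s.name for s in pe.sections}
    if not {"UPX0", "UPX1"} <= names:
        return NOT_PACKED
    entry = next((s for s in pe.sections if s.contains_rva(pe.entry_point)), None)
    if entry is None or entry.name != "UPX1":     # assumed: the UPX stub lives in UPX1
        return PATCHED_ENTRY
    if len(data) > size_threshold:                # post 14's selective rule
        return PACKED_LARGE
    return PACKED_SMALL


def build_pe(section_specs, entry_point, overlay=0):
    """Construct a header-only PE32 image (constructed test data, not executable).
    section_specs: list of (name, virtual_address, virtual_size, raw_size)."""
    pe_off, opt_size = 0x40, 0xE0
    headers = pe_off + 4 + 20 + opt_size + 40 * len(section_specs)
    raw_off = (headers + 0x1FF) & ~0x1FF          # 512-byte file alignment
    sec_table = b""
    for name, va, vsize, rsize in section_specs:
        sec_table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, rsize,
                                 raw_off if rsize else 0, 0, 0, 0, 0, 0x60000020)
        raw_off += rsize
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_point, 0x1000, 0x1000, 0x400000)
    opt += b"\0" * (opt_size - len(opt))
    image = dos + b"PE\0\0" + coff + opt + sec_table
    return image + b"\0" * (raw_off - len(image)) + b"\0" * overlay


# Constructed sample layouts: a typical UPX section set and a plain linker layout.
UPX_LAYOUT = [("UPX0", 0x1000, 0x8000, 0), ("UPX1", 0x9000, 0x4000, 0x3000), (".rsrc", 0xD000, 0x1000, 0x400)]
PLAIN_LAYOUT = [(".text", 0x1000, 0x2000, 0x2000), (".data", 0x3000, 0x1000, 0x400)]

SAMPLE_SMALL_UPX = build_pe(UPX_LAYOUT, entry_point=0x9A00)                      # ~14KB
SAMPLE_LARGE_UPX = build_pe(UPX_LAYOUT, entry_point=0x9A00, overlay=1_100_000)   # ~1.1MB
SAMPLE_PATCHED = build_pe(UPX_LAYOUT, entry_point=0xD010)                        # EP in .rsrc
SAMPLE_PLAIN = build_pe(PLAIN_LAYOUT, entry_point=0x1100)

if __name__ == "__main__":
    for label, sample in [("small UPX", SAMPLE_SMALL_UPX), ("large UPX", SAMPLE_LARGE_UPX),
                          ("patched EP", SAMPLE_PATCHED), ("plain", SAMPLE_PLAIN)]:
        print(f"{label:11s} {len(sample):8d} bytes -> {classify(sample)}")
```

The order of the checks matters: the entry-point rule runs before the size rule, so a large file whose entry point has been redirected around the stub is still reported rather than silently skipped. A real scanner would add the "extra internal characteristics" post 14 mentions and would confirm a suspected extra layer by emulating from the entry point, as post 18 describes, rather than trusting section names alone.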
     
  16. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    And regarding the topic: you can "easily" bypass *ANY* security software. And if there are only 2 known and verified options for how to do that, the next moronish user who has absolutely no idea what he's doing will find a 3rd one by accident.
     
  17. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Some flag it like this; some, like KAV, also try to properly decompress PE_Patched stuff (and also clearly show that to the user). That's why we see PE_Patch in the scan logs almost all the time, since almost all samples today are obscured one way or another...
     
  18. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Partly wrong :D

    Others can decompress that too via emulation. You just have to "collect" the instruction flow from the emulator and you can easily detect such things. There is no particular "signature" for PE_Patch since it can be done in many different ways, e.g. XOR, ROL, ADD, SUB etc. etc. etc.
     
  19. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    I made that conclusion based on searching for the KAV name of it - Trojan.Win32.Patched.something - KAV's viruslist said something like that. :)

    But then, is "PEPatch" the same thing as "PE_Patch"? Because the underscore is NOT there in the AVG detections. o_O
     
  20. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Thanks for this info, I think you are right. In any case, I've noticed those two detections from AVG, and those are packer-based detections, and that's the point I wanted to make. :D
     
  21. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    How is it possible to bypass a whitelist, assuming that the whitelist was done on a clean system?

    Which name does VBA32 use to flag packers?
    And ClamAV? :D
     
  22. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    PEPatch or PE_Patch is the same thing. It's just the way we write it ;)
     
  23. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    lucas1985:
    For executables that depends on the method used for doing the whitelisting. However, whitelisting is by default still vulnerable to exploits, in-memory execution (see e.g. Win32/CodeRed http://www.viruslist.com/en/viruses/encyclopedia?virusid=23374), malware that is not in binary executables like scripts (VBS, batch etc.), or macro viruses for dozens of applications.

    Whitelisting isn't the holy grail either, you know. And you can't do it on a corporate gateway.
     
    Last edited: May 18, 2007
  24. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    And so I think the question is: what are the security vendors doing about it? Other than labeling people who discover loopholes and bring them to attention as "moronish", I mean?
     
  25. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    Let us face a few things:

    - It is always easier to demand a solution to a problem, than to come up with one.
    - It is always easier to come up with a solution to a problem if you do not have to adhere to the laws and boundaries of reality.
    - The first and second law of thermodynamics do not apply to the proud citizens of planet Moron.

    IT security people are working on the edge between ultimate protection and what reality demands concerning usability, performance and available resources. To drive the point home, Microsoft delivered the ultimate software tools to protect your computer from attacks decades ago with one of its first operating systems. They were, and still are, called FORMAT.COM and FDISK.

    Now admittedly these tools have a few drawbacks when it comes to usability, but you can't get any safer than that on a software level.
     