Kaspersky and code permutation vulnerability

Discussion in 'other anti-virus software' started by hot120, Feb 28, 2005.

Thread Status:
Not open for further replies.
  1. hot120

    hot120 Registered Member

    Joined:
    Feb 28, 2005
    Posts:
    2
    Can someone confirm Kaspersky's alleged code permutation vulnerability? I was searching Google for random Kaspersky reviews and came across the below website that discusses Kaspersky and other anti-virus/anti-trojan software and how they compare to code permutation using a program called Code Pervertor. Thanks!

    http://illusivesecurity.il.funpic.de/viewtopic.php?t=56
     
  2. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    This will most likely affect KAV...I read somewhere that when infected files are even slightly changed (i.e. entry point or unknown packer) KAV will not detect it...McAfee is not affected by this.

    Suppose you have a sample of the virus Netsky. In these cases KAV will NOT detect it:

    1) If you pack it with an unknown packer like Armadillo
    2) If you use the code changer

    This is because KAV signatures are very weak and bound to the exact type of file the malware was originally found in. The engine does not have 'flexibility'.
     
  3. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    With KAV 4.5 you have an option (command line) called redundant scan which covers this "vulnerability". This is taken from the KAV 4.5 instructions, which by now is quite an old product, so it appears Kaspersky were yet again ahead of the rest!!
    In most cases a virus registers itself in the entry point of a file with a reference to its body, which is usually appended to the file contents. To delete such viruses you only need to run an ordinary scanning operation that will remove the virus code located in the file entry point and the virus body pointed to by the initial address.

    However, sometimes the virus divides its body into several parts and places them into clean areas of the file. In this case an ordinary scanning operation will neutralize the virus (i.e. the virus code in the entry point and main part of the virus body will be deleted) but some of its parts will remain in the file.

    In this case you need to run the redundant scan operation that will check not only the file entry points but also the entire contents of your file.

    The redundant scanning tool is recommended if no virus was detected in a normal scan but the system is still behaving strangely (for example, there are frequent instances where the computer restarts by itself, unnaturally slow performance from applications, etc.) Otherwise, we do not recommend enabling the redundant scanning tool as it noticeably slows down the scanning rate and increases the probability of false alarms.
     
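    The two scan modes in the quoted KAV 4.5 text, modelled as an added toy example (not Kaspersky's code and not a real file format): an ordinary scan inspects only the entry point and the region it references, a redundant scan walks the entire file, so a body part dropped into a clean area is only found by the latter. Signatures, offsets and the sample file are all constructed here.

```python
import struct

# Constructed signatures for two parts of a hypothetical virus body (not real ones).
SIGS = {"virus.main": b"\xde\xad\xbe\xef", "virus.part2": b"\xca\xfe\xba\xbe"}
ENTRY_WINDOW = 64  # bytes inspected at the entry point and at the referenced region


def build_sample(fragmented: bool) -> bytes:
    """Constructed file: 4-byte pointer from the entry point to the main body,
    256 bytes of 'clean' contents, then the appended virus body."""
    body = bytearray(b"\x90" * 256)
    main_at = 4 + len(body)                      # main body is appended after the clean area
    header = struct.pack("<I", main_at)
    if fragmented:
        body[100:104] = SIGS["virus.part2"]      # second part hidden inside the clean area
        return header + bytes(body) + SIGS["virus.main"]
    return header + bytes(body) + SIGS["virus.main"] + SIGS["virus.part2"]


def _match(data: bytes, regions) -> dict:
    """Return {signature name: absolute offset} for every signature found in the regions."""
    hits = {}
    for start, end in regions:
        chunk = data[start:end]
        for name, sig in SIGS.items():
            idx = chunk.find(sig)
            if idx != -1:
                hits[name] = start + idx
    return hits


def ordinary_scan(data: bytes) -> dict:
    """Ordinary scan: entry point plus the region the entry point points to."""
    ptr = struct.unpack("<I", data[:4])[0]
    return _match(data, [(0, ENTRY_WINDOW), (ptr, ptr + ENTRY_WINDOW)])


def redundant_scan(data: bytes) -> dict:
    """Redundant scan: the whole file, at the cost of time and more false-alarm surface."""
    return _match(data, [(0, len(data))])


if __name__ == "__main__":
    for fragmented in (False, True):
        sample = build_sample(fragmented)
        print("fragmented" if fragmented else "appended",
              "ordinary:", ordinary_scan(sample), "redundant:", redundant_scan(sample))
```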
  4. Ianb

    Ianb Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    232
    Location:
    UK
    That report may have been right at the time but not now.

    I downloaded the 8 perverted versions and scanned as below.

    SYMCORP9 2 of 8 Detected
    BITDEF FREE 4 of 8 Detected
    ESCAN FREE 8 of 8 Detected
    KAV PERS 8 of 8 Detected
     
  5. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Whoo! And Ianb, our AMD Sempron/Athlon64 problem with eScan has been fixed and will be in the next build.
     
  6. Ianb

    Ianb Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    232
    Location:
    UK
    And in case you were wondering ............

    McAfee VSE 8.0i ......... 8 out of 8 detected.
     
  7. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    I do agree - signatures are easy to circumvent - and KAV is by far an exception to the rule. This example is merely just that: an example. Armadillo - can be regarded as merely an example.

    Nautilus - who runs the site quoted by the OP - surely will/could confirm this, as others can.

    regards,

    paul
     
  8. TonyW

    TonyW Guest

    I'm sure KAV has Armadillo amongst its list of packers now.
     
  9. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Excellent, NOD32 detected ALL.
     
  10. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    Hi Firecat,

    Was the eScan free the trial version of the AV or MWAV? Is there a difference in the scanning effectiveness of the two?
    I notice the Bit Defender free did not fare well.

    Regards,
    Jerry
     
    Last edited: Feb 28, 2005
  11. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    But that only means signatures were added for these specific perverted versions of these specific malwares. It is the easiest thing to do. The real test is what they do if you take a recent (detected) malware and "pervert" it. Will KAV/BitDefender/etc detect it? I doubt it.
    -hojtsy-
     
  12. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    You are partially right, KAV does unpack some very old versions of Armadillo, but not the newer ones. KAV can unpack v2.x of Armadillo, but I'm not sure about 3.x and onwards.
     
  13. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    The eScan free version is NOT a full-fledged scanner and is only meant for a thorough analysis of PCs. The eScan I was talking about is the commercial edition which has features comparable to AVs like NOD32, KAV, Dr.Web, F-Secure etc.

    MWAV is the real name for eScan free edition. There is NO DIFFERENCE to the scanning engines used between the commercial and free versions. Both use the same engine.
     
  14. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    Firecat,

    Thanks a lot.

    Jerry
     
  15. Expert

    Expert Guest

    I just tested about 30 different malware with different perverter versions and KAV happily kept detecting them all.

    So I guess people should actually test stuff instead of simply stating 'facts' which are untrue.
     
  16. Sputnik

    Sputnik Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    1,198
    Location:
    Москва
    That's right, KAV can't unpack Armadillo v3.x (yet) :p
     
  17. Sputnik

    Sputnik Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    1,198
    Location:
    Москва
    About this discussion... I don't know if it's relevant to light this issue out this much... Every scanner has holes, KAV has, Norton has, McAfee has... all of them...

    For now I never heard about serious probs caused by this "weak" point... so calm down everybody... no need for panic :)
     
  18. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Why worry about KAV not being able to unpack this when most AVs can hardly unpack most things!
     
  19. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    I'd have to say that this would be a good reason to have a memory based anti-trojan scanner as a second line of alerting/defense, once they are unpacked it is much easier to find them....

    And I cannot leave out process guard and regdefend to lessen the chance of the trojan hiding itself and/or terminating the AT scanner
    (nb: substitute favourite sandbox/app protection/registry protection above)
     
  20. -ntl-

    -ntl- Guest

    1.
    I believe that Kaspersky have simply downloaded the (harmless) samples from our forum and added them to their signature database. I think this comes close to cheating.

    The following dangerous samples which are contained in our test archive are still not detected (although the non-permutated original samples are detected):

    Perverted.Lithium103.exe
    Perverted2.MEW11SE12.CIA13.exe
    Perverted2.NotPacked.TequilaBandita12f.exe

    2.
    I do not think that code-based signatures are necessarily weak (although they are easily affected by tricks like code permutation or run-time compression). Text-based signature or signatures taken from the resource section have other weaknesses. Our upcoming Signature Quality Evaluation Series will hopefully explain this in more detail.

    3.
    @Expert

    "I just tested about 30 different malware with different perverter versions and KAV happily kept detecting them all."

    Could you please be more specific. Which samples did you pervert? Unless you allow us to verify your results we cannot be sure whether your findings are correct or not.
     
  21. azumi21

    azumi21 Registered Member

    Joined:
    Aug 16, 2004
    Posts:
    129
    Nautilus is right on target about Kav.
     
  22. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    Every virus scanner is vulnerable to code permutation - because you basically create a completely new variant of the malware. If the malware is still detected it is because the virus scanner has a signature in a non-code area (McAfee does this quite often) or because of heuristic detection which doesn't rely on signatures.

    This is no "vulnerability" - you created a new malware and some people don't seem to understand the concept of generic detection and identification of malware. If some virus scanner picked a special signature for a certain malware variant, it is not supposed to detect other variants. Unless a generic signature was picked. Signature scanning was never designed to handle this kind of problem (patched/modified malware). That's what heuristics are for, see NOD32 or Norman.

    Also, as permuting is basically creating a new malware and creating and/or releasing malware is illegal in some countries, I would be careful...
     
  23. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Code permutation will affect many AVs not just KAV. NOD32/Dr.Web are saved by heuristics, and McAfee is saved by scanning virus signatures in non-code areas as Stefan said.

    However I think McAfee's method may not completely remove the virus at hand, although I can not verify this.

    Some time back, a code changer was used to change the icon of a file that was created by a trojan and McAfee didn't detect it.

    Similarly for KAV, when the packer is changed or the code changer was used, it couldn't detect at all. Luckily my eScan has a memory scanner.

    Other products might not be able to unpack the file at all.

    Therefore, I feel it is necessary to understand that all AVs have engine problems, and malware will not be changed (perverted) and distributed because they have to keep several AVs in mind and exploiting the vulnerabilities of 20 or so scanners is a very tough job indeed.

    This type of attack has never occurred in the real world thus far. All AVs are still offering decent protection. Therefore this is not a very big issue.

    Have a great day :)

    Best Regards,
    Firecat
     
  24. -ntl-

    -ntl- Guest

    @Stefan

    In my opinion, it does not matter whether you call code-permutation, rebasing, OEP manipulation etc. a "vulnerability" or not. What matters to me is that some scanners perform better than others with respect to specific threats. If KAV does not use a heuristic or (additional) signatures taken from the resource section in order to detect perverted samples ... it will simply offer less performance than other scanners do. (And with respect to certain other threats KAV may offer a better performance than those other scanners.) For a user it is important to know in which situation a scanner performs badly and in which situation it performs well. Such knowledge will allow the user to include several complementary scanners into his personal concept of layered security.

    Do you know of any jurisdictions that penalize the creation (and not only the use/distribution) of malware? Does this also apply to non-replicating malware? In such case: is there a significant difference between permutated and run-time compressed/Armadillo-protected malware?

    Moreover, I wonder whether you believe that it is illegal to code a bomb called Megatest which exploits the "cursed disk" effect? :p

    @Firecat

    I will never ever believe what an AV/AT software developer will tell me and, therefore, I doubt that eScan has a working memory scanner ;-) Let's try to figure it out ...

    Moreover, I believe that code-permutation has definitely been used ITW. It has been used by replicating malware, it has been used by z0mbie, it was rediscovered by Aphex and there are threads about the permutation tool in one of the biggest trojan boards ...
     
  25. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    isn't it o_O ok...gentlemen...start your engines....:)
     