Kaspersky and code permutation vulnerability

Discussion in 'other anti-virus software' started by hot120, Feb 28, 2005.

Thread Status:
Not open for further replies.
  1. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    @ntl:
    So code permutation HAS occurred already? OMG then we need to fear. I also have McAfee on the other OS though...Good thing, the combo of KAV engine/McAfee engine should be good enough to protect my PC...maybe I should add Panda's truprevent to this setup?

    And NO, I am not a 'developer' for MicroWorld eScan, I am simply an independent tester and nothing more, just that I am close to them as I maintain regular contact and therefore have a good insight on what they want from their customers.

    If you tried the eScan free edition you see that it scans the memory...can anyone tell me HOW good that scan is?

    Regards,
    Firecat
     
  2. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Nautilus, I still don't get what you want to prove. Or just cause panic?

    Permutating the code of existing malware is creating a new malware.
    And you suggest you detect (real) new malware by old signatures?
    You are not getting the point.
    There are a few ways to catch new (real or permutated) malware:

    - heuristics
    - signatures in the resource area (which is "cheating" from my
    standpoint as an engine programmer)
    - generic signatures which are flexible enough to ignore the permutation
    - behaviour blocking

    And so what? If you get way more than 100 new malware samples every day, you just shrug when you get a permutated sample. Who cares? It's just another boring malware. If you permutate a few thousand samples, who cares, I will write a heuristic/generic detection in a few minutes to catch them all.

    You should talk about real problems & threats, not about pseudo elevated problems :)
     
  3. -ntl-

    -ntl- Guest

    @Stefan

    I have not started this topic but merely replied to it and provided certain additional information.

    I do not make a big fuss and I do not cause panic. As always, AVs like you use this argument as a bad excuse.

    I do not suggest to detect new malware by using old signatures. I agree that you still don't get the point. I say that performance matters. And with respect to permutated malware a sophisticated scanner using one or more of the detection methods you have described above simply performs better than, for example, many scanners based on Kaspersky technology.

    Last but not least, it's always funny if you talk about collateral damages. I know that AVs do not really care if a few hundred or thousand computers are infected before a new signature is created. But the infected people do. Moreover, you fail to talk about non-replicating malware. This is where code-permutation really matters.
     
  4. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    A quote from Schouw on Dec 22, 2004 states that at least one sample should now be detected without exact signatures.

    "We are working on it.
    At the moment we detect one sample we didn't detect before - no, we didn't add exact signature. :)"

    http://forums.useice.com/cgi-bin/ikonboard.cgi?;act=ST;f=1;t=1741;
     
  5. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Do you KNOW that, or are you making blind assumptions? Funny, how do you know that? How many people from antivirus companies do you actually know and have spoken to?

    I fail to talk about non-replicating malware? Maybe because our customers don't have any problems with it? It is interesting how you seem to know better than the AV companies which problems the customers of those companies actually have. I am sure you have detailed inside knowledge to that...
    What FACTS do you actually base your statements on? Could you please be so kind as to share your knowledge with us?

    If you are such a top-notch expert in malware, tell me, on how many scan engines did you work so far, and why don't you work for any of the AV or AT companies? You shouldn't make any assumptions about scan engines if you don't actually have detailed knowledge about them. I am sure Kaspersky will take you with a kiss, they desperately need to find out why their scan engine is so horribly flawed. :)

    You want perfect protection from unknown malware. That is impossible; no serious AV company claims to have that or actually provides it. You can bypass every protection somehow. No heuristic and no behaviour blocker is perfect. It's just a question of how much effort you put into trying to bypass them.
     
  6. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    This so-called vulnerability was discussed months ago! It just seems to be a rehash of the same thing: "wow, somebody has discovered a potential vulnerability in KAV, let's make a meal out of it!!"
     
  7. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Steve1955,

    This obviously isn't a vulnerability unique to KAV alone. KAV tends to be mentioned in the context of this particular construct since some users presume that KAV's exceptional detection statistics necessarily equate to complete invulnerability. I'm not placing you in this camp, just noting why KAV seems to catch more of the heat on this specific topic.

    Blue
     
  8. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
  9. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    So if it's been there for a while it should have been fixed by now, right?
     
  10. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Because it is no *vulnerability* to miss new malware. If you modify the code of malware (and the tool does permutate some KB of it, not only a few bytes), it is a new malware. The changes to the code are permanent and cannot be undone, unlike what you can do with PE-EXE packers and crypters. Those don't modify the malware code directly but only add a layer of "protection" around it.

    There is nothing to "fix" except to add better heuristics and behaviour blocking.
     
  11. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Oh, I see. Thanks Stefan :)
     
  12. --ntl--

    --ntl-- Guest

    @Stefan

    1.
    If you make statements like "If you get way more than 100 new malware samples every day, you just shrug when you get a permutated sample. Who cares? It's just another boring malware." you should not be surprised that I talk about collateral damages.

    2.
    As regards non-replicating malware (trojans): your ignorance is typical for an AV. Just because it's more difficult for you to obtain such kind of malware you should not simply ignore it. It does exist and it also affects corporate customers like Valve. Following your logic, ATs would be completely useless.

    3.
    I will refrain from commenting on the quality of your own scan-engine. This would just be a reiteration of a thread @ Rokop Security.

    4.
    "Because it is no *vulnerability* to miss new malware. ... There is nothing to "fix" except to add better heuristics and behaviour blocking."

    Again. Nobody cares whether you call it a *vulnerability* or not (except you). Only performance matters. A software developer whose product is affected by OEP manipulation tricks, rebasing, code permutation etc. should simply add behaviour blocking (like it is used by the a2 IDS), a good heuristics (like it is used by NOD32), and/or additional signatures taken from the resource section (see McAfee).

    5.
    Please stop whining.
     
  13. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    ntl,

    I'm very confused right now.

    While Stefan did say "If you get way more than 100 new malware samples every day, you just shrug when you get a permutated sample. Who cares? It's just another boring malware."

    Didn't he also say that he'd just make a generic signature to detect them all?

    And Stefan did say that it's best to add behaviour blocking and better heuristics to the scan engine.

    Forgive me if I am writing in ignorance as I am really very confused as to what's correct and what's not.

    Regards,
    Firecat
     
  14. --ntl--

    --ntl-- Guest

    @Firecat

    No worries. We are just flaming each other. Basically, we both say the same. If you want to detect permutated samples you need to use:

    "- heuristics
    - signatures in the resource area (which is "cheating" from my
    standpoint as an engine programmer)
    - generic signatures which are flexible enough to ignore the permutation
    - behaviour blocking"

    What Stefan apparently does not like is that the entire code-permutation issue is not simply hushed up.
     
  15. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    And where is the "vulnerability" ? Kaspersky catches things with generic signatures when all other simply fail due to lack of packers or generic engine.
    NOD32 sometimes catches an Rbot/SpyBot or two with heuristics (along with those detected by separate signatures) while Kaspersky catches nearly all of them with just one generic signature. Permutation problem? Like Stefan said, who cares. I don't see it from the user perspective.

    What about other AVs? They fail when you just use some more exotic packer (the code inside is exactly the same). Most of them will fail if you change the structure of the same malware. So I wouldn't call this only a Kaspersky "vulnerability".
     
  16. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Thanks guys. I believe that this issue will affect every scanner out there, it shouldn't be centered on KAV only.

    Yeah I guess a good heuristic/generic detection would take care of everything.
     
  17. Happy Bytes

    Happy Bytes Guest

    ntl, pack 10 random picked files with upx for instance. then 'pervert' (what a word...) 5 of them. send me all 10 files - i will restore them 1:1. :eek:
     
  18. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    You don't get the point, we add the sample with the same speed as every other kind of malware. Why should we especially focus on a permutated sample? Only because you created it and distributed it?

    Well, AT-only scanners are quite useless in my eyes because they don't really offer additional protection over a decent virus scanner combined with tools like Process Guard. And those AT programs do not protect at all against the most common and widespread threats - so what are they good for then?

    Oh and we don't ignore such kind of malware. Actually I like backdoors, trojans and worms. They are SO easy to add, if you would have any clue you would have noticed it recently. ;-)

    In case of Valve, wasn't a commercial remote access program used? So that's your point again? I am pretty sure our customers would *love* it when we detect PC Anywhere as malware. ;-)

    So if you agree that only heuristics and behaviour blocking will protect against new malware, so what is your point at all? You are talking about bad performance, that is nonsense. You are talking about missing features.


    Ya, you really should stop with it, Nautilus. Do you still not wonder why every AV/AT company ignores you? You are so far off reality it's very amusing.

    BTW, how do you know that non-replicating malware got onto computers of our customers? Being a RAT fanboy, I wouldn't be surprised if you had some part in that.


    @Firecat:

    Don't be confused by Nautilus, he lives in his little own world where trojans are threatening the security of the entire world or so.
    Point is, his remarks are completely wrong and based on no facts. He has no inside information how AV companies work. They don't ignore trojans at all and him claiming this alone proves he has no idea what's going on.
    He thinks he's great only because he is able to play around with a tool he didn't write himself and that he obviously doesn't even understand.
     
  19. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Stefan, I don't agree that AV companies ignore Trojan samples. Why, if companies ignored Trojan samples, would KAV have the trojan detection it has today? Would we have seen the rise in Trojan detection of AntiVir?

    I know a bit of this, having been testing AV products (formerly eScan, now ArcaVir) for almost a year, and every suspicious file I had was detected as trojans, which is why I disagree that AV companies do not pay attention to trojans.

    @ntl: Actually trojans are very easy to find, just go to any illegal site including crack sites and hack forums etc. you'll find trojans by the dozen.

    Best Regards,
    Firecat
     
  20. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Firecat, i don't think ntl would have any trouble finding that sort of stuff!!! ;) :D
     
  21. --ntl--

    --ntl-- Guest

    @RejZoR

    "So I wouldn't call this only a Kaspersky "vulnerability"."

    Agreed. Other scanners are affected, too. But it seems that the users of such other scanners do not have a problem to accept it ;-)

    @Firecat

    NOD32 seems to generically detect most permutated samples. Pretty impressive.

    @HappyBytes

    What would be the purpose of this exercise. Would you do it with the help of an automatic tool (i.e., do you suggest that a sophisticated scan engine should be able to undo permutations)? I believe that z0mbie himself has described how to undo such permutations.

    @Stefan

    "You don't get the point, we add the sample with the same speed as every other kind of malware. Why should we especially focus on a permutated sample? Only because you created it and distributed it?"

    Stop misleading people. I have already explained that the danger of code permutation mainly relates to non-replicating malware BECAUSE you will quickly receive a sample of any replicating, permutated malware. By contrast, you have no clue how many permutated non-replicating samples are ITW. Generally, they won't be submitted to you within a reasonable period of time and, therefore, you cannot create a new signature.

    "You are talking about bad performance, that is nonsense. You are talking about missing features."

    Bad performance due to missing features? This is getting ridiculous.

    "BTW, how you know that non-replicating malware got onto computers of our customers? Being a RAT fanboy, I wouldn't be surprised if you had some part in that."

    Ahh...your last "strong" (though somewhat speculative) argument? Just for the record, I do not have any victims and while I do not claim to be a saint I was never involved in things like these:

    "1996:

    More recently, Crypt Newsletter recovered a software boobytrap written by Stefan Kurtzhals, a German programmer who associates himself with an organization called Virus Help Munich and dabbles in the writing of anti-virus software. Kurtzhals wrote this software bomb, called Megatest, in an attempt to trick a more successful competitor with the "cursed disk" effect. In electronic mail obtained by Crypt, Kurtzhals said, "I have quite good [connections] to both AV companies and virus coders, but it's not perfect yet. I need more connections and information. Hmmm, quite funny. I get both AV software and new viruses for beta testing." Kurtzhals added the "cursed disk" fault used in his boobytrap "is also known to almost every better virus coder. It will be mentioned in [the Australian virus-writing magazine] VLAD#6, too. I've seen a preview of some it's [sic] parts." Kurtzhals anti-virus software (not the "cursed disk" boobytrap), called Suspicious, is available from the Munich, Germany, Web-site."
     
  22. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Hey, y'know... you're right! That's just an example for saying how AV companies can easily find trojan samples.
     
  23. Happy Bytes

    Happy Bytes Guest

    And to add some technical facts to this almost useless discussion:

    The statements on some websites which are hosting this 'pervertor' (I really hate this word) are not even true. That you cannot unpack files after 'perverting', for instance. This is nonsense!

    I'll tell you why:

    Take a few files out of the system folder (calc.exe or whatever) and pack them with the UPX executable compressor. Then 'pervert' them. After that, try to unpack these files via UPX -d calc.exe for example. You will probably be very much surprised that it does unpack these files without any glitch!

    That is because this P-Word does exchange 4096 bytes after the entrypoint.
    However, it does not really exchange 4096 bytes, it just tries to do that in this buffer range. Most of the unpackers have their unpacking stub attached at this position. Now, if you can count 1 and 1 together you should know that altering this unpacker stub doesn't prevent the packed sections from unpacking if you use your own unpacking algorithm which expands the packed section data. UPX.EXE -d (whatever) is the best example for this.

    That said: As long as nobody takes signatures starting from the entrypoint within the first 4kb nothing will happen. However, Kaspersky uses this range for CRC checksums for runtime packer detection. That means it might fail if it doesn't detect that a file is runtime packed, because it will then not try to unpack this file and will just scan it in plain raw format.

    The P-word does exchange, for instance, 011h into 013h / 0BDh, which does (from an assembly language point of view) exactly the same, combined with the register values after this opcode.

    So it is pretty easy to detect so-called perverted samples in static runtime packer stubs, because you already know where you have to expect which bytes. If it is perverted, you have differences there. You will see this very easily if you check it with a disassembler whether the file is UPX packed (pusha as first opcode, i.e. 060h, could be a first hint for this for some UPX versions).
    Now if you find a lot (at least 4 or 5) of 013h 0BDh statements, this sample is perverted, because UPX never uses these bytecodes for the equivalent opcodes.

    Isn't it easy ? :D
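    To make the two threads of this discussion concrete (Stefan's list of detection methods that survive permutation, and Happy Bytes' description of a rewritten packer stub above), here is an added example that is not code from any poster, product or tool mentioned in the thread. It models a scanner looking at the 4096-byte window after the entry point and contrasts three approaches on one constructed pair of images: an exact CRC of the window (breaks on any byte change), a wildcard "generic" signature over the invariant stub opcodes (still matches), and the byte-pair heuristic from the post (repeated 13h BDh pairs). The stub bytes, the MZ-style header, the entry-point offset, the signature and the hit threshold of 4 are all assumptions constructed for the example; a real implementation would read the entry point from the PE header and carry real stub signatures.

```python
import re
import zlib

# Scope the post describes: the tool rewrites bytes in a 4096-byte range
# starting at the entry point, and the clue is repeated 13h BDh byte pairs.
WINDOW = 4096
MARKER = b"\x13\xbd"
MIN_HITS = 4  # "at least 4 or 5" in the post; 4 is an assumed threshold

# Constructed stand-in for a file image: a fake 64-byte header followed by a
# toy "unpacker stub". These are NOT real UPX bytes; only the leading pusha
# (60h) mirrors the post. Both images share the same first 16 stub bytes and
# differ only in the repeated opcode that follows.
HEADER = b"MZ" + b"\x00" * 62
PREFIX = b"\x60\xbe\x00\x90\x40\x00\x8d\xbe\x00\x80\xff\xff\x57\x83\xcd\xff"
CLEAN_IMAGE = HEADER + PREFIX + b"\x11\xc0\x90" * 6 + b"\xc3"
MODIFIED_IMAGE = HEADER + PREFIX + b"\x13\xbd\x90" * 6 + b"\xc3"
ENTRY_POINT = len(HEADER)  # assumed known; a real tool reads it from the PE header

# Generic signature: the invariant opcodes of the constructed stub with the two
# 32-bit immediates wildcarded, so it is not tied to one image base or size.
GENERIC_SIG = re.compile(rb"\x60\xbe.{4}\x8d\xbe.{4}\x57\x83\xcd\xff", re.DOTALL)


def stub_window(image: bytes, ep: int) -> bytes:
    """The bytes a scanner would examine: WINDOW bytes from the entry point."""
    return image[ep:ep + WINDOW]


def starts_with_pusha(image: bytes, ep: int) -> bool:
    """First opcode 60h (pusha): the weak 'might be UPX' hint from the post."""
    return len(image) > ep and image[ep] == 0x60


def count_marker(image: bytes, ep: int) -> int:
    """Count non-overlapping 13h BDh pairs inside the entry-point window."""
    return stub_window(image, ep).count(MARKER)


def looks_permuted(image: bytes, ep: int) -> bool:
    """Post's heuristic: a pusha-led stub that repeats 13h BDh is not a clean stub."""
    return starts_with_pusha(image, ep) and count_marker(image, ep) >= MIN_HITS


def window_crc(image: bytes, ep: int) -> int:
    """Exact checksum of the window: brittle, any byte change breaks the match."""
    return zlib.crc32(stub_window(image, ep)) & 0xFFFFFFFF


def generic_match(image: bytes, ep: int) -> bool:
    """Wildcard signature anchored at the entry point: survives the rewrite."""
    return GENERIC_SIG.match(stub_window(image, ep)) is not None


if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("modified", MODIFIED_IMAGE)):
        print(name,
              "crc=%08x" % window_crc(img, ENTRY_POINT),
              "generic=%s" % generic_match(img, ENTRY_POINT),
              "marker_hits=%d" % count_marker(img, ENTRY_POINT),
              "permuted=%s" % looks_permuted(img, ENTRY_POINT))
```

    Running it shows the CRC of the window differing between the two images while the wildcard signature matches both, and the marker count separating the modified stub from the clean one. The design point is the one Stefan makes in his list: an exact checksum over the entry-point range is the detection that a few rewritten bytes defeat, whereas a signature that wildcards the variable parts, or a heuristic on what the rewrite leaves behind, keeps working.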
     
  24. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    @ntl:
    I guess...NOD32 heuristics are great. What about ArcaVir? Anyhow, that just proves that a generic detection or heuristic detection would pretty much take care of these threats.

    However, KAV relies mostly on generic signatures than heuristics, so it might be a problem, or it might not be too.

    Regards,
    Firecat
     
  25. --ntl--

    --ntl-- Guest

    @HappyBytes

    "That you cannot unpack files after 'perverting' for instance. This is nonsense!"

    I was not aware of such statement. Moreover, many of our permutation tests were performed with unpacked samples.
     