Kaspersky and code permutation vulnerability

Discussion in 'other anti-virus software' started by hot120, Feb 28, 2005.

Thread Status:
Not open for further replies.
  1. Happy Bytes

    Happy Bytes Guest

ntl, then it depends on which compiler the executable binary was compiled with. This unpacked perverting shouldn't affect Visual Basic backdoors/Trojans/worms if you scan them with KAV, for instance.
     
  2. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
ROFL, where did you get that nonsense from? I wrote a software bomb?
    Nautilus is so pathetic; if he runs out of arguments he reverts to randomly generated text. Keep it coming, it's getting more and more amusing. :)

BTW, speaking of dates, the code "perverter" source is like 5 years old. It never caused any problems in the past 5 years, so I wonder why Nautilus is getting so worked up about it. He is a bit late in discovering it, oh well...
     
  3. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    @ntl:

    Mind telling us where this news about Stefan comes from?
     
  4. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    To all:

    Let's keep this discussion centered on the thread topic, not peripheral issues that are basically unrelated to the present discussion. Thanks.

    Blue
     
  5. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Is it OK to ask this:

    If the code pervertor is 5 years old now, then AV companies have had a large amount of time to fix the effects. So it should be fixed by now right (a generic/heuristic signature or so)?
     
  6. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
Now that I think of it, since this has been left alone for 5 years, it bears no significant effect whatsoever, as there have been very few (virtually nonexistent, in fact) samples that got through using perverted code. Heuristics and generic detections have done a lot of good for the industry.
     
  7. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Firecat,

he googled for my name and found a fake "interview" in a VX magazine. An interview that I never did; actually, it's made up.
    I wrote 2 antivirus programs in the past, both of them focusing on heuristic detection. SUSP had a heuristic scanner/analyser, behaviour blocker, CRC test and memory heuristic; F/WIN32 was specialized in detecting Microsoft Office macro viruses and analyzing them. Both of them were small shareware products I made in my spare time, so there were actually no competitors I could possibly have wanted to harm. I did them for fun. ;-)

BTW, I am still a member of VHM, as are Tjark Auerbach, Raimund Genes, Rainer Link, Andreas Marx, Dirk Kollenberg and more.

Firecat, you got it right. After 5 years, the "perverter" had no significant impact. All Nautilus is trying to do is get attention. He doesn't actually intend to help people protect against permuted malware, nor does he want to help the AV companies. Where are his suggestions and recommendations? All he keeps saying is that AV products are "flawed" because they don't work like *he alone* thinks they should work.
     
  8. --ntl--

    --ntl-- Guest

    @Firecat

    I will comply with BlueZanetti's request and not further comment on the peripheral issues. (People can search the google webcache on their own.)

    "If the code pervertor is 5 years old now, then AV companies have had a large amount of time to fix the effects. So it should be fixed by now right (a generic/heuristic signature or so)?"

That's not how it works in the AV industry. No changes will be made unless a problem is made public.


    @Stefan

    "He is a bit late in discovering it, oh well..."

    You should better read http://illusivesecurity.il.funpic.de/viewtopic.php?t=56 ...
     
  9. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    @Stefan:

    Where do you work now other than VHM? I didn't believe that news (from ntl) anyway. I also googled your name and found your history relating to F/WIN32 and a few other AV programs.
     
    Last edited: Mar 6, 2005
  10. --ntl--

    --ntl-- Guest

    @Stefan

    "An interview that I never did, actually, it's made up."

This may very well be the case (or not). I would not have mentioned this article if you had not wrongly suggested that I infect people with trojans.

    "Where are his suggestions and recommendations?"

    My suggestion is that you should not exclusively rely on a scanner which is affected by this problem. Moreover, I tell people which scanners are affected and which scanners are not affected. Why do you have a problem with that? Why is it so important to keep people uninformed?
     
  11. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Ahem...ntl,

I don't believe it either, that you infect people with Trojans.

    I think what Stefan meant by "suggestions and recommendations" is that he wanted you to give a suggestion as to how it can be fixed in the engine, or if you have any idea of a workaround, a new heuristics pattern or generic signature, etc., since you know a lot about the pervertor.

    Regards,
    Firecat
     
    Last edited: Mar 6, 2005
  12. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    My thanks to all for pulling the discussion back on track.

    Here's my impression of the situation.

    Stefan is correct in noting that this simply creates a "new" malware, whose signature can be added at will. If enough simple variations on a basic package are accumulating in a database, I'm sure a more generic detection signature would follow. In that respect, it is not a bona fide vulnerability.

-ntl- is correct in pointing out that the focus should be on a scenario in which the malware is non-replicating. In this case there is no indiscriminate proliferation of the malware sample and a very modest likelihood that it will end up in the submission queue for any AV vendor. So it comes down to the question of whether one views this as a potentially significant vector. In this instance I would tend to side with -ntl-. Although petty cybervandalism is still a major cause of malware generation, ethically challenged business interests and criminal elements are now a growing source of malware. They have a financial incentive to go the extra mile, so to speak, in customizing their packages if it significantly aids in accomplishing their objectives. Personally, I do not feel that -ntl- is off-base in raising this as an issue. I see it as a potential near-term future concern. Whether or not it materializes on a very large scale is somewhat irrelevant. It is not a vulnerability per se, but a potential ongoing shortfall in coverage.

    Just my thoughts....

    Blue
     
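As an added illustration of the point made in the post above, and not part of the original thread or of any scanner's real rules: the toy script below shows why an exact code-pattern signature stops matching once independent instructions are reordered, an equivalent instruction form is substituted and junk is inserted, while a normalising, order-insensitive heuristic still recognises the permuted variant and yields the same generic fingerprint for both. The instruction sequences, the signature and the normalisation rules are all constructed for this demonstration.

```python
"""Toy demonstration: exact code-pattern signature vs. normalising heuristic
on a hand-constructed permuted variant.  Everything here (the toy textual
assembly, the signature, the normalisation rules) is invented for this
illustration and is not real malware nor any product's detection logic."""
import hashlib
from collections import Counter

# Constructed "original" routine in a toy textual assembly.
ORIGINAL = [
    "mov eax, 0",
    "mov ebx, 1",
    "push eax",
    "call open_file",
    "add esp, 4",
]

# Constructed "permuted" variant with the same behaviour: the two independent
# register loads are swapped, `mov eax, 0` is replaced by the equivalent
# `xor eax, eax`, and a junk `nop` is inserted.
PERMUTED = [
    "mov ebx, 1",
    "xor eax, eax",
    "nop",
    "push eax",
    "call open_file",
    "add esp, 4",
]

# Constructed code-based signature: an exact, contiguous instruction run.
SIGNATURE = ["mov eax, 0", "mov ebx, 1", "push eax", "call open_file"]


def signature_match(code, sig):
    """Exact contiguous match, the way a classic code-pattern signature works."""
    n = len(sig)
    return any(code[i:i + n] == sig for i in range(len(code) - n + 1))


def normalise(instr):
    """Map equivalent instruction forms to one canonical spelling; drop junk.
    Returns None for instructions that carry no semantics (here: nop)."""
    op, _, args = instr.partition(" ")
    operands = [a.strip() for a in args.split(",")]
    if op == "nop":
        return None
    # xor r, r and sub r, r both zero the register, i.e. equal mov r, 0
    if op in ("xor", "sub") and len(operands) == 2 and operands[0] == operands[1]:
        return f"mov {operands[0]}, 0"
    return instr


def canonical_bag(code):
    """Order-insensitive multiset of normalised instructions."""
    return Counter(n for n in map(normalise, code) if n is not None)


def heuristic_match(code, sig):
    """Normalised, order-insensitive containment: does the code contain at
    least the instructions of the signature, in any order?"""
    have, want = canonical_bag(code), canonical_bag(sig)
    return all(have[k] >= v for k, v in want.items())


def fingerprint(code):
    """Stable hash over the sorted canonical bag; equal for both variants,
    so one generic entry covers the whole family of such permutations."""
    bag = canonical_bag(code)
    payload = "\n".join(f"{k}:{v}" for k, v in sorted(bag.items()))
    return hashlib.sha256(payload.encode()).hexdigest()


if __name__ == "__main__":
    print("signature on original:", signature_match(ORIGINAL, SIGNATURE))  # True
    print("signature on permuted:", signature_match(PERMUTED, SIGNATURE))  # False
    print("heuristic on original:", heuristic_match(ORIGINAL, SIGNATURE))  # True
    print("heuristic on permuted:", heuristic_match(PERMUTED, SIGNATURE))  # True
    print("same fingerprint     :", fingerprint(ORIGINAL) == fingerprint(PERMUTED))  # True
```

The trade-off is the one the thread circles around: the order-insensitive bag is robust to reordering, but it discards sequence information, so a detector built this way needs more context (which API is reached, with which arguments, from what kind of module) to keep false positives down, which is why real engines combine such normalisation with emulation or behaviour analysis rather than using it alone.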
  13. --ntl--

    --ntl-- Guest

    I agree with BlueZanetti.

    Moreover, I would like to emphasize that I did not say that code permutation will stop the world from turning. I merely mentioned this issue ... that's it.


    @Firecat

"I think what Stefan meant by "suggestions and recommendations" is that he wanted you to give a suggestion as to how it can be fixed in the engine, or if you have any idea of a workaround, a new heuristics pattern or generic signature, etc., since you know a lot about the pervertor."

    I do not know more about the pervertor than Stefan does. The pervertor is no secret at all. Stefan cannot reasonably expect me to tell him how to code an advanced heuristic (like it is used by NOD32) or a behaviour blocking system/IDS (like it is used by a2). First, I do not exactly know how such technology works and, second, to the extent I do know how it works (because the developers told me) I won't disclose their business secrets.
     
  14. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    @ntl:

    It was just what I thought about Stefan's words in my previous post OK? It might be different too!

    Regards,
    Firecat
     
  15. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    BTW, would having a memory scanner be enough to stop perverted malware? Both eScan and ArcaVir have a good memory scanner...
     
  16. --ntl--

    --ntl-- Guest

    @Firecat

    A memory scanner which uses code-based signatures should be affected, too.

    Moreover, why do you believe that eScan has a good memory scanner? I would be extremely surprised if this were true.
     
  17. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
Well, I'm not sure actually. eScan's memory scanner scans memory, processes and all related DLLs; isn't that all that's required in a memory scanner?

    ArcaVir takes a longer time though, so it's probably doing a better scan.
     
  18. --ntl--

    --ntl-- Guest

    There are several types of memory scanners:

    1. Fake Memory Scanners

    They scan any program running in memory ... with the help of a file scanner.

    2. Process Memory Scanners

    Real memory scanner but only scans processes (e.g., TDS-3).

    3. Process and Module Memory Scanners

    Real memory scanner which scans not only processes but also modules (DLLs).

    4. "Complete" Memory Scanners

Such scanners scan the entire memory and can also detect code-injecting trojans like Flux. There are various topics on this trojan both in this forum and in our forum. (Again, AV/AT software developers got pretty upset when I mentioned that several scanners had difficulties detecting this nasty. But in the meantime, most of them have reacted.)
     
  19. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    OK I guess eScan is the 3rd type of scanner from your list from what I saw. ArcaVir too fits in the 3rd type.
     
  20. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
As far as I know, avast! can fit into category 4, but only by an on-demand scan performed through my avast! External Control using the Thorough Memory Scan method. The normal memory scan which is performed upon Simple Interface startup fits into category 3. OK, a bit off-topic...
     
  21. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    RejZoR you have an ArcaVir license, can you tell us whether it fits into category 3 or 4?
     
  22. hot120

    hot120 Registered Member

    Joined:
    Feb 28, 2005
    Posts:
    2
    Thanks for all the input and advice fellas!

    Just checking back in. I used to run Norton Corporate 8.1 and thought it was the best thing since LisaRaye in Player's Club. Then I started really getting into computer security and maintenance. I began reading about anti-virus programs and trojan stoppers, and I was consistently led to KAV for the AV and a combination of TH, Boclean, and TDS-3 for the AT. I am currently running KAV Personal alongside TH 4.2 and feel very secure. I also use Firefox as my web browser. Oh, and I have Ad-Aware SE 1.05 just for GP. I think I am very well protected with those three safety measures in place. I'm very impressed with KAV. I know different people take to different programs, but whatever works for that person is what they are going to swear by. Right now, I swear by my setup, though others could see a better solution. Remember though, a couple of months ago I swore by Norton CE, so nothing is set in stone. In this age of code permutations, we as consumers have to be just as flexible as the threats we fight to avoid. Peace!
     