kav now unpacks Armadillo

Discussion in 'other anti-virus software' started by illukka, Nov 2, 2004.

Thread Status:
Not open for further replies.
  1. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    hi

    take a look at this


    AVP 3.0 Daily Update for DOS, Win 3.xx, Win9x, NT, OS/2, Novell, Linux
    -------------------- ---------------------------------------------

    To update your AVP 3.0 you should copy AVC database and AVP.SET file to AVP
    3.0 directory. The records in anti-virus database are:

    {snipped}

    Decompression support added for:
    Armadillo,
    Morphine, PECompact, PE_Patch, PE_Patch.PECompact,
    PecBundle, UltraProtect
     
  2. Socio

    Socio Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    168
    Say what?
     
  3. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
  4. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
Thanx illukka for sharing this major improvement with us.


    GREAT NEWS and again proves that kav isn't just another player on the market.

    bye
     
  5. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    illukka, have you tested it already?
    At least with my Armadillo-packed samples (various Armadillo versions), it doesn't seem to work, as KAV only detects that the files are packed with Armadillo, but it can't unpack and detect the malware itself (similar to what McAfee does with several "un-unpackable" packers/crypters when activating the "guru" mode)... o_O
     
  6. 4A6F4A6F

    4A6F4A6F Registered Member

    Joined:
    Dec 23, 2003
    Posts:
    34
I tested the basic version of the trial version 2.85. I used the default options of this crypter for a trojan. On-Demand Test: KAV detects (unpacks) the armadillo packer, but didn't (!) detect the trojan. The trojan installs the server, the autostart and runs in the background. Then I just tested the ewido memory scanner.. and this one detects the running trojan in the memory.. nice.. very nice :)
     
  7. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
nope, but I will, just downloaded the newest version + I think I have 2 or 3 other versions installed
     
  8. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    I suppose, that confirms my findings, right? :)
     
  9. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
yeah guys, I packed a CIA 1.23 beta rat with armadillo 3.70 trial, using pro emulation, lowest compression, highest protection ( ;) )
none of all the scanners I have detected the file with on demand scan, tried with a couple of online scans.. NO-ONE detected it

kav personal pro 5 doesn't seem to show pack info in the reports (or I can't figure it out, had it for 3 days).. so I cannot comment if the packer was detected or not..
think I'll just go back to 4.5

    :(
     
  10. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
That's good news illukka. Of course, I have known for a long time that KAV has the best unpackers. :D :D
     
  11. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
Hm, how is it with packers and Norman? It doesn't need them because it simply executes the file in Sandbox and watches what it does. You don't need an unpacker for this, right?
     
  12. ,.-

    ,.- Guest

  13. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    Unfortunately, Norman doesn't use its Sandbox as a "generic unpacking engine", as you suggest; i.e. it apparently doesn't scan the unpacked process/file after sandboxed execution via signatures, but instead uses only heuristic methods.
    In contrast to that, Nod32's 'Advanced Heuristic' (based on emulation) obviously does use signature scan, and therefore serves as a reasonable "generic unpacker". :)

    Anyway, I fear that Armadillo is too difficult for both scanners to emulate/execute in a sandbox... :p
     
  14. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
May I suggest that ",.-" could insert all his packed files into one (or several) archive(s), submit it to Norman's online sandbox, and post the results (the reference ID should be sufficient) here:
    http://sandbox.norman.no --> "Sandbox Live" --> "Submit a sample".

    Actually, I expect that the emulator will give up before the end of the emulation (would be too slow).

    Well. This is probably a good idea, but not so obvious. The big problem is that, for some packers, you will never have a complete version of the malware unpacked in memory at the same time (this is the case for Armadillo, afaik), or that some parts of its code may have been moved around by the packer (ASProtect "stolen bytes"). For the other packers, the problem is to find when emulation should be stopped: if stopped too early (i.e. before the original entry point), the malware will not be completely unpacked, and stopping it too late results in a loss of time (and in this case, signature has to be chosen carefully). Last but not least : emulating the instructions used to unpack the program is much more time consuming than executing it. Anyway, it is a generic unpacker, not a universal one.
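Tweakie's point about where to stop emulation can be made concrete. The Python below is an added example, not code from this thread or from any of the scanners discussed: it applies the classic execute-after-write rule to a constructed instruction trace, stops at the first instruction fetched from memory the stub itself wrote (the OEP candidate), reports the written regions a signature scan would then cover, and gives up when a step budget runs out (the "too slow" case). `Step`, `find_oep`, `merge_ranges` and the trace are all constructed for illustration.

```python
"""Execute-after-write stop rule for a generic unpacker (constructed example)."""
from typing import Iterable, List, NamedTuple, Optional, Tuple

class Step(NamedTuple):
    ip: int                                      # address of the executed instruction
    writes: Tuple[Tuple[int, int], ...] = ()     # (start, length) ranges it writes

class Result(NamedTuple):
    oep: Optional[int]                   # first ip fetched from self-written memory
    ranges: List[Tuple[int, int]]        # written memory a signature scan should cover
    steps: int                           # instructions emulated before stopping
    reason: str                          # "oep", "budget" or "end"

def merge_ranges(addrs) -> List[Tuple[int, int]]:
    """Collapse written byte addresses into sorted, contiguous (start, length) runs."""
    runs: List[List[int]] = []
    for a in sorted(addrs):
        if runs and runs[-1][0] + runs[-1][1] == a:
            runs[-1][1] += 1
        else:
            runs.append([a, 1])
    return [(s, n) for s, n in runs]

def find_oep(trace: Iterable[Step], budget: int = 10_000) -> Result:
    """Stop at the first instruction executed from memory the trace wrote earlier.
    Earlier leaves the payload partly packed; later only burns time. The budget
    models an emulator giving up on a slow unpacking stub (a constructed limit)."""
    written = set()                      # every byte address written so far
    steps = 0
    for step in trace:
        if steps >= budget:
            return Result(None, merge_ranges(written), steps, "budget")
        steps += 1
        if step.ip in written:           # code that was data a moment ago
            return Result(step.ip, merge_ranges(written), steps, "oep")
        for start, length in step.writes:
            written.update(range(start, start + length))
    return Result(None, merge_ranges(written), steps, "end")

def packed_stub_trace() -> List[Step]:
    """Constructed trace: a 4-iteration loop at 0x401000 copies 4 bytes per pass
    into 0x402000, then jumps into the region it just filled (the OEP)."""
    trace: List[Step] = []
    for i in range(4):
        trace.append(Step(0x401000))                               # load source byte
        trace.append(Step(0x401004, ((0x402000 + 4 * i, 4),)))    # store to target
        trace.append(Step(0x401008))                               # loop
    trace.append(Step(0x40100C))                                   # jmp 0x402000
    trace.append(Step(0x402000))                                   # original entry
    trace.append(Step(0x402005))
    return trace
```

A packer that never has the whole payload decoded at once (Tweakie's Armadillo case) produces many small execute-after-write events rather than one, which is exactly why this rule alone is a generic unpacker and not a universal one.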
     
  15. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    @tweakie
Yes, as I already assumed above, both Nod32's AH and Norman's sandbox apparently fail to emulate 'through' files which are protected by Armadillo, ASProtect and other advanced protectors - at least, according to my tests with several samples at jotti, Norman's "live sandbox" and Nod32 locally installed on my machine. :)

The problem with testing Norman's sandbox is, as said above, that it only uses heuristic methods (which often fail to detect trojan activity in the first place), while Nod32's AH apparently uses heuristics as well as signatures (which frequently leads to exact identifications of malware by AH).
     
  16. ,.-

    ,.- Guest

  17. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
Very interesting tests! I did not know this forum. Just a question:
did you check that all your 556 samples are actually running
correctly?

The results exhibited in your logs illustrate several features:
the ability of scanning packed/unpacked malware using signatures or
using the sandbox. Concerning the Sandbox, there are several issues:
Is it able to emulate through a given packer?
Is it able to emulate the malware itself?
Is it able to flag the sample "behind" the packer as malware?

From your logs, and if we assume that Norman does not handle
explicitly any packer for signature scanning (might be wrong, but I
think so), by carefully comparing the original dataset to
Norman's results it follows:

1 - Packers that can be handled (emulated through) by Norman Sandbox:

    - Obsidium
    - Mew
    - Morphine 1.2
    - Netwalker
    - PCGuard
    - FSG
    - JDPack
    - PECrypt
    - PeX
    - PkLite32
    - Yoda's Crypt
    - Aspack
    - UPX (also with UPX redir)
    - Petite
    - ACProtect
    - Crunch
    - Exestealth
    - WinKripT

    2 - Packers that cannot be handled by the Sandbox:

    - Armadillo
    - ASProtect
    - DBPE
    - PEShield
    - Krypton
    - Thinstall
    - PELock
    - Peetles

    3 - Packers for which I could not draw a conclusion (mostly due to
    the dataset):

    - PEEncrypt
    - EZip
    - WWPack32
    - UltraProtect
    - Xtreme Protector
    - SVKProtect
    - Exeshield
    - JDProtect
    - telock
     
    Last edited: Nov 5, 2004