Looking for heuristics?

Discussion in 'other anti-virus software' started by winx5, Oct 29, 2005.

Thread Status:
Not open for further replies.
  1. winx5 (Registered Member, joined Jan 14, 2005, 26 posts)
  2. Stefan Kurtzhals (AV Expert, joined Sep 30, 2003, 701 posts)
    I fear the old AntiVir heuristics rather have a "false positive" here, most likely detecting some exe packer as Win32.Virus.

    Just took a look at the sample, seems someone opened an executable with a text editor and saved the result.
    The text editor replaced all zero bytes with spaces (0x20), making the executable invalid and non-working.
    I wonder if that's the same sample though; it has a different MD5 and is test5.exe instead of test5.txt.
     
    Last edited: Oct 29, 2005
  3. winx5 (Registered Member, joined Jan 14, 2005, 26 posts)
    Hi Stefan,

    I can confirm that it is a malware, a trojan downloader.
    NOD32 blocked it from being downloaded.
    By looking in the Threat Log, I found its URL and downloaded the file Test5.txt with WGET to keep the PE intact.
    I also decompressed it with UPX, debugged it and found out that it contacts a server to download more trojans.

    I can PM you the URL if you are interested.
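    Added example (my own, not code posted by anyone in this thread): a small standard-library Python script that does the first-look triage the two posts above describe, hashing a sample so MD5s can be compared, walking the DOS/PE headers, flagging a file whose NUL bytes were turned into spaces by a text editor, and flagging UPX section names so you know to run `upx -d` first. The "PE files" it analyses are skeletons constructed inline for demonstration, not real samples; the UPX check is a plain section-name heuristic and the NUL-stripping check assumes the MZ stub survived.

```python
# Added example, not from the thread: static triage of a suspected PE sample.
# All inputs are constructed in-line (see build_minimal_pe); no real malware.
import hashlib
import struct

PE_SIG = b"PE\x00\x00"
NUL_STRIPPED_SIG = b"PE\x20\x20"   # the PE signature after a NUL -> space save


def md5_hex(data: bytes) -> str:
    """MD5 as quoted by VirusTotal/AV labs, to check two samples are the same file."""
    return hashlib.md5(data).hexdigest()


def looks_nul_stripped(data: bytes) -> bool:
    """Heuristic for an EXE saved through a text editor that cannot store NUL and
    wrote 0x20 instead: MZ stub still there, no NUL anywhere, space-padded PE sig."""
    return data[:2] == b"MZ" and b"\x00" not in data and NUL_STRIPPED_SIG in data


def parse_pe(data: bytes) -> dict:
    """Minimal PE walk: DOS header -> e_lfanew -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("no PE signature at e_lfanew=0x%x" % e_lfanew)
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    sect_off = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsections):
        off = sect_off + i * 40                      # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr,
                         "rsize": rsize, "rptr": rptr})
    return {"machine": machine, "characteristics": chars, "sections": sections}


def is_upx_packed(info: dict) -> bool:
    """UPX leaves UPX0/UPX1 section names unless told to hide them; heuristic only,
    their absence does not prove the file is unpacked."""
    return any(s["name"].startswith("UPX") for s in info["sections"])


def triage(data: bytes) -> dict:
    """Hash the sample and collect the findings a first look should produce."""
    report = {"md5": md5_hex(data), "findings": [], "sections": []}
    try:
        info = parse_pe(data)
    except ValueError as err:
        report["findings"].append("not a valid PE: %s" % err)
        if looks_nul_stripped(data):
            report["findings"].append(
                "NUL bytes replaced by spaces: sample was probably saved from a text "
                "editor; re-fetch it with a binary-safe tool such as wget")
        return report
    report["sections"] = [s["name"] for s in info["sections"]]
    if is_upx_packed(info):
        report["findings"].append(
            "UPX section names present: run 'upx -d' before static analysis")
    return report


def build_minimal_pe(section_names):
    """Constructed test input: a syntactically valid but empty PE skeleton
    (DOS header, PE signature, COFF header, section table, no code)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        name.encode("ascii").ljust(8, b"\x00")
        + struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i,
                      0, 0, 0, 0, 0xE0000020)
        for i, name in enumerate(section_names))
    return bytes(dos) + PE_SIG + coff + table


if __name__ == "__main__":
    clean = build_minimal_pe([".text", ".data"])
    packed = build_minimal_pe(["UPX0", "UPX1", ".rsrc"])
    damaged = clean.replace(b"\x00", b"\x20")         # what "open in editor, save" does
    for label, sample in (("clean", clean), ("packed", packed), ("damaged", damaged)):
        print(label, triage(sample))
```

    Running it on a real download shows why the thread's MD5s disagreed: the text-editor copy hashes differently from the original and no longer parses, so a lab that receives it sees an invalid file rather than the downloader.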
     
  4. Marcos (Eset Staff Account, joined Nov 22, 2002, 14,374 posts)
    For those interested in another example (I ceased taking screenshots after I'd got about 70 images with unique variants):
     

  5. Stefan Kurtzhals (AV Expert, joined Sep 30, 2003, 701 posts)
    winx5, can you send the URL or sample to heuristik@antivir.de?

    The test5.exe that was sent to us from VirusTotal was not the same sample you uploaded, it seems (different MD5).
     
  6. Firefighter (Registered Member, joined Oct 28, 2002, 1,670 posts, Finland)
    Is it so that you just managed to get the top 3 heuristics scanning engines in to the same picture? :D

    Best regards,
    Firefighter!
     
  7. winx5 (Registered Member, joined Jan 14, 2005, 26 posts)
    Stefan,

    It's now sent. :)

    Firefighter,

    Count Antivir as the fourth... :D
     
  8. Firefighter (Registered Member, joined Oct 28, 2002, 1,670 posts, Finland)
    Maybe? ;) But none has said anything about the heuristics in Kaspersky 6.0.15.222a (preBeta1 - step 7)! :doubt:

    Best regards,
    Firefighter!
     
  9. Stefan Kurtzhals (AV Expert, joined Sep 30, 2003, 701 posts)
    Firefighter, does that version of the KAV6 beta have anything new regarding heuristic detection?
     
  10. RejZoR (Registered Member, joined May 31, 2004, 6,426 posts)
    There is Proactive Defense module, that works pretty much the same as TruPrevent. Except it's still very very beta and doesn't exactly function as it should (for now).
     
  11. Stefan Kurtzhals (AV Expert, joined Sep 30, 2003, 701 posts)
    I noticed the behaviour blocker, but it's too much work to test an entire collection against it by launching every file. So it's hard to say how good its "detection" ratio actually is.

    I thought that KAV6 has a slightly better file heuristic, even though KAV 4.5 and 5 should use the same AVC files, hm.
     
  12. Firefighter (Registered Member, joined Oct 28, 2002, 1,670 posts, Finland)
    I have not tested that new Kaspersky Pre-Beta yet. About heuristics, I don't even know how I can test that against large sample collections, because Kaspersky detects almost everything. :D But there is a simple method with DrWeb 4.33.

    If you want to check how good DrWeb's heuristics are, please remove all your defs except today's riskware ones, then check first without heuristics; if no detections occurred, enable heuristics and scan your whole sample collection. :D

    Best regards,
    Firefighter!
     
    Last edited: Oct 29, 2005
  13. Firefighter (Registered Member, joined Oct 28, 2002, 1,670 posts, Finland)
    Can anyone tell which AVs are able to scan with heuristics only, apart from NOD? Tricks like the one DrWeb has are also welcome. ;)

    Best regards,
    Firefighter!
     
  14. Firecat (Registered Member, joined Jan 2, 2005, 7,927 posts, "The land of no identity :D")
    I remember that on the Kaspersky forum, a developer had stated that KL was considering improving the heuristics engine of KAV 6.x.

    BTW, I don't think the AVC files contain the heuristic engine; what they do contain is the generic detection engine. ;)
     
  15. Don Pelotas (Registered Member, joined Jun 29, 2004, 2,257 posts)
    There are both gen.avc and ca.avc (= code analyzer). :)
     
  16. Marcos (Eset Staff Account, joined Nov 22, 2002, 14,374 posts)
    For those interested, here is how NOD32 provided zero-time protection against the latest mass-mailing threats without needing to update (the total number of occurrences was taken from www.virusradar.com):

    Number of occurrences of a variant of the Win32/Bagle worm on 2005-11-01 (hour : count):
    2005-11-01 22 : 4137
    2005-11-01 21 : 1959
    2005-11-01 20 : 3434
    2005-11-01 19 : 2354
    2005-11-01 18 : 1438
    2005-11-01 17 : 407
    2005-11-01 16 : 0

    Number of occurrences of a variant of the Win32/Mytob worm on 2005-11-01 (hour : count):
    2005-11-01 22 : 50
    2005-11-01 21 : 23
    2005-11-01 20 : 7
    2005-11-01 19 : 2
    2005-11-01 18 : 0
     