No more safety without AntiVir !! Is it the only one ?

Discussion in 'other anti-malware software' started by Metting, Nov 19, 2006.

Thread Status:
Not open for further replies.
  1. Metting

    Metting Registered Member

    Joined:
    Aug 3, 2006
    Posts:
    100
    Hi board

    I have tested many antimalware scanners : AV, AT, AS etc. against very well known and easily detectable malware but encrypted with Themida runtime packer, all of them have failed except Avira AntVir in all encrypted malwares and Pest Patrol in some of the encrypted malwares.

    Specifically I have tested these AV's : KAV, NOD32, BitDefender, Pc-Cillin, Norton, AVG, Avast.

    And these AT's and AS's : AVG (Ewido), T Hunter, T Remover, SpySweeper, SpywareDoctor, SAS, Ad-Aware Pro, SpyBot, A2, TMAS.

    Note : I tested every scanner with a Themida encrypted malware wich is easily detectable by the same scanner when it was not encrypted !!

    No one succeeded except Antivir all the time, and Pest Patrol some times, all other failed every time .

    It is a very annoying test result which means that any trivial but Themida encrypted malware can easily infect a machine protected by any first class AV or AT or AS but AntiVir !

    Now I cann't feel safe any more without AntVir.

    Did you try any other scanner against Themida encrypted malware?
    If not please do and share your results with us.
     
  2. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I would agree there isnt any better.:)
     
  3. huntnyc

    huntnyc Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    977
    Location:
    Brooklyn, USA
    Did you use free version of AntiVir or paid version and thanks.

    Gary
     
  4. Metting

    Metting Registered Member

    Joined:
    Aug 3, 2006
    Posts:
    100
    @ huntnyc

    Free Version
     
  5. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,302
    Location:
    Location Unknown
    Well duh! Considering your avatar, take this with a biased grain of salt.


    So, you use a very specific testbed that only includes one sample, or one type? And from that you conclude that AntiVir must be the best? I'm sorry you'll need to do a little testing in order for your conclusions to have any weight to them.

    Don't get too comfortable. Take into account a pproducts track record. It is entire possible to AntiVir to not do well on the next official test. It is a very good product but it is not the best there is. Nor is any for that matter.
     
  6. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Would any HIPS or behavior type programs have detected this? Like ProSecurity Free, or Cyberhawk?
     
  7. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    When you execute it (they work on behaviour, ie when the malware acts). Same goes for the av's, maybe they would detect them upon extraction, i don't know.
     
  8. Metting

    Metting Registered Member

    Joined:
    Aug 3, 2006
    Posts:
    100
    You got me wrong I didn't test all scanners with the same malware, I tested every one with a 2 or 3 very well known malwares to it specifically.

    I didn't say that AntiVir is the best, but simply I said it is the only one who was able to detect the malware before encryption and after encrypted by Themida.
     
  9. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    I'm curious, did you test these products with their default settings? NOD32, for instance, has an option to scan runtime packers. If memory serves, it is not enabled by default, but someone please clarify this if I'm wrong. I'm really not familiar with the other products you tested, but they certainly must include options not enabled by default that would increase the detection rate if enabled.
     
  10. Metting

    Metting Registered Member

    Joined:
    Aug 3, 2006
    Posts:
    100
    HIPS should be able to detect the bad effect on the system, because HIPS detect the influence of the malware on the system not the malware it self. and there is no difference if the malware it self was encrypted or not because HIPS don't depend on sigs.
     
  11. Metting

    Metting Registered Member

    Joined:
    Aug 3, 2006
    Posts:
    100
    No for our bad luck
    For example : NOD32 and KAV accept Themida encrypted Biforse trojan running in the memory very happily.

    Other scanner show similar silent action even when malware was in working phase !!!
     
  12. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    Just use Avira then, and don't worry if that is what it takes.

    Jerry
     
  13. Metting

    Metting Registered Member

    Joined:
    Aug 3, 2006
    Posts:
    100
    NOD32 2.7.16 was tested with maximum security level enabled, including runtime packers, Advanced Hueristics, Anti Stealth and every thing else.
    Try it your self with a very old malware but encrypted by Themida!

    All others were tested with the highest level of security available.
     
  14. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    Metting,
    I read your posts about this in a thread about Pest Patrol recently.
    This is good for AntiVir.
    A question though.....
    Would malware need to be decrypted before it could actually do anything?
    The reason that I ask is because you stated that these samples were detected by multiple programs before they were encrypted.
     
  15. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Okay, thanks Metting. I'll take your word for it. I suppose to minimize the risk of infection from one of these encrypted malwares is to download executables from well-known, trusted sites, as I always do. I don't use shareware or torrent programs of any kind. BTW, is it possible to recognize these thermida-encrypted files by their file extensions?
     
  16. shockedAVguy

    shockedAVguy Guest

    Thank you, thank you, thank you!! When I saw this thread I was surprised more then I have ever been and amazed at the same time. I immediately called Eugene and said, "We messed up big time! Over at Wilders this guy discovered a hole that had never occurred to any of us before. We'd better jump on this right now or our scanner is done for!"

    Ever thought of pursuing a job in our labs?
     
  17. dah145

    dah145 Registered Member

    Joined:
    Jul 3, 2006
    Posts:
    262
    Location:
    n/a

    :D you really talked with Eugene? :eek:
     
    Last edited: Nov 20, 2006
  18. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
    Did a quick Google on Themida and malware. Found that F-Secure detects Themida encoded malware also.

    SourMilk out
     
  19. Malcontent

    Malcontent Registered Member

    Joined:
    Dec 30, 2005
    Posts:
    451
    Location:
    Cleveland, Ohio USA
    How about Dr. Web antivirus? Did you test it?
     
  20. herbalist

    herbalist Guest

    Be careful what you read into those results. At the moment, it means that AntiVir is capable of detecting malware encrypted with that particular packer. With a different packer or encryption method, the results could well be different. AVs can react to new packing or encryption methods but it's impossible for them to anticipate all the methods could be used. The tools are freely available that can make malware undetectable by any AV.
    I uploaded a copy of graypigeon, a known malware to 2 different online sites that use multiple scanners. The results are shown in the links below.
    Scanned by Jotti.
    Scanned by Virustotal.
    I'm suprised by the ones who didn't recognize this unencrypted malware, starting with PrevX1, NOD32, and Microsoft!
    I then encrypted graypigeon by a method not normally used, renaming it testpest..exe and uploaded it to both sites. Here's the results.
    Jotti scan of encrypted malware.
    Virustotal scan of encrypted malware.
    I'm not going to identify the method I used to encrypt this file for obvious reasons. This was strictly to demonstrate that signature based detections have no chance against encrypted malware, unless the vendor has already seen malware encrypted by that particular method.
    Rick
     
  21. btman

    btman Registered Member

    Joined:
    Feb 11, 2006
    Posts:
    576
    None of them got it o_0... So if someone got that on a computer... and executed it so... w.e damage could be done... would an anti-virus like kaspersky stop it... or not until the next version with heuristics?
     
  22. dah145

    dah145 Registered Member

    Joined:
    Jul 3, 2006
    Posts:
    262
    Location:
    n/a
    There is something I dont understand, there should be some point at executing an encrypted exe that the AV will detect it or not? Try executing your encrypted trojan Herbalist and see if your AV detects it. o_O
     
  23. Metting

    Metting Registered Member

    Joined:
    Aug 3, 2006
    Posts:
    100
    No,

    malware encrypted by themida can do it's work while encrypted.

    Themida simply protects the area in memory in which the malware or any other themida encrypted file works, so it is impossible for any program to read this memory area except if the program has a special way to pass through this protection, and this penteration of themida protection is what AntVir handled with success.
     
  24. Metting

    Metting Registered Member

    Joined:
    Aug 3, 2006
    Posts:
    100
    Thanks SourMilk

    any one ready to test F-secure ?
     
  25. Metting

    Metting Registered Member

    Joined:
    Aug 3, 2006
    Posts:
    100
    No I didn't, I hope some one will do
     
Loading...
Thread Status:
Not open for further replies.