TDS-4 Emu

Discussion in 'Trojan Defence Suite' started by cguest, Nov 11, 2003.

Thread Status:
Not open for further replies.
  1. cguest

    cguest Guest

    1.
    Wayne has announced that TDS-4 will feature an emulation (generic unpacking engine). I find this quite interesting because of the following reasons:

    Many AV scanners have an emulation that can simulate the execution of encrypted viruses in a kind of virtual machine. However, I do not know many AV/AT software producers who have developed an emulation which is able to deal with non-trivial containers (i.e., run-time compressors like UPX, PE crypters or commercial protectors). IMHO, even Kaspersky AV does not have a working emulation but uses a static unpacking engine.

    Static unpacking engines cannot unpack unknown compressors / crypters / protectors because they require a "signature match" before the static unpacking routines come into play. Moreover, static unpacking engines are vulnerable to OEP obfuscation techniques and other modifications of the unpacking stub of a compressed malware sample. This leads to a rather unpleasant situation. Every script kiddy can camouflage a trojan by compressing it with an unknown packer, a known packer whose unpacking stub has been modified, or a sophisticated commercial protector like Armadillo. No AV scanner will detect such samples unless it uses "weak" signatures taken from the resource section like McAfee does. (Allegedly, AV producers consider it impossible to automatically unpack sophisticated commercial protectors like Armadillo.) The only defense against such protected trojans is memory scanners such as those used by BOClean, TDS or Trojan Hunter.

    2.
    The question is whether an emulation will solve this problem. In theory, an emulation should be able to unpack every compressed / crypted trojan. However, the coding of an emulation is complex and quite tricky. For example, the coder has to take care of the following issues:

    a)
    If an executable contains uncommon opcodes, which are not supported by the emu, the emu may crash or be unable to correctly process the file. A malware coder may intentionally use uncommon opcodes.

    b)
    An emulated virtual machine is slow. Much slower than a real computer. An emu will not merely slow down the speed of a scanner. There is also the risk that a malware coder will try to exploit the speed difference between a real computer and the emulation (e.g., by adding wait loops to the malware's code).

    c)
    Commercial protectors (or malware coders) may use anti-debugging techniques which prevent a file from being executed in a virtual machine (i.e., an executable may try to figure out whether it is executed on a real computer and may stop running if it finds itself running in a virtual machine).

    3.
    Therefore, it comes as a big surprise to me that a small company like DCS has developed an emulation (and not only a static unpacking engine for a limited number of packers). It will be interesting to figure out how powerful the emu is. Allegedly, NOD32 Version 2 uses an emu, too. However, it is not able to unpack sophisticated commercial protectors. Moreover, Andreas Haak has been working on an emulation for a long time. But it has not been released yet.

    In summary, I am pretty excited ... ;-)
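    As an added illustration (not code from DCS, TDS or any product named in this thread), here is a toy emulation-based unpacker in Python that shows why points (a) and (b) of the post above matter for the scanner's own robustness: the instruction set, the marker "signature" and the XOR key are all constructed for the example, and the stub is run only inside a private byte buffer with a step budget.

```python
import struct
# Toy machine for this illustration (constructed; not x86 and not DCS/TDS code):
#  01 imm16 ptr=imm   02 imm16 cnt=imm   03 imm8 key=imm   04 mem[ptr]^=key,ptr++
#  05 cnt--           06 rel8  jnz rel   FF halt           anything else: unknown
MARKER = b"TOY-MARKER-NOT-REAL"   # constructed "signature" of the unpacked body
KEY = 0x5A                        # constructed XOR key used by the packer stub

def build_sample(wait_loops=0, bad_opcode=False):
    """Packed image: optional anti-emulation tricks, 13-byte unpacking stub, XORed body."""
    code = bytearray()
    if wait_loops:                                   # issue (b): delay loop before unpacking
        code += b"\x02" + struct.pack("<H", wait_loops) + b"\x05\x06\xfd"
    if bad_opcode:
        code += b"\x99"                              # issue (a): opcode the emulator lacks
    body_off = len(code) + 13
    code += b"\x01" + struct.pack("<H", body_off) + b"\x02" + struct.pack("<H", len(MARKER))
    code += bytes([0x03, KEY]) + b"\x04\x05\x06\xfc\xff"   # loop: xor, dec, jnz -4; halt
    return bytes(code) + bytes(b ^ KEY for b in MARKER)

def emulate(image, budget=20_000):
    """Run the stub on a private copy of memory, never for real, with a step budget."""
    mem, pc, ptr, cnt, key = bytearray(image), 0, 0, 0, 0
    try:
        for _ in range(budget):
            op = mem[pc]
            if op in (0x01, 0x02):                   # ptr / cnt = imm16
                val = struct.unpack_from("<H", mem, pc + 1)[0]; pc += 3
                ptr, cnt = (val, cnt) if op == 0x01 else (ptr, val)
            elif op == 0x03:                         # key = imm8
                key, pc = mem[pc + 1], pc + 2
            elif op == 0x04:                         # mem[ptr] ^= key; ptr++
                mem[ptr] ^= key; ptr += 1; pc += 1
            elif op == 0x05:                         # cnt--
                cnt, pc = cnt - 1, pc + 1
            elif op == 0x06:                         # jnz rel8 (relative to next pc)
                rel = struct.unpack_from("<b", mem, pc + 1)[0]
                pc += 2 + (rel if cnt else 0)
            elif op == 0xFF:
                return "halted", mem
            else:                                    # issue (a): report, don't crash
                return "unsupported_opcode", mem
    except (IndexError, struct.error):               # stub ran or wrote off the end
        return "memory_fault", mem
    return "budget_exceeded", mem                    # issue (b): loops cannot hang us

def scan(image):                                     # static check first, then emulation
    if MARKER in image:
        return "detected_static"
    status, mem = emulate(image)
    return "detected_after_emulation" if MARKER in mem else "clean_or_" + status
```

    The status string matters as much as the verdict: a scanner that reports "budget_exceeded" or "unsupported_opcode" can treat the file as suspicious or hand it to a memory scanner, whereas one that silently returns "clean" has been defeated by exactly the tricks listed above.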
     
  2. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    "cguest" (;)),
    Thanks for your interest in our emulator, but it's a bit early to speculate on what it can or can't do - we haven't said anything about it nor is there any demo available, and some of what you've said is misleading and in some cases simply incorrect so although I've got a fair idea, I'm not sure exactly what you're trying to achieve with this thread? Please allay my suspicions ;)

    Actually you did make one very good point though, but indirectly ... that no detection methods (emulation included) are perfect, all have various advantages and disadvantages (which also vary from implementation to implementation), but emulation as you know is still a very powerful weapon to have in the arsenal that greatly increases the detection capabilities of the scanner -- if it didn't, anti-virus scanners wouldn't use it.
     
  3. cguest

    cguest Guest

    Hi Wayne:

    "but it's a bit early to speculate on what it can or can't do "

    True. But the word "emulation" sounds exciting.

    "and some of what you've said is misleading and in some cases simply incorrect"

    Please correct my mistakes so that I won't make them again.

    "not sure exactly what you're trying to achieve with this thread?"

    Actually, I cannot even imagine what you have in mind :) I am just curious about the emulation. But I understand that it is still too early to talk about it.

    "very powerful weapon to have in the arsenal that greatly increases the detection capabilities of the scanner -- if it didn't, anti-virus scanners wouldn't use it."

    Yes. It definitely has a great potential. That's why I am so curious.

    Cheers.
     
  4. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    I understand your curiosity (I too find it a very interesting topic) and you're more than welcome to talk about it, theorise etc, but until we release it, it's not something we have any interest in discussing, I'm sure you understand. :) *back to work*

    Cheers,
    Wayne
     
  5. cguest

    cguest Guest

    "but until we release it it's not something we have any interest in discussing,"

    That's okay with me. But in this case I should also be allowed to dispute your claim that I have made any false or completely misleading statements ;-)
     
  6. cguest

    cguest Guest

    I guess what Wayne dislikes is that, for example, I have not properly distinguished between a virtual machine and an emulation but used the term "emulated virtual machine". Technically speaking, both terms ("emulation" and "virtual machine") have a different meaning. The distinction is quite important. But not for understanding my posting.
     
  7. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Without any hidden thoughts: I am quite excited about it as well. I don't know as much about it or about programming in general as Wayne or cguest, but I'm learning from threads like these, so I am happy that cguest posted and opened the opportunity for me to again learn something more about system internals, and I'm hoping any misleading points will be corrected.

    Having seen the way DCS have dealt with process-to-process attacks, which involved a kernel-level OS driver (which I prefer thinking of as a configurable OS patch ;) ) and all sorts of nifty protection, I am assuming it will be a very interesting low-level approach and at the same time I'm confident that it will be as secure and effective as necessary.

    Looking forward to seeing some more (talk) about it (sooner or later).

    Andreas
     
  8. dguest

    dguest Guest

    You might be interested in the following:

    There will be not two (TDS-4, a2) but three AT scanners featuring an emulation. Ewido has just released a public beta. The emulation already works. I do not want to post additional information because this is the TDS forum. But the concept of Ewido looks very interesting. In particular, their efforts to ensure signature quality.
     