The Ultimate MemScanner Challenge (BOClean, TDS-3, TH and others)

Discussion in 'other anti-trojan software' started by ano1, Dec 28, 2003.

Thread Status:
Not open for further replies.
  1. ano1

    ano1 Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    27
    The file "archive3.jpg" is a password protected .rar archive (i.e., it must be renamed before it can be opened w/ WinRAR). The archive contains two relatively new trojan servers (Theef 2 beta 5). Both servers are visible and entirely harmless zoo trojans. The first sample is not compressed at all. The other sample is protected with Armadillo's Copy-Mem II technology which encrypts pages of memory.

    Usually, Memory Scanners do not need to decrypt trojan servers at all. (AT software producers have created MemScanners because attackers started to protect their trojans w/ compressors, crypters or the like. MemScanners rely upon the fact that a compressed trojan server is usually unpacked when it is loaded in the computer's memory.)

    The above rule does not apply anymore. I am curious whether there is any MemScanner on the market which is able to detect Copy-Mem II protected malware.

    Please send me a PM if you are interested in the exact download location and the password for the archive. I will not post a direct link because this would not be in line with the TOS (according to Paul).

    If you believe that your AV or AT scanner can detect the Armadillo-protected Theef server while it is running please let me know. I will be happy to verify such a claim. It will be interesting to know who comes first ... but please note that cheating (like creating special sigs for the Armadillo-protected zoo sample or scanning for window names) will not be tolerated ;-) Moreover, I won't take into account any generic filescanning techniques (e.g., scanning the resource section of the files).

    Good luck

    EDITED1: In the meantime, Andreas Haak has (almost) convinced me that it is quite easy to detect Copy-Mem II protected malware by taking signatures from those parts of the file which are executed first and, therefore, are likely to be a part of the first (unencrypted) memory page. Unfortunately, this is still a theory since the a2 mem scanner does not work yet.

    EDITED2: If you are interested in the samples and do not receive a reply from me you may also ask Paul Wilders who knows the PW and who is responsible for this PM procedure ;-)
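    The following is an added illustration, not code from the thread or from any of the products named in it. It simulates the two situations the opening post describes: a whole-file packer, which a memory scanner defeats because the body is restored in memory, and page-wise encryption in the style attributed to Copy-Mem II, where only the first page and the page currently executing are in the clear at scan time, so a signature taken from the entry page (the EDITED1 idea) still matches while a signature from deeper in the body does not. The sample body, the XOR "cipher", the keys and the signatures are all constructed toy data; the 4 KiB page size is the only real-world constant.

```python
"""Added example (not from the thread): signature scanning of a packed file, of the
unpacked memory image, and of a memory image under page-wise encryption. All
samples, keys and signatures are constructed toy data."""
import re

PAGE = 0x1000  # 4 KiB x86 page: the unit both a memory scanner and page encryption work in

# Constructed stand-in for a trojan body (not a real sample): page 0 holds the
# entry-point code that has to be in the clear to execute, page 2 holds a string
# deep in the body, the kind of thing a file-scanner signature usually targets.
ENTRY_STUB = b"ENTRYSTUB_v1:"
BODY_MARKER = b"ZOO-THEEF-MARKER"
BODY = (ENTRY_STUB.ljust(PAGE, b"\x00")
        + b"\x90" * PAGE
        + BODY_MARKER.ljust(PAGE, b"\x00"))

# Constructed signatures: one taken from the entry page, one from the body.
SIGNATURES = {
    "entry-stub": re.compile(re.escape(ENTRY_STUB)),
    "body-marker": re.compile(re.escape(BODY_MARKER)),
}


def xor(data: bytes, key: int) -> bytes:
    """Toy symmetric transform standing in for a packer's or a page encrypter's cipher."""
    return bytes(b ^ key for b in data)


def scan(image: bytes, sigs=SIGNATURES) -> set:
    """Plain signature scan: the names of all signatures found anywhere in the image."""
    return {name for name, pat in sigs.items() if pat.search(image)}


def packed_file(body: bytes = BODY, key: int = 0x33) -> bytes:
    """On-disk image produced by a whole-file packer: nothing is in the clear."""
    return xor(body, key)


def unpacked_memory(body: bytes = BODY, key: int = 0x33) -> bytes:
    """Process memory after a conventional packer's stub has run: whole body restored."""
    return xor(packed_file(body, key), key)


def copymem_memory(body: bytes = BODY, active_page: int = 0, key: int = 0xA7) -> bytes:
    """Process memory under page-wise encryption as the thread describes it:
    page 0 (entry code) stays in the clear, the page currently executing is
    decrypted, every other page is still encrypted at the moment of the scan."""
    pages = [body[i:i + PAGE] for i in range(0, len(body), PAGE)]
    return b"".join(page if n in (0, active_page) else xor(page, key)
                    for n, page in enumerate(pages))


if __name__ == "__main__":
    print("file scan, packed file:     ", scan(packed_file()))            # set()
    print("mem scan, whole-file packer:", scan(unpacked_memory()))        # both
    print("mem scan, page enc, page 0: ", scan(copymem_memory(active_page=0)))  # entry-stub only
    print("mem scan, page enc, page 2: ", scan(copymem_memory(active_page=2)))  # both
```

    The point the simulation makes is the one Andreas Haak is credited with in EDITED1: under page encryption a memory scanner sees a different image depending on which page happens to be executing, so a signature is only reliable if it is taken from the page that is always decrypted, which in practice means the code that runs first.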
     
  2. ano3

    ano3 Guest

    Taken from the developer's website:

    "The majority of "backdoor compromises" involve FAMILIAR trojans which have been "encrypted," "repacked," "patched," "hex edited" or otherwise modified to obscure them from "pattern matches." ...

    Many antiviruses do well and detect about 90% of trojans in the wild. It's the other 10% which are modified that is the major concern, and known trojans can be easily configured to elude file scans even when they're "known." BOClean doesn't bother. Once they're unpacked or decrypted and go to run, they must shed their "cloaking" and this is where BOClean comes to the rescue. Instantly."

    I am curious whether BOClean can handle the Copy-Mem II protected sample. Unfortunately, there is no BOClean trial.
     
  3. controler

    controler Guest

    Have you sent the file to any of the fine AV-AT makers yet? Has any of the members asked if you would send it to them? Your writing looks familiar :D


    con
     
  4. ano4

    ano4 Guest

    "Have you sent the file to any of the fine AV-AT makers yet?"

    No. But in the meantime, they should have created a signature for Theef 2 beta 5 anyway. In addition, they can dl it from the official Theef website, my website or ask Paul who has the PW & the samples. Also note that TH users were never at risk since TH's generic scan can detect every Theef server. (Unfortunately, this does not apply to other trojans).

    In addition, I would like to mention one more time that my samples are harmless zoo trojans. Their single purpose is to determine whether a mem scanner can handle CPMII-protected malware, i.e., we are talking about a potential threat and not a real threat. At least so far.

    "Has any of the members asked if you would send it to them? "

    Yes.

    "Your writing looks familiar"

    Thanks. :-* That's deliberate.
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    TDS has standard detection for Theef. More may be added, including special detection ;) We add extra detection for common families and Theef is one which is used a little. But nothing like the use Assassin, Optix, MoSucker, CIA and a few others get.
     
  6. ano1

    ano1 Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    27
    Theef suffers from various design flaws. You can easily take signatures from the resource section (e.g., RCData -- PACKAGEINFO or TFORM1) in order to detect it.

    However, there are better trojans out there which do not facilitate a detection via a scan of the resource section. In such case it is more important to find a way to overcome CPM-II protection.
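    As an added example (not code from the thread or from any product mentioned in it), this is what the "scan of the resource section" that the post refers to amounts to: walk the PE section table, pull out the raw bytes of .rsrc, and look for the Delphi RCData resource names PACKAGEINFO and TFORM1. Resource directory names are stored as UTF-16LE strings, so that is the encoding searched for. The PE file used to exercise the parser is constructed by build_toy_pe() and is not a real binary. Note the weakness the post implies: every Delphi executable carries PACKAGEINFO, and TFORM1 is just the default form name, so this identifies the compiler and a lazy author, not a trojan.

```python
"""Added example, not from the thread: locate a PE file's .rsrc section and check it
for the Delphi RCData names the post mentions. The PE blob is constructed here."""
import struct

RCDATA_NAMES = ("PACKAGEINFO", "TFORM1")
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def dir_string(name: str) -> bytes:
    """IMAGE_RESOURCE_DIR_STRING_U: WORD length followed by UTF-16LE characters."""
    return struct.pack("<H", len(name)) + name.encode("utf-16-le")


def build_toy_pe(rsrc: bytes, text: bytes = b"\xc3" * 16) -> bytes:
    """Constructed, non-executable PE-shaped blob with a .text and a .rsrc section,
    laid out with real header offsets so the parser below can be tried offline."""
    sections = [(b".text", text), (b".rsrc", rsrc)]
    opt_size, nt_off, align = 224, 0x80, 0x200     # PE32 optional header size, e_lfanew, file alignment
    hdr_end = nt_off + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = -(-hdr_end // align) * align         # first section starts at the aligned header end
    first_raw = raw_ptr
    hdrs, blobs, va = b"", b"", 0x1000
    for name, data in sections:
        size = -(-len(data) // align) * align
        hdrs += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(data), va,
                            size, raw_ptr, 0, 0, 0, 0, 0x40000040)
        blobs += data.ljust(size, b"\0")
        raw_ptr, va = raw_ptr + size, va + 0x1000
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", nt_off)).ljust(nt_off, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    nt = b"PE\0\0" + file_hdr + b"\0" * opt_size
    return (dos + nt + hdrs).ljust(first_raw, b"\0") + blobs


def pe_sections(data: bytes) -> dict:
    """Walk the section table and return {section name: raw section bytes}."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (nt_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[nt_off:nt_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (nsec,) = struct.unpack_from("<H", data, nt_off + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, nt_off + 20)  # SizeOfOptionalHeader
    table = nt_off + 24 + opt_size                             # section table follows the optional header
    out = {}
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        # Slicing is bounds-safe, so a header pointing past EOF just yields a short section.
        out[name.rstrip(b"\0").decode("ascii", "replace")] = data[raw_ptr:raw_ptr + raw_size]
    return out


def rcdata_names_present(data: bytes, names=RCDATA_NAMES) -> list:
    """Which of the Delphi RCData resource names occur in the .rsrc section."""
    rsrc = pe_sections(data).get(".rsrc", b"")
    return [n for n in names if n.encode("utf-16-le") in rsrc]


if __name__ == "__main__":
    delphi_like = build_toy_pe(b"\0" * 16 + dir_string("PACKAGEINFO") + dir_string("TFORM1"))
    print(rcdata_names_present(delphi_like))                  # ['PACKAGEINFO', 'TFORM1']
    print(rcdata_names_present(build_toy_pe(b"\0" * 16)))     # []
```

    A scan like this only reads the file on disk, which is why it is unaffected by run-time memory protection such as CPM-II, and also why the opening post rules it out of the challenge: it says nothing about what the process looks like once it runs.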
     
  7. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    Sorry I missed this one ... we'd gotten a link to the file(s) in question a few days ago where someone had asked us to check it and BOClean had no problem detecting either. Do feel free to verify against BOClean if you'd like ...
     
  8. ano1

    ano1 Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    27
    Hi Kevin,

    Thanks for contributing to this topic.

    1.
    Do you know why BOClean detected both samples?

    2.
    Do you believe that detecting CPM-II compressed malware is no problem at all (even if a trojan does not have a .rsrc section like Theef)? Other mem scanners do have problems ...

    3.
    I am considering uploading a CPM-II protected server which does not have a .rsrc section. However, such a server would not be a harmless zoo trojan (since there are apparently no visible servers w/o a .rsrc section). Therefore, I would not be able to reveal the password to persons who are not AV/AT software producers etc.
     
  9. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    No problem detecting it with TDS either, even on old databases :)

    So the memory protection is not doing anything to stop the memory scanner. All memory scanners SHOULD be able to detect this, depending on having signatures of course.

    But I added a bit more detection anyway, and will update the advanced sigs to detect various packed samples as soon as possible.
     
  10. ano1

    ano1 Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    27
    @Gavin

    I have tried to detect it with signatures dated Dec 28, 2003. Process Mem Scan detects nothing. Same applies to Object Mem Scan. File scanner stays silent.

    Then I have used sigs dated Jan 7, 2004. File scanner detects nothing. Obj Mem scan says nothing. Process Mem scan detects ... nothing.

    Are you sure that you scanned the Theef2b5Armadillo.exe sample? Is my TDS defect/misconfigured?

    (The unpacked file Theef2b5.exe is detected of course. By the file scanner and by the mem scanner due to generic detection -- icq notify.)
     
  11. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hmm I'll have to look into that, I ran the Armadillo version and scanned with a month old database, detected it fine o_O
     
  12. worried

    worried Guest

    As for Trojan Hunter - sure, Theef seems no prob. but.. the TH module mem scanner seems to fail on fairly all DLL injections o_O. Seems to make this guard virtually useless. Correct me if I'm wrong here - please!

    worried
     
  13. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    worried,

    TrojanHunter hasn't failed any test with process-injecting trojans here... what trojan are you using? If you have one it isn't detecting, could you send it to submit@trojanhunter.com ?
     