Which AT's unpack, & which do NOT?

Discussion in 'other anti-trojan software' started by bellgamin, Apr 13, 2003.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    I can spell *unpack* & that's about the extent of my knowledge on this topic.

    I have read here & there that some AT's & AV's can unpack trojans, whereas others either cannot, or are limited in their abilities.

    #1- What is meant by this?
    #2- How important is this ability to an AT's effectiveness? Specifically, should it be a prime factor in selecting an AT &/or an AV?
    #3- Of the *big name* AT's & AV's, which ones are "good" or "not so good" at doing this?

    {Hangs head & blushes...} Uhh... I already bought Trojan Remover before I ever heard about this unpacking thing. Does anyone know if TR is okay [or not] from this standpoint?

    regards......bellgamin
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hello bellgamin, I am no expert on packing & unpacking but maybe this will help.

    Packers do simply what their name suggests: they 'pack' or 'compress' a program (DLLs also), much the same way something like PkZip does.
    The weakness of every packer is of course its unpacking 'stub'; put very simply, if a program runs it must be unpacked at some stage.

    1. AV's & AT's use many methods to find viruses or Trojans; unpacking is just one.
    2. Probably the most important things are that the AV/AT programme is updated regularly & has good customer support.
    3. My personal opinion: Kaspersky & NOD32 for viruses, TDS3 & BOClean for Trojans.

    You can find most of the information here at Wilders forums or by reading through the main www.wilders.org site. Also check out the in-depth information about Trojans at www.diamondcs.com.au
     
  3. anvil

    anvil Guest

    @bellgamin

    1. 'Packing' or 'compressing' is a powerful method to hide malware from file scanners, because the file's appearance will (almost) completely change.
    Only scanners with an unpacking engine can _reliably_ detect (some) packed malware before execution.
    (Note: an unpack engine can only unpack those packers, which are "known" to it - so an unpack engine has to be updated regularly and can't possibly unpack all packers.)

    2. Since packing of backdoors/trojans is almost obligatory in the 'scene', I think unpacking capabilities are very important for an AV/AT.
    Memory scanning (TDS3, Trojan Hunter,...) can be some kind of alternative, but since the malware is only detected _after_ execution, it could have done anything before its own termination - including the termination of the AV/AT (which is not only theory!)...

    3. There are only a few AVs which have a mentionable unpack engine: KAV (and derivatives), McAfee, RAV, DrWeb, Bitdefender (hope I didn't forget one...)
    I don't know any AT which has a powerful unpack engine - which is quite sad imho...

    Trojan Remover has neither an unpacking engine, nor memory scanning... better luck next time. ;)
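    The point Pilli and anvil make above, shown in Python as an added example that is not from any poster in this thread: a stand-in "packer" built from zlib (constructed for the demo, not a real packer) changes the stored bytes so a plain signature scan misses the sample, an entropy heuristic can still flag the file as probably packed, a scanner whose unpack engine knows this one packer recovers the signature without executing anything, an unknown packer leaves it blind again, and a memory scan only sees the body after the stub has run. The DEMOPACK/OTHRPACK headers, the SIGNATURE bytes and the hash-chain body are all constructed for the demo.

```python
import hashlib
import math
import zlib

# Constructed 'signature' an AV would carry for this (harmless) demo sample.
SIGNATURE = b"CONSTRUCTED-DEMO-BACKDOOR-MARKER"

def _constructed_body(n_bytes=3000, seed=b"constructed-demo"):
    # Deterministic pseudo-random letters: compressible like code, harmless.
    out = bytearray()
    while len(out) < n_bytes:
        seed = hashlib.sha256(seed).digest()
        out += bytes(b"abcdefghijklmnopqrstuvwxyz "[b % 27] for b in seed)
    return bytes(out[:n_bytes])

_BODY = _constructed_body()
UNPACKED_SAMPLE = b"MZ" + _BODY[:1500] + SIGNATURE + _BODY[1500:]

def pack(data, stub=b"DEMOPACK"):
    """Stand-in packer: an 8-byte 'stub' header plus the zlib-compressed body.
    As with real packers, the original bytes are no longer on disk."""
    return stub + zlib.compress(data, 9)

def run_stub(packed):
    """What the stub does at execution: rebuild the image in memory. A memory
    scanner sees this; an unpack engine reproduces it without executing."""
    return zlib.decompress(packed[8:])

def file_scan(data):
    """Naive file scanner: signature match on the bytes exactly as stored."""
    return SIGNATURE in data

def entropy(data):
    """Shannon entropy in bits per byte; compressed data sits close to 8."""
    n = len(data)
    counts = [data.count(bytes([v])) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_packed(data, threshold=7.0):
    """Heuristic for scanners without an unpack engine: treat high entropy
    as 'probably packed' rather than passing the file as clean."""
    return entropy(data) > threshold

def unpacking_scan(data, known_stubs=(b"DEMOPACK",)):
    """Scanner with an unpack engine that knows only the listed packers;
    an unknown packer leaves it as blind as file_scan."""
    if data[:8] in known_stubs:
        data = run_stub(data)
    return file_scan(data)

def compare_scanners(sample=UNPACKED_SAMPLE):
    packed, unknown = pack(sample), pack(sample, b"OTHRPACK")
    return {
        "file_scan_unpacked": file_scan(sample),
        "file_scan_packed": file_scan(packed),
        "entropy_flags_packed": looks_packed(packed),
        "unpack_engine_known_packer": unpacking_scan(packed),
        "unpack_engine_unknown_packer": unpacking_scan(unknown),
        "memory_scan_after_run": file_scan(run_stub(packed)),
    }
```

    Real scanners compute entropy per PE section rather than over the whole file, and real unpack engines emulate the stub instead of calling a known decompressor, but the detection outcomes line up with the ones the thread describes.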
     
  4. Vampirefo

    Vampirefo Guest

    As said above, unpacking is very important; hopefully you won't have to find out first hand how important. I use McAfee; it has a great unpacking engine. I used NAV for a while and was testing some Trojans, and I got first hand experience of how important the unpacking engine was.

    As soon as I ran the Trojan it killed NAV, crashed it hard, I had to go to Norton's site to get information on how to fix NAV. After the Trojan killed NAV so violently, upon reboot NAV resident scanner wouldn't work, and I kept getting different errors from NAV.

    Once I manually unpacked the Trojan, NAV would block its execution, but while the Trojan was packed NAV did nothing but die.

    So basically if The Trojan or Virus is programmed to kill your AVP, or AT, and it slips by detection, upon execution it will kill your AVP, or AT, sometimes as in my case causing the user to get help in repairing the AVP, or AT.

    The best and easiest way to slip by detection is to pack the Trojan or Virus; most script kiddies and hackers know which AVPs don't have unpacking engines, and which AVPs have weak unpacking engines.
     
  5. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    WHY do all you people insist upon giving me a whole bunch of disturbing facts, instead of the reassurances and good news that I came here for? o_O :oops:

    Seriously, I truly & deeply appreciate the time and expertise that went into all your comments.

    What you folks have said makes me wonder about some stuff I have read about KAV lately. Namely, KAV now seems to have the reputation that:

    #1 It has a superb unpacker.
    #2 It uses plenty of system resources and slows things down a lot.

    Is #2 above a major consequence of #1 above?

    If so, does that mean that [in one sense, at least] the script kiddies & hackers are winning the game?

    regards......bellgamin
    ~~~~~~~~~~~~~~~~~
    P.S. Please -- SOMEbody tell me that AVG gives me all the protection I will ever need. :cool:
     
  6. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    No. Version 3.5 uses less than 3 MB of memory and has no impact on CPU whatsoever. Detection capabilities are the same!

    Technodrome
     
  7. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Vampire,

    I'm curious, you said that NAV was unable to detect the trojan in its packed state, but then when you executed it, it crashed the AV? Or NAV prevented its execution?

    Did the trojan do anything while in its packed state?

    Thanks for the info...
     
  8. anvil

    anvil Guest

    @JimIT

    I think he meant NAV got crashed, because (in almost all cases) NAV can't prevent a trojan from executing, if this trojan has been packed - and then the trojan can do _anything_ to 'poor' NAV... :'( ;)
     
  9. Vampirefo

    Vampirefo Guest

    Yes, upon execution it crashed NAV. The Trojan was an AV killer, meaning it was programmed to take out certain antivirus programs; NAV was one of the AVs it was designed to take out.

    A lot of bigger Trojans target AVs; that's why an unpacker is necessary. If the Trojans didn't disable or crash the AV, then the AV would detect them when they unpacked, or uncloaked.

    A packed Trojan is just in cloak mode or hidden; the Trojan is just waiting to be executed. Once it's executed, it takes out the AV, then the firewall, provided your firewall and AV are targets.

    The Trojan can't do anything until it's executed; then it's no longer packed or cloaked, but seeing that the AV and firewall are disabled, nothing is left to stop the Trojan from connecting to the Internet.

    Now if you run TDS-3 or TH, or some other layer of protection, then it would be stopped. But I am just talking about people who use one layer of protection, e.g. just an AV.
     
  10. Vampirefo

    Vampirefo Guest

    Yes, this is what I meant.
     
  11. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Interesting! Did you download the trojan w/NAV's resident scanner in place, or did you disable it, etc.? Did you scan the packed trojan with NAV's on demand scanner?

    The reason I ask, is because we've had pretty good fortune with NAV's trojan-catching abilities (so far).

    *Jim knocks wood*
     
  12. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Vampirefo said...
    A packed Trojan is just in cloak mode or hidden, the Trojan is just waiting to be executed, once it's executed, it takes out the AV, then the firewall, provided, your firewall and AV are targets.

    For the very reason mentioned by Vampirefo, my integrity checker [AdInf] randomly generates a hash-name for its main executable. The name is unique for each customer. Thus, a Trojan can't find AdInf's executable. Or so the theory goes.

    If this simplistic approach actually works, I wonder why NAV & other security software folks aren't using it?

    Another thought:
    I have heard that BOclean concentrates exclusively on spotting Trojans AFTER they become active in memory. Correct? If so, I wonder: Can a packed Trojan do any damage while in a packed status? If not, why isn't BOclean's approach more or less THE *ideal* solution?

    If I am on a wrong track, please set me straight soon. Otherwise, I have decided that BOclean is the way to go. My TrojanRemover [I already paid for it] will do the on-demand scanning, & BOclean will do the real-time monitoring.

    A good way to go?

    regards......bellgamin
     
  13. Vampirefo

    Vampirefo Guest

    Yes, I downloaded the Trojan with the resident scanner in place. The best way for me to explain it to you is by giving you an example. This file is not dangerous in any way; it's a firewall tester, or firewall killer.

    NAV detects it unpacked, uncloaked. I have packed it, or put it in cloak mode; NAV will not detect it, and will allow it to run. Below are the same files, one is packed, the other is not. You can see first hand, safely of course, by the demo I provided below.

    http://angelfire.lycos.com/wv2/vampirefo/firewar.zip

    http://angelfire.lycos.com/wv2/vampirefo/firewar_Packed__Folder.zip
     
  14. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Note on the two links in above post by Vampirefo...

    At the time I checked them, those are direct download links to zipped versions of the Firewar firewall test program.

    Firewar is discussed at this site: http://www.paoloiorio.it/fw.htm

    Please note, Vampirefo is not asking anyone to execute the firewar.exe files contained in those zip files, but rather simply to scan them with their AV/AT product to see the difference in detection between the packed (smaller) version and the original (unpacked) one.

    I have no issue with this, and it is a good example of how packed files get by some scanners.

    Of course, as ever, use caution when taking and running programs from anyone on the Internet.
    - LowWaterMark
     
  15. solarpowered candle

    solarpowered candle Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    1,181
    Location:
    new zealand
    Cool pics you got there LowWaterMark :)

    Sorry to digress here
     
  16. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    GAV detects both packed and unpacked firewar samples that Vamp linked to (see pic). ;)
     

  17. anvil

    anvil Guest

    Since a packed trojan doesn't 'uncloak' until it has gotten into RAM, the only way to detect it in this state is a 'real' memory scan.
    I don't know _any_ AV with such a memory scanner. That's why the trojan doesn't even have to disable the AV to remain undetected. :rolleyes:

    Another case is ATs (BOClean, TrojanHunter, TDS3,...): those normally have a memory scanner which is capable of detecting any packed trojan - but only after the trojan's execution!
    So ATs suffer really hard from AV/AT-killing trojans.

    As mentioned above, this is not really necessary for file scanners (like NAV).
    But some memory-scanning ATs actually do this: e.g. TrojanHunter generates a new filename for its guard on every startup (or something similar... don't know exactly :rolleyes: )
     
  18. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Anvil,
    TDS-3 has execution protection, where executed files are intercepted by TDS, scanned, and if a trojan is found, the execution is blocked. It's the only anti-trojan with this capability.

    Incidentally, we've already completed the unpack engine for TDS4. :)
     
  19. anvil

    anvil Guest

    @Wayne

    Yes, I know I wasn't very exact here - just wanted to point out the differences between 'file scanning' and 'memory scanning' with regard to packed malware.

    Nice to hear that your unpack engine is complete. :)
     
  20. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    It is, indeed interesting! With interesting results, which I shall not post here! ;)
     
  21. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    I think it is--it is what I use, however I think it also depends on how much "futzing around" you like to do online, and how much "fiddling" you want to do with your online protection. I like having a good AV w/a dependable backup, and running BOClean as a trojan smasher, simply because I don't want to be scanning all the time.

    That's just me. You will hear dissenting opinions on this topic, and all points will be valid.

    I also administer a medium-size network with a lot of d/l going on 15 hours a day, and I don't have time to be scanning clients' machines in addition to running backups and scanning with an AV. I want something out there as a "watchdog" that I don't have to babysit.

    Again, that's my point of view. Personally, I love what BOClean does, and their support, but there are equally valid options. :)
     
  22. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    Well, I'm no longer a member of GAV (Blaze clutches fist with rage), but I have to say Gladiator Antivirus has some serious unpacking and killing power, and it's only a beta, meaning not finished.

    I have to say, in all my time as a Wilders fan and newbie, GAV is the most impressive up-and-comer.

    TDS is also excellent; I love the execution protection. It is still one of the stronger applications out on the market, with Gladiator trailing next to it.

    A lot of people here will argue, say this and that, throw monkey wrenches in there, but see, I'm no longer a GAV team member, and even with my anger, which is extreme, I still say Gladiator Antivirus is a great way to go. That's saying a lot.

    I kinda wish that Michael and Wayne had worked together.

    I don't think it ever crossed their minds, but with G-man, Wayne and Jason with Big Mike, the software would kick a$$.

    Maybe one day when I win the lotto I'll buy all 4 of them to make something so unbelievable.
     
  23. So what? People make far too much noise about "serious unpacking power". It is a nonsense. Dr. Web on our network detects *many* more viruses than GAV, and if they are compressed it finds and blocks them upon unpacking, and even Norton and McAfee will accomplish this, so why do you rate "serious unpacking power" as a desirable feature? Are you one of the brainwashed? :)

    dbg
     
  24. anvil

    anvil Guest

    @die blau ganz

    What's your point?
    As I mentioned above, DrWeb and McAfee have strong unpack engines, so these scanners can detect and block many compressed malware files.
    On the other side, Norton will NOT "accomplish this", because it can't unpack.

    What did you get wrong here? What has that to do with "brainwashing"?
     
  25. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    die blau ganz, blah blah blah. See, that's one of the type of guys to throw a monkey wrench, lol.

    Well, here's something kinda cool, I think, anyway, but not really a must-have.

    I was using a program called WinMX; many, I'm sure, have heard of it.

    Some hacker had loaded a new type of Sub7 in his share folder. Many here know I have TDS and NAV 2002 and tons of other stuff.

    I had over 700MB in my share folder.

    NAV 2002 active scan had indeed found the Sub7 trojan; when I had moved the folder, the NAV alert went off.

    I'm not sure if that means the trojan became active as soon as I moved the folder, or NAV just did its minor active scan. I'm hoping the latter.

    'Cause if it did become active from simply moving the folder, that means TDS didn't catch it, and I doubt that very much.

    Anyhow, to continue on, Norton wanted to put my 700MB folder in quarantine. My god, one file infected and Norton wanted to wipe out everything.

    This was unacceptable.

    I had to find a way around it. Unfortunately I could use GoBack, but not well enough to where I could keep what I wanted in my WinMX folder; the most I could do was go back to before Norton caught it.

    After 3 attempts I finally did it.

    See, Norton active scan will quarantine a whole folder with tons of stuff just to wipe out an infected file,

    but if you right-click on the folder and scan for viruses, it will single out the one infected file and put it in quarantine.

    Yes, I was able to save my 700MB folder and wipe the nasty from my system.

    Here's the screwed-up thing: imagine if a hacker had loaded a Sub7 trojan into, let's say, a folder in my system where critical operating system DLLs and files are.

    NAV active scan would want me to send all of it to quarantine to either repair or delete, not acceptable at all.

    It could damage my system, and what does a newbie do when he gets a nasty? He quarantines the folder or virus and deletes it. Guess what, you just damaged your PC. Yuck.

    Here's where Gladiator Antivirus came into play. Even though I killed the nasty, it was still on my computer, lol, harmless because it was in a restore file because of System Restore and GoBack, meaning that any files are dormant, inactive.

    No anti-virus or trojan detector will find this; the reason why is most likely because anything in a restore file can't hurt you, lol.

    So I had 3 Sub7s hiding out in System Restore that were sleeping; this was from rolling back with GoBack 3 times when I was trying to figure out how to save my 700MB share folder, lol.

    Gladiator Antivirus was the only thing that found them.
    Unfortunately nothing in the world can delete anything in a restore folder, which means GAV wouldn't kill it, nor Norton, nor TDS.

    Someone from the GAV team just told me to shut down System Restore, reboot, and it wiped it out, and start it again, lol, and check System Restore again. Yeahhhhhh, it worked.

    My point is I don't like the idea of a trojan hiding on my computer, regardless if it's harmless because it's locked and basically quarantined in a restore folder.

    And GAV was the only program that alerted me to it.

    I had tested TDS and Norton and everything else; it only detected the trojan on a right-click direct scan,

    meaning I had to know ahead of time it was there, while Gladiator did a full system scan and found all 3, lol.

    To me that's a good thing, and means GAV doesn't play favorites: a trojan is a trojan, whether it's harmless or quarantined. I want it out, lol, and want to know it's there.
     