-- Examples --
1. Example: Dangers resulting from run-time compressed or crypted malware
To demonstrate that compressors and crypters are not merely a theoretical possibility for concealing a trojan (or other malware), we will show how easy it is to transform a well-known, widely spread trojan called Optix Lite 0.4 into a "stealth trojan" that cannot be detected by an AV scanner. Note that the following procedure is no longer an "underground secret", since malevolent persons have used this "trick" for a long time. Unfortunately, it still works ...
The first picture illustrates how convenient and easy it is to use such a crypter. It really takes only a few seconds to camouflage a trojan.
("Only two more mouse clicks and the trojan is crypted ...")
The second picture shows the result: the unpacked trojan next to the encrypted trojan.

("...and it's done.")
The following pictures demonstrate that a popular AV scanner detects only the unpacked trojan (but not the encrypted one) during an "on-demand scan" of the trojan files.


By the way, there is no reason to feel safe just because the so-called permanent real-time monitor or "on-access scanner" of your AV/AT software product is activated (the sample picture below shows Norton AutoProtect). If the on-demand scanner is unable to detect a scrambled trojan, this usually also applies to the on-access scanner (i.e., the trojan will be detected neither when it is executed nor while it resides in the computer's memory and performs its malevolent actions). The following screenshot demonstrates that the real-time monitor can prevent only the execution of an unpacked version of the Bionet 3.18 trojan. By contrast, the UPX-packed version of the trojan was executed and now makes itself comfortable in the computer's memory ...

Note: Usually, only AV/AT scanners that feature an unpacking engine or a similarly efficient technology can reliably detect compressed or crypted trojans.
2. Example: Dangers resulting from design flaws
To save time, AV/AT scanners frequently scan only parts of a file. For example, certain scanners first determine the entry point (i.e., the location where the executable code of an application begins) and then perform the signature scan at a location computed as a fixed distance from that entry point. This concept is severely flawed because moving the entry point with the help of a so-called PE editor is a matter of seconds. Frequently, moving the entry point does not affect the function of a malware program. However, the scanner will then perform the signature comparison at the wrong location and, therefore, the malware sample will not be detected.
The following screenshot illustrates how easy it is to move the entry point of the well-known trojan Bionet 3.18 from 9F20C to 9F20D:

The new entry point can simply be determined with the help of a PE editor.
Due to this minor manipulation, a well-known scanner fails to detect the malware sample (although it detects the original variant):
Note: Know your scanner's weaknesses. Never trust a single scanner (even if a software developer tells you that one scanner is more than enough).
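As an added example (not from the original article), the following Python reads the PE header fields the two examples above refer to and exercises both points on a constructed test image: for example 1, a cheap packer indicator (entry point in a writable and executable or packer-named section, the kind of flag a scanner needs an unpacking engine to follow up), and for example 2, a signature check anchored at a fixed distance from the entry point beside a full-file scan, showing that a one-byte entry-point move defeats only the former. The PE image, section names and signature bytes are constructed, and build_image is a test fixture rather than a real program.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".upx"}  # names commonly left by packers

def parse_pe(buf):
    """Return (AddressOfEntryPoint, [(name, vaddr, vsize, rawptr, rawsize, flags), ...])."""
    pe = struct.unpack_from("<I", buf, 0x3C)[0]              # e_lfanew -> "PE\0\0"
    if buf[:2] != b"MZ" or buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", buf, pe + 6)[0]          # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]     # COFF SizeOfOptionalHeader
    entry = struct.unpack_from("<I", buf, pe + 40)[0]        # optional header +16: AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = pe + 24 + opt_size + 40 * i                    # section table follows the optional header
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", buf, off)
        flags = struct.unpack_from("<I", buf, off + 36)[0]   # Characteristics
        sections.append((name.rstrip(b"\0"), vaddr, vsize, rptr, rsize, flags))
    return entry, sections

def entry_section(buf):
    """Section whose virtual range contains the entry point, or None if it lies outside all of them."""
    entry, sections = parse_pe(buf)
    return next((s for s in sections if s[1] <= entry < s[1] + max(s[2], s[4])), None)

def looks_packed(buf):
    """Packer indicator: entry point outside every section, in a writable+executable section, or in a packer-named one."""
    s = entry_section(buf)
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return s is None or s[0] in PACKER_SECTION_NAMES or (s[5] & wx) == wx

def entry_anchored_match(buf, sig, rel):
    """The flawed design from example 2: compare the signature only at entry point + rel."""
    s = entry_section(buf)
    if s is None:
        return False
    off = s[3] + (parse_pe(buf)[0] - s[1]) + rel             # translate the entry RVA to a file offset
    return buf[off:off + len(sig)] == sig

def full_scan_match(buf, sig):
    """Robust alternative: match the signature wherever it occurs in the file."""
    return sig in buf

def build_image(entry_rva, sec_name, sec_flags, code):
    """Constructed minimal PE32 fixture: DOS header, PE/COFF header, 96-byte optional header, one section at RVA 0x1000 / file offset 0x200."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 96, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, len(code), 0, 0, entry_rva).ljust(96, b"\0")
    sec = struct.pack("<8sIIIIIIHHI", sec_name, len(code), 0x1000, len(code), 0x200, 0, 0, 0, 0, sec_flags)
    return (dos + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0") + code
```

A real scanner would follow a positive looks_packed result by unpacking or emulating the sample rather than scanning it as-is, which is the unpacking engine the note in example 1 refers to.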
Last update: January 2005
