Security Software

Old Malware Tricks Still Defeat Most AV Scanners

SkiifGeek writes "A year ago Didier Stevens discovered that padding IE malware with 0x00 bytes would happily slip past most of the scanners in use at VirusTotal.com. Revisiting his earlier discovery, Didier found that detection on his initial samples had improved, but not by much. For all the talk of AV companies moving away from signature based detection to heuristics, it is painfully obvious that not many of the tested engines can successfully handle such a simple and well known obfuscation method and the best of those that can detect the obfuscation can only detect it as a generic malware type. At least the scanning engines that can detect the presence of malware with the obfuscation aren't trying to claim each differential as a new variant."
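The padding trick in the summary, reduced to something you can run. This is an added example written for this page, not Didier Stevens' test files and not any AV engine's code. The "sample" is a constructed marker string, not malware, and the four scanners are toy stand-ins for detection strategies a signature engine might use: a whole-file hash, a byte pattern pinned to a file offset, a floating byte pattern, and a hash taken after stripping NUL padding. Whether the NULs were added before or after the file in the original test is an assumption here; both placements are exercised.

```python
import hashlib

# Constructed stand-in for a malicious sample. These bytes are NOT real
# malware: just a recognisable marker so the scanners below have
# something to match on.
SAMPLE = (b"<html><script>/* constructed-evil-marker */"
          b"var x = unescape('%u9090');</script></html>")

# What a signature-based engine might store for SAMPLE.
SIG_HASH = hashlib.sha256(SAMPLE).hexdigest()      # whole-file hash
SIG_BYTES = b"constructed-evil-marker"              # byte pattern
SIG_OFFSET = SAMPLE.index(SIG_BYTES)                # pattern pinned to an offset
SIG_HASH_NORM = hashlib.sha256(SAMPLE.strip(b"\x00")).hexdigest()


def pad(sample: bytes, leading: int = 0, trailing: int = 0) -> bytes:
    """0x00 padding in the spirit of the test described in the summary.
    Leading vs. trailing placement is an assumption of this example."""
    return b"\x00" * leading + sample + b"\x00" * trailing


def hash_scan(data: bytes) -> bool:
    """Exact whole-file hash: any change to the file defeats it."""
    return hashlib.sha256(data).hexdigest() == SIG_HASH


def offset_scan(data: bytes) -> bool:
    """Pattern pinned to a fixed file offset: breaks as soon as bytes are
    inserted in front of it."""
    return data[SIG_OFFSET:SIG_OFFSET + len(SIG_BYTES)] == SIG_BYTES


def substring_scan(data: bytes) -> bool:
    """Floating byte pattern: survives padding at either end."""
    return SIG_BYTES in data


def normalised_scan(data: bytes) -> bool:
    """Strip NUL padding before hashing. The stored signature must be built
    from the same normalised form, otherwise nothing ever matches."""
    return hashlib.sha256(data.strip(b"\x00")).hexdigest() == SIG_HASH_NORM


def scan_report(data: bytes) -> dict:
    """Run every scanner over one file and report which ones still fire."""
    return {
        "hash": hash_scan(data),
        "offset": offset_scan(data),
        "substring": substring_scan(data),
        "normalised": normalised_scan(data),
    }


if __name__ == "__main__":
    for label, variant in [("original", SAMPLE),
                           ("trailing NULs", pad(SAMPLE, trailing=4096)),
                           ("leading NULs", pad(SAMPLE, leading=16))]:
        print(f"{label:14s} {scan_report(variant)}")
```

Trailing padding alone is enough to kill the whole-file hash; leading padding also kills the offset-pinned pattern. The floating pattern and the normalise-then-hash scanner both survive, which is the kind of cheap pre-processing the summary faults most engines for not doing.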
  • by rickb928 ( 945187 ) on Friday November 07, 2008 @01:33PM (#25677363) Homepage Journal

    ...and this [xkcd.com] pretty much says it all. Even for Windows.

    We are in serious trouble, and have been for a while now. And nowhere to migrate to.

  • Re:Applied AI (Score:3, Informative)

    by Anonymous Coward on Friday November 07, 2008 @01:46PM (#25677493)

    http://en.wikipedia.org/wiki/Halting_problem

  • Re:uh oh (Score:3, Informative)

    by Anonymous Coward on Friday November 07, 2008 @02:42PM (#25678457)

    Detects 70%* of viruses, 60%** of malware, 20% of trojans***, and 1% of rootkits****!

    *Includes false positives
    **Includes tracking cookies
    ***Any generic threat found is counted as a virus and a trojan
    ****Removal of rootkits is not supported in AV Total Security Home 2008 + Firewall. To remove rootkits, you must purchase the value-add Anti-Rootkit Pro module.

    Just had a virus hit at work.
    Symantec 'detected' it but didn't stop it at all; within minutes we had ~60 computers infected.

    Thank god the other 1200 computers we have were running Linux.

  • by Schadrach ( 1042952 ) on Friday November 07, 2008 @02:44PM (#25678485)
    Virtumundo?
  • by Tony Hoyle ( 11698 ) * <tmh@nodomain.org> on Friday November 07, 2008 @02:57PM (#25678729) Homepage

    If it's the one I saw the driver even gets loaded in safe mode.

    You have to boot onto a rescue DVD and find the driver file, delete that and it'll stop the driver loading. Then boot into safe mode (if you boot into normal mode the user mode code will reinstall the driver) and find every copy of the executable and nuke it.

    If you miss one it's back to square one.

    Personally I'd just reinstall...

  • by Mister Whirly ( 964219 ) on Friday November 07, 2008 @03:23PM (#25679193) Homepage
    "I don't run an anti-virus at home, don't like them."

    I am not overly fond of most AV software either, but I like an infected machine even less.
  • by Anonymous Coward on Friday November 07, 2008 @05:21PM (#25681261)

    "I have discovered so far, that
    - it is installed as a Windows driver,
    - this driver gets notified at winlogon,
    - the driver creates an exe,
    - the exe executes and stays in memory,
    - the virus driver file then mutates and goes elsewhere, again to come back at the next logon; this mutation is what virus scanners can't work with,
    - spreads via Windows networking to other computers on the network, this however only if the other computers have any shared writable folders."
    - by mrops (927562) on Friday November 07, @01:40PM (#25678439)

    Install RECOVERY CONSOLE as a bootup option

    (Its installer alters boot.ini for this as it installs & it adds a bootup menu choice/option for using it once you reboot after installation of it)

    To install it, that is done from your OS installation media's I386 Folder, via the commandline ->

    winnt32.exe /cmdcons

    Once it is in place?

    You can issue the LISTSVC command there, & it will show this trojan/virus' name once you scan the list of drivers &/or services it presents (look carefully, & odds are, you will see it there).

    Then, you would use the DISABLE command on it (that stops both services, AND, DRIVERS too) - ENABLE is the opposite command, just so you know (&, in case you make a mistake here).

    APK

    P.S.=> The Windows Networking you mention? I am going to assume File & Print sharing via LanManager networking... & IF you don't use a home LAN (or, connect into a work LAN/WAN, remotely from this infected system)? You can actually REMOVE it a couple ways (easiest ones are stopping the SERVER service via services.msc & setting its startup type to DISABLED (server provides file & print sharing is why) OR, just go to your LOCAL AREA CONNECTION, & uncheck (if not totally remove) "File and Print Sharing" and "Client for Microsoft Networks" there (because all you REALLY NEED to be online, is Tcp/IP)... this will not only help secure you, & stall this machination on your system, BUT, it will also give you back CPU cycles, memory, & other forms of I/O too, because you will be cutting off things you may have running that you do NOT really need to be... IF you are not part of a LAN/WAN, that is... apk

  • by JCSoRocks ( 1142053 ) on Friday November 07, 2008 @06:06PM (#25681983)
    I've tried VLC recently but I couldn't even get it to play the audio track on a .MOV file... I dropped it shortly after that. Is MPlayer any better? I remember using it long ago but I stopped bothering to install it every time I rebuilt.
  • by Anonymous Coward on Friday November 07, 2008 @07:45PM (#25683311)

    In addition to what I posted originally here (thanks for the "modded up" status too, whoever did so):

    http://it.slashdot.org/comments.pl?sid=1021873&cid=25681261 [slashdot.org]

    ?

    To access & stop the "backup" of this trojan's driver, since it apparently is using a form of "phalanx-like" backup of itself & its constituent part? Well, go here, using REGEDIT.EXE, once you reboot (after using RECOVERY CONSOLE's LISTSVC, + DISABLE commands to stall the driver itself) because this 'backup' portion you're seeing @ WinLogon MAY undo what you did, in deactivating the trojan's driver portion:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    And, in the right-hand side pane of REGEDIT.EXE? Look for the SHELL line (should ONLY have Explorer.exe in it) - odds are, that's the part that's controlling this 2nd part you noted, that notifies the trojan's driver portion!

    Good luck!

    APK

    P.S.=> IF this thing's 2nd 'backup' portion isn't there, in the WINLOGON section you mentioned?

    Then, examining ALL other startup areas (prior to the explorer.exe shell logon by you), to find its other part...

    MSCONFIG.EXE is decent for this!

    Autoruns (sysinternals/MS) is also...

    OR

    Startup CPL (Mike Lin)

    Are ALL/EACH good candidates for the job...

    (If not digging for those sections via REGEDIT.EXE (You'll need a list of startup areas Window has though, & it's MUCH MORE MANUAL than the other tools I noted/listed, a downside of doing it manually really vs. using automators such as the progs I just listed))... apk

  • by ultranova ( 717540 ) on Friday November 07, 2008 @07:58PM (#25683453)

    So guess how hard it will be to get them to run a perl script as root - either via sudo or other means.

    Why would it need to run as root ? Running as a regular user, it can:

    1. Start as soon as the machine starts by simply adding itself to the user's crontab.
    2. Access the network, both TCP/IP and UDP/IP, and use all protocols that run on top of these.
    3. Read the user's address book.
    4. Listen to the user's keystrokes and mouse movements, as well as take screenshots (but probably not if written in perl).
    5. Attach itself as a debugger to any process owned by the user (such as the web browser), and read and control their internal state (but probably not if written in perl).

    Add the fact that Gnome starts a shitload of processes with weird names to help mask the virus process, and I can see no reason whatsoever why a Linux virus would need or even want root privileges. About the only thing it can't do is send raw ICMP packets. That would be useless anyway, since exploiting holes in kernel networking stack would make said holes get fixed very fast indeed.
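The crontab item in that list is also the easiest one to audit after the fact. What follows is an added example, not the commenter's code: a small parser over a user's `crontab -l` output (the text below is constructed for the example) that flags the entries a non-root implant would plausibly leave behind: @reboot triggers, an executable under /tmp or /dev/shm, or an executable tucked into a dot-directory. The heuristics and thresholds are this example's own assumptions.

```python
import re
import shlex

# Constructed `crontab -l` output for this example (not from the page).
# The @reboot and /tmp entries are the kind a non-root implant would add.
CRONTAB = """\
# m h dom mon dow command
MAILTO=""
0 3 * * * /usr/bin/backup-home.sh
@reboot /home/alice/.cache/.x/update >/dev/null 2>&1
*/5 * * * * /tmp/.s/sync --quiet
30 7 * * 1 /usr/local/bin/report
"""

# Heuristics (assumptions of this example; tune for your own estate).
TMP_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")   # anyone can write here
HIDDEN_DIR = re.compile(r"/\.[^/]+/")                  # a dot-directory in the path
ENV_LINE = re.compile(r"^\w+=")                        # VAR=value lines, not jobs


def parse_crontab(text):
    """Split user crontab text into (schedule, command) pairs, skipping
    comments, blank lines and environment assignments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        if line.startswith("@"):                      # @reboot, @daily, ...
            schedule, _, command = line.partition(" ")
        else:
            fields = line.split(None, 5)              # 5 time fields + command
            if len(fields) < 6:
                continue
            schedule, command = " ".join(fields[:5]), fields[5]
        entries.append((schedule, command.strip()))
    return entries


def audit_crontab(text):
    """Return (command, reasons) for entries that look like user-level
    persistence rather than ordinary scheduled work."""
    findings = []
    for schedule, command in parse_crontab(text):
        try:
            argv = shlex.split(command)
        except ValueError:                            # unbalanced quotes etc.
            argv = command.split()
        exe = argv[0] if argv else ""
        reasons = []
        if schedule == "@reboot":
            reasons.append("runs at boot")
        if exe.startswith(TMP_PREFIXES):
            reasons.append("executable in world-writable tmp")
        if HIDDEN_DIR.search(exe):
            reasons.append("executable under a hidden directory")
        # Silenced output is only a supporting signal, never a finding on its own.
        if reasons and re.search(r">\s*/dev/null", command):
            reasons.append("output silenced")
        if reasons:
            findings.append((command, reasons))
    return findings


if __name__ == "__main__":
    for command, reasons in audit_crontab(CRONTAB):
        print(f"{command!r}: {', '.join(reasons)}")
```

Run it against the real thing with `crontab -l -u <user> | python3 audit.py` after swapping the constant for `sys.stdin.read()`; the same checks apply, with different parsers, to ~/.config/autostart and the shell rc files the comment does not mention.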
