Old Malware Tricks Still Defeat Most AV Scanners
SkiifGeek writes "A year ago Didier Stevens discovered that padding IE malware with 0x00 bytes would happily slip past most of the scanners in use at VirusTotal.com. Revisiting his earlier discovery, Didier found that detection on his initial samples had improved, but not by much. For all the talk of AV companies moving away from signature-based detection to heuristics, it is painfully obvious that not many of the tested engines can successfully handle such a simple and well-known obfuscation method, and the best of those that can detect the obfuscation can only detect it as a generic malware type. At least the scanning engines that can detect the presence of malware with the obfuscation aren't trying to claim each differential as a new variant."
What, they lied about using heuristics? NEVER! (Score:4, Interesting)
Considering the arguments I got into between the words 'Signatures' and 'Heuristics' when it came to anti-virus, I'm not surprised.
They think heuristics are BLAH.*BLAH instead of BLAH...BLAH.
And even then, they don't get it right.
Re:Credit Card Companies (Score:5, Interesting)
While you are correct, the problem lies with the OS that needs the most AV support. Windows itself acts like a virus to change memory locations when certain apps are run. This is to ensure compatibility. With Vista msft has been trying to change such behaviour, but it took 6 years for msft to notice the problem, and it will take at least until Win7 for things to start working better. Linux and OSX don't suffer from such things as badly, as they deprecate old buggy features on a regular basis.
(Stupid) Useful Malware Tricks? (Score:3, Interesting)
...a bit OT, but sometimes I wonder when will be the year of malware on Linux or OS X.
Ugh! Scanners! (Score:4, Interesting)
This scanning aspect grows even more germane as we ascend into the commonality of terabyte drives.
We need better approaches to checking files for infections or payloads -- like checking them thoroughly once and then checking any newly created or altered ones at the time of alteration. But even there you take a performance hit, and I know most AV systems already do this to some extent (but will rescan all the drives periodically).
Ah, gotta love Windows. I much prefer to have a clean system and avoid any operations that might introduce a payload -- like running IE, for example.
Google's attempts to flag questionable sites are half-baked, and depend on GoogleBots catching the vulnerabilities before your browser does. And for the poor site owner that's been compromised, Google fails to provide enough details for the site owner to eliminate the potential problems.
Well, I don't use Windows as my primary platform for a number of reasons, virus vulnerabilities being one of them. Not to say Linux doesn't have its share, but they are far less common and if you keep up with the latest upgrades, you'll do OK for the most part.
I think we need to go in a direction of relying on hypervisor-wrapped OSes that can do selective rollbacks to the points before infection. This way, you eliminate the need for scanning everything all the time and better yet, you might put some of the malware protection in the hypervisor itself, at a level the guest OS or the malware could never detect nor evade.
Just a thought for free for some enterprising individual to go make $$$$ from!
Didn't Consumer Reports say this years ago? (Score:5, Interesting)
A few years back, Consumer Reports took some malware and made some trivial changes and almost all the AV vendors failed that simple test.
If you recall the AV vendors criticized Consumer Reports because they claimed it was the equivalent of producing new malware and that it was irresponsible.
Bottom line... this pretty much proves that AV has little or no value. You use it because everybody tells you that you have to use it, not because it provides any sort of comprehensive security (it doesn't even come close).
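Both the NUL-padding finding in the summary and the Consumer Reports anecdote in the comment above come down to the same weakness: a byte-pattern signature stops matching as soon as the bytes move, while the content the browser actually executes is unchanged. The Python below is an added example, not code from Didier Stevens, VirusTotal, Consumer Reports or any AV vendor. The "malware" is a constructed, harmless HTML fragment; the signature string, the NUL-ratio threshold and the interleaving pattern in nul_pad() are my own assumptions (the original post says only that the sample was padded with 0x00 bytes). It shows a naive signature missing the padded sample, a normalizing scanner catching every padded variant with the same single signature, and a generic NUL-density heuristic flagging the obfuscation without needing to know which family it hides.

```python
import hashlib

# Constructed stand-in for an "IE malware" HTML sample: harmless, but it
# carries the kind of literal a byte-pattern signature would key on.
SAMPLE = b'<html><script>var s="ADODB.Stream";x=new ActiveXObject(s);</script></html>'

# Hypothetical signature: a fixed byte string the scanner looks for.
SIGNATURE = b'new ActiveXObject'

# Assumed threshold: HTML/script text normally contains no NUL bytes at all,
# so even a modest ratio is worth a generic "obfuscated content" flag.
NUL_RATIO_THRESHOLD = 0.1


def nul_pad(data: bytes, every: int = 1) -> bytes:
    """Interleave one 0x00 byte after every `every` input bytes.

    Models the padding trick from the summary; `every` is an assumed knob so
    that several distinct 'variants' can be produced from one sample.
    """
    out = bytearray()
    for i, b in enumerate(data):
        out.append(b)
        if (i + 1) % every == 0:
            out.append(0x00)
    return bytes(out)


def naive_signature_match(data: bytes) -> bool:
    """Pure byte-pattern matching: what a signature-only engine does."""
    return SIGNATURE in data


def normalize(data: bytes) -> bytes:
    """Canonicalize before matching: drop NUL bytes so padded and unpadded
    copies of the same sample collapse to one byte string."""
    return data.replace(b'\x00', b'')


def nul_ratio(data: bytes) -> float:
    """Fraction of the bytes that are 0x00."""
    return data.count(0) / len(data) if data else 0.0


def nul_heuristic(data: bytes) -> bool:
    """Generic heuristic: text content with many NULs is suspicious by itself,
    independent of any particular signature."""
    return nul_ratio(data) > NUL_RATIO_THRESHOLD


def scan(data: bytes) -> dict:
    """Run the three checks and report the sample's hash, so variants that
    differ only in padding can be compared side by side."""
    return {
        'sha256': hashlib.sha256(data).hexdigest(),
        'naive': naive_signature_match(data),
        'normalized': naive_signature_match(normalize(data)),
        'heuristic': nul_heuristic(data),
    }


if __name__ == '__main__':
    for every in (0, 1, 4):
        variant = SAMPLE if every == 0 else nul_pad(SAMPLE, every)
        r = scan(variant)
        print(f"pad every {every or '-'}: naive={r['naive']} "
              f"normalized={r['normalized']} heuristic={r['heuristic']} "
              f"sha256={r['sha256'][:16]}...")
```

Run as-is and the unpadded sample is caught by all paths, while each padded variant has a different SHA-256 and defeats the naive match, yet normalizes back to the identical original and trips the NUL heuristic. That is the practical difference between "a new variant per differential" and one signature applied after canonicalization.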
Re:Credit Card Companies (Score:5, Interesting)
The thing about anti-virus software is that it stupidly tries not to be intrusive. AV software could be pretty much 100% effective with a few tiny changes, but those changes would make it more visible and annoying.
This won't protect against scripting language malware and exploits of ActiveX (or other in-process DLL code), but it will tend to stop what they can do in the long run. Exploit code can create an executable in some directory, but it won't be able to be run without a warning, even if that code contains no known virus.
Re:Padding with 0x00 bytes? (Score:5, Interesting)
Man, let me tell you, viruses have evolved. Really evolved. I don't run an anti-virus at home, don't like them.
In a moment of weakness I started watching a downloaded version of Stargate, missed it on Friday :( The WMV movie asked for a "codec" to be installed, guess what... (I know I should have known better.)
It's been 4 weeks and I am still struggling with this virus. Most virus scanners detect this beast, however in my last 4 weeks, none can properly clean it. This has become somewhat of a challenge.
I have discovered so far, that
- it is installed as a Windows driver,
- this driver gets notified at winlogon,
- the driver creates an exe,
- the exe executes and stays in memory
- the virus driver file then mutates and goes elsewhere, again to come back at the next logon, this mutation is what virus scanners can't work with.
- Spreads via Windows networking to other computers on the network, though only if the other computers have any shared writable folders.
Yesterday I discovered the crappy thing downloads and installs stuff off the internet.
Fortunately I have all data backed up.
I can re-install my XP anytime, but this has become too challenging to let go.
Here is a kicker, I tried infecting a qemu emulated XP VM, guess what, there is a newer version of the virus, somewhat different than 4 weeks ago. The new codec that downloaded wasn't the same that got downloaded to my machine.
So it seems these virus/trojan developers are well funded and doing this as a day job. Hoping this trojan shares some mp3s so RIAA can go after them, they seem to be more effective than FBI in tracking this kind of a thing.
Here's some good news: my dad's Vista PC is immune to this virus, so Microsoft may have done something right, or maybe the virus/trojan developers are not targeting Vista.
Re:Ugh! Scanners! (Score:4, Interesting)
What I don't understand is how I run NO A/V software (no, really) - I just run Sygate, a software firewall - and I have not gotten any trojans or viruses in the last... 10 years? Yeah I guess I could have one and not know about it, but I doubt it, disk activity and network activity seems normal (except when Skype decides to route a call thru me, why can't people get their own IPv6 IPs damnit??), and I occasionally run a virus/rootkit scanner over my machine and they come up clean.
A/V is probably unnecessary, if you have a reasonable knowledge of how to use a computer. Yeah, most don't, but you're posting on Slashdot so you probably do. Why do you use one at all?
One reason: Kids.
One kid uses Linux as much as he uses Windows, and understands how to avoid malware. Alas, he has a lot of friends over that have not learned these important lessons.
Not to mention my other -- younger -- kid, who insists on downloading malware from Disney and other sites that *insist* on using IE to run at all.
Re: of course (Score:3, Interesting)
I am a web developer, quite proficient in javascript, and agree with the GP. No site should *require* js for navigation. There are established ways to mark up your menus, no matter how complex they may be, so that they may be navigated with js turned off while perhaps having enhanced usability or attractiveness for those who allow it to run. This is absolutely essential in the modern web: your most important visitor, the googlebot, doesn't run javascript - and obviously you want it to be able to follow links on your site.