Scanner weaknesses with trojans

Hi fellow forum members,

Producers of AV/AT solutions that do not use a workable unpacking engine have to use other methods to detect crypted or packed malware. Such vendors often add signatures of ready-packed or crypted malware to their databases. Signatures added in this way are made for malware that is already in the database, so not only the original but also some variants are there that may be detected.

Because of the multitude of packers and crypters available and the various compression levels and adjustments possible, one can easily imagine that it is almost impossible to catch them all. That would also mean that AV/AT scanners become very slow, so there has to be some sort of limited list; besides, malware artists know exactly what kind of packer or crypter could trick which AV/AT scanner. When an AV/AT scanner has the special signature for packed and encrypted trojans, only the scanning of relatively unknown trojans will reveal whether the unpacker engine is functioning as designed. In this case, with a good unpacking engine, only one malware signature is needed, but then again some polymorphic trojans can be missed, and these are around, e.g. MoSucker 3.0. If a specific unpacking method is not sustained, one must fall back on previous methods. With a hex editor it is possible to cheat on the data packer header info, but that is not enough to cheat a good unpacking engine.

Some unpacking engines also have so-called emulation: the code is emulated inside a virtual environment or sandbox to be analyzed, and this stops all unknown packing routines in their tracks. Especially so when the scanner also looks for safe-point signatures; see for further info: http://safeurl.de/?http://www.norman.com/documents/nvc5_sandbox_technology.pdf

polonus
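As an added illustration (not part of the thread or of any vendor's engine), the small Python model below contrasts the two approaches polonus describes: a signature taken from the packed sample itself, which only matches that exact packing, versus a scanner that recognizes a known packer stub, unpacks, and rescans with the single signature for the unpacked body. The "payload", the `TOYPACK1` stub format and the signature strings are all constructed for this example; zlib stands in for a real packer, and changing the compression level stands in for the "various compression levels and adjustments" mentioned above.

```python
import zlib

# Constructed stand-in for a known malware body (no real malware involved):
# the marker string plays the role of the byte pattern an AV signature targets.
PAYLOAD = b"MZ" + b"\x90" * 16 + b"example-bad-behaviour-marker" + b"\x00" * 32

# Signature database built from the *unpacked* body (one entry suffices).
SIGNATURES = {"Example.Trojan.A": b"example-bad-behaviour-marker"}

# Toy packer format (constructed): 8-byte stub marker, 1 level byte, zlib stream.
PACK_MAGIC = b"TOYPACK1"
HEADER_LEN = len(PACK_MAGIC) + 1


def toy_pack(data, level=6):
    """Pack `data` behind a fixed stub, like a simple compressing packer."""
    return PACK_MAGIC + bytes([level]) + zlib.compress(data, level)


def toy_unpack(blob):
    """Known-packer unpacker: applies only when the stub is recognized."""
    if not blob.startswith(PACK_MAGIC):
        return None
    try:
        return zlib.decompress(blob[HEADER_LEN:])
    except zlib.error:
        return None


def scan_raw(blob, signatures=SIGNATURES):
    """Plain byte-pattern scan; returns the first matching signature name."""
    for name, sig in signatures.items():
        if sig in blob:
            return name
    return None


def packed_variant_signature(packed_blob, length=16):
    """The 'add the packed sample to the database' approach: bytes taken from
    the compressed stream (including its 2-byte zlib header)."""
    return packed_blob[HEADER_LEN:HEADER_LEN + length]


def scan_with_unpacking(blob, unpackers=(toy_unpack,), max_depth=4):
    """Scan, then try each known unpacker and rescan the result.
    Depth is bounded so nested packing cannot make the scan run forever."""
    for _ in range(max_depth + 1):
        hit = scan_raw(blob)
        if hit is not None:
            return hit
        for unpack in unpackers:
            inner = unpack(blob)
            if inner is not None:
                blob = inner
                break
        else:
            return None  # no known unpacker applies: the engine is stuck here
    return None


def demo():
    packed6 = toy_pack(PAYLOAD, 6)
    packed9 = toy_pack(PAYLOAD, 9)
    # Database extended with the packed variant as observed at level 6.
    db = dict(SIGNATURES)
    db["Example.Trojan.A.packed"] = packed_variant_signature(packed6)
    return {
        "raw_scan_packed6": scan_raw(packed6),           # body sig misses packed file
        "variant_sig_packed6": scan_raw(packed6, db),    # packed-variant sig hits
        "variant_sig_packed9": scan_raw(packed9, db),    # same packer, other level: miss
        "unpack_scan_packed6": scan_with_unpacking(packed6),
        "unpack_scan_packed9": scan_with_unpacking(packed9),
        "unpack_scan_nested": scan_with_unpacking(toy_pack(packed9, 1)),
        "unknown_stub": scan_with_unpacking(b"OTHERPK1" + packed6[len(PACK_MAGIC):]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `unknown_stub` case is the situation polonus calls "a specific unpacking method not sustained": the stub is not on the scanner's limited list, so the engine has nothing to fall back on but a raw scan, which the packing defeats. The bounded `max_depth` is the kind of limit a real engine needs so that layered packing does not turn the scan into the slowdown the post warns about.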

I wonder how avast! handles this? Does it have a similar technology to Norman’s Sandbox?

Thanks

Mikey

Avast is quite good in terms of unpacking. We’re currently able to unpack some 80-90% of all malware, and are constantly adding new unpackers (see the avast revision history page for a proof :)).

A generic unpacker (emulator-based) is planned for avast 5, but let me just say that the situation is quite different from what’s been said in the article quoted by Polonus. The hard packers (that we don’t currently have covered) are more anti-disassembly and anti-tampering tools than mere packers and are generally very hard to crack. So a generic unpacker (without prior knowledge of the tricks used by the packer) either cannot unpack it at all (gets lost somewhere in the anti-debugging traps) or takes ages to do the job…

In other words, generic unpacking is a nice feature to have, but is definitely not a panacea…

Vlk

Wow, I see… I’m glad avast! has so many unpackers covered. I’m sure a lot of users will feel much better knowing this (me included). I’m also glad to hear that you guys are working on “generic unpacking” for version 5 (lol, can’t wait for it, and yes, I know we’ll have to wait a year or two for that).

P.S.: And what is even more impressive is that you guys are still working now, considering what day it is today and what the time is here in Europe… :o

Cheers

Mikey

Hi you all, Vlk and ReVaN, and others,

Yes, I am glad too, and I think this forum is a wonderful way of exchanging information, and it is stimulating for the end-user and the developer of our AV solution of choice. I think this is rather unique, and we should cherish this. It is for the mutual benefit of all that have an interest in keeping computers clean.
I am glad to be part of this process,

polonus

Glad to know, Vlk… Isn’t it possible to start a thread, maybe in the Announcements forum, about the ‘new’, planned features of avast 5?

Hi Tech,

Well, this information would be rather general than explicit. Why do you think we have all these viruses and malware in the first place? Because malware authors can read and analyse what security people or developers of software put out for their very eyes. There was no virus for the mobile phone, because the workings were not to be read by everyone, including those with bad intentions. So this information must be classified, and that is better for us, as it is for the malware developers. I always wonder why you can find proof-of-concept code everywhere; people are going to try it or resource-hack it. Or do you have another view in this matter?

polonus

Good to hear, Vlk :slight_smile: I hope you guys will put maximal effort into detection for avast! 5.0. The GUI and overall features are mostly a level above other AVs, but detection is still, and will probably always be, the most demanding thing that is never really reached (the same applies to all AVs, not just avast!). Keep us posted with such “small” development secrets :slight_smile: