Does any common malware encrypt its signature? Do commercial AV companies detect such malware?

The LA Times reports that the same family of virus/malware/badware that infected Target a couple of years ago is making the rounds again this year, targeting retailers.  The interesting thing to me was that the badware uses encryption to change its signature.

My question is whether any 'common' badware such as detectable by today's commercial engines have this capability.  Names would be nice or just an acknowledgement that such badware exists.  I'm curious as to how the commercial anti-virus companies even detect this type of badware, maybe they know of an initial signature that's always present before the badware morphs, and they detect this signature?

RL

Re: Does any common malware encrypt its signature? Do commercial AV companies detect such malware?

After serious thinking RayLopez99 wrote:

This is the essence of what separates viruses from most other malware.  
Most of today's malware uses server side polymorphism to change its  
signature, but the polymorphic viruses accomplished this all by  
themselves.

Basically, they encrypt themselves as they reproduce and make a  
decryptor to decrypt it when the offspring itself executes. Then AV  
(not so much AM) detects the decryption algorithm which itself has  
polymorphism.

AV often has to emulate an execution environment to sandbox the  
decryptor to allow the beast to decrypt itself enough for not only  
detection, but for identification. This is one major reason why some of  
us like to emphasize that "virus" and "malware" are different despite  
what the average Joe thinks.

Actually, this technology is fairly old now, and it will be found in  
worms and viruses (self-replicating malware) which are less common than  
they used to be, and why one needs both AV *and* AM instead of just AM  
software.

You might like reading this:

https://www.symantec.com/avcenter/reference/hunting.for.metamorphic.pdf

Re: Does any common malware encrypt its signature? Do commercial AV companies detect such malware?

FromTheRafters has brought this to us:

[...]

Also this if you still want more. Still, these are more than a decade  
old now.

https://web.archive.org/web/20070602060312/http://vx.netlux.org/lib/vmd01.html

Re: Does any common malware encrypt its signature? Do commercial AV companies detect such malware?

FromTheRafters submitted this idea:

Yet another article, this one more recent (like the Chicxulub event is  
recent).

https://securelist.com/analysis/publications/36305/review-of-the-virus-win32-virut-ce-malware-sample/

Maybe David H. Lipman knows of something more recent.

Re: Does any common malware encrypt its signature? Do commercial AV companies detect such malware?


A variation of the theme.  reFUD.me was a script kiddie site that had
two functions.  One was to host multiple anti malware scanners, including  
Malwarebytes' Anti-Malware, and for a fee you can have your new malware  
scanned for detection without the files going to any anti malware vendors.

The second was "Cryptex Reborn" where you can get the malware binary  
crypted.  Then you can scan the file again without the file being submitted  
to anti malware vendors.  Once that malware binary was shown to no longer  
have detections, it was released into the wild.

hxxp://www.refud.me/reborn.php
"Cryptex Reborn offers the widest variety of options, giving you the chance  
to adapt to any situation and file. Each file will be 97% unique..."

In late October one of the site owners complained Malwarebytes was blocking  
access to the  reFUD.me site.

A sock puppet was created so the site owner could double team Malwarebytes.

It actually was quite funny how they said they would take action against  
Malwarebytes and the sock puppet actually wanted to get an employee in  
trouble.

The sock puppet wrote...
"I want to suggest to demote the moderator Zynthesist.

His behaviour is strictly improfessional and should not be accepted."

and...

"It is very clear for everyone to see that the website is not malicious and  
should not be blocked."

It was funny because they had unclean hands.  They were using Malwarebytes'  
software in a money making venture, that was malicious in nature, and had no  
license to use the software in that fashion but wanted to take action  
against Malwarebytes.

https://forums.malwarebytes.org/index.php?/topic/174483-refudme/
https://forums.malwarebytes.org/index.php?/topic/174624-refudme-2/

However, UK LE didn't see it as reFUD.me  actors saw it.  They took control  
over the server and arrested the site owners.

http://www.zdnet.com/article/uk-men-arrested-for-helping-malware-bypass-antivirus-protection/

During the month of November the reFUD.me  actors may have orchestrated a  
DDoS attack on Malwarebytes.

--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: Does any common malware encrypt its signature? Do commercial AV companies detect such malware?

David H. Lipman presented the following explanation:

Thanks David, I was unaware of this interesting development. The nerve  
of some people!

Re: Does any common malware encrypt its signature? Do commercial AV companies detect such malware?



It is cached content by Google (don't know how long though)

http://webcache.googleusercontent.com/search?q=cache:http://www.refud.me/reborn.php

http://webcache.googleusercontent.com/search?q=cache:http://reFUD.me/scan.php

http://webcache.googleusercontent.com/search?q=cache:http://reFUD.me/history.php

--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: Does any common malware encrypt its signature? Do commercial AV companies detect such malware?

On Friday, November 27, 2015 at 8:45:15 PM UTC+8, David H. Lipman wrote:

This raises indirectly the issue of whether, if you have a new .exe file, how you can have it submitted to anti-virus vendors to put it on their "clean" list....I once did this for some program I released free, and after a week or so I got a 'nothing bad with this software' green icon when presenting it to some online 'is this software good or malware' site (details escape me, it's been a few years).

Also Visual Studio 2015 has a built-in function where you can submit your proposed program to Microsoft's 'Store' (sic, not sure that's their name, but I think it is) and have it vetted as 'clean' and/or 'approved' or not.

In short, it seems that polymorphic virus/badware is alive and well, but the internet has moved to a more 'AOL'/'gated community' model where only approved software is sold, and most people don't click on attachments anymore.

PS--topic for another thread, but I still haven't understood how a browser visiting a malware site can infect your PC...I'd like a tutorial on how this is done, maybe high-level, but something a bit technical.  I have seen SQL injection attacks explained and buffer overflows but that's about it.

RL

Re: Does any common malware encrypt its signature? Do commercial AV companies detect such malware?

On 2015-11-26 06:40, FromTheRafters wrote:
[...]

This is like emphasising the difference between "peach" and "fruit".  
Illogical.

Since "malware" includes a number different types of evil (trojans,  
spyware, etc) the "average Joe" quite logically includes viruses. That's  
how a normal language user decodes unfamiliar terminology.

It's important for people to understand the different types of malware,  
so discuss them, instead of emphasizing a difference that's now of  
merely historical interest.

Have a good day,

--  
Best,
Wolf K
kirkwood40.blogspot.ca

Re: Does any common malware encrypt its signature? Do commercial AV companies detect such malware?

Wolf K expressed precisely:

You are, of course, welcome to think whatever you like.

Re: Does any common malware encrypt its signature? Do commercial AV companies detect such malware?

On 2015-11-26 08:54, FromTheRafters wrote:

You are, of course, welcome to ignore linguistics.

--  
Best,
Wolf K
kirkwood40.blogspot.ca

Re: Does any common malware encrypt its signature? Do commercial AV companies detect such malware?

Wolf K presented the following explanation:

I'm aware of the common man's use of the term, and I'm not insisting
that anyone use the word virus for malware when they don't care about  
the difference. They can use whatever term they like. It is still a  
fact that they are different animals, especially in the case of Ray's  
query. If it doesn't reproduce itself, it can't reproduce a morph of  
itself which has an encrypted version of the code used in the detection  
string.

I stand by my statement that this is a case where the distinction  
actually has a difference.

Re: Does any common malware encrypt its signature? Do commercial AV companies detect such malware?

"FromTheRafters" wrote:

Correct, Mr Spock.

He's right. To the general public the word virus and malware (as we
would say) are synonymous. They're not interested in the differences
between a virus, worm, trojan or PUP; to them they are all viruses.
For some reason the words "computer virus" have become the all
encompassing term that we would call malware. Yes, "malware" does
include viruses if you accept that viruses are malicious.

WRT R Lopez's OP; it is very easy to create an executable that has a
unique signature on every download. There is no need for any special
encryption techniques. One way would be to build an executable with a
section that is never used and fill it with random data. A script on
the server then generates a random section and puts the thing together
when the file is requested.



Re: Does any common malware encrypt its signature? Do commercial AV companies detect such malware?

Ant presented the following explanation:

Yes, I believe that I mentioned server side polymorphism. Ray asked  
about malware which encrypts its own signature as opposed to malware  
which has its encryption or other polymorphism applied from without.

Re: Does any common malware encrypt its signature? Do commercial AV companies detect such malware?

"FromTheRafters" wrote:

So you did.

I'm not sure what he means by "the badware uses encryption to change
its signature". That would imply a virus. However, "badware" could
mean the controlling software that generates the usual type of malware
(real viruses are rare these days) - in which case my example applies.



Re: Does any common malware encrypt its signature? Do commercial AV companies detect such malware?

Ant brought next idea:

Indeed. I considered the idea of exploit kits as well. He didn't say  
virus so there was no need to go into the is it a virus or not debate  
and he should be commended for using the term malware. Going by the  
post's subject line it seemed to me that he was asking about malware  
whose signature is determined and yet then changed by that very same  
malware, such as the 'polymorphic slow' virus as mentioned in this  
article.

http://repo.hackerzvoice.net/depot_madchat/vxdevl/vdat/polyevol.htm

"'Slow polymorphic' viruses are one such method. They are polymorphic,  
but all samples generated on the same machine will seem to have the  
same decryptor. This may mislead an anti-virus producer into attempting  
to detect the virus with a single search string, as if it was just a  
simple encrypted but not polymorphic virus."

Re: Does any common malware encrypt its signature? Do commercial AV companies detect such malware?

On Friday, November 27, 2015 at 9:37:12 AM UTC+8, FromTheRafters wrote:

I thank you for the "repo" link; it suggested a lot.

I also code for fun (I do demos of stuff that I want built, then generally hand it over to professional programmers; C# is my language), and I'm amazed at how much faster an optimized program is over a non-optimized program (10-100x, and I do try and optimize code).

So my next question is:  how do AV scanners scan so fast?  Do they have a special "emulator sandbox" that will try and 'run' a suspected piece of malware?  I doubt it, since if so, the virus writer will defeat such emulator by simply introducing delay into their malware, such as by having the malware 'wait' 5 seconds before doing anything; this will defeat an emulator sandbox since time is of the essence and time = money, so no time can be wasted by AV companies.

I think therefore the AV companies rely on SHA fingerprints, and use a lookup table or dictionary to see if there's an infection, with 'new' malware updated hourly, daily, by the AV company.  Below is also a disclaimer from the article linked to that suggests there's other things not mentioned.

Long story short:  I don't think 'polymorphic' malware is easy to detect, and I doubt AV companies spend much time trying to; rather, they go for 'center mass' and detect 'common' viruses that have an easy-to-detect digital fingerprint, then the AV companies broadcast the daily 'solution' to such 'common' badware.  It's quick and dirty, and for most people 'good enough'.  That's probably why you should do daily backups of important files.

I also think that's how Stuxnet and other such viruses are propagated:  unless and until such badware becomes "popular" (infects enough machines to get on the radar screen of the AV companies), it remains undetectable.

RL


The article is not an attempt at a complete description of Virut.ce, nor is it intended to be. We could have gone deeper into how the virus communicates with the IRC server, or examined more closely the details of how files are infected, but this time we deliberately dwelt on Virut's basic mechanisms. Additionally, publishing a detailed description of the anti-emulation techniques would be irresponsible as malware writers could then exploit this information.

Re: Does any common malware encrypt its signature? Do commercial AV companies detect such malware?

It happens that RayLopez99 formulated:

Essentially, yes. Add to that the armoring of a virus or other malware  
which is not so much to evade automatic detection by AV software, but  
to make the malware reverse engineering task more difficult. It makes  
their 'zero-day' last longer.

If you're not tired of reading yet:

http://www.symantec.com/connect/articles/who-goes-there-introduction-access-virus-scanning-part-two

Re: Does any common malware encrypt its signature? Do commercial AV companies detect such malware?

Ant pretended:

Indeed. I considered the idea of exploit kits as well. He didn't say  
virus so there was no need to go into the is it a virus or not debate  
and he should be commended for using the term malware. Going by the  
post's subject line it seemed to me that he was asking about malware  
whose signature is determined and yet then changed by that very same  
malware, such as the 'slow polymorphic' virus as mentioned in this  
article.

http://repo.hackerzvoice.net/depot_madchat/vxdevl/vdat/polyevol.htm

"'Slow polymorphic' viruses are one such method. They are polymorphic,  
but all samples generated on the same machine will seem to have the  
same decryptor. This may mislead an anti-virus producer into attempting  
to detect the virus with a single search string, as if it was just a  
simple encrypted but not polymorphic virus."
