Poor heuristics and static unpacking

In recent times I've noticed that the trends are changing when it
comes to virus detection.  Heuristic technology is improving and
engines heavily dependent on signature updates are slipping when it
comes to virus reaction and detection in the first place. Those who
use the static unpacking method and rely heavily on this (i.e. KAV) are not
detecting a lot of malware even though under the packing it's
virtually unmodified.

When will good signature databases simply not be enough?
When will static unpacking become unfeasible to maintain?

Just a few thoughts....

--
Regards, Ian Kenefick
http://www.IK-CS.com

Re: Poor heuristics and static unpacking


| In recent times I've noticed that the trends are changing when it
| comes to virus detection.  Heuristic technology is improving and
| engines heavily dependent on signature updates are slipping when it
| comes to virus reaction and detection in the first place. Those who
| use the static unpacking method and rely heavily on this (i.e. KAV) are not
| detecting a lot of malware even though under the packing it's
| virtually unmodified.
|
| When will good signature databases simply not be enough?
| When will static unpacking become unfeasible to maintain?
|
| Just a few thoughts....
|

An example will be the Media Codecs and DigiKeyGen sites producing all the ZLob
Trojans.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Poor heuristics and static unpacking

On Sun, 04 Jun 2006 21:36:11 GMT, "David H. Lipman"


Yeah - I noticed the modifications are sometimes coming out more
frequently than the signatures that detect them.

Just take a look at this...

http://www.kaspersky.com/viruswatchlite?search_virus=zlob&x=0&y=0&hour_offset=-3

There are many pages of detections added for this single threat. This
is just one example though. What about all those bots!!?

--
Regards, Ian Kenefick
http://www.IK-CS.com

Re: Poor heuristics and static unpacking



|
| Yeah - I noticed the modifications are sometimes coming out more
| frequently than the signatures that detect them.
|
| Just take a look at this...
|
|
http://www.kaspersky.com/viruswatchlite?search_virus=zlob&x=0&y=0&hour_offset=-3
|
| There are many pages of detections added for this single threat. This
| is just one example though. What about all those bots!!?
|

McAfee is starting to come around.  I submitted some samples to AVERT/WebImmune
today and I got a "new detection" of "Generic Downloader.q" for all the variants
submitted, and WebImmune created an EXTRA.DAT file for it.

This is very new as I have been trying to get McAfee to do better on the
detection of these ZLob installers for a month now.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Poor heuristics and static unpacking

On Sun, 04 Jun 2006 22:14:24 GMT, "David H. Lipman"


I saw that earlier. Surely Generic Detection should have been added a
while ago. I know NOD32 added generic detection, then the samples were
modified and new generic detection is being released by ESET also for
this (according to Marcos).

Still though... those with support for generic unpacking (emulation)
are performing better in this instance. There are many more examples.

--
Regards, Ian Kenefick
http://www.IK-CS.com
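A toy illustration of the gap Ian describes in the opening post and again above, where a static unpacker keyed to a known packer misses a repacked sample while generic unpacking (emulation) still reaches the unchanged body. This is an added example, not code from any poster or from any AV product; the two-opcode decoder stub, the payload bytes and both packer variants are constructed for the demonstration.

```python
import hashlib

XOR, ADD = 0x01, 0x02  # toy decoder-stub opcodes the emulator understands

# Constructed stand-in for the malware body that stays the same under every repack.
PAYLOAD = b"constructed inert toy body: pretend downloader"
PAYLOAD_SIG = hashlib.sha256(PAYLOAD).hexdigest()  # signature on the unpacked body

def run_stub(stub, body):
    """Emulate the decoder: apply each (op, arg) in order to every byte."""
    out = bytearray(body)
    for op, arg in stub:
        for i, b in enumerate(out):
            out[i] = (b ^ arg) if op == XOR else (b + arg) & 0xFF
    return bytes(out)

def pack(payload, stub):
    """Sample = header (op count, then op/arg pairs) + body encoded so that
    running the stub's ops in order recovers the payload."""
    body = bytearray(payload)
    for op, arg in reversed(stub):  # inverse ops, applied in reverse order
        for i, b in enumerate(body):
            body[i] = (b ^ arg) if op == XOR else (b - arg) & 0xFF
    header = bytes([len(stub)]) + b"".join(bytes([op, arg]) for op, arg in stub)
    return header + bytes(body)

def parse(sample):
    n = sample[0]
    stub = [(sample[1 + 2 * i], sample[2 + 2 * i]) for i in range(n)]
    return stub, sample[1 + 2 * n:]

KNOWN_STUB = [(XOR, 0x5A)]  # the one packer version the engine has a routine for

def static_unpack(sample):
    """Static unpacking: fires only when the stub matches a known packer exactly."""
    stub, body = parse(sample)
    if stub != KNOWN_STUB:
        return None  # unknown packer variant: the engine never sees the body
    return bytes(b ^ 0x5A for b in body)  # hard-coded inverse for that packer

def generic_unpack(sample):
    """Generic unpacking: run whatever decoder the sample carries."""
    stub, body = parse(sample)
    return run_stub(stub, body)

def detected(unpacked):
    return unpacked is not None and hashlib.sha256(unpacked).hexdigest() == PAYLOAD_SIG

def compare(sample):
    """(static result, generic result) for one sample."""
    return detected(static_unpack(sample)), detected(generic_unpack(sample))

ORIGINAL = pack(PAYLOAD, KNOWN_STUB)                      # known packer
REPACKED = pack(PAYLOAD, [(ADD, 0x11), (XOR, 0x3C)])      # modified packer, same body
```

compare(ORIGINAL) gives (True, True); compare(REPACKED) gives (False, True), the repacked variant slipping past the static routine while the emulated unpack still matches the body signature.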

Re: Poor heuristics and static unpacking


| On Sun, 04 Jun 2006 22:14:24 GMT, "David H. Lipman"
|
|
| I saw that earlier. Surely Generic Detection should have been added a
| while ago. I know NOD32 added generic detection, then the samples were
| modified and new generic detection is being released by ESET also for
| this (according to Marcos).
|
| Still though... those with support for generic unpacking (emulation)
| are performing better in this instance. There are many more examples.
|

Yes there are indeed more examples.  The AV companies do need to adapt faster to
the changes in the malware threat.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Poor heuristics and static unpacking

On Sun, 04 Jun 2006 23:22:07 +0100, Ian Kenefick


Seems to me the downside of increasing heuristic/generic detections
is the increasing problems of false alarms, misidentifications, and
inability to clean. In fact, it seems increasingly dangerous with some
av now for users in deep doodoo to blindly scan with clean/delete
enabled since they are putting legit files in danger.

Art
http://home.epix.net/~artnpeg


Re: Poor heuristics and static unpacking



|
| Seems to me the downside of increasing heuristic/generic detections
| is the increasing problems of false alarms, misidentifications, and
| inability to clean. In fact, it seems increasingly dangerous with some
| av now for users in deep doodoo to blindly scan with clean/delete
| enabled since they are putting legit files in danger.
|
| Art
| http://home.epix.net/~artnpeg

An excellent point Art !

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Poor heuristics and static unpacking



Have you read the latest retrospective on www.av-comparatives.org ?


Definitely, this is a major problem. Especially when it comes to
polys like the Polip virus. Many AVs including KAV have added a cleaning
routine for this only in recent days. So say KAV 6 (which can
terminate malware if it is in memory) will cause a bluescreen on boot as
it terminates winlogon.exe as this gets infected also.

This is just one recent example.

--
Regards, Ian Kenefick
http://www.IK-CS.com

Re: Poor heuristics and static unpacking

On Mon, 05 Jun 2006 00:50:43 +0100, Ian Kenefick

Quoted text here. Click to load it

I have now, and I just read the report. Needs some digesting and
critical analysis.

Interesting.

Art
http://home.epix.net/~artnpeg

