Author Topic: Malware packers and AV detection failure rates  (Read 6284 times)

0 Members and 1 Guest are viewing this topic.

September 01, 2007, 07:32:48 am
Read 6284 times

sowhat-x

  • Guest
...ok,had some fun with it,if I can call it this way...
Digging through my personal archive of packers,I though it wouldn't hurt,
to check a few on them (for one more time...) on VirusTotal/Jotti.

I submitted one called Morphnah Beta 2:
it's from the same russian guy,that had written Pohernah,called Kas...
Pohernah is detected nowadays by a few AVs,
at least the packer itself,didn't bother checking packed samples...
Morphnah Beta 2 was released about 3-4 months ago...wanna see today's results?
Check the attached .pdf in the end of my post...

So,what do we see here...a complete failure  :P
Except Webwasher,which gives a "Win32.Malware.gen!94" result.
But wait...I'll come to this "successful" result also...

Now you think,ok,maybe the AV companies didn't get that sample...
nop,I've personally submitted it at least 3-4 times in VirusTotal and Jotti,
from the moment it came to my hands,ie.just a few days after it was released in public.
It has even been submitted to specific AV companies,again,more than a couple of times...
Not to mention how many skiddies must have submitted it over there,for their own reasons...

Then,I decided to submit another one,called LHPack,from BlackLogic team.
Their site is down since long time.Wanna learn more about them?
Check out this nice paper in the following site,
called "Traffic Threat Analysis:85.255.113.174 and blacklogic.net",
http://craigchamberlain.dreamhosters.com/

Nice guys,hah? ;D :-X
Ok,back to LHPack and VirusTotal results,again,check the second attachment below...
And note that even if there was an excuse for Morphnah Beta 2,
say of the type..."it's a fairly new sample. and that's why it gets missed"...
(yeah,only...4 months old,and also spread in almost every script kiddie forum),
this latter one is more than 1 year and 6-7 months old...
Checked it?Good...maybe it happened you noticed a few similarities? :P
What do we see here?Complete failure once again...
and more specifically,we got exactly the same results:
WebWasher once again gives a "Win32.Malware.gen!94" result.

Now,as far as regarding the single one "successful" detection,
the one from the WebWasher product...
nop,it doesn't have say the super-advanced heuristics...
quite the contrary,they just chose the..."easy" way of doing things:
packed executable = infected executable.
Do you want further proofs about it...results/tests/whatever?
Well,there's not another .pdf attachment here...just a so-called "exercise for the reader":
just pack notepad.exe with plain old good UPX...(I used v3.01),then upload it VirusTotal... :D

September 01, 2007, 03:29:31 pm
Reply #1

JohnC

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1964
Webwasher is terrible. It detects so many packers as being possibly malicious code it is unbelievable. They are supposed to be putting the effort into writing unpacking routines for the malware packers, rather than just saying, well this looks like a modified UPX, lets detect it :)

September 01, 2007, 05:53:45 pm
Reply #2

sowhat-x

  • Guest
...doh,forgot to be more specific above...and mention that LHPack is a general purpose packer,
eg.like zip/rar/tar etc,not just for win32 executables...
But that really doesn't make much of a difference,for at least two reasons...

1)First reason is the more obvious one....
who in the world would ever trust running/using for backups a(nother one...) file compressor,
especially from guys that distributed wmf exploits and sdbot variants from their webpage?

b)The compression algorithm/technique of LHPack itself,
under a certain degree of modifications naturally,
is more than likely to also be used in some of their "private" packers,viruses,whatever...
it won't be neither the first or the last time something like this happens.
Eg.a quick example that comes to my mind...
have you ever checked older WinUDA sfx files under PEiD?Take a visit at Dwing's page...
http://wex.cn/dwing/mycomp.htm
Yeap,you've guessed right...it's getting detected as Upack,he-he...it's the same algo modded  ;)
(By the way,Upack is a great packer,despite the annoying fact that it has been widely misused...)

And if anyone thinks I am being overjealous here...
ok,here are the results for a strictly PE file compressor written by the same team,
which is also more than 1 and half years old...packer is called "Apex 3.0 Alpha".
Again,results are...exactly the same.  :P
(The lamez.dll that you see in the report is what actually does the packing...)

As for Webwasher...he-he,yeah,personally,I agree 100% with your opinion...
pretty much as you said,"....looks like a modified UPX,let's detect it"...
because it wasn't even a modified UPX,he-he...
To be fair though...I have the slight impression (didn't bother checking their page),
that their product is meant to be used mainly in gateways/mail servers etc,
not in personal desktops...in that case,it would at least stop effectively most bots,
before spreading into the internal network...as most of them are usually packed.
But as said,I didn't (even) bother checking their page... ;D so I might be wrong on this... :P