
Trojan signature quality of certain AV products...

Hi,
Because some of you sent me a PM, I decided to open a new topic about this issue. It's mainly a comparison of the signature quality of certain products and it shows how easily a program can be fooled.
Some details about the test: for the test I used the backdoor Y3K Pro 0.2. I generated an UNPACKED and VISIBLE server. The server was detected by all 3 products I tested so far. It's called "server.exe" on every screenshot.
Then I got a hex editor and used the "search" function to find any "y3k" string inside the file. I changed the case of the Y every time. If there was "Y3K" I changed it to "y3K" and if there was "y3k" it became "Y3k". Some other strings were changed, too. The "hex edited" version is called "server - strings.exe" on the screenshots.
After that I generated a third version. It's simply the original server edited with Resource Hacker. I just deleted the bitmap stored inside the resources of the file. The server is called "server - resources.exe" now.
I packed the 3 servers together with the TDS-3 radius database of today and attached it to this thread. This was done because I know Wayne and Gavin. They will simply create a new signature and claim TDS-3 was never vulnerable *g*.
The 3 "products" will follow. If you want me to test more products, simply post or write a PM.
--
For when you love something that you can hardly get, that seems unreachably far away, you become a little sad. You become a dreamer. Or you become a radical. Or a radical realizer of your dreams ... .
[text was edited by author 2003-08-19 08:36:14]
[text was edited by author 2003-08-19 08:50:47]
Re: Trojan signature quality of certain AV product
NAV2003 uses text-based signatures and is affected by the deletion of the bitmap resource (perhaps it uses a string signature at a fixed offset).
Only the "original" was detected.
reply to Andreas Haak
McAfee uses some kind of checksum generated using parts of the resource sections of the file as a signature. So it was surely affected by the bitmap erase. But it was not affected by the edited server. But in fact both methods - editing strings and editing resources - are very easy. So it's not recommended either ... .
reply to Andreas Haak
TDS-3 was affected by deleting the bitmap and changing the strings. But it caught the resource variant using its heuristics.
Schouw (Premium, join: 2003-05-29, Netherlands), reply to Andreas Haak
Re: Trojan signature quality of certain AV products...
I also scanned these files with a few AVs:
- KAV: detects all
- RAV: detects all
- CA: Vet detects all, InoculateIT doesn't detect strings.exe
- McAfee: detects all, but it detects resources.exe with heuristics.
- F-Prot: seems to detect nothing (used F-Secure for this).
reply to Andreas Haak
Re: Trojan signature quality of certain AV product
Well ... I deactivated heuristics while scanning. I wanted to look at the quality of the signatures - not the heuristics *g*.
reply to Andreas Haak
AntiVir uses text-based signatures so it missed the hex-edited server version ...
reply to Andreas Haak
TrojanHunter detects all three servers in memory - see attached screenshots. There seems to be a problem with the file detection, but I just added one file rule for the unpacked server which detected all three of them. I will post the updated ruleset ASAP.
--
Mischel Internet Security http://www.misec.net
reply to Andreas Haak
Good to hear that.
Tried AVG 7.0 Trial ... and it doesn't detect ANY of the servers. Same with NOD32. NOD32 with advanced heuristics enabled catches all 3 of them ... .
Lucky5 (Premium, join: 2002-07-24, Desert Floor), reply to Andreas Haak
Re: Trojan signature quality of certain AV products...
BitDefender v7.0

reply to Andreas Haak
Re: Trojan signature quality of certain AV product
And BitDefender relies on text-based signatures, too ... . So it missed the hex-edited server.
[text was edited by author 2003-08-19 09:31:33]
reply to Andreas Haak
said by Andreas Haak:
> NOD32 with advanced heuristics enabled catches all 3 of them ... .
That doesn't count, imho ... am wondering how many harmless non-viral files NOD32 also "catches" with those same heuristics. My point is, your test {by the title you gave the thread} is intended to examine signature strengths, not heuristics.
reply to Andreas Haak
You are right. But some others posted the heuristic results, too. So I thought it would be ok. I already mentioned the heuristic detection in TDS-3, for example.
But even a good heuristic can be fooled easily.
Mele20 (Premium, join: 2001-06-05, Hilo, HI, kudos: 4), reply to Andreas Haak
That was interesting. I downloaded the zip file and ran NOD32 by it. It found nothing. I then scanned using advanced heuristics and the attached shows that NOD32 detected all three viruses. That command-line advanced heuristics scanning is damn impressive!
I next tried to scan via command line using the Trojan Hunter that I am trialing. Was that a mistake! I forgot that I cannot do that with Trojan Hunter because I have W98SE and this is a known bug that hasn't been fixed. All that happened was a series of errors generated that resulted in TH being hung and I had to resort to C/A/D to kill the application. I like Trojan Hunter but it is not for W98SE!
--
"Everything can be taken from a man or woman but one thing: the last of the human freedoms - to choose one's attitude in any given set of circumstances, to choose one's destiny." Victor Frankl - Man's Search for Meaning
reply to Andreas Haak
Yes ... NOD32's advanced heuristics is impressive. But in fact it doesn't count as Randy and I already mentioned.
reply to Andreas Haak
And DrWeb detects all of them ...
Mele20 (Premium, join: 2001-06-05, Hilo, HI, kudos: 4), reply to Andreas Haak
Yes, I'm aware you were looking at signatures in this test and NOD didn't detect them. As for NOD "catching" harmless files using heuristics ... well, it says "probable, unknown new virus" ... so you can always check it out further.
Lucky5 (Premium, join: 2002-07-24, Desert Floor), reply to Andreas Haak
Re: Trojan signature quality of certain AV products...
Avast 4

reply to Andreas Haak
Andreas, (Here we go again).
There's always going to be a signature somewhere in any trojan that can be modified to make it slip past the detection of any scanner (yours included), it just requires modifying a different area for each scanner (due to each scanner often having a signature in a different place), so can you please elaborate on what you're trying to prove in this thread? There's no difference between changing a couple of opcodes around and changing a text string - it's all just a couple of keystrokes in a hex editor. Yes I agree with you that there is such a thing as 'signature quality' (i.e. not only to strongly detect the trojan, but also to avoid false positives, which is why automated signature selection must not be used - this is why we hand-select all of our signatures after performing a full analysis), but at the same time you can't make bulletproof signatures - give me any trojan, any scanner, and I'll hex edit it so that it will no longer be detected.
Folks, Don't be fooled by Andreas. He's been writing his own anti-trojan scanners for the last couple of years and is posting here telling you that various anti-trojan scanners are "vulnerable" to having trojans modified so that they can no longer be detected. WHAT HE ISN'T TELLING YOU is that _all_ scanners - his included - are equally 'vulnerable', so he's just shooting himself in the foot. Any trojan can be modified (often just with a hex editor, sometimes also with the assistance of a disassembler) so that it will be undetected by any anti-trojan scanner. Andreas simply chose a signature that he knew TDS was using so he can keep up with his monthly spate of attacks on TDS. I could easily modify any trojan so that it gets past any detection that Andreas's scanner has and it would only take a matter of minutes, but I don't go around attacking his software in an effort to promote mine - some of us actually have business ethics, and even morals, things that gravely elude Andreas Haak. The simple fact of the matter is he wouldn't waste so much time, time and time again, month after month, year after year, attacking TDS if he didn't think it was a quality scanner that represented some sort of threat to his own scanner, otherwise he'd be doing something more constructive with his time - nobody else would bother wasting time on this, think about it.
Well, this thread has been a complete waste of everyone's time.
[text was edited by author 2003-08-19 10:41:05]

reply to Andreas Haak
Re: Trojan signature quality of certain AV product
Well Wayne,
It's way more difficult to patch code than to patch a simple string.
Of course you can circumvent any anti-* software if you know what they are searching for. But it's a big difference between changing the case of a letter and changing the code of the file.
You can make it easy for every script kiddie out there to circumvent your product or you can make it as difficult as possible.
We can see you chose the more insecure but easier way for your product (as many others, too) ... .
--
Because Wayne edited his posting, I just add my reply.
> Don't be fooled by Andreas. He's been writing his own anti-trojan scanners for the last couple of years and is posting here telling you that various anti-trojan scanners are "vulnerable" to having trojans modified so that they can no longer be detected.
Oh Wayne ... Is my English really that bad that you are unable to understand what I said? Again ...
This thread is about QUALITY OF SIGNATURES. High-quality signatures have in fact 3 characteristics:
- They are NOT text based.
- They don't produce false positives.
- They are specific enough to ensure a correct cleaning.
Searching for a text string inside a file as a signature is in fact every time the weakest signature. It's a fact that a human will first edit the human-readable parts of the nasty to make it undetected. Whether you want to believe it or not - it's a FACT.
I simply tried to show which programs use such weak signatures. McAfee, NAV, BitDefender, AntiVir and many more are using them and TDS-3 uses such weak text-based signatures, too. I guess I can hardly compare it to other AT programs because TDS-3 is the only signature-based one. Most of the others use fingerprints.
I already said it. OF COURSE YOU CAN MAKE EVERYTHING UNDETECTED. You have to search for something and if you know what a program is searching for it's not a big deal to make it undetected. We had a similar discussion at this board in one of the Blaster remover threads.
But in fact disassembling and reassembling code, which is needed to circumvent a binary signature, is way more difficult than simply using the search-and-replace function of the hex editor of your choice.
I hope you agree at this point.
In fact high-quality signatures are IMPORTANT. In fact script kiddies have given up searching for exotic packers or crypters to get past an anti-virus or anti-trojan program. They try to make their "toys" undetected using patches etc. And to make the creation of these patches as hard as possible it's NECESSARY to add high-quality signatures.
> WHAT HE ISN'T TELLING YOU is that _all_ scanners - his included - are equally 'vulnerable', so he's just shooting himself in the foot.
I said this several times inside the discussion. Perhaps you need some new glasses?
> Andreas simply chose a signature that he knew TDS was using so he can keep up with his monthly spate of attacks on TDS.
Nonsense. I described above why this one was chosen. Because it was unpacked and detected by McAfee, NAV and TDS-3. I didn't want to waste time preparing a backdoor for every single program. In fact this test can be done with SubSeven, NetBus and many other widespread backdoors, too.
> I could easily modify any trojan so that it gets past any detection that Andreas's scanner has
In fact ANTS was discontinued several months (or even years) ago. I can get viruses past Microsoft Anti-Virus that was shipped with MS DOS 6.x, too. But nobody will be interested in this.
You simply don't want to understand, Wayne, and I can understand you. Showing how weak your signatures are and making your lies public is not good for your business ... .
> a matter of minutes, but I don't go around attacking his software in an effort to promote mine - some of us actually
Where did I do any advertisement?
> attacking TDS if he didn't think it was a quality scanner that represented some sort of threat to his own scanner,
Who is sitting on a high horse now?
[text was edited by author 2003-08-19 12:24:15]
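The thread's results follow directly from where each product anchored its signature. The toy scanner below is an added example, not code from any product named in the thread: it builds three constructed byte strings standing in for "server.exe", "server - strings.exe" and "server - resources.exe" (no real Y3K sample is used, and there is no PE parsing; the resource region is located by a constructed "BM" marker), then applies three illustrative signature styles, a case-sensitive text string, a checksum over the resource region, and a byte pattern taken from the code region. The matrix it returns mirrors the thread: the text signature misses the case-flipped file, the resource checksum misses the file whose bitmap was removed, and only the code-byte signature survives both edits.

```python
import zlib

# Constructed stand-in for the unpacked server: three regions, arranged so
# that each edit described in the thread touches exactly one of them.
CODE = bytes.fromhex("5589e583ec10c745fc00000000c9c3") + b"\x90" * 16
TEXT = b"Y3K Pro 0.2 remote server\x00y3k.dll\x00"
RESOURCE = b"BM" + bytes(range(32))      # constructed stand-in for the bitmap


def build(text=TEXT, resource=RESOURCE):
    """Assemble a sample: code region, text region, resource region."""
    return CODE + text + resource


# The three test files from the thread, as constructed byte strings.
SAMPLES = {
    # untouched server
    "server.exe": build(),
    # case of the product name flipped in a hex editor (Y3K -> y3K, y3k -> Y3k)
    "server - strings.exe": build(
        text=TEXT.replace(b"Y3K", b"y3K").replace(b"y3k", b"Y3k")),
    # bitmap deleted with a resource editor
    "server - resources.exe": build(resource=b""),
}


def sig_text(sample: bytes) -> bool:
    """Text-based signature: exact, case-sensitive substring match."""
    return b"Y3K Pro" in sample


def resource_region(sample: bytes) -> bytes:
    """Locate the (constructed) resource region by its 'BM' marker."""
    i = sample.find(b"BM")
    return sample[i:] if i >= 0 else b""


# Checksum of the original's resource region, the McAfee-style signature
# described in the thread (simplified: CRC32 over the whole region).
RESOURCE_CRC = zlib.crc32(resource_region(SAMPLES["server.exe"]))


def sig_resource_checksum(sample: bytes) -> bool:
    """Resource-checksum signature: matches only if the region is intact."""
    region = resource_region(sample)
    return bool(region) and zlib.crc32(region) == RESOURCE_CRC


# Byte pattern taken from the first instructions of the code region.
CODE_PATTERN = CODE[:11]


def sig_code_bytes(sample: bytes) -> bool:
    """Code-byte signature: a pattern from the executable code itself."""
    return CODE_PATTERN in sample


SIGNATURES = {
    "text": sig_text,
    "resource crc": sig_resource_checksum,
    "code bytes": sig_code_bytes,
}


def scan_all() -> dict:
    """Run every signature over every sample; True means 'detected'."""
    return {name: {sig: fn(data) for sig, fn in SIGNATURES.items()}
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    results = scan_all()
    header = "file".ljust(26) + "".join(s.ljust(14) for s in SIGNATURES)
    print(header)
    for name, row in results.items():
        print(name.ljust(26) + "".join(
            ("hit" if row[s] else "miss").ljust(14) for s in SIGNATURES))
```

The point for a signature author is the last column: a signature anchored in code that the program must execute is the only one of the three that a string case change or a resource edit cannot disturb, which is the "not text based" and "specific enough" criteria from the post in concrete form.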