Detection within Installation files

Art

One kind of test of scanners that seems to be rare is that of their
ability to detect a variety of malware "within" install files.
Catching malware prior to installation is obviously an important
preventative.

I used a list of rogue web sites:

http://kppfree.altervista.org/spylist.htm

to steer me to a number of installation files. Below are just three
results of AV scanning using KAV:
*************************************
http://www.kazaa-download-manager.com
Install file: KDM-Setup.EXE
Trojan-Downloader.Win32.Small.asf data004
AdWare.Win32.WebHancer.351 whAgent.exe
AdWare.WebHancer whInstaller.exe

whsurvery.exe

webhdll.dll

whiehlpr.dll

http://www.mp3musicsearch.net
Install file: mp3ms.exe
AdWare.Win32.NewDotNet WISEOO24.BIN
Server-Proxy.Win32.MarketScore.k WISE0025.BIN
AdWare.Win32.SaveNow.bo WISE0026.BIN

http://www.kazaap.org
Install File: kazaap-3.6.exe
Adware.Win32.MediaBack data002
Trojan-Clicker.Win32.VB.dn data003
Trojan-Downloader.Win32.Agant.jt data005
*************************************
Notice the variety of Trojans and Adware in every install file.

One of the deficiencies of many or most spyware/adware/Trojan scanners
is their inability to scan "within" install files and act as a
preventative. One approach would be to upload install files to Virus
Total. That would only be viable if the file size is small enough. If
you have low upload speed, and/or the server is maxing out, this
approach could be painful :)

Having several free on-demand antivirus scanners on hand is another
approach. The best preventative though is to only download and install
known reputable software from trusted sources.

If your scanner, whatever kind, doesn't alert on at least the three
install files above, you are being short-changed. Demand of your
vendor that they learn to do a better job at preventative type of
scanning.

Art

http://home.epix.net/~artnpeg
 

David H. Lipman

From: "Art" <[email protected]>

| One kind of test of scanners that seems to be rare is that of their
| ability to detect a variety of malware "within" install files.
| Catching malware prior to installation is obviously an important
| preventative.
|
| I used a list of rogue web sites:
|
| http://kppfree.altervista.org/spylist.htm
|
| to steer me to a number of installation files. Below are just three
| results of AV scanning using KAV:
| *************************************
| http://www.kazaa-download-manager.com
| Install file: KDM-Setup.EXE
| Trojan-Downloader.Win32.Small.asf data004
| AdWare.Win32.WebHancer.351 whAgent.exe
| AdWare.WebHancer whInstaller.exe
|
| whsurvery.exe
|
| webhdll.dll
|
| whiehlpr.dll
|
| http://www.mp3musicsearch.net
| Install file: mp3ms.exe
| AdWare.Win32.NewDotNet WISEOO24.BIN
| Server-Proxy.Win32.MarketScore.k WISE0025.BIN
| AdWare.Win32.SaveNow.bo WISE0026.BIN
|
| http://www.kazaap.org
| Install File: kazaap-3.6.exe
| Adware.Win32.MediaBack data002
| Trojan-Clicker.Win32.VB.dn data003
| Trojan-Downloader.Win32.Agant.jt data005
| *************************************
| Notice the variety of Trojans and Adware in every install file.
|
| One of the deficiencies of many or most spyware/adware/Trojan scanners
| is their inability to scan "within" install files and act as a
| preventative. One approach would be to upload install files to Virus
| Total. That would only be viable if the file size is small enough. If
| you have low upload speed, and/or the server is maxing out, this
| approach could be painful :)
|
| Having several free on-demand antivirus scanners on hand is another
| approach. The best preventative though is to only download and install
| known reputable software from trusted sources.
|
| If your scanner, whatever kind, doesn't alert on at least the three
| install files above, you are being short-changed. Demand of your
| vendor that they learn to do a better job at preventative type of
| scanning.
|
| Art
|
| http://home.epix.net/~artnpeg


I find this an interesting post Art and a kudos to Kaspersky.

McAfee, even in an aggressive scanning mode, can't decompress these semi-proprietary
installer formats to be able to scan inside them. Thus, McAfee found /*NOTHING*/ !
 

Art

From: "Art" <[email protected]>

| One kind of test of scanners that seems to be rare is that of their
| ability to detect a variety of malware "within" install files.
| Catching malware prior to installation is obviously an important
| preventative.
|
| I used a list of rogue web sites:
|
| http://kppfree.altervista.org/spylist.htm
|
| to steer me to a number of installation files. Below are just three
| results of AV scanning using KAV:
| *************************************
| http://www.kazaa-download-manager.com
| Install file: KDM-Setup.EXE
| Trojan-Downloader.Win32.Small.asf data004
| AdWare.Win32.WebHancer.351 whAgent.exe
| AdWare.WebHancer whInstaller.exe
|
| whsurvery.exe
|
| webhdll.dll
|
| whiehlpr.dll
|
| http://www.mp3musicsearch.net
| Install file: mp3ms.exe
| AdWare.Win32.NewDotNet WISEOO24.BIN
| Server-Proxy.Win32.MarketScore.k WISE0025.BIN
| AdWare.Win32.SaveNow.bo WISE0026.BIN
|
| http://www.kazaap.org
| Install File: kazaap-3.6.exe
| Adware.Win32.MediaBack data002
| Trojan-Clicker.Win32.VB.dn data003
| Trojan-Downloader.Win32.Agant.jt data005
| *************************************
| Notice the variety of Trojans and Adware in every install file.
|
| One of the deficiencies of many or most spyware/adware/Trojan scanners
| is their inability to scan "within" install files and act as a
| preventative. One approach would be to upload install files to Virus
| Total. That would only be viable if the file size is small enough. If
| you have low upload speed, and/or the server is maxing out, this
| approach could be painful :)
|
| Having several free on-demand antivirus scanners on hand is another
| approach. The best preventative though is to only download and install
| known reputable software from trusted sources.
|
| If your scanner, whatever kind, doesn't alert on at least the three
| install files above, you are being short-changed. Demand of your
| vendor that they learn to do a better job at preventative type of
| scanning.
|
| Art
|
| http://home.epix.net/~artnpeg


I find this an interesting post Art and a kudos to Kaspersky.

McAfee, even in an aggressive scanning mode, can't decompress these semi-proprietary
installer formats to be able to scan inside them. Thus, McAfee found /*NOTHING*/ !

I just checked the same three install files at Virus Total. The
results were:

Bit Defender .... 3 of 3
NOD32 ............ 2 of 3
clamav .......... 1 of 3
Antivir ............ 1 of 3
CAT-QuickHeal .. 1 of 3

All other av were 0 of 3

Ewido is 0 of 3 as well, even though I suspect it might alert on
systems infested with these programs.

I had started to do a much larger test. But then I figured that
reporting even just this little sample would be worthwhile. And
based on your response, I see it was already :)

Art

http://home.epix.net/~artnpeg
 

Ian Kenefick

http://kppfree.altervista.org/spylist.htm [snip]
*************************************
http://www.kazaa-download-manager.com
Install file: KDM-Setup.EXE
Trojan-Downloader.Win32.Small.asf data004
AdWare.Win32.WebHancer.351 whAgent.exe
AdWare.WebHancer whInstaller.exe [snip]
http://www.mp3musicsearch.net
Install file: mp3ms.exe
AdWare.Win32.NewDotNet WISEOO24.BIN
Server-Proxy.Win32.MarketScore.k WISE0025.BIN
AdWare.Win32.SaveNow.bo WISE0026.BIN [snip]
http://www.kazaap.org
Install File: kazaap-3.6.exe
Adware.Win32.MediaBack data002
Trojan-Clicker.Win32.VB.dn data003
Trojan-Downloader.Win32.Agant.jt data005
*************************************
[snip]

Kazaa-Download-Manager was detected by NOD32
Kazaap was detected by NOD32
mp3musicsearch wasn't detected by NOD32. I sent this for analysis to
ESET (NOD32).
 

Ian Kenefick

http://www.mp3musicsearch.net
Install file: mp3ms.exe
AdWare.Win32.NewDotNet WISEOO24.BIN
Server-Proxy.Win32.MarketScore.k WISE0025.BIN
AdWare.Win32.SaveNow.bo WISE0026.BIN

Since this one wasn't detected by my AV program I decided I would
infect myself. Ok, I infected a (disposable) virtual machine with some
software monitoring the activity. I wasn't surprised at how aggressive
this thing was at downloading and installing spyware. I used a Windows
98 box running no firewall and no AV.

The install was funny - the program was assuring me it was spyware
free. In fact this piece of software was so much spyware free that it
was going to install a toolbar to make sure I was spyware free. Ha ha
ha!

Interestingly enough - there was a heluva lot of SMTP activity.
Something that infected me either from the website I got the program
from or the program itself was sending out/massmailing something!

I will be uploading this thread with links to screenshots soon!
 

David H. Lipman

From: "Art" <[email protected]>


|
| I just checked the same three install files at Virus Total. The
| results were:
|
| Bit Defender .... 3 of 3
| NOD32 ............ 2 of 3
| clamav .......... 1 of 3
| Antivir ............ 1 of 3
| CAT-QuickHeal .. 1 of 3
|
| All other av were 0 of 3
|
| Ewido is 0 of 3 as well, even though I suspect it might alert on
| systems infested with these programs.
|
| I had started to do a much larger test. But then I figured that
| reporting even just this little sample would be worthwhile. And
| based on your response, I see it was already :)
|
| Art
|
| http://home.epix.net/~artnpeg

I sent a sample of; KDM-Setup.EXE to McAfee AVERT and explained the situation fully. They
sent me an EXTRA.DAT which then detected as; "Generic Adware.dr"

However, it wasn't good for mp3ms.exe and kazaap-3.6.exe.

Back to McAfee AVERT ! ;-)
 

Ian Kenefick

Interestingly enough - there was a heluva lot of SMTP activity.
Something that infected me either from the website I got the program
from or the program itself was sending out/massmailing something!

I will be uploading this thread with links to screenshots soon!

I uploaded some screenshots of the bad guys to www.ik-cs.com/malware
 

Art

I uploaded some screenshots of the bad guys to www.ik-cs.com/malware

Since you enjoy doing sample viability checking, I've got a few
thousand more for you to have a big whoop with :)

I had thought about doing a small scientific test using only
about 20 install file samples. The idea of writing up the details
and submitting to some PC mag interests me. I dunno how much
they pay nowadays. It would probably work out to be $0.01 per hour
for all the time it would take. But I might do it once for the
experience, and because the ability to scan install files is so
important, IMO. Most scanners suck when it comes to prevention, and it
would be fun to reveal that fact.

Art

http://home.epix.net/~artnpeg
 

Ian Kenefick

Since you enjoy doing sample viability checking, I've got a few
thousand more for you to have a big whoop with :)

My malware collection is in a warm dry place away from direct
sunlight. I've got plenty to keep me amused - spyware is funny though.
It's like for me, the comic malware.
I had thought about doing a small scientific test using only
about 20 install file samples. The idea of writing up the details
and submitting to some PC mag interests me. I dunno how much
they pay nowadays. It would probably work out to be $0.01 per hour
for all the time it would take. But I might do it once for the
experience, and because the ability to scan install files is so
important,

You should. You have plenty of experience to do it :) Exercise your
creativity and blend it with your knowledge of malware. I'm sure it
would make for some interesting reading :)
IMO. Most scanners suck when it comes to prevention, and it
would be fun to reveal that fact.

Tee hee - pity about the bias that some (eh hemm CNET) magazines both
on and offline have to steer towards Symantec and the like for their
solutions. I don't mean to pick on Symantec but Jesus there are better
malware neophytes out there. Why don't you pop CNET a line - I think
the guy's name is Ken Feinstein. Remember his review of NOD32!?!
http://www.nod32-si.com/awards/cnet_zdnet.htm
 

David H. Lipman

Addendum:


| I sent a sample of; KDM-Setup.EXE to McAfee AVERT and explained the situation fully.
| They sent me an EXTRA.DAT which then detected as; "Generic Adware.dr"

| However, it wasn't good for mp3ms.exe and kazaap-3.6.exe.

| Back to McAfee AVERT ! ;-)


Well I got another EXTRA.DAT back from McAfee just now.

Generic Adware.dr (new PUP), Downloader-TP.dr (new trojan dropper)
for; mp3ms.exe and kazaap-3.6.exe.
 

Art

My malware collection is in a warm dry place away from direct
sunlight. I've got plenty to keep me amused - spyware is funny though.
It's like for me, the comic malware.

Most peeps don't share your view, of course. I certainly didn't back
when I was first getting started on the internet and discovered that
my ISP's connection software was "calling out". It turned out that I
had agreed to "fine print". All I had to do to get rid of it is to set
up a dialup connection in Windows. No doubt it was harmless but
I had and still have the attitude that I don't want anything like that
active on my machines.

Also, some spyware is really nasty and difficult to remove, so I see
nothing amusing about it.

As to crapware pretending to be spyware free, I don't see anything
amusing about that either. It's as despicable as other forms of
malicious code ... and spam.
You should. You have plenty of experience to do it :) Exercise your
creativity and blend it with your knowledge of malware. I'm sure it
would make for some interesting reading :)

And howls and screams from religious believers in certain av.
Tee hee - pity about the bias that some (eh hemm CNET) magazines both
on and offline have to steer towards Symantec and the like for their
solutions. I don't mean to pick on Symantec but Jesus there are better
malware neophytes out there. Why don't you pop CNET a line - I think
the guy's name is Ken Feinstein. Remember his review of NOD32!?!
http://www.nod32-si.com/awards/cnet_zdnet.htm

Ugh. Snake oil web site. Reminds me of when I pointed out NOD32 failed
to detect all the virus droppers in my collection. Howls and screams
from religious believers and snake oil peddlers go on to this day :)

Which reminds me there's a similar situation with my current idea
concerning install files. In the case of droppers, the howlers and
screamers argued that an av realtime will alert on the actual
virus dropped. That _should_ happen, of course. But it's at an inner
ring of the preventative defense perimeter, so to speak. Far better,
IMO to be able to detect malware "earlier" with on-demand scanning.
On-demand scanning is now widely used by ISPs and gateways which
are located at a larger outer perimeter yet. That's an ideal place to
clobber malware IMO. And home users using on-demand scanning
can use more than one scanner to get a variety of "opinions".

Similarly, it will be argued that the ability to detect malware in
install files is unnecessary since realtime av will alert during the
install process. My counter arguments are the same as with the
case of virus and Trojan droppers. Far better and safer if the
clued-in user can expect to scan "inside" install files using more
than one scanner.

Art

Art

http://home.epix.net/~artnpeg
Free antivirus:
http://www.ik-cs.com/programs/virtools/KASFX.EXE
http://www.claymania.com/KASFX.EXE
http://tinyclick.com/?BF-FREE
 

Art

Addendum:


| I sent a sample of; KDM-Setup.EXE to McAfee AVERT and explained the situation fully.
| They sent me an EXTRA.DAT which then detected as; "Generic Adware.dr"

| However, it wasn't good for mp3ms.exe and kazaap-3.6.exe.

| Back to McAfee AVERT ! ;-)


Well I got another EXTRA.DAT back from McAfee just now.

Generic Adware.dr (new PUP), Downloader-TP.dr (new trojan dropper)
for; mp3ms.exe and kazaap-3.6.exe.

Thanks to you and AVERT for the analysis substantiating that at least
some malware does indeed reside in the install files. But apparently,
McAfee is just doing a sig on the install files and not scanning
"within" them. Is that correct?

Art

Art

http://home.epix.net/~artnpeg
Free antivirus:
http://www.ik-cs.com/programs/virtools/KASFX.EXE
http://www.claymania.com/KASFX.EXE
http://tinyclick.com/?BF-FREE
 

David H. Lipman

From: "Art" <[email protected]>


|
| Thanks to you and AVERT for the analysis substantiating that at least
| some malware does indeed reside in the install files. But apparently,
| McAfee is just doing a sig on the install files and not scanning
| "within" them. Is that correct?
|
| Art
|
| Art
|
| http://home.epix.net/~artnpeg
| Free antivirus:
| http://www.ik-cs.com/programs/virtools/KASFX.EXE
| http://www.claymania.com/KASFX.EXE
| http://tinyclick.com/?BF-FREE

My email to them has stated the case that they are not recognizing these installer
packages. They are just a variation of self executing archive files. I don't like their
EXTRA.DAT approach. They should be expanding the install files and scanning the files
within. I have even tested them with the latest McAfee ENGINE, v5000 Beta. Maybe they will
see a need to modify the ENGINE before its full release. It is the ENGINE that extracts the
archive files.
 

Art

From: "Art" <[email protected]>


|
| Thanks to you and AVERT for the analysis substantiating that at least
| some malware does indeed reside in the install files. But apparently,
| McAfee is just doing a sig on the install files and not scanning
| "within" them. Is that correct?
|
My email to them has stated the case that they are not recognizing these installer
packages. They are just a variation of self executing archive files. I don't like their
EXTRA.DAT approach. They should be expanding the install files and scanning the files
within. I have even tested them with the latest McAfee ENGINE, v5000 Beta. Maybe they will
see a need to modify the ENGINE before its full release. It is the ENGINE that extracts the
archive files.

Yes. They're putting a paint job on an auto that needs an engine
overhaul. Glad you agree.

Art

http://home.epix.net/~artnpeg
Free antivirus:
http://www.ik-cs.com/programs/virtools/KASFX.EXE
http://www.claymania.com/KASFX.EXE
http://tinyurl.com/azzkc
 

Roger Wilco

Similarly, it will be argued that the ability to detect malware in
install files is unnecessary since realtime av will alert during the
install process. My counter arguments are the same as with the
case of virus and Trojan droppers. Far better and safer if the
clued-in user can expect to scan "inside" install files using more
than one scanner.

It would be too easy for a malware to be nestled within an install file
and be unrecognizable to a scanner. To adequately scan for malware like
this you would need a full platform emulation not just a good enough and
far enough emulation. Install files routinely use compressed program
data and decompress it as the install program is running. Waiting for on
access AV to alert to program files created by the installation process
will only work if the malware is installed as "files". What happens if
the "malware" is decompressed and decrypted and executes as part of the
already running process? At least with a virus infected program file you
can expect part of the decryptor to be uncovered - not so with a program
that routinely decompresses data on the fly. The very last part of the
decompressed data could be the decryptor program that reveals the
malware. So emulation would have to be complete at least to the point
where the malware code decryptor becomes uncovered - then the scanner
would have to allow decryption to further identify the detected malware.
This of course assumes that no legitimate installer program needs to
decrypt anything and that the presence of a decryptor is enough of an
indicator that it is a malicious program.

Looks like a lot of overhead to me. There is no reason that such a file
couldn't be submitted to an AV vendor's site hosting access to emulators
capable of digging this deep though. Again the AV web application idea
arises - no need for every AV on every PC to be capable of doing this
 

David H. Lipman

From: "Roger Wilco" <[email protected]>


|
| It would be too easy for a malware to be nestled within an install file
| and be unrecognizable to a scanner. To adequately scan for malware like
| this you would need a full platform emulation not just a good enough and
| far enough emulation. Install files routinely use compressed program
| data and decompress it as the install program is running. Waiting for on
| access AV to alert to program files created by the installation process
| will only work if the malware is installed as "files". What happens if
| the "malware" is decompressed and decrypted and executes as part of the
| already running process? At least with a virus infected program file you
| can expect part of the decryptor to be uncovered - not so with a program
| that routinely decompresses data on the fly. The very last part of the
| decompressed data could be the decryptor program that reveals the
| malware. So emulation would have to be complete at least to the point
| where the malware code decryptor becomes uncovered - then the scanner
| would have to allow decryption to further identify the detected malware.
| This of course assumes that no legitimate installer program needs to
| decrypt anything and that the presence of a decryptor is enough of an
| indicator that it is a malicious program.
|
| Looks like a lot of overhead to me. There is no reason that such a file
| couldn't be submitted to an AV vendor's site hosting access to emulators
| capable of digging this deep though. Again the AV web application idea
| arises - no need for every AV on every PC to be capable of doing this
|

It should be a program switch.

Just like "scan archive files" there should be an option "scan inside installer packages".

Could get interesting however on something like Win2003 Server SP1 which is ~330MB ;-)
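What the "scan inside installer packages" switch David asks for amounts to, written out as an added Python example (this is not code from any poster, from Kaspersky, McAfee or any other vendor). It models a self-extracting installer as a stub followed by a zip archive, which is the layout of a self-extracting zip; the Wise and similar vendor formats from the thread would need their own unpacker in place of `zipfile`. The payloads, the signature database and the detection name are all constructed for the example. It goes a little beyond the thread by also recursing into nested packages (the `data003`-style members) and capping recursion depth and total decompressed size, the guard a scanner needs before it starts expanding archives on demand.

```python
"""Added example: hashing the outer installer vs scanning the files inside it."""
import hashlib
import io
import zipfile

# Constructed payloads (assumption: stand-ins, not real samples).
BAD_PAYLOAD = b"CONSTRUCTED-UNWANTED-COMPONENT-v1"
BENIGN_PAYLOAD = b"MZ constructed benign helper"

# Constructed signature database: SHA-256 of a component -> detection name.
# The detection name is hypothetical.
SIGNATURES = {
    hashlib.sha256(BAD_PAYLOAD).hexdigest(): "Constructed.Adware.Example",
}

# Assumption: the installer is modelled as a stub followed by a zip archive
# (self-extracting zip layout); vendor installer formats need their own unpacker.
STUB = b"MZ-CONSTRUCTED-SELF-EXTRACTOR-STUB\x00"

MAX_DEPTH = 4                        # how deep to follow nested packages
MAX_TOTAL_BYTES = 64 * 1024 * 1024   # cap on decompressed data (zip-bomb guard)


def build_installer(members):
    """Build a self-extracting-style package: stub bytes + zip of the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return STUB + buf.getvalue()


def lookup(data):
    """Signature check on one blob: exact hash match against SIGNATURES."""
    return SIGNATURES.get(hashlib.sha256(data).hexdigest())


def scan_file(data, scan_inside, path="installer", _depth=0, _budget=None):
    """Return a list of (path, detection).

    scan_inside=False mimics a scanner that only hashes the outer file;
    scan_inside=True is the "scan inside installer packages" switch: every
    member is hashed and nested packages are unpacked recursively.
    """
    if _budget is None:
        _budget = [MAX_TOTAL_BYTES]
    hits = []
    det = lookup(data)
    if det:
        hits.append((path, det))
    if not scan_inside or _depth >= MAX_DEPTH:
        return hits
    stream = io.BytesIO(data)
    if not zipfile.is_zipfile(stream):   # zipfile finds the archive after the stub
        return hits
    with zipfile.ZipFile(stream) as zf:
        for info in zf.infolist():
            _budget[0] -= info.file_size  # uncompressed size from the central directory
            if _budget[0] < 0:
                raise ValueError(f"decompression budget exceeded at {path}/{info.filename}")
            member = zf.read(info)
            hits.extend(scan_file(member, True, f"{path}/{info.filename}", _depth + 1, _budget))
    return hits


def demo():
    """Constructed package: one flagged component at top level, one inside a nested package."""
    pkg = build_installer({
        "whAgent.exe": BAD_PAYLOAD,       # file name from the thread, constructed content
        "readme.txt": BENIGN_PAYLOAD,
        "data003": build_installer({"dropper.bin": BAD_PAYLOAD}),  # nested package
    })
    return scan_file(pkg, scan_inside=False), scan_file(pkg, scan_inside=True)


if __name__ == "__main__":
    outer_only, inside = demo()
    print("outer hash only:", outer_only)
    print("scan inside    :", inside)
```

The outer-only pass returns nothing, because the hash of the whole package matches no signature even though two flagged components sit inside it; that is the "sig on the outer shell" situation Art describes, where a vendor can only add a signature per package. The inside pass reports both components, including the one in the nested package. The byte budget is what keeps the switch safe to leave on for something the size of a service pack.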
 

Art

It would be too easy for a malware to be nestled within an install file
and be unrecognizable to a scanner.

First, let me say that at least a couple of av I've looked so far have
the capability of finding multiple malwares within install files. They
don't merely create a sig for the outer shell. And few even have a
sig for the outer shell. Probably most users get no clue from their av
at all that they're about to install multiple malwares. They have to
rely on their realtime monitor to catch it all. And that's unlikely
since most av aren't up to the task of detecting spyware and adware
and the various pornwares and underwares so predominant nowadays.
To adequately scan for malware like
this you would need a full platform emulation not just a good enough and
far enough emulation. Install files routinely use compressed program
data and decompress it as the install program is running.

No. Not as the install file is running. You decompress during an
on-demand scan like KAV does. Looks like NOD32 does as well. I haven't
yet evaluated many current scanners, so I can't say just how many have
the capability.
Waiting for on
access AV to alert to program files created by the installation process
will only work if the malware is installed as "files".

Now you're suggesting to me a possible counter argument to the
naysayers and realtime av advocates. I'm talking about on-demand
scanning, not realtime monitors.
What happens if
the "malware" is decompressed and decrypted and executes as part of the
already running process?

See above. Won't happen with on-demand scanning.

<snip>

Art

http://home.epix.net/~artnpeg
Free antivirus:
http://www.ik-cs.com/programs/virtools/KASFX.EXE
http://www.claymania.com/KASFX.EXE
http://tinyurl.com/azzkc
 

David H. Lipman

Addendum:

After submitting another two infected installation packages, I received the
following feedback this AM....

"I understand your concern and will pass along your feedback to the Engine team.
In the meantime, On Access scanning provides protection against those components
carried within the installer as soon as they hit the disk independently (prior to
execution)."
craig_schmugar<at>avertlabs.com