Poor heuristics and static unpacking


Ian Kenefick

In recent times I've noticed that the trends are changing when it
comes to virus detection. Heuristic technology is improving and
engines heavily dependent on signature updates are slipping when it
comes to virus reaction and detection in the first place. Those who
use the static unpacking method and rely heavily on it (i.e. KAV) are not
detecting a lot of malware even though under the packing it's
virtually unmodified.

When will good signature databases simply not be enough?
When will static unpacking become unfeasible to maintain?

Just a few thoughts....
 
From: "Ian Kenefick" <[email protected]>

| In recent times I've noticed that the trends are changing when it
| comes to virus detection. Heuristic technology is improving and
| engines heavily dependent on signature updates are slipping when it
| comes to virus reaction and detection in the first place. Those who
| use the static unpacking method and rely heavily on it (i.e. KAV) are not
| detecting a lot of malware even though under the packing it's
| virtually unmodified.
|
| When will good signature databases simply not be enough?
| When will static unpacking become unfeasible to maintain?
|
| Just a few thoughts....
|

An example would be the Media Codecs and DigiKeyGen sites producing all the ZLob Trojans.
 

Yeah - I noticed the modifications are coming out sometimes more
frequently than the signatures that detect them.

Just take a look at this...

http://www.kaspersky.com/viruswatchlite?search_virus=zlob&x=0&y=0&hour_offset=-3

There are many pages of detections added for this single threat. This
is just one example though. What about all those bots!!?
 
From: "Ian Kenefick" <[email protected]>


|
| Yeah - I noticed the modifications are coming out sometimes more
| frequent than the signatures that detect them.
|
| Just take a look at this...
|
| http://www.kaspersky.com/viruswatchlite?search_virus=zlob&x=0&y=0&hour_offset=-3
|
| There is many pages of detections added for this single threat. This
| is just one example though. What about all those bots!!?
|

McAfee is starting to come around. I submitted some samples to AVERT/WebImmune today and I
got a "new detection" of "Generic Downloader.q" for all the variants submitted and WebImmune
created an EXTRA.DAT file for it.

This is very new as I have been trying to get McAfee to do better on the detection on these
ZLob installers for a month now.
 
> This is very new as I have been trying to get McAfee to do better on the detection on these
> ZLob installers for a month now.

I saw that earlier. Surely Generic Detection should have been added a
while ago. I know NOD32 added generic detection, then the samples were
modified and new generic detection is being released by ESET also for
this (according to Marcos).

Still though... those with support for generic unpacking (emulation)
are performing better in this instance. There are many more examples.
 
From: "Ian Kenefick" <[email protected]>

| On Sun, 04 Jun 2006 22:14:24 GMT, "David H. Lipman"
|
| I saw that earlier. Surely Generic Detection should have been added a
| while ago. I know NOD32 added generic detection, then the samples were
| modified and new generic detection is being released by ESET also for
| this (according to Marcos).
|
| Still though... those with support for generic unpacking (emulation)
| are performing better in this instance. There are many more examples.
|

Yes there are indeed more examples. The AV companies do need to adapt faster to the changes
in the malware threat.
 
> I saw that earlier. Surely Generic Detection should have been added a
> while ago. I know NOD32 added generic detection, then the samples were
> modified and new generic detection is being released by ESET also for
> this (according to Marcos).
>
> Still though... those with support for generic unpacking (emulation)
> are performing better in this instance. There are many more examples.

Seems to me the downside of increasing heuristic/generic detections
are the increasing problems of false alarms, misidentifications, and
inability to clean. In fact, it seems increasingly dangerous with some
av now for users in deep doodoo to blindly scan with clean/delete
enabled since they are putting legit files in danger.

Art
http://home.epix.net/~artnpeg
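The two points made above, Ian's (a static unpacker tied to one packer layout stops seeing a sample the moment the packer is modified, while emulation still recovers the unchanged payload) and Art's (generic detection must not flag everything that merely looks packed), as an added worked example. This is not code from the thread or from any named product: the packer format, the decode-stub bytecode, the signature and the payloads are all constructed for illustration, and the "static unpacker" and "emulator" are toy stand-ins for the real engine components being discussed.

```python
# Added example, not from the thread. Toy packer format (invented):
#   b"PKD" + len(stub) + stub + encoded_data
# where `stub` is a tiny constructed bytecode that decodes `encoded_data`.
# A static unpacker hard-codes one stub layout; a generic unpacker runs
# whatever stub the file carries in a small emulator.

SIG = b"CONSTRUCTED_PAYLOAD_SIG"                      # constructed byte signature
MALICIOUS = b"MZ..." + SIG + b"...drop and run (constructed)"  # constructed body
BENIGN = b"MZ...hello world, nothing to see (constructed)"    # constructed body

# Toy stub opcodes (invented for this example).
SETKEY, XORB, ADDKEY, LOOP, HALT = 0x01, 0x02, 0x03, 0x04, 0xFF

def stub_v1(key):
    # Fixed key for the whole buffer: the one layout the static unpacker knows.
    return bytes([SETKEY, key, XORB, LOOP, 2, HALT])

def stub_v2(key, step):
    # Same payload, "modified" packer: the key rolls by `step` after each byte.
    return bytes([SETKEY, key, XORB, ADDKEY, step, LOOP, 2, HALT])

def pack(payload, stub, key, step=0):
    out, k = bytearray(), key
    for b in payload:
        out.append(b ^ k)
        k = (k + step) & 0xFF
    return b"PKD" + bytes([len(stub)]) + stub + bytes(out)

def split(packed):
    assert packed[:3] == b"PKD", "not the toy format"
    n = packed[3]
    return packed[4:4 + n], packed[4 + n:]

def static_unpack(packed):
    """Static unpacker: recognises only the v1 layout; anything else is opaque."""
    stub, data = split(packed)
    if len(stub) == 6 and stub[0] == SETKEY and stub[2:] == bytes([XORB, LOOP, 2, HALT]):
        key = stub[1]
        return bytes(b ^ key for b in data)
    return None  # unknown layout: the scanner gets nothing to look at

def emulate_unpack(packed, max_steps=100_000):
    """Generic unpacker: execute the file's own decode stub in a tiny VM.
    The step budget is the usual emulator caveat: a stub that never halts
    must not hang the scanner, so an exhausted budget yields no result."""
    stub, data = split(packed)
    out, key, pc, i = bytearray(), 0, 0, 0
    for _ in range(max_steps):
        op = stub[pc]
        if op == SETKEY:
            key, pc = stub[pc + 1], pc + 2
        elif op == XORB:
            if i >= len(data):
                return None  # stub reads past the data: malformed
            out.append(data[i] ^ key)
            i, pc = i + 1, pc + 1
        elif op == ADDKEY:
            key, pc = (key + stub[pc + 1]) & 0xFF, pc + 2
        elif op == LOOP:
            pc = stub[pc + 1] if i < len(data) else pc + 2
        elif op == HALT:
            return bytes(out)
        else:
            return None  # unknown opcode
    return None  # step budget exhausted

def scan_raw(packed):
    return SIG in packed

def scan(packed, unpacker):
    # Detection is decided on the recovered content, not on "this file is packed",
    # so a benign file wrapped by the same packer is not a false alarm.
    body = unpacker(packed)
    return body is not None and SIG in body

def demo():
    v1 = pack(MALICIOUS, stub_v1(0x5A), 0x5A)
    v2 = pack(MALICIOUS, stub_v2(0x5A, 7), 0x5A, 7)   # repacked: payload unchanged
    clean = pack(BENIGN, stub_v2(0x5A, 7), 0x5A, 7)   # same packer, clean content
    return {
        "raw_v1": scan_raw(v1), "raw_v2": scan_raw(v2),
        "static_v1": scan(v1, static_unpack), "static_v2": scan(v2, static_unpack),
        "emu_v1": scan(v1, emulate_unpack), "emu_v2": scan(v2, emulate_unpack),
        "emu_clean": scan(clean, emulate_unpack),
    }

if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:10s} {'DETECTED' if hit else 'clean'}")
```

Running it shows the raw signature missing both packed variants, the static unpacker catching v1 and returning nothing for v2 (so the repack costs the vendor a new unpacker, not just a new signature), the emulator catching both, and the benign file packed with the same tool staying clean. The `max_steps` budget is the emulator's own weak spot: a stub that busy-loops, or does enough work to exceed the budget, comes back as `None` and is effectively unscanned.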
 
From: "Art" <[email protected]>


|
| Seems to me the downside of increasing heuristic/generic detections
| are the increasing problems of false alarms, misidentifications, and
| inability to clean. In fact, it seems increasingly dangerous with some
| av now for users in deep doodoo to blindly scan with clean/delete
| enabled since they are putting legit files in danger.
|
| Art
| http://home.epix.net/~artnpeg

An excellent point Art !
 
> Seems to me the downside of increasing heuristic/generic detections
> are the increasing problems of false alarms, misidentifications, and
> inability to clean.

Have you read the latest retrospective on www.av-comparatives.org ?

> In fact, it seems increasingly dangerous with some
> av now for users in deep doodoo to blindly scan with clean/delete
> enabled since they are putting legit files in danger.

Definitely, this is a major problem. Especially when it comes to
polys like the Polip virus. Many AVs including KAV have added a cleaning
routine for this only in recent days. So say KAV 6 (which can
terminate malware if it is in memory) will cause a bluescreen on boot as
it terminates winlogon.exe, as this gets infected also.

This is just one recent example.
 
> Have you read the latest retrospective on www.av-comparatives.org ?

I have now, and I just read the Report. Needs some digesting and
critical analysis.

> Definitely, this is a major problem. Especially when it comes to
> polys like the Polip virus. Many AVs including KAV have added a cleaning
> routine for this only in recent days. So say KAV 6 (which can
> terminate malware if it is in memory) will cause a bluescreen on boot as
> it terminates winlogon.exe, as this gets infected also.
>
> This is just one recent example.

Interesting.

Art
http://home.epix.net/~artnpeg
 