Penetration Testing mailing list archives

Re: [Full-disclosure] Inside AV engines?

From: "Valdis Shkesters" <valdis () antivirus lv>
Date: Tue, 13 Dec 2005 01:42:17 +0200

These days, a very popular approach is to pack malicious codes by
different packers to create a large number of pseudo versions. Tests
performed by Eric Johansen from IBM Virus CERT were presented
at the Virus Bulletin 2005 conference. He had packed the generally
known Nimda.a by different packers and tested what was the possibility
of fooling different anti-viruses. Symantec with its on-demand scanner
identified only 33%, McAfee 67%, Trend Micro 57%.

http://files.malwareblog.com/EJohansen_VB2005_Presentation.pdf
http://files.malwareblog.com/EJohansen_VB2005.pdf

Best regards,

Valdis

----- Original Message -----From: "Jeroen" <jeroen () isvet nl>

To: <pen-test () securityfocus com>; <full-disclosure () lists grok org uk>
Sent: Tuesday, December 13, 2005 12:56 AM
Subject: [Full-disclosure] Inside AV engines?

For penetration testing on Wintel system, I often use netcat.exe and stuff
like pwdump. More and more I need to disable anti-virus services before

running the tools to avoid alarms and auto-deletion of the applications.It

works but it isn't an ideal situation since theoretically a network can be
infected while the AV-services are down. Recompiling tools is an option

since the source of many tools I use is available. The question is (beforeIburn useless CPU cycles): can someone help me getting info about theinside

of AV engines? Will addition of some rubbish to the code do the trick (->
other checksum), do I need to change some core code or is it a mission
impossible anyway? Who can help for example getting some useful research
papers on the subject of detecting viruses and how to bypass mechanisms
used? Any help will be appreciated.


Greets,

Jeroen


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html

Hosted and sponsored by Secunia - http://secunia.com/



------------------------------------------------------------------------------

Audit your website security with Acunetix Web Vulnerability Scanner:Hackers are concentrating their efforts on attacking applications on yourwebsite. Up to 75% of cyber attacks are launched on shopping carts, forms,login pages, dynamic content etc. Firewalls, SSL and locked-down servers arefutile against web application hacking. Check your website for vulnerabilitiesto SQL injection, Cross site scripting and other web attacks before hackers do!Download Trial at:


http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

Current thread:

Inside AV engines? Jeroen (Dec 12)
- Re: [Full-disclosure] Inside AV engines? ad () heapoverflow com (Dec 12)
- Re: [Full-disclosure] Inside AV engines? Valdis Shkesters (Dec 12)
- Re: [Full-disclosure] Inside AV engines? Michael Tewner (Dec 13)
  - Re: [Full-disclosure] Inside AV engines? Fósforo (Dec 14)