Dailydave mailing list archives

Re: The Anti-Virus/IDS fantasy world


From: El Nahual <nahual () 0hday org>
Date: Fri, 15 Jun 2007 10:48:04 -0500

I have to disagree with you (I tried to get out of this one since I used to work for an AV company), but I agree with Dave completely.

If Sophos is correct, why aren't they detecting 100% of the project mimic from 29A, which is over 5 years old? Metamorphic was designed and used on malware; also, covert channels ARE used in malware, and I have seen malware use 0hday on Java to inject itself.

Obviously that takes a little more skill than what you are writing here, since most antivirus products just hook into functions and try to analyze what you are doing, and scan if you look like a virus based on the next instructions. (That is why antivirus vendors didn't really like Vista's anti-hook protection: they just couldn't hook themselves, a no-no since they have their own API!)

I saw someone who is a genius (gotta say it), Oded Horowitz (did I get the last name right?), 3 years ago with code that blew my mind: a binary analyzer that detected not changes but other stuff (I promised not to disclose the complete stuff), but I think it would be a good time to have him in this conversation.

BTW, didn't @stake have a binary decompiler/detection tool? Did THAT ever work?

BTW, I could say the same thing about AVs and analysis:

- Registry Hook - 100 lines of code
- mail*() hook - 150 lines of code
- _write(), _read(), _open() hooks - 500 lines of code
- Heuristics engine - Bought from F-Prot
- Getting owned by a 1024 uppercase zip file name - PRICELESS

That is why most AVs have to blacklist, and why you then have signature variations. Kaspersky has smaller sigs because of the way they use the engine, but still, everything can be tricked.

my $0.02

//Nahual


No Body wrote:

I'm curious: what exactly makes writing malware difficult? Consider a sophisticated modern mass-mailer with a backdoor. In my experience, it consists of:

A) Code to inject a thread into explorer.exe; that thread then contains:
B) Code to report to a central server via HTTP;
C) A SOCKS proxy thread and/or remote file system viewer;
D) A routine to scour the disk for email addresses;
E) An SMTP client;
F) Code to ensure that the worm starts every time the system boots (almost always via the registry), and maybe
G) Code to make sure its registry key / executable are not deleted.

Each component is no more than 1,000 lines of code, and each is easily testable. For good measure, the binaries are usually packed with either FSG or UPX. Your standard IRC trojan is even less sophisticated. Trojan downloaders are literally less than ten lines of C code to write. BHOs, as well, are much easier to write than they are to analyze (if you don't believe me, try it). SymbianOS malware is excruciatingly difficult to analyze, while the malware authors have an emulator and an SDK with a rich collection of examples to work with.

I just don't see the "incredibly hard" part in writing malware: are you referring to some other class of malware than the ones I've described? I agree with Sophos (while at the same time thinking AV is snake-oil): statically analyzing malware is substantially harder than writing it.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave