Metasploit mailing list archives

Re: New Javascript Packer: JSidle

From: Jonathan R <agentsmith15 () gmail com>
Date: Sat, 10 Jul 2010 18:15:39 -0500

NOD prides themselves on having one of the best heuristics engines, so
I believe NOD would mark the PDF as suspicious and not a specific
threat. You can do what many malware writers do and split the PDF into
multiple parts and you can narrow the range of where/what in the PDF
is getting flagged. Then change things accordingly.


This idea of delaying code to bypass detection has been brought up
before by well known virus writers like Z0mbie and Second Part To
Hell/[rRlf].
http://vxheavens.com/lib/vzo23.html   <--- Z0mbie's Paper
http://www.hack0wn.com/view.php?xroot=72.0&cat=papers   <--- SPTH/rHlf

This is all based upon the fact that a anti virus like Norton or NOD
can only spend about 3 or 4 seconds on each file. Otherwise a AV scan
would take to long.
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

Current thread:

New Javascript Packer: JSidle Sven Taute (Jul 09)
- Re: New Javascript Packer: JSidle Spring Systems (Jul 10)
  - Re: New Javascript Packer: JSidle Miguel Rios (Jul 10)
    - Re: New Javascript Packer: JSidle Jonathan R (Jul 10)
    - Re: New Javascript Packer: JSidle John Strand (Jul 10)
    - Re: New Javascript Packer: JSidle Spring Systems (Jul 11)
    - Re: New Javascript Packer: JSidle Thierry Zoller (Jul 11)
    - Re: New Javascript Packer: JSidle Spring Systems (Jul 11)
    - Re: New Javascript Packer: JSidle Miguel Rios (Jul 11)
    - Re: New Javascript Packer: JSidle Sven Taute (Jul 12)
    - Re: New Javascript Packer: JSidle Miguel Rios (Jul 13)
    - Re: New Javascript Packer: JSidle Thorgul (Jul 13)
    - Re: New Javascript Packer: JSidle Miguel Rios (Jul 13)
    - Re: New Javascript Packer: JSidle Miguel Rios (Jul 13)

(Thread continues...)