Metasploit mailing list archives

Re: New Javascript Packer: JSidle


From: John Strand <strandjs () gmail com>
Date: Sat, 10 Jul 2010 18:39:35 -0600

Very true.

Still, we all need to keep in mind that just because some antivirus engines
mark a piece of malware as "suspicious" on sites like VirusTotal does not
mean they will flag or even stop it on a "real" system. I have run across a couple of
examples with Symantec's Suspicious.Insight category.

If a company is paying you $20,000+ for a pen test you can afford to
purchase the same AV they are running and test your payloads on a "real"
system.

I know that Jonathan did not mention VirusTotal, I just wanted to add this
bit of information to the discussion.

-strandjs




On Sat, Jul 10, 2010 at 5:15 PM, Jonathan R <agentsmith15 () gmail com> wrote:

NOD prides itself on having one of the best heuristics engines, so
I believe NOD would mark the PDF as suspicious and not as a specific
threat. You can do what many malware writers do and split the PDF into
multiple parts to narrow down where/what in the PDF
is getting flagged. Then change things accordingly.


This idea of delaying code to bypass detection has been brought up
before by well known virus writers like Z0mbie and Second Part To
Hell/[rRlf].
http://vxheavens.com/lib/vzo23.html   <--- Z0mbie's Paper
http://www.hack0wn.com/view.php?xroot=72.0&cat=papers   <--- SPTH/rHlf

This is all based upon the fact that an anti-virus like Norton or NOD
can only spend about 3 or 4 seconds on each file. Otherwise an AV scan
would take too long.
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

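The "split the PDF into multiple parts and narrow down what is getting flagged" procedure from Jonathan R's message, done by bisection rather than by hand. This is an added example and is not code from the thread or from Metasploit; the scanner is a constructed substring matcher standing in for a real AV engine, and the sample PDF bytes and the `eval(unescape(` signature are constructed for the demonstration. To use it against a real product, replace `is_flagged` with a function that writes the candidate bytes to a temporary file and runs the vendor's on-demand scanner on it.

```python
"""Locate the byte range that trips a signature-based scanner by bisection.

Added example (not from the mailing-list thread). Instead of manually
splitting a file into halves and rescanning each, two binary searches find
the shortest flagged prefix and then the shortest flagged suffix inside it,
so a 1 MB file needs on the order of 2*log2(1M) ~ 40 scans instead of one
per candidate cut point.
"""
from typing import Callable, Optional, Tuple

Scanner = Callable[[bytes], bool]


def make_pattern_scanner(signature: bytes) -> Scanner:
    """Constructed stand-in for an AV engine: flags any blob containing `signature`."""
    return lambda data: signature in data


def count_calls(scanner: Scanner) -> Tuple[Scanner, list]:
    """Wrap a scanner so the number of scans it had to perform can be reported."""
    calls = [0]

    def wrapped(data: bytes) -> bool:
        calls[0] += 1
        return scanner(data)

    return wrapped, calls


def minimal_flagged_prefix(data: bytes, is_flagged: Scanner) -> int:
    """Smallest n such that data[:n] is still flagged (caller guarantees data is flagged).

    Assumes monotonicity: once a prefix is flagged, every longer prefix is too.
    That holds for byte-pattern signatures; see the note after the block for
    parsers that are not monotone.
    """
    lo, hi = 0, len(data)
    while lo < hi:
        mid = (lo + hi) // 2
        if is_flagged(data[:mid]):
            hi = mid
        else:
            lo = mid + 1
    return lo


def minimal_flagged_suffix_start(data: bytes, end: int, is_flagged: Scanner) -> int:
    """Largest s such that data[s:end] is still flagged (data[:end] must be flagged)."""
    lo, hi = 0, end
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if is_flagged(data[mid:end]):
            lo = mid
        else:
            hi = mid - 1
    return lo


def locate_signature(data: bytes, is_flagged: Scanner) -> Optional[Tuple[int, int]]:
    """Return (start, end) of the shortest flagged slice, or None if data is clean."""
    if not is_flagged(data):
        return None
    end = minimal_flagged_prefix(data, is_flagged)
    start = minimal_flagged_suffix_start(data, end, is_flagged)
    return start, end


# Constructed sample: a fake PDF with one "bad" fragment buried in filler.
SIGNATURE = b"eval(unescape("
SAMPLE = b"%PDF-1.4\n" + b"A" * 100 + SIGNATURE + b"B" * 50


def demo() -> Tuple[Optional[Tuple[int, int]], int]:
    """Locate the signature in SAMPLE and report how many scans it took."""
    scanner, calls = count_calls(make_pattern_scanner(SIGNATURE))
    return locate_signature(SAMPLE, scanner), calls[0]


if __name__ == "__main__":
    span, scans = demo()
    if span:
        print(f"flagged bytes at {span}: {SAMPLE[span[0]:span[1]]!r} after {scans} scans")
```

The bisection relies on the detection being monotone in the amount of file present: a byte-pattern signature behaves that way, but a heuristics engine that parses the PDF object tree may stop flagging a truncated file simply because it no longer parses, which would send the search the wrong way. With such an engine, cut on object boundaries (`obj` ... `endobj`) and re-wrap each candidate in a minimal valid PDF rather than slicing raw bytes.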