Metasploit mailing list archives

Re: New Javascript Packer: JSidle


From: Spring Systems <korund () hotmail com>
Date: Sun, 11 Jul 2010 09:53:58 +0000


I tried to run the adobe_flashplayer_newfunction PDF exploit with custom encoded JavaScript (not with the JSidle packer) on a PC 
with Kaspersky AV: the first time the PDF doc passed through the AV OK, no alerts. When I tried to open this PDF doc a second 
time, the antivirus instantly reacted, flagged the file and removed it. Some sort of fast self-adjusting scanning engine?


spring

Date: Sat, 10 Jul 2010 18:39:35 -0600
From: strandjs () gmail com
To: agentsmith15 () gmail com
CC: framework () spool metasploit com
Subject: Re: [framework] New Javascript Packer: JSidle

Very true.
Still, we all need to keep in mind that just because some antivirus engines mark a piece of malware as "suspicious" for 
sites like VirusTotal does not mean they will flag or even stop it on a "real" system. I have run across a couple of examples 
with Symantec's Suspicious.Insight category.

If a company is paying you $20,000+ for a pen test, you can afford to purchase the same AV they are running and test 
your payloads on a "real" system.
I know that Jonathan did not mention VirusTotal; I just wanted to add this bit of information to the discussion.

-strandjs 


On Sat, Jul 10, 2010 at 5:15 PM, Jonathan R <agentsmith15 () gmail com> wrote:

NOD prides itself on having one of the best heuristics engines, so I believe NOD would mark the PDF as suspicious and not 
a specific threat. You can do what many malware writers do and split the PDF into multiple parts, and you can narrow the 
range of where/what in the PDF is getting flagged. Then change things accordingly.

This idea of delaying code to bypass detection has been brought up before by well known virus writers like Z0mbie and 
Second Part To Hell/[rRlf].

http://vxheavens.com/lib/vzo23.html   <--- Z0mbie's Paper
http://www.hack0wn.com/view.php?xroot=72.0&cat=papers   <--- SPTH/rHlf

This is all based upon the fact that an antivirus like Norton or NOD can only spend about 3 or 4 seconds on each file. 
Otherwise an AV scan would take too long.

_______________________________________________

https://mail.metasploit.com/mailman/listinfo/framework
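Jonathan R's suggestion of splitting the PDF into parts to narrow down where the flag fires is, in practice, a bisection over the file bytes against a yes/no scanner verdict. The script below is an added example and is not code posted by anyone in this thread or shipped with JSidle or Metasploit. It assumes detection is monotonic (if a slice is flagged, any slice that contains it is flagged too), which holds for static byte-pattern signatures but not necessarily for heuristic or behavioural verdicts, and it counts scanner calls because each real on-demand scan costs seconds. The SIGNATURE pattern, the PDF-like SAMPLE_PDF bytes and the fake scanner are constructed stand-ins, not a real signature or exploit; cli_scanner wraps an on-demand AV command line and assumes exit code 1 means "infected" (true for clamscan; adjust for other engines).

```python
"""Locate the byte range of a file that trips an AV signature by bisection.

Added example, not from the mailing-list thread. Assumes a monotonic
detector: if a slice is flagged, every slice containing it is flagged too.
Heuristic/behavioural verdicts may break that assumption, in which case the
search can converge on a wrong region.
"""
import os
import subprocess
import tempfile


def smallest_flagged_prefix(data, is_flagged):
    """Binary-search the shortest prefix data[:n] that is still flagged.

    Invariant: data[:lo] is clean (the empty slice), data[:hi] is flagged.
    Returns None when the whole file is not flagged at all.
    """
    if not is_flagged(data):
        return None
    lo, hi = 0, len(data)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if is_flagged(data[:mid]):
            hi = mid
        else:
            lo = mid
    return hi


def locate_flagged_region(data, is_flagged):
    """Return (start, end) of the minimal contiguous flagged slice, or None.

    First shrink from the right (smallest flagged prefix), then from the left
    (largest start offset that keeps data[start:end] flagged).
    Invariant in the second loop: data[lo:end] flagged, data[hi:end] clean.
    """
    end = smallest_flagged_prefix(data, is_flagged)
    if end is None:
        return None
    lo, hi = 0, end
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if is_flagged(data[mid:end]):
            lo = mid
        else:
            hi = mid
    return lo, end


class CountingScanner:
    """Wrap a scanner callback and count invocations (each real scan is slow)."""

    def __init__(self, fn):
        self.fn = fn
        self.calls = 0

    def __call__(self, chunk):
        self.calls += 1
        return self.fn(chunk)


def cli_scanner(command, flagged_exit_codes=(1,)):
    """Build an is_flagged() callback around an on-demand AV command line.

    `command` is a list such as ["clamscan", "--no-summary"]; the temp file
    path is appended. Exit code 1 for "infected" matches clamscan; this is an
    assumption for other engines.
    """
    def is_flagged(chunk):
        fd, path = tempfile.mkstemp(suffix=".pdf")
        try:
            with os.fdopen(fd, "wb") as fh:
                fh.write(chunk)
            rc = subprocess.run(command + [path], capture_output=True).returncode
        finally:
            os.unlink(path)
        return rc in flagged_exit_codes
    return is_flagged


# Constructed stand-ins: a made-up signature string and a PDF-like byte string.
# The fake scanner flags any buffer containing SIGNATURE.
SIGNATURE = b"/S /JavaScript /JS (BAD_SIG_MARKER)"

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << " + SIGNATURE + b" >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def fake_signature_scanner(chunk):
    """Stand-in for an AV verdict: flagged iff the constructed pattern is present."""
    return SIGNATURE in chunk


def demo():
    """Run the bisection on the constructed sample; return (region, scan count)."""
    scanner = CountingScanner(fake_signature_scanner)
    return locate_flagged_region(SAMPLE_PDF, scanner), scanner.calls


if __name__ == "__main__":
    region, calls = demo()
    start, end = region
    print(f"flagged bytes {start}-{end} after {calls} scans: {SAMPLE_PDF[start:end]!r}")
```

Against a real engine, replace fake_signature_scanner with cli_scanner([...]) and expect roughly 2*log2(file size) scans rather than one per chunk, which is what makes the approach workable when each scan takes several seconds. If the reported region is empty or jumps around between runs, the verdict is not monotonic (heuristic rather than a fixed byte pattern) and bisection is the wrong tool.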

