AV products vulnerability [Fwd: [TH-research] Upx hack tool]
The tool discussed in the forwarded message below, from TH-Research (The
Trojan Horses Research Mailing List), appears to enable malware to pass
right through the detection mechanisms of most AV products.
The reason this email message is forwarded is that this new... erm...
let us call it a "packer" tricks quite a few of the AV products on the
market.
Apparently either their engines' emulators can't handle it, or they do
not have one. Also, it is not screened by itself.
Screening this... "packer" is very easy and can be done with a signature
as a short-term solution; it does not *require* an engine update.
One would expect an emulator to deal with it, but the surprise is not
too great and the weak spot is easy to fix.
Since it was announced on TH-Research a couple of days ago and all
member AV and AT firms should have updated their products, I am emailing
the world so the rest can update as well.
As we have seen many times, once one malware gets out and uses it, many
others soon will. The security concerns in emailing this information
are not as serious as the risk if we do not.
The "packing" itself, using this product, is rather simple to undo.
Thanks go to Rolf Rolles for his help with proving the point and coding
an example, for research purposes, of defending against such malware.
Important note: the tool itself is perfectly legal. Many perfectly legal
packers are used by malware authors to try and "hide" their "creations"
from AV products.
I should also note that this new "packer" comes from the makers of PEcrypt.
As always, this message is forwarded according to the guidelines in the
TH-Research FAQ.
Gadi Evron.
The Trojan Horses Research Mailing List - http://ecompute.org/th-list
From: "Daniel Otis-Vigil"
To: TH-Research
Subject: [TH-research] Upx hack tool
Date: Tue, 20 Jan 2004 10:40:19 -0700
Mail from "Daniel Otis-Vigil"
Safe url: http://archphase.united.net.kg/projects.html
UPXredir
This tool takes a UPX-packed file, smacks on a section and does a few
more things of trickery to transform it so it does not look like a UPX-packed
file, so when anti-virii comes along they can't decompress the packed data and
see its raw form. Includes source code and binary, written in Delphi 6.
Daniel Otis-Vigil
MooSoft Development
http://www.moosoft.com
-
TH-Research, the Trojan Horses Research mailing list.
List home page: http://ecompute.org/th-list
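An added illustration of the point made in both messages above (that a
renamed/extended UPX file still has to be recognised before it can be
unpacked, and that a name-only signature is exactly what such a tool
defeats). This is example code written for this forward; it is not code
from either poster, from Rolf Rolles, or from the UPXredir tool. The two
PE images are constructed in memory, and the "redirected" one assumes a
particular set of changes (sections renamed, the "UPX!" marker removed,
a section appended and the entry point moved into it), since the exact
manipulations the tool performs are not described in the post.

```python
"""Detect a UPX-packed PE even after its section names and the "UPX!" marker
have been altered. Constructed example: both PE images are built in memory here,
not taken from any real sample or from the UPXredir tool."""
import struct

IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections, entry_point, tail=b""):
    """Assemble a minimal PE32: DOS stub, PE signature, COFF header, 224-byte
    optional header, section table, then 'tail' bytes standing in for section data.
    sections: list of (name, VirtualSize, VirtualAddress, SizeOfRawData, Characteristics)."""
    e_lfanew = 64
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)    # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)       # ImageBase
    table = b"".join(struct.pack(SECTION_FMT, n.ljust(8, b"\0"), vs, va, rs, 0, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, ch in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table + tail


def parse_pe(data):
    """Return (entry_point_rva, [section dicts]) read from a PE image's headers."""
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, e_lfanew + 24 + 16)[0]  # AddressOfEntryPoint
    table = e_lfanew + 24 + opt_size
    secs = []
    for i in range(nsec):
        n, vs, va, rs, *_, ch = struct.unpack_from(SECTION_FMT, data, table + i * 40)
        secs.append({"name": n.rstrip(b"\0"), "vsize": vs, "vaddr": va, "rsize": rs, "chars": ch})
    return entry, secs


def upx_by_name(secs):
    """The naive check a quick signature reduces to: section names UPX0/UPX1."""
    return any(s["name"].startswith(b"UPX") for s in secs)


def upx_by_marker(data):
    """The 'UPX!' tag the packer writes after the headers; trivially stripped."""
    return b"UPX!" in data


def upx_by_structure(entry, secs):
    """Name-independent heuristic: UPX leaves an uninitialized, writable+executable
    section with SizeOfRawData == 0 (the unpack target) immediately followed by a
    writable+executable section holding the compressed data and the stub. Returns
    'packed' when that pair exists and 'redirected' when the entry point lies outside
    the stub section, i.e. something was bolted on in front of the real stub."""
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    for a, b in zip(secs, secs[1:]):
        if (a["rsize"] == 0 and a["vsize"] > 0 and a["chars"] & IMAGE_SCN_CNT_UNINITIALIZED_DATA
                and a["chars"] & rwx == rwx and b["rsize"] > 0 and b["chars"] & rwx == rwx):
            in_stub = b["vaddr"] <= entry < b["vaddr"] + b["vsize"]
            return {"packed": True, "redirected": not in_stub}
    return {"packed": False, "redirected": False}


UPX_CHARS_0 = 0xE0000080   # uninitialized | exec | read | write, as UPX sets on UPX0
UPX_CHARS_1 = 0xE0000040   # initialized   | exec | read | write, as UPX sets on UPX1

# Constructed image 1: the layout of a freshly UPX-packed binary.
ORIGINAL = build_pe(
    [(b"UPX0", 0x10000, 0x1000, 0, UPX_CHARS_0),
     (b"UPX1", 0x8000, 0x11000, 0x7400, UPX_CHARS_1),
     (b".rsrc", 0x1000, 0x19000, 0x400, 0xC0000040)],
    entry_point=0x18F60, tail=b"UPX!")

# Constructed image 2: the same file after the assumed rewrite: sections renamed,
# marker removed, a section appended and the entry point redirected into it.
# Section order and characteristics are left untouched, as the unpacking stub needs them.
REDIRECTED = build_pe(
    [(b".text", 0x10000, 0x1000, 0, UPX_CHARS_0),
     (b".data", 0x8000, 0x11000, 0x7400, UPX_CHARS_1),
     (b".rsrc", 0x1000, 0x19000, 0x400, 0xC0000040),
     (b".redir", 0x1000, 0x1A000, 0x200, 0xE0000020)],
    entry_point=0x1A000, tail=b"\0" * 4)


def scan(data):
    """Run all three checks and report which of them still fire."""
    entry, secs = parse_pe(data)
    return {"name": upx_by_name(secs), "marker": upx_by_marker(data), **upx_by_structure(entry, secs)}


if __name__ == "__main__":
    for label, img in (("original", ORIGINAL), ("redirected", REDIRECTED)):
        print(label, scan(img))
```

On the constructed "redirected" image the name and marker checks go quiet
while the structural check still reports the packed pair, plus the moved
entry point as a hint that the stub has been wrapped. That is the kind of
cheap signature-level screen the first message has in mind; it does not
replace actually unpacking the file, and a tool that also rewrote section
characteristics or reordered sections would need the check extended.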