
AV products vulnerability [Fwd: [TH-research] Upx hack tool]

The tool discussed in the message forwarded below from TH-Research (The Trojan Horses Research Mailing List) appears to enable malware to pass right through the detection mechanisms of most AV products.

The reason this email message is forwarded is because this new.. erm.. let us call it a "packer" tricks quite a bit of the AV products in the market.

Apparently either their engine's emulators can't handle it, or they do not have one. Also, it is not screened by itself. Screening this.. "packer" is very easy and can be done with a signature for the short-term solution, it does not *require* an engine update.

One would expect an emulator to deal with it, but the surprise is not too great and the weak spot is easy to fix.

Since it was announced on TH-Research a couple of days ago and all member AV and AT firms should have updated their products, I am emailing the world so the rest can update as well.

As we have seen many times, once one malware gets out and uses it, many others soon will. The security concerns in emailing this information are not as serious as the risk if we do not.

The "packing" itself, using this product, is rather simple to undo.
Thanks go to Rolf Rolles for his help with proving the point and coding an example, for research purposes, of defending against such malware.

Important note: the tool itself is perfectly legal. Many perfectly legal packers are used by malware authors to try and "hide" their "creations" from AV products.
I should also note that this new "packer" comes from the makers of PEcrypt.

As always, this message is forwarded according to the guidelines in the TH-Research FAQ.

        Gadi Evron.

The Trojan Horses Research Mailing List - http://ecompute.org/th-list


From: "Daniel Otis-Vigil"
To: TH-Research
Subject: [TH-research] Upx hack tool
Date: Tue, 20 Jan 2004 10:40:19 -0700

Mail from "Daniel Otis-Vigil"

Safe url: http://archphase.united.net.kg/projects.html

UPXredir
This tool takes a packed UPX file and smacks on a section and does a few more things of trickery to transform it to not look like a UPX packed file, so when anti-virii comes only they can't decompress the packed data and see its raw form. Includes sourcecode and binary, written in Delphi 6.

Daniel Otis-Vigil
MooSoft Development
http://www.moosoft.com

-
TH-Research, the Trojan Horses Research mailing list.
List home page: http://ecompute.org/th-list
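The forwarded description says the tool alters a UPX-packed file so that it no longer "looks like" UPX, which defeats scanners that recognise UPX by its surface features (section names) rather than by what the packer actually leaves behind. The following is an added example, written for this archive and not code from either message or from the tool's authors: a name-independent layout check that keys on UPX's standard on-disk structure (a first section with zero raw size reserving the unpacked image, followed by an executable section holding high-entropy compressed data). `build_pe` is a constructed minimal PE32 builder used only to produce test inputs; the heuristic itself and the 7.0-bit entropy threshold are this example's own choices.

```python
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000

def entropy(data):
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe(pe):
    """Return (AddressOfEntryPoint, [(name, vaddr, vsize, raw_off, raw_size, flags)])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    entry = struct.unpack_from("<I", pe, opt + 16)[0]
    sects = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i        # section table entries are 40 bytes each
        name, vsize, vaddr, rsize, roff = struct.unpack_from("<8sIIII", pe, off)
        flags = struct.unpack_from("<I", pe, off + 36)[0]
        sects.append((name.rstrip(b"\0"), vaddr, vsize, roff, rsize, flags))
    return entry, sects

def looks_upx_packed(pe):
    """Layout heuristic that ignores section names: UPX's first section reserves the
    unpacked image (zero raw size, large virtual size) and a later executable section
    holds the high-entropy compressed payload together with the decompression stub."""
    _, sects = parse_pe(pe)
    if len(sects) < 2 or sects[0][4] != 0 or sects[0][2] < 0x1000:
        return False
    return any(flags & IMAGE_SCN_MEM_EXECUTE and entropy(pe[roff:roff + rsize]) > 7.0
               for _, _, _, roff, rsize, flags in sects[1:])

def build_pe(sections, entry=0x1000):
    """Constructed minimal PE32 image for testing; sections = [(name, vsize, raw_bytes, flags)]."""
    hdr_len = 0x40 + 4 + 20 + 224 + 40 * len(sections)
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 16, entry)
    table, body, vaddr, roff = b"", b"", 0x1000, hdr_len
    for name, vsize, raw, flags in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw), roff if raw else 0, 0, 0, 0, 0, flags)
        body += raw; vaddr += max(vsize, len(raw)); roff += len(raw)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + body

# Constructed samples: UPX-style layout with innocuous section names vs. an ordinary two-section image.
PACKED = build_pe([(b".text", 0x20000, b"", 0xE0000080), (b".rsrc", 0x4000, bytes(range(256)) * 16, 0xE0000040)])
PLAIN = build_pe([(b".text", 0x1000, b"\x90" * 0x200 + b"\xc3", 0x60000020), (b".data", 0x1000, b"A" * 0x100, 0xC0000040)])
```

A signature for the renaming tool itself, as the forwarding note suggests, is the quick fix; a structural check like this one is what keeps the UPX unpacker firing after the names are gone.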