
Original Antivirus Test

In this short article I will shed some light on how signature-based antivirus software works, and explain why software authors need to choose their packers carefully if they do not want to damage their reputation and their program.

A couple of days ago, without having planned it, I ran an interesting antivirus test. It all started when, wandering through forgotten folders on my drive, I came across a couple of Trojans. Back in 2004 I had already run an antivirus test; the results of the scans can be seen there in my posts and in posts by other users. At that time I took a couple of Trojans and several programs that modify the binary (various packers and other tools; the full list is at the end). So I set out to see what had changed after 7 years.

Unfortunately, I no longer have the original test, only parts of it. But that was enough for the experiment and for some conclusions. The tests were run at www.virtest.com, which should, in theory, guarantee that the results are current.
The first surprise came when I checked the DTr trojan in its original form. The original Trojan file is packed with UPX. Test result: of 41 antiviruses, only 2 (eTrust and AVL) failed to identify it. Next I checked the unpacked file of the same Trojan (also supplied by the developer). This time only 31 of 41 caught it. A reasonable question arises: what is the point of antivirus labs adding samples if they can be bypassed so simply? There are, for example, plenty of UPX unpackers.

Then I tested the Pinch trojan, processed by different packers and other programs from that same bearded year 2004. The results are as follows (number of antiviruses that detected the virus out of the total number of antiviruses):

After examining some of the antivirus reactions, I came to the conclusion that they were complaining more about the use of packers than about the signature of the Trojan itself. For example, here is one entry:
ClamWin Pinch_1.exe PUA.Packed.ASPack
or this one:
Webroot Pinch.exe Sus/UnkPacker
where the engine could not unpack the file and complains about it.

I remembered that Pinch came with the fsg packer. I also remembered how, at one seminar, a representative of VBA32 said that in some cases a packer itself is added to the database, when there is confidence that the packer is not widely used and serves to hide the virus signature. According to the virus analyst, such packers are often written by virus writers themselves. There is some truth in that, especially if you recall how widespread the various "file cryptors" once were.

My next experiment: take a harmless program and try processing it with various packers. As the "victim" I chose ArpBuilder, a program I wrote.

Result:
  1. ClamWin complained about the use of PeCompact.
  2. 24 antiviruses complained about the use of fsg.

In this light, I recommend that programmers check their "brainchild" after processing it with packers. Otherwise it may hurt your software's reputation, and you will spend a long time explaining that "a misunderstanding has occurred". In my observation, using UPX does not cause such problems.
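To illustrate why a packed but harmless program collects the same verdict as a packed trojan, here is an added example (not from the original article) of how a generic "PUA.Packed.<name>" heuristic behaves: it reads only the PE section names and never looks at the payload. The header-only PE builder, the section-name table and the verdict strings are constructed for this demonstration; real engines use far richer signatures.

```python
import struct

# Illustrative table of section names that packers leave in the PE header.
# UPX and ASPack entries are the well-known ones; real AV engines also look at
# entry-point code, entropy and import tables, not just these names.
PACKER_SECTIONS = {
    b"UPX0": "UPX",
    b"UPX1": "UPX",
    b".aspack": "ASPack",
    b".adata": "ASPack",
}


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image (minimal header parser)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # first IMAGE_SECTION_HEADER (40 bytes each)
    return [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0")
            for i in range(num_sections)]


def packer_verdict(data: bytes):
    """Mimic a generic 'PUA.Packed.<name>' heuristic: it keys on the packer's
    section names and ignores the payload, so a clean program packed with the
    same tool gets the same verdict as a trojan, and the unpacked file gets none."""
    for name in pe_section_names(data):
        if name in PACKER_SECTIONS:
            return "PUA.Packed." + PACKER_SECTIONS[name]
    return None


def build_pe(section_names, payload: bytes = b"") -> bytes:
    """Construct a header-only PE (constructed test input, not loadable) with
    the given section names and an arbitrary payload appended."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections + payload


if __name__ == "__main__":
    body = b"identical program bytes"
    print(packer_verdict(build_pe([b".text", b".data"], body)))               # None
    print(packer_verdict(build_pe([b".text", b".aspack", b".adata"], body)))  # PUA.Packed.ASPack
```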

For those who want to run similar experiments of their own, here is the list of programs used (some of the software on these sites has been updated since 2004):
  1. Avx! AVSpoffer
  2. DotFix FakeSigner
  3. fsg
  4. HidePE, StealthPE
  5. Pecompact
  6. pe-patcher

Source: https://habr.com/ru/post/127942/