Found this on Packetstorm, I remember that Mudge made a joke on this topic several years ago in his presentation @ Blackhat.
I got this new idea how to identify and neutralise malware that does process injection into other processes.
It is a fairly simple thing, I have lots of code that could be used for it and I know how to write it, the problem is that I have no idea how to test it, mostly because I do not have access to a malware sample that does process injection.
The program is basically an extension to one of my older programs (Procwall) but it would audit the process for certain properties and track these properties while it is running.
I read Robert Lemos latest article:
And I thought, how could someone do this more simply?
So i thought, "why not pack code twice"?
I booted up my VMWare XP system, grabbed an old copy of Sircam + 2 EXE packers and did the following:
1. I packed the Sircam binary with UPX and a separate mod program (so it can be repacked without being ID'd as UPX) and validated using virustotal.com that it would be detected. It was successfully detected by almost every major scanner except one, which surprised me a lot (*cough* Symantec *cough*).
Back in the days of the Amiga, we had lots of viruses too. We had memory resident programs (Like TSRs for Dos) that protected the system, antivirus code in Bootsectors, and programs that warned you if there were some virus-like programs running.
There was even antivirus software that could decode and analyse executable code - on the fly - and tell you what the code could do, like "changes reset vectors, may survive a boot" (etc).
Now when I look back on this era, I feel that we have moved backwards in time. Not many are doing anything proactive, most antivirus software is just fixing the problem using reactive measures. Sure, it makes them money, so why bother fixing it?