Skip navigation.
Home

Detection rate of AV scanners.

I read Robert Lemos latest article:
http://www.securityfocus.com/brief/292

And i thought, how could someone do this more simple?

So i thought, "why not pack code twice"?

I booted up my VMWare XP system, grabbed an old copy of Sircam + 2 EXE packers and did the following:

1. I packed the Sircam binary with UPX and a separate mod program (so it can be repacked without being ID'd as UPX) and validated using virustotal.com that it would be detected. It was successfully detected by almost every major scanner except one which surprised me alot (*caugh* Symantec *caugh*).

2. I used a dummy DLL and packed the previously UPX'ed exe with that to get some more "fluff" for the next packer (PEBundle trial) to work with.

3. I uploaded the second, dual packed file to virustotal.com and here is the result of the 27 different scanner engines:

* 1 scanner (DrWeb) sucessfully detected the file as the Sircam worm.

* 3 scanners (Fortinet, CAT-Quickheal and Panda) flagged the file as "Suspicous".

* 23 scanners totally failed to identify the worm.

If this also is the standard of the commercial products, then this is a REALLY horrible result.

double packing

yep, check out other perverters and crypters like codecrypter. you'll get a better idea of how (in)effective the major av vendors are at scanning binaries...

your results are pretty consistent with what i've seen, although bitdefender seems to be a pretty good unpacker too. thanks for sharing!

Comment

"Suspicious" by mentioned scanners means that the file is packed with exe-packer that is offten used for packing malware.

Pack a "clean" file with the same packer as you did for Sircam, and those scanners will tell that the file is "suspicious".

About the horrible results, some exe-packers can be unpacked, and the unpacked file will be scanned. This is statick unpacking, and most of the AV-programs use this method.
If the AV-program does not have unpacking module for some packer - you can guess the results of scanning.

Other method is dynamic unpacking - something like executing/debugging the file, and let it unpack itself in the RAM, but prevent the unpacked file to execute; now dump the file from the memory and scan it.
The problem is that most of the newer packers has anti-debug technology that will prevent dynamic unpacking...

Yupp, i guessed as much

Yupp, i guessed as much about that AV scanners cry wolf every time they see a packed executable.

One problem with inmemory debugging is that HOW do you know that the program is the genuine one to scan? You can have packer inside packer inside packer within packer like those nested Russian dolls.

You would need something like "AntiHook" or the "Core Force" firewall and isolate the program from important system resources. I do not even bother to use AV software myself because i only run applications i (need to) trust on my main computer, games and such run on another box and the rest goes into VMWare - but even then, ONLY if i REALLY need to.

But there are still problem with code hiding: how do you know that it doesnt download some large DLL file and use that as a decryption key for some memory space that reveals a trojan/worm? What if it installs itself as a service and actively lowers access for AV software to scan its files? What if it decrypt data and injecting that executable code into another process with CreateRemoteThread()? This is not exactly brain surgery.

As for the anti-debug stuff, after looking on the IsDebuggerPresent() thing, i found it easier to terminate debuggers like Ollydbg by searching for process modules with a name with "dbg" in it or look for content within the memory space of a process that contains stuff like "BREAKPOINT", "JSR" and such stuff, then issue TerminateProcess().

Alternative solutions are much more fun.

Some honorable mention

some things to note I've come across. Certain AV simulation engines treat packers like archives, which makes sense to a certain degree. These engines are however configurable to scan to a certain archive depth. ie: packed 10 times, proceed no more.

The packer I used to test this was off the shelf UPX as you do find legitimate bins that are packed with UPX (installers and the like) and thus most AV vendors don't note it as suspicious.