Detection rate of AV scanners.
I read Robert Lemos' latest article:
And I thought, how could someone do this more simply?
So I thought, "why not pack code twice"?
I booted up my VMware XP system, grabbed an old copy of Sircam + 2 EXE packers and did the following:
1. I packed the Sircam binary with UPX and a separate mod program (so it can be repacked without being ID'd as UPX) and validated using virustotal.com that it would be detected. It was successfully detected by almost every major scanner except one, which surprised me a lot (*cough* Symantec *cough*).
2. I used a dummy DLL and packed the previously UPX'ed exe with that to get some more "fluff" for the next packer (PEBundle trial) to work with.
3. I uploaded the second, dual-packed file to virustotal.com and here is the result of the 27 different scanner engines:
* 1 scanner (DrWeb) successfully detected the file as the Sircam worm.
* 3 scanners (Fortinet, CAT-Quickheal and Panda) flagged the file as "Suspicious".
* 23 scanners totally failed to identify the worm.
If this also is the standard of the commercial products, then this is a REALLY horrible result.
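As an added, defender-side illustration (not code from the original post, and not the logic of any scanner named above): the generic "Suspicious" verdict that some engines return on a repacked sample usually comes from packer heuristics rather than a Sircam signature. The script below parses a PE section table without third-party modules and flags three cheap indicators: UPX-style section names, sections whose raw data has entropy near 8 bits/byte (compressed or encrypted payload), and sections that are empty on disk but large in memory (the packer's unpacking area). It also goes one step beyond the post by showing that renaming the UPX sections, as the "mod program" in step 1 does, defeats only the first indicator. The `build_pe` fixture, the 7.0-bit threshold and all sample bytes are constructed here for the demonstration.

```python
import math
import random
import struct

# Added example (not from the original post): a dependency-free packer
# heuristic over the PE section table. Threshold and fixtures are assumptions.

ENTROPY_THRESHOLD = 7.0   # bits/byte; compressed or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Minimal PE section-table parser; returns one dict per section header."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header follows the signature
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table follows the optional header
    sections = []
    for i in range(n_sections):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _reloc, _line, _nreloc, _nline, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "characteristics": chars})
    return sections


def assess(pe: bytes) -> dict:
    """Collect packing indicators; 'likely_packed' is True when any indicator fires."""
    findings, entropies = [], {}
    for s in parse_sections(pe):
        data = pe[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        ent = shannon_entropy(data)
        entropies[s["name"]] = round(ent, 2)
        if s["name"].lstrip(".").upper().startswith("UPX"):
            findings.append(f"{s['name']}: UPX-style section name")
        if ent > ENTROPY_THRESHOLD:
            findings.append(f"{s['name']}: entropy {ent:.2f} bits/byte (compressed/encrypted payload)")
        if s["raw_size"] == 0 and s["vsize"] >= 0x1000:
            findings.append(f"{s['name']}: empty on disk, {s['vsize']:#x} bytes in memory (unpacking area)")
    return {"entropies": entropies, "findings": findings, "likely_packed": bool(findings)}


def build_pe(sections) -> bytes:
    """Constructed fixture: a minimal PE image from (name, raw_data, virtual_size) tuples."""
    opt_size, e_lfanew = 0xE0, 0x40
    table = e_lfanew + 4 + 20 + opt_size
    raw_ptr = (table + 40 * len(sections) + 0x1FF) & ~0x1FF      # 0x200 file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)       # PE32 magic, rest zeroed
    table_bytes, body, vaddr = b"", b"", 0x1000
    for name, data, vsize in sections:
        padded = data + b"\0" * (-len(data) % 0x200)
        table_bytes += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr,
                                   len(padded), raw_ptr + len(body) if data else 0, 0, 0, 0, 0, 0x60000020)
        body += padded
        vaddr += (max(vsize, len(padded)) + 0xFFF) & ~0xFFF
    image = dos + b"PE\0\0" + coff + opt + table_bytes
    return image + b"\0" * (raw_ptr - len(image)) + body


# Constructed sample bytes: a pseudo-random blob stands in for a compressed payload,
# a repeating 64-byte pattern (exactly 6 bits/byte) stands in for ordinary code.
_rng = random.Random(7)
HIGH_ENTROPY_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
CODE_LIKE = bytes(range(64)) * 64

PLAIN_SAMPLE = build_pe([(".text", CODE_LIKE, 0x1000), (".data", b"hello", 0x1000)])
UPX_SAMPLE = build_pe([("UPX0", b"", 0x10000), ("UPX1", HIGH_ENTROPY_BLOB, 0x1000), (".rsrc", b"rsrc", 0x1000)])
# Same layout with the section names changed, as a name-stripping "mod" would leave it.
RENAMED_SAMPLE = build_pe([(".code0", b"", 0x10000), (".code1", HIGH_ENTROPY_BLOB, 0x1000), (".rsrc", b"rsrc", 0x1000)])

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SAMPLE), ("upx", UPX_SAMPLE), ("renamed", RENAMED_SAMPLE)):
        report = assess(sample)
        print(label, report["likely_packed"], report["entropies"])
        for f in report["findings"]:
            print("  -", f)
```

Running the script prints one report per constructed sample: the plain image triggers nothing, the UPX-named image fires on the names, the entropy and the empty UPX0 section, and the renamed image still fires on entropy and the unpacking area. To use it on a real file, pass `open(path, "rb").read()` to `assess`; the threshold is a rough default, and legitimately compressed resources or cryptographic material will also exceed it, which is why such heuristics yield a generic "Suspicious" rather than a named identification.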