AV products vulnerability [Fwd: [TH-research] Upx hack tool]

From: Gadi Evron (ge_at_linuxbox.org)
Date: 01/22/04

    Date: Thu, 22 Jan 2004 00:08:29 -0800
    To: bugtraq@securityfocus.com

    The below discussed tool in the forwarded message from TH-Research (The
    Trojan Horses Research Mailing List) appears to enable malware to pass
    right through the detection mechanisms of most AV products.

    The reason this email message is forwarded is because this new.. erm..
    let us call it a "packer" tricks quite a bit of the AV products in the
    market.

    Apparently either their engine's emulators can't handle it, or they do
    not have one. Also, it is not screened by itself.
    Screening this.. "packer" is very easy and can be done with a signature
    for the short-term solution; it does not *require* an engine update.

    One would expect an emulator to deal with it, but the surprise is not
    too great and the weak spot is easy to fix.

    Since it was announced on TH-Research a couple of days ago and all
    member AV and AT firms should have updated their products, I am emailing
    the world so the rest can update as well.

    As we have seen many times, once one malware gets out and uses it, many
    others soon will. The security concerns in not emailing this information
    are not as serious as the risk if we do not.

    The "packing" itself, using this product, is rather simple to undo.
    Thanks go to Rolles, Rolf for his help with proving the point and coding
    an example for research purposes of defending against such malware.

    Important note: the tool itself is perfectly legal. Many perfectly legal
    packers are used by malware authors to try and "hide" their "creations"
    from AV products.
    I should also note that this new "packer" comes from the makers of PEcrypt.

    As always, this message is forwarded according to the guidelines in the
    TH-Research FAQ.

            Gadi Evron.

    The Trojan Horses Research Mailing List - http://ecompute.org/th-list

    From: "Daniel Otis-Vigil"
    To: TH-Research
    Subject: [TH-research] Upx hack tool
    Date: Tue, 20 Jan 2004 10:40:19 -0700

    Mail from "Daniel Otis-Vigil"

    Safe url: http://archphase.united.net.kg/projects.html

    UPXredir
    This tool takes a packed UPX file and smacks on a section and does a few
    more things of trickery to transform it to not look like a UPX packed file,
    so when anti-virii come along they can't decompress the packed data and see
    its raw form. Includes source code and binary, written in Delphi 6.

    Daniel Otis-Vigil
    MooSoft Development
    http://www.moosoft.com

    -
    TH-Research, the Trojan Horses Research mailing list.
    List home page: http://ecompute.org/th-list

