By combining several evasion techniques, real-world malicious executables with a high detection rate were rendered completely undetected

Terry Ganzi (thread author)
ONE PACKER TO RULE THEM ALL: EMPIRICAL IDENTIFICATION, COMPARISON, AND CIRCUMVENTION OF CURRENT ANTIVIRUS DETECTION TECHNIQUES
Lately, many popular anti-virus solutions claim to be the most effective against unknown and obfuscated malware. Most of these solutions are rather vague about how they supposedly achieve this goal, making it hard for end-users to evaluate and compare the effectiveness of the different products on the market. This presentation presents empirically discovered results on the various implementations of these methods per solution, which reveal that some anti-virus solutions have more mature methods to detect x86 malware than others, but all of them are lagging behind when it comes to x64 malware. In general, at most three stages were identified in the detection process: Static detection, Code Emulation detection (before execution), and Runtime detection (during execution). New generic evasion techniques are presented for each of these stages. These techniques were implemented by an advanced, dedicated packer, which is an approach commonly taken by malware developers to evade detection of their malicious toolset. Two brand new packing methods were developed for this cause. By combining several evasion techniques, real-world malicious executables with a high detection rate were rendered completely undetected to the prying eyes of anti-virus products.


PRESENTED BY
Alaeddine Mesbahi & Arne Swinnen
Nico@FMA
Great article, but rather old news.
In 2002 the SANS Institute published a report saying exactly the words above. And it's true that traditional AV and Internet Security solutions are rendered ineffective against these kinds of methods of hiding malware.
However, software like my FMA project is very capable of detecting these kinds of methods, as the detection is being done by human eyes.
Slow process? Yes, it is, but that's why it's called digital forensics.
That being said, I know that both Sophos and Symantec have in-house forensic products which are not for sale (only to be used by technical staff on site for forensic investigations) that will detect these methods.

This article points out one fact: it is not the technical capability that the AV has or does not have that fails to detect the malicious data.
But it's the scope that is being applied by the industry to give a middle-of-the-road protection standard.
If AV companies do want to give higher protection grades, then this can be done rather fast.
However, the question is: would their AV program still be lightweight and easy to understand?
And what about the costs?
Hence why specialized and forensic tools are often not included in their products and are only applied by technical staff.

Cheers

Cats-4_Owners-2
Differing points of view:
"This article points out one fact: it is not the technical capability that the AV has or does not have that fails to detect the malicious data.
But it's the scope that is being applied by the industry to give a middle-of-the-road protection standard.
If AV companies do want to give higher protection grades, then this can be done rather fast.
However, the question is: would their AV program still be lightweight and easy to understand?
And what about the costs?"
"Hokey religions and ancient weapons are no match for a good blaster at your side, kid."
-Han Solo

I would like to have the "FMA" Blaster, please. :) :cool:

I don't think this should be counted as news. This article was published months before...
"Your father's light saber. This is the weapon of a Jedi Knight. Not as clumsy or random as a blaster; an elegant weapon for a more civilized age. For over a thousand generations, the Jedi Knights were the guardians of peace and justice in the Old Republic. Before the dark times... before the Empire."
-Obi-wan Kenobi

I realize this wasn't just about old news, but I really liked the way it sounded!! :D