How much time does it take to create a malware that evades antimalware solutions? One or two minutes

Terry Ganzi

Thread author
“In the following table, first column represents the Anti-Malware, the second the number of samples (without transformations) correctly detected by the antimalware while in the third column (in red) the number of correctly detected samples after transformation process.”

[Image: antimalware-test-results.jpg]


“The results are impressive: the antimalware is not able to recognize the transformed malware (given that it was able to recognize the original malware).
The transformation engine is released for the scientific community under an open source license at the following URL: https://github.com/faber03/AndroidMalwareEvaluatingTools

The details of the test conducted by the Iswatlab are included in the report titled “Evaluating malware obfuscation techniques against antimalware detection algorithms”.

This test raises the discussion about the capability to limit the production of malware: the experts at the Iswatlab were able to create new malware without writing a single line of new code, just by scrambling some old, well-known threats.

You can read the rest of the news here: http://securityaffairs.co/wordpress/51714/malware/evading-antimalware.html
 

SHvFl

Malwarebytes detected 0? Damn son.
I am interested if any of all those programs' devs care to explain how the results are so different. Either there is a flaw in the test logic or a flaw in their detection.

EDIT: This is for mobile, which I know nothing about, but I assume it's mostly signature detection, hence the results.

kev216

Some very interesting results. Some do much better than I expected and others really impress me with the bad results.
Results are very different from the ones of 'independent labs' like AV-test or others.
Thanks for sharing!
 

cruelsister

With the code in hand it actually takes about 30 seconds (and that's when I'm doing my nails) to change malware. Further, the way the malware would be morphed is normally beta tested first to find the best pathway. It seems this test ("without writing any line of new code") is essentially about Script-kiddie mods so should be viewed as such.
 

Terry Ganzi

Thread author
The transformation engine developed by the researcher for Android malware works by applying the following transformations:

  • Disassembling & Reassembling.
  • Repacking.
  • Changing package name.
  • Identifier Renaming.
  • Data Encoding.
  • Call indirections.
  • Code Reordering.
  • Junk Code Insertion.
  • Composite Transformations.
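To illustrate why several of the transformations above defeat plain signature matching but not a detector that normalizes what it matches on, here is an added example (not code from the thread, the Iswatlab report, or the linked tool). It uses two constructed, benign toy smali-style listings: the "original" and a variant that has only been renamed and padded with junk nops, as the post's "Identifier Renaming" and "Junk Code Insertion" items describe. A raw byte hash changes; a signature over the normalized instruction stream does not.

```python
import hashlib
import re

# Constructed toy disassembly of one method (not real malware).
ORIGINAL = """
invoke-virtual {v0}, Lcom/example/Loader;->fetch()Ljava/lang/String;
move-result-object v1
invoke-static {v1}, Lcom/example/Util;->decode(Ljava/lang/String;)[B
move-result-object v2
return-object v2
"""

# Constructed variant: app-owned class/method names renamed, nops inserted.
# Behaviour is identical; only the bytes differ.
TRANSFORMED = """
nop
invoke-virtual {v0}, La/b/C;->x()Ljava/lang/String;
nop
move-result-object v1
invoke-static {v1}, La/b/D;->y(Ljava/lang/String;)[B
nop
move-result-object v2
return-object v2
"""

# App-owned class and method names are cheap to rename, so they are wildcarded.
# Parameter/return descriptors (framework types such as Ljava/lang/String;)
# are kept, since a renaming tool cannot change those without breaking the call.
DESC_RE = re.compile(r"L[\w/$]+;->\w+(\(.*\)\S+)")


def raw_signature(listing: str) -> str:
    """Exact-match signature: a hash over the bytes as shipped."""
    return hashlib.sha256(listing.encode()).hexdigest()


def normalize(listing: str) -> list[str]:
    """Canonical instruction stream: junk nops dropped, renameable names wildcarded."""
    out = []
    for line in listing.strip().splitlines():
        line = line.strip()
        if not line or line == "nop":
            continue  # junk code insertion adds no behaviour; ignore it
        out.append(DESC_RE.sub(r"L?;->?\1", line))
    return out


def structural_signature(listing: str) -> str:
    """Hash over the normalized stream; survives renaming and nop padding."""
    return hashlib.sha256("\n".join(normalize(listing)).encode()).hexdigest()
```

This normalization only covers the two cheapest transformations in the list; data encoding, call indirection and code reordering change the instruction stream itself and need a different kind of feature (e.g. API call sets or behaviour) to survive.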
 

exCode

This is why I don't use any live virus protection. Say an installer installs software it didn't even advertise (no checkbox to remove it or anything); then I'll do an MBAM scan. But other than that I don't really do anything stupid. On VMs though.. :)
 

Myriad

With the code in hand it actually takes about 30 seconds (and that's when I'm doing my nails) to change malware. Further, the way the malware would be morphed is normally beta tested first to find the best pathway. It seems this test ("without writing any line of new code") is essentially about Script-kiddie mods so should be viewed as such.


@cruelsister

Yes, thank you... the voice of reason :)

If these things are not actively observable "in the wild", they are of trivial importance.
Life is too short...
 
Lucent Warrior

The point of these kinds of articles always seems to get lost. If they can alter the code without adding any new code and bypass signature detection, this would not be trivial. These particular samples may not be in the wild, but you can rest assured that samples have been modified and are in the wild, and that it happens often; and even though eventually the product you're using may develop the needed signatures, it will be only after the new modified sample has already been found on some systems. The point of the article was to show how easily your AV can be bypassed within minutes with a little work. Think deeply on this.
 

Solarquest

Moderator
@Terry Ganzi,
Thank you for sharing this!
If we think they used 5560 malware samples, the detection ratio is low... after the "wash process" it gets even lower... not good at all and somehow scary.
Some time ago I read that Android antivirus cannot monitor dynamic behavior... I'm not sure whether something has changed since then... if not, all detections are signature + heuristic based...
