I am very disappointed by some antivirus solutions [copycats]
<blockquote data-quote="Deleted member 65228" data-source="post: 714128">
<p>Initially I wondered the same thing and thus proceeded to quickly put it to the test.</p>
<p>I appended some random bytes to the end of the Portable Executable, meaningless bytes to be precise (0 and 1). This isn't just a file pumping technique, but can be used to force the hash checksum of the Portable Executable to change. The reason for this is that hash checksums (e.g. MD5, SHA-1 and SHA-256) are calculated over the bytes (which represent the data of the PE), so if you add/change bytes, the hash checksum will be different on the next re-calculation.</p>
<p>I re-uploaded the sample afterwards to VirusTotal: <a href="https://www.virustotal.com/#/file/6b5776ecb271574512ed1b7c2c6d8f2aba53617712a2d6f9e18ec43d323deb09/detection" target="_blank">VirusTotal</a></p>
<p>ESET no longer flags the sample. Bear in mind that all the bytes from the original sample which triggered a flag by ESET are still present; there are just a few additional 0s and 1s at the end of the bytes for the PE, which is pretty meaningless in terms of difference - this did cause a hash checksum change though.</p>
<p>At the same time, you may notice how Avast and AVG still flag the sample. They could have still relied on hash checksum detection for the record, despite the overall hash checksum having changed and the detection still being caused... <em>you can actually hash sections of the Portable Executable.</em></p>
<p><em>Personally it means nothing to me, I still think the same of the vendors. It's just a test sample so why care?</em></p>
</blockquote>
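Added example, not part of the quoted post or any vendor's code: a Python script that builds a constructed minimal PE32+ fixture, appends trailing 0/1 bytes as the post describes, and shows that the whole-file SHA-256 changes while per-section SHA-256 values stay identical; it also measures the appended bytes as an "overlay" past the last section, which is the second signal a defender can use. Header offsets follow the PE/COFF layout; the fixture, function names and filler bytes are assumptions of this example.

```python
import hashlib
import struct

def build_test_pe(section_data: bytes) -> bytes:
    """Constructed minimal PE32+ image with one section (a test fixture, not a real sample)."""
    dos = bytearray(0x40)                    # bare DOS header
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature follows the DOS header
    size_opt = 0xF0                          # PE32+ optional header size
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptHdr, Flags
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, size_opt, 0x0022)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B)    # PE32+ magic
    raw_ptr = 0x40 + 4 + 20 + size_opt + 40  # section data directly after the one section header
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000, len(section_data),
                      raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec + section_data

def parse_sections(pe: bytes):
    """Yield (name, raw_offset, raw_size) for every entry in the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size

def file_hash(pe: bytes) -> str:
    """Whole-file SHA-256: any appended byte changes it."""
    return hashlib.sha256(pe).hexdigest()

def section_hashes(pe: bytes) -> dict:
    """Per-section SHA-256: unaffected by bytes appended after the last section."""
    return {n: hashlib.sha256(pe[off:off + size]).hexdigest() for n, off, size in parse_sections(pe)}

def overlay_size(pe: bytes) -> int:
    """Bytes past the last section's raw data; appended padding shows up here."""
    end = max((off + size for _n, off, size in parse_sections(pe)), default=0)
    return max(0, len(pe) - end)

SAMPLE = build_test_pe(b"\x90" * 64 + b"\xC3")  # constructed fixture, harmless filler bytes
PADDED = SAMPLE + bytes([0, 1] * 8)             # 16 trailing 0/1 bytes, as in the post
print(file_hash(SAMPLE) != file_hash(PADDED), section_hashes(SAMPLE) == section_hashes(PADDED), overlay_size(PADDED))
```

Hashing each section's raw data separately is one way a scanner keeps matching a known sample after trailing bytes are added, and a non-zero overlay on a file whose sections are otherwise known is itself worth flagging for review.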