Forums
New posts
Search forums
News
Security News
Technology News
Giveaways
Giveaways, Promotions and Contests
Discounts & Deals
Reviews
Users Reviews
Video Reviews
Support
Windows Malware Removal Help & Support
Inactive Support Threads
Mac Malware Removal Help & Support
Mobile Malware Removal Help & Support
Blog
Log in
Register
What's new
Search
Search titles only
By:
Search titles only
By:
Reply to thread
Menu
Install the app
Install
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Forums
Security
Malware Analysis
TrojanZipperPOC and ESET signatures Case Study
Message
<blockquote data-quote="Hexspeak" data-source="post: 877323" data-attributes="member: 87292"><p>From VT's statistics, this seems to be a fairly new signature. I am wondering if you could PM me the original sample and the one that avoids the detection?</p><p></p><p>Sometimes I indeed found some signature are not strong, and even "dumb". Seems to be heavily dependent on the malware prevalence</p><p></p><p>Update:</p><p></p><p>alright I think I've got the sample</p><p></p><p>[ATTACH=full]238260[/ATTACH]</p><p>[ATTACH=full]238261[/ATTACH]</p><p></p><p>After a glance through the PE, I assume the key string features of this sample are these four parts: encryption extension list, hardcoded encryption path, zip routine, and ransomnote. Changing the extension list may compromise the feature, changing the note may be better. Randomly changing things above will still trigger the detection. While changing a combo of those can avoid the detection, the sample is in a nasty situation already.</p><p></p><p>Of course one can locate the key char that may significantly lower the scoring and avoid the detection upon deletion, or use basic method to concat the string or xor the string. But again, this requires some manual efforts. When manual efforts are involved, all bets are off (at least on the client side). The key here is when the mutated sample gets prevalent again, the detection signature will again be modified to be more robust. Thus I assume it is harder to avoid the detection using such evasion technique on more popular families. In addition, a production ransomware will have more features to be extracted including VSS deletion, key exchange, etc. Once there are more functionalities involved, simply changing a string or an API call won't do the trick.</p><p></p><p>I remembered my past experiments with a more popular ransomware required me to change 4~5 key strings/functions combos to eventually avoid the client-side detection. I guess applying a packer is more cost-efficient in this case....</p></blockquote><p></p>
[QUOTE="Hexspeak, post: 877323, member: 87292"] From VT's statistics, this seems to be a fairly new signature. I am wondering if you could PM me the original sample and the one that avoids the detection? Sometimes I indeed found some signature are not strong, and even "dumb". Seems to be heavily dependent on the malware prevalence Update: alright I think I've got the sample [ATTACH type="full" alt="hex.jpg"]238260[/ATTACH] [ATTACH type="full" alt="hex2.jpg"]238261[/ATTACH] After a glance through the PE, I assume the key string features of this sample are these four parts: encryption extension list, hardcoded encryption path, zip routine, and ransomnote. Changing the extension list may compromise the feature, changing the note may be better. Randomly changing things above will still trigger the detection. While changing a combo of those can avoid the detection, the sample is in a nasty situation already. Of course one can locate the key char that may significantly lower the scoring and avoid the detection upon deletion, or use basic method to concat the string or xor the string. But again, this requires some manual efforts. When manual efforts are involved, all bets are off (at least on the client side). The key here is when the mutated sample gets prevalent again, the detection signature will again be modified to be more robust. Thus I assume it is harder to avoid the detection using such evasion technique on more popular families. In addition, a production ransomware will have more features to be extracted including VSS deletion, key exchange, etc. Once there are more functionalities involved, simply changing a string or an API call won't do the trick. I remembered my past experiments with a more popular ransomware required me to change 4~5 key strings/functions combos to eventually avoid the client-side detection. I guess applying a packer is more cost-efficient in this case.... [/QUOTE]
Insert quotes…
Verification
Post reply
Top
