The first Virustotal report is of jpsvirus maker tool i just made disable task manager and i wrote my own code to do so using c++ 2nd virustotal report is my own virus. I just want to know thay why jps got detected by all AVs and mine was detected by only three.
Want To Know Virus Difference
- Thread starter malhunter332
- Start date
When it comes to detection of malware ("malicious software") there are many factors which come into play and even a small difference between these factors can result in a malicious or clean identification verdict depending on the Anti-Virus engine being tested against the target sample/s.
A virus is a type of malware, not all threats are viruses; that being said, viruses are definitely not as common in the wild as they were around 6 years ago and most vendors are moving to identification methods learning towards the threats which are really in the wild, which means they do a clean-up of their static detection methods (e.g. checksum hash databases, generic HEX signatures) and also for their dynamic behavioral detection methods - of course this does not mean that they won't detect viruses because this is not true at all, however due to how malware is always evolving and the vendors trying to keep updated with the newest threats, they need to spend more resources focusing on the real threats out in the wild, therefore some samples (e.g. of a Virus type) which were detected a few years ago may not be detected now.
Disabling Task Manager in itself is not going to cause a malware detection in most cases since it's only a suspicious trace which is commonly automated by malware which will attempt to hijack the system (to prevent the user from terminating the processes, etc.), however if the sample has real infection capabilities (e.g. PE infection to cause the virus code to be executed when the affected program/s are executed at some point during execution flow) then it will probably detect the sample assuming no packing mechanisms have been applied.
I need to point out that you are testing with VirusTotal and the detection's present on VirusTotal are not entirely accurate since the vendors may have differences between the engine in the Home/Enterprise products and the one they allow to be used on VirusTotal - this means that the detection's on VirusTotal may be more aggressive or less aggressive, you'll need to test the samples against the individual security products to get a more accurate verdict on it's detection for the samples.
When you are performing on-demand scanning (also done when using VirusTotal since it will use the static engine to scan the samples in most cases), you are only testing the static side of detection mechanisms which will utilize checksum hash detection (e.g. the databases of known threats they are already aware of and have processed), and the generic detection methods (part of the static heuristics - this can include a scoring system working towards scanning the Strings and PE Imports of the sample, alongside detection of code patterns via HEX (which is based on the bytes within the PE)).
If you are performing proper dynamic testing with a security product then the detection's can vary since if it supports proper dynamic monitoring protection it may be able to single out specific programs as being malicious based on it's behavior (dependent on the API calls for example).
We cannot know for sure why the security products do not detect one or the other properly unless we pick each part of the PE away to detect what makes the product trigger and what makes it shiver quietly... And that is a very hard job and may not even give a good result which is helpful at the end anyway. However, like I said, there are many factors that come into play (file size, code signing authentication, then the static scanning, etc.).
Anyway, I am not sure if it's even part of the rules here to be going around making malware and then asking for any sort of help (even though you are asking about why the samples are not detected by many vendors); I am assuming you are only doing this for educational testing purposes?
Hope this helped and stay safe,
Wave.
A virus is a type of malware, not all threats are viruses; that being said, viruses are definitely not as common in the wild as they were around 6 years ago and most vendors are moving to identification methods learning towards the threats which are really in the wild, which means they do a clean-up of their static detection methods (e.g. checksum hash databases, generic HEX signatures) and also for their dynamic behavioral detection methods - of course this does not mean that they won't detect viruses because this is not true at all, however due to how malware is always evolving and the vendors trying to keep updated with the newest threats, they need to spend more resources focusing on the real threats out in the wild, therefore some samples (e.g. of a Virus type) which were detected a few years ago may not be detected now.
Disabling Task Manager in itself is not going to cause a malware detection in most cases since it's only a suspicious trace which is commonly automated by malware which will attempt to hijack the system (to prevent the user from terminating the processes, etc.), however if the sample has real infection capabilities (e.g. PE infection to cause the virus code to be executed when the affected program/s are executed at some point during execution flow) then it will probably detect the sample assuming no packing mechanisms have been applied.
I need to point out that you are testing with VirusTotal and the detection's present on VirusTotal are not entirely accurate since the vendors may have differences between the engine in the Home/Enterprise products and the one they allow to be used on VirusTotal - this means that the detection's on VirusTotal may be more aggressive or less aggressive, you'll need to test the samples against the individual security products to get a more accurate verdict on it's detection for the samples.
When you are performing on-demand scanning (also done when using VirusTotal since it will use the static engine to scan the samples in most cases), you are only testing the static side of detection mechanisms which will utilize checksum hash detection (e.g. the databases of known threats they are already aware of and have processed), and the generic detection methods (part of the static heuristics - this can include a scoring system working towards scanning the Strings and PE Imports of the sample, alongside detection of code patterns via HEX (which is based on the bytes within the PE)).
If you are performing proper dynamic testing with a security product then the detection's can vary since if it supports proper dynamic monitoring protection it may be able to single out specific programs as being malicious based on it's behavior (dependent on the API calls for example).
We cannot know for sure why the security products do not detect one or the other properly unless we pick each part of the PE away to detect what makes the product trigger and what makes it shiver quietly... And that is a very hard job and may not even give a good result which is helpful at the end anyway. However, like I said, there are many factors that come into play (file size, code signing authentication, then the static scanning, etc.).
Anyway, I am not sure if it's even part of the rules here to be going around making malware and then asking for any sort of help (even though you are asking about why the samples are not detected by many vendors); I am assuming you are only doing this for educational testing purposes?
Hope this helped and stay safe,
Wave.
Thank you for this detail. yes obviously i am doing these on educational and research purpose bcoz you know the only way to deal with these threats is to get yourself familiarized that how they work. I am only interested to make AV program for Malware that's why i made these so i can test this when i will be building my AV.
One thing i would like to ask that if this is not virus and is hijacking code then why Virus maker title this as Virus.
And also i want to know that what could be signature for this specific code coz it is malicious code , isnt it ? I can give you code if you want to see but not in here coz i think this will be illegal to post malicious code in here.
For your info i am using registry tweak in C++.
One thing i would like to ask that if this is not virus and is hijacking code then why Virus maker title this as Virus.
And also i want to know that what could be signature for this specific code coz it is malicious code , isnt it ? I can give you code if you want to see but not in here coz i think this will be illegal to post malicious code in here.
For your info i am using registry tweak in C++.
1. You're probably wasting your time trying to develop an Anti-Virus product alone since there are so many different components to integrate which need to be done really carefully (and if you cannot compete with other vendors then no one will use it since Windows Defender is decent on it's own); been there, done that, taken the picture. But if that is your plan and you don't mind spending all the time then go for it, but don't be surprised if you find yourself in the same place more-or-less that you are in now this time next year.
2. To be completely honest with you, most malware authors these days (especially) are pretty damn dumb and don't really know what they are doing. We've gone from advanced PE infecting virus, kernel-mode rootkit and bootkit infections being common in the wild to half-completed broken samples mostly being made in the .NET framework. Go to any malware pack and there's an 80% chance (random percentage I made up on the spot) that many of the samples will mostly be either really badly made or just pretty much broken.
3. Use a HEX editor to identify parts that are exclusive to samples which can be used as an identification method for other samples with the same bytes (which represents the code), but you need to be careful since if you don't do it right you can cause a lot of false positive detection's. You should be familiar with reverse engineering for this stage, some good software would be: IDA Pro, WinDbg, OllyDbg.
4. There's no point in you sending me the code because I don't need it, I already know what you've done because you told me... You disabled Task Manager via registry functions (probably via the Win32 API): DisableTaskMgr policy. There's neither any point in me making you a signature for that activity based on HEX because: you won't learn if someone just does it for you (since you won't understand how I even did it properly - and it takes time to learn, you can't just read a post and know how to do it for good, I struggle too because we are not perfect), and packing will just completely bypass the detection unless you are capable of working with unpacking mechanisms (and by the looks of things, you aren't).
5. If you want to dynamically block the disabling of Task Manager then write a DLL to perform API hooking on NtSetValueKey and then inject this DLL into the target process/es (e.g. monitored processes); in the callback you can filter out the key which is being modified to prevent a process from modifying the DisableTaskMgr one (to stop it from being blocked). I recommend manual-map injection since then the DLL won't be found in the PEB list and therefore won't be detected as a module in the process' address space using normal methods of enumerating through the process' modules and therefore it's more stealth and makes it harder to detect the AV engine's presence.
Manual map injection works by writing to the process' memory to cause it to load the target DLL to inject with LdrLoadDll (Native API function which is responsible for the loading of DLLs in a process - it is called when LoadLibrary is called); you'll also need to do things like resolve the API imports.
-------------------------------------------------
I've written a couple of threads on AV development so I will post the links below, maybe they can help you with some other things unrelated to this topic:
AV self-protection (process) [C/C++)
Anti-Rootkit development [C/C++ - kernel-mode & user-mode]
Critical Processes [Theory & C++/C#/VB] (useful since you can learn more on this for cleaning malware which have set themselves as a critical process)
Stay safe and good luck,
Wave.
Similar threads
- Locked
