Sunday, May 9, 2010

How Wecorl trapped security giant McAfee

The recent false detection and deletion of svchost.exe (Windows XP SP3) by McAfee shocked everyone who uses McAfee antivirus. This article will try to reveal the dark side of this incident. The false positive problem is a big headache for AV companies; even antivirus titans have it. The number of unique malware samples doubles every year, and every day AV companies receive thousands of samples from various sources. In reality a malware analyst can analyze only tens of samples a day.

Employing enough malware analysts to analyze thousands of samples every day is not even imaginable for AV companies, yet scoring a detection rate above 90% in the many AV tests is not possible with very few analysts. So many of them have started to use a heuristic tool (a program) that scans each sample with the major antivirus engines and, based on the other AVs' detections, directly adds a detection pattern (e.g. a CRC) for that sample without it ever being checked by a malware analyst.

W32/Wecorl is a file-patching worm that patches svchost.exe (other variants infect iexplore.exe, winlogon.exe, etc.) and spreads to other machines by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability.

The thing to consider here is that all the AVs detect Wecorl as a worm. The patching logic of Wecorl is not even the same on all machines: it varies depending on the cavity (run of zero bytes) available in the file it is trying to patch. But the call to the infected code lies near the entry point. So the detection pattern McAfee added for Wecorl was a very poor choice in this case.

To avoid this type of incident, every AV vendor should stop adding detection patterns for malware on the strength of other AVs' detections. They should expand their research labs. At least analyzing every sample they receive in a sandbox would help them avoid this kind of incident.
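One concrete check a vendor can run before shipping a pattern, as an added example that is not part of the original post: gate every candidate byte-pattern signature against a corpus of known-clean files. The file contents, names and the worm "body" below are constructed stand-ins for the argument, not real svchost.exe or Wecorl bytes; find_cavities only illustrates why the patch location differs from host to host.

```python
# Added example (not from the original post): a pre-release gate that rejects a
# candidate byte-pattern signature when it matches any file in a known-clean corpus.
# All file contents below are constructed stand-ins, not real svchost.exe/Wecorl bytes.

def find_cavities(data: bytes, min_len: int = 16):
    """(offset, length) of every zero-byte run at least min_len long: the cavities a
    file-patching worm can write into, which differ from one host file to the next."""
    cavities, start = [], None
    for i, b in enumerate(data + b"\x01"):       # sentinel closes a trailing run
        if b == 0 and start is None:
            start = i
        elif b != 0 and start is not None:
            if i - start >= min_len:
                cavities.append((start, i - start))
            start = None
    return cavities

def check_signature(pattern: bytes, clean: dict, infected: dict):
    """Return (ok, problems). ok is True only if the pattern hits every infected
    sample and no clean file; problems names each violation."""
    problems = [f"false positive: {n}" for n, d in clean.items() if pattern in d]
    problems += [f"missed sample: {n}" for n, d in infected.items() if pattern not in d]
    return (not problems, problems)

# Constructed corpus: each 'file' is a shared prologue, some code, a zero cavity, a tail.
ENTRY = b"\x55\x8b\xec\x83\xec\x10"                  # prologue shared by every build
CLEAN = {
    "svchost_sp3.exe": ENTRY + b"\x90" * 8 + b"\x00" * 32 + b"\xc3",
    "svchost_sp2.exe": ENTRY + b"\x90" * 4 + b"\x00" * 24 + b"\xc3",
}
# Infected copies: a call patched right after the prologue, body written into the cavity.
PAYLOAD = b"\xde\xad\xbe\xef\xca\xfe\xba\xbe"
INFECTED = {
    "svchost_sp3.infected": ENTRY + b"\xe8\x20\x00\x00\x00" + b"\x90" * 3 + PAYLOAD + b"\x00" * 24 + b"\xc3",
    "svchost_sp2.infected": ENTRY + b"\xe8\x18\x00\x00\x00" + PAYLOAD + b"\x00" * 15 + b"\xc3",
}
BAD_SIGNATURE = ENTRY       # lifted from near the entry point: present in clean files too
GOOD_SIGNATURE = PAYLOAD    # taken from the worm body: hits both infected files only

if __name__ == "__main__":
    for label, sig in (("entry-point bytes", BAD_SIGNATURE), ("worm body", GOOD_SIGNATURE)):
        ok, problems = check_signature(sig, CLEAN, INFECTED)
        print(label, "->", "SHIP" if ok else "REJECT", problems)
    print("cavities in svchost_sp3.exe:", find_cavities(CLEAN["svchost_sp3.exe"]))
```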

Finally, I want to refer to the article by Magnus, "On the way to better testing" on viruslist.com, which is a good article on testing. But this article has been criticized by most of the AV vendors.

Wednesday, January 27, 2010

Rogue - Security Tool

This rogue tool has been roaming around the Internet recently and annoying users.

Kaspersky detects this one only as Fraudpack. The interesting thing is that KAV fails to detect the unpacked file and detects only the packer.

On execution the malware installs a copy of itself into %Documents and Settings%\All Users\Application Data\%rand%\%rand%.exe

On successful installation it displays a dialog box with the message "Security Tool successfully installed".

It then gives the impression of scanning the system for spyware and adware, always reporting a detection count of exactly 21 threats. The threat count never changes for this rogueware.
The original file is deleted through a batch file dropped in the same directory.
The batch file kills the process of the initial copy by its image name (taskkill /im) and deletes the file.
The malware adds a Run entry so that it starts automatically after reboot. The real face of the malware can be seen only after the reboot: on rebooting the system it kills all the user processes, alerting that every one of them is malware.
The malware takes a snapshot of all the running processes and then terminates them.
It does not escalate privileges to kill highly privileged processes. The reason is that it does not want to crash the system; it just wants to annoy the user by preventing him from running any application.
It then asks the user to register the product in order to clean the "malware" from the system.

It also shows pop-up messages about the system infection.
The interesting fact in this scenario is that this rogue does not terminate the Internet Explorer process (iexplore.exe). The reason may be to let the user make the payment to register.


It also allows certain other processes to run:
firefox.exe
wscntfy.exe
shutdown.exe
avcheck.exe
wuauclt.exe
soft-cleaner.exe

So if you are infected by this malware, don't reboot the system.
Just open Task Manager, look for process names made of random numbers, and terminate them. Then do the usual cleaning of the registry and file system.
If you reboot the system it is really hard to kill the process.
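The triage described above (find the randomly named process, kill it, then clean the Run entry and the dropped files without rebooting), written out as an added example that is not part of the original post. The process list, Run-key values and the numeric name 28547 are constructed sample data, not a capture from an infected host.

```python
# Added example (not from the original post): triage logic that flags processes and
# Run-key entries matching the rogue's install pattern (a random-number folder and
# executable under All Users\Application Data). All sample data below is constructed.
import re

# Path shape described in the post: ...\All Users\Application Data\<rand>\<rand>.exe
ROGUE_PATH = re.compile(
    r"^[A-Za-z]:\\Documents and Settings\\All Users\\Application Data\\\d+\\\d+\.exe$",
    re.IGNORECASE)

def is_rogue_path(path: str) -> bool:
    """True if the (possibly quoted) path has the random-numeric folder/exe shape."""
    return ROGUE_PATH.match(path.strip().strip('"')) is not None

def suspicious_processes(processes):
    """processes: iterable of (pid, image_name, image_path).
    Returns the pids whose executable lives at a rogue-shaped path."""
    return [pid for pid, _name, path in processes if is_rogue_path(path)]

def suspicious_run_entries(run_values):
    """run_values: dict of Run-key value name -> command line.
    Returns the value names whose command launches a rogue-shaped path."""
    return [name for name, cmd in run_values.items() if is_rogue_path(cmd)]

def cleanup_plan(processes, run_values):
    """Order matters (see the post): terminate the process first, then remove the
    Run value and the dropped files, all without rebooting."""
    files = {p.strip('"') for _, _, p in processes if is_rogue_path(p)}
    files |= {c.strip().strip('"') for c in run_values.values() if is_rogue_path(c)}
    return {"terminate_pids": suspicious_processes(processes),
            "delete_run_values": suspicious_run_entries(run_values),
            "delete_files": sorted(files)}

# Constructed sample data (not from a real host).
PROCS = [
    (4, "System", ""),
    (1024, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    (1840, "28547.exe", r"C:\Documents and Settings\All Users\Application Data\28547\28547.exe"),
    (1900, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
]
RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "28547": r'"C:\Documents and Settings\All Users\Application Data\28547\28547.exe"',
}

if __name__ == "__main__":
    for step, items in cleanup_plan(PROCS, RUN_VALUES).items():
        print(step, "->", items)
```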

As most rogue malware is packed with polymorphic packers, I didn't find any AV company unpacking them,
even though certain AVs detect them as a packed file (packer detection). I have seen certain security applications' (even certain AVs') processes get terminated by this rogue.

This malware application is actually written in Delphi. Manually unpacking this malware is not an impossible task, but you should be aware of the anti-debugging trick in the packer.

For reference on reversing Delphi, look for my paper "Digging Delphi" at vxheavens.

Sunday, November 16, 2008

Reversing - The Art of Understanding Others' Code


Let this be a good start for things to come.
This blog will try to speak about my contributions to secure computing.


My special thanks to Mark Russinovich and Matt Pietrek for their valuable contributions to the reversing world.