sunbiz_3000 said:
I think I have to completely disagree with u on this one! Modifying the code in the way I did, by just adding some dummy stucts or changing pointer locations doesnt create new malwares. Its just a variant of the original malware. Just the kind that is so common these days. Remember that more than 60% of the malwares (never really cared for defining what the world means by viruses --> so I may have used the terms interchangably) today are just variants of older ones (nothing scientific --> this is my guess based on looking at virus databases of AV companies and other sources like vscdb, viruslist, Secunia...etc). Nothing to be looked down upon, but only helps create better protection against variants!!
The reason this kind of modification of code is invalid is because of concerns from the AV-vendors about whether the modifications are doctored to suit a particular vendor's heuristics engine in order to get that AV the best result. Due to this, it is looked down upon by the industry and hence the testers use only the new variants and new samples that have appeared in a widespread manner and test them against AVs with old updates. Other than that it could theoretically work, but then, you are not releasing these samples in-the-wild and seeing which AV protects from what?
Do u know the tester personally?? Coz that would be really helpful in getting some more insight on what samples he/she is testing on. Also would be helpful to analyze few codes I have compiled recently!!
Well, there are multiple testers actually, and I know one of them, but not in the sense that we sit down and share coffee everyday.
However, I can get in contact with him. The guys are very strict on their samples policy. You can only get the samples if you work for an AV vendor.
I would really like to know what is ur fav AV and how it performs on ur sample. After that we could assemble a group of guys (Im sure a few volunteers from TE would be excited to help) and do an AV review (and post our results across the net). We could mix our samples and create a few more original sample viruses)
AV reviews involve more than just detection rates.
Anyway, I have tried only four AVs on my sample set, namely BitDefender, AVG Anti-Malware (basically it is AVG+Ewido AntiSpyware), Dr.Web and the Dr.Web clone Virus Chaser.
Based purely on detection rate BitDefender performs the best. Kaspersky should probably do better but I have not checked it out. AVG Anti-Malware is second (The free version has lower detection rate compared to the paid version I was using), and Dr.Web is third.
There is some small difference between the detection rates of Dr.Web and Virus Chaser, both of which use the Dr.Web engine. Virus Chaser detects about ~30 samples less than Dr.Web. Similar small differences have been observed in Virus Bulletin as well between Dr.Web and Virus Chaser, as well as KAV and eScan, both of which use the KAV engine.
Im really confused on why KAV missed on the 3 viruses after repacking, while detecting the rest 400. I used UPX and PECompact doing a dual packing, but randomly --> like UPX sometimes first while PECompact sometimes first. The only assumption I made was that it may have happened since these were P2P worms (Cibyz/Kibyz, Oror variant, Zafi D) and required PowerShell or someother execution environment that must have been lost (making the code useless) in the packing...
Probably an error occurred during unpacking. KAV is very sensitive to the version of packer used and even a .01 change in the release version of the packer will not be reliably unpacked by KAV until an update is released to cover this (luckily KAV updates every hour).
AV programs with generic unpacker should not have such problems in general. NOD32 relies a lot on its generic unpacker and the static (i.e. normal) packer support is quite low. The generic unpacker does most of the job. On the other hand BitDefender has the next best unpack engine to KAV, and also has a generic unpacker (the malware that was detected with generic unpacker is reported by BitDefender as GenPack: <Malware Name>)
[QUOTEAlso one thing I had missed out in the earlier discussions was regarding the use of 2 AVs or 2 AV scanners... I had once found G Data's AV Kit... combined KAV and BDs scan engines. Never had the goodluck to try it out. But Im sure it'll have the best detection, but dint find its performance and stuff... Has any1 here had a look at that??[/QUOTE]
GDATA AVK 2006 has a good interface and offers solid protection but is very heavy. The cost is also quite high and the support is not up to par. GDATA AVK 2007 will retain Kaspersky engine but it replaces BD engine with Avast.
