Open Source and information security mailing list archives
Message-ID: <400F84FD.3080900@linuxbox.org>
Date: Thu, 22 Jan 2004 00:08:29 -0800
From: Gadi Evron <ge@...uxbox.org>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.netsys.com
Subject: AV products vulnerability [Fwd: [TH-research] Upx hack tool]


The tool discussed below, in the forwarded message from TH-Research (The 
Trojan Horses Research Mailing List), appears to enable malware to pass 
right through the detection mechanisms of most AV products.

The reason this email message is forwarded is that this new.. erm.. 
let us call it a "packer" tricks quite a few of the AV products on the 
market.

Apparently either their engines' emulators can't handle it, or they do 
not have one. Also, it is not screened by itself.
Screening this.. "packer" is very easy and can be done with a signature 
as a short-term solution; it does not *require* an engine update.

One would expect an emulator to deal with it, but the surprise is not 
too great and the weak spot is easy to fix.

Since it was announced on TH-Research a couple of days ago and all 
member AV and AT firms should have updated their products, I am emailing 
the world so the rest can update as well.

As we have seen many times, once one malware gets out and uses it, many 
others soon will. The security concerns in not emailing this information 
are not as serious as the risk if we do not.

The "packing" itself, using this product, is rather simple to undo.
Thanks go to Rolles, Rolf for his help with proving the point and coding 
an example for research purposes of defending against such malware.

Important note: the tool itself is perfectly legal. Many perfectly legal 
packers are used by malware authors to try and "hide" their "creations" 
from AV products.
I should also note that this new "packer" comes from the makers of PEcrypt.

As always, this message is forwarded according to the guidelines in the 
TH-Research FAQ.

	Gadi Evron.

The Trojan Horses Research Mailing List - http://ecompute.org/th-list


From: "Daniel Otis-Vigil"
To: TH-Research
Subject: [TH-research] Upx hack tool
Date: Tue, 20 Jan 2004 10:40:19 -0700

Mail from "Daniel Otis-Vigil"

Safe url: http://archphase.united.net.kg/projects.html

UPXredir
This tool takes a packed UPX file and smacks on a section and does a few
more things of trickery to transform it so it does not look like a UPX-packed
file, so that when anti-virus software comes along it can't decompress the
packed data and see its raw form. Includes source code and binary, written in Delphi 6.

Daniel Otis-Vigil
MooSoft Development
http://www.moosoft.com

-
TH-Research, the Trojan Horses Research mailing list.
List home page: http://ecompute.org/th-list

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
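Gadi's point is that a packer which merely hides its section names only defeats scanners that key on those names; a check on the file's structure still catches the packed layout. The script below is an added example written for this archive page, not code from the original message, from UPXredir, or from any AV product. It parses PE section headers and applies two checks: the naive name signature ("UPX0"/"UPX1") and a layout heuristic based on the standard UPX output (an executable section with no raw data as the unpack destination, followed by a writable+executable section holding the entry point). The heuristic, the sample headers and the "disguised" variant (section names replaced and one extra section appended) are all constructed assumptions for illustration; the page does not say what transformation UPXredir actually performs.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE               = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA   = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE            = 0x20000000
IMAGE_SCN_MEM_READ               = 0x40000000
IMAGE_SCN_MEM_WRITE              = 0x80000000


def build_pe(sections, entry_point):
    """Assemble a minimal 32-bit PE image (headers only, no section bodies) from
    (name, VirtualSize, VirtualAddress, SizeOfRawData, Characteristics) tuples.
    Constructed test input for this example, not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)             # AddressOfEntryPoint
    table = bytearray()
    raw_ptr = 0x400
    for name, vsize, va, rawsize, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va,
                             rawsize, raw_ptr if rawsize else 0, 0, 0, 0, 0, chars)
        raw_ptr += rawsize
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from an in-memory PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec, = struct.unpack_from("<H", data, coff + 2)         # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, coff + 16)    # SizeOfOptionalHeader
    opt = coff + 20
    entry, = struct.unpack_from("<I", data, opt + 16)        # same offset in PE32/PE32+
    table = opt + opt_size
    sections = []
    for i in range(nsec):
        off = table + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return entry, sections


def upx_by_name(sections):
    """Naive signature: UPX's default section names. Defeated by renaming."""
    return any(s["name"].startswith("UPX") for s in sections)


def entry_section(entry, sections):
    for s in sections:
        if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def upx_by_layout(entry, sections):
    """Layout heuristic (an assumption about the stock UPX layout, not a rule
    from the original message): an executable section with zero raw data (the
    unpack destination) lying below the entry-point section, which is both
    writable and executable (stub plus compressed payload). Names are ignored."""
    ep = entry_section(entry, sections)
    if ep is None:
        return False
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    if ep["chars"] & rwx != rwx:
        return False
    return any(s["rawsize"] == 0 and s["vsize"] >= 0x1000
               and s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["va"] < ep["va"]
               for s in sections)


def classify(data):
    entry, sections = parse_pe(data)
    return {"name": upx_by_name(sections), "layout": upx_by_layout(entry, sections)}


RWX_UNINIT = IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RWX_INIT   = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RW_DATA    = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RX_CODE    = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
R_DATA     = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ

# Constructed sample 1: section table as stock UPX lays it out.
STOCK_UPX = build_pe([(b"UPX0", 0x10000, 0x1000, 0, RWX_UNINIT),
                      (b"UPX1", 0x5000, 0x11000, 0x5000, RWX_INIT),
                      (b".rsrc", 0x1000, 0x16000, 0x1000, R_DATA)], entry_point=0x15A00)

# Constructed sample 2: same layout with names replaced and an extra section
# appended. An assumed disguise for illustration, not what UPXredir does.
DISGUISED = build_pe([(b".text", 0x10000, 0x1000, 0, RWX_UNINIT),
                      (b".data", 0x5000, 0x11000, 0x5000, RWX_INIT),
                      (b".rsrc", 0x1000, 0x16000, 0x1000, R_DATA),
                      (b".extra", 0x200, 0x17000, 0x200, R_DATA)], entry_point=0x15A00)

# Constructed sample 3: ordinary unpacked program, entry point in read/execute .text.
PLAIN = build_pe([(b".text", 0x4000, 0x1000, 0x4000, RX_CODE),
                  (b".data", 0x1000, 0x5000, 0x1000, RW_DATA)], entry_point=0x1200)

if __name__ == "__main__":
    for label, img in (("stock UPX", STOCK_UPX), ("disguised", DISGUISED), ("plain", PLAIN)):
        print(label, classify(img))
```

Run as a script, the name check flags only the stock sample, while the layout check flags both the stock and the disguised sample and leaves the plain program alone. A real scanner would go further (entropy of the entry section, the decompression stub's code bytes) but the point stands: a signature on what the packer cannot change cheaply is enough to screen this kind of disguise without an engine update.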

