lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon Dec 12 23:42:33 2005
From: valdis at antivirus.lv (Valdis Shkesters)
Subject: Inside AV engines?

These days, a very popular approach is to pack malicious codes by
different packers to create a large number of pseudo versions. Tests
performed by Eric Johansen from IBM Virus CERT were presented
at the Virus Bulletin 2005 conference. He had packed the generally
known Nimda.a by different packers and tested what was the possibility
of fooling different anti-viruses. Symantec with its on-demand scanner
identified only 33%, McAfee 67%, Trend Micro 57%.

http://files.malwareblog.com/EJohansen_VB2005_Presentation.pdf
http://files.malwareblog.com/EJohansen_VB2005.pdf

Best regards,

Valdis


----- Original Message ----- 
From: "Jeroen" <jeroen@...et.nl>
To: <pen-test@...urityfocus.com>; <full-disclosure@...ts.grok.org.uk>
Sent: Tuesday, December 13, 2005 12:56 AM
Subject: [Full-disclosure] Inside AV engines?


> For penetration testing on Wintel system, I often use netcat.exe and stuff
> like pwdump. More and more I need to disable anti-virus services before
> running the tools to avoid alarms and auto-deletion of the applications. 
> It
> works but it isn't an ideal situation since theoretically a network can be
> infected while the AV-services are down. Recompiling tools is an option
> since the source of many tools I use is available. The question is (before 
> I
> burn useless CPU cycles): can someone help me getting info about the 
> inside
> of AV engines? Will addition of some rubbish to the code do the trick (->
> other checksum), do I need to change some core code or is it a mission
> impossible anyway? Who can help for example getting some useful research
> papers on the subject of detecting viruses and how to bypass mechanisms
> used? Any help will be appreciated.
>
>
> Greets,
>
> Jeroen
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ