Hi my forum friends,
Here are some results of avast detection against an automated online packing service:
https://polypack.eecs.umich.edu/results ... 278ae73bfd
Some AV vendors did not welcome this research product of Michigan University that makes malware go undetected through various packers, while security experts in their turn say AV vendors are to blame for failing to detect repackaged malware.
Users can upload malware to the researchers at polypack and there it will be made undetectable, so it goes under the radar of AV scanners. Maynor states that polypack is peak technology to establish the weak sides of AV scanning technology and to demonstrate how easily detection can be circumvented, see: http://erratasec.blogspot.com/2009/08/a ... d-hen.html
According to the researchers at https://polypack.eecs.umich.edu/ the repackaging technique has been available to malcreants for quite some time now, but their techniques could make circumventing it 250% more effective. AV vendors should not criticize this research but contribute to making detection rates better and closing the vulnerability gap.
Only one thing is effective against this kind of malware: take care that you are least vulnerable to bugs and exploits, do not log in as admin/root, and keep all the software on your machines fully updated and fully patched.
luntrus
Polypack- should initiative be vilified?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1) Gecko/20090806 Namoroka/3.6a1
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: Polypack- should initiative be vilified?
Links are unreachable. I'll just read the article.
"This Connection is Untrusted
You have asked Namoroka to connect
securely to polypack.eecs.umich.edu, but we can't confirm that your connection is secure.
Normally, when you try to connect securely,
sites will present trusted identification to prove that you are
going to the right place. However, this site's identity can't be verified."
Edit: Links are reachable if you change https to http.
It looks like the Kaspersky blogger hasn't read http://polypack.eecs.umich.edu either. He's spouting misinformation.
Edit: Just read Maynor's article about Kaspersky's complaint. The article explains why it's understandable that Kaspersky vilifies the project.
Thank goodness for NoScript, Sandboxie, and safe hex. Unfortunately for Kaspersky (and other AV sales companies), projects such as the Polypack Project highlight the fallacy that signature based AV products can protect anything other than sales numbers. Could you imagine a slightly different scenario: "Cigarette company employee states that research into tobacco/cancer link is unethical?"
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Re: Polypack- should initiative be vilified?
And in some instances, detection rates INCREASED over the unpacked sample.
Have to wonder about that.
I can understand an A/V not having an unpacker for a particular packer, & so then not being able to detect it, but how does one miss the unpacked sample, yet does detect in a packed sample of the same?
(Sounds like monkey business to me.)
Themida
Universal Extractor
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17
- Senior Member
- Posts: 240
- Joined: Fri Jul 03, 2009 7:20 am
Re: Polypack- should initiative be vilified?
Maybe it doesn't detect any enclosed in particular, but fudges and just correlates a particular packer with malware in general. Sort of a packer signature.
Or did this test single out the packed item by name?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Re: Polypack- should initiative be vilified?
My thought too.
I didn't see it noted what the found malware was reported as? (Didn't read the PDF either. <I think there was a PDF, somewhere?>)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17
- Senior Member
- Posts: 240
- Joined: Fri Jul 03, 2009 7:20 am
Re: Polypack- should initiative be vilified?
therube wrote: I didn't see it noted what the found malware was reported as? (Didn't read the PDF either. <I think there was a PDF, somewhere?>)
There's the pdf http://jon.oberheide.org/files/woot09-polypack.pdf
from the blog that luntrus linked to http://erratasec.blogspot.com/2009/08/a ... d-hen.html
I went into a coma at this point:
"Engines like AntiVir, which has a fairly dark stripe, may appear to be quite effective at detecting many packer classes, but this may be due to over-aggressive heuristics flagging binaries with high entropy as malicious and can lead to significant false positives"
because just before, the authors had asserted that their central figure described successful identification of binaries as malware:
"The greyscale shade of the square represents the percentage of samples successfully detected as malicious,"
It doesn't look as though their agenda was to identify any particular malware at all. It's a league table of packers vs AV engines. And the adjustments for which malware gets successfully trapped when their bleeding edge development is used by the whitehats? Monkey business is a very nice description.
Irrelevant observation: what a great load of impenetrable jargon they use.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: Polypack- should initiative be vilified?
Grumpy Old Lady wrote: There's the pdf http://jon.oberheide.org/files/woot09-polypack.pdf
Thanks for the link. I've downloaded it.
Grumpy Old Lady wrote: I went into a coma at this point because just before, the authors had asserted that their central figure described successful identification of binaries as malware
"Engines like AntiVir, which has a fairly dark stripe, may appear to be quite effective at detecting many packer classes, but this may be due to over-aggressive heuristics flagging binaries with high entropy as malicious and can lead to significant false positives"
"The greyscale shade of the square represents the percentage of samples successfully detected as malicious,"
Aside from the use of the word "entropy" -- which may have a narrow technical meaning in this context -- this all makes sense to me: i.e. the darker the square, the more malicious binaries were detected. But although overly aggressive detection heuristics may find more malware, they often have unacceptably high false positive detection rates as well.
Grumpy Old Lady wrote: It doesn't look as though their agenda was to identify any particular malware at all. It's a league table of packers vs AV engines. And the adjustments for which malware gets successfully trapped when their bleeding edge development is used by the whitehats? Monkey business is a very nice description.
Not sure what you mean here. The abstract makes it clear their agenda isn't to identify any particular malware, but to develop a packer service other whitehats can use. It looks like a reasonable whitehat project to me. I'd just as soon not have that kind of research only done by the bad guys. Apparently the bad guys already have pretty good packers, and more significant, there's room for building newer packers that avoid AV detection. It's an arms race.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
- Senior Member
- Posts: 240
- Joined: Fri Jul 03, 2009 7:20 am
Re: Polypack- should initiative be vilified?
Oh, don't listen to me - I am clueless about AV detection methods. It's always seemed to be very much an art and quite resistant to any kind of logical analysis; results (the famous "heuristic") are paramount.
Quoth Alan Baxter: "But although overly aggressive detection heuristics may find more malware, they often have unacceptably high false positive detection rates as well."
Which says that the best results, as reported on the figure, could also have the biggest false positives.
The false positives don't appear to have been reported.
But, as you've said, it is a war and much good may result if their algorithms are tuneable.
And even if their league tables simply annoy the AV vendors whose engines aren't high on the tables (they won't be able to claim a "polypack certificate of excellence" or something like that) that will be a goad for the companies concerned to improve their engines.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
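An added illustration of the entropy heuristic that Alan Baxter and Grumpy Old Lady are discussing (this is not code from the paper, the blog, or anyone in the thread): a whole-file entropy rule scores a packed program and a benign encrypted document identically, which is the false-positive problem the paper's caveat describes. The 7.0 threshold, the toy XOR "packer", and the three samples are all constructed for the demo.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_flag(data: bytes, threshold: float = 7.0) -> bool:
    """Naive 'high entropy means packed, packed means malicious' rule.
    The 7.0 threshold is an assumed value for illustration, not any vendor's."""
    return shannon_entropy(data) > threshold


def keystream(length: int, label: bytes) -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 in counter mode) so the demo
    is reproducible; stands in for compressed or encrypted content."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_pack(payload: bytes, label: bytes) -> bytes:
    """Toy 'packer': XOR the payload with a keystream. The output bytes become
    uniformly distributed, which is exactly what the heuristic keys on."""
    return bytes(p ^ k for p, k in zip(payload, keystream(len(payload), label)))


# Constructed samples, not real files.
PROGRAM = b"mov eax, 1\nint 0x80\n" * 200          # stand-in for plain code
PACKED_PROGRAM = xor_pack(PROGRAM, b"packer")      # the same code, packed
ENCRYPTED_DOC = keystream(4096, b"user-backup")    # benign encrypted backup


def evaluate(samples: dict) -> dict:
    """Return {name: (entropy rounded to 2 places, flagged)} per sample."""
    return {name: (round(shannon_entropy(d), 2), entropy_flag(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    results = evaluate({"program": PROGRAM, "packed program": PACKED_PROGRAM,
                        "encrypted backup": ENCRYPTED_DOC})
    for name, (h, flagged) in results.items():
        print(f"{name:18s} entropy={h:.2f} flagged={flagged}")
```

The plain program scores well under the threshold; the packed copy and the benign encrypted document both score near 8 bits per byte and are both flagged, so the rule's detection count for packers comes bundled with a false positive on any compressed or encrypted legitimate file.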