Polypack- should initiative be vilified?

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Polypack- should initiative be vilified?

Post by luntrus »

Hi my forum friends,

Here are some results of avast detection against an automated online packing service:
https://polypack.eecs.umich.edu/results ... 278ae73bfd
Some av vendors did not welcome this research product of Michigan university to make malware go undetected through various packers, while security experts in their turn say av vendors are to blame for failing to detect repackaged malware.
Users can upload malware to the researchers at polypack and there it will be made undetectable to go under the radar of av scanners. Maynor states that polypack is peak technology to establish the weak sides of the av scanning technology and to demonstrate how easily detection can be circumvented, see: http://erratasec.blogspot.com/2009/08/a ... d-hen.html
According to the researchers at: https://polypack.eecs.umich.edu/ the repackaging technique has been available to malcreants for quite some time now, but their techniques could make circumvention 250% more effective. AV vendors should not criticize this research but contribute to make detection rate better and close the vulnerability gap.
Only one thing is effective against this kind of malware: take care you are least vulnerable to bugs and exploits, do not log in as admin/root, and keep all the software of your machines fully updated and fully patched.

luntrus
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Polypack- should initiative be vilified?

Post by Alan Baxter »

Links are unreachable. I'll just read the article.
"This Connection is Untrusted
You have asked Namoroka to connect
securely to polypack.eecs.umich.edu, but we can't confirm that your connection is secure.
Normally, when you try to connect securely,
sites will present trusted identification to prove that you are
going to the right place. However, this site's identity can't be verified.
"

Edit: Links are reachable if you change https to http.
It looks like the Kaspersky blogger hasn't read http://polypack.eecs.umich.edu either. He's spouting misinformation.

Edit: Just read Maynor's article about Kaspersky's complaint. The article explains why it's understandable that Kaspersky vilifies the project.
Unfortunately for Kaspersky (and other AV sales companies), projects such as the Polypack Project highlight the fallacy that signature based AV products can protect anything other than sales numbers. Could you imagine a slightly different scenario: "Cigarette company employee states that research into tobacco/cancer link is unethical?"
Thank goodness for NoScript, Sandboxie, and safe hex.
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Polypack- should initiative be vilified?

Post by therube »

And in some instances, detection rates INCREASED over the unpacked sample.
Have to wonder about that.

I can understand an A/V not having an unpacker for a particular packer, & so then not being able to detect it, but how does one miss the unpacked sample, yet does detect in a packed sample of the same?
(Sounds like monkey business to me.)


Themida

Universal Extractor
Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: Polypack- should initiative be vilified?

Post by Grumpy Old Lady »

Maybe doesn't detect any enclosed in particular - but fudges and just correlates a particular packer with malware in general. Sort of a packer signature.
Or did this test single out the packed item by name?
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Polypack- should initiative be vilified?

Post by therube »

My thought too.
I didn't see it noted what the found malware was reported as? (Didn't read the PDF either. <I think there was a PDF, somewhere?>)
Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: Polypack- should initiative be vilified?

Post by Grumpy Old Lady »

therube wrote: I didn't see it noted what the found malware was reported as? (Didn't read the PDF either. <I think there was a PDF, somewhere?>)
There's the pdf http://jon.oberheide.org/files/woot09-polypack.pdf
from the blog that luntrus linked to http://erratasec.blogspot.com/2009/08/a ... d-hen.html

I went into a coma at this point:
"Engines like AntiVir, which has a fairly dark stripe, may appear to be quite effective at detecting many packer classes, but this may be due to over-aggressive heuristics flagging binaries with high entropy as malicious and can lead to significant false positives"
because just before, the authors had asserted that their central figure described successful identification of binaries as malware:
"The greyscale shade of the square represents the percentage of samples successfully detected as malicious,"
It doesn't look as though their agenda was to identify any particular malware at all. It's a league table of packers vs AV engines. And the adjustments for which malware gets successfully trapped when their bleeding edge development is used by the whitehats? Monkey business is a very nice description.
Irrelevant observation: what a great load of impenetrable jargon they use.
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Polypack- should initiative be vilified?

Post by Alan Baxter »

Grumpy Old Lady wrote:There's the pdf http://jon.oberheide.org/files/woot09-polypack.pdf
Thanks for the link. I've downloaded it.
I went into a coma at this point:
"Engines like AntiVir, which has a fairly dark stripe, may appear to be quite effective at detecting many packer classes, but this may be due to over-aggressive heuristics flagging binaries with high entropy as malicious and can lead to significant false positives"
because just before, the authors had asserted that their central figure described successful identification of binaries as malware:
"The greyscale shade of the square represents the percentage of samples successfully detected as malicious,"
Aside from the use of the word "entropy" -- which may have a narrow technical meaning in this context -- this all makes sense to me: i.e. the darker the square, the more malicious binaries were detected. But although overly aggressive detection heuristics may find more malware, they often have unacceptably high false positive detection rates as well.
It doesn't look as though their agenda was to identify any particular malware at all. It's a league table of packers vs AV engines. And the adjustments for which malware gets successfully trapped when their bleeding edge development is used by the whitehats? Monkey business is a very nice description
Not sure what you mean here. The abstract makes it clear their agenda isn't to identify any particular malware, but to develop a packer service other whitehats can use. It looks like a reasonable whitehat project to me. I'd just as soon not have that kind of research only done by the bad guys. Apparently the bad guys already have pretty good packers, and more significantly, there's room for building newer packers that avoid AV detection. It's an arms race.
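The two posts above both turn on one sentence from the paper: an engine can look good in the packer table by flagging any high-entropy binary as malicious, at the cost of false positives. The following is an added illustration of what that "entropy" measurement actually is; it is not code from the Polypack paper, from the Polypack service, or from any AV engine, and the function names and the three sample buffers are constructed here for the demonstration. It computes Shannon entropy per byte, applies the naive whole-file threshold the paper describes, and shows the false-positive case: a benign text table, once zlib-compressed (as an installer payload or embedded archive would be), scores as high as uniformly distributed bytes.

```python
import math
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte.

    0.0 for a constant stream, 8.0 when all 256 byte values occur equally often.
    """
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def high_entropy_regions(data: bytes, window: int = 1024, threshold: float = 7.0):
    """Walk the buffer in fixed-size windows and return (offset, entropy) for every
    window at or above the threshold. A packed or encrypted section shows up as a run
    of such windows, but so does a legitimately compressed resource."""
    hits = []
    last_start = max(1, len(data) - window + 1)
    for off in range(0, last_start, window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def entropy_verdict(data: bytes, threshold: float = 7.0) -> str:
    """The naive heuristic the paper warns about: whole-file entropy above the
    threshold means 'suspicious'. Nothing here looks at what the bytes do."""
    return "suspicious" if shannon_entropy(data) >= threshold else "clean"


# --- constructed samples (not real binaries, no malware involved) ---
# A text-like, low-entropy section, e.g. a string or lookup table.
TEXT_LIKE = b"".join(f"line {i}: value={(i * i) % 9973}\n".encode() for i in range(4000))
# The same benign text after zlib compression: near-uniform bytes, zero malicious intent.
COMPRESSED = zlib.compress(TEXT_LIKE, 9)
# Deterministic stand-in for uniformly random bytes: every value 0..255 exactly 16 times.
UNIFORM = bytes(range(256)) * 16


if __name__ == "__main__":
    for name, blob in (("text", TEXT_LIKE), ("zlib", COMPRESSED), ("uniform", UNIFORM)):
        print(f"{name:8} {len(blob):6d} bytes  entropy={shannon_entropy(blob):.2f}  "
              f"verdict={entropy_verdict(blob)}  "
              f"hot windows={len(high_entropy_regions(blob))}")
```

Run as-is, the compressed benign text and the uniform buffer both come back "suspicious" while the plain text comes back "clean", which is exactly why a dark stripe in the paper's figure cannot be read as "this engine understands this packer": the same threshold that catches packed samples also fires on every compressed installer, and the paper reports no false-positive column to separate the two.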
Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: Polypack- should initiative be vilified?

Post by Grumpy Old Lady »

Oh, don't listen to me - I am clueless about AV detection methods. It's always seemed to be very much an art and quite resistant to any kind of logical analysis; results (the famous "heuristic") are paramount.
Quoth Alan Baxter
But although overly aggressive detection heuristics may find more malware, they often have unacceptably high false positive detection rates as well.
Which says that the best results, as reported on the figure, could also have the biggest false positives.
The false positives don't appear to have been reported.

But, as you've said, it is a war and much good may result if their algorithms are tuneable.
And even if their league tables simply annoy the AV vendors whose engines aren't high on the tables (they won't be able to claim a "polypack certificate of excellence" or something like that) that will be a goad for the companies concerned to improve their engines.