
AV products vulnerability [Fwd: [TH-research] Upx hack tool]

The tool discussed below, in the forwarded message from TH-Research (The 
Trojan Horses Research Mailing List), appears to enable malware to pass 
right through the detection mechanisms of most AV products.

The reason this email message is forwarded is that this new.. erm.. 
let us call it a "packer" tricks quite a few of the AV products on the 
market.

Apparently either their engines' emulators can't handle it, or they do 
not have one. Also, it is not screened on its own.
Screening this.. "packer" is very easy and can be done with a signature 
as a short-term solution; it does not *require* an engine update.

One would expect an emulator to deal with it, but the surprise is not 
too great and the weak spot is easy to fix.

Since it was announced on TH-Research a couple of days ago and all 
member AV and AT firms should have updated their products, I am emailing 
the world so the rest can update as well.

As we have seen many times, once one malware gets out and uses it, many 
others soon will. The security concerns in emailing this information 
are not as serious as the risk if we do not.

The "packing" itself, using this product, is rather simple to undo.
Thanks go to Rolles, Rolf for his help with proving the point and coding 
an example for research purposes of defending against such malware.

Important note: the tool itself is perfectly legal. Many perfectly legal 
packers are used by malware authors to try and "hide" their "creations" 
from AV products.
I should also note that this new "packer" comes from the makers of PEcrypt.

As always, this message is forwarded according to the guidelines in the 
TH-Research FAQ.

	Gadi Evron.

The Trojan Horses Research Mailing List - http://ecompute.org/th-list 


From: "Daniel Otis-Vigil"
To: TH-Research
Subject: [TH-research] Upx hack tool
Date: Tue, 20 Jan 2004 10:40:19 -0700

Mail from "Daniel Otis-Vigil"

Safe url: http://archphase.united.net.kg/projects.html 

UPXredir
This tool takes a packed UPX file and smacks on a section and does a few
more things of trickery to transform it so it does not look like a UPX packed file,
so when anti-virii come along they can't decompress the packed data and see
its raw form. Includes source code and binary, written in Delphi 6.

Daniel Otis-Vigil
MooSoft Development
http://www.moosoft.com 

-
TH-Research, the Trojan Horses Research mailing list.
List home page: http://ecompute.org/th-list 
