A forum for reverse engineering, OS internals and malware analysis 

 #11420  by kareldjag/michk
 Fri Feb 03, 2012 1:00 pm
Hi

Original publication:
http://seclists.org/fulldisclosure/2012/Feb/42

More info about this kind of evasion/bypass method on T. Zoller's site:
http://blog.zoller.lu/2009/04/case-for- ... sions.html

Colander-like protection from AV for years, but nothing can break this marketing mess...

Rgds
 #11467  by Vrtule
 Mon Feb 06, 2012 4:43 pm
I also do not understand why this is a serious problem. Antiviruses are unable to explore archives of this type; however, they can catch their contents when the archive is being unpacked. Hence, the infection gets a few steps deeper into the corporate infrastructure, but will be detected at last. And users probably won't unpack archives of a rare type because they will not have the necessary tools installed.
 #11581  by kareldjag/michk
 Sun Feb 12, 2012 7:58 pm
Does it make full sense to think that I was really serious when publishing this?
As a "no more free bugs" partisan ( http://www.securityfocus.com/brief/933 ), I would be more interested in looking for a flaw in IE and selling it to leave these frozen times in Europe...
I know that it is not a runtime detection flaw, as is the case, for instance, with this CERT advisory:
http://www.cert.fi/en/reports/2010/vulnerability.html
It has been demonstrated that AV blacklist pattern-file detection is an NP-complete and undecidable problem.
Corrupted and flawed by design, it appears difficult for them to circumscribe polymorphism, metamorphism, oligomorphism, signature faking, stealth codes and forensic hiding areas and techniques...
As an intrusion and pentest method, using archives (unsupported ones like .kz, encrypted or malformed) is only interesting for storing unwanted and malicious files without being detected: risks and impacts are of course low.
Due to previous "come from China" intrusions in European firms and governments, the AV industry needs to be aware of the ability of scanner engines to check files inside this archive format.
It is not sensationalism, it is FACT.
Now it is up to Mr Bojangles to code his packer, to evade ALL antiviruses listed on VirusTotal/Jotti and claim the same thing...
Rgds