A forum for reverse engineering, OS internals and malware analysis 
 #9545  by EP_X0FF
 Sat Nov 05, 2011 3:30 pm
@Fyyre

they don't like my old Delphi :)
 #9692  by Xylitol
 Sun Nov 13, 2011 4:25 pm
SUPERAntiSpyware detects a simple hello world in AutoIt as 'Trojan.Agent/Gen-Goo'
Code:
MsgBox(0x0, "Hello World", "Hello World")
Auto-packed with UPX normal compression (default setting in Aut2exe v3).
http://www.virustotal.com/file-scan/rep ... 1321199486

The result can be increased by ByteHero (Trojan.Spy.Gen.b) if you add the word 'Virus' or 'kernel32.dll' to the hello world
http://www.virustotal.com/file-scan/rep ... 1321200254
 #9919  by Xylitol
 Sat Nov 26, 2011 10:18 am
Once again we have a fail for ByteHero and SUPERAntiSpyware

This SpyEye sample was submitted on 2011-11-25: http://www.virustotal.com/file-scan/rep ... 1322239936
ByteHero 1.0.0.1 2011.11.14 Trojan.Win32.Heur.Gen
SUPERAntiSpyware 4.40.0.1006 2011.11.24 Trojan.Agent/CDesc[Generic]

Then rescanned on VirusTotal today http://www.virustotal.com/file-scan/rep ... 1322295341
1/42 >> 2.4%
The detections of ByteHero and SUPERAntiSpyware vanished!
 #9921  by EP_X0FF
 Sat Nov 26, 2011 10:30 am
SUPERAntiSpyware Fake "I even don't know what it is" just was unable to scan, or there is a script problem on the VirusTotal side. See the rescan

http://www.virustotal.com/file-scan/rep ... 1322302682

ByteHero is a sort of random generator which is useless for detecting any kind of modern obfuscated malware.
 #9927  by EP_X0FF
 Sun Nov 27, 2011 3:46 am
SUPERAntiSpyware "FakeAV" tests.

TEST 1 - FAIL

http://www.virustotal.com/file-scan/rep ... 1322363829
File name: t[36].php
Submission date: 2011-11-27 03:17:09 (UTC)
Current status: finished
Result: 1/ 43 (2.3%)

SUPERAntiSpyware 4.40.0.1006 2011.11.26 Trojan.Dropper/Gen-PHP
t[36].php is a Win32 executable with such a fantastic payload inside.
Code:
.text:00401000                 public start
.text:00401000 start           proc near
.text:00401000                 push    0               ; uExitCode
.text:00401002                 call    ds:ExitProcess
.text:00401002 start           endp
How does this "Trojan Dropper Generic" work? It is a work of true genius: by looking at the file extension and the presence of a version info block. See TEST 2.

TEST 2 - FAIL

Taking hh.exe as the victim.

Initial result
http://www.virustotal.com/file-scan/rep ... 1322364638 - OK

Change hash (1 byte changed at the end of the file)
http://www.virustotal.com/file-scan/rep ... 1322364899 - OK

VersionInfo removed from the binary
http://www.virustotal.com/file-scan/rep ... 1322364793 - Trojan.Dropper/Gen-PHP

Extension changed back to exe
http://www.virustotal.com/file-scan/rep ... 1322365045 - OK, the trojan magically disappears
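Added example, not code from the thread or from EP_X0FF: a stdlib-only Python script that rebuilds the TEST 1 artifact from scratch (a bare PE32 whose entire program is `push 0 / call ds:ExitProcess`, importing ExitProcess from KERNEL32.dll) and then produces the TEST 2 variants for side-by-side submission: the identical bytes under a .php and an .exe name, plus a copy whose hash is changed without touching anything the loader maps. The image base, section layout and file names (exitprocess.exe etc.) are this script's own choices, not anything from the original posts. It needs no Windows host to build the files; the resulting binary runs on Windows and simply exits with code 0.

```python
"""Rebuild a bare 'push 0 / call ds:ExitProcess' PE32 and its rename / re-hash variants.
Layout constants are assumptions chosen for this example, not taken from the thread."""
import hashlib
import os
import struct
import sys

IMAGE_BASE = 0x400000
SECTION_RVA = 0x1000      # one .text section holds code, import descriptor, ILT, IAT and strings
FILE_ALIGN = 0x200

# RVAs of the pieces packed into that section (assumed layout)
CODE_RVA = SECTION_RVA
IMPORT_DIR_RVA = SECTION_RVA + 0x10   # IMAGE_IMPORT_DESCRIPTOR + null terminator (40 bytes)
ILT_RVA = SECTION_RVA + 0x38          # OriginalFirstThunk: one entry + null
IAT_RVA = SECTION_RVA + 0x40          # FirstThunk: loader writes ExitProcess's address here
HINT_NAME_RVA = SECTION_RVA + 0x48    # WORD hint + "ExitProcess\0"
DLL_NAME_RVA = SECTION_RVA + 0x58     # "KERNEL32.dll\0"


def build_section():
    """Section body: push 0 ; call dword ptr ds:[IAT entry] ; then the import tables."""
    sec = bytearray(FILE_ALIGN)
    code = b"\x6a\x00" + b"\xff\x15" + struct.pack("<I", IMAGE_BASE + IAT_RVA)
    sec[0:len(code)] = code
    desc = struct.pack("<5I", ILT_RVA, 0, 0, DLL_NAME_RVA, IAT_RVA) + bytes(20)
    sec[IMPORT_DIR_RVA - SECTION_RVA:IMPORT_DIR_RVA - SECTION_RVA + 40] = desc
    thunk = struct.pack("<II", HINT_NAME_RVA, 0)
    for rva in (ILT_RVA, IAT_RVA):
        sec[rva - SECTION_RVA:rva - SECTION_RVA + 8] = thunk
    hint_name = struct.pack("<H", 0) + b"ExitProcess\0"
    sec[HINT_NAME_RVA - SECTION_RVA:HINT_NAME_RVA - SECTION_RVA + len(hint_name)] = hint_name
    dll = b"KERNEL32.dll\0"
    sec[DLL_NAME_RVA - SECTION_RVA:DLL_NAME_RVA - SECTION_RVA + len(dll)] = dll
    return bytes(sec)


def build_headers():
    """DOS header (no stub), PE signature, COFF header, PE32 optional header, one section header."""
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0103)  # i386, 1 section, EXE|32BIT|no relocs
    dirs = [(0, 0)] * 16
    dirs[1] = (IMPORT_DIR_RVA, 40)   # IMAGE_DIRECTORY_ENTRY_IMPORT
    dirs[12] = (IAT_RVA, 8)          # IMAGE_DIRECTORY_ENTRY_IAT
    opt = struct.pack("<HBB9I6H4I2H6I",
                      0x10B, 0, 0,                                    # PE32 magic, linker version
                      FILE_ALIGN, 0, 0, CODE_RVA, CODE_RVA, 0,        # code size, data sizes, EP, bases
                      IMAGE_BASE, 0x1000, FILE_ALIGN,                 # image base, section/file alignment
                      4, 0, 0, 0, 4, 0,                               # OS / image / subsystem versions
                      0, 0x2000, FILE_ALIGN, 0,                       # reserved, SizeOfImage, SizeOfHeaders, checksum
                      2, 0,                                           # GUI subsystem, no DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)      # stack/heap, loader flags, dir count
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    sect = struct.pack("<8s6I2HI", b".text", FILE_ALIGN, SECTION_RVA, FILE_ALIGN, FILE_ALIGN,
                       0, 0, 0, 0, 0xE0000020)                        # CODE | EXECUTE | READ | WRITE
    hdr = dos + b"PE\0\0" + coff + opt + sect
    return hdr + bytes(FILE_ALIGN - len(hdr))


def build_minimal_pe():
    return build_headers() + build_section()


def rva_to_offset(pe, rva):
    """Map an RVA to a file offset by walking the section table (any PE32/PE32+)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    for i in range(nsec):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<4I", pe, table + i * 40 + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    raise ValueError("RVA %#x is not inside any section" % rva)


def entry_point_bytes(pe, n=8):
    """First n bytes at AddressOfEntryPoint (optional header offset 16)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    ep_rva = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]
    off = rva_to_offset(pe, ep_rva)
    return pe[off:off + n]


def rehash(pe):
    """TEST 2 'change hash' step: one extra overlay byte; nothing the loader maps changes."""
    return pe + b"\x00"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def write_variants(outdir):
    """Same bytes as .exe and .php, plus a re-hashed .exe; returns {path: sha256}."""
    pe = build_minimal_pe()
    out = {}
    for name, data in (("exitprocess.exe", pe), ("exitprocess.php", pe),
                       ("exitprocess_rehash.exe", rehash(pe))):
        path = os.path.join(outdir, name)
        with open(path, "wb") as f:
            f.write(data)
        out[path] = sha256(data)
    return out


if __name__ == "__main__":
    for path, digest in write_variants(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(digest, path)
```

Submit the three files and diff the verdicts: .exe vs .php isolates the extension heuristic, and the re-hashed copy isolates whether a verdict is a hash blacklist entry rather than a real signature. To reproduce the VersionInfo step you need a binary that actually carries an RT_VERSION resource (hh.exe in the post); this generator deliberately ships none, so it only covers the extension and hash legs.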
 #10141  by t4L
 Mon Dec 05, 2011 7:16 am
More unacceptable false detections:
Code:
00401040 >/$  6A 00         PUSH 0
00401042  |.  0000          ADD BYTE PTR DS:[EAX],AL
00401044  |.  005B 81       ADD BYTE PTR DS:[EBX-7F],BL
00401047  \.  C3            RETN
00401048      9B            DB 9B
00401049      02            DB 02
0040104A      00            DB 00
0040104B      00            DB 00
0040104C      53            DB 53                                    ;  CHAR 'S'
0040104D      F3            DB F3
0040104E   .  C3            RETN
0040104F   .  15 08104000   ADC EAX,<&USER32.MessageBoxW>
00401054   .  6A 00         PUSH 0                                   ; /ExitCode = 0
00401056   .  FF15 00104000 CALL DWORD PTR DS:[<&KERNEL32.ExitProces>; \ExitProcess
0040105C   .  C3            RETN
0040105D      90            NOP
0040105E      90            NOP
0040105F      90            NOP
Result: 24 /43 (55.8%)
http://www.virustotal.com/file-scan/rep ... 1315214110