A forum for reverse engineering, OS internals and malware analysis 

All off-topic discussion goes here.
 #2034  by CloneRanger
 Tue Aug 17, 2010 4:27 pm
I've tested several versions of these POC's, Unprevx & Blovex, and NOT one of them worked ? And that was on XP/SP2 in Admin, and after disabling my security to allow them.

Initially i had Prevx v.186 and i then updated to v.187, but still NO shutdown or kill !

I'm not complaining lol, just surprised after all the talk etc. Why do think i was able to survive these POC's, are they only version specific or ?

So who's next, Symantec, ESET, MBAM etc ?

Cloneranger @ Wilders

*

I like Foxes, and Prevx :P

moderator:
This thread created from Breaking Prevx 3 self-protection and contains offtopic discussion about PoC testings.
Last edited by EP_X0FF on Thu Aug 19, 2010 7:31 am, edited 1 time in total. Reason: added thread description
 #2035  by EP_X0FF
 Tue Aug 17, 2010 5:07 pm
From screenshots you posted @ wilders I see damaged PE file (screenshot with NTVDM). Seems to be files you downloaded damaged. Sometimes browsers cannot normally save RAR/ZIP archives from web.
So who's next, Symantec, ESET, MBAM etc ?
No one from this list :)
 #2036  by CloneRanger
 Tue Aug 17, 2010 6:08 pm
@ EP_X0FF
From screenshots you posted @ wilders I see damaged PE file (screenshot with NTVDM)
I agree that one - Blovex1.exe - must have been damaged, but NOT all the others i ran and tested. I've uploaded a screenie of the ones i used. I had to slightly rename most of them so i could put them in the same folder. I wouldn't have thought that should make a difference, and even the one i hadn't renamed - Blovex.exe - didn't work ?

*

I like Foxes, and Prevx :P
Attachments
ub.gif
UnPrevx & Blovex
ub.gif (11.02 KiB) Viewed 727 times
 #2037  by ssj100
 Tue Aug 17, 2010 6:31 pm
CloneRanger, this isn't the first time you're having trouble reproducing POC's haha.

As I told you once before, it's a good idea to reproduce these things in a freshly installed Windows. You really should consider looking into programs like VirtualBox to do your testing.
 #2038  by CloneRanger
 Tue Aug 17, 2010 6:49 pm
@ ssj100

If you'ld noticed, my post was @ EP_X0FF :P
this isn't the first time you're having trouble reproducing POC's haha.
Didn't have ANY trouble with them, these POC's just didn't work. As for the .lnk POC's i presume you are referring to, been there and got the T shirt thanks.
As I told you once before, it's a good idea to reproduce these things in a freshly installed Windows. You really should consider looking into programs like VirtualBox to do your testing.
Told me LOL. So you're saying that, unless these type of files are run in a fresh Windows install, they are useless ? I don't believe EP_X0FF was advocating doing that ! And if that is/was the case, which i very much doubt, what kind of a real world test would that be !

I like Foxes, and Prevx :P Dislike Trolls
 #2039  by EP_X0FF
 Wed Aug 18, 2010 2:49 am
Without testing at your machine (or it's VM clone) I can't tell you what is the problem. This can be everything.
Better try all this stuff (including Prevx, because it's also can be buggy) in VM. Virtual PC will be enough.
 #2040  by ssj100
 Wed Aug 18, 2010 2:51 am
CloneRanger wrote:Didn't have ANY trouble with them, these POC's just didn't work. As for the .lnk POC's i presume you are referring to, been there and got the T shirt thanks.
Well, the fact is that I can reproduce all the POC's that have been released (while you can't). Obviously EP_X0FF can reproduce it too. Basically what I'm saying is that there must be something not quite right with your setup, since you tend to have trouble reproducing POC's (that is, they don't work on your particular system).

The latest POC seems to work more smoothly than the previous ones though - unfortunately it's not released to the public yet, so I can't offer it to you to test.

I was just making a suggestion about using eg. VirtualBox. If you think about it, using a clean install of Windows is always going to be the best way to test programs etc. When you have many third party programs installed (particularly security programs), you never know what is conflicting with what. And keep in mind that simply disabling the security program often isn't good enough. I don't know if you recall a conflict that caused Sandboxie to be "bypassed" simply by having an Antivirus installed or a Classical HIPS. Disabling the real-time guard or disabling the Classical HIPS still resulted in conflict/bypass - you needed to completely uninstall the Antivirus or Classical HIPS program to fix it. Anyway tzuk fixed the problem, but hopefully you get my point.
 #2046  by CloneRanger
 Wed Aug 18, 2010 6:29 am
@ EP_X0FF

I tested them using ShadowDefender, and disabled ALL my security for the duration.

I'm wondering if my having a number of Windows Services permanently disabled, "may" have something to do with it ? If not ?

It "appears" that even though some of the POC's weren't specifically targetted at the Prevx versions i had v.186 & v.187 they should still have worked. Is this correct ? If not then that would be a reason why they didn't !

*

@ ssj100
Basically what I'm saying is that there must be something not quite right with your setup, since you tend to have trouble reproducing POC's (that is, they don't work on your particular system).
Well that's different !

I would say, there must be something good about my system if they don't work, but see my reply to EP_X0FF above for a "possible" reason. All my other apps/programs etc work just fine, and i don't have any problems with them.
I was just making a suggestion about using eg. VirtualBox.
OK
If you think about it, using a clean install of Windows is always going to be the best way to test programs etc.
Well i have to disagree, because that is not how people operate their Comps in daily life. So i think it's unrepresentative of real world systems, and interactivity etc between apps.
 #2047  by ssj100
 Wed Aug 18, 2010 6:42 am
CloneRanger wrote:
If you think about it, using a clean install of Windows is always going to be the best way to test programs etc.
Well i have to disagree, because that is not how people operate their Comps in daily life. So i think it's unrepresentative of real world systems, and interactivity etc between apps.
Again, the reason to test things in a clean install of Windows is because it eliminates third party variations. If you disagree, why did you disable your other security software? You could say that eg. ProcessGuard blocked it easily, and therefore the POC doesn't work. Right? You disabled your other security software for the same reason as what I am suggesting - to eliminate third party variations.

Anyway, just making a point.
 #2056  by CloneRanger
 Wed Aug 18, 2010 11:22 pm
@ ssj100
why did you disable your other security software?
If i hadn't they wouldn't have even been able to run, due to either .EXE blocking and/or AV etc detection. Not to eliminate third party variations.

Sure i ran then with SD enabled, but that wouldn't interfere with the POC's.

If every piece of malware had to ask people to do a fresh install first and/or run in a VM etc, where would that get them. I run tests in a realistic real world enviroment. First with all my security in place to see if they block/interject etc, then one by one i disable them and see what happens, or not. The main purpose of most tests etc i do, is to see how my security shapes up, or not. It it does great, if not i improve it.