Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: spywar on February 18, 2013, 07:59:50 PM

Title: About "Dyna" detection
Post by: spywar on February 18, 2013, 07:59:50 PM
I don't know if you already know how the Dyna detections are used, but let me explain it to you.

1. I have an undetected Zbot sample
2. I execute it
3. file is Autosandboxed
4. Autosandbox stop a malware
5. Go to quarantine.
Screen attached.
"Avast has over 1500 generic signatures in VPS up to this day (their prefixes are Dyna:, as you can see in VPS release history). One signature usually identifies various malwares, so one malware is also usually detected by several signatures (e.g. for disabling windows update/firewall, injection, etc)
So this is one of the 1500 Dyna signs?"
"Autosandbox reports 50 000 Dyna infections every day."
Title: Re: About "Dyna" detection
Post by: DavidR on February 18, 2013, 08:06:04 PM
Well this will no doubt please RejZoR, has been looking for autosandbox detections.
Title: Re: About "Dyna" detection
Post by: RejZoR on February 18, 2013, 08:07:51 PM
Yes, up till this month (February 2013), there was absolutely no activity from Auto Sandbox. But now, I've seen like 8 of them in like 4 YouTube videos. So they have finally done something about it and I'm happy with that. Now they need to get the Behavior Shield going and they'll be fully locked and loaded.
Title: Re: About "Dyna" detection
Post by: DavidR on February 18, 2013, 08:25:39 PM
Yep, one down, Behavior Shield next.
Title: Re: About "Dyna" detection
Post by: Pubert E on February 18, 2013, 08:27:05 PM
 8)

All that shiny new hardware at avast! HQ is proving its worth.
Excellent news for all  :)
Title: Re: About "Dyna" detection
Post by: avast@@dvantage77.com on February 18, 2013, 09:27:01 PM
Sir, where did you see this?

"Avast has over 1500 generic signatures in VPS up to this day (their prefixes are Dyna:, as you can see in VPS release history). One signature usually identifies various malwares, so one malware is also usually detected by several signatures (e.g. for disabling windows update/firewall, injection, etc)
So this is one of the 1500 Dyna signs?"
"Autosandbox reports 50 000 Dyna infections every day."
Title: Re: About "Dyna" detection
Post by: avast@@dvantage77.com on February 18, 2013, 09:29:34 PM
I found it: http://forum.avast.com/index.php?topic=112583.msg882539#msg882539

From P.K., so I am going to ask straight from the horse's mouth!
Title: Re: About "Dyna" detection
Post by: pk on February 18, 2013, 09:46:06 PM
Thanks spywar for your test & helping to open RejZoR's eyes, hopefully the last autosandbox skeptic has fallen ;D.

Autosandbox improvements in v8:
The user interface wasn't changed (in fact I had no idea how to improve it), only the detection rates. As you know, autosandbox executes a suspicious process in the sandbox and logs every filesystem/registry operation, attempts to inject into different processes, modify system components, install hooks, network connections, etc. Avast has over 1500 generic signatures in VPS up to this day (their prefixes are Dyna:, as you can see in VPS release history). One signature usually identifies various malware, so one malware sample is also usually detected by several signatures (e.g. for disabling windows update/firewall, injection, etc). Autosandbox reports 50 000 Dyna infections every day. Our viruslab analyses ~40k unique malware samples every day in autosandbox and collects the logs, running on 180 virtual machines in ramdisk for 24hrs a day. In A7, malware attempts to inject itself into different processes were blocked. In A8, we duplicate & sandbox the target process on a different desktop and allow injections, so malware isn't stopped early and we continue monitoring activity from the injection payload. Since we started to analyze a lot of malware in our viruslab, every machine crash is reported to me & fixed. Autosandbox/sandbox should therefore be quite stable in A8.
Title: Re: About "Dyna" detection
Post by: RejZoR on February 18, 2013, 09:56:23 PM
Yes, but prior to this month, Auto Sandbox really didn't do much for the end user. This has only changed now.
Title: Re: About "Dyna" detection
Post by: DavidR on February 18, 2013, 10:08:16 PM
Hopefully we will see this reflected in the various antivirus test results such as av-comparatives.org.
Title: Re: About "Dyna" detection
Post by: avast@@dvantage77.com on February 18, 2013, 10:21:02 PM
I have said it before, that AutoSandbox will differentiate us from the other vendors, and then they'll copy our technology, again!  Thanks P.K. for all your hard work. I KNOW how much you have personally invested in this!  Thanks again for all your hard work, P.K.!
Title: Re: About "Dyna" detection
Post by: Lisandro on February 19, 2013, 02:13:57 AM
Hopefully we will see this reflected in the various antivirus test results such as av-comparatives.org.
I hope so.
Thanks pk for your hard work.
Title: Re: About "Dyna" detection
Post by: true indian on February 19, 2013, 08:50:35 AM
thanks pk and rest of avast team...you guys are awesome and together you make a really powerful product!  8)
Title: Re: About "Dyna" detection
Post by: Vlk on February 19, 2013, 09:00:27 AM
Besides what pk said, there's one more innovation with respect to those Dyna detections. We call it snxsql and it basically allows us to use the full richness of SQL queries to detect viruses in the sandbox. That is, the whole execution trace from the sandbox is stuffed to an in-memory SQL database and we consequently make queries to that DB (including some pretty complex/rich ones). This allows the detections to be fairly sophisticated, while minimizing the FP rates.

While the actual creation of these dyna detections / sql queries is now still a manual process (done by our virus analysts), we are close to actually implementing an automated generator for this - technically, this would be sort of "Evo-gen" for dyna detections.

Pretty fascinating stuff, especially if you see the results.

So, please, stay tuned, more stuff is coming. :)

Thanks
Vlk
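The two posts above describe the pipeline in outline: the autosandbox records each filesystem, registry, injection and network event of a monitored process, the trace is loaded into an in-memory SQL database, and each generic "Dyna:" signature is one query over that trace, so a single sample usually trips several signatures. The following is an added illustration of that idea, not Avast's code and not the real snxsql rule format or schema; it uses Python's standard sqlite3 module, a constructed sample trace, and made-up rule names with an "-Example" suffix, and it also shows why a combination of behaviours (injection plus an outbound connection from the same process) is a better signal than either one alone.

```python
import sqlite3
from typing import Dict, Iterable, List, Tuple

# One trace row per recorded event: (pid, event type, target, detail).
Event = Tuple[int, str, str, str]

# Constructed sample trace, not a real sandbox log. pid 100 behaves like a
# trojan (disables updates and the firewall, injects, then connects out);
# pid 200 is a benign installer that only adds a Run key.
SAMPLE_TRACE: List[Event] = [
    (100, "registry_set", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "updater.exe"),
    (100, "registry_set", r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate", "1"),
    (100, "registry_set", r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall", "0"),
    (100, "inject", "explorer.exe", "WriteProcessMemory+CreateRemoteThread"),
    (100, "network_connect", "203.0.113.10:443", "tcp"),
    (200, "file_write", r"C:\Program Files\Tool\tool.exe", "create"),
    (200, "registry_set", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "tool.exe"),
]

# Hypothetical generic rules in the spirit of the Dyna: signatures. Each rule is
# one SQL query that returns the pids it matches. Names are invented here.
RULES: Dict[str, str] = {
    "Dyna:DisableUpdates-Example": (
        "SELECT DISTINCT pid FROM trace "
        "WHERE event = 'registry_set' "
        "AND instr(target, 'NoAutoUpdate') > 0 AND detail = '1'"
    ),
    "Dyna:DisableFirewall-Example": (
        "SELECT DISTINCT pid FROM trace "
        "WHERE event = 'registry_set' "
        "AND instr(target, 'EnableFirewall') > 0 AND detail = '0'"
    ),
    # Two behaviours of the same process: injection into another process and
    # an outbound connection. Either alone is common in legitimate software
    # (a Run key alone is deliberately not a rule for the same reason); the
    # combination is what keeps the false-positive rate down.
    "Dyna:InjectAndBeacon-Example": (
        "SELECT pid FROM trace GROUP BY pid "
        "HAVING SUM(event = 'inject') > 0 AND SUM(event = 'network_connect') > 0"
    ),
}


def load_trace(events: Iterable[Event]) -> sqlite3.Connection:
    """Stuff an execution trace into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE trace (pid INTEGER, event TEXT, target TEXT, detail TEXT)")
    conn.executemany("INSERT INTO trace VALUES (?, ?, ?, ?)", events)
    conn.commit()
    return conn


def match_rules(conn: sqlite3.Connection, rules: Dict[str, str] = RULES) -> Dict[int, List[str]]:
    """Run every rule query; return {pid: sorted names of rules that matched}."""
    hits: Dict[int, List[str]] = {}
    for name, query in rules.items():
        for (pid,) in conn.execute(query):
            hits.setdefault(pid, []).append(name)
    return {pid: sorted(names) for pid, names in hits.items()}


def scan(events: Iterable[Event] = SAMPLE_TRACE, rules: Dict[str, str] = RULES) -> Dict[int, List[str]]:
    """Load a trace and evaluate all rules against it."""
    conn = load_trace(events)
    try:
        return match_rules(conn, rules)
    finally:
        conn.close()


if __name__ == "__main__":
    for pid, names in scan().items():
        print(f"pid {pid}: {', '.join(names)}")
```

Running it reports pid 100 under all three example rules and nothing for pid 200, which is the "one sample, several signatures" effect pk describes; adding a new behaviour-based rule is just adding one more query to the dictionary, which is the property that makes an automated rule generator plausible.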
Title: Re: About "Dyna" detection
Post by: true indian on February 19, 2013, 09:23:22 AM
So, please, stay tuned, more stuff is coming. :)

You are making me impatient now  ;D

thanks for the hard work Vlk and avast team..once again you guys rock!  ;)
Title: Re: About "Dyna" detection
Post by: RejZoR on February 19, 2013, 10:50:43 AM
Besides what pk said, there's one more innovation with respect to those Dyna detections. We call it snxsql and it basically allows us to use the full richness of SQL queries to detect viruses in the sandbox. That is, the whole execution trace from the sandbox is stuffed to an in-memory SQL database and we consequently make queries to that DB (including some pretty complex/rich ones). This allows the detections to be fairly sophisticated, while minimizing the FP rates.

While the actual creation of these dyna detections / sql queries is now still a manual process (done by our virus analysts), we are close to actually implementing an automated generator for this - technically, this would be sort of "Evo-gen" for dyna detections.

Pretty fascinating stuff, especially if you see the results.

So, please, stay tuned, more stuff is coming. :)

Thanks
Vlk

Do tell more. So what you're working on is basically a Dyna-Gen? So, if I understand this correctly, you'll be able to generate Dyna detection rules automatically from a bunch of existing samples like you do with Evo-Gen at the moment? By "close" do you mean for the release (or at least sometime around that time) of avast! 8 or sometime during the year 2013?
Either way I'm looking forward to this as it would mean we will see even more Auto Sandbox detections.
Title: Re: About "Dyna" detection
Post by: kev797 on February 19, 2013, 11:18:05 AM
thank you avast team for a great product and all your hard work, :)
Title: Re: About "Dyna" detection
Post by: Pubert E on February 19, 2013, 02:09:40 PM
Sounds fantastic!
If all this becomes real I'm almost ready to buy up some licenses  ;D
Title: Re: About "Dyna" detection
Post by: spywar on February 19, 2013, 06:41:18 PM
Besides what pk said, there's one more innovation with respect to those Dyna detections. We call it snxsql and it basically allows us to use the full richness of SQL queries to detect viruses in the sandbox. That is, the whole execution trace from the sandbox is stuffed to an in-memory SQL database and we consequently make queries to that DB (including some pretty complex/rich ones). This allows the detections to be fairly sophisticated, while minimizing the FP rates.

While the actual creation of these dyna detections / sql queries is now still a manual process (done by our virus analysts), we are close to actually implementing an automated generator for this - technically, this would be sort of "Evo-gen" for dyna detections.

Pretty fascinating stuff, especially if you see the results.

So, please, stay tuned, more stuff is coming. :)

Thanks
Vlk
"Sort of Evo-Gen for Dyna detections"  ;D ... Thanks for this info !
Title: Re: About "Dyna" detection
Post by: spywar on February 19, 2013, 09:48:36 PM
And a new one (https://www.virustotal.com/en/file/a237b162399893a58c3e2a901450c07f7d213f8e85a591093c33763b00a85894/analysis/) detected today "Dyna:NetShield-A;"
Title: Re: About "Dyna" detection
Post by: Charyb on February 19, 2013, 09:51:37 PM
That's awesome. I am anxious to see everything up and running.
Title: Re: About "Dyna" detection
Post by: spywar on February 20, 2013, 09:14:02 AM
And a new one  ;)
"Dyna:FsShield-A;"
sample : https://www.virustotal.com/en/file/93db29c62d1a1115dcc19579ecabcca20a2a4816fa39c2f5239da604736af202/analysis/
Title: Re: About "Dyna" detection
Post by: spywar on February 20, 2013, 06:01:51 PM
And again ... (https://www.virustotal.com/fr/file/58a80f311c14624bf50f9e45db0e62a5a4902ecffeeda120ad0d775ac109d4a9/analysis/)
"Dyna:Bicololo-AH [Trj];"