About "Dyna" detection

[spywar]

I don't know if you already know how the Dyna detections are used but let me explain you.

1. I have an undetected Zbot sample
2. I execute it
3. file is Autosandboxed
4. Autosandbox stop a malware
5. Go to quarantine.
Screen attached.
"Avast has over 1500 generic signatures in VPS up to this day (their prefixes are Dyna:, as you can see in VPS release history). One signature usually identifies various malwares, so one malware is also usually detected by several signatures (e.g. for disabling windows update/firewall, injection, etc)
So this is one of the 1500 Dyna signs ?"
"Autosandbox reports 50 000 Dyna infections every day".

[DavidR]

Well this will no doubt please RejZoR, has been looking for autosandbox detections.

[RejZoR]

Yes, up till this month (February 2013), there was absolutely no activity from Auto Sandbox. But now, i've seen like 8 of them in like 4 Youtube videos. So they have finally done something about it and i'm happy with that. Now they need to get the Behavior Shield going and they'll be fully lock and loaded.

[DavidR]

Yep, one down, Behavior Shield next.

[Pubert E]

 

All that shiny new hardware at avast! HQ is proving it's worth.
Excellent news for all 

[avast@@dvantage77.com]

Sir, where did you see this?

"Avast has over 1500 generic signatures in VPS up to this day (their prefixes are Dyna:, as you can see in VPS release history). One signature usually identifies various malwares, so one malware is also usually detected by several signatures (e.g. for disabling windows update/firewall, injection, etc)
So this is one of the 1500 Dyna signs ?"
"Autosandbox reports 50 000 Dyna infections every day".

[avast@@dvantage77.com]

I found it: http://forum.avast.com/index.php?topic=112583.msg882539#msg882539

From P.K., so I am going to ask straight to the horses mouth!

[pk]

Thanks spywar for your test & helping to open RejZoR's eyes, hopefully the last autosandbox skeptic has fallen .

Autosandbox improvements in v8:
User interface wasn't changed (in fact I didn't have idea how to improve it), only detection rates. As you know, autosandbox executes a suspicious process in the sandbox and logs every filesystem/registry operations, attempts to inject to different processes, modify system components, install hooks, network connections, etc etc. Avast has over 1500 generic signatures in VPS up to this day (their prefixes are Dyna:, as you can see in VPS release history). One signature usually identifies various malwares, so one malware is also usually detected by several signatures (e.g. for disabling windows update/firewall, injection, etc). Autosandbox reports 50 000 Dyna infections every day. Our viruslab analyses ~40k unique malwares every day in autosandbox and collect the logs, running on 180 virtual machines in ramdisk for 24hrs a day. In A7, malware attempts to inject itself into different processes were blocked. In A8, we duplicate & sandbox target's process on different desktop and allow injections, so malware isn't stopped early and we continue monitoring activity from the injection payload. Since we started to analyze a lot of malwares in our viruslab, every machine crash is reported to me & fixed. Autosandbox/sandbox should be therefore quite stable in A8.

[RejZoR]

Yes, but prior this month, Auto Sandbox really didn't do much for the end user. This has only changed now.

[DavidR]

Hopefully we will see this reflected in the various antivirus test results such as av-comparatives.org.

[avast@@dvantage77.com]

I have said it before, that AutoSandbox will defferentiate us from the other vendors, and then they'll copy out technology, again!  Thanks P.K. for all your hard work. I KNOW how much that you have personally invested in this!  Thanks againg for all your hard work, P.K.!

[Lisandro]

Hopefully we will see this reflected in the various antivirus test results such as av-comparatives.org.

I hope so.
Thanks pk for your hard work.

[true indian]

thanks pk and rest of avast team...you guys are awesome and together you make a really powerful product! 

[Vlk]

Besides what pk said, there's one more innovation with respect to those Dyna detections. We call it snxsql and it basically allows us to use the full richness of SQL queries to detect viruses in the sandbox. That is, the whole execution trace from the sandbox is stuffed to an in-memory SQL database and we consequently make queries to that DB (including some pretty complex/rich ones). This allows the detections to be fairly sophisticated, while minimizing the FP rates.

While the actual creation of these dyna detections / sql queries is now still a manual process (done by our virus analysts), we are close to actually implementing an automated generator for this - technically, this would be sort of "Evo-gen" for dyna detections.

Pretty fascinating stuff, especially if you see the results.

So, please, stay tuned, more stuff is coming.

Thanks
Vlk

[true indian]

So, please, stay tuned, more stuff is coming.

You are making me impatient now 

thanks for the hard work Vlk and avast team..once again you guys rock!