Author Topic: About "Dyna" detection  (Read 12319 times)


Offline spywar

  • Malware Hunter
  • Poster
  • *
  • Posts: 441
About "Dyna" detection
« on: February 18, 2013, 07:59:50 PM »
I don't know if you already know how the Dyna detections are used, but let me explain it to you.

1. I have an undetected Zbot sample
2. I execute it
3. The file is autosandboxed
4. Autosandbox stops the malware
5. It goes to quarantine.
Screen attached.
"Avast has over 1500 generic signatures in VPS up to this day (their prefixes are Dyna:, as you can see in VPS release history). One signature usually identifies various malwares, so one malware is also usually detected by several signatures (e.g. for disabling windows update/firewall, injection, etc)
So this is one of the 1500 Dyna signs ?"
"Autosandbox reports 50 000 Dyna infections every day".

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 80887
  • No support PMs thanks
Re: About "Dyna" detection
« Reply #1 on: February 18, 2013, 08:06:04 PM »
Well, this will no doubt please RejZoR, who has been looking for autosandbox detections.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.2.2364/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9237
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: About "Dyna" detection
« Reply #2 on: February 18, 2013, 08:07:51 PM »
Yes, up till this month (February 2013), there was absolutely no activity from Auto Sandbox. But now I've seen like 8 of them in like 4 YouTube videos. So they have finally done something about it and I'm happy with that. Now they need to get the Behavior Shield going and they'll be fully locked and loaded.
Visit my webpage RejZoR's Flock of Sheep

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 80887
  • No support PMs thanks
Re: About "Dyna" detection
« Reply #3 on: February 18, 2013, 08:25:39 PM »
Yep, one down, Behavior Shield next.

Offline Pubert E

  • Jr. Member
  • **
  • Posts: 52
  • avast! user for many years
Re: About "Dyna" detection
« Reply #4 on: February 18, 2013, 08:27:05 PM »
 8)

All that shiny new hardware at avast! HQ is proving its worth.
Excellent news for all  :)
avast! internet security 9.0.2006 // win 8.1

Offline avast@@dvantage77.com

  • J.R. Guthrie - avast! Sales and Support Specialist
  • Avast reseller
  • Advanced Poster
  • *
  • Posts: 741
  • the only avast! Distributor & Platinum Reseller
    • Advantage Micro Corporation
Re: About "Dyna" detection
« Reply #5 on: February 18, 2013, 09:27:01 PM »
Sir, where did you see this?

"Avast has over 1500 generic signatures in VPS up to this day (their prefixes are Dyna:, as you can see in VPS release history). One signature usually identifies various malwares, so one malware is also usually detected by several signatures (e.g. for disabling windows update/firewall, injection, etc)
So this is one of the 1500 Dyna signs ?"
"Autosandbox reports 50 000 Dyna infections every day".
Sincerely,
 
J.R. "AutoSandbox Guy" Guthrie

"At this point in time, the Internet should be regarded as an Enemy Weapons System!"

Offline avast@@dvantage77.com

  • J.R. Guthrie - avast! Sales and Support Specialist
  • Avast reseller
  • Advanced Poster
  • *
  • Posts: 741
  • the only avast! Distributor & Platinum Reseller
    • Advantage Micro Corporation
Re: About "Dyna" detection
« Reply #6 on: February 18, 2013, 09:29:34 PM »
I found it: http://forum.avast.com/index.php?topic=112583.msg882539#msg882539

From P.K., so I am going to ask straight from the horse's mouth!

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2074
Re: About "Dyna" detection
« Reply #7 on: February 18, 2013, 09:46:06 PM »
Thanks spywar for your test & helping to open RejZoR's eyes, hopefully the last autosandbox skeptic has fallen ;D.

Autosandbox improvements in v8:
The user interface wasn't changed (in fact I had no idea how to improve it), only the detection rates. As you know, autosandbox executes a suspicious process in the sandbox and logs every filesystem/registry operation, attempts to inject into different processes, modifications of system components, installation of hooks, network connections, etc. etc.

Avast has over 1500 generic signatures in the VPS up to this day (their prefix is Dyna:, as you can see in the VPS release history). One signature usually identifies various malware, so one malware is also usually detected by several signatures (e.g. for disabling Windows Update/firewall, injection, etc.). Autosandbox reports 50 000 Dyna infections every day. Our virus lab analyses ~40k unique malware samples every day in autosandbox and collects the logs, running on 180 virtual machines in ramdisk 24 hours a day.

In A7, malware attempts to inject itself into different processes were blocked. In A8, we duplicate & sandbox the target process on a different desktop and allow the injection, so the malware isn't stopped early and we continue monitoring activity from the injection payload. Since we started to analyze a lot of malware in our virus lab, every machine crash is reported to me & fixed. Autosandbox/sandbox should therefore be quite stable in A8.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9237
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: About "Dyna" detection
« Reply #8 on: February 18, 2013, 09:56:23 PM »
Yes, but prior to this month, Auto Sandbox really didn't do much for the end user. This has only changed now.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 80887
  • No support PMs thanks
Re: About "Dyna" detection
« Reply #9 on: February 18, 2013, 10:08:16 PM »
Hopefully we will see this reflected in the various antivirus test results such as av-comparatives.org.

Offline avast@@dvantage77.com

  • J.R. Guthrie - avast! Sales and Support Specialist
  • Avast reseller
  • Advanced Poster
  • *
  • Posts: 741
  • the only avast! Distributor & Platinum Reseller
    • Advantage Micro Corporation
Re: About "Dyna" detection
« Reply #10 on: February 18, 2013, 10:21:02 PM »
I have said it before, that AutoSandbox will differentiate us from the other vendors, and then they'll copy our technology, again!  Thanks P.K. for all your hard work. I KNOW how much you have personally invested in this!  Thanks again for all your hard work, P.K.!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67282
Re: About "Dyna" detection
« Reply #11 on: February 19, 2013, 02:13:57 AM »
Hopefully we will see this reflected in the various antivirus test results such as av-comparatives.org.
I hope so.
Thanks pk for your hard work.
The best things in life are free.

Offline True Indian

  • Malware Hunter
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 712
  • A Good Old Indian!
Re: About "Dyna" detection
« Reply #12 on: February 19, 2013, 08:50:35 AM »
thanks pk and rest of avast team...you guys are awesome and together you make a really powerful product!  8)

Offline Vlk

  • Global Moderator
  • Serious Graphoman
  • **
  • Posts: 11666
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: About "Dyna" detection
« Reply #13 on: February 19, 2013, 09:00:27 AM »
Besides what pk said, there's one more innovation with respect to those Dyna detections. We call it snxsql and it basically allows us to use the full richness of SQL queries to detect viruses in the sandbox. That is, the whole execution trace from the sandbox is stuffed into an in-memory SQL database and we consequently make queries to that DB (including some pretty complex/rich ones). This allows the detections to be fairly sophisticated, while minimizing the FP rates.

While the actual creation of these dyna detections / sql queries is now still a manual process (done by our virus analysts), we are close to actually implementing an automated generator for this - technically, this would be sort of "Evo-gen" for dyna detections.

Pretty fascinating stuff, especially if you see the results.

So, please, stay tuned, more stuff is coming. :)

Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.
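The two posts above describe the same pipeline from two angles: pk's (the sandbox logs filesystem, registry, injection and network activity, and one sample usually trips several generic signatures, e.g. disabling Windows Update/firewall plus injection) and Vlk's (the trace goes into an in-memory SQL database and each detection is a query). The toy below, added here as an illustration and not Avast's snxsql or any of its Dyna signatures, shows what that looks like: a constructed trace of a hypothetical sample in the shape pk describes, loaded into SQLite, with five invented behaviour rules written as SQL. The schema, event names, registry paths, rule names and both traces are assumptions made up for the example; the point is that joins and ordering constraints let one rule insist on a sequence (open, write memory, remote thread) or a relationship (Run key pointing at a file the same process just wrote), which is what keeps a behaviour rule from firing on an ordinary installer.

```python
"""Added example, not Avast code: detect behaviour in a sandbox execution
trace by loading it into an in-memory SQLite database and running one SQL
query per generic rule. Everything below (schema, event vocabulary, rules,
sample traces) is invented for illustration."""
import sqlite3

# One row per monitored event, in the order the sandbox saw them.
SCHEMA = """
CREATE TABLE trace (
    seq    INTEGER PRIMARY KEY,        -- log order (rowid)
    pid    INTEGER NOT NULL,           -- acting process
    image  TEXT    NOT NULL,           -- image name of the acting process
    op     TEXT    NOT NULL,           -- event type logged by the monitor
    target TEXT    NOT NULL,           -- file / key / process / endpoint
    detail TEXT    NOT NULL DEFAULT '' -- value written, access mask, ...
);
"""

# Hypothetical generic rules. A rule matches when its query returns a row.
# Note: SQLite LIKE is ASCII case-insensitive and treats backslash literally.
RULES = {
    # Run-key value must point at a file this same process wrote earlier.
    "Persistence.RunKeyToOwnCopy": """
        SELECT 1 FROM trace r
        JOIN trace f ON f.pid = r.pid AND f.op = 'file_write' AND f.seq < r.seq
        WHERE r.op = 'reg_set'
          AND r.target LIKE '%\\CurrentVersion\\Run\\%'
          AND r.detail = f.target
    """,
    "Defense.DisableWindowsUpdate": """
        SELECT 1 FROM trace
        WHERE op = 'reg_set'
          AND target LIKE '%\\WindowsUpdate\\AU\\NoAutoUpdate'
          AND detail = '1'
    """,
    "Defense.DisableFirewall": """
        SELECT 1 FROM trace
        WHERE op = 'reg_set'
          AND target LIKE '%\\FirewallPolicy\\%\\EnableFirewall'
          AND detail = '0'
    """,
    # Classic injection sequence against one target, in order.
    "Injection.RemoteThread": """
        SELECT 1 FROM trace o
        JOIN trace w ON w.pid = o.pid AND w.target = o.target AND w.seq > o.seq
        JOIN trace t ON t.pid = o.pid AND t.target = o.target AND t.seq > w.seq
        WHERE o.op = 'process_open'
          AND w.op = 'write_process_memory'
          AND t.op = 'create_remote_thread'
    """,
    # Activity of the injected process after the injection (A8-style
    # monitoring of the payload rather than blocking the injection).
    "Injection.PayloadConnects": """
        SELECT 1 FROM trace t
        JOIN trace n ON n.image = t.target AND n.pid <> t.pid AND n.seq > t.seq
        WHERE t.op = 'create_remote_thread' AND n.op = 'net_connect'
    """,
}

# Constructed trace: a hypothetical banker-style sample (pid 100) that copies
# itself, persists, disables update/firewall, injects into explorer.exe, and
# the injected explorer.exe (pid 200) then talks to a TEST-NET address.
ZBOT_LIKE_TRACE = [
    (100, "sample.exe", "file_write", "C:\\Users\\u\\AppData\\Roaming\\svc\\sample.exe", ""),
    (100, "sample.exe", "reg_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
     "C:\\Users\\u\\AppData\\Roaming\\svc\\sample.exe"),
    (100, "sample.exe", "reg_set", "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate", "1"),
    (100, "sample.exe", "reg_set", "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters"
     "\\FirewallPolicy\\StandardProfile\\EnableFirewall", "0"),
    (100, "sample.exe", "process_open", "explorer.exe", "PROCESS_ALL_ACCESS"),
    (100, "sample.exe", "write_process_memory", "explorer.exe", ""),
    (100, "sample.exe", "create_remote_thread", "explorer.exe", ""),
    (200, "explorer.exe", "net_connect", "203.0.113.7:443", ""),
]

# Constructed trace: an ordinary installer that writes files, sets a plain
# config key, only queries explorer.exe, and phones home. Should match nothing.
INSTALLER_LIKE_TRACE = [
    (300, "setup.exe", "file_write", "C:\\Program Files\\Tool\\tool.exe", ""),
    (300, "setup.exe", "reg_set", "HKLM\\SOFTWARE\\Tool\\InstallDir", "C:\\Program Files\\Tool"),
    (300, "setup.exe", "process_open", "explorer.exe", "PROCESS_QUERY_INFORMATION"),
    (300, "setup.exe", "net_connect", "203.0.113.9:443", ""),
]


def load_trace(events):
    """Build an in-memory database holding one execution trace."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO trace (pid, image, op, target, detail) VALUES (?, ?, ?, ?, ?)",
        events,
    )
    return db


def match_rules(events):
    """Return the names of every rule whose query matches the trace, in rule order."""
    db = load_trace(events)
    try:
        return [name for name, sql in RULES.items()
                if db.execute(sql).fetchone() is not None]
    finally:
        db.close()


if __name__ == "__main__":
    for label, trace in (("zbot-like", ZBOT_LIKE_TRACE), ("installer-like", INSTALLER_LIKE_TRACE)):
        hits = match_rules(trace)
        print(f"{label}: {len(hits)} rule(s) matched: {hits}")
```

The malicious trace trips all five rules and the installer trace none, which is the "several signatures per sample" effect pk mentions and the low-FP effect Vlk mentions in one run. A real sandbox trace has orders of magnitude more rows, so in practice the `trace` table wants indexes on `(pid, op)` and `(op, target)` before the self-joins are cheap.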

Offline True Indian

  • Malware Hunter
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 712
  • A Good Old Indian!
Re: About "Dyna" detection
« Reply #14 on: February 19, 2013, 09:23:22 AM »
So, please, stay tuned, more stuff is coming. :)

You are making me impatient now  ;D

thanks for the hard work Vlk and avast team..once again you guys rock!  ;)