Author Topic: Avast still not able to detect "Hacker Defender"  (Read 4030 times)


Fract504

  • Guest
Avast still not able to detect "Hacker Defender"
« on: April 08, 2006, 09:01:54 PM »
Hello,

check out this chart: http://www.emailbattles.com/archive/battles/virus_aadddbhadc_ia/

Avast still falls behind. Is this by intention? Any clues?
I want to see my favorite AV ahead of the competition :-)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Avast still not able to detect "Hacker Defender"
« Reply #1 on: April 08, 2006, 09:28:22 PM »
It's sad that we can't count on this protection as some other antiviruses do...  :-\ :'(
The best things in life are free.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Avast still not able to detect "Hacker Defender"
« Reply #2 on: April 08, 2006, 09:43:07 PM »
Tested with Jotti and VT. Are they kidding? :o ::)
Visit my webpage Angry Sheep Blog

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Avast still not able to detect "Hacker Defender"
« Reply #3 on: April 08, 2006, 09:55:56 PM »
Actually not unable to detect Hacker Defender, but unable to detect an encrypted version, in common with "all of the big guns."

Quote
The only "big name" Antivirus to discover the modified program is Kaspersky. All of the big guns, Symantec, McAfee, Sophos, Clam-AV are circumvented! Of course eTrust likely thinks this new version of the binary is winword.exe or something. ;)

So, why is it detected at all? Well, the version of CodeCrypter that I used retained the same OEP (original entry point). I suspect if this was randomized, all AV would be circumvented.

http://www.infosecinstitute.com/blog/2006/03/circumventing-antivirus-via.html

The AVs that did detect the encrypted code apparently spotted the one part that wasn't encrypted, soon to be taken care of by the mysterious rabbit/tibbar:

Quote
The main weakness of the last release, which allowed a signature to be put on it, was that it used a static stub at entry point and another static stub for the decryption routine.

The second weakness was that the decryption stub was always placed in the same location in the last section of the file.

Finally, it used fixed parameters in the Linear Congruential Random Number Generator (LCG) algorithm I used to perform the "encryption".

Now on the other side of things, I have not had any time to get further on my other project CodeMutator, but it had come a fair long way in development, and is capable of mutating stubs...

So the next release of codeCrypter is going to incorporate codeMutator for the purpose of making the stub different every time the packer is used.

http://tibbar.blog.co.uk/2006/03/31/codecrypter_next_release_plans~689557

When he works out how to do that, all the AVs will be up the creek without a hydraulic propulsion implement.
Bambleweeny 57 sub-meson brain | Don't Surf in the Nude Blog
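Added illustration (editor's example, not code from this thread, from CodeCrypter or from the blog posts quoted above) of the two detection approaches the quoted posts contrast: signing the fixed stub that sits at the entry point versus a generic "is the entry point inside a high-entropy section?" heuristic that does not care what the stub looks like. The byte layout is a constructed stand-in rather than a real PE parser, the stub bytes and the 7.0 bits/byte threshold are assumptions, and the entropy heuristic is a standard packer-detection generalisation that goes beyond what the thread itself describes.

```python
"""Toy packed-executable checks: fixed stub signature vs. generic entropy heuristic."""
import hashlib
import math
from dataclasses import dataclass

# Constructed placeholder for a "static decryption stub" (push ebp; mov ebp, esp; nops).
# This is NOT the real CodeCrypter or Hacker Defender stub; it only stands in for a
# fixed byte sequence that an AV engine could write a signature for.
STATIC_STUB = bytes([0x55, 0x89, 0xE5, 0x90, 0x90, 0x90, 0x90, 0x90])

# Assumed threshold: compiled code is usually well below this, ciphertext is close to 8.
ENTROPY_THRESHOLD = 7.0


@dataclass
class Image:
    """Minimal stand-in for a loaded executable: raw bytes plus the two facts a scanner needs."""
    data: bytes
    oep: int                 # offset of the (original) entry point
    last_section: tuple      # (start, end) offsets of the last section


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def stub_at_entry(img: Image, stub: bytes = STATIC_STUB) -> bool:
    """Signature check: does the known stub sit exactly at the entry point?"""
    return img.data[img.oep:img.oep + len(stub)] == stub


def stub_in_last_section(img: Image, stub: bytes = STATIC_STUB) -> bool:
    """Signature check: does the known stub appear anywhere in the last section?"""
    start, end = img.last_section
    return img.data.find(stub, start, end) != -1


def classify(img: Image) -> dict:
    """Combine the fixed-signature checks with the generic entropy heuristic."""
    start, end = img.last_section
    ent = shannon_entropy(img.data[start:end])
    sig_hit = stub_at_entry(img) or stub_in_last_section(img)
    # Generic rule: entry point lives in a section that looks like ciphertext.
    generic_hit = ent >= ENTROPY_THRESHOLD and start <= img.oep < end
    return {
        "signature_hit": sig_hit,
        "last_section_entropy": round(ent, 2),
        "generic_packed_hit": generic_hit,
        "verdict": "suspicious" if (sig_hit or generic_hit) else "clean",
    }


def _pseudo_random(seed: bytes, n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for an encrypted payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples ----------------------------------------------------------
# 1) Plain program: low-entropy repetitive "code", entry point in the first section,
#    last section is zero-filled data.
_code = b"\x55\x89\xe5" + b"\x8b\x45\x08\x01\xc8\xc9\xc3" * 200      # 1403 bytes
PLAIN = Image(data=_code + b"\x00" * 597, oep=0, last_section=(1403, 2000))

# 2) "Packed" with the fixed stub at the entry point, followed by ciphertext-like bytes.
PACKED_STATIC = Image(data=b"\x00" * 512 + STATIC_STUB + _pseudo_random(b"sample-1", 4096),
                      oep=512, last_section=(512, 512 + 8 + 4096))

# 3) Same layout but with a different (constructed) stub, so the signature misses.
MUTATED_STUB = bytes([0x53, 0x56, 0x57, 0x90, 0x31, 0xC0, 0x90, 0x90])
PACKED_MUTATED = Image(data=b"\x00" * 512 + MUTATED_STUB + _pseudo_random(b"sample-2", 4096),
                       oep=512, last_section=(512, 512 + 8 + 4096))

if __name__ == "__main__":
    for name, img in (("plain", PLAIN), ("packed_static", PACKED_STATIC),
                      ("packed_mutated", PACKED_MUTATED)):
        print(name, classify(img))
```

Running it shows the point of the quoted blog posts from the other side of the fence: the fixed stub is caught by the signature check, a changed stub is not, but both packed samples are still flagged by the entropy rule because the entry point sits in a section that looks like ciphertext. That generic heuristic is noisier than a signature (legitimate packers and compressed resources trip it too), which is why real engines combine it with emulation or unpacking rather than blocking on entropy alone.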

Fract504

  • Guest
Re: Avast still not able to detect "Hacker Defender"
« Reply #4 on: April 09, 2006, 12:39:10 AM »
If viruses really get this far, we can really say good-bye and maybe make heavier use of intrusion detection systems (e.g. PREVX).
But Prevx really made my machine slow...  :-\

Spiritsongs

  • Guest
"Hacker Defender"
« Reply #5 on: April 09, 2006, 02:05:14 AM »
:) Hi all:

I thought "Hacker Defender" was a rootkit!? If yes, is that what the antirootkit programs are supposed to detect?

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Avast still not able to detect "Hacker Defender"
« Reply #6 on: April 09, 2006, 10:18:38 AM »
When installed it is a rootkit, yes.

Before it is installed, it is just a potentially infectious executable, like any virus, worm, Trojan or piece of spyware.

avast! does detect the Hacker Defender executable, but, in common with many other AVs, not when it is encrypted in this way.
Bambleweeny 57 sub-meson brain | Don't Surf in the Nude Blog