Topic: Win32:Virtualizer [Cryp] question?

Offline sanctuary24

  • Sr. Member
  • Posts: 323
Win32:Virtualizer [Cryp] question?
« on: September 14, 2007, 05:41:40 PM »
Just wondered what the category Cryp stands for and what this type of virus does and where they generally hide?

ps Does anyone know if the Avast team plans on creating a database of viruses and their types on their website so people can look up the virus and get info on what it is capable of?

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • Posts: 9384
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Win32:Virtualizer [Cryp] question?
« Reply #1 on: September 14, 2007, 05:44:52 PM »
Maybe not an entire database, but info on what each of these extensions means (described on support.avast.com) would be a good idea.
I know most of them but many users don't.
Visit my webpage Angry Sheep Blog

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11805
    • AVAST Software
Re: Win32:Virtualizer [Cryp] question?
« Reply #2 on: September 14, 2007, 07:20:20 PM »
Well, this particular one is kind of... an experiment.
Cryp = Cryptor - i.e. the detection is based on the cryptor/packer the file is scrambled with. It is meant for malware packers and some special stuff.

Offline sanctuary24

  • Sr. Member
  • Posts: 323
Re: Win32:Virtualizer [Cryp] question?
« Reply #3 on: September 14, 2007, 11:39:03 PM »
So that means it targets the thing malware is encrypted with? ???

(not that good with packer information)

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11805
    • AVAST Software
Re: Win32:Virtualizer [Cryp] question?
« Reply #4 on: September 15, 2007, 12:18:43 AM »
Yes.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • Posts: 9384
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Win32:Virtualizer [Cryp] question?
« Reply #5 on: September 15, 2007, 02:43:01 AM »
Quite a large part of, for example, AntiVir's HEUR detections is based on how a program is protected, so going in a similar direction is a smart thing imo (especially if it's done in a smart way).
HEUR/Crypted was quite common and as far as I can tell it all depends on how many layers and what kind of cryptors/protectors/packers are used together. The more exotic the combination, the higher the chance of getting flagged. Regular programs usually don't use anything similar, or only in very, very rare cases.
Visit my webpage Angry Sheep Blog

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Win32:Virtualizer [Cryp] question?
« Reply #6 on: September 15, 2007, 07:25:36 AM »
Well, Antivir's Heur/Crypted thing is quite strange IMHO.
From what I tested, Antivir flags e.g. standard Windows notepad.exe repacked with AsProtect (and many other, quite "official" packers/protectors). No multiple packing, no underground packers... strange. I wonder how they deal with false positives, and what the packer/protector vendors say about that. :)
If at first you don't succeed, then skydiving's not for you.

Offline avatar2005

  • Avast Evangelist
  • Poster
  • Posts: 423
  • In search of Harmony in our lives
Re: Win32:Virtualizer [Cryp] question?
« Reply #7 on: September 15, 2007, 09:29:54 AM »
Quote from: Vlk
I wonder how they deal with false positives, and what the packer/protector vendors say about that. :)
Hi Vlk!
They (Avira, I mean) just keep updating their scanning engine on & on, that's why their updates are quite large for me on a home dial-up (~5-7 MB every day). I know what I'm saying because I was an Antivir user before I switched to beloved Avast 8).
Take care
Let God & the forces of Light guide you.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • Posts: 9384
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Win32:Virtualizer [Cryp] question?
« Reply #8 on: September 15, 2007, 10:24:57 AM »
Quote from: Vlk
Well, Antivir's Heur/Crypted thing is quite strange IMHO.
From what I tested, Antivir flags e.g. standard Windows notepad.exe repacked with AsProtect (and many other, quite "official" packers/protectors). No multiple packing, no underground packers... strange. I wonder how they deal with false positives, and what the packer/protector vendors say about that. :)

Really? I haven't gone checking this far, but for example HEUR/Crypted.Layered (which is now replaced by HEUR/Crypted) was supposed to mean layered cryptor/packer usage (executable protected by Yoda's Crypter and later packed with, let's say, UPack).
I mean, this way you avoid quite a few false positives and simply force malware writers into using fewer packers and crypters, which again means you have to do less work on the unpacking part of the engine and can focus on other, more important detection subsystems.
Not that unpacking would be all that needed today (in terms of repacked malware). But you still have to unpack it for a proper detection either way...
Visit my webpage Angry Sheep Blog

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11805
    • AVAST Software
Re: Win32:Virtualizer [Cryp] question?
« Reply #9 on: September 15, 2007, 01:13:53 PM »
Quote from: RejZoR
Not that unpacking would be all that needed today (in terms of repacked malware).

Well, that's actually questionable (if you mean it the way I understand).
I'd say it depends on the choice of signatures - and if chosen well, you can get surprising results.
Whenever I add a new (un)packer, quite a significant number of samples get detected, without adding any new signatures. For example, I updated the Morphine unpacker in the last avast! update - and the number of previously undetected samples decreased by something like 10.000. I'm not saying that it's completely different samples - it's probably only variants of one specific malware group (or just a few of them) that are sometimes packed with other (already supported) packers that we already did support... but still.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • Posts: 9384
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Win32:Virtualizer [Cryp] question?
« Reply #10 on: September 15, 2007, 01:33:47 PM »
That's true, but I think malware writers aren't repacking malware all that much as they used to when packers were barely emerging and were actually (effectively) used to evade detection for some time. Though they still use packers to decrease file size and also make detection tougher to some degree.
Visit my webpage Angry Sheep Blog

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11805
    • AVAST Software
Re: Win32:Virtualizer [Cryp] question?
« Reply #11 on: September 15, 2007, 01:37:04 PM »
Could be. On the other hand, most malware is not written from scratch... but is just a small modification of previous variants on the source level, possibly with the same (malware) libraries used... etc.

Offline sanctuary24

  • Sr. Member
  • Posts: 323
Re: Win32:Virtualizer [Cryp] question?
« Reply #12 on: September 15, 2007, 10:36:23 PM »
So in simple terms, what is changing in Avast regarding detection? (sorry to ask, but some of the stuff I just read went over my head :-[)