Author Topic: Avast IMPRESSES on this real encounter!  (Read 12529 times)

0 Members and 1 Guest are viewing this topic.

Kobra

  • Guest
Avast IMPRESSES on this real encounter!
« on: June 08, 2004, 05:25:59 AM »
A friend passed off a CD to me with a specifically malicious virus on it.  He said it infected him, and wanted me to check it out.  ;D  Of course, being the AV hobbiest I am.. Why not!

Anyway, heres the kicker..  This is like a triple compressed virus, if not more.  Let me show you the layers this virus is hidden under.

Layer 1: Its packed inside a seperate runtime packed executable that installs another add-on product.

Layer 2: This runtime install its inside is packed inside the full setup.exe runtime module once again.

Layer 3: Now this setup, and the rest of the files are packed AGAIN inside a BIN/CUE file situation for burning to CD.

Layer 4: This entire package is archived up inside a zip file.

Now we know the virus is older, and well defined by AV products.  But the key here is how whoever is attempting to deliver it, is masking it so deeply, that they are gambling nothing will pick it up until its too late.  Which is partially true.

AVG-Pro and Norman-AV couldn't find it until the very last second, when the virus already implanted on the last stage of the final install - note this is AFTER all of the other layers had to be opened, then burned to CD, etc.

I'm happy to report, so far, only Avast found this baby FROM THE SURFACE without need to even unzip, burn, or even install the product and the addon it was hidden in!  This is quite impressive to me, is anyone else impressed?

I'm going to go through the headaches of testing this on a few other AV's tonight as well for grins and I will be sure to let you know my results.  One thinks this might be a very good test, since the SOONER a bad guy is caught, the better, why go through all those layers?

Regards...

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67236
Re:Avast IMPRESSES on this real encounter!
« Reply #1 on: June 08, 2004, 05:39:27 AM »
Thanks Kobra for your hard test work...
Wellcome to avast forums  :D
The best things in life are free.

CharleyO

  • Guest
Re:Avast IMPRESSES on this real encounter!
« Reply #2 on: June 08, 2004, 05:40:33 AM »

Kobra - that is impressive! Now you know why we love avast! so much. It's the best!    ;D  

By the way, nice work testing that virus out and offering the information to the rest of us!    :)  



Offline radicalb21

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 438
  • Be Safe. Be Smart. Use Common Sense.
Re:Avast IMPRESSES on this real encounter!
« Reply #3 on: June 08, 2004, 05:46:21 AM »
Good job KOBRA.
iMac 21.5 " Mid 2011 2.7 GHz Intel Core i5
4 GB 1333 MHz DDR3
AMD Radeon HD 6770M 512 MB

Kobra

  • Guest
Re:Avast IMPRESSES on this real encounter!
« Reply #4 on: June 08, 2004, 07:30:48 AM »
an update....

Here is what I did for more extended tests.  I broke the bad guy down to all layers up to level 2 (at high risk for myself lol).  No way in hell am I messing with a bios trashing 1k virus past that level, I don't even have a virtual machine setup here!  (and I should)

So far i've tested, AVG, NOD32, KAV5, AVK, Norman, Avast, McAfee Enterprise 8.0i Beta and F-Secure. Thats it for me for now on this test file, i've had enough. =)  Results aren't too good, but i'm still thinking about what we can surmise from this!

I think the issue here is, how DEEP these programs truely are with their on-demand scanning systems. Do they really scan as good as they say?  Are they really scanning INSIDE those archives or are they just doing a header check?  If I was brave, i'd test each product down to the infection layer, but i'm not, if a single product missed it, i'm toast, or if it didn't clean it right, i'm toast.  So the question is, how soon would YOU like to know of a threat on your system?  Do you want to wait till its down to the last second, and something could go wrong, or do you want to deal with it far far in advance? What if you burn the CD, insert it into a windows computer, and autorun starts up setup, and infects you before your AV picks it up?  Clearly, even BURNING a deadly file, gives me the shakes.  =)

So heres where my testing is...  Unless I indicate otherwise, all settings were completely maxed, all versions were current, including definitions.  System was cleanly rebooted and registry proofed prior to testing each product.

NOD32 - Failed, no detection to till right up to infection.

KAV5 - Failure until layer 2.

AVK - Failure until layer 2.

F-Secure - Failure until layer 2.

McAfee Beta - Failure until layer 2.

AVG - Failed, no detection till infection (according to member testing this).

Norman - Failure until level 1, pre-infection though.

Avast Pro - Sucess! Level 4 immediate detection.

From this limited non-scientific personal test, I can personally surmise to myself, that anything with the KAV engines is picking it up at a reasonably safe layer(I think), which SHOULD be before infection would take place - this later would be the "Just clicked to install the file" stage.  AVG I would consider worst on this one, with NOD32 and Norman bringing up the real with deadly close call detection. However, that would bother me still, because NOD32 is well known for failing to clean - and if that happened here, your machine is done.  Remember, ALL of these products except Avast didn't find the bad guy before burning the BIN/CUE files, and only a couple of them(KAV engines) detected during the initial install layer, or at some point within that initial install layer.

Avast shocked me here,  detected immediately, without even unzipping the archive that was downloaded, without even burning the BIN. Penetrated deep into the suspect file, and found a 1k virus hiding behind a bush. BRAVO!  =)


Heres the details on the subject virus:
--------------------------------------------

Win:CIH 1.x
CIH is a virus which infects native Windows 95/98 applications (PE - Portable Executable files).
It is approximately 1Kbyte long. Virus has been found In the Wild in many countries all over the world. It installs itself into the memory, hooks file access calls and infects EXE files that are opened. It has very dangerous trigger: depending on the system date it operates with Flash BIOS ports and tries to overwrite Flash memory with "garbage". This is possible only if motherboard and chipset allows writing to Flash memory. Usually writing to Flash memory can be disabled by a DIP switch, however this depends on the motherboard design. Many modern motherboard cannot be protected by a DIP switch. Virus then overwrites data on all installed hard drives.


Three versions of this virus are known: CIH 1.2 and 1.3 activate the trigger routine on April 26th only, while the version 1.4 is able to do the damage on 26th of any month. CIH stores itself in the "holes" between the PE sections so the file length remains the same.

« Last Edit: June 08, 2004, 07:36:19 AM by Kobra »

Offline .: Mac :.

  • Avast √úberevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re:Avast IMPRESSES on this real encounter!
« Reply #5 on: June 08, 2004, 08:11:03 AM »
and let me remind everyone F-Secure has the KAV engine along with 2 others (and avast beat that WOOOOO)
« Last Edit: June 08, 2004, 08:11:24 AM by MacLover2000 »
"People who are really serious about software should make their own hardware." - Alan Kay

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Avast IMPRESSES on this real encounter!
« Reply #6 on: June 08, 2004, 08:56:54 AM »
Seems a bit like good luck to me...

I mean, avast's unpackers are probably OK but c'mon - KAV features tens (if not hundreds) of unpacking engines - and new are being added all the time...


Anyway I'm glad avast didn't fail you. :)
If at first you don't succeed, then skydiving's not for you.

rloschmann

  • Guest
Re:Avast IMPRESSES on this real encounter!
« Reply #7 on: June 08, 2004, 11:47:15 AM »
I had, before chosing avast, done similar tests. The EICAR test file packed and encrypted with several formats. The files were downloaded from http://www.attac.net

I had a total of 27 different file formats and the result for each AV tested (number of files detected) :

Avast : 22
PC-Cillin : 22
NOD32 : 17
Antivir PE : 12
AVG 6.0 Free : 8

Since this test i switched from AVG to Avast!  8)

Note : the scan was done with on-demand scanner (explorer extension).

Tipton

  • Guest
Re:Avast IMPRESSES on this real encounter!
« Reply #8 on: June 08, 2004, 04:48:55 PM »
Good job Kobra! I do have to ask myself this question though. Why would anyone that tests a virus, not be running imaging software? Or are you?

Douglas

Kobra

  • Guest
Re:Avast IMPRESSES on this real encounter!
« Reply #9 on: June 08, 2004, 04:51:15 PM »
and let me remind everyone F-Secure has the KAV engine along with 2 others (and avast beat that WOOOOO)

It wouldn't matter what engine it had, if its not TRUELY scanning within those packs/archives, it won't find them.  eXtendia AVK for example, uses the KAV+RAV databases/definitions in a dual engined format.  Theres virtually nothing that it can't detect.  It failed like the others, because it simply required me to be down to the second to lowest common denominator to find it!

Its not luck, its simple math.  Avast *REALLY* scanned the archives, none of the other products did.  When you select "Scan Archive" on another AV, don't you expect it to be scanning the archive, any files within the archive, and any other archives within that archive?  I know I would, and its a bit misleading that they don't.

For that, Avast has my respect, and money (at least for single user version).. Now if we can get some advanced heuristics, i'd buy a enterprise license for the 80 PC's at work and 4 at home.   LOL!

PS: I'm running imaging software, but ideally, I should be running a Virtual Machine.  Too lazy to set it up.  But worst case, the test PC can be easily formatted without any headaches, i've got a custom build windowsXP Pro CD that installs all my drives and programs automagically.   ;)
« Last Edit: June 08, 2004, 05:19:50 PM by Kobra »

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9404
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Avast IMPRESSES on this real encounter!
« Reply #10 on: June 08, 2004, 04:56:56 PM »
Yup i'we been testing viruses in real environment within VirualPC.
I just made copy of Virtual hard Drive so i could easily restore old Win installation after testing some hihi destructive parasite ;D
Visit my webpage Angry Sheep Blog