Author Topic: Basic heuristics for Standard Shield?  (Read 3620 times)


Offline RejZoR

Basic heuristics for Standard Shield?
« on: August 25, 2004, 06:26:23 PM »
I know that avast! cannot perform heuristic analysis on files yet, but detecting non-standard packers could be a first step into this area.

This won't be a full heuristic solution, but the majority of viruses/worms use modified packers. You'd get a warning about a potentially dangerous file and you could then send it to the Chest or to Alwil.

I got this idea when I was playing with some trojan sample that was using a modified UPX packer...

Offline igor

Re:Basic heuristics for Standard Shield?
« Reply #1 on: August 25, 2004, 07:27:59 PM »
Erm... how do you define a non-standard packer?

Offline RejZoR

Re:Basic heuristics for Standard Shield?
« Reply #2 on: August 25, 2004, 07:45:49 PM »
The one which is modified/hacked.

Offline igor

Re:Basic heuristics for Standard Shield?
« Reply #3 on: August 25, 2004, 08:18:14 PM »
How can you tell that a file was modified if you don't know its original state?

Offline RejZoR

Re:Basic heuristics for Standard Shield?
« Reply #4 on: August 25, 2004, 08:20:06 PM »
If the UPX compressor/decompressor program can detect this, then I'm pretty sure avast! can also. Along with other packer methods.

Offline igor

Re:Basic heuristics for Standard Shield?
« Reply #5 on: August 25, 2004, 08:32:02 PM »
It depends on how "well" the modification is done; heavily modified programs aren't detected by UPX as UPX at all. Additionally, even "legal" programs are (for some reason completely unknown to me) packed by UPX scramblers occasionally.

Well, in general it's an interesting idea... but a real implementation wouldn't be easy, and I'm not sure about the results.
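Added here as an illustration (not avast!'s code and not anything posted in the thread): a layout-based check of the kind igor calls hard to do reliably. It assumes PE32 input and flags an image whose section layout looks like UPX output but whose UPX section names and "UPX!" magic are gone; the three samples are constructed headers, not real binaries.

```python
import struct
# Section names stock UPX writes; a "scrambled" build typically renames them.
UPX_NAMES = {b"UPX0", b"UPX1", b"UPX2"}

def parse_pe(data):
    """Return (entry_rva, [(name, vsize, vaddr, rawsize), ...]) from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]  # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]  # AddressOfEntryPoint
    table = pe + 24 + opt_size
    secs = [struct.unpack_from("<8sIII", data, table + 40 * i) for i in range(nsec)]
    return entry, [(n.rstrip(b"\0"), vs, va, rs) for n, vs, va, rs in secs]

def classify(data):
    """Label an image as stock UPX, UPX layout with its markers removed, or neither."""
    entry, secs = parse_pe(data)
    names = {s[0] for s in secs}
    has_marker = b"UPX!" in data  # magic of the UPX packed-file header
    # UPX layout: first section is an empty placeholder (VirtualSize > 0, SizeOfRawData == 0)
    # for the unpacked image, and the entry point sits in a later section holding the stub.
    layout = (len(secs) >= 2 and secs[0][1] > 0 and secs[0][3] == 0
              and any(va <= entry < va + vs for _, vs, va, _ in secs[1:]))
    if layout and names & UPX_NAMES and has_marker:
        return "upx"
    if layout:
        return "upx-like, markers removed (possibly scrambled)"
    return "no packer layout recognised"

def build_pe(sections, entry_rva, trailer=b""):
    """Constructed, non-executable PE32 header for testing (not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, 0, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + trailer

# Constructed samples: stock UPX, the same layout with names and magic stripped, and a plain image.
STOCK = build_pe([(b"UPX0", 0x10000, 0x1000, 0), (b"UPX1", 0x5000, 0x11000, 0x5000)], 0x15A00, b"UPX!")
SCRAMBLED = build_pe([(b".text", 0x10000, 0x1000, 0), (b".data", 0x5000, 0x11000, 0x5000)], 0x15A00)
PLAIN = build_pe([(b".text", 0x3000, 0x1000, 0x3000), (b".data", 0x1000, 0x4000, 0x200)], 0x1200)
```

The layout match is only a hint: other packers and some installers produce the same shape, which is exactly the false-positive problem igor raises.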