Author Topic: Possible Malware MalwareBytes_Anti-Malware_1.60.0.1800.rar (Read 11760 times)

goodjohnjr · « **Reply #15 on:** January 13, 2012, 06:31:02 PM »

Quote from: Left123 on January 13, 2012, 03:11:37 PM

I would like to mention something,speaking generally.Just because a file is packed with UPX(Ultimate packer for executables),it doesn't mean that it is infected.In most cases,UPX is used to reduce the size of a file(.exe) etc etc.

Interesting, thank you for sharing that Left123.

goodjohnjr · « **Reply #16 on:** January 13, 2012, 06:32:53 PM »

I think that I have seen/heard of UPX before several times so you are probably right that it is not always used for malware.

polonus · « **Reply #17 on:** January 14, 2012, 01:14:46 AM »

UPX can also be used for protection by developers. A benefit is that a checksum of both the compressed and uncompressed file is maintained internally.
Malcreants however can layer it with other inner packing to mislead analysts and victims alike, seemingly meaningless dead closed jump code is found, but the malcode when running knows how to jump that.
So the story is not that easily told as it is being presented. We have an abominable clever opponent in the malcrean. This is an interesting read on the subject from the Norman blog:
http://blogs.norman.com/2011/malware-detection-team/relations-between-spammed-malware
This link's article author = Snorre Fagerland, Principal Security Researcher in the Malware Detection Team (MDT) at Norman's. Discussed a.o is. outer layer of UPX packing; inner packer is [P1],

polonus

goodjohnjr · « **Reply #18 on:** January 14, 2012, 01:41:40 AM »

Quote from: polonus on January 14, 2012, 01:14:46 AM

UPX can also be used for protection by developers. A benefit is that a checksum of both the compressed and uncompressed file is maintained internally.
Malcreants however can layer it with other inner packing to mislead analysts and victims alike, seemingly meaningless dead closed jump code is found, but the malcode when running knows how to jump that.
So the story is not that easily told as it is being presented. We have an abominable clever opponent in the malcrean. This is an interesting read on the subject from the Norman blog:
http://blogs.norman.com/2011/malware-detection-team/relations-between-spammed-malware
This link's article author = Snorre Fagerland, Principal Security Researcher in the Malware Detection Team (MDT) at Norman's. Discussed a.o is. outer layer of UPX packing; inner packer is [P1],

polonus

Thank you for sharing that informative article Polonus.

Left123 · « **Reply #19 on:** January 14, 2012, 12:29:07 PM »

Quote from: polonus on January 14, 2012, 01:14:46 AM

UPX can also be used for protection by developers. A benefit is that a checksum of both the compressed and uncompressed file is maintained internally.
Malcreants however can layer it with other inner packing to mislead analysts and victims alike, seemingly meaningless dead closed jump code is found, but the malcode when running knows how to jump that.
So the story is not that easily told as it is being presented. We have an abominable clever opponent in the malcrean. This is an interesting read on the subject from the Norman blog:
http://blogs.norman.com/2011/malware-detection-team/relations-between-spammed-malware
This link's article author = Snorre Fagerland, Principal Security Researcher in the Malware Detection Team (MDT) at Norman's. Discussed a.o is. outer layer of UPX packing; inner packer is [P1],

polonus

Yes but,it is well known that UPX have many weaknesses and can be unpacked easily(it's really easy,seriously.)and this is why,UPX is actually used to reduce the size of the file.Unpacking UPX is as simple as,1,2,3

.

goodjohnjr · « **Reply #20 on:** January 14, 2012, 09:17:52 PM »

Quote from: Left123 on January 14, 2012, 12:29:07 PM

Quote from: polonus on January 14, 2012, 01:14:46 AM
UPX can also be used for protection by developers. A benefit is that a checksum of both the compressed and uncompressed file is maintained internally.
Malcreants however can layer it with other inner packing to mislead analysts and victims alike, seemingly meaningless dead closed jump code is found, but the malcode when running knows how to jump that.
So the story is not that easily told as it is being presented. We have an abominable clever opponent in the malcrean. This is an interesting read on the subject from the Norman blog:
http://blogs.norman.com/2011/malware-detection-team/relations-between-spammed-malware
This link's article author = Snorre Fagerland, Principal Security Researcher in the Malware Detection Team (MDT) at Norman's. Discussed a.o is. outer layer of UPX packing; inner packer is [P1],

polonus
Yes but,it is well known that UPX have many weaknesses and can be packed easily(it's really easy,seriously.)and this is why,UPX is actually used to reduce the size of the file.Unpacking UPX is as simple as,1,2,3 .

Thank you for sharing that Left123, some of you are giving some pretty informative comments.

Author Topic: Possible Malware MalwareBytes_Anti-Malware_1.60.0.1800.rar (Read 11760 times)

goodjohnjr

Re: Possible Malware MalwareBytes_Anti-Malware_1.60.0.1800.rar

goodjohnjr

Re: Possible Malware MalwareBytes_Anti-Malware_1.60.0.1800.rar

polonus

Re: Possible Malware MalwareBytes_Anti-Malware_1.60.0.1800.rar

goodjohnjr

Re: Possible Malware MalwareBytes_Anti-Malware_1.60.0.1800.rar

Left123

Re: Possible Malware MalwareBytes_Anti-Malware_1.60.0.1800.rar

goodjohnjr

Re: Possible Malware MalwareBytes_Anti-Malware_1.60.0.1800.rar