There are many possibilities for performing malicious actions and creating
various files on a victim system this way. The challenge is to detect the malicious
script inside the SFX archive (whose extractor stub is legitimate code) rather than
in the archived files (which may or may not be malicious). Because WinRAR is a
legitimate program, its SFX stub cannot simply be blocked by an antivirus program.
To stop this kind of threat, a new heuristic engine (or a plug-in to an existing
engine) would probably have to be developed that can go inside the SFX archive,
extract the script and compare it with a static signature or emulate its
execution. Blocking all SFX archives that contain scripts is not a good idea,
because it would create many false positive alerts.
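The following is an added example, not code from the original paper, of what the "go inside the SFX archive" step could look like in a scanner: it locates a RAR archive appended to a PE stub, and rates an SFX script with static signatures on its Setup commands, flagging only scripts that combine a hostile Setup line with a hidden installation so that ordinary silent installers are not blocked. It assumes the script text has already been extracted from the archive comment (for instance with the WinRAR/unrar tools); decompressing RAR comment blocks is out of scope. The signature list, the sample script and the minimal PE skeleton are constructed for the example and are not a vendor's signature set.

```python
import re
import struct
from typing import Dict, List, Optional

# Magic bytes that open a RAR 4.x and a RAR 5.x archive.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


def overlay_offset(pe: bytes) -> Optional[int]:
    """Offset of the overlay (bytes appended after the last PE section), or
    None if the input is not a PE image. An SFX archive is a PE stub whose
    archive lives in this overlay, so this is where a scanner must look."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    try:
        e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
        if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4                       # COFF header follows "PE\0\0"
        num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
        opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
        table = coff + 20 + opt_size              # section table follows the optional header
        end = 0
        for i in range(num_sections):
            raw_size, raw_ptr = struct.unpack_from("<II", pe, table + i * 40 + 16)
            end = max(end, raw_ptr + raw_size)
    except struct.error:
        return None
    return end


def find_appended_rar(pe: bytes) -> Optional[int]:
    """Return the offset of a RAR archive stored in the PE overlay, or None."""
    start = overlay_offset(pe)
    if start is None or start >= len(pe):
        return None
    overlay = pe[start:]
    for magic in (RAR5_MAGIC, RAR4_MAGIC):
        idx = overlay.find(magic)
        if idx != -1:
            return start + idx
    return None


# SFX script lines are "Name=value" (or a bare "Name"); Text/License blocks are ignored.
SFX_LINE = re.compile(r"^\s*(?P<cmd>[A-Za-z]+)\s*(?:=\s*(?P<arg>.*?))?\s*$")

# Constructed static signatures for Setup/Presetup commands that touch host defences.
SETUP_SIGNATURES = [
    ("stops a service", re.compile(r"\b(?:net|sc)(?:\.exe)?\s+stop\b", re.I)),
    ("kills a process", re.compile(r"\btaskkill(?:\.exe)?\b", re.I)),
    ("edits the registry", re.compile(r"\breg(?:\.exe)?\s+(?:add|delete)\b", re.I)),
]


def analyse_sfx_script(script: str) -> Dict[str, object]:
    """Rate an extracted SFX script: 'suspicious' only when a Setup command hits
    a signature AND the archive hides its UI or overwrites silently, 'review'
    for a hit without those, 'clean' otherwise (limits false positives)."""
    silent = overwrite = False
    setup_cmds: List[str] = []
    findings: List[str] = []
    for line in script.splitlines():
        m = SFX_LINE.match(line)
        if not m:
            continue
        cmd, arg = m.group("cmd").lower(), (m.group("arg") or "")
        if cmd == "silent" and arg in ("1", "2"):
            silent = True
        elif cmd == "overwrite" and arg == "1":
            overwrite = True
        elif cmd in ("setup", "presetup"):
            setup_cmds.append(arg)
    for c in setup_cmds:
        for what, rx in SETUP_SIGNATURES:
            if rx.search(c):
                findings.append(f"{what}: {c}")
    verdict = "suspicious" if findings and (silent or overwrite) else "review" if findings else "clean"
    return {"silent": silent, "overwrite": overwrite, "setup": setup_cmds,
            "findings": findings, "verdict": verdict}


def triage(pe: bytes, extracted_script: Optional[str]) -> str:
    """Combine both checks; the script must be supplied already extracted."""
    if find_appended_rar(pe) is None:
        return "not-an-sfx"
    if not extracted_script:
        return "sfx-no-script"
    return "sfx-" + str(analyse_sfx_script(extracted_script)["verdict"])


# Constructed sample script of the kind described above (hidden install, stops a service).
SAMPLE_SCRIPT = """\
;constructed SFX comment
Path=%TEMP%\\upd
Silent=1
Overwrite=1
Setup=net stop ALG
Setup=upd.exe
"""


def build_sample_stub_with_archive() -> bytes:
    """Constructed minimal (non-executable) PE skeleton with a RAR4 header appended."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)  # 1 section, no optional header
    data = b"\xC3" * 16
    raw_ptr = 0x40 + 4 + 20 + 40                                  # = 128
    section = struct.pack("<8sIIIIIIHHI", b".text", len(data), 0x1000, len(data),
                          raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + section + data + RAR4_MAGIC + b"\x00" * 8


if __name__ == "__main__":
    sample = build_sample_stub_with_archive()
    print("archive at offset", find_appended_rar(sample))          # 144
    print(triage(sample, SAMPLE_SCRIPT))                            # sfx-suspicious
```

The verdict tiers are the point: a Setup line that stops a service is only escalated when the archive also hides its dialogs or overwrites silently, which is what separates the constructed sample above from a normal silent installer.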
I did a test with the WinZip Self-Extractor 2.2 program and the results were the same:
the SFX archive shut down the alg.exe service and the script section is not in
clear-text format.
The programs described here for creating SFX archives are just examples of the
many similar programs that include such functionality. It can be a very hard
task for antivirus programs to examine their behaviour without blocking them.
2.2 Using software protection and anti-cracking software to avoid antivirus detection
There are commercial software products that provide different kinds of protection
against cracking and reverse engineering. Here is a partial list of them:
- ACProtect by Risco Software Inc. [1]
- SoftwarePassport (known as Armadillo) by Silicon Realms Toolworks. [2]
- EXECryptor by SoftComplete Development. [3]
- SDProtector by SDProtector.com [4]
- StarForce by Protection Technology. [5]
These programs have many features, such as dynamic code encryption/decryption,
code replacement, a metamorphic engine, API export, anti-debug/dump/trace and more.
They help protect software from illegal use, and that is exactly the problem.
As you have probably noticed, the feature list of these programs is almost exactly
what a malware writer tries to develop himself: an encrypted, metamorphic or
polymorphic virus that evades antivirus detection.
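To make the comparison concrete, here is an added example (not code from the original paper) of what a scanner sees in a sample packed with a home-made encryption layer of the kind just described. A packed sample is laid out as decryptor stub, one-byte key, XOR-encrypted body; the stub bytes, the plaintext payload and both signatures are constructed for the example and stand in for real machine code and real detection data. The static scan matches the file as it is on disk; the emulating scan runs the decryptor's logic first, which is the "emulate execution" option mentioned in section 2.1.

```python
from typing import List

# Constructed stand-in for a hand-written decryptor stub. In a real packed
# sample this would be the machine code of the XOR loop, which stays
# byte-for-byte identical whatever key and payload it is paired with.
DECRYPTOR_STUB = b"\x31\xc0\x8a\x04\x0b\x30\xd0\x88\x04\x0b\x41\xe2\xf5"
# Constructed plaintext payload and the substring a scanner would key on.
PAYLOAD = b"open backdoor on tcp/4444; net stop ALG"
PAYLOAD_SIGNATURE = b"open backdoor"
# A stub signature covers the constant decryptor, not the variable encrypted body.
STUB_SIGNATURE = DECRYPTOR_STUB[:8]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def pack(payload: bytes, key: int) -> bytes:
    """Lay out a packed sample as stub || key || xor(payload, key)."""
    return DECRYPTOR_STUB + bytes([key]) + xor_bytes(payload, key)


def static_scan(sample: bytes) -> List[str]:
    """Plain signature matching on the bytes as they sit on disk."""
    hits = []
    if PAYLOAD_SIGNATURE in sample:
        hits.append("payload")
    if STUB_SIGNATURE in sample:
        hits.append("decryptor")
    return hits


def emulate_and_scan(sample: bytes) -> List[str]:
    """What an emulating engine does: apply the decryptor's logic to the body,
    then match the payload signature against the recovered bytes."""
    if not sample.startswith(DECRYPTOR_STUB):
        return []
    key = sample[len(DECRYPTOR_STUB)]
    body = xor_bytes(sample[len(DECRYPTOR_STUB) + 1:], key)
    return ["payload"] if PAYLOAD_SIGNATURE in body else []


if __name__ == "__main__":
    for key in (0x5A, 0x7F):
        packed = pack(PAYLOAD, key)
        print(hex(key), static_scan(packed), emulate_and_scan(packed))
```

Changing the key changes every byte of the body, so the payload signature never matches a packed file statically, yet the stub signature matches every sample because the decryptor does not change; emulation recovers the payload match regardless of key.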
The problem is that malware writers also have to develop the decryption engine
(the code that is supposed to decrypt the encrypted body of the program), and this was the weakest link in the