| Antivirus | Version | Update | Result |
|---|---|---|---|
| eTrust-Vet | 11.9.1.0 | 07.20.2005 | no virus found |
| Fortinet | 2.36.0.0 | 07.20.2005 | no virus found |
| F-Prot | 3.16c | 07.20.2005 | no virus found |
| Ikarus | 2.32 | 07.20.2005 | Backdoor.Win32.Rbot.IN |
| Kaspersky | 4.0.2.24 | 07.20.2005 | no virus found |
| McAfee | 4539 | 07.20.2005 | no virus found |
| NOD32v2 | 1.1174 | 07.20.2005 | no virus found |
| Norman | 5.70.10 | 07.19.2005 | no virus found |
| Panda | 8.02.00 | 07.20.2005 | no virus found |
| Sybari | 7.5.1314 | 07.20.2005 | no virus found |
| Symantec | 8.0 | 07.20.2005 | no virus found |
| TheHacker | 5.8.2.074 | 07.20.2005 | no virus found |
| VBA32 | 3.10.4 | 07.20.2005 | no virus found |
The results were disappointing: only one antivirus product detected the encrypted Agobot sample,
and two antivirus products detected the Bagle sample.
NOTE: It seems to me that the Ikarus antivirus has a false positive detection, as
two samples were detected as the same virus.
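As an added example (not code from the paper), the following Python parses a scan report in the flattened one-field-per-line form in which the table above was extracted and summarizes it: the detection rate, which engines detected the sample and with what label, which engines scanned with signatures older than the newest update in the report, and which engines assigned the identical label to two different samples, the pattern the author points to for Ikarus. The second report and the engine name ExampleAV are constructed placeholders, not data from the page.

```python
"""Parse a flattened multi-engine scan report (one field per line, four
lines per engine) and summarize what it says about detection coverage.
Added example; the report layout is assumed from the page's table."""
from dataclasses import dataclass
from datetime import datetime
from fractions import Fraction

# The page's table for the encrypted Agobot sample, rebuilt field by field
# in the flattened form it was extracted in (four fields per engine).
_FIELDS = [
    "Antivirus", "Version", "Update", "Result",
    "eTrust-Vet", "11.9.1.0", "07.20.2005", "no virus found",
    "Fortinet", "2.36.0.0", "07.20.2005", "no virus found",
    "F-Prot", "3.16c", "07.20.2005", "no virus found",
    "Ikarus", "2.32", "07.20.2005", "Backdoor.Win32.Rbot.IN",
    "Kaspersky", "4.0.2.24", "07.20.2005", "no virus found",
    "McAfee", "4539", "07.20.2005", "no virus found",
    "NOD32v2", "1.1174", "07.20.2005", "no virus found",
    "Norman", "5.70.10", "07.19.2005", "no virus found",
    "Panda", "8.02.00", "07.20.2005", "no virus found",
    "Sybari", "7.5.1314", "07.20.2005", "no virus found",
    "Symantec", "8.0", "07.20.2005", "no virus found",
    "TheHacker", "5.8.2.074", "07.20.2005", "no virus found",
    "VBA32", "3.10.4", "07.20.2005", "no virus found",
]
AGOBOT_REPORT = "\n".join(_FIELDS)

# Constructed second report (hypothetical, not from the page), used only to
# exercise the cross-sample label check; "ExampleAV" is a placeholder engine.
SECOND_REPORT = "\n".join([
    "Antivirus", "Version", "Update", "Result",
    "Ikarus", "2.32", "07.20.2005", "Backdoor.Win32.Rbot.IN",
    "ExampleAV", "0.0", "07.20.2005", "Constructed.Label.A",
])

HEADER = ["Antivirus", "Version", "Update", "Result"]
NO_DETECTION = "no virus found"


@dataclass(frozen=True)
class EngineResult:
    engine: str
    version: str
    update: str   # signature date, MM.DD.YYYY as printed in the report
    verdict: str

    @property
    def detected(self) -> bool:
        return self.verdict.strip().lower() != NO_DETECTION

    @property
    def update_date(self) -> datetime:
        return datetime.strptime(self.update, "%m.%d.%Y")


def parse_report(text: str) -> list[EngineResult]:
    """Split a flattened report into per-engine records, dropping the header."""
    fields = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if fields[:4] == HEADER:
        fields = fields[4:]
    if len(fields) % 4:
        raise ValueError(f"{len(fields)} fields is not a multiple of 4")
    return [EngineResult(*fields[i:i + 4]) for i in range(0, len(fields), 4)]


def detection_rate(results: list[EngineResult]) -> Fraction:
    """Fraction of engines that reported anything other than a clean verdict."""
    return Fraction(sum(r.detected for r in results), len(results))


def detecting_engines(results: list[EngineResult]) -> dict[str, str]:
    """Map each detecting engine to the label it assigned."""
    return {r.engine: r.verdict for r in results if r.detected}


def stale_engines(results: list[EngineResult]) -> list[str]:
    """Engines whose signatures are older than the newest update in the report;
    a miss from such an engine says less than a miss with current signatures."""
    newest = max(r.update_date for r in results)
    return [r.engine for r in results if r.update_date < newest]


def shared_labels(*reports: list[EngineResult]) -> dict[str, str]:
    """Engines that gave the identical label to every one of several distinct
    samples, the pattern the author treats as a false-positive indicator."""
    per_sample = [detecting_engines(r) for r in reports]
    common = set.intersection(*(set(d) for d in per_sample))
    return {e: per_sample[0][e] for e in common
            if all(d[e] == per_sample[0][e] for d in per_sample)}


if __name__ == "__main__":
    agobot = parse_report(AGOBOT_REPORT)
    print(f"{detection_rate(agobot)} of engines detected the sample")
    print("detections:", detecting_engines(agobot))
    print("stale signatures:", stale_engines(agobot))
    print("same label on both samples:",
          shared_labels(agobot, parse_report(SECOND_REPORT)))
```

The stale-signature check matters when reading a table like this one: Norman scanned with signatures a day older than the rest, so its miss is weaker evidence than the other misses. The shared-label check only flags a possible false positive; confirming it still requires looking at what the engine actually matched on.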
As my initial test showed, the use of commercial software protection programs by
virus writers can pose significant problems, both technical and non-technical, for
antivirus programs in their mission to detect malware.
An interesting observation came out of this test: when I executed a file protected
with the SoftwarePassport demo version, a pop-up window appeared.
This pop-up has just one button, "OK", and when I pressed it the protected program started.
Therefore, this can serve as an anti-emulation technique against antivirus software, because
the execution flow stops in the code decryption section waiting for user
input, and only then is the code decrypted and the protected program started.
2.3 A detour around antivirus software, or how to legally change PE files, intercept API calls, inject DLLs and more
First, when I saw this, I probably overreacted and did not believe that this was for
real